Web Application PenTest
- Identify the product information with the latest version
- Outdated components or known vulnerability (CVE) found in the identified product
- Access to the default URL or admin page of the identified product
- Any opening port other than 80 and 443
- Any sensitive data found on the website
- HTTPS is enabled and only TLS 1.2 or above is available
- Correctness of the certificate information
- SSL certificate key strength, at least 2048 bits
- Weak Ciphers are supported
- Only use the POST HTTP method to transfer the login data
- Possible to change the valid session with another user id during the login process
- Browser Back button resends the login request
- Possible to identify user id from the application response/behaviour
- Login information / sensitive data cached in the session key or cookie
- Default / guessable login credentials used
- Implemented effective logout mechanism, e.g. invalidate the session and login required
- Implemented session timeout, e.g. max of 1 hour if no business requirement.
- Implemented CAPTCHA or other brute force attack prevention mechanism
- Implemented account locking mechanism
- Does not allow multiple logins
- Possible to obtain higher-level function access
- Possible to obtain other user’s data
- Is the site structure guessable and accessible
- Vulnerable to Path Traversal attack
- What is the password policy
- Allow change password
- Implemented a maximum password length
- Password reset process is vulnerable
- Session-Id stored in the cookie only
- Vulnerable to the Session fixation or CSRF attack
- Session-Id change after login
- Session-Id guessable
- Cookie session lifetime setting: expires when the browser is closed
- Cookie access restricted to the same domain, HttpOnly and Secure flags enabled
- Higher-privilege functions cannot be executed by lower-privilege users
- Server-side access checks implemented, rather than access that is only hidden-URL or parameter driven
- JS Functions via the developer console
- Copy and Paste of URL
- Input data are parsed or encoded for output
- Implemented the server-side parsing mechanism
- CSP is enabled correctly
- Parameter bypass characters: // /\ \\ %00 @ ''
  o URL encoding
  o Double encoding
- Captcha bypass
  o Change of HTTP request type
  o Modify or remove the captcha parameter
  o Parameter pollution
  o No timeout or session mechanism
  o Guessable
- Open redirect bypass
  o JS open redirects
  o Hidden-link open redirects
  o Using // /\ %00 @ to bypass
  o Parameter pollution
- JWT
  o Secret is leaked
  o The server never checks the secret
  o The secret is guessable or brute-forceable
- CSRF
  o Check that the CSRF token exists on the CRUD actions
  o Server-side or client-side validation
  o Token length and guessability
  o Any parameter with a token
  o Accepts an empty parameter
  o Responds without a CSRF token
  o The token is not session bound
- Vulnerable to injection:
  o XSS (including Reflected, Stored and DOM-based)
  o SQL (including Error-, Union-, Boolean- and time-based)
  o XPath
  o XML
  o Command
  o LDAP
- API service calls are guessable
- Authentication required
- Authorization implemented
- All input validated on the server side
- All input/output data format is defined with validation control
- Clickjacking
- Frame Tampering
- Unvalidated redirects and forwards
- Secure HTTP response header settings
- Error handling
- File upload control
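A defender-side check that applies several of the items above (cookie Secure/HttpOnly/SameSite flags, CSP, clickjacking protection, HSTS, and product-version disclosure in the Server header) to a raw HTTP response. This is an added example, not code from the original checklist; it runs offline against a constructed sample response, so the header values and cookie names are assumptions.

```python
import re

# Constructed sample response (not captured from any real site) used to drive the audit.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n<html></html>"
)

def parse_headers(raw):
    """Return lower-cased (name, value) pairs from a raw HTTP response; duplicates are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_cookie(set_cookie):
    """Report a Set-Cookie value that lacks the Secure, HttpOnly or SameSite attribute."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie {name}: missing {flag}"
            for flag in ("Secure", "HttpOnly", "SameSite") if flag.lower() not in attrs]

def audit_response(raw):
    """Apply the cookie-flag, CSP, clickjacking, HSTS and version-disclosure items to a response."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            findings += audit_cookie(value)
        elif name == "server" and re.search(r"\d", value):  # product/version disclosure
            findings.append(f"Server header discloses product version: {value}")
    csp = next((v for n, v in headers if n == "content-security-policy"), None)
    if csp is None:
        findings.append("missing Content-Security-Policy")
    if "x-frame-options" not in present and (csp is None or "frame-ancestors" not in csp):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if "strict-transport-security" not in present:
        findings.append("missing Strict-Transport-Security")
    return findings
```

Feed it the raw response captured by your proxy or `curl -i` to get a finding per failed checklist item; an empty list means the checked items pass.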