Web Application PenTest

Information Gathering/Information Leakage

  • Identify the product in use and whether it is running the latest version
  • Outdated components or known vulnerabilities (CVEs) in the identified product
  • Access to the default URL or admin page of the identified product
  • Any open port other than 80 and 443
  • Any sensitive data exposed on the website

Encryption

  • HTTPS is enabled and only TLS 1.2 or above is offered
  • Correctness of the certificate information (subject, validity, chain)
  • SSL certificate key strength, at least 2048 bits
  • Weak ciphers supported

Authentication

  • Only the POST HTTP method is used to transfer login data
  • Possible to switch a valid session to another user id during the login process
  • Browser back button resends the login request
  • Possible to identify valid user ids from the application response/behaviour
  • Login information / sensitive data cached in the session key or cookie
  • Default / guessable login credentials in use
  • Effective logout mechanism implemented, e.g. session invalidated and login required again
  • Session timeout implemented, e.g. a maximum of 1 hour if there is no business requirement
  • CAPTCHA or other brute-force prevention mechanism implemented
  • Account lockout mechanism implemented
  • Multiple concurrent logins not allowed

Authorization

  • Possible to gain access to higher-privilege functions
  • Possible to access other users' data
  • Site structure guessable and directly accessible
  • Vulnerable to path traversal

Password Management

  • What is the password policy
  • Password change allowed
  • Maximum password length enforced
  • Password reset process vulnerable

Session / Cookie Management

  • Session id stored in the cookie only
  • Vulnerable to session fixation or CSRF
  • Session id changes after login
  • Session id guessable
  • Cookie session lifetime setting: the cookie expires when the browser is closed
  • Cookie access restricted to the same domain; HttpOnly and Secure flags enabled

Data Validation

  • Input data is validated on input and encoded on output
  • Server-side validation mechanism implemented
  • Vulnerable to SSRF
  • Vulnerable to injection of
    o XSS (including Reflected, Stored and DOM-based)
    o SQL (including Error-, Union-, Boolean- and Time-based)
    o XPath
    o XML
    o Command
    o LDAP

Web Service API

  • API service calls guessable
  • Authentication required
  • Authorization implemented
  • All input validated on the server side
  • All input/output data formats defined, with validation controls

Other checks

  • Clickjacking
  • Frame tampering
  • Unvalidated redirects and forwards
  • Secure HTTP response header settings
  • Error handling
  • File upload controls
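As an added example (not part of the original checklist), the script below automates the Session / Cookie Management items (Secure, HttpOnly, SameSite, domain scope, non-persistent session cookie) and the clickjacking and secure response header items from the other checks. The cookie names, the sample response and the header set are assumptions constructed for illustration.

```python
# Added example: audit cookie flags and security headers of an HTTP response
# against the checklist items. The sample response below is constructed.
from typing import Dict, List

# Assumed names of common session cookies (extend for the product under test).
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId", "sessionid"}

def check_cookie(set_cookie: str) -> List[str]:
    """Return checklist findings for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1)[1] if "=" in p else "")
             for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict (CSRF exposure)")
    if attrs.get("domain", "").startswith("."):
        findings.append(f"{name}: Domain={attrs['domain']} shared with subdomains")
    # A session cookie should expire with the browser session, not persist.
    if name in SESSION_COOKIE_NAMES and ("expires" in attrs or "max-age" in attrs):
        findings.append(f"{name}: persistent session cookie (Expires/Max-Age set)")
    return findings

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for clickjacking and other response-header items."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors (clickjacking)")
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    for hdr in ("server", "x-powered-by"):  # ties back to Information Gathering
        if hdr in h:
            findings.append(f"{hdr} header leaks product/version: {h[hdr]}")
    return findings

# Constructed sample response: one weak cookie, one hardened cookie, weak headers.
SAMPLE_HEADERS = {"Server": "Apache/2.4.1", "Content-Type": "text/html"}
SAMPLE_COOKIES = [
    "JSESSIONID=abc123; Path=/; Domain=.example.com; Expires=Wed, 01 Jan 2030 00:00:00 GMT",
    "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for f in check_headers(SAMPLE_HEADERS) + [f for c in SAMPLE_COOKIES for f in check_cookie(c)]:
        print("FINDING:", f)
```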