Web Application PenTest
- Identify the product information (name and version) and compare it with the latest version
- Outdated components or known vulnerabilities (CVEs) in the identified product
- Default URLs or admin pages of the identified product are accessible
- Any open port other than 80 and 443
- Any sensitive data found on the website
- HTTPS is enabled and only TLS 1.2 or above is available
- Correctness of the certificate information
- SSL certificate key strength, at least 2048 bits
- Weak ciphers supported
- Only the POST HTTP method is used to transmit login data
- Possible to switch a valid session to another user ID during the login process
- Browser back button can resend the login request
- Possible to identify valid user IDs from the application's response or behaviour
- Login information or sensitive data cached in the session key or cookie
- Default / guessable login credentials used
- Effective logout mechanism implemented, e.g. the session is invalidated and login is required again
- Session timeout implemented, e.g. a maximum of 1 hour unless there is a business requirement otherwise
- CAPTCHA or other brute-force prevention mechanism implemented
- Account lockout mechanism implemented
- Concurrent logins are not allowed
- Possible to access higher-privilege functions
- Possible to access other users' data
- Site structure guessable and directly accessible
- Vulnerable to path traversal
- What is the password policy
- Password change allowed
- Maximum password length enforced
- Password reset process vulnerable
- Session ID stored only in the cookie
- Vulnerable to session fixation or CSRF
- Session ID changes after login
- Session ID guessable
- Session cookie lifetime setting: expires when the browser is closed
- Cookie access restricted to the same domain, with the HttpOnly and Secure flags enabled
- Input data is parsed or encoded before output
- Server-side parsing mechanism implemented
- SSRF
- Vulnerable to injection of
  - XSS (including reflected, stored and DOM-based)
  - SQL (including error-, union-, boolean- and time-based)
  - XPath
  - XML
  - Command
  - LDAP
- API service calls guessable
- Authentication required
- Authorization implemented
- All input validated on the server side
- All input/output data formats defined with validation controls
- Clickjacking
- Frame Tampering
- Unvalidated redirects and forwards
- Secure HTTP response header settings
- Error handling
- File upload control
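As an added example (not part of the original checklist), a small Python audit that runs the session cookie items (session ID kept in the cookie, HttpOnly and Secure flags, lifetime ending when the browser closes) and the secure response header item against one captured response. The sample response, the session-cookie name heuristic and the list of expected hardening headers are assumptions chosen for this example.

```python
import re
# Constructed sample: response headers as captured after a login, not from any real site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.29
Set-Cookie: JSESSIONID=7F3A9C; Path=/
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""
# Substrings marking a cookie as session-bearing (a heuristic chosen for this example).
SESSION_NAME_HINTS = ("sess", "sid", "token")
# Hardening headers behind the "secure HTTP response header" item, with the checklist item each supports.
EXPECTED_HEADERS = {
    "strict-transport-security": "HTTPS only",
    "x-frame-options": "clickjacking / frame tampering",
    "content-security-policy": "XSS and framing",
    "x-content-type-options": "MIME sniffing",
}

def parse_headers(raw):
    """Return [(lowercase name, value), ...] from raw header text, skipping the status line."""
    lines = [l for l in raw.splitlines() if l.strip()][1:]
    return [(n.strip().lower(), v.strip()) for n, _, v in (l.partition(":") for l in lines)]

def audit_cookies(headers):
    """Flag session cookies lacking Secure, HttpOnly or SameSite, or that outlive the browser."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        if not any(h in cookie_name.lower() for h in SESSION_NAME_HINTS):
            continue  # only session-bearing cookies are in scope
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings += [f"cookie {cookie_name}: missing {f}" for f in ("secure", "httponly", "samesite") if f not in attrs]
        if attrs & {"expires", "max-age"}:
            findings.append(f"cookie {cookie_name}: persists after browser close")
    return findings

def audit_headers(headers):
    """Flag missing hardening headers and a Server banner that discloses a version."""
    present = {name for name, _ in headers}
    findings = [f"missing {h} ({why})" for h, why in EXPECTED_HEADERS.items() if h not in present]
    findings += [f"Server header discloses version: {v}" for n, v in headers if n == "server" and re.search(r"\d+\.\d+", v)]
    return findings

def audit(raw):
    """Audit one captured response; returns the list of checklist findings."""
    headers = parse_headers(raw)
    return audit_cookies(headers) + audit_headers(headers)
```

Running `audit(SAMPLE_RESPONSE)` on the constructed sample reports the unprotected JSESSIONID cookie, the four missing hardening headers and the version-disclosing Server banner; a response with all flags and headers set returns an empty list.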