Comment on page

Web Application PenTest

Information Gathering/Information Leakage

  • Identify the product information with the latest version
  • Outdated components or known vulnerability (CVE) found in the identified product
  • Access to the default URL or admin page of the identified product
  • Any opening port other than 80 and 443
  • Any sensitive data found on the website


  • HTTPS is enabled and only TLS 1.2 or above is available
  • Correctness of the certification information
  • SSL Certificate strength, at least > 2048 bits
  • Weak Ciphers are supported


  • Only use the POST HTTP method to transfer the login data
  • Possible to change the valid session with another user id during the login process
  • Browser back to resend the login
  • Possible to identify user id from the application response/behaviour
  • Cached in session key or cookie with login information / sensitive data
  • Default / guessable login credentials used
  • Implemented effective logout mechanism, e.g. invalidate the session and login required
  • Implemented session timeout, e.g. max of 1 hour if no business requirement.
  • Implemented CAPTCHA or other brute force attack prevention mechanism
  • Implemented account locking mechanism
  • Does not allow multiple logins


  • Possible to obtain higher-level function access
  • Possible to obtain other user’s data
  • Is the site structure guessable and accessible
  • Vulnerable to Path Traversal attack

Password Management

  • What is the password policy
  • Allow change password
  • Implemented the maximal length of the password
  • Vulnerable to the reset password process
  • Session-Id stored in the cookie only
  • Vulnerable to the Session fixation or CSRF attack
  • Session-Id change after login
  • Session-Id guessable
  • The cookie session lifetime setting, expired when the browser is closed
  • Restricted the cookie access within the same domain, HTTP Only and secure flag enable

Broken Access Control

  • Higher Privilege functions should not be able to be executed by lower privilege
  • Server-side checking implementation or hidden URL or parameter driven
  • JS Functions via the developer console
  • Copy and Paste of URL


  • Input data are parsed or encoded for output
  • Implemented the server-side parsing mechanism
  • CSP enables correctly
  • Parameter bypass Character
    • // /\ \\ %00 @ ''
    • URL encoding
    • double encodings
  • Captcha Bypass
    • Change of HTTP request type
    • Modify or remove the captcha parameter
    • Parameter pollution
    • No timeout or session mechanism
    • Guessable
  • Open redirect bypass
    • JS open redirects
    • Hiddenlink open redirects
    • using // /\ %00 @ to bypass
    • Parameter pollution
  • JWT
    • Secret is leaked
    • The server never checks the secret
    • The secret is guessable or brute forceable
  • CSRF
    • Check the CSRF Token exists on the CRUD action
    • Server-side or client-side validation
    • Token length and guessable
    • Any parameter with token
    • Accepts empty parameter
    • Responds without CSRF token
    • The token is not session bound
  • Vulnerable to Injection of
o XSS (included: Reflected, Stored and DOM Based )
o SQL (included: Error, Union, Boolean, and time base)
o XPath
o Command

Web Service API

  • Guessable of the API service call
  • Authentication required
  • Authorization implemented
  • All input validate on the server-side
  • All input/output data format is defined with validation control

Others check

  • Clickjacking
  • Frame Tampering
  • Invalidated redirects and forwards
  • Secure HTTP Respond Header setting
  • Error handling
  • File upload control