# Web Application PenTest

## Information Gathering / Information Leakage

* Identify the product information, including the latest version
* Outdated components or known vulnerabilities (CVEs) in the identified product
* Access to the default URL or admin page of the identified product
* Any open port other than 80 and 443
* Any sensitive data exposed on the website

## Encryption

* HTTPS enabled and only TLS 1.2 or above available
* Correctness of the certificate information
* SSL certificate key strength: at least 2048 bits
* Weak ciphers supported

## Authentication

* Only the POST HTTP method is used to transfer login data
* Possible to swap the valid session to another user id during the login process
* Browser back button resends the login request
* Possible to identify a valid user id from the application response/behaviour
* Login information / sensitive data cached in the session key or cookie
* Default / guessable login credentials in use
* Effective logout mechanism implemented, e.g. session invalidated and login required again
* Session timeout implemented, e.g. a maximum of 1 hour if there is no business requirement otherwise
* CAPTCHA or other brute-force prevention mechanism implemented
* Account locking mechanism implemented
* Multiple concurrent logins not allowed

## Authorization

* Possible to obtain higher-level function access
* Possible to obtain other users' data
* Site structure guessable and accessible
* Vulnerable to path traversal attack

## Password Management

* What is the password policy?
* Password change allowed
* Maximum password length enforced
* Password reset process vulnerable

## Session / Cookie Management

* Session ID stored in the cookie only
* Vulnerable to session fixation or CSRF attack
* Session ID changes after login
* Session ID guessable
* Cookie session lifetime setting: expires when the browser is closed
* Cookie access restricted to the same domain, with the HttpOnly and Secure flags enabled

## Broken Access Control

* Higher privilege functions must not be executable by lower privilege users
* Access control enforced by server-side checks, rather than only by hidden URLs or parameters
* JS functions callable via the developer console
* Copy and paste of a URL (direct access)

## Validation

* Input data parsed or encoded for output
* Server-side parsing mechanism implemented
* CSP enabled correctly
* Parameter bypass characters
  * `// /\ \\ %00 @ ''`
  * URL encoding
  * Double encoding
* CAPTCHA bypass
  * Change of HTTP request type
  * Modify or remove the CAPTCHA parameter
  * Parameter pollution
  * No timeout or session mechanism
  * Guessable
* Open redirect bypass
  * JS open redirects
  * Hidden link open redirects
  * Using `// /\ %00 @` to bypass
  * Parameter pollution
* JWT
  * Secret is leaked
  * The server never checks the secret
  * The secret is guessable or brute-forceable
* CSRF
  * CSRF token exists on CRUD actions
  * Server-side or client-side validation
  * Token length and guessability
  * Any parameter with token
  * Accepts empty parameter
  * Responds without CSRF token
  * The token is not session bound
* Vulnerable to injection of
  * XSS (including Reflected, Stored and DOM-based)
  * SQL (including Error-, Union-, Boolean- and time-based)
  * XPath
  * XML
  * Command
  * LDAP

## Web Service API

* API service calls guessable
* Authentication required
* Authorization implemented
* All input validated on the server side
* All input/output data formats defined with validation controls

## Other checks

* Clickjacking
* Frame tampering
* Unvalidated redirects and forwards
* Secure HTTP response header settings
* Error handling
* File upload control

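As an added example (not part of the original checklist), the following Python checks a captured set of response headers against the cookie items from the Session / Cookie Management section (HttpOnly, Secure, SameSite, browser-session lifetime) and the clickjacking and secure-header items from the Other checks section. The sample headers and the list of session cookie names are constructed assumptions for the demo.

```python
# Constructed sample headers from a hypothetical login response (not from the original page).
SAMPLE_HEADERS = [
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("X-Frame-Options", "DENY"),
    ("Content-Type", "text/html; charset=utf-8"),
]

# Cookie names treated as session identifiers (assumed list; extend for the target framework).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}


def check_cookie(set_cookie: str) -> list[str]:
    """Findings for one Set-Cookie value, per the session / cookie checklist above."""
    name, _, rest = set_cookie.partition("=")
    attrs = {}
    for part in rest.split(";")[1:]:          # skip the cookie value itself
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (cookie readable from script)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie sent over plain HTTP)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict (CSRF exposure)")
    if name.lower() in SESSION_COOKIE_NAMES and ("expires" in attrs or "max-age" in attrs):
        findings.append(f"{name}: persistent session cookie (should expire with the browser)")
    return findings


def check_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Cookie flag findings plus the response-header items from 'Other checks'."""
    findings = []
    present = {k.lower() for k, _ in headers}
    csp = next((v for k, v in headers if k.lower() == "content-security-policy"), "")
    for key, val in headers:
        if key.lower() == "set-cookie":
            findings.extend(check_cookie(val))
    if "strict-transport-security" not in present:
        findings.append("missing Strict-Transport-Security (HTTPS not enforced)")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "x-frame-options" not in present and "frame-ancestors" not in csp.lower():
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    return findings


if __name__ == "__main__":
    for line in check_headers(SAMPLE_HEADERS):
        print(line)
```

Run it against the headers of a real login response to get a per-item list for the report; the sample above yields four findings (two on SESSIONID, missing HSTS, missing CSP).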