# Web Application PenTest

## Information Gathering/Information Leakage

* Identify the product information and whether it is the latest version
* Outdated components or known vulnerabilities (CVEs) in the identified product
* Access to the default URL or admin page of the identified product
* Any open port other than 80 and 443
* Any sensitive data found on the website

## Encryption

* HTTPS is enabled and only TLS 1.2 or above is offered
* Correctness of the certificate information
* Certificate key strength, at least 2048 bits
* Whether weak ciphers are supported

## Authentication

* Only the POST HTTP method is used to transfer login data
* Possible to swap a valid session to another user ID during the login process
* Browser back button allows the login request to be resent
* Possible to identify a valid user ID from the application response/behaviour
* Login information or sensitive data cached in the session key or cookie
* Default / guessable login credentials in use
* Effective logout mechanism implemented, e.g. the session is invalidated and login is required again
* Session timeout implemented, e.g. max of 1 hour if there is no business requirement
* CAPTCHA or another brute-force prevention mechanism implemented
* Account locking mechanism implemented
* Concurrent logins are not allowed

## Authorization

* Possible to obtain higher-level function access
* Possible to obtain other user’s data
* Is the site structure guessable and accessible
* Vulnerable to Path Traversal attack

## Password Management

* What is the password policy
* Password change is allowed
* Password maximum length is enforced
* Password reset process is vulnerable

## Session / Cookie Management

* Session ID is stored in the cookie only
* Vulnerable to session fixation or CSRF attack
* Session ID changes after login
* Session ID is guessable
* Cookie lifetime setting: the session cookie expires when the browser is closed
* Cookie access restricted to the same domain, with the HttpOnly and Secure flags enabled
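As an added example (not part of the original checklist), a small Python audit of a `Set-Cookie` header value against the session/cookie items above; the sample headers and the host name `app.example.com` are constructed for illustration.

```python
# Added example, not part of the original checklist: audit a Set-Cookie
# header value against the session/cookie items above. Sample headers and
# the host name are constructed for illustration.

def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str, site_host: str) -> list[str]:
    """Return checklist findings for a session cookie; empty means it passed."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: Secure flag missing (sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: HttpOnly flag missing (readable by script)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict (CSRF exposure)")
    if "expires" in attrs or "max-age" in attrs:
        findings.append(f"{name}: persistent cookie, should expire with the browser")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != site_host.lower():
        findings.append(f"{name}: Domain={domain} shares the cookie beyond {site_host}")
    if len(value) < 16:
        findings.append(f"{name}: value only {len(value)} chars, check guessability")
    return findings


# Constructed sample headers: one weak, one meeting the checklist.
WEAK = "sessionid=abc123; Path=/; Domain=.example.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT"
HARDENED = ("sessionid=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b; "
            "Path=/; Secure; HttpOnly; SameSite=Strict")

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_session_cookie(hdr, "app.example.com") or ["OK"])
```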

## Broken Access Control

* Higher-privilege functions should not be executable by lower-privilege users
* Access control enforced server-side rather than by hidden URLs or parameters
* JS functions callable via the developer console
* Direct access by copying and pasting the URL

## Validation

* Input data is parsed or encoded for output
* Server-side parsing (validation) mechanism implemented
* CSP is enabled correctly
* Parameter bypass characters
  * `// /\ \\ %00 @ ''`
  * URL encoding
  * Double encoding
* Captcha Bypass
  * Change of HTTP request type
  * Modify or remove the captcha parameter
  * Parameter pollution
  * No timeout or session mechanism
  * Guessable
* Open redirect bypass
  * JS open redirects
  * Hidden link open redirects
  * Using `// /\ %00 @` to bypass
  * Parameter pollution
* JWT
  * Secret is leaked
  * The server never verifies the token signature with the secret
  * The secret is guessable or brute-forceable
* CSRF
  * Check that a CSRF token exists on every CRUD action
  * Server-side or client-side validation
  * Token length and guessability
  * Any parameter carrying the token
  * Accepts an empty token parameter
  * Responds without a CSRF token
  * The token is not session-bound
* Vulnerable to injection of
  * XSS (including Reflected, Stored and DOM-based)
  * SQL (including Error, Union, Boolean and time-based)
  * XPath
  * XML
  * Command
  * LDAP

## Web Service API

* API service calls are guessable
* Authentication required
* Authorization implemented
* All input validated on the server side
* All input/output data formats are defined with validation controls

## Other checks

* Clickjacking
* Frame tampering
* Unvalidated redirects and forwards
* Secure HTTP response header settings
* Error handling
* File upload controls
