
WEB APPLICATION PENTESTING CHECKLIST


Broken Access Control

  1. Test for IDOR (Insecure Direct Object References)
  • Example: Access another user’s data by changing the user ID in the URL from /user/123 to /user/124.
  2. Test for missing function level access control
  • Example: Attempt to access admin functionalities as a regular user by navigating to /admin.
  3. Check for bypassing access control by modifying parameters
  • Example: Change user roles by modifying hidden form fields or API requests.
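The three checks above map to three server-side decisions. The following is an added example (not code from the checklist) showing a hypothetical /user/<id> and /admin handler pair with object-level and function-level authorization; the `Session` type, the `USERS` table and the HTTP-style status tuples are constructed for illustration.

```python
# Added example: authorization checks for a hypothetical /user/<id> endpoint.
# Not code from the checklist; USERS, Session and the handlers are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Identity established server-side at login; never taken from the request."""
    user_id: int
    role: str  # "user" or "admin"


# Constructed sample records keyed by user id.
USERS = {
    123: {"id": 123, "email": "alice@example.test"},
    124: {"id": 124, "email": "bob@example.test"},
}


def get_user_vulnerable(session, user_id):
    """IDOR: returns whatever id the URL names, ignoring who is asking."""
    record = USERS.get(user_id)
    return (404, None) if record is None else (200, record)


def get_user(session, user_id):
    """Object-level check: only the owner or an admin may read a record."""
    record = USERS.get(user_id)
    if record is None:
        return 404, None
    if session.user_id != user_id and session.role != "admin":
        return 403, None
    return 200, record


def admin_dashboard(session):
    """Function-level check: /admin is gated on the server-side role."""
    if session.role != "admin":
        return 403, None
    return 200, "admin dashboard"


def change_role(session, form):
    """Role changes are an admin-only function. A 'role' field in the submitted
    form never elevates the caller; only the session's role is consulted."""
    if session.role != "admin":
        return 403, None
    if form.get("role") not in ("user", "admin"):
        return 400, None
    target = USERS.get(form.get("user_id"))
    if target is None:
        return 404, None
    target["role"] = form["role"]
    return 200, target
```

The tester's view of this: `/user/124` as user 123 should return 403 from `get_user` but 200 from `get_user_vulnerable`, and a regular user submitting `role=admin` in a form should get 403 regardless of what the hidden field says.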

Cryptographic Failures

  1. Test for weak encryption algorithms
  • Example: Identify the use of outdated encryption algorithms like MD5 or SHA1 for hashing passwords.
  2. Check for proper implementation of SSL/TLS
  • Example: Use SSL/TLS scanning tools to check for weak ciphers and SSL/TLS misconfigurations.
  3. Test for data exposure in transit
  • Example: Ensure sensitive data is transmitted over HTTPS and not HTTP by intercepting traffic with tools like Burp Suite.
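For the password-hashing item, the following added example (not from the checklist) puts the unsalted MD5 pattern next to a salted, stretched scheme using the standard library's PBKDF2, plus a small helper a reviewer can run over a dump of stored hashes. The iteration count, the storage format and the field separator are this example's own assumptions.

```python
# Added example: weak vs. adequate password storage, plus a check a reviewer can
# run over stored hashes. Not the checklist's code; parameters are assumptions.
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed figure in the range current guidance suggests
SALT_BYTES = 16


def hash_password_weak(password):
    """Unsalted MD5: fast to brute force and rainbow-table friendly. Shown
    only as the 'before' case the checklist item describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password):
    """Per-user random salt + slow KDF; output is self-describing so the
    iteration count can be raised later without breaking old records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored parameters; compare in constant time."""
    try:
        alg, iterations, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def looks_like_unsalted_digest(stored):
    """Review helper: bare hex strings of MD5 (32) or SHA-1 (40) length are a
    strong hint that passwords are stored without salt or stretching."""
    return len(stored) in (32, 40) and all(c in "0123456789abcdefABCDEF" for c in stored)
```

`looks_like_unsalted_digest` is a heuristic for triage during a review of a credential table; the confirmation is still reading the code that writes the column.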

Injection

  1. Test for SQL injection
  • Example: Inject SQL commands through input fields and URLs, e.g., using ' OR '1'='1.
  2. Test for command injection
  • Example: Try to execute system commands through input fields, e.g., using ; ls -la.
  3. Test for LDAP injection
  • Example: Inject LDAP commands through input fields, e.g., using *)(userPassword=*).
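To see why the two payloads listed above work and what closes them, here is an added example (not the checklist's code) that runs `' OR '1'='1` against a string-built query and against a parameterized one on an in-memory SQLite table, and escapes the LDAP payload with RFC 4515 rules. The table, its rows and the `uid`-based filter are constructed for the example.

```python
# Added example: the checklist's SQL payload against a string-built query and a
# parameterized one, plus RFC 4515 escaping for LDAP filter values. Not the
# checklist's code; the table and rows are constructed.
import sqlite3


def make_db():
    """In-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates untrusted input into the statement text."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Bound parameters: the driver sends values separately from the query
    text, so quote characters in the input never change the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def escape_ldap_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter:
    the characters * ( ) \\ and NUL become backslash + two hex digits, so the
    input cannot close or extend the filter expression."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_user_filter(username):
    """Filter built from an escaped value (uid attribute assumed)."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)
```

With the payload in the password field the concatenated statement becomes `... AND password = '' OR '1'='1'`, which matches every row; the parameterized form treats the same string as a literal password and matches nothing. The same rule applies to the command-injection item: pass arguments as a list to `subprocess.run` with `shell=False` rather than building a shell string.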

Insecure Design

  1. Check for lack of input validation
  • Example: Submit invalid or unexpected input data to see how the application handles it.
  2. Test for insecure authentication mechanisms
  • Example: Attempt to bypass authentication using weak password policies or brute force attacks.
  3. Review application logic for security flaws
  • Example: Analyze how the application handles critical functions like password resets and multi-factor authentication.

Security Misconfiguration

  1. Test for default accounts and passwords
  • Example: Attempt to log in using default credentials like admin/admin.
  2. Check for unnecessary services enabled
  • Example: Identify and attempt to exploit unnecessary services running on the server.
  3. Review security headers
  • Example: Ensure headers like X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy are properly set.

Vulnerable and Outdated Components

  1. Identify outdated software versions
  • Example: Use tools like Nmap or Nessus to identify outdated versions of software and libraries.
  2. Check for known vulnerabilities
  • Example: Cross-reference identified software versions with known vulnerabilities in databases like the NVD.
  3. Review application dependencies
  • Example: Use tools like OWASP Dependency-Check to identify vulnerabilities in application libraries.

Identification and Authentication Failures

  1. Test for weak password policies
  • Example: Attempt to create an account with weak passwords like password123.
  2. Check for session fixation
  • Example: Try to hijack a session by setting the session identifier through a URL parameter or cookie.
  3. Review multi-factor authentication implementation
  • Example: Test the effectiveness of multi-factor authentication by attempting to bypass it.
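Session fixation succeeds when the application authenticates the session identifier the client arrived with instead of issuing a new one. The following added example (not the checklist's code) contrasts the two behaviours in a minimal session store and adds a password-policy check for the first item; the store, the token length and the short common-password list are constructed.

```python
# Added example: session handling that defeats fixation, next to the fixating
# variant, plus a password-policy check. Not the checklist's code; the
# session store and the small common-password list are constructed.
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user": username or None}

    def new_anonymous(self):
        """Pre-authentication session, e.g. for a shopping cart."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_fixating(self, sid, username):
        """Session fixation: binds the identity to whatever id the client
        presented, including one planted via a URL parameter or cookie."""
        self._sessions.setdefault(sid, {"user": None})["user"] = username
        return sid

    def login(self, sid, username):
        """Discard the pre-auth session and issue a fresh, server-generated id;
        the id the client arrived with is never promoted to authenticated."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


# Constructed stand-in for a breached-password list.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


def password_is_acceptable(password, min_length=12):
    """Length plus a deny-list check; complexity rules alone do not stop
    password123-style choices."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS
```

The test for the fixation item follows from `login`: note the session id before authenticating, log in, and confirm the old id no longer maps to a user and the cookie value changed.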

Software and Data Integrity Failures

  1. Test for code and configuration integrity
  • Example: Check if software and configurations are protected against unauthorized modifications.
  2. Check for untrusted deserialization
  • Example: Attempt to manipulate serialized objects to exploit insecure deserialization.
  3. Review CI/CD pipeline security
  • Example: Ensure the CI/CD pipeline includes security checks and only allows trusted sources.
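For the deserialization item, the defence is twofold: use a data-only format, and authenticate the serialized bytes before parsing them. The following added example (not the checklist's code) shows the pattern that trusts its input next to JSON protected by an HMAC, with a helper that simulates a tampered token for testing; the key and payloads are constructed.

```python
# Added example: serialized state protected by an HMAC so tampering is
# detected, next to the deserialization pattern that trusts its input. Not the
# checklist's code; key and payloads are constructed.
import base64
import hashlib
import hmac
import json
import pickle

SECRET_KEY = b"constructed-demo-key-not-for-real-use"


def deserialize_unsafe(blob):
    """Untrusted deserialization: pickle reconstructs arbitrary objects, so an
    attacker-controlled blob controls what runs. Never do this with client data."""
    return pickle.loads(blob)


def _encode(obj):
    return base64.urlsafe_b64encode(
        json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8"))


def serialize_signed(obj, key=SECRET_KEY):
    """JSON (data only, no object reconstruction) + HMAC-SHA256 over the
    encoded payload."""
    payload = _encode(obj)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode("ascii") + "." + tag


def deserialize_signed(token, key=SECRET_KEY):
    """Return the object, or None if the tag is missing or does not verify."""
    try:
        payload, tag = token.rsplit(".", 1)
        payload_bytes = payload.encode("ascii")
    except ValueError:
        return None
    expected = hmac.new(key, payload_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload_bytes))


def tamper(token, new_obj):
    """Constructed test helper: keep the old tag, swap in a different payload,
    which is what a client editing a cookie or hidden field would produce."""
    _, tag = token.rsplit(".", 1)
    return _encode(new_obj).decode("ascii") + "." + tag
```

The same idea scales up to the other two items: signed artifacts and pinned, verified sources in the pipeline are integrity checks on bytes before they are trusted.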

Security Logging and Monitoring Failures

  1. Check for adequate logging
  • Example: Ensure that security-relevant events, such as login attempts and access control failures, are logged properly.
  2. Test log integrity
  • Example: Attempt to modify or delete log entries to see if the application can detect and prevent such actions.
  3. Review monitoring and alerting systems
  • Example: Ensure there are mechanisms in place to alert administrators of suspicious activities or potential breaches.

Server-Side Request Forgery (SSRF)

  1. Test for SSRF vulnerabilities
  • Example: Use payloads to request internal resources, e.g., http://localhost/admin or http://169.254.169.254/latest/meta-data/.
  2. Check for unrestricted URL access
  • Example: Attempt to fetch URLs from an input field to see if the application validates and restricts URL access.
  3. Review input validation for external requests
  • Example: Ensure that any user input used in server-side requests is properly validated and sanitized.
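The validation the third item calls for has to look at where the request will actually go, not only at the URL string. The following added example (not the checklist's code) checks scheme and userinfo, resolves the host, rejects non-public addresses (which covers both payloads listed above) and then applies a host allowlist; the allowlist and the offline resolver table are constructed.

```python
# Added example: validation for a user-supplied URL the server will fetch. Not
# the checklist's code; the allowlist and the resolver table are constructed.
import ipaddress
from urllib.parse import urlsplit

# Constructed: hosts this feature is allowed to fetch from.
ALLOWED_HOSTS = {"images.example.test"}

# Constructed resolver so the example runs offline; a real one would do a DNS
# lookup, and the fetch must then connect to the address that was checked.
_FAKE_DNS = {
    "localhost": "127.0.0.1",
    "images.example.test": "51.100.200.30",  # constructed public address
    "metadata.internal": "169.254.169.254",
}


def resolve_constructed(host):
    return _FAKE_DNS.get(host)


def check_fetch_target(url, resolve=resolve_constructed):
    """Return None if the URL may be fetched, else a string naming the reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return "no host"
    if parts.username is not None or parts.password is not None:
        return "userinfo in URL not allowed"
    try:
        addr = ipaddress.ip_address(host)        # literal IP, incl. IPv6 forms
    except ValueError:
        resolved = resolve(host)
        if resolved is None:
            return "host does not resolve"
        addr = ipaddress.ip_address(resolved)
    if not addr.is_global:                       # loopback, link-local, RFC 1918, ...
        return "resolves to non-public address %s" % addr
    if host not in ALLOWED_HOSTS:
        return "host not in allowlist: %s" % host
    return None
```

Two caveats the test exercise should cover: the address check must be applied to the IP that the HTTP client ends up connecting to (a second DNS lookup inside the client reopens the hole), and redirects returned by an allowlisted host need the same check before being followed.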

Note: Blog based on publicly available information.
