Web-App Checklist Pentest

This is the checklist focused on pen-testing(dynamic assessment) of web applications, while most of the items can be also assessed by code auditing.

The checklist is based on the OWASP testing guide V4. Some items that are not practically helpful to assess security(e.g. finding security vulnerabilities) are excluded, because they refer to processes(e.g. using proxy) or provide high-level concepts(e.g. persistent attacks), or contains subjective issues (e.g. weak password or security questions)

Checklist - Simple

Input Validation

• Reflected XSS

• Stored XSS

• VERB tampering

• HTTP Parameter pollution

• SQL/ORM Injection

• LDAP injection

• XML External Entity(XXE)

• Server-Side Includes(SSI)

• XPath injection

• Local/Remote File Inclusion

• Command injection

• Buffer overflow

• HTTP response splitting

Session Management

• Bypass session management schema

• Cookies attributes

• Session Fixation

• Exposed Session Variables

• CSRF

• Logout functionality

• Session Timeout

• Session puzzling

Authentication

• Credentials transport over an encrypted channel

• Default credentials

• Weak lock out mechanism

• Bypassing authentication schema(direct page request)

• Bypassing authentication schema(parameter modification)

• Bypassing authentication schema(sql injection)

• Vulnerable remember password

• password reset functionalities

• Weaker authN in alternative channel

Authorization

• Path Traversal

• bypassing authorization schema

• Privilege escalation

• IDOR(Insecure Direct Object Reference)

Client Attack

• DOM XSS

• HTML Injection

• Open redirect

• CSS Injection

• Client Side Resource Manipulation

• Cross Origin Resource Sharing

• Cross Site Flashing

• Clickjacking

• websocket

• web messaging

• Local Storage

Configuration Management

• SSL/TLS

• Known platform vulnerabilities

• Files with sensitive information

• Errors with sensitive information

Business Logic

• Business logic data validation

• Upload of Malicious Files

Checklist - Verbose

Input Validation

• Reflected XSS: Check if HTML/script tags are reflected in the response

• Stored XSS: Check if HTML/script tags can be stored and viewed later when the page is requested

• VERB Tampering: Check if methods other than GET and POST are accepted

• HTTP Parameter pollution: Check if the target responds in any unexpected ways when supplying multiple parameters of the same name

• SQL/ORM Injection: Check if user input requests can manipulate the SQL queries in the backend

• LDAP Injection: Check if unexpected user information can be obtained by user input parameters

• XXE: Check if sensitive information can be retrieved via XXE if the target allows XML input

• SSI: Check if SSI directives can be injected

• XPath Injection: Check if user input requests can manipulate the XPath queries

• File Inclusion: (php) Test if file inclusion is possible via parameters

• Command Injection:Check if OS commands can be run via user input parameters

• Buffer overflow:

  Check if long values in headers, parameters cause crash in the backend

• HTTP response splitting: Check if HTTP splitting is possible when supplying %0d%0a in the user input data

Session Management

• Bypass session management schema: Check if any unexpected ways can cause bypass session management schema

• Cookies attributes: Check cookies if the following attributes are set: HttpOnly, secure

• Session Fixation: Check if the session cookie is the same between before login and after and if an arbitrary(not generated by the server) token can be fixed

• Exposed Session Variables: Check if sensitive information(e.g. session ID) is sent in the GET requests(e.g. In the query string)

• CSRF (Cross-Site Request Forgery): Check if requests can be performed repeatedly without any CSRF preventative mechanism when a user is logged in

• Logout functionality: Check if session is still activated after logout.

• Session Timeout: Check if session is still activated after required session timeout

• Session puzzling: Check if session variables are used in multiple locations and they can be used in unexpected ways

Authentication

• Credentials transport over an encrypted channel: Check if any sensitive data can be accessible via HTTP

• Default credentials: Check if the application can be accessed with default username/password

• Weak lock out mechanism: (only if brute force prevention matters) Check if the lock out mechanism to prevent brute-force attack is properly implemented

• Bypassing authentication schema(direct page request): Check if authentication can be bypassed by direct page request

• Bypassing authentication schema(parameter modification): Check if authentication can be bypassed by parameter modification

• Bypassing authentication schema(sql injection): Check if authentication can be bypassed by SQL injection

• Vulnerable remember password: Check if password is stored in plain-text in a cookie or local store. Examine the hashing mechanism if hashed.

  Verify that the credentials are only sent during the log in phase, and not sent together with every request to the application.

• Test for password reset functionalities: Check if a user can reset other users' password

• Weaker authN in alternative channel: Test in mobile pages, different languages, partner websites

• User enumeration: Check if the server's responses are the same between when log-ins are requested as an existing user and as a non-existent user

Authorization

• Path Traversal: Check if restricted files can be accessed via '../' by testing file-operation related parameters

• bypassing authorization schema: Check if an user can access other users' information or privileges

• Privilege escalation: Check if a normal user can perform admin functions

• IDOR(Insecure Direct Object Reference): Check if a user can perform actions with another user's privilege by modifying parameters

Client Attack

• DOM XSS: Check if XSS is possible in the client side(e.g. In Javascript code, jquery, Angularjs, etc.)

• HTML Injection: Check if any user input is reflected in the HTML code

• Open redirect: Check if users can be forcedly redirected by user input parameters

• CSS Injection: Check where CSS is dynamically structured and if user input data can affect

• Client Side Resource Manipulation: Part of DOM XSS. Main test target is location.hash

• Cross Origin Resource Sharing: Check if Access-Control-Allow-Origin header is set to '*'. Check if requests from another site other than allowed in Access-Control-Allow-Origin header are processed

• Cross Site Flashing: (only if flash/actionscript is available) Check if external data can be input via user input parameters

• Clickjacking: Ensure if X-Frame-Options header exists in the server response.

• websocket: (only if websocket is available) test if there are any security issues

• web messaging (only if web messaging is available): Check how the target is restricting messages from untrusted domain and how the data is handled even for trusted domains.

• Local Storage: Review local storage in the browser and check if sensitive information is stored esp. in plaintext

Configuration Management

• SSL/TLS: Check if SSL/TLS is mis-configured. Tools such as sslscan can be used.

• Known platform vulnerabilities: (if testing running instance)

  Check if infrastructure/application platform's vulnerabilities exist

• Files for sensitive information: Check if default files, old files or backup files expose sensitive information

• Errors with sensitive information: Check if error messages contain sensitive information (e.g. private information, stack trace)

Business Logic

• Business logic data validation: Check if logically invalid data is properly handled

• Upload of Malicious Files: Find where file uploading is possible and check if a file of restricted extensions can be uploaded