Web Application Security Testing Checklist
Hello everyone, Welcome to my Blog!
Today I am going to share how I personally start security testing of any web application, step by step, to make sure I do not miss any security vulnerability in the application. If I have forgotten any vulnerability that should be listed here, please forgive me and let me know in the comment section; I will review it and definitely try to incorporate it.
I will try to keep this list updated, though it might take some time. In the meantime, please have a look at the web application security testing checklist and let me know in the comment section if I have missed any test cases or should add specific test cases for a particular vulnerability.
Let’s Start…
Web Application Security Testing
I personally prefer to start with the black-box approach, where I enumerate banner information and basic, or what I would call network-level, findings that can be identified with any automated tool as well as manually, such as:
- Missing HTTP Security Header (using Burp)
- Cacheable HTTP Responses (using Burp)
- Web vendor/version disclosure (using Burp)
- Track/Trace/Delete method enabled (using Burp)
- Vulnerable components/Outdated framework (using RetireJS, Wappalyzer)
- Cookie not marked Secure/HttpOnly (using Burp)
- SSL/TLSv1.0 (using TestSSL)
- SSL/TLS supports weak ciphers (using TestSSL)
- SSL weak hashing algorithm (using TestSSL)
- Form/Field autocomplete ON (using Browser)
- Hardcoded Sensitive information (using Browser)
- Data replay attack (using Burp)
- Misconfigured CORS (using Burp)
- Host Header Injection (using Burp)
- HTTP Verb Tampering (using Burp)
- Open Redirection (using Burp)
- Sensitive Data in Clear Text (using Burp)
- Unencrypted Communication (using Browser)
- Web application accessible via IP (using Browser)
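As an added example, not code from the original post, here is a Python checker for the first items in that list (missing security headers, cacheable responses, vendor/version disclosure, cookies without Secure/HttpOnly) run over a saved HTTP response; the required-header baseline and the sample response are my assumptions.

```python
import re

# Headers the checklist expects on every response (an assumed baseline, not from the post).
REQUIRED_HEADERS = (
    "strict-transport-security", "content-security-policy",
    "x-frame-options", "x-content-type-options", "referrer-policy",
)

def parse_headers(raw: str) -> list:
    """Split a raw HTTP response into (lowercased name, value) pairs, keeping repeated headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw: str) -> list:
    """Return checklist findings for one saved HTTP response."""
    pairs = parse_headers(raw)
    present = {name for name, _ in pairs}
    findings = []
    for header in REQUIRED_HEADERS:                # Missing HTTP Security Header
        if header not in present:
            findings.append(f"missing header: {header}")
    cache = " ".join(v for n, v in pairs if n == "cache-control").lower()
    if "no-store" not in cache:                    # Cacheable HTTP Response
        findings.append("cacheable response: Cache-Control lacks no-store")
    for name, value in pairs:                      # Web vendor/version disclosure
        if name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.append(f"version disclosure: {name}: {value}")
    for name, value in pairs:                      # Cookie not marked Secure/HttpOnly
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {cookie} lacks {flag}")
    return findings

# Constructed sample response for demonstration; not a capture from any real server.
SAMPLE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"
    "Cache-Control: private, max-age=600\r\nX-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\nSet-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
```

Calling audit_response(SAMPLE) lists the nine findings the constructed response produces; point it at a response saved from Burp to audit a real target.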
Alright, now I will proceed step by step to have a look at every possible vulnerability. When I browse any application, the first thing I usually see is a dashboard with all the information about the business, plus a login and registration page. So let's start digging from the homepage itself.
Login Page:
- No Captcha Implemented
- Username/Email enumeration via verbose failure messages
- Mobile enumeration via verbose failure messages
- Brute Force Possible/No account lockout policy
- Remember me Functionality
- No MFA
- No Forgot Password functionality
- No Virtual Keyboard Supported
- Password is not case sensitive while login
Registration Functionality:
- Username enumeration via verbose failure messages
- No confirm password functionality
- No mobile number verification process
- No email verification process/No account verification process
- Weak Security Question/Answer
- No option to enable multi-factor authentication
- No terms and conditions checkbox during registration
- Nonunique usernames/Predictable usernames
- Lack of User Input Validation (Max Length not Implemented)
Password Functionality:
- No password change functionality post login
- No password history enforcement
- Insufficient password complexity
- Password Policy accepts any Special Characters
- Unverified Password Change/No old password required for new password
- Password change link reused/ does not expire
- Old password link does not expire on new link generation
- Password change token is tied with email id/username
- Reset Password Email flooding
- No minimum time interval between password changes
- Wrong Redirection post password change
- No logout button enabled on Dashboard
- No Email on sensitive action
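As an added example, not code from the original post, a minimal reset-token store showing the server-side behaviour the items above test for: tokens bound to the user they were issued to, single use, expiring, invalidated by a newer link, and rate-limited per user; the lifetime and interval constants are assumed values.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed link lifetime
MIN_REISSUE_SECONDS = 60      # assumed minimum interval between reset emails per user

class ResetTokenStore:
    """In-memory reset-token store: single use, expiring, rate-limited, user-bound."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._records = {}         # sha256(token) -> {"user", "expires", "used"}
        self._last_issued = {}     # user_id -> timestamp of last issued link

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash is stored, so a leaked table does not yield working links
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str):
        """Return a fresh token, or None when a link was issued too recently."""
        now = self._now()
        if now - self._last_issued.get(user_id, float("-inf")) < MIN_REISSUE_SECONDS:
            return None                          # reset-email flooding check
        for rec in self._records.values():       # newer link invalidates older ones
            if rec["user"] == user_id:
                rec["used"] = True
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = {
            "user": user_id, "expires": now + TOKEN_TTL_SECONDS, "used": False}
        self._last_issued[user_id] = now
        return token

    def consume(self, token: str, claimed_user: str) -> bool:
        """Accept the token once, only for the user it was issued to, before expiry."""
        rec = self._records.get(self._digest(token))
        if rec is None or rec["used"] or self._now() > rec["expires"]:
            return False
        if rec["user"] != claimed_user:          # request identity must match server-side binding
            return False
        rec["used"] = True                       # single use
        return True
```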
Authentication Bypass:
- Forced Browsing
- Parameter Modification
- using response manipulation
- using response replay attack
- using OTP bypass/MFA bypass
- leveraging OTP misconfiguration
- Using session ID prediction
- SQL Injection
Session Management:
- Weak token generation/predictable token
- Session fixation
- Multiple Concurrent Sessions Allowed
- No session invalidation after logout/SessionID can be used post logout
- Session timeout not implemented
- Improper Session Management on Password Change
- Back Button Enabled
Authorization Flaw:
- Authentication bypass via invalidation of credentials (Parameter modification)
- Insecure access (without token/OTP/MFA)
- Directory traversal
- File inclusion
- Privilege escalation
- Insecure direct object reference (IDOR)
- Forced browsing
Business logic flaw:
- Business constraint bypass
- Business flow bypass
- Business control bypass
Sensitive data exposure:
- PCI data in clear text
- Sensitive data submission in clear text
- Password without hashing and salting
- Clear text password in response
- Clear text password stored in cookies
- Sensitive data traveled via GET method
- Clear text storage of sensitive information in Database
- Information disclosure
- Internal IP disclosure
Injection:
- SQL injection
  - Error based
  - Union-based
  - Boolean based
  - Time-based
  - Out-of-band
  - Second-order
- Cross-site scripting (XSS)
  - Reflected
  - Stored
  - DOM
  - Blind
- HTML injection
- CSS injection
- Link injection
- Iframe injection
- CSV/Formula injection
- XML injection
- XPath injection
- LDAP injection
- NoSQL Injection
- Command injection
- Server-side template injection
- Host header injection
Other Vulnerabilities:
- Cross-site request forgery
- Server-side request forgery
- File upload
- XML external entity (XXE)
- Insecure deserialization
- HTTP Request smuggling/Desynchronization attack
- HTTP Response splitting/CRLF injection
- HTTP Parameter pollution
- HTTP Verb tampering
- Open redirection
- Clickjacking
- Misconfigured CORS
- Misconfigured referer header
- Data replay attack
- Race condition
- Web cache poisoning
- Web cache deception
Cryptographic Failures:
- Unencrypted HTTP communication
- Self-signed Certificate
- SSL/TLSv1.0
- SSL/TLS supports weak ciphers
- SSL weak hashing algorithm
- TLS fallback is not supported
Other Security Misconfigurations:
- OTP Flooding
- HTTP basic authentication/HTML form-based authentication
- No email/activity alert on sensitive action (account registration/change password)
- Weak/default/predictable username
- Weak/default/predictable password
- HTTP security header missing
- Cookie not marked Secure/HttpOnly
- Cacheable HTTP response
- Web vendor/version disclosure
- Email spoofing
- Vulnerable components/Outdated framework
- Track/Trace/Delete method enabled
- No privacy policy implemented
- Robots.txt file exposure
- Robots.txt file misconfigured
- Admin module exposed publicly
- No separate table for admin and normal user accounts
- No super admin for multiple admin accounts
- Database running with root privileges
- Backup file found on the server
- Hidden/Sensitive/Default files found
- Upload module on public page
- Server time misconfigured
- Insufficient logging and monitoring
Server-side Vulnerabilities are as below:
- SQLi
- Authentication
- Business logic Vulnerabilities
- Access Control
- Server-side Request Forgery
- XXE Injection
- Directory Traversal
- Command Injection
- Information Disclosure
Client-side Vulnerabilities are as below:
- XSS
- CSRF
- CORS
- Clickjacking
- DOM Based Vulnerabilities
- Web Sockets
URL-based vulnerabilities:
- SQL Injection
  - Error based
  - Union based
  - Time-based
- XSS
  - Reflected
  - DOM
- XXE
- File Inclusion
  - LFI
  - RFI
- Directory Traversal
- IDOR
- Privilege Escalation
  - Horizontal
  - Vertical
- OS Command Injection
- SSRF
- Parameter pollution
- Response Splitting/CRLF
Form-based vulnerabilities:
- SQL Injection
- XSS
  - Reflected
  - Stored
  - DOM
  - Blind
- Other Injection
  - HTML
  - CSS
  - iFrame
  - Formula
  - Command
  - SSTI
- XXE
- CSRF
- File Upload
- Clickjacking
Header-based vulnerabilities:
- Host header injection
- Request Smuggling
- Misconfigured CORS
- Verb Tampering
- Misconfigured referer header
- Web cache Poisoning
- Web cache deception
- Data replay attack
- Missing Security Header
- Cookie Issues
- Web Vendor/version disclosure
- Cacheable response
Wrapping Up
Please note that this checklist does not guarantee coverage of all the vulnerabilities present in a web application. Vulnerabilities may depend on business requirements and exposure; hence, some findings can be invalid as per the business requirements or the design.
Thank you