Penetration Testing Checklist
Information Gathering

Initial information gathering is required to understand the application platform, technology, structure, and behavior. The following methods may be utilized, as applicable:

- Conduct search engine discovery and reconnaissance for information leakage
- Fingerprint web server
- Review webserver metafiles (robots.txt, sitemap.xml and similar) for information leakage
- Enumerate applications on webserver
- Review webpage comments and metadata for information leakage
- Identify application entry points
- Map execution paths through application
- Fingerprint web application framework
- Fingerprint web application
- Map network and application architecture

Configuration and Deployment Management Testing

Once the application has been mapped, additional configuration management checks assess the security of the host and application:

- Network/infrastructure configuration
- Application platform configuration
- File extension handling for sensitive information
- Old, backup and unreferenced files containing sensitive information
- Infrastructure and application administrative interfaces
- HTTP methods
- HTTP strict transport security (HSTS)
- RIA cross domain policy
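The information gathering and configuration items above (web server fingerprinting, webserver metafiles, HTTP methods, HSTS) are mostly judged from captured HTTP responses. The following added example, which is not part of the original checklist and not code from any project it is based on, parses a constructed OPTIONS response and a constructed robots.txt and reports the fingerprint headers, the risky methods the server advertises, HSTS weaknesses and the paths the site owner wants hidden. The response bytes, the robots.txt text and the one-year minimum HSTS max-age are assumptions for the example.

```python
"""Offline triage of captured HTTP responses for the information gathering
and configuration checks: fingerprint headers, advertised methods, HSTS and
robots.txt Disallow entries. All inputs below are constructed samples."""
import re

# Constructed sample: a captured reply to an OPTIONS request (not real traffic).
SAMPLE_OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, TRACE, PUT\r\n"
    b"Strict-Transport-Security: max-age=300\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample robots.txt.
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\nAllow: /\n"

FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}
MIN_HSTS_AGE = 31536000  # assumed minimum: one year


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into status line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def fingerprint(headers):
    """Version-disclosing headers that feed the web server / framework fingerprint."""
    return {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}


def risky_methods(headers):
    """Methods from the Allow header that deserve a follow-up request of their own."""
    allow = headers.get("allow", "")
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return sorted(methods & RISKY_METHODS)


def hsts_findings(headers):
    """Weaknesses in the Strict-Transport-Security header, if any."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val
    findings = []
    age = re.fullmatch(r"\d+", directives.get("max-age", ""))
    if not age:
        findings.append("max-age missing or malformed")
    elif int(age.group()) < MIN_HSTS_AGE:
        findings.append(f"max-age {age.group()} below {MIN_HSTS_AGE}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings


def disallowed_paths(robots_txt: str):
    """Disallow entries are candidate admin interfaces and backup directories."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def triage(raw: bytes):
    status, headers, _ = parse_response(raw)
    return {
        "status": status,
        "fingerprint": fingerprint(headers),
        "risky_methods": risky_methods(headers),
        "hsts": hsts_findings(headers),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_OPTIONS_RESPONSE).items():
        print(f"{key}: {val}")
    print("robots.txt hides:", disallowed_paths(SAMPLE_ROBOTS))
```

The Allow header is self-reported; confirm each risky method by actually sending it (a TRACE or PUT that is listed but rejected is not a finding, and one that is not listed but accepted is), and treat the fingerprint values as hints to be verified, since they are trivially spoofed.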
Identity Management Testing

Verification, where appropriate, of account provisioning considerations, such as testing:

- Role definitions
- User registration process
- Account provisioning process (when self-registration is available)
- Account enumeration and guessable user accounts
- Weak or unenforced username policy

Authentication Testing

Testing for authentication-related weaknesses, such as:

- Credentials transported over an encrypted channel (never sent in clear text)
- Default credentials
- Weak lockout mechanisms
- Bypassing the authentication schema
- Remember-password functionality
- Browser cache weaknesses
- Weak password policy
- Weak security question/answer
- Weak password change or reset functionality
- Weak authentication in alternative channels, where available
Authorization Testing

Testing to validate the security of authorization controls, such as:

- Directory traversal/file inclusion
- Bypassing the authorization schema
- Privilege escalation
- Insecure direct object references
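The directory traversal item above is easiest to understand with the unsafe path handling beside the hardened form. The following added example is not part of the original checklist and not code from any project it is based on; it builds a throwaway directory tree in a temporary folder (the file names and contents are constructed for the example) and shows that a plain `os.path.join` reads a file outside the intended directory while the guarded version refuses both the `../` escape and an absolute path.

```python
"""Directory traversal: an unsafe join beside a hardened one, exercised against
a constructed temporary directory tree."""
import os
import tempfile


def unsafe_join(base: str, user_path: str) -> str:
    # Vulnerable on purpose: "../" in user_path walks out of base, and an
    # absolute user_path makes os.path.join discard base altogether.
    return os.path.join(base, user_path)


def safe_join(base: str, user_path: str) -> str:
    """Resolve user_path under base and refuse anything that escapes it.

    Apply this after URL decoding so that encoded forms such as ..%2f are
    already plain characters by the time they are checked."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath avoids the string-prefix trap ("/srv/files" vs "/srv/files2").
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return target


def read(path: str) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def attempt(joiner, base, user_path):
    """Return the file content, or 'BLOCKED' when the joiner rejects the path."""
    try:
        return read(joiner(base, user_path))
    except PermissionError:
        return "BLOCKED"


def demo():
    """Run both joiners over legitimate and hostile inputs; returns a result dict."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "docs")
        os.mkdir(docs)
        # Constructed files: one the user may read, one sitting a level above.
        with open(os.path.join(docs, "report.txt"), "w", encoding="utf-8") as fh:
            fh.write("public report")
        with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("not for users")
        return {
            "unsafe_ok": attempt(unsafe_join, docs, "report.txt"),
            "safe_ok": attempt(safe_join, docs, "report.txt"),
            "unsafe_escape": attempt(unsafe_join, docs, "../secret.txt"),
            "safe_escape": attempt(safe_join, docs, "../secret.txt"),
            "safe_absolute": attempt(safe_join, docs, "/etc/passwd"),
        }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The same pattern of resolving first and comparing against the intended root afterwards is what distinguishes a real fix from a blacklist of `../` strings, which encoded, doubled or mixed-separator variants routinely get past.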
Data Validation Testing

Testing for data validation involves manipulation of input fields, query strings, hidden parameters, and related input methods:

- Reflected cross-site scripting (XSS)
- Stored cross-site scripting (XSS)
- HTTP verb tampering
- HTTP parameter pollution
- SQL injection
- LDAP injection
- ORM injection
- XML injection
- SSI injection
- XPath injection
- IMAP/SMTP injection
- Code injection (local and/or remote)
- Command injection
- Buffer overflow
- Heap overflow
- Stack overflow
- Format string
- Incubated vulnerabilities
- HTTP splitting/smuggling
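SQL injection from the list above is the clearest case of what "manipulation of input fields" means in practice. The following added example is not part of the original checklist and not code from any project it is based on; it runs offline against an in-memory SQLite database with one constructed user row, shows a string-built login query falling to a comment payload and a tautology payload, shows the error probe a tester sends first, and shows the parameterized query resisting all three. The table, the user row and the payload strings are assumptions for the example.

```python
"""SQL injection demonstrated offline against in-memory SQLite: a string-built
login query beside the parameterized fix, plus the probes a tester sends."""
import sqlite3


def build_db():
    # Constructed sample data; nothing here comes from a real application.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    # Deliberately vulnerable: the input is spliced into the SQL text.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    # Hardened: placeholders keep the values out of the SQL grammar entirely.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def probe_error(conn, login):
    """Error-based probe: a lone quote breaks the string-built query, and the
    database error (often reflected to the client) confirms the flaw."""
    try:
        login(conn, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


# Two classic bypasses: a comment that truncates the password check, and a
# tautology that makes the WHERE clause always true.
PAYLOADS = {
    "comment": "alice' -- ",
    "tautology": "' OR 1=1 -- ",
}


def run_checks():
    """Exercise both login variants; True means the login succeeded."""
    conn = build_db()
    results = {
        "vuln_error_probe": probe_error(conn, login_vulnerable),
        "fixed_error_probe": probe_error(conn, login_fixed),
    }
    for name, payload in PAYLOADS.items():
        results[f"vuln_{name}"] = login_vulnerable(conn, payload, "wrong")
        results[f"fixed_{name}"] = login_fixed(conn, payload, "wrong")
    return results


if __name__ == "__main__":
    for key, val in run_checks().items():
        print(f"{key}: {val}")
```

The error probe also illustrates why the error handling item later in this checklist matters: a verbose database error in the response is what turns a blind guess into a confirmed injection point.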
Session Management Testing

An evaluation of session-related vulnerabilities involves testing:

- Bypassing the session management schema
- Cookie attributes
- Session fixation
- Exposed session variables
- Cross-site request forgery (CSRF)
- Logout functionality
- Session timeout
- Session puzzling
Testing for Error Handling

Testing error handling issues as they relate to security, such as analysis of error codes and stack traces.

Testing for Weak Cryptography

Testing to evaluate the effectiveness of encryption-related protections, such as:

- Weak SSL/TLS ciphers and protocol versions
- Insufficient transport layer protection
- Sensitive information sent via unencrypted channels
Business Logic Testing

Testing to determine whether the flow or architecture of the application can be manipulated to gain access to sensitive information or functionality through flaws in business logic, such as:

- Business logic data validation
- Ability to forge requests
- Integrity checks
- Process timing
- Number of times a function can be used
- Circumvention of workflows
- Defenses against application misuse
- Upload of unexpected file types
- Upload of malicious files
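The two upload items in the list above are usually tested by renaming a script to an allowed extension, uploading a file whose content disagrees with its extension, or smuggling a path in the file name. The following added example is not part of the original checklist and not code from any project it is based on; it shows the server-side validation that those tests are looking for: an extension allow-list, a magic-byte check against the declared type, a size limit and a server-generated stored name. The accepted types, the size limit and the sample uploads are assumptions constructed for the example.

```python
"""Upload validation for the file upload items: extension, magic bytes and the
stored name are checked or controlled server-side rather than trusted from the
client. The sample uploads are constructed, not captured."""
import os
import uuid

# Magic-byte signatures for the image types this hypothetical endpoint accepts.
SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit for the example


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason, stored_name); stored_name is None on reject."""
    # Discard any directory component the client supplied (either separator).
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if ext not in SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed", None
    if len(data) > MAX_BYTES:
        return False, "file too large", None
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        return False, f"content does not match {ext} signature", None
    # Never reuse the client's name: a server-generated name defeats double
    # extensions (shell.php.png), traversal and collisions in one step.
    return True, "ok", f"{uuid.uuid4().hex}{ext}"


# Constructed test inputs (not real uploads).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLES = {
    "plain png": ("cat.png", PNG),
    "uppercase ext": ("cat.PNG", PNG),
    "script by extension": ("shell.php", b"<?php echo 1; ?>"),
    "script renamed": ("shell.png", b"<?php echo 1; ?>"),
    "double extension": ("shell.php.png", PNG),
    "traversal in name": ("../../etc/cron.d/job.png", PNG),
    "no extension": ("README", PNG),
}


def run_samples():
    """Validate every sample; returns label -> (accepted, reason)."""
    return {label: validate_upload(fn, data)[:2] for label, (fn, data) in SAMPLES.items()}


if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{label}: {outcome}")
```

A magic-byte check does not defeat polyglots (a valid PNG with script text appended after the image chunks), so the stored file should also live outside the web root and be served with a fixed Content-Type and a download disposition rather than executed or interpreted by the web server.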
Client-side Testing

Assessing vulnerabilities that commonly affect the client side of the application session, such as:

- DOM-based cross-site scripting (XSS)
- JavaScript execution
- HTML injection
- Client-side URL redirect
- CSS injection
- Client-side resource manipulation
- Cross-origin resource sharing (CORS)
- Cross-site flashing
- Clickjacking
- WebSocket insecurities
- Web messaging
- Local storage
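The cookie attributes item in the session management list and the CORS and clickjacking items in the client-side list are all decided by response headers, so one audit routine serves all three. The following added example is not part of the original checklist and not code from any project it is based on; it takes the lower-cased headers of a captured response (with the Set-Cookie values kept as a list, since several may appear) and the Origin the request carried, and reports cookies missing Secure, HttpOnly or a Lax/Strict SameSite, an arbitrary origin reflected in Access-Control-Allow-Origin, and a page that can be framed. The sample response, the trusted-origin allow-list and the example domains are assumptions constructed for the example.

```python
"""Audit captured response headers for cookie attributes (session management),
CORS policy and framing protection (client-side). Inputs are constructed."""

# Assumed allow-list for the hypothetical target; any other origin is "arbitrary".
TRUSTED_ORIGINS = {"https://app.example"}


def cookie_findings(set_cookie_headers):
    """Missing Secure/HttpOnly/SameSite on each Set-Cookie value."""
    findings = []
    for raw in set_cookie_headers:
        name_value, *parts = raw.split(";")
        name = name_value.partition("=")[0].strip()
        attrs = {}
        for part in parts:
            key, _, value = part.strip().partition("=")
            attrs[key.lower()] = value
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        same_site = attrs.get("samesite", "").lower()
        if same_site not in ("lax", "strict"):
            findings.append(f"{name}: SameSite is {same_site or 'unset'}")
    return findings


def cors_findings(request_origin, headers):
    """CORS policy weaknesses, judged against the Origin the request carried."""
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "null":
        findings.append("null origin allowed (sandboxed iframes can claim it)")
    if acao == "*" and creds:
        # Browsers refuse this combination, but it still shows a careless policy.
        findings.append("wildcard origin combined with credentials")
    if acao and acao == request_origin and request_origin not in TRUSTED_ORIGINS:
        findings.append(f"arbitrary origin {request_origin} reflected"
                        + (" with credentials" if creds else ""))
    return findings


def framing_findings(headers):
    """Clickjacking: neither X-Frame-Options nor CSP frame-ancestors present."""
    xfo = headers.get("x-frame-options", "").strip().upper()
    csp = headers.get("content-security-policy", "").lower()
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp:
        return []
    return ["no X-Frame-Options or CSP frame-ancestors: page can be framed"]


def audit(request_origin, headers, set_cookie_headers):
    return {
        "cookies": cookie_findings(set_cookie_headers),
        "cors": cors_findings(request_origin, headers),
        "framing": framing_findings(headers),
    }


# Constructed sample: reply to a request that carried "Origin: https://evil.example".
SAMPLE_ORIGIN = "https://evil.example"
SAMPLE_HEADERS = {
    "content-type": "application/json",
    "access-control-allow-origin": "https://evil.example",
    "access-control-allow-credentials": "true",
}
SAMPLE_SET_COOKIES = [
    "SESSIONID=a1b2c3d4; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracking=xyz; Path=/",
]

if __name__ == "__main__":
    for key, val in audit(SAMPLE_ORIGIN, SAMPLE_HEADERS, SAMPLE_SET_COOKIES).items():
        print(f"{key}: {val}")
```

To test the CORS item properly, send the same request several times with different Origin values (a foreign domain, a subdomain of the target, a string that merely contains the target's domain, and `null`) and run the audit over each response; a reflected origin combined with Allow-Credentials is the case that lets a hostile page read authenticated responses.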