INFORMATION GATHERING
Open-Source Reconnaissance
Perform Google Dorks search
Perform OSINT
Fingerprinting Web Server
Find the type of Web Server
Find the version details of the Web Server
Looking For Metafiles
o View the robots.txt file
o View the sitemap.xml file
o View the humans.txt file
o View the security.txt file
Enumerating Web Server’s Applications
o Enumerating with Nmap
o Enumerating with Netcat
o Perform a DNS lookup
o Perform a Reverse DNS lookup
Review The Web Contents
o Inspect the page source for sensitive info
o Try to find sensitive JavaScript code
o Try to find any keys
o Make sure the autocomplete is disabled
Identifying Application’s Entry Points
o Identify which HTTP methods are used
o Identify where those methods are used
o Identify the Injection point
Mapping Execution Paths
o Use Burp Suite
o Use Dirsearch
o Use Gobuster
Fingerprint Web Application Framework
o Use the Wappalyzer browser extension
o Use Whatweb
o View URL extensions
o View HTML source code
o View the cookie parameter
o View the HTTP headers
Map Application Architecture
o Map the overall site structure
CONFIGURATION & DEPLOYMENT MANAGEMENT TESTING
Test Network Configuration
o Check the network configuration
o Check for default settings
o Check for default credentials
Test Application Configuration
o Ensure only required modules are used
o Ensure unwanted modules are disabled
o Ensure the server can handle DoS
o Check how the application is handling 4xx & 5xx errors
o Check for the privilege required to run
o Check logs for sensitive info
Test File Extension Handling
o Ensure the server won’t return sensitive extensions
o Ensure the server won’t accept malicious extensions
o Test for file upload vulnerabilities
Review Backup & Unreferenced Files
o Ensure unreferenced files don’t contain any sensitive info
o Check the naming of old and new backup files
o Check the functionality of unreferenced pages
Enumerate Infrastructure & Admin Interfaces
o Try to find the Infrastructure Interface
o Try to find the Admin Interface
o Identify the hidden admin functionalities
Testing HTTP Methods
o Discover the supported methods
o Ensure the PUT method is disabled
o Ensure the OPTIONS method is disabled
o Test access control bypass
o Test for XST attacks
o Test for HTTP method overriding
Test HSTS
o Ensure HSTS is enabled
Test RIA Cross Domain Policy
o Check for Adobe’s Cross Domain Policy
o Ensure it has the least privilege
Test File Permission
o Ensure the permissions for sensitive files
o Test for directory enumeration
Test For Subdomain Takeover
o Test DNS, A, and CNAME records for subdomain takeover
o Test NS records for subdomain takeover
o Test 404 response for subdomain takeover
Test Cloud Storage
o Check the sensitive paths of AWS
o Check the sensitive paths of Google Cloud
o Check the sensitive paths of Azure
IDENTITY MANAGEMENT TESTING
Test Role Definitions
o Test for forced browsing
o Test for IDOR (Insecure Direct Object Reference)
o Test for parameter tampering
o Ensure low-privilege users cannot access high-privilege resources
Test User Registration Process
o Ensure the same user or identity cannot register repeatedly
o Ensure the registrations are verified
o Ensure disposable email addresses are rejected
o Check what proof is required for successful registration
Test Account Provisioning Process
o Check the verification for the provisioning process
o Check the verification for the de-provisioning process
o Check the provisioning rights for an admin user to other users
o Check whether a user is able to de-provision themselves
o Check for the resources of a de-provisioned user
Testing For Account Enumeration
o Check the response when a valid username and password are entered
o Check the response when a valid username and an invalid password are entered
o Check the response when an invalid username and password are entered
o Ensure the rate-limiting functionality is enabled in username and password fields
Test For Weak Username Policy
o Check the response for both valid and invalid usernames
o Check for username enumeration
AUTHENTICATION TESTING
Test For Un-Encrypted Channel
o Check for the HTTP login page
o Check for the HTTP register or sign-in page
o Check for an HTTP forgot-password page
o Check for an HTTP change-password page
o Check for resources on HTTP after logout
o Test for forced browsing to HTTP pages
Test For Default Credentials
o Test with default credentials
o Test organization name as credentials
o Test for response manipulation
o Test for the default username and a blank password
o Review the page source for credentials
Test For Weak Lockout Mechanism
o Ensure the account has been locked after 3-5 incorrect attempts
o Ensure the system accepts only the valid CAPTCHA
o Ensure the system rejects the invalid CAPTCHA
o Ensure the CAPTCHA code is regenerated after a reload
o Ensure CAPTCHA reloads after entering the wrong code
o Ensure the user has a recovery option for a locked-out account
Test For Bypassing Authentication Schema
o Test forced browsing directly to the internal dashboard without login
o Test for session ID prediction
o Test for authentication parameter tampering
o Test for SQL injection on the login page
o Test to gain access with the help of session ID
o Test whether multiple simultaneous logins are allowed
Test For Vulnerable Remember Password
o Ensure that the stored password is encrypted
o Ensure that the stored password is kept on the server side
Test For Browser Cache Weakness
o Ensure proper cache-control is set on sensitive pages
o Ensure no sensitive data is stored in the browser cache storage
Test For Weak Password Policy
o Ensure the password policy is set to strong
o Check for password reusability
o Check that the user is prevented from using their username as a password
o Check for the usage of common weak passwords
o Check that a minimum password length is set
o Check that a maximum password length is set
Testing For Weak Security Questions
o Check for the complexity of the questions
o Check for brute-forcing
Test For Weak Password Reset Function
o Check what information is required to reset the password
o Check for password reset function with HTTP
o Test the randomness of the password reset tokens
o Test the uniqueness of the password reset tokens
o Test for rate limiting on password reset tokens
o Ensure the token expires after being used
o Ensure the token expires after not being used for a long time
Test For Weak Password Change Function
o Check if the old password is required to make a change
o Check for the uniqueness of the forgotten password
o Check for blank password change
o Check for password change function with HTTP
o Ensure the old password is not displayed after it is changed
o Ensure other sessions are destroyed after the password change
Test For Weak Authentication In Alternative Channel
o Test authentication on the desktop browsers
o Test authentication on the mobile browsers
o Test authentication in a different country
o Test authentication in a different language
o Test authentication on desktop applications
o Test authentication on mobile applications
AUTHORIZATION TESTING
Testing Directory Traversal File Include
o Identify the injection point on the URL
o Test for Local File Inclusion
o Test for Remote File Inclusion
o Test Traversal on the URL parameter
o Test Traversal on the cookie parameter
Testing Traversal With Encoding
o Test Traversal with Base64 encoding
o Test Traversal with URL encoding
o Test Traversal with ASCII encoding
o Test Traversal with HTML encoding
o Test Traversal with Hex encoding
o Test Traversal with Binary encoding
o Test Traversal with Octal encoding
o Test Traversal with Gzip encoding
Testing Traversal With Different OS Schemes
o Test Traversal with Unix schemes
o Test Traversal with Windows schemes
o Test Traversal with Mac schemes
Test Other Encoding Techniques
o Test Traversal with Double encoding
o Test Traversal with all characters encoded
o Test Traversal with only special characters encoded
Test Authorization Schema Bypass
o Test for Horizontal authorization schema bypass
o Test for Vertical authorization schema bypass
o Test overriding the target with custom headers
Test For Privilege Escalation
o Identify the injection point
o Test for bypassing the security measures
o Test for forced browsing
o Test for IDOR
o Test for parameter tampering to a high-privilege user
Test For Insecure Direct Object Reference
o Test to change the ID parameter
o Test to add parameters at the endpoints
o Test for HTTP parameter pollution
o Test by adding an extension at the end
o Test with outdated API versions
o Test by wrapping the ID with an array
o Test by wrapping the ID with a JSON object
o Test for JSON parameter pollution
o Test by changing the case
o Test for path traversal
o Test by changing words
o Test by changing methods
SESSION MANAGEMENT TESTING
Test For Session Management Schema
o Ensure all Set-Cookie directives are secure
o Ensure no cookie operation takes place over an unencrypted channel
o Ensure the cookie can’t be forced over an unencrypted channel
o Ensure the HTTPOnly flag is enabled
o Check if any cookies are persistent
o Check for session cookies and cookie expiration date/time
o Check for session fixation
o Check for concurrent login
o Check for session after logout
o Check for session after closing the browser
o Try decoding cookies (Base64, Hex, URL, etc)
Test For Cookie Attributes
o Ensure the cookie is set with the Secure attribute
o Ensure the cookie is set with the Path attribute
o Ensure the cookie has the HttpOnly flag
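An added example (not part of the original checklist) that turns the Set-Cookie items above into a small audit: it parses a Set-Cookie value, flags missing Secure/HttpOnly/Path, a persistent Expires/Max-Age, and a missing SameSite, and attempts the URL, hex and Base64 decodings listed under the session management schema. The two header values are constructed for the example.

```python
import base64
import binascii
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Constructed sample Set-Cookie header values (not captured from any real site).
SAMPLE_HEADERS = [
    "SESSIONID=" + base64.b64encode(b"user=alice;role=admin").decode()
    + "; Path=/; HttpOnly; Secure; SameSite=Lax",
    "remember_me=1; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]


def try_decode(value: str) -> Optional[Tuple[str, str]]:
    """Apply the decodings named in the checklist (URL, hex, Base64) and return
    the first one that yields printable text different from the input."""
    attempts = [("url", urllib.parse.unquote(value))]
    try:
        attempts.append(("hex", bytes.fromhex(value).decode("utf-8")))
    except ValueError:
        pass
    try:
        raw = base64.b64decode(value, validate=True)
        attempts.append(("base64", raw.decode("utf-8")))
    except (ValueError, binascii.Error):
        pass
    for kind, text in attempts:
        if text != value and text.isprintable():
            return kind, text
    return None


def audit_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value and report the attribute findings a tester
    would note: Secure, HttpOnly, Path, persistence and SameSite."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "path" not in attrs:
        findings.append("missing Path")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie (Expires/Max-Age set)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax or Strict")
    return {"name": name.strip(), "findings": findings, "decoded": try_decode(value)}


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(audit_set_cookie(header))
```

A decoded cookie value that reveals a username or role, as the first sample does, is itself a finding: it shows the session state is readable and possibly tamperable on the client side.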
Test For Session Fixation
o Ensure new cookies have been issued upon a successful authentication
o Test manipulating the cookies
Test For Exposed Session Variables
o Test for encryption
o Test for GET and POST vulnerabilities
o Test whether a GET request incorporating the session ID is used
o Test by interchanging POST with GET method
Test For Back Refresh Attack
o Test after password change
o Test after logout
Test For Cross Site Request Forgery
o Check if the token is validated on the server-side or not
o Check if the token is validated for full or partial length
o Check by comparing the CSRF tokens for multiple dummy accounts
o Check CSRF by interchanging POST with GET method
o Check CSRF by removing the CSRF token parameter
o Check CSRF by removing the CSRF token and using a blank parameter
o Check CSRF by using unused tokens
o Check CSRF by replacing the CSRF token with its own values
o Check CSRF by changing the content type to form-multipart
o Check CSRF by changing or deleting some characters of the CSRF token
o Check CSRF by renaming the Referer header to Referrer
o Check CSRF by changing the host values
o Check CSRF alongside clickjacking
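An added example (not from the original checklist) showing, on the server side, the difference between a token check that fails the items above and one that passes them: the weak variant accepts a missing or blank parameter and compares only a prefix, while the strong variant requires the parameter, compares the full length in constant time, and only accepts the token bound to the current session. Function names are my own.

```python
import hmac
import secrets
from typing import Optional


def issue_token() -> str:
    """Generate a per-session CSRF token (32 random bytes, hex-encoded)."""
    return secrets.token_hex(32)


def weak_check(session_token: str, submitted: Optional[str]) -> bool:
    """Flawed validation pattern that the checklist items catch: an absent or
    blank parameter is accepted, and only a prefix of the token is compared."""
    if not submitted:
        return True  # missing or blank parameter passes
    return session_token[:8] == submitted[:8]  # partial-length comparison


def strong_check(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """Server-side validation the checklist expects: the parameter must be
    present and non-empty, must match the token bound to this session, and is
    compared over its full length in constant time."""
    if not session_token or not submitted:
        return False
    if len(submitted) != len(session_token):
        return False
    return hmac.compare_digest(session_token.encode(), submitted.encode())


if __name__ == "__main__":
    token = issue_token()
    for label, candidate in [("valid", token), ("truncated", token[:16]),
                             ("blank", ""), ("absent", None)]:
        print(f"{label}: weak={weak_check(token, candidate)} "
              f"strong={strong_check(token, candidate)}")
```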
Test For Logout Functionality
o Check the log out function on different pages
o Check for the visibility of the logout button
o Ensure after logout the session was ended
o Ensure that after logout the dashboard cannot be accessed by pressing the back button
o Ensure proper session timeout has been set
Test For Session Timeout
o Ensure a session timeout exists
o Ensure after the timeout, all of the tokens are destroyed
Test For Session Puzzling
o Identify all the session variables
o Try to break the logical flow of the session generation
Test For Session Hijacking
o Test session hijacking on a target that doesn’t have HSTS enabled
o Test by logging in with the help of captured cookies
INPUT VALIDATION TESTING
Test For Reflected Cross Site Scripting
o Ensure these characters are filtered: < > ' " &
o Test with a character escape sequence
o Test by replacing < and > with the HTML entities &lt; and &gt;
o Test payload with both lower and upper case
o Test breaking the firewall regex with a newline (\r\n)
o Test with double encoding
o Test with recursive filters
o Test injecting anchor tags without whitespace
o Test by replacing whitespace with bullets
o Test by changing HTTP methods
Test For Stored Cross Site Scripting
o Identify stored input parameters that will reflect on the client-side
o Look for input parameters on the profile page
o Look for input parameters on the shopping cart page
o Look for input parameters on the file upload page
o Look for input parameters on the settings page
o Look for input parameters on the forum, comment page
o Test uploading a file with XSS payload as its file name
o Test with HTML tags
Test For HTTP Parameter Pollution
o Identify the backend server and parsing method used
o Try to access the injection point
o Try to bypass the input filters using HTTP Parameter Pollution
Test For SQL Injection
o Test SQL Injection on authentication forms
o Test SQL Injection on the search bar
o Test SQL Injection on editable characteristics
o Try to find SQL keywords or entry point detections
o Try to inject SQL queries
o Use tools like SQLmap or Hackbar
o Use Google dorks to find the SQL keywords
o Try GET based SQL Injection
o Try POST based SQL Injection
o Try COOKIE based SQL Injection
o Try HEADER based SQL Injection
o Try SQL Injection with null bytes before the SQL query
o Try SQL Injection with URL encoding
o Try SQL Injection with both lower and upper cases
o Try SQL Injection with SQL Tamper scripts
o Try SQL Injection with SQL Time delay payloads
o Try SQL Injection with SQL Conditional delays
o Try SQL Injection with Boolean based SQL
o Try SQL Injection with Time based SQL
Test For LDAP Injection
o Use LDAP search filters
o Try LDAP Injection for access control bypass
Testing For XML Injection
o Check if the application is using XML for processing
o Identify the XML Injection point by XML metacharacter
o Construct XSS payload on top of XML
Test For Server Side Includes
o Use Google dorks to find the SSI
o Construct RCE on top of SSI
o Construct other injections on top of SSI
o Test Injecting SSI on login pages, header fields, referrer, etc
Test For XPATH Injection
o Identify XPATH Injection point
o Test for XPATH Injection
Test For IMAP SMTP Injection
o Identify IMAP SMTP Injection point
o Understand the data flow
o Understand the deployment structure of the system
o Assess the injection impact
Test For Local File Inclusion
o Look for LFI keywords
o Try to change the local path
o Use the LFI payload list
o Test LFI by adding a null byte at the end
Test For Remote File Inclusion
o Look for RFI keywords
o Try to change the remote path
o Use the RFI payload list
Test For Command Injection
o Identify the Injection points
o Look for Command Injection keywords
o Test Command Injection using different delimiters
o Test Command Injection with payload list
o Test Command Injection with different OS commands
Test For Format String Injection
o Identify the Injection points
o Use different format parameters as payloads
o Assess the injection impact
Test For Host Header Injection
o Test for HHI by changing the real Host parameter
o Test for HHI by adding X-Forwarded Host parameter
o Test for HHI by swapping the real Host and X-Forwarded Host parameter
o Test for HHI by adding two Host parameters
o Test for HHI by adding the target values in front of the original values
o Test for HHI by adding the target with a slash after the original values
o Test for HHI with other injections on the Host parameter
o Test for HHI by password reset poisoning
Test For Server Side Request Forgery
o Look for SSRF keywords
o Search for SSRF keywords only under the request header and body
o Identify the Injection points
o Test if the Injection points are exploitable
o Assess the injection impact
Test For Server Side Template Injection
o Identify the Template injection vulnerability points
o Identify the Templating engine
o Use tplmap to exploit
ERROR HANDLING TESTING
Test For Improper Error Handling
o Identify the error output
o Analyze the different outputs returned
o Look for common error handling flaws
o Test error handling by modifying the URL parameter
o Test error handling by uploading unrecognized file formats
o Test error handling by entering unrecognized inputs
o Test error handling by making all possible errors
WEAK CRYPTOGRAPHY TESTING
Test For Weak Transport Layer Security
o Test for DROWN weakness on SSLv2 protocol
o Test for POODLE weakness on SSLv3 protocol
o Test for BEAST weakness on TLSv1.0 protocol
o Test for FREAK weakness on export cipher suites
o Test for Null ciphers
o Test for NOMORE weakness on RC4
o Test for LUCKY 13 weakness on CBC mode ciphers
o Test for CRIME weakness on TLS compression
o Test for LOGJAM on DHE keys
o Ensure the digital certificates have a key length of at least 2048 bits
o Ensure the digital certificates use at least a SHA-256 signature algorithm
o Ensure the digital certificates do not use MD5 or SHA-1
o Ensure the validity of the digital certificate
o Ensure the minimum key length requirements
o Look for weak cipher suites
BUSINESS LOGIC TESTING
Test For Business Logic
o Identify the logic of how the application works
o Identify the functionality of all the buttons
o Test by changing the numerical values into high or negative values
o Test by changing the quantity
o Test by modifying the payments
o Test for parameter tampering
Test For Malicious File Upload
o Test malicious file upload by uploading malicious files
o Test malicious file upload by putting your IP address in the file name
o Test malicious file upload by right-to-left override
o Test malicious file upload by an encoded file name
o Test malicious file upload by an XSS payload in the file name
o Test malicious file upload by an RCE payload in the file name
o Test malicious file upload by an LFI payload in the file name
o Test malicious file upload by an RFI payload in the file name
o Test malicious file upload by an SQL payload in the file name
o Test malicious file upload by other injections in the file name
o Test malicious file upload by inserting the payload inside an image with the bmp.pl tool
o Test malicious file upload by uploading large files (leads to DoS)
CLIENT SIDE TESTING
Test For DOM Based Cross Site Scripting
o Try to identify DOM sinks
o Build payloads for that DOM sink type
Test For URL Redirect
o Look for URL redirect parameters
o Test for URL redirection on domain parameters
o Test for URL redirection by using a payload list
o Test for URL redirection by using a whitelisted word at the end
o Test for URL redirection by creating a new subdomain with the same name as the target
o Test for URL redirection by XSS
o Test for URL redirection by profile URL flaw
Test For Cross Origin Resource Sharing
o Look for “Access-Control-Allow-Origin” on the response
o Use the CORS HTML exploit code for further exploitation
Test For Clickjacking
o Ensure “X-Frame-Options” headers are enabled
o Exploit with iframe HTML code for POC
OTHER COMMON ISSUES
Test For No-Rate Limiting
o Ensure rate limiting is enabled
o Try to bypass rate limiting by changing the case of the endpoints
o Try to bypass rate limiting by adding / at the end of the URL
o Try to bypass rate limiting by adding HTTP headers
o Try to bypass rate limiting by adding HTTP headers twice
o Try to bypass rate limiting by adding Origin headers
o Try to bypass rate limiting by IP rotation
o Try to bypass rate limiting by using null bytes at the end
o Try to bypass rate limiting by using race conditions
Test For EXIF Geodata
o Ensure the website is stripping the geodata
o Test with EXIF checker
Test For Broken Link Hijack
o Ensure there are no broken links
o Test broken links by using the blc tool
Test For SPF
o Ensure the website’s domain has an SPF record
o Test SPF using the nslookup command
Test For Weak 2FA
o Try to bypass 2FA by using poor session management
o Try to bypass 2FA via the OAuth mechanism
o Try to bypass 2FA via brute-forcing
o Try to bypass 2FA via response manipulation
o Try to bypass 2FA by using activation links to login
o Try to bypass 2FA by using status code manipulation
o Try to bypass 2FA by changing the email or password
o Try to bypass 2FA by using a null or empty entry
o Try to bypass 2FA by changing the boolean into false
o Try to bypass 2FA by removing the 2FA parameter on the request
Test For Weak OTP Implementation
o Try to bypass OTP by entering the old OTP
o Try to bypass OTP by brute-forcing
o Try to bypass OTP by using a null or empty entry
o Try to bypass OTP by response manipulation
o Try to bypass OTP by status code manipulation