Web App Checklist

CSRF:

• Verify token presence on necessary forms (Create, Update, Delete)
• Check server-side token length validation
• Ensure server checks for token parameter
• Test server response to empty parameter and missing CSRF token
• Confirm tokens are not session-bound

JWT:

• Ensure None-signing algorithm is not allowed
• Check for leaked secrets
• Verify server secret checks
• Test secret guessability/brute-force resistance

Open redirect bypass:

• Test various bypass techniques (e.g., evil.com/expected.com, Javascript * openRedirects, hidden link open redirects)
• Experiment with bypass characters (e.g., //, https:evil.com, /, %00, @)
• Examine parameter pollution

BAC:

• Test access controls for all user levels
• Evaluate access using different methods (e.g., authorize, JS Functions via developer console, copy-pasting URLs)

IDOR:

• Test across all tenants
• Check access methods similar to BAC

Captcha bypasses:

• Attempt request method changes
• Remove or modify captcha parameters

LFI:

• Test bypass techniques similar to Open redirect bypass
• Experiment with different path traversal techniques (e.g., ../, %2e%2e%2f, ..%5c) to bypass input filters
• Test for log poisoning or user input storage to achieve code execution through LFI
• Examine the inclusion of configuration files or other sensitive files for information disclosure

RFI:

• Test bypass techniques similar to Open redirect bypass
• Experiment with different path traversal techniques (e.g., ../, %2e%2e%2f, ..%5c) to bypass input filters
• Test for log poisoning or user input storage to achieve code execution through LFI
• Examine the inclusion of configuration files or other sensitive files for information disclosure

SQLi:

• Use special characters (e.g., ' " ) to trigger SQL injection
• Utilize SQLmap for testing
• Use time-based techniques (e.g., SLEEP() in MySQL, WAITFOR DELAY in SQL Server) to extract information if the output is not directly visible (blind SQLi)
• Test for out-of-band techniques (e.g., DNS exfiltration) when other methods are not possible
• Exploit second-order SQLi by injecting payloads that get stored and later executed in another part of the application

XXE:

• Test file formats vulnerable to XXE (e.g., SVG, DOCX/XLSX, SOAP)
• Attempt blind SSRF, file exfiltration, and command execution
• Test different XML parsers (e.g., DOM, SAX) to identify vulnerable endpoints
• Utilize out-of-band techniques (e.g., HTTP callbacks, DNS exfiltration) for blind XXE exploitation
• Experiment with different encoding or obfuscation methods (e.g., using CDATA sections, XML entity expansion) to bypass input filters or security measures

Template injections (CSTI/SST):

• Test basic template injection payloads ${{7*9}}
• Identify templating engine and refer to manuals for potential exploits
• Employ encoding techniques for special characters
• Identify the templating engine in use (e.g., Jinja2, Twig, Mako) and craft payloads specific to the engine
• Use encoding, obfuscation, or other techniques to bypass input filters or security measures Escalate impact by chaining template injection with other vulnerabilities (e.g., XSS, RCE)

XSS:

• Test payload injection into input fields and reflected parameters
• Identify reflection context and craft attack vector accordingly
• Test various encoding and obfuscation techniques
• Check for and attempt to bypass CSP
• Test for DOM-based XSS by analyzing JavaScript code and manipulating variables used in the DOM
• Experiment with different encoding techniques (e.g., HTML entities, URL encoding, Unicode) to bypass * * input filters and WAFs
• Utilize event handlers (e.g., onload, onerror) or other obscure tags to trigger XSS when common vectors are blocked

SSRF:

• Test SSRF against server itself and other servers on the network
• Use alternative URL schemes (e.g., file://, dict://, gopher://) to interact with internal services or to bypass filters
• Test for IPv6 and other address formats (e.g., octal, decimal, hexadecimal) to bypass IP-based filters Chain SSRF with other vulnerabilities (e.g., XXE, open redirects) to escalate impact

Command injection:

• Test every single parameter for command injection vulnerability
• Compile a list of commands and command separators for the target OS

Admin panel bypass:

• Try referer header manipulation
• Test easy username/password combinations
• Perform directory brute-forcing for unprotected pages

Race conditions:

• Identify and test critical functionalities for potential race conditions
• Simulate concurrent requests to assess system stability

API security testing:

• Test API endpoints for vulnerabilities similar to those in web applications
• Evaluate proper use of authentication and authorization mechanisms
• Check for potential data leaks or unauthorized data access

Insecure deserialization:

• Identify potential points of deserialization in the application
• Test for deserialization vulnerabilities that could lead to arbitrary code execution or data tampering
• Test for insecure deserialization by tampering with serialized data formats (e.g., JSON, XML, PHP serialization) and observing application behavior
• Identify and exploit "gadget chains" to escalate impact and achieve arbitrary code execution
• Employ encryption or encoding bypass techniques to manipulate serialized data

Clickjacking:

• Check if the application is vulnerable to clickjacking attacks
• Verify proper implementation of X-Frame-Options header and other defensive mechanisms

Parameter Pollution:

• Test for potential parameter pollution vulnerabilities in all input fields and URL parameters
• Identify and manipulate repeated parameters to observe application behavior
• Check if any application logic relies on single instances of parameters and can be bypassed or exploited using parameter pollution
• Verify that the application handles repeated parameters consistently and securely

Session Management:

• Test for secure implementation of session cookies (e.g., HttpOnly, Secure, SameSite attributes)
• Evaluate the effectiveness of session expiration and session fixation prevention mechanisms
• Assess the randomness and predictability of session IDs
• Verify proper handling of concurrent sessions and logout functionality

Web Application Firewall (WAF) Evasion:

• Attempt to bypass WAF rules using different evasion techniques (e.g., encoding, obfuscation, HTTP Verb Tampering)
• Evaluate the effectiveness of the WAF in detecting and preventing known attack vectors

File Upload Security:

• Test file upload functionality for potential vulnerabilities (e.g., unrestricted file types, size limitations, handling of malicious content)
• Verify proper access controls for uploaded files to prevent unauthorized access or file manipulation
• Check for secure storage of uploaded files and proper handling of metadata

Account Recovery and Password Reset:

• Evaluate the security of account recovery and password reset mechanisms (e.g., secret questions, email-based resets, multi-factor authentication)
• Test for potential bypasses or weaknesses that may allow unauthorized account access

Unconventional Attack Vectors:

• Investigate less commonly tested functionalities, features, or components that might have been overlooked by developers or other testers
• Explore edge cases, uncommon input types, or rare user interactions that might trigger vulnerabilities

Cross-Platform and Cross-Browser Testing:

• Test the application on different platforms (e.g., mobile, desktop) and browsers, as some vulnerabilities may be platform- or browser-specific

Bug Chaining and Impact Amplification:

• Explore chaining multiple bugs or vulnerabilities together to create a higher impact or escalate privileges, which can potentially lead to higher rewards

Misconfigured or Exposed Infrastructure:

• Check for exposed or misconfigured infrastructure components (e.g., open AWS S3 buckets, unsecured cloud storage, publicly accessible admin interfaces)

Remote Code Execution (RCE):

• Investigate the use of environment variables or process control functions for command injection
• Leverage file upload vulnerabilities to upload and execute a malicious payload
• Bypass execution restrictions by utilizing script interpreters (e.g., Python, Ruby, PHP) or built-in OS functionality (e.g., PowerShell, Bash)