Web application vapt checklist

The document is a comprehensive checklist for application security penetration testing, covering various issues such as authentication, session management, sensitive data exposure, and vulnerabilities like XSS, CSRF, and SQL injection. It provides detailed steps and techniques for identifying and exploiting security weaknesses in web applications. The checklist serves as a guide for security professionals to ensure thorough testing and remediation of potential vulnerabilities.

Uploaded by

bookpdf092
Appsec Pentesting Checklist


Authentication Issues
Response Manipulation (false to true)

Response Manipulation (0 to 1)

Status Code Manipulation

OTP Bruteforce

Captcha Bypass

2FA Code Leakage in Response

Check for null or 0000 OTP

Missing integrity for 2FA or OTP Code

Rate Limiting & Race Condition Issues


Check for no rate limiting (RL)

Check for race conditions on sensitive functions (coupon, add money, like, comment, follow, etc.) using Turbo Intruder


Mass Forgot Password Emails sent (Amazon SES paid service)

Mass SMS Bombing (Mail Chimp paid service)

Add headers such as X-Forwarded-Host, X-Real-IP to bypass rate limiting

Using Burp IP Rotation or Fake IP or any IP Changer Extension or Tool

Session Issues
Session doesn't expire after logout

Failure to invalidate session after password change

Failure to invalidate session after 2FA

Session Fixation (use the same session cookie for another user)

Weak / Easily guessable Session Tokens

Reset password email doesn't expire after email change

Sensitive Data Exposure


Directory Listing with Sensitive Data

Tokens leaked in Github

API Keys in Response, Javascript or Github

Sensitive Data in EXIF

Open S3 Buckets publicly available

Find sensitive data exposure (SDE) by fuzzing using ffuf or Burp Intruder

Cross Site Scripting (XSS)


Spider all URLs with Burp and find common params

Spider urls with Waybackurls


Check whether special characters are blocked or not using kxss

Use common params from gf xss

Use Dorks to identify Params

URL & Double URL Encoded Payloads

Check Stored XSS on all Forms

Check DOM XSS with vulnerable sink & source

Check Blind XSS with xsshunter

Cross Site Request Forgery (CSRF)


Check CSRF Token present in request/response

Remove value of csrf_token and forward to server

Modify value of csrf_token and forward to server

Use another account's csrf token

Remove csrf_token header and forward to server

Open Redirect
Spider all URLs with Burp and find common params like url, redir_url, redirect

Spider urls with Waybackurls

Check urls with most common params with gf patterns

Use Script or any tool to test

SSRF
Spider all URLs with Burp and find common params like url, redir_url, redirect

Spider urls with Waybackurls

Check urls with most common params with gf patterns


Perform port or service scanning with requestcatcher or Burp Collaborator

Try to get sensitive files or metadata from server

Signup using emails like [email protected]

Broken Link hijacking


Check using brokenlinkcheck.com

Install blc and test for broken Links

Walk through the webapp and check for broken links manually

CORS
Check using curl with command → curl "https://example.com" -H "Origin: evil.com" -I

Check using Burp: add an Origin header, i.e. Origin: attacker.com or Origin: null or Origin: attacker.target.com or Origin: target.attacker.com

Check Response Headers for ACAO: evil.com, ACAC: true

1. Best case
Access-Control-Allow-Origin: evil.com
Access-Control-Allow-Credentials: true

2. Best case
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true

3. Bad Implementation, Not Exploitable
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
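A small triage helper for the three CORS cases above, written for checking your own application's responses; this is an added example, not part of the original checklist. It parses the raw header block that the curl -I command prints, and the probe origin and sample responses are constructed for the demonstration.

```python
"""Classify CORS response headers into the three cases the checklist lists."""
from typing import Dict, Tuple

ACAO = "access-control-allow-origin"
ACAC = "access-control-allow-credentials"

# Constructed probe origin: a value the server should never reflect verbatim.
PROBE_ORIGIN = "https://probe.example"

# Constructed sample responses, one per checklist case plus a safe one.
SAMPLE_CASE1 = ("HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://probe.example\r\n"
                "Access-Control-Allow-Credentials: true\r\n")
SAMPLE_CASE2 = ("HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: null\r\n"
                "Access-Control-Allow-Credentials: true\r\n")
SAMPLE_CASE3 = ("HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n"
                "Access-Control-Allow-Credentials: true\r\n")
SAMPLE_SAFE = "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://app.example\r\n"


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response header block into a dict keyed by lower-cased names."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_cors(raw: str, probe_origin: str) -> Tuple[str, str]:
    """Return (case, verdict) for a response to a request that sent Origin: probe_origin."""
    h = parse_headers(raw)
    acao = h.get(ACAO)
    creds = h.get(ACAC, "").lower() == "true"
    if acao is None:
        return "no-acao", "ok: browser blocks cross-origin reads"
    if acao == probe_origin and creds:
        return "case-1", "critical: arbitrary origin reflected with credentials"
    if acao == "null" and creds:
        return "case-2", "high: null origin allowed with credentials"
    if acao == "*" and creds:
        return "case-3", "misconfiguration: browsers reject * with credentials"
    if acao in (probe_origin, "null", "*"):
        return "no-creds", "low: origin allowed but without credentials"
    return "fixed-origin", "ok: only a fixed allow-list origin is returned"


if __name__ == "__main__":
    for sample in (SAMPLE_CASE1, SAMPLE_CASE2, SAMPLE_CASE3, SAMPLE_SAFE):
        print(classify_cors(sample, PROBE_ORIGIN))
```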

HTML Injection
Check by entering <h1>attacker</h1> in search fields

Check by entering <h1>attacker</h1> in Reset password

If HTML tags get executed, use <h1>attacker</h1><a href="evil.com">Click here</a> and send to victim

SQLi
Identify Params by spidering the web app using burp or wayback

Add single or double quotes to trigger an error and check the response (' or ")

Check Auth bypass with boolean logic (rohit' OR '1'='1)

Use SQLMap --batch --banner --dbs --tables --columns --dump

Use SQLMap --os-shell --sql-shell to escalate to a shell

Local File Inclusion


Identify Params by spidering the web app using burp or wayback

Check for most common params using gf xss like file= , document=

Try to read /etc/passwd

Also try to read other files

Try escalating to RCE

Remote Code Execution


Identify Params by spidering the web app using burp or wayback

Check for most common params using gf patterns like cmd= , exec= etc..

Try to execute commands like id

Check for Exploits for Rce like Apache struts

Fuzz the application to check for RCE with a slug and the id command, and search for its output in the response