Web Application Vulnerabilities Checklist

Parameter Checklist

- URL request
- URL encoding
- Query string
- Header
- Cookie
- Form field
- Hidden field
- Client-side validation
- ‘Tainted’ parameters
- Min/Max lengths
- Concatenate commands

EC-Council

Determine policies for access to content and functions.

Credential Management

Password storage

Password change

User Update section

Password strength

Lockout policy

Login attempts allowed

Session Management

Token protection

Session duration

Idle time duration

Guess session ID format

Transferred in URL or body?

Is session ID linked to the IP address?

Change Referer header

Backend Authentication

Trust relationships

Encryption

Plaintext password in HTML

Password in configuration file.

XSS

Which type: stored or reflected?

Check 404/500 error pages for returned information.

Input validation

Misconfiguration

Nikto results

Nessus results

Patch level

Directory listing

Directory permissions

Error messages

Default username/password

SSL certificate configuration

Debug or configuration files

Check for latest vulnerabilities

Unwanted

Backup files

Default files

Services

Remote admin access


Flaws in access control?

Check for path traversal.

Client-side caching

Check header

Check metatag

Determine file permissions

SQL injection

Mirror website and search for all input parameters

Gain database-related information

Error messages

Privileges given to the webserver or database

OS calls

Using any interpreter?

OS service calls (e.g. Sendmail)

Mirror and search code for all calls to external sources.

Privileges given to other services and webserver.


Complete check of information returned in error messages.

Guess application logic through error codes and messages.

Deconstruction of binary codes (if any)

Is critical data secured and encrypted?

Examine

Token

Cookie

SSID

Serialized Objects

Access points

Regular users

Admin access

Any other?


Ability to brute force at the discovered access points.

Ability to bypass auth. with spoofed tokens

Ability to conduct replay attack.

Forced browsing: does the application keep a check by tracking requests from each user?