├── README.md
├── mob-owasp.md
└── owasp-whhb.md

/README.md:
--------------------------------------------------------------------------------
# Web application security checklist


Basically a combination of the OWASP Web Application Testing Guide and The Web Application Hacker's Handbook.

--------------------------------------------------------------------------------
/mob-owasp.md:
--------------------------------------------------------------------------------
# OWASP checklist mobile security

## V1 - Architecture, design, threat modelling

* [ ] Verify all application components are identified and are known to be needed.
* [ ] Verify that security controls are never enforced only on the client side, but on the respective remote endpoints.
* [ ] Verify that a high-level architecture for the mobile app and all connected remote services has been defined and security has been addressed in that architecture.
* [ ] Verify that data considered sensitive in the context of the mobile app is clearly identified.
* [ ] Verify all app components are defined in terms of the business functions and/or security functions they provide.
* [ ] Verify that a threat model for the mobile app and the associated remote services, which identifies potential threats and countermeasures, has been produced.
* [ ] Verify that all security controls have a centralized implementation.
* [ ] Verify that there is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57.
* [ ] Verify that a mechanism for enforcing updates of the mobile app exists.
* [ ] Verify that security is addressed within all parts of the software development lifecycle.

## V2 - Data storage and Privacy

* [ ] Verify that system credential storage facilities are used appropriately to store sensitive data, such as PII, user credentials or cryptographic keys.
* [ ] Verify that no sensitive data is stored outside of the app container or system credential storage facilities.
* [ ] Verify that no sensitive data is written to application logs.
* [ ] Verify that no sensitive data is shared with third parties unless it is a necessary part of the architecture.
* [ ] Verify that the keyboard cache is disabled on text inputs that process sensitive data.
* [ ] Verify that no sensitive data is exposed via IPC mechanisms.
* [ ] Verify that no sensitive data, such as passwords or PINs, is exposed through the user interface.
* [ ] Verify that no sensitive data is included in backups generated by the mobile operating system.
* [ ] Verify that the app removes sensitive data from views when backgrounded.
* [ ] Verify that the app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use.
* [ ] Verify that the app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.
* [ ] Verify that the app educates the user about the types of personally identifiable information processed, as well as security best practices the user should follow in using the app.

## V3 - Cryptography

* [ ] Verify that the app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.
* [ ] Verify that the app uses proven implementations of cryptographic primitives.
* [ ] Verify that the app uses cryptographic primitives that are appropriate for the particular use-case, configured with parameters that adhere to industry best practices.
* [ ] Verify that the app does not use cryptographic protocols or algorithms that are widely considered deprecated for security purposes.
* [ ] Verify that the app doesn't re-use the same cryptographic key for multiple purposes.
* [ ] Verify that all random values are generated using a sufficiently secure random number generator.

## V4 - Authentication and Session Management

* [ ] Verify that if the app provides users with access to a remote service, an acceptable form of authentication such as username/password authentication is performed at the remote endpoint.
* [ ] Verify that the remote endpoint uses randomly generated session identifiers, if classical server-side session management is used, to authenticate client requests without sending the user's credentials.
* [ ] Verify that the remote endpoint uses server-side signed tokens, if stateless authentication is used, to authenticate client requests without sending the user's credentials.
* [ ] Verify that the remote endpoint terminates the existing session when the user logs out.
* [ ] Verify that a password policy exists and is enforced at the remote endpoint.
* [ ] Verify that the remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times.
* [ ] Verify that sessions are terminated at the remote endpoint or tokens expire after a predefined period of inactivity.
* [ ] Verify that biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain/keystore.
* [ ] Verify that a second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.
* [ ] Verify that step-up authentication is required to enable actions that deal with sensitive data or transactions.
* [ ] Verify that the app informs the user of all login activities with his or her account. Users are able to view a list of devices used to access the account, and to block specific devices.


## V5 - Network Communication

* [ ] Verify that data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.
* [ ] Verify that the app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a valid CA are accepted.
  - [ ] Generate a self-signed certificate and make Burp use it.
  - [ ] Generate a self-signed certificate with the correct hostname, but from an untrusted CA.
* [ ] Verify that the app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA.
* [ ] Verify that the app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery.
* [ ] Verify that the app only depends on up-to-date connectivity and security libraries.

## V6 - Platform Interaction

* [ ] Verify that the app only requires the minimum set of permissions necessary.
* [ ] Verify that all inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources.
* [ ] Verify that the app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected.
* [ ] Verify that the app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected.
* [ ] Verify that JavaScript is disabled in WebViews unless explicitly required.
* [ ] Verify that WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https). Potentially dangerous handlers, such as file, tel and app-id, are disabled.
* [ ] If native methods of the app are exposed to a WebView, verify that the WebView only renders JavaScript contained within the app package.
* [ ] Verify that object serialization, if any, is implemented using safe serialization APIs.

## V7 - Code Quality and Build Settings
* [ ] Verify that the app is signed and provisioned with a valid certificate.
* [ ] Verify that the app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).
* [ ] Verify that debugging symbols have been removed from native binaries.
* [ ] Verify that debugging code has been removed, and the app does not log verbose errors or debugging messages.
* [ ] Verify that all third-party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities.
* [ ] Verify that the app catches and handles possible exceptions.
* [ ] Verify that error handling logic in security controls denies access by default.
* [ ] Verify that in unmanaged code, memory is allocated, freed and used securely.
* [ ] Verify that free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated.
--------------------------------------------------------------------------------
/owasp-whhb.md:
--------------------------------------------------------------------------------
# Intro

Legend
```
X - NOT VULNERABLE
V - VULNERABLE
N - NOT APPLICABLE
- - NOT TESTED
```

# RECON

id: 1

## Browse the entire application while in Burp

id: 1.1

* URL:
* Username:
* Password:


## Consult Public Sources

id: 1.2

* [ ] Google

```
site:target.com filetype:7z OR filetype:bin OR filetype:bzip2 OR
filetype:egg OR filetype:gzip OR filetype:rar OR filetype:zip OR
filetype:iso OR filetype:dat OR filetype:db OR filetype:sql OR
filetype:indd OR filetype:psd OR filetype:asc OR filetype:csv OR
filetype:docx OR filetype:doc OR filetype:epub

Google limits the number of characters in a query, so split it into several chunks
site:target.com filetype:html OR filetype:htm OR filetype:gdoc OR
filetype:log OR filetype:md OR filetype:odt OR filetype:rtf OR
filetype:odf OR filetype:php OR filetype:ods OR filetype:xls OR
filetype:xlsx OR filetype:conf OR filetype:cnf OR filetype:cfg OR
filetype:temp OR filetype:tmp OR filetype:ppt OR
filetype:txt

site:target.com filetype:java OR filetype:bak OR filetype:old OR
filetype:tar OR filetype:rar OR filetype:tgz OR filetype:gz

site:target.com filetype:pdf
```

* [ ] https://web.archive.org/
* [ ] https://yahoo.com
* [ ] https://bing.com
* [ ] https://netcraft.com/


## Discover Hidden Content

id: 1.3

* [ ] Review comments and other client-side code to find hidden content
* [ ] Sample files, known files
  - dirb https://www.address.blab -f -l -R -z 10 -o address.blab.txt
* [ ] Run it targeting the IP address directly

## Discover DNS

* [ ] Reverse DNS lookup
`dig -x 10.10.10.10`
* [ ] Brute force DNS (recon-ng, recon/domain-hosts/brute-hosts, set source, show hosts)
* [ ] python sublist3r.py -d example.com
* [ ] Zone-transfer test (fierce -dns target.com)


## Enumerate Identifier-Specified Functions

id: 1.5

* [ ] Identify instances where specific functions are accessed by URL parameters
Example: /admin.jsp?action=editUser
* [ ] Fuzz those for other actions

----------------------------------------------------------------------------

# Analyze the Application

## Identify Functionality

* [ ] Core Functionality
* [ ] Security Functionality
* [ ] Peripheral Functionality (error messages, administrative and logging functionality)
* [ ] Functionality that diverges from the standard GUI appearance, parameter naming or navigation mechanism

## Identify Data Entry Points

POST, GET, WS?

* [ ] Identify the Technologies Used
* [ ] Client side (cookies, scripts, Java applets, Flash)
* [ ] Server side (server, scripting language, platform, backend components)
* [ ] Map the Attack Surface
* [ ] Ascertain likely internal structure
* [ ] Identify vulnerabilities related to each functionality
* [ ] Formulate plan to attack - Prioritize

----------------------------------------------------------------------------

# Basic tests

* [ ] Check Same-Origin Policy Configuration
* [ ] Check for presence of Headers:
Expires, Cache-control: no-cache, Pragma, HSTS
* [ ] Check for /crossdomain.xml
* [ ] Check /clientaccesspolicy.xml
* [ ] Check for Local Privacy Vulnerabilities



# Static analysis of JavaScript


* [ ] Increase attack surface by looking for URLs and domains
* [ ] Sensitive information (passwords, API keys, storage etc)
* [ ] Potentially dangerous areas in code (eval, dangerouslySetInnerHTML etc)
* [ ] Components with known vulnerabilities (outdated frameworks etc)


## Test Transmission of Data Via the Client

* [ ] Locate hidden fields, cookies and URL parameters
* [ ] Try to deobfuscate obfuscated data (like ViewState or other)
* [ ] Identify Client-Side Controls Over User Input
* [ ] Test if the controls are replicated on the server side
* [ ] Look for disabled content. `input disabled=true`
* [ ] Test Browser Extension Components (Flash, Java applet, etc)


----------------------------------------------------------------------------




# Test the Authentication Mechanism

id: 4.0


## Test Login Mechanism
* [ ] Test for Logic Flaws
* [ ] Test for Fail-Open Conditions
* [ ] Test submitting an empty string as the value
* [ ] Remove the name/value pair
* [ ] Submit very long and very short values
* [ ] Submit strings instead of numbers, and vice versa
* [ ] Submit the same named parameter multiple times, with the same and different values
* [ ] Test any Multistage Mechanisms
* [ ] Proceed through all stages but in a different sequence
* [ ] Test Resilience to Password Guessing - Lock-out mechanism
* [ ] Test Any Impersonation Function
* [ ] Test for Username Enumeration
* [ ] Testing for default credentials (OTG-AUTHN-002)

### If SAML SSO
https://blog.netspi.com/attacking-sso-common-saml-vulnerabilities-ways-find/
* [ ] Identify SAML Response (Response from IdP to SP)
* [ ] Test if message expiration is honored (
- https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
* [ ] Test for XXE

## Test Registration Mechanism
* [ ] Test Password Quality (OTG-AUTHN-007)
* [ ] Test for Username Enumeration
* [ ] Test Username Uniqueness
* [ ] Register the same username twice (if it is blocked, this can be used to enumerate users). If a second account is created, test what happens with collisions.
* [ ] Test Predictability of Autogenerated Credentials. If usernames and passwords are autogenerated, check whether they are generated in a predictable way.
* [ ] Check for Unsafe Transmission of Credentials
* [ ] Check for Unsafe Distribution of Credentials (sent over email)
* [ ] If the application uses an activation email with a URL, test how the URLs are created.
* [ ] Test for Insecure Storage
* [ ] Testing for Weak security question/answer (OTG-AUTHN-008)

## Test two factor authentication (2FA)
* [ ] Check 2FA

## Password reset mechanism
* [ ] Testing for weak password change or reset functionalities (OTG-AUTHN-009)
* [ ] Check if the password reset token can be used several times
* [ ] Check if sessions are invalidated when the password is reset
* [ ] Check for user enumeration
* [ ] Check that the password is not sent in cleartext
* [ ] Check that the password reset token is of high entropy
* [ ] Check that the password reset token is unique and random
* [ ] Check the lifespan of the password reset token (max 24 hours)
* [ ] Check that there is no link to an external page where the token could be sent in the Referer header

## Other Tests
* [ ] Test Any Remember Me/Password Function
* [ ] Testing for Browser cache weakness (OTG-AUTHN-006)
* [ ] Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)

----------------------------------------------------------------------------

# Test the Session Management Mechanism

id: 5

* [ ] Understand the Session Mechanism

If cookie:
* [ ] Identify which token is the session identifier
* [ ] Test Tokens for Meaning
* [ ] Log in with several usernames and record the tokens received. Name the users things like A, AA, AAA, AAAAA, AAAAB
* [ ] Analyze the token for obfuscation or encoding (base64 etc)
* [ ] Test Tokens for Predictability
* [ ] Generate and capture a large number of session tokens
* [ ] Try to identify any patterns
* [ ] If the session ID is custom-written, use the bit-flipper in Burp.
* [ ] Check for Insecure Transmission of Tokens
* [ ] Check for Disclosure of Tokens in Logs
* [ ] Check Mapping of Tokens to Sessions
* [ ] Check if the session is terminated on the server side when a user logs out
* [ ] Check when cookies expire; if the expiry is in the future, the session stays alive until then.

If JWT:
See: https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/
https://www.ticarpi.com/jwt-tool-attack-methods/
* [ ] Test changing the alg value to none/None - remove the signature but keep the dot
* [ ] Test changing RS256 to HS256
* [ ] Test for a weak secret - brute force the secret key

## Test for Session Fixation (OTG-SESS-003)
* [ ] Check if the session ID is set before the user is authenticated
If the session ID is not reissued to authenticated users, log in as one user, go to the login page again, and log in as another user. If no new session token is issued, the application is vulnerable to session fixation.

## Test for CSRF (OTG-SESS-005)
* [ ] If the app uses CSRF tokens, test their robustness. Can you just use any value?
* [ ] Check Cookie Scope

----------------------------------------------------------------------------

# Test Access Controls

id: 6.0

* [ ] Check vertical access control - identify admin functions and resources. Check if a non-admin can access them. (OTG-AUTHZ-003)
* [ ] Check horizontal access control - try to reach resources of another user at the same level.
* [ ] Check if you can use a token/cookie generated on one application in another (if testing various applications talking to the same API)
* [ ] Test for Insecure Access Control Methods
* [ ] Testing for Insecure Direct Object References (OTG-AUTHZ-004)
* [ ] Look out for control methods like access=read, edit=false.
* [ ] Some access control is based on the Referer.
* [ ] Try crafting HTTP requests that send data with the HEAD/CATS method instead of GET.

----------------------------------------------------------------------------

# Test for Input-Based Vulnerabilities

id: 7.0

Start looking for injections with a basic first fuzzing pass, and analyze its outcome.
Burp's fuzzing list is a good starting point, but make sure to edit it first.


* [ ] Test for SQL Injection
http://rextester.com/l/sql_server_online_compiler
* [ ] Test submitting single and double quotation marks.
* [ ] Test for XSS and Other Response Injections
* [ ] Test for Reflected XSS (OTG-INPVAL-001)
* [ ] Check for parameters (Burp: Analyze target / parameters)
* [ ] Test for HTTP Header Injection
* [ ] Test for Host-header manipulation (add two Host headers, add X-Forwarded-Host). If you can, see: https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
* [ ] Test for Open Redirection
* [ ] Test for Stored Attacks
* [ ] Test for OS Command Injection
* [ ] Test for Path Traversal
* [ ] Test for Script Injection
* [ ] Test for File Inclusion
* [ ] Testing for HTTP Parameter pollution (OTG-INPVAL-004)
* [ ] Testing for NoSQL injection
* [ ] Testing for XML Injection (OTG-INPVAL-008)
* [ ] If the application creates spreadsheets, test for CSV injection

----------------------------------------------------------------------------


# Testing for weak Cryptography

* [ ] Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)
* [ ] RSA Public Key bits:
* [ ] Issuer:
* [ ] Signature Algorithm:
* [ ] Testing for Padding Oracle (OTG-CRYPST-002)
* [ ] Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)

# Business Logic Testing

* [ ] Test Business Logic Data Validation (OTG-BUSLOGIC-001)
* [ ] Test Ability to Forge Requests (OTG-BUSLOGIC-002)
* [ ] Test Integrity Checks (OTG-BUSLOGIC-003)
* [ ] Test for Process Timing (OTG-BUSLOGIC-004)
* [ ] Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005)
* [ ] Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)
* [ ] Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)

# Test file upload

* [ ] Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)
* [ ] Test Upload of Malicious Files (OTG-BUSLOGIC-009)

# Client Side Testing

* [ ] Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)

* [ ] Identify the following APIs:
```
document.location
document.URL
document.URLUnencoded
document.referrer
window.location
```
* [ ] Identify whether any input data from the above-mentioned APIs is passed through the following functions:
```
document.write()
document.writeln()
document.body.innerHTML
eval()
window.execScript()
window.setInterval()
window.setTimeout()
```
* [ ] If the input data is passed through to any of the following functions it might be vulnerable to a redirection attack:
```
document.location
document.URL
document.open()
window.location.href
window.navigate()
window.open()
```

* [ ] Testing for JavaScript Execution (OTG-CLIENT-002)
* [ ] Testing for HTML Injection (OTG-CLIENT-003)
* [ ] Testing for Client Side URL Redirect (OTG-CLIENT-004)
* [ ] Testing for CSS Injection (OTG-CLIENT-005)
* [ ] Testing for Client Side Resource Manipulation (OTG-CLIENT-006)
* [ ] Test Cross Origin Resource Sharing (OTG-CLIENT-007)
* [ ] Testing for Cross Site Flashing (OTG-CLIENT-008)
* [ ] Testing for Clickjacking (OTG-CLIENT-009)
* [ ] Testing WebSockets (OTG-CLIENT-010)
* [ ] Test Web Messaging (OTG-CLIENT-011)
* [ ] Test Local Storage (OTG-CLIENT-012)


# Test for Function-Specific Input Vulnerabilities

id: 8.0

* [ ] Test for SMTP injection
* [ ] Test for Native Software Vulnerabilities
* [ ] Test for Buffer Overflows
* [ ] Test for Integer Vulnerabilities
* [ ] Test for Format String Vulnerabilities
* [ ] Test for SOAP Injection
* [ ] Test for LDAP Injection
* [ ] Test for XPath Injection
* [ ] Test for Back-End Request Injection
* [ ] Test for XXE Injection (https://blog.netspi.com/playing-content-type-xxe-json-endpoints/)
* [ ] If JSON, change the content type to application/xml, change the body to XML format, and follow the link above.

----------------------------------------------------------------------------

# Test for Logic Flaws

id: 9.0

Identify the key attack surface

* [ ] Test Multistage Processes
Skip stages. Access one stage several times. Look for error messages and debug output.
* [ ] Test Handling of Incomplete Input
* [ ] Test Trust Boundaries
* [ ] Test Transaction Logic

----------------------------------------------------------------------------

# Test for Shared Hosting Vulnerabilities

id: 10.0

* [ ] Test Segregation in Shared Infrastructure
* [ ] Test Segregation Between ASP-Hosted Applications

----------------------------------------------------------------------------

# Test for Application Server Vulnerabilities

id: 11.0

* [ ] Perform a port scan of the machine to identify administrative interfaces
* [ ] If found, test default credentials.
* [ ] Test for Default Content
* [ ] Scan with Nikto
* [ ] Examine default content found
* [ ] Test for Dangerous HTTP Methods (OTG-CONFIG-006)
* [ ] Use the OPTIONS method to list HTTP methods available on the server
* [ ] Try each reported method and confirm it
* [ ] Test for Proxy Functionality
* [ ] Test for Virtual Hosting Misconfiguration
* [ ] Send the correct Host header
* [ ] Bogus Host header
* [ ] The server's IP address in the Host header
* [ ] No Host header (use HTTP/1.0 only)
* [ ] Test for Web Server Software Bugs
* [ ] Run Nessus or similar
* [ ] Test for Web Application Firewalling

----------------------------------------------------------------------------


# Miscellaneous Checks

id: 12.0
* [ ] Information disclosure / stack trace

## Test for Debug Parameters

id: 1.6

* [ ] Test debug=true in URLs

Use a cluster-bomb attack in Burp

```
debug true
test yes
hide 1
source on
```

----------------------------------------------------------------------------


# A little bit of everything

http://pentestmonkey.net/

http://sqlzoo.net

https://github.com/Hack-with-Github/Awesome-Hacking/blob/master/README.md

https://html5sec.org/

Various cloud service SSRF endpoints https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb

https://github.com/bl4de/security_whitepapers

## Notes
--------------------------------------------------------------------------------
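The three JWT items in the session-management section (alg switched to none/None with the signature removed, RS256 switched to HS256, and a weak secret) describe what a verifier on the remote endpoint must refuse; the mobile V4 item on server-side signed tokens makes the same demand. The block below is an added example, not code from the checklist or its author: a standard-library HS256 verifier that pins the accepted algorithm server-side instead of trusting the token header, so all three cases fail closed. `SECRET`, `sign_hs256`, `verify_hs256` and `rewrite_alg` are names assumed for this example; `rewrite_alg` only builds the negative test vectors that the verifier is expected to reject.

```python
"""Added example: an HS256 JWT verifier that fails closed on the checklist's
JWT cases (alg none/None, algorithm confusion, weak secret). Stdlib only."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample secret (64 bytes). Real deployments load it from a secret store.
SECRET = b"0f6b1e0c5e9a4b6d8c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b"
MIN_SECRET_BYTES = 32  # refuse secrets short enough to be brute-forced cheaply


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token; used here only to construct the sample inputs."""
    signing_input = f"{_json_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_json_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid, else None.

    The accepted algorithm is fixed by the server and never read from the
    token: that one decision closes both the alg="none" bypass and the
    RS256->HS256 confusion, because any other header value is rejected before
    key material is touched.
    """
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError("HS256 secret too short; weak secrets are brute-forceable")
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)  # "" (signature removed, dot kept) decodes to b""
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None  # rejects "none", "None", "RS256", anything not pinned
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # constant-time compare; an empty signature fails here too
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        return None  # a token must carry an expiry, and it must be honoured
    return claims


def rewrite_alg(token: str, alg: str, keep_signature: bool = True) -> str:
    """Negative test vector: same payload, header alg swapped, signature optional."""
    _, payload_b64, sig_b64 = token.split(".")
    header_b64 = _json_segment({"alg": alg, "typ": "JWT"})
    return f"{header_b64}.{payload_b64}.{sig_b64 if keep_signature else ''}"


if __name__ == "__main__":
    now = 1_700_000_000
    tok = sign_hs256({"sub": "alice", "exp": now + 600}, SECRET)
    print("valid      :", verify_hs256(tok, SECRET, now=now))
    print("alg none   :", verify_hs256(rewrite_alg(tok, "none", keep_signature=False), SECRET, now=now))
    print("alg RS256  :", verify_hs256(rewrite_alg(tok, "RS256"), SECRET, now=now))
    print("expired    :", verify_hs256(tok, SECRET, now=now + 600))
```

When reviewing a real verifier, the point to check is the same one this code makes explicit: whether the algorithm (and therefore the key type) is chosen by the server or taken from the untrusted header.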
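The password reset checks above (token usable only once, sessions invalidated on reset, high-entropy unique random token, lifespan capped at 24 hours) are easiest to judge against an implementation that satisfies all of them. The following is an added example, not the checklist's own code: a reset-token store where the token comes from `secrets.token_urlsafe`, only its hash is stored, redemption consumes it, expiry is bounded, and a completed reset drops every live session of the user. `ResetTokenStore`, its methods and the in-memory dicts standing in for a database are assumptions of this example.

```python
"""Added example: a password-reset token store meeting the checklist's reset
mechanism items (single use, bounded lifetime, CSPRNG entropy, hashed at rest,
session invalidation on reset). In-memory, for illustration."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

TOKEN_BYTES = 32             # secrets.token_urlsafe(32): 256 bits from the OS CSPRNG
MAX_LIFETIME = 24 * 60 * 60  # the checklist's upper bound: 24 hours
DEFAULT_LIFETIME = 15 * 60   # assumed default for this example; shorter is better


@dataclass
class _Pending:
    user: str
    expires_at: float


class ResetTokenStore:
    """Issue and redeem password-reset tokens (assumed API for this example)."""

    def __init__(self, lifetime: int = DEFAULT_LIFETIME):
        if not 0 < lifetime <= MAX_LIFETIME:
            raise ValueError("reset token lifetime must be between 1 second and 24 hours")
        self.lifetime = lifetime
        self._pending: Dict[str, _Pending] = {}   # sha256(token) -> pending reset
        self._sessions: Dict[str, Set[str]] = {}  # user -> live session ids (constructed)

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Persist a hash, not the token: a copy of the table must not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Return a fresh token for `user`; any earlier unused token is revoked."""
        now = time.time() if now is None else now
        self._pending = {fp: p for fp, p in self._pending.items() if p.user != user}
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[self._fingerprint(token)] = _Pending(user, now + self.lifetime)
        return token

    def redeem(self, user: str, token: str, now: Optional[float] = None) -> bool:
        """Consume the token. True at most once, only for its user, only before expiry."""
        now = time.time() if now is None else now
        pending = self._pending.pop(self._fingerprint(token), None)  # pop: single use
        if pending is None or pending.user != user or now >= pending.expires_at:
            return False
        self._sessions.pop(user, None)  # a completed reset ends every existing session
        return True

    def open_session(self, user: str) -> str:
        sid = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions.setdefault(user, set()).add(sid)
        return sid

    def session_is_live(self, user: str, sid: str) -> bool:
        return sid in self._sessions.get(user, set())


if __name__ == "__main__":
    store = ResetTokenStore(lifetime=900)
    sid = store.open_session("alice")
    token = store.issue("alice", now=1000.0)
    print("first redeem :", store.redeem("alice", token, now=1100.0))   # True
    print("session live :", store.session_is_live("alice", sid))      # False
    print("second redeem:", store.redeem("alice", token, now=1100.0))  # False
```

The token is never compared directly; it is hashed and looked up, so a timing side channel on the comparison is not a concern, and the 43-character urlsafe string leaves nothing for the "test tokens for predictability" step to find.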
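The DOM-based XSS item under Client Side Testing lists the sources to identify, the execution sinks and the redirect sinks, and the JavaScript static-analysis section adds eval and dangerouslySetInnerHTML to look for. The block below is an added example, not from the checklist: a line-oriented scanner over those names that reports each hit and flags a sink when a source is read on the same line. `scan_js`, `Finding` and `tainted_sinks` are assumed names, the JavaScript sample is constructed, and the same-line taint rule is a deliberate simplification (flows through variables need a real dataflow analysis, which this does not attempt).

```python
"""Added example: static scan for the DOM XSS sources and sinks listed in the
checklist. Line-oriented; taint is only inferred within a single line."""
import re
from typing import List, NamedTuple

# Sources from the checklist. The page lists document.URLEncoded; the legacy
# IE-only DOM property is document.URLUnencoded, so both spellings are accepted.
SOURCES = ["document.location", "document.URL", "document.URLEncoded",
           "document.URLUnencoded", "document.referrer", "window.location"]
# Execution sinks. A trailing "()" marks a call; other entries are assigned properties.
# dangerouslySetInnerHTML comes from the JavaScript static-analysis section.
EXEC_SINKS = ["document.write()", "document.writeln()", "document.body.innerHTML",
              "eval()", "window.execScript()", "window.setInterval()",
              "window.setTimeout()", "dangerouslySetInnerHTML"]
REDIRECT_SINKS = ["document.location", "document.URL", "document.open()",
                  "window.location.href", "window.navigate()", "window.open()"]


class Finding(NamedTuple):
    line: int
    kind: str      # "source", "exec-sink" or "redirect-sink"
    name: str      # text as it appears in the script
    tainted: bool  # for sinks: a source is read on the same line


def _compile(names: List[str], assigned: bool):
    alts = []
    for n in names:
        if n.endswith("()"):
            alts.append(re.escape(n[:-2]) + r"(?=\s*\()")    # call sink: needs "("
        elif assigned:
            alts.append(re.escape(n) + r"(?=\s*=(?!=))")      # property sink: needs "="
        else:
            alts.append(re.escape(n))                         # source: any read
    # Whole-token match; case-insensitive so innerHtml/innerHTML both hit.
    return re.compile(r"(?<![\w$.])(" + "|".join(alts) + r")(?![\w$])", re.IGNORECASE)


SOURCE_RE = _compile(SOURCES, assigned=False)
EXEC_RE = _compile(EXEC_SINKS, assigned=True)
REDIRECT_RE = _compile(REDIRECT_SINKS, assigned=True)


def scan_js(script: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(script.splitlines(), 1):
        sinks = [("exec-sink", m) for m in EXEC_RE.finditer(line)]
        sinks += [("redirect-sink", m) for m in REDIRECT_RE.finditer(line)]
        sink_starts = {m.start() for _, m in sinks}
        # A source that starts exactly where an assignment sink starts is the
        # write target (window.location.href = ...), not a read: skip it.
        sources = [m for m in SOURCE_RE.finditer(line) if m.start() not in sink_starts]
        findings += [Finding(lineno, "source", m.group(1), False) for m in sources]
        findings += [Finding(lineno, kind, m.group(1), bool(sources)) for kind, m in sinks]
    return findings


def tainted_sinks(findings: List[Finding]):
    """(line, sink) pairs where a source feeds a sink on the same line."""
    return [(f.line, f.name) for f in findings if f.tainted]


# Constructed sample script for this example.
SAMPLE_JS = """\
var target = window.location.hash.slice(1);
window.location.href = "/home";
eval(document.URL.split("#")[1]);
var u = document.referrer;
setTimeout(function () { render(u); }, 10);
window.open(document.location, "_blank");
document.location = document.referrer;
"""

if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(f)
    print("tainted:", tainted_sinks(SAMPLE_JS and scan_js(SAMPLE_JS)))
```

Line 5 of the sample shows the scanner's blind spots on purpose: `u` carries document.referrer into a callback, and the bare `setTimeout` is not on the page's list (only `window.setTimeout` is), so nothing is reported there. Treat the output as a worklist for manual review, not as a verdict.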