Authentication requires proper security testing to ensure that malicious attackers have no chance to gain access to the application. For instance, if you don’t test for default or auto-generated credentials, you may miss a vulnerability due to passwords and logins (for example, logins of the format firstname.lastname) that can be guessed by tools used by attackers and lead to unauthorized access.
| Tests | Description | Tools |
|---|---|---|
| Testing for Credentials Transported over an Encrypted Channel | Check referrer whether its HTTP or HTTPs. Sending data through HTTP and HTTPS. | Burp Proxy, ZAP |
| Testing for default credentials | Testing for default credentials of common applications, Testing for default password of new accounts. | Burp Proxy, ZAP, Hydra |
| Testing for Weak lock out mechanism | Evaluate the account lockout mechanism’s ability to mitigate brute force password guessing. Evaluate the unlock mechanism’s resistance to unauthorized account unlocking. | Browser |
| Testing for bypassing authentication schema | Force browsing (/admin/main.php, /page.asp?authenticated=yes), Parameter Modification, Session ID prediction, SQL Injection | Burp Proxy, ZAP |
| Test remember password functionality | Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed. Autocompleted=off? | Burp Proxy, ZAP |
| Testing for Browser cache weakness | Check browser history issue by clicking "Back" button after logging out. Check browser cache issue from HTTP response headers (Cache-Control: no-cache) | Burp Proxy, ZAP, Firefox add-on CacheViewer |
| Testing for Weak password policy | "Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of passwords." | Burp Proxy, ZAP, Hydra |
| Testing for Weak security question/answer | Testing for weak pre-generated questions, Testing for weak self-generated question, Testing for brute-forcible answers (Unlimited attempts?) | Browser |
| Testing for weak password change or reset functionalities | Test password reset (Display old password in plain-text?, Send via email?, Random token on confirmation email ?), Test password change (Need old password?), CSRF vulnerability ? | Browser, Burp Proxy, ZAP |
| Testing for Weaker authentication in alternative channel | Understand the primary mechanism and Identify other channels (Mobile App, Call center, SSO) | Browser |
Authorization usually comes right after successful authentication, and the tester will verify this after he holds valid credentials associated with a well-defined set of roles and privileges.The main goal here is to get a comprehensive understanding of how the authorization mechanism works and to see whether it’s possible to trick it.
| Tests | Description | Tools |
|---|---|---|
| Testing Directory traversal/file include | dot-dot-slash attack (../), Directory traversal, Local File inclusion/Remote File Inclusion. | Burp Proxy, ZAP, Wfuzz |
| Testing for bypassing authorization schema | Access a resource without authentication?, Bypass ACL, Force browsing (/admin/adduser.jsp) | Burp Proxy (Autorize), ZAP |
| Testing for Privilege Escalation | Testing for role/privilege manipulate the values of hidden variables. Change some param groupid=2 to groupid=1 | Burp Proxy (Autorize), ZAP |
| Testing for Insecure Direct Object References | Force changing parameter value (?invoice=123 -> ?invoice=456) | Burp Proxy (Autorize), ZAP |
Session management is one of the core components of any web application, as it covers everything from the moment users authenticate until they log out.Making sure that a session management schema can’t be bypassed is the first step of proper security testing for session management. Your goal is to trick an application to give you access to a user account without providing the correct credentials.
| Tests | Description | Tools |
|---|---|---|
| Testing for Bypassing Session Management Schema | SessionID analysis prediction, unencrypted cookie transport, brute-force. | Burp Proxy, ForceSSL, ZAP, CookieDigger |
| Testing for Cookies attributes | Check HTTPOnly and Secure flag, expiration, inspect for sensitive data. | Burp Proxy, ZAP |
| Testing for Session Fixation | The application doesn't renew the cookie after a successfully user authentication. | Burp Proxy, ZAP |
| Testing for Exposed Session Variables | Encryption & Reuse of session Tokens vulnerabilities, Send sessionID with GET method ? | Burp Proxy, ZAP |
| Testing for Cross Site Request Forgery | URL analysis, Direct access to functions without any token. | Burp Proxy (csrf_token_detect), burpy, ZAP |
| Testing for logout functionality | Check reuse session after logout both server-side and SSO. | Burp Proxy, ZAP |
| Test Session Timeout | Check session timeout, after the timeout has passed, all session tokens should be destroyed or be unusable. | Burp Proxy, ZAP |
| Testing for Session puzzling | The application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set in one context and then used in another. | Burp Proxy, ZAP |
Failure to properly validate input data that comes from the client or from the environment before using this data is a common weakness of web applications. It’s associated with many major vulnerabilities including SQL injections, file system attacks, and interpreter injections.
| Tests | Description | Tools |
|---|---|---|
| Testing for Reflected Cross Site Scripting | Check for input validation, Replace the vector used to identify XSS, XSS with HTTP Parameter Pollution. | Burp Proxy, ZAP, Xenotix XSS |
| Testing for Stored Cross Site Scripting | Check input forms/Upload forms and analyze HTML codes, Leverage XSS with BeEF | Burp Proxy, ZAP, BeEF, XSS Proxy |
| Testing for HTTP Verb Tampering | Craft custom HTTP requests to test the other methods to bypass URL authentication and authorization. | netcat |
| Testing for HTTP Parameter pollution | Identify any form or action that allows user-supplied input to bypass Input validation and filters using HPP | ZAP, HPP Finder (Chrome Plugin) |
| Testing for SQL Injection | Union, Boolean, Error based, Out-of-band, Time delay. | Burp Proxy (SQLipy), SQLMap, Pangolin, Seclists (FuzzDB) |
| Oracle Testing | Identify URLs for PL/SQL web applications, Access with PL/SQL Packages, Bypass PL/SQL Exclusion list, SQL Injection | Orascan, SQLInjector |
| MySQL Testing | Identify MySQL version, Single quote, Information_schema, Read/Write file. | SQLMap, Mysqloit, Power Injector |
| SQL Server Testing | Comment operator (- -), Query separator (;), Stored procedures (xp_cmdshell) | SQLMap, SQLninja, Power Injector |
| Testing PostgreSQL | Determine that the backend database engine is PostgreSQL by using the :: cast operator. Read/Write file, Shell Injection (OS command) | SQLMap |
| MS Access Testing | Enumerate the column through error-based (Group by), Obtain database schema combine with fuzzdb. | SQLMap |
| Testing for NoSQL injection | Identify NoSQL databases, Pass special characters (' " \ ; { } ), Attack with reserved variable name, operator. | NoSQLMap |
| Testing for XML Injection | "Check with XML Meta Characters ', "" , <>, , &, , XXE, TAG" | Burp Proxy, ZAP, Wfuzz |
| Testing for SSI Injection | #Presense of .shtml extension #Check for these characters < ! # = / . "" -> and [a-zA-Z0-9]3include String = " | Burp Proxy, ZAP |
| Testing for XPath Injection | "Check for XML error enumeration by supplying a single quote (') Username: ‘ or ‘1’ = ‘1 Password: ‘ or ‘1’ = ‘1" | Burp Proxy, ZAP |
| Testing for Code Injection | "Enter OS commands in the input field. ?arg=1; system('id')" | Burp Proxy, ZAP |
| Testing for Local File Inclusion | LFI with dot-dot-slash (../../), PHP Wrapper (php://filter/convert.base64-encode/resource) | Burp Proxy, fimap, Liffy |
| Testing for Command Injection | "Understand the application platform, OS, folder structure, relative path and execute OS commands on a Web server. %3Bcat%20/etc/passwdtest.pdf+ | +Dir C:" |
| Testing for Buffer overflow | .Testing for heap overflow vulnerability .Testing for stack overflow vulnerability .Testing for format string vulnerability | Immunity Canvas, Spike, MSF, Nessus |
| Testing for incubated vulnerabilities | File Upload, Stored XSS , SQL/XPATH Injection, Misconfigured servers (Tomcat, Plesk, Cpanel) | Burp Proxy, BeEF, MSF |
| Testing for HTTP Splitting/Smuggling | param=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0aSorry,%20System%20Down | Burp Proxy, ZAP, netcat |
Error handling is crucial for proper web application performance and security. It can allow information disclosure thanks to informative error messages and stack traces.
| Tests | Description | Tools |
|---|---|---|
| Analysis of Error Codes | Locate error codes generated from applications or web servers. Collect sensitive information from that errors (Web Server, Application Server, Database) | Burp Proxy, ZAP |
| Analysis of Stack Traces | "# Invalid Input / Empty inputs #Input that contains non alphanumeric characters or query syntax #Access to internal pages without authentication #Bypassing application flow" | Burp Proxy, ZAP |
Cryptography is vital for web applications. The absence of encryption when transferring data between a client and a server makes it possible for hackers to arrange MITM attacks.
| Tests | Description | Tools |
|---|---|---|
| Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection | Identify SSL service, Idectify weak ciphers/protocols (ie. RC4, BEAST, CRIME, POODLE) | testssl.sh, SSL Breacher |
| Testing for Padding Oracle | "Compare the responses in three different states: # Cipher text gets decrypted, resulting data is correct. # Cipher text gets decrypted, resulting data is garbled and causes some exception or error handling in the application logic. # Cipher text decryption fails due to padding errors." | PadBuster, Poracle, python-paddingoracle, POET |
| Testing for Sensitive information sent via unencrypted channels | "Check sensitive data during the transmission:# Information used in authentication (e.g. Credentials, PINs, Session identifiers, Tokens, Cookies…) # Information protected by laws, regulations or specific organizational policy (e.g. Credit Cards, Customers data)" | Burp Proxy, ZAP, Curl |
Even though business logic attacks aren’t new, they’re often underestimated, so it’s best to add business logic to your PenTest testing checklist. Business logic vulnerabilities are unique to each application, potentially damaging, and can only be tested manually. You have to start thinking out of the box in order to find business logic weaknesses in multi-functional web applications.
| Tests | Description | Tools |
|---|---|---|
| Test Business Logic Data Validation | "• Looking for data entry points or hand off points between systems or software.• Once found try to insert logically invalid data into the application/system. " | Burp Proxy, ZAP |
| Test Ability to Forge Requests | "• Looking for guessable, predictable or hidden functionality of fields.• Once found try to insert logically valid data into the application/system allowing the user go through the application/system against the normal busineess logic workflow. " | Burp Proxy, ZAP |
| Test Integrity Checks | "•Looking for parts of the application/system (components i.e. For example, input fields, databases or logs) that move, store or handle data/information.• For each identified component determine what type of data/information is logically acceptable and what types the application/system should guard against. Also, consider who according to the business logic is allowed to insert, update and delete data/information and in each component.• Attempt to insert, update or edit delete the data/information values with invalid data/information into each component (i.e. input, database, or log) by users that .should not be allowed per the busines logic workflow. " | Burp Proxy, ZAP |
| Test for Process Timing | "• Looking for application/system functionality that may be impacted by time. Such as execution time or actions that help users predict a future outcome or allow one to circumvent any part of the business logic or workflow. For example, not completing transactions in an expected time.• Develop and execute the mis-use cases ensuring that attackers can not gain an advantage based on any timing." | Burp Proxy, ZAP |
| Test Number of Times a Function Can be Used Limits | "• Looking for functions or features in the application or system that should not be executed more that a single time or specified number of times during the business logic workflow.• For each of the functions and features found that should only be executed a single time or specified number of times during the business logic workflow, develop abuse/misuse cases that may allow a user to execute more than the allowable number of times." | Burp Proxy, ZAP |
| Testing for the Circumvention of Work Flows | "• Looking for methods to skip or go to steps in the application process in a different order from the designed/intended business logic flow. • For each method develop a misuse case and try to circumvent or perform an action that is ""not acceptable"" per the the business logic workflow. " | Burp Proxy, ZAP |
| Test Defenses Against Application Mis-use | "Measures that might indicate the application has in-built self-defense:• Changed responses • Blocked requests • Actions that log a user out or lock their account" | Burp Proxy, ZAP |
| Test Upload of Unexpected File Types | "• Review the project documentation and perform some exploratory testing looking for file types that should be ""unsupported"" by the application/system. • Try to upload these “unsupported” files an verify that it are properly rejected. • If multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated. PS. file.phtml, shell.phPWND, SHELL~1.PHP" | Burp Proxy, ZAP |
| Test Upload of Malicious Files | "• Develop or acquire a known “malicious” file. • Try to upload the malicious file to the application/system and verify that it is correctly rejected. • If multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated. " | Burp Proxy, ZAP |
This testing aims to check for correct code execution on the client side, which is distinct from the server side, as the client side returns the subsequent content. Client-side testing is typically performed natively within a web browser or browser plugin.
| Tests | Description | Tools |
|---|---|---|
| Testing for DOM based Cross Site Scripting | Test for the user inputs obtained from client-side JavaScript Objects | Burp Proxy, DOMinator |
| Testing for JavaScript Execution | "Inject JavaScript code: www.victim.com/?javascript:alert(1)" | Burp Proxy, ZAP |
| Testing for HTML Injection | "Send malicious HTML code: ?user=<img%20src='aaa'%20onerror=alert(1)>" | Burp Proxy, ZAP |
| Testing for Client Side URL Redirect | "Modify untrusted URL input to a malicious site: (Open Redirect) ?redirect=www.fake-target.site " | Burp Proxy, ZAP |
| Testing for CSS Injection | "Inject code in the CSS context : • www.victim.com/#red;-o-link:'javascript:alert(1)';-o-link-source:current; (Opera [8,12]) • www.victim.com/#red;-:expression(alert(URL=1)); (IE 7/8)" | Burp Proxy, ZAP |
| Testing for Client Side Resource Manipulation | "External JavaScript could be easily injected in the trusted web site www.victim.com/#http://evil.com/js.js" | Burp Proxy, ZAP |
| Test Cross Origin Resource Sharing | "Check the HTTP headers in order to understand how CORS is used (Origin Header)" | Burp Proxy, ZAP |
| Testing for Cross Site Flashing | Decompile, Undefined variables, Unsafe methods, Include malicious SWF (http://victim/file.swf?lang=http://evil | FlashBang, Flare, Flasm, SWFScan, SWF Intruder |
| Testing for Clickjacking | Discover if a website is vulnerable by loading into an iframe, create simple web page that includes a frame containing the target. | Burp Proxy, ClickjackingTool |
| Testing WebSockets | Identify that the application is using WebSockets by inspecting ws:// or wss:// URI scheme.Use Google Chrome's Developer Tools to view the Network WebSocket communication. Check Origin, Confidentiality and Integrity, Authentication, Authorization, Input Sanitization | Burp Proxy, Chrome, ZAP, WebSocket Client |
| Test Web Messaging | Analyse JavaScript code looking for how Web Messaging is implemented. How the website is restricting messages from untrusted domain and how the data is handled even for trusted domains | |
| Test Local Storage | "Determine whether the website is storing sensitive data in the storage. XSS in localstorage http://server/StoragePOC.html# |
Chrome, Firebug, Burp Proxy, ZAP |
Identity management covers account creation and resumption processes. The main goal of identity management pen testing is to make sure that the web application allows users to access only specific information that’s aligned with their roles.
| Tests | Description | Tools |
|---|---|---|
| Test Role Definitions | Validate the system roles defined within the application by creating permission matrix. | Burp Proxy, ZAP |
| Test User Registration Process | "Verify that the identity requirements for user registration are aligned with business and security requirements:" | Burp Proxy, ZAP |
| Test Account Provisioning Process | "Determine which roles are able to provision users and what sort of accounts they can provision." | Burp Proxy, ZAP |
| Testing for Account Enumeration and Guessable User Account | Generic login error statement check, return codes/parameter values, enumerate all possible valid userids (Login system, Forgot password) | Browser, Burp Proxy, ZAP |
| Testing for Weak or unenforced username policy | "User account names are often highly structured (e.g. Joe Bloggs account name is jbloggs and Fred Nurks account name is fnurks) and valid account names can easily be guessed." | Browser, Burp Proxy, ZAP |
| Test Permissions of Guest/Training Accounts | Guest and Training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorisation process required for access.Evaluate consistency between access policy and guest/training account access permissions. | Burp Proxy, ZAP |
| Test Account Suspension/Resumption Process | Verify the identity requirements for user registration align with business/security requirements. Validate the registration process. | Burp Proxy, ZAP |
Reference : https://software-security.sans.org/resources/swat
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent