# Web-Pentesting-Checklist
A comprehensive guide that merges blackbox and whitebox pentesting methodologies to ensure a thorough assessment of web vulnerabilities. This collection documents the security risks an application can be exposed to, with a reference linked for most items.
1. **Preparation:**
   - Obtain proper permissions and approvals for the test.
   - Define the scope of the test.
   - Gather initial information about the target.
2. **Blackbox Testing:**
   - **Reconnaissance:**
     - [Passive](https://kalhara-sampath.medium.com/active-and-passive-information-gathering-techniques-844992cc5df9) information gathering (e.g., using search engines, [WHOIS](https://hacksheets.medium.com/whois-who-owns-a-domain-3bee72a28fd4) lookup).
     - [Active](https://kalhara-sampath.medium.com/active-and-passive-information-gathering-techniques-5b1c15290ee7) information gathering (e.g., [subdomain enumeration](https://medium.com/@anupatel283/subdomain-enumeration-739ab1127f95#:~:text=Subdomain%20Enumeration%20is%20a%20process,get%20security%20issues%20or%20vulnerabilities.), [banner grabbing](https://medium.com/@Infikxion/banner-grabbing-577e829145ba)).
   - **Scanning:**
     - Detect live hosts using tools like [Nmap](https://medium.com/@Aircon/nmap-live-host-discovery-tryhackme-thm-47c5c69f1bd7), [Nuclei](https://blog.projectdiscovery.io/ultimate-nuclei-guide/), [Cloudsploit](https://securityboulevard.com/2021/06/a-complete-guide-on-cloud-penetration-testing/).
     - Service detection and version [enumeration](https://medium.com/purple-team/network-scanning-and-enumeration-4e998752eb10).
   - **Vulnerability Assessment:**
     - Identify vulnerabilities using [automated tools](https://medium.com/@joemcfarland/hack-to-learn-vulnerability-scanning-a43fbae2afc8).
   - **Exploitation:**
     - Try to exploit identified vulnerabilities without knowing the internals.
3. **Whitebox Testing:**
   - **Static Analysis:**
     - [Review source code for vulnerabilities.](https://www.cobalt.io/blog/a-pentesters-guide-to-source-code-review)
     - Analyze configurations and defaults.
   - **Dynamic Analysis:**
     - Test the application's [runtime](https://www.hackerone.com/knowledge-center/what-dast-how-it-works-and-5-key-considerations) behavior.
   - **Software & Architecture Review:**
     - Check if the software is patched to the latest versions.
     - Inspect [architectural design](https://www.hackerone.com/knowledge-center/owasp-top-10-web-app-security-risks-updated-2021) for security best practices.
4. **Specific Web Vulnerabilities:**
   - Test for OWASP Top 10 vulnerabilities:
     - [SQL Injection](https://portswigger.net/web-security/sql-injection)
     - [Cross-Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)
     - [Cross-Site Request Forgery (CSRF)](https://portswigger.net/web-security/csrf)
     - [Security misconfigurations](https://portswigger.net/support/using-burp-to-test-for-security-misconfiguration-issues)
     - [Broken authentication](https://portswigger.net/web-security/authentication) and [session management](https://portswigger.net/burp/documentation/desktop/testing-workflow/session-management)
     - [... and others.](https://owasp.org/www-project-top-ten/)
   - Check for [misconfigurations](https://praniethchandrasekara.medium.com/most-common-web-application-security-vulnerabilities-5-security-misconfiguration-813c33269e15) in web server settings.
   - [Identify insecure direct object references](https://medium.com/@Steiner254/insecure-direct-object-references-idor-16bf0b981b90).
5. **Post Exploitation:**
   - Gather valuable data (if within the scope).
   - Understand the depth of access.
   - Test for lateral movement within the network.
6. **Reporting:**
   - Document all findings.
   - [Prioritize](https://www.brinqa.com/blog/how-to-prioritize-vulnerabilities/#:~:text=Vulnerability%20prioritization%20is%20the%20process,greatest%20threat%20to%20your%20organization.) vulnerabilities based on risk.
   - Provide remediation recommendations.
   - Offer a re-test, if necessary.
7. **Cleanup:**
   - Ensure that all changes made to the system are reverted.
   - Remove any tools or payloads used during the test.
## Table of Contents
* [Information Gathering](#Information)
* [Network Tests](#Network)
* [Secure Transmission](#Transmission)
* [Preparation](#Preparation)
* [Registration](#Registration)
* [Authentication](#Authentication)
* [Authorization](#Authorization)
* [Denial of Service](#Denial)
* [Session Management](#Session)
* [Profile Details](#Profile)
* [Password Recovery](#Password)
* [Data Validation](#Validation)
* [Error Handling](#Error)
* [Application Logic](#Logic)
* [Hosting](#Host)
* [CAPTCHA](#Captcha)
* [Headers](#Headers)
* [Risky Functionality - File Uploads](#File)
* [Risky Functionality - Card Payment](#Card)
* [HTML 5](#HTML)
* [Cryptography](#Cryptography)
* [Business Logic](#Business)
## Pre-Engagement
### <a name="Information">Information Gathering</a>
* [ ] [Identify](https://geekflare.com/what-technology-website-using/) web server & technologies
* [ ] Manually explore the site
* [ ] Spider/[crawl](https://portswigger.net/burp/documentation/scanner/crawling) for missed or hidden content
* [ ] [Subdomains Enumeration](https://medium.com/@_tas/subdomain-enumeration-try-hack-me-learnings-d9def486e5b)
* [ ] [Directory enumeration](../enumeration/web/crawl-fuzz.md)
* [ ] Find [leaked ids, emails](../recon/public-info-gathering.md) \([pwndb](https://github.com/davidtavarez/pwndb)\)
* [ ] Identify [WAF](https://geekflare.com/find-which-waf-is-protecting-a-website/)
* [ ] [Crawl](https://redwerk.com/blog/in-depth-look-at-automated-crawling-of-website-protected-areas/) the whole site for interesting keywords such as password, token, etc.
* [ ] Test for debug parameters
* [ ] Identify [data entry points](https://www.hackerone.com/knowledge-center/attack-surface-and-how-analyze-manage-and-reduce-it)
* [ ] Try to locate /robots.txt /crossdomain.xml /clientaccesspolicy.xml /phpinfo.php /sitemap.xml /.DS_Store
* [ ] Review comments on source code
* [ ] Check /.git
* [ ] [Shodan](https://cybertalents.com/blog/shodan-the-search-engine-for-hackers)
* [ ] [Google dorking](https://www.avg.com/en/signal/google-dorks)
* [ ] Check waybackurls \([gau](https://github.com/lc/gau) and [waybackurls](https://github.com/tomnomnom/waybackurls)\)
* [ ] Identify [user roles](https://frontegg.com/guides/user-role-and-permission#:~:text=User%20roles%20and%20permissions%20are%20crucial%20for%20maintaining%20secure%20access,sensitive%20data%20or%20restricted%20areas.)
* [ ] Perform [Web Application Fingerprinting](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework)
* [ ] Identify multiple versions/channels
* [ ] Identify all [hostnames and ports](https://medium.com/@Aircon/nmap-basic-port-scans-tryhackme-thm-c7c3361831f0)
* [ ] Identify technologies used
* [ ] Identify client-side code
* [ ] Identify third-party hosted content
### <a name="Network">Network Tests</a>
* [ ] [Check](https://askubuntu.com/questions/637470/how-to-check-if-icmp-blocking-is-enabled-in-a-system) whether ICMP packets are allowed
* [ ] Check DMARC policies \([spoofcheck](https://github.com/BishopFox/spoofcheck)\)
* [ ] Look for services on ports other than 80 and 443
* [ ] Check UDP ports \([udp-proto-scanner](https://github.com/CiscoCXSecurity/udp-proto-scanner) or nmap\)
* [ ] Test SSL \([testssl](https://github.com/drwetter/testssl.sh)\)
### <a name="Transmission">Secure Transmission</a>
- [ ] Check SSL Version, Algorithms, [Key length](https://www.rapidsslonline.com/ssl/how-to-verify-the-ssl-key-length/#:~:text=The%20key%20size%20varies%20depending,yet%20supported%20by%20most%20browsers.)
- [ ] Check for [Digital Certificate Validity](https://www.keyfactor.com/education-center/how-to-check-ssl-certificate/) (Duration, Signature and CN)
- [ ] Check credentials [only delivered over HTTPS](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel)
- [ ] [Check that the login form is delivered over HTTPS](https://superuser.com/questions/214272/how-to-ensure-https-is-used-to-send-credentials)
- [ ] [Check session tokens only delivered over HTTPS](https://anjarwilujeng.medium.com/session-management-testing-eab5502b6d0d)
- [ ] Check whether HTTP Strict Transport Security ([HSTS](https://www.namecheap.com/support/knowledgebase/article.aspx/9711/38/how-to-check-if-hsts-is-enabled/)) is in use
### <a name="Preparation">Preparation</a>
* [ ] Study site structure
* [ ] Make a list with all possible test cases
## User management
### <a name="Registration">Registration</a>
* [ ] [Duplicate registration](https://shahjerry33.medium.com/duplicate-registration-the-twinning-twins-883dfee59eaf)
* [ ] [Overwrite existing user](https://datadome.co/learning-center/how-to-prevent-account-takeover-attacks/) \(existing user takeover\)
* [ ] Username uniqueness
* [ ] Weak password policy
* [ ] [Insufficient email verification process](https://github.com/KathanP19/HowToHunt/blob/master/Sign_Up_Functionality/Hunting_for_bugs_in_signup_feature.md)
* [ ] [Weak registration implementation](https://imwaiting18.medium.com/weak-registration-implementation-you-need-to-know-about-f90eb46fe16b) or allows disposable email addresses
* [ ] [Fuzz](https://www.synopsys.com/glossary/what-is-fuzz-testing.html#:~:text=Definition,as%20crashes%20or%20information%20leakage.) after user creation to check whether any folder has been overwritten or created with your profile name
* [ ] Try a password consisting only of spaces
### <a name="Authentication">Authentication</a>
* [ ] [Username enumeration](https://www.virtuesecurity.com/kb/username-enumeration/#:~:text=What%20is%20username%20enumeration%3F,username%20is%20invalid%E2%80%9D%20is%20returned.)
* [ ] Resilience to password guessing
* [ ] Account recovery function
* [ ] "Remember me" function
* [ ] [Impersonation function](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication)
* [ ] Autocomplete function on input forms
* [ ] [Unsafe distribution of credentials](https://owasp.org/www-community/attacks/Credential_stuffing)
* [ ] [Fail-open conditions](https://www.keysight.com/blogs/tech/nwvs/2020/05/20/fail-closed-fail-open-fail-safe-and-failover-abcs-of-network-visibility#:~:text=A%20system%20set%20to%20fail,deemed%20more%20important%20that%20authentication.)
* [ ] [Multi-stage mechanisms](https://veridiumid.com/multi-step-vs-multi-factor-authentication/)
* [ ] [SQL Injections](../enumeration/web/sqli.md)
* [ ] Lack of password confirmation on change email, password or 2FA
* [ ] [Weak login function](https://www.cobalt.io/vulnerability-wiki/v2-authentication/weak-login-function) over HTTP and HTTPS if both are available
* [ ] Check for password wordlist \([cewl](https://github.com/digininja/CeWL) and [burp-goldenNuggets](https://github.com/GainSec/GoldenNuggets-1)\)
* [ ] Test OAuth login functionality for [Open Redirection](../enumeration/web/ssrf.md)
* [ ] Test response tampering in [SAML](../enumeration/webservices/onelogin-saml-login.md) authentication
* [ ] For OTP, check for guessable codes and race conditions
* [ ] If [JWT](../enumeration/webservices/jwt.md), check common flaws
* [ ] [Browser cache weakness](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses) \(e.g. Pragma, Expires, Max-age\)
### <a name="Authorization">Authorization</a>
- [ ] Test for [path traversal](https://portswigger.net/support/using-burp-to-test-for-path-traversal-vulnerabilities)
- [ ] Test for [bypassing authorization schema](https://darahbiru.medium.com/how-to-perform-authorization-testing-based-on-owasp-c5f013be32b2)
- [ ] Test for vertical access control problems (a.k.a. [Privilege Escalation](https://portswigger.net/web-security/access-control))
- [ ] Test for horizontal access control problems ([between two users at the same privilege level](https://portswigger.net/web-security/access-control))
- [ ] Test for missing authorization
### <a name="Denial">Denial of Service</a>
- [ ] Test for [anti-automation](https://medium.com/@KDR9666/insufficient-anti-automation-brute-force-attack-602cedb5edc7)
- [ ] Test for [account lockout](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism)
- [ ] Test for [HTTP protocol DoS](https://ourcodeworld.com/articles/read/949/how-to-perform-a-dos-attack-slow-http-with-slowhttptest-test-your-server-slowloris-protection-in-kali-linux)
- [ ] Test for [SQL wildcard DoS](https://shahjerry33.medium.com/sql-wildcard-dos-hang-till-death-adbae66d1f7b)
- [ ] [Test for NoSQL wildcard DoS](https://bryanavery.co.uk/denial-of-service-dos-attacks-via-sql-wildcards-should-be-prevented/)
- [ ] Test for SQL/NoSQL batching attacks
- [ ] [Test for Validation Limit Fetch/GET/POST/Query](https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html)
### <a name="Session">Session</a>
* [ ] Session handling
* [ ] Test tokens for meaning
* [ ] [Test tokens for predictability](https://portswigger.net/support/using-burp-to-test-session-token-generation)
* [ ] [Insecure transmission of tokens](https://portswigger.net/support/using-burp-to-test-session-token-handling)
* [ ] [Disclosure of tokens in logs](https://blog.eduguru.in/web-hosting-2/disclosure-of-tokens-in-logs)
* [ ] [Mapping of tokens to sessions](https://blog.eduguru.in/uncategorized/vulnerable-mapping-of-tokens-to-sessions)
* [ ] Session termination
* [ ] [Session fixation](https://owasp.org/www-community/attacks/Session_fixation#:~:text=Session%20Fixation%20is%20an%20attack,specifically%20the%20vulnerable%20web%20application.)
* [ ] [Cross-site request forgery](../enumeration/web/csrf.md)
* [ ] [Cookie scope](https://resources.infosecinstitute.com/topics/general-security/cookies-an-overview-of-associated-privacy-and-security-risks/)
* [ ] Decode Cookie \(Base64, hex, URL etc.\)
* [ ] Cookie expiration time
* [ ] [Check](https://www.site24x7.com/tools/secure-cookie-tester.html) HTTPOnly and Secure flags
* [ ] Use same cookie from a different effective IP address or system
* [ ] [Access controls](https://www.fortinet.com/resources/cyberglossary/access-control#:~:text=Access%20Control%20Definition,levels%20are%20granted%20to%20users.)
* [ ] Effectiveness of controls using multiple accounts
* [ ] Check for [concurrent login](https://groups.google.com/g/security-onion/c/98780R5z66k/m/TAag3JKuBAAJ) through different machine/IP
* [ ] Bypass [anti-CSRF](../enumeration/web/csrf.md#csrf-token-bypass) tokens
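The Secure Transmission items (session tokens only over HTTPS, HSTS in use) and the cookie items in the Session list (HttpOnly and Secure flags, expiration time, cookie scope) can be checked mechanically against a captured response. The Python script below is an added example, not part of this checklist or of any linked tool; the HTTP response it parses is constructed for illustration, and the one-year HSTS threshold is the `max-age` browser preload lists require.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response (not captured from a real host): one bare session
# cookie, one hardened cookie, one cookie scoped to every subdomain, and no HSTS.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600\r\n"
    "Set-Cookie: tracking=1; Domain=.example.com; Expires=Wed, 01 Jan 2030 00:00:00 GMT\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # HSTS max-age in seconds required by browser preload lists


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block, keeping duplicates
    such as repeated Set-Cookie lines; names are lower-cased for matching."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookie(set_cookie: str) -> List[str]:
    """Checklist findings for one Set-Cookie value (flags, expiry, scope)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag (can be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag (readable from script)")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append(f"{name}: SameSite not Strict/Lax (CSRF exposure)")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append(f"{name}: no Max-Age/Expires (browser-session cookie)")
    if attrs.get("domain"):
        # Any Domain attribute widens the cookie to every subdomain of that host.
        findings.append(f"{name}: Domain={attrs['domain']} shares cookie with subdomains")
    return findings


def audit_hsts(headers: List[Tuple[str, str]]) -> List[str]:
    """Findings for the Strict-Transport-Security header."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header"]
    hsts = values[0]
    findings = []
    match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
    max_age = int(match.group(1)) if match else 0
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age={max_age} is below one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def audit_response(raw: str) -> Dict[str, List[str]]:
    """Run the cookie and HSTS checks over a raw HTTP response."""
    headers = parse_headers(raw)
    cookies = []
    for name, value in headers:
        if name == "set-cookie":
            cookies.extend(audit_cookie(value))
    return {"cookies": cookies, "hsts": audit_hsts(headers)}


if __name__ == "__main__":
    for section, items in audit_response(SAMPLE_RESPONSE).items():
        print(section.upper())
        for item in items:
            print("  -", item)
```

Feed it the raw response header block saved from a proxy to get the same report for a real target in scope.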
### <a name="Profile">Profile/Account details</a>
* [ ] Find the parameter carrying the user id and tamper with it in order to get the details of other users
* [ ] Create a list of features that pertain only to a user account and try [CSRF](https://www.synopsys.com/glossary/what-is-csrf.html)
* [ ] Change the email address to one that already exists and check whether it is validated on the server or not.
* [ ] Check the new-email confirmation link and what happens if the user doesn't confirm.
* [ ] File [upload](../enumeration/web/upload-bypasses.md): Unsafe File upload, No Antivirus, No Size Limit, File extension, Filter Bypass, [burp](https://github.com/portswigger/upload-scanner)
* [ ] [CSV](https://owasp.org/www-community/attacks/CSV_Injection) import/export: Command Injection, XSS, macro injection
* [ ] Check the profile picture URL for email id/user info or [EXIF](https://er.educause.edu/articles/2021/6/privacy-implications-of-exif-data) geolocation data
* [ ] [ImageTragick](https://www.cobalt.io/blog/imagetragick) in profile picture upload
* [ ] [Metadata](https://github.com/exiftool/exiftool) of all downloadable files
* [ ] Account deletion option: try to reactivate the account with the "Forgot password" feature
* [ ] Try [bruteforce enumeration](https://medium.com/@saiashish3760/naive-vs-greedy-vs-brute-force-f1c9ebba1d2) when changing any unique user parameter.
* [ ] Check whether the application requests re-authentication for sensitive operations
### <a name="Password">Forgot password</a>
* [ ] [Invalidate session](https://gaya3-r.medium.com/failure-to-invalidate-session-on-logout-1063206bef03) on Logout and Password reset
* [ ] [Uniqueness of forgot-password reset link/code](https://www.authgear.com/post/authentication-security-password-reset-best-practices-and-more)
* [ ] [Reset links expiration time](https://www.authgear.com/post/authentication-security-password-reset-best-practices-and-more)
* [ ] Find user id or other sensitive fields in reset link and tamper them
* [ ] Request two password reset links and use the older one
* [ ] Check if many requests have sequential tokens
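Token predictability (Session list) and sequential reset tokens (this list) can both be assessed from a handful of captured samples: fixed character positions contribute no unpredictability, and tokens that decode to integers with a constant step or that only ever grow are counter- or timestamp-based. The Python script below is an added example, not part of this checklist; both token sets are constructed, and `assess` is an illustrative name.

```python
import base64
import binascii
from typing import Dict, List, Optional

# Constructed samples (not real tokens): the first set is a zero-padded counter,
# the second set mimics tokens drawn from a CSPRNG.
SEQUENTIAL_TOKENS = [
    "000000000000012a", "000000000000012b", "000000000000012c",
    "000000000000012d", "000000000000012e",
]
RANDOM_TOKENS = [
    "9f3c0b7e41d2a6c8", "e17a4d90b3f5c2a1", "4b8e2f6d0a93c7e5",
    "c05d7a1e9b24f836", "7ae3c91f5d60b2d4",
]


def fixed_positions(tokens: List[str]) -> List[int]:
    """Character positions that never change across the samples; each one
    contributes nothing to the token's unpredictability."""
    width = min(len(t) for t in tokens)
    return [i for i in range(width) if len({t[i] for t in tokens}) == 1]


def decode_all(tokens: List[str]) -> Optional[List[int]]:
    """Interpret every token with one common encoding (decimal, hex, base64).
    Returns None when no single encoding fits all samples."""
    for base in (10, 16):
        try:
            return [int(t, base) for t in tokens]
        except ValueError:
            continue
    try:
        return [int.from_bytes(base64.b64decode(t, validate=True), "big") for t in tokens]
    except (binascii.Error, ValueError):
        return None


def assess(tokens: List[str]) -> Dict[str, object]:
    """Flag tokens that increment by a constant step (counter-based) or that
    only ever grow (timestamp-like); either lets neighbouring tokens be guessed.
    A handful of samples is only indicative; confirm with a larger capture."""
    ints = decode_all(tokens)
    deltas = None if ints is None else [b - a for a, b in zip(ints, ints[1:])]
    constant_step = deltas is not None and len(deltas) > 0 and len(set(deltas)) == 1
    monotonic = deltas is not None and len(deltas) > 0 and all(d > 0 for d in deltas)
    return {
        "fixed_positions": fixed_positions(tokens),
        "deltas": deltas,
        "constant_step": constant_step,
        "monotonic": monotonic,
        "predictable": constant_step or monotonic,
    }


if __name__ == "__main__":
    for label, sample in (("sequential", SEQUENTIAL_TOKENS), ("random", RANDOM_TOKENS)):
        print(label, assess(sample))
```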
## Input handling
### <a name="Validation">Data Validation</a>
* [ ] [Fuzz](https://medium.com/@Magii/fuzzing-with-postman-599dce6317c7) all request parameters
* [ ] Identify all reflected data
* [ ] [Reflected XSS](../enumeration/web/xss.md)
* [ ] HTTP [header injection](../enumeration/web/header-injections.md) in GET & POST \(X-Forwarded-Host\)
* [ ] [Arbitrary redirection](https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_arbitrary_redirect.htm)
* [ ] Stored attacks
* [ ] [OS command injection](http://portswigger.net/web-security/os-command-injection)
* [ ] Path [traversal](../enumeration/web/lfi-rfi.md)
* [ ] [SMTP injection](https://vk9-sec.com/smtp-injection-attack/)
* [ ] Native software flaws \(buffer overflow, integer bugs, format strings\)
* [ ] [SOAP injection](https://portswigger.net/kb/issues/00100700_xml-injection)
* [ ] [LDAP injection](https://www.cobalt.io/blog/introduction-to-ldap-injection-attack)
* [ ] [XPath injection](https://portswigger.net/kb/issues/00100600_xpath-injection)
* [ ] [XXE](../enumeration/web/xxe.md) in any request, change content-type to text/xml
* [ ] Stored [XSS](../enumeration/web/xss.md)
* [ ] [SQL](../enumeration/web/sqli.md) injection
* [ ] [NoSQL](../enumeration/webservices/nosql-and-and-mongodb.md) injection
* [ ] HTTP Request [Smuggling](../enumeration/web/request-smuggling.md)
* [ ] [Open redirect](../enumeration/web/ssrf.md)
* [ ] [SSRF](../enumeration/web/ssrf.md) in previously discovered open ports
* [ ] [xmlrpc.php DoS](https://servebolt.com/articles/xmlrpc-php/)
* [ ] Test for [Cross Site Flashing](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/08-Testing_for_Cross_Site_Flashing)
* [ ] Test for [Code Injection](https://portswigger.net/support/using-burp-to-test-for-code-injection-vulnerabilities)
* [ ] Test for [Expression Language Injection](https://portswigger.net/kb/issues/00100f20_expression-language-injection)
* [ ] Test for [Overflow](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13.1-Testing_for_Heap_Overflow) (Stack, Heap and Integer)
* [ ] Test for [Format String](https://owasp.org/www-community/attacks/Format_string_attack)
* [ ] Test for [incubated vulnerabilities](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/14-Testing_for_Incubated_Vulnerability)
* [ ] Test for [HTTP Verb Tampering](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering)
* [ ] Test for [Remote File Inclusion](https://www.imperva.com/learn/application-security/rfi-remote-file-inclusion/)
* [ ] Compare client-side and server-side validation rules
* [ ] Test for [HTTP parameter pollution](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution)
* [ ] [Test for Mass Assignment](https://www.vaadata.com/blog/what-is-mass-assignment-attacks-and-security-tips/)
* [ ] Test for NULL/Invalid Session Cookie
### <a name="Error">Error handling</a>
* [ ] Access custom pages like /whatever\_fake.php \(.aspx,.html,.etc\)
* [ ] Add multiple parameters in GET and POST request using different values
* [ ] Add "\[\]", "\]\]", and "\[\[" in cookie values and parameter values to create errors
* [ ] Generate error by giving input as "/~randomthing/%s" at the end of URL
* [ ] Use Burp Intruder ["Fuzzing Full"](https://medium.com/@k43p/fuzzing-web-applications-with-burp-suite-7908e62d20f6) List in input to generate error codes
* [ ] [Try different HTTP verbs](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods) like PATCH or DEBUG, or invalid ones like FAKE
## <a name="Logic">Application Logic</a>
* [ ] Identify the logic [attack surface](https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html#:~:text=Defining%20the%20Attack%20Surface%20of%20an%20Application,-The%20Attack%20Surface&text=The%20Attack%20Surface%20of%20an%20application%20is%3A,logging%2C%20data%20validation%20and%20encoding)
* [ ] Test transmission of data via the client
* [ ] Test for reliance on client-side input validation
* [ ] [Thick-client components](https://www.cyberark.com/resources/threat-research-blog/thick-client-penetration-testing-methodology) \(Java, ActiveX, Flash\)
* [ ] Multi-stage processes for logic flaws
* [ ] Handling of incomplete input
* [ ] [Trust boundaries](https://medium.com/pragmatic-programmers/trust-boundaries-7d81c23f9df9)
* [ ] Transaction logic
* [ ] Check that CAPTCHA is implemented in email forms to avoid flooding
* [ ] Tamper product id, price or quantity value in any action \(add, modify, delete, place, pay...\)
* [ ] Tamper gift or discount codes
* [ ] Reuse gift codes
* [ ] Try stored [XSS](https://medium.com/@wiktorderda/cross-site-scripting-tryhackme-walkthrough-dbdebc0b9a6a) in non-limited fields like address
* [ ] Check whether CVV and card number are in clear text or masked in the payment form
* [ ] Check whether payment is processed by the app itself or sent to third parties
* [ ] [IDOR](https://portswigger.net/web-security/access-control/idor#:~:text=What%20are%20insecure%20direct%20object,the%20OWASP%202007%20Top%20Ten.) on other users' details \(ticket/cart/shipment\)
* [ ] Check PRINT or PDF creation for [IDOR](https://portswigger.net/web-security/access-control/idor#:~:text=What%20are%20insecure%20direct%20object,the%20OWASP%202007%20Top%20Ten.)
* [ ] Check unsubscribe button with user enumeration
* [ ] [Parameter pollution](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution) on social media sharing links
* [ ] CORS \([corsy](https://github.com/s0md3v/Corsy)\)
* [ ] [Change POST sensitive requests to GET](https://medium.com/traceable-and-true/should-you-use-get-or-post-with-rest-apis-for-sensitive-data-it-depends-on-your-constraints-473f0139f9c3)
## ANDROID / IOS APP
### <a name="Basic">Basic Mobile Security</a>
- [ ] [`salt`](http://salttechnology.github.io/integration_guide.html) from payment gateways should not be hardcoded.
- [ ] `secret` / `auth token` from third-party SDKs [should not be hardcoded](https://www.netguru.com/blog/hardcoded-keys-storage-mobile-app).
- [ ] API calls intended to be done `server to server` should not be done from the app.
- [ ] In Android, all the granted [permissions](https://developer.android.com/guide/topics/security/permissions.html) should be carefully evaluated.
- [ ] On iOS, [store sensitive information](https://auth0.com/blog/security-best-practices-in-ios/) (authentication tokens, API keys, etc.) in the system keychain. Do __not__ store this kind of information in the user defaults.
- [ ] [Certificate pinning](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) is highly recommended.
### Data Storage
- [ ] [The Keystore is used to store sensitive data, such as user credentials or cryptographic keys.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#keystore)
- [ ] [No sensitive data is written to application logs.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs)
- [ ] [No sensitive data is shared with third parties unless it is a necessary part of the architecture.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#determining-whether-sensitive-data-is-shared-with-third-parties-mstg-storage-4)
- [ ] [The keyboard cache is disabled on text inputs that process sensitive data.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#determining-whether-the-keyboard-cache-is-disabled-for-text-input-fields-mstg-storage-5)
- [ ] [No sensitive data is exposed via IPC mechanisms.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#determining-whether-sensitive-stored-data-has-been-exposed-via-ipc-mechanisms-mstg-storage-6)
- [ ] [No sensitive data, such as passwords or pins, is exposed through the user interface.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-for-sensitive-data-disclosure-through-the-user-interface-mstg-storage-7)
- [ ] [No sensitive data is included in backups.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-backups-for-sensitive-data-mstg-storage-8)
- [ ] [Sensitive data is removed from views when they're moved to the background.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9)
### Platform Interaction
- [ ] [The app only requests the minimum set of permissions necessary.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-app-permissions-mstg-platform-1)
- [ ] [All inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-for-injection-flaws-mstg-platform-2)
- [ ] [The app does not export sensitive functionality via custom URL schemes without proper protection.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-deep-links-mstg-platform-3)
- [ ] [The app does not export sensitive functionality through IPC facilities without proper protection.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-for-sensitive-functionality-exposure-through-ipc-mstg-platform-4)
- [ ] [JavaScript is disabled in WebViews unless explicitly required.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5)
- [ ] [WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https is supported). Potentially dangerous handlers, such as file, tel and app-id, are disabled.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-webview-protocol-handlers-mstg-platform-6)
- [ ] [If native methods of the app are exposed to a WebView, that WebView only renders JavaScript contained within the app package](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#determining-whether-java-objects-are-exposed-through-webviews-mstg-platform-7).
- [ ] [Object serialization, if any, is implemented using safe serialization APIs.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-object-persistence-mstg-platform-8)
### Cryptography
- [ ] [The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05e-Testing-Cryptography.md#testing-symmetric-cryptography-mstg-crypto-1)
- [ ] [The app uses proven implementations of cryptographic primitives.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#cryptographic-apis-on-android-and-ios)
- [ ] [The app uses cryptographic primitives that are appropriate for the particular use-case, configured with parameters that adhere to industry best practices.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#common-configuration-issues-mstg-crypto-1-mstg-crypto-2-and-mstg-crypto-3)
- [ ] [The app does not use cryptographic protocols or algorithms that are widely considered deprecated for security purposes.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4)
- [ ] [All random values are generated using a sufficiently secure random number generator.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators)
- [ ] The app doesn't re-use the same cryptographic key for multiple purposes.
- [ ] Check for [weak algorithms usage](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)
### Authentication
- [ ] [If the app provides users with access to a remote service, an acceptable form of authentication such as username/password authentication is performed at the remote endpoint.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#verifying-that-appropriate-authentication-is-in-place-mstg-arch-2-and-mstg-auth-1)
- [ ] [A password policy exists and is enforced at the remote endpoint.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#testing-best-practices-for-passwords-mstg-auth-5-and-mstg-auth-6)
- [ ] [The remote endpoint implements an exponential back-off, or temporarily locks the user account, when incorrect authentication credentials are submitted an excessive number of times.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#login-throttling)
- [ ] [If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#testing-stateful-session-management-mstg-auth-2)
- [ ] [If stateless token-based authentication is used, the server provides a token signed using a secure algorithm.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#testing-stateless-token-based-authentication-mstg-auth-3)
- [ ] [The remote endpoint terminates the existing stateful session or invalidates the stateless session token when the user logs out.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#testing-user-logout-mstg-auth-4)
- [ ] [Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the Keystore.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05f-Testing-Local-Authentication.md#testing-biometric-authentication-mstg-auth-8)
### WebViews
- [ ] [WebViews correctly validate incoming URLs.](https://blog.oversecured.com/Android-security-checklist-webview/#insufficient-url-validation)
- [ ] [The app sanitizes the JavaScript data when injected.](https://blog.oversecured.com/Android-security-checklist-webview/#javascript-code-injections)
- [ ] [WebViewClient sanitizes the Intent received from the URL before launching it.](https://blog.oversecured.com/Android-security-checklist-webview/#attacks-on-internal-url-handlers)
### Network
- [ ] [Data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-data-encryption-on-the-network-mstg-network-1)
- [ ] [The TLS settings are in line with current best practices, or as close as possible if the mobile operating system does not support the recommended standards.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04f-Testing-Network-Communication.md#verifying-the-tls-settings-mstg-network-2)
- [ ] [The app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-endpoint-identify-verification-mstg-network-3)
### Code Quality
- [ ] [The app is signed and provisioned with a valid certificate.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md#making-sure-that-the-app-is-properly-signed-mstg-code-1)
- [ ] [The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md#testing-whether-the-app-is-debuggable-mstg-code-2)
- [ ] [Debugging symbols have been removed from native binaries.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md#testing-for-debugging-symbols-mstg-code-3)
- [ ] [Debugging code has been removed, and the app does not log verbose errors or debugging messages.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md#testing-for-debugging-code-and-verbose-error-logging-mstg-code-4)
- [ ] [Third-party libraries have been checked for weaknesses.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md#checking-for-weaknesses-in-third-party-libraries-mstg-code-5)
- [ ] [The app catches and handles possible exceptions.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md#testing-exception-handling-mstg-code-6-and-mstg-code-7)
- [ ] [Error handling logic in security controls denies access by default.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md#testing-exception-handling-mstg-code-6-and-mstg-code-7)
- [ ] [In unmanaged code, memory is allocated, freed and used securely.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md#memory-corruption-bugs-mstg-code-8)
- [ ] [Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05i-Testing-Code-Quality-and-Build-Settings.md#make-sure-that-free-security-features-are-activated-mstg-code-9)
### Defense-in-Depth
- [ ] [A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#testing-two-factor-authentication-and-step-up-authentication-mstg-auth-9-and-mstg-auth-10)
- [ ] [Sessions and access tokens are invalidated at the remote endpoint after a predefined period of inactivity.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#testing-session-timeout-mstg-auth-7)
- [ ] [The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#cleaning-out-key-material)
- [ ] [The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-the-device-access-security-policy-mstg-storage-11)
- [ ] [Step-up authentication is required to enable actions that deal with sensitive data or transactions.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#testing-two-factor-authentication-and-step-up-authentication-mstg-auth-9-and-mstg-auth-10)
- [ ] [The app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4)
- [ ] [The app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04f-Testing-Network-Communication.md#making-sure-that-critical-operations-use-secure-communication-channels-mstg-network-5)
- [ ] [The app detects whether it is being executed on a rooted device. Depending on the business requirement, users are warned, or the app is terminated if the device is rooted.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1)
- [ ] [The app informs the user of all login activities with his or her account. Users are able to view a list of devices used to access the account, and to block specific devices.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md#testing-login-activity-and-device-blocking-mstg-auth-11)
- [ ] [The app educates the user about the types of personally identifiable information.](https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04i-Testing-User-Privacy-Protection.md#testing-user-education-mstg-storage-12)
## CI & CD
- [ ] Audit your design and implementation with [unit/integration tests coverage.](https://gonocode.net/should-integration-tests-be-included-in-code-coverage/)
- [ ] [Use a code review process and disregard self-approval.](https://medium.com/dunnhumby-data-science-engineering/code-review-behavior-lets-be-professional-48af2ecd5827)
- [ ] Ensure that all components of your services are statically scanned by [AV software](https://medium.com/@ComputersMobile/what-is-an-anti-virus-software-how-does-it-work-93eadbaa1bbe) before pushing to production, including vendor libraries and other dependencies.
- [ ] [Design a rollback solution for deployments.](https://yankeexe.medium.com/how-rolling-and-rollback-deployments-work-in-kubernetes-8db4c4dce599)
## Infrastructure
- [ ] Ensure you can do upgrades without downtime. Ensure you can quickly update software in a fully automated manner.
- [ ] Create all infrastructure using a tool such as [Terraform](https://www.terraform.io), and not via the cloud console. Infrastructure should be defined as “code” and be able to be recreated at the push of a button. Have zero tolerance for any resource created in the cloud by hand; Terraform can then audit your configuration.
- [ ] Use [centralized logging](https://medium.com/gogooutlab/implementing-a-centralized-logging-system-a-journey-at-gogoout-4b1d44cff7ce) for all services. You should never need SSH to access or retrieve logs.
- [ ] Don’t SSH into services except for one-off diagnosis. Using SSH regularly typically means you have not automated an important task.
- [ ] Don’t keep [port 22 open on any AWS](https://docs.bridgecrew.io/docs/networking_1-port-security) security groups on a permanent basis. Instead, consider allowing only authorized IPs to SSH to the box.
- [ ] Create immutable hosts instead of long-lived servers that you patch and upgrade (see [Immutable Infrastructure Can Be More Secure](https://medium.com/the-cloud-architect/immutable-infrastructure-21f6613e7a23)).
- [ ] Use an [Intrusion Detection System](https://medium.com/@niitwork0921/understanding-the-different-types-of-intrusion-detection-systems-8cd4e8f1191b) or managed detection service, such as SenseDeep, to reduce exposure to APTs.
## Other checks
### <a name="Host">Hosting</a>
* [ ] [Segregation in shared infrastructures](https://www.unifiedmicro.systems/articles/network-segregation#:~:text=Network%20segregation%20is%20a%20popular,an%20effective%20defence%20against%20hackers)
* [ ] Segregation between ASP-hosted applications
* [ ] [Web server vulnerabilities](https://www.toptal.com/cyber-security/10-most-common-web-security-vulnerabilities)
* [ ] [Dangerous HTTP methods](https://thexssrat.medium.com/do-you-have-these-dangerous-http-methods-enabled-on-your-server-4646b26e9392)
* [ ] [Proxy](https://www.proxyrack.com/blog/how-to-test-proxies/) functionality
* [ ] [Virtual hosting](../enumeration/webservices/vhosts.md) misconfiguration
* [ ] Check for internal numeric IPs in requests and responses
* [ ] Check for external numeric IPs and resolve them
* [ ] References to [cloud assets](../enumeration/cloud/cloud-info-recon.md)
### <a name="Captcha">CAPTCHA</a>
* [ ] Send old captcha value.
* [ ] Send old captcha value with old session ID.
* [ ] Request the captcha image by its absolute path (e.g. www.url.com/captcha/1.png)
* [ ] Block the captcha with an ad blocker and submit the request again
* [ ] [Bypass with OCR tool](https://systemweakness.com/brute-force-attacks-with-image-captcha-bypass-using-bash-script-and-ocr-2dc05b69f2d9)
* [ ] Test CAPTCHA expiration time and session management.
### <a name="Headers">Headers</a>
* [ ] [X-XSS-Protection](https://www.keycdn.com/blog/x-xss-protection) - mitigated if cloud service (WAF)
* [ ] [Strict-Transport-Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) - mitigated if cloud service (WAF)
* [ ] [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) - mitigated if cloud service (WAF)
* [ ] [Public-Key-Pins](https://infosecwriteups.com/ssl-pinning-aws-certificate-manager-e414c4fb2aa3) - HPKP is deprecated in browsers; confirm nothing relies on it
* [ ] [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
* [ ] [X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) - mitigated if cloud service (WAF)
* [ ] [Referrer-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
* [ ] [Cache-Control](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control) - mitigated if cloud service (WAF), but must still be set on sensitive responses
* [ ] [Expires](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires) - mitigated if cloud service
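Checking the headers listed above by hand on every endpoint is error-prone, so a small audit routine is useful. The following is an added example and not code from this checklist; it evaluates one captured response's header set against the items above and returns findings. The two header sets are constructed samples (a weak deployment and a hardened one), and the one-year `HSTS_MIN_AGE` floor is an assumption.

```python
import re

# One year is the commonly recommended floor for HSTS max-age (assumption used here).
HSTS_MIN_AGE = 31536000

# Constructed sample responses: what a weak deployment might return, and a hardened one.
WEAK_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "ALLOW-FROM https://example.test",
    "X-XSS-Protection": "1; mode=block",
    "Public-Key-Pins": 'pin-sha256="AAAA..."; max-age=5184000',
    "Cache-Control": "public, max-age=600",
}

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store",
}


def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_headers(headers, sensitive=True):
    """Return a list of findings for one response's header set.

    `sensitive` marks responses that carry user data, where caching must be off.
    """
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows unsafe-inline or unsafe-eval")

    # Clickjacking: a CSP frame-ancestors directive supersedes X-Frame-Options.
    if csp is None or "frame-ancestors" not in csp:
        xfo = _get(headers, "X-Frame-Options")
        if xfo is None:
            findings.append("X-Frame-Options missing and no CSP frame-ancestors")
        elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
            findings.append("X-Frame-Options not DENY or SAMEORIGIN (ALLOW-FROM is obsolete)")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    if _get(headers, "Referrer-Policy") is None:
        findings.append("Referrer-Policy missing")

    # The legacy XSS auditor is deprecated; current guidance is to disable it and use CSP.
    xss = _get(headers, "X-XSS-Protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection enabled; current guidance is 0 plus a strong CSP")

    if _get(headers, "Public-Key-Pins") is not None:
        findings.append("HPKP (Public-Key-Pins) present but deprecated by browsers")

    if sensitive:
        cc = _get(headers, "Cache-Control")
        if cc is None or "no-store" not in cc.lower():
            findings.append("Cache-Control lacks no-store on a sensitive response")

    return findings
```

Feed it the headers from each distinct endpoint (login, API, static assets) rather than only the landing page, since WAF-injected headers often cover the front door but not every origin response path.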
### <a name="File">Risky Functionality - File Uploads</a>
- [ ] [Test that acceptable file types are whitelisted](https://hackerone.com/reports/1606957)
- [ ] [Test that file size limits, upload frequency and total file counts are defined and are enforced](https://cqr.company/web-vulnerabilities/failure-to-restrict-file-uploads/)
- [ ] [Test that file contents match the defined file type](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types)
- [ ] Test that all file uploads have Anti-Virus scanning in-place.
- [ ] Test that unsafe filenames are [sanitised](https://www.geeksforgeeks.org/how-to-sanitize-your-file-names-using-the-sanitize-filename-npm-package/)
- [ ] [Test that uploaded files are not directly accessible within the web root](https://portswigger.net/web-security/file-upload)
- [ ] Test that uploaded files are not served on the same hostname/port
- [ ] [Test that files and other media are integrated with the authentication and authorisation schemas](https://docs.amplify.aws/guides/api-graphql/image-and-file-uploads/q/platform/js/)
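Several of the upload items above (type allow-list, size limit, content matching the declared type, filename sanitisation, storage outside the web root) are enforced at one choke point in a well-designed handler. The following validator is an added example, not code from this checklist or from any linked project; the 5 MiB limit and the `ALLOWED_TYPES` table with its magic-byte signatures are constructed assumptions, and anti-virus scanning and authorisation checks would be layered on top of it.

```python
import os
import re
import secrets
from pathlib import Path

# Limits and the allow-list are assumptions for this example, not from the checklist.
MAX_BYTES = 5 * 1024 * 1024

# Allow-listed extensions mapped to the leading byte signatures their content must carry.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def sanitize_filename(name):
    """Strip directory components and reduce the name to a conservative charset."""
    base = os.path.basename(name.replace("\\", "/"))  # drop ../ and drive/dir parts
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)        # no spaces, shell or HTML metacharacters
    base = base.lstrip(".")                             # no dotfiles such as .htaccess
    return base[:100] or "upload"


def validate_upload(filename, data):
    """Return (safe_display_name, extension) or raise UploadRejected."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    safe = sanitize_filename(filename)
    ext = Path(safe).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("file type not allowed")
    # The declared type is trusted only when the content starts with a matching signature.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    return safe, ext


def store_upload(filename, data, store_dir):
    """Validate and write the file under a random name in a directory outside the web root.

    The original name is returned only for display; it is never used on disk, so
    double extensions and path tricks in the client-supplied name have no effect.
    """
    safe, ext = validate_upload(filename, data)
    dest = Path(store_dir) / (secrets.token_hex(16) + ext)
    dest.write_bytes(data)
    return dest, safe
```

Serving the stored files through a separate download handler (or a separate hostname, per the item above) with an explicit `Content-Type` and `Content-Disposition: attachment` completes the picture; the random on-disk name also means a successful upload reveals nothing about where the file landed.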
### <a name="Card">Risky Functionality - Card Payment</a>
- [ ] Test for known vulnerabilities and configuration issues on Web Server and Web Application
- [ ] Test for default or guessable password
- [ ] Test for non-production data in the live environment, and vice versa
- [ ] Test for [Injection vulnerabilities](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection#:~:text=SQL%20injection%20testing%20checks%20if,queries%20without%20proper%20input%20validation.)
- [ ] Test for [Buffer Overflows](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow)
- [ ] Test for [Insecure Cryptographic Storage](https://www.geeksforgeeks.org/insecure-cryptographic-storage-vulnerability/)
- [ ] Test for [Insufficient Transport Layer Protection](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection)
- [ ] Test for Improper Error Handling
- [ ] [Test for all vulnerabilities with a CVSS v2 score > 4.0](https://www.first.org/cvss/v2/guide)
- [ ] Test for Authentication and Authorization issues
- [ ] Test for [CSRF/JWT](https://medium.com/@mena.meseha/how-to-defend-against-csrf-using-jwt-8adebe64824b)
- [ ] [Test for race conditions](https://www.linkedin.com/pulse/testing-race-conditions-web-applications-babak-esmaeili/)
### <a name="HTML">HTML 5</a>
- [ ] [Test Web Messaging](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/11-Testing_Web_Messaging)
- [ ] [Check Offline Web Application](https://www.w3.org/TR/offline-webapps/)
### <a name="Business">Business Logic</a>
- [ ] Test for feature misuse
- [ ] Test for lack of [non-repudiation](https://medium.com/@luishrsoares/understanding-non-repudiation-ensuring-integrity-and-accountability-in-digital-communications-d9608c3c9727)
- [ ] Test for trust relationships
- [ ] Test for integrity of data
- [ ] Test segregation of duties
## Reference
- [ ] https://github.com/OWASP/owasp-mastg
- [ ] https://github.com/MahdiMashrur/Awesome-Application-Security-Checklist
- [ ] https://github.com/muellerberndt/android_app_security_checklist
- [ ] https://github.com/0xRadi/OWASP-Web-Checklist/blob/master/README.md?plain=1