## Test overview

**Information Gathering**
- Conduct Search Engine Discovery Reconnaissance for Information Leakage
- Fingerprint Web Server
- Review Webserver Metafiles for Information Leakage
- Enumerate Applications on Webserver
- Identify Application Entry Points
- Map Execution Paths Through Application
- Fingerprint Web Application Framework
- Fingerprint Web Application
- Map Application Architecture

**Configuration and Deployment Management Testing**
- Test File Extensions Handling for Sensitive Information
- Review Old Backup and Unreferenced Files for Sensitive Information
- Enumerate Infrastructure and Application Admin Interfaces
- Test HTTP Methods
- Test HTTP Strict Transport Security
- Test for Subdomain Takeover

**Identity Management Testing**
- Test Role Definitions
- Test User Registration Process
- Test Account Provisioning Process
- Testing for Account Enumeration and Guessable User Account
- Testing for Weak or Unenforced Username Policy

**Authentication Testing**
- Testing for Credentials Transported over an Encrypted Channel
- Testing for Default Credentials
- Testing for Weak Lock Out Mechanism
- Testing for Weak Password Policy
- Testing for Weak Password Change or Reset Functionalities

**Authorization Testing**
- Testing Directory Traversal File Include
- Testing for Privilege Escalation
- Testing for Insecure Direct Object References

**Session Management Testing**
- Testing for Cookies Attributes
- Testing for Session Fixation
- Testing for Exposed Session Variables
- Testing for Cross Site Request Forgery
- Testing for Logout Functionality
- Testing Session Timeout

**Data Validation Testing**
- Testing for Reflected Cross Site Scripting
- Testing for Stored Cross Site Scripting
- Testing for Injection
- Testing for Command Injection
- Testing for Host Header Injection

**Error Handling**
- Testing for Improper Error Handling

**Cryptography**
- Testing for Weak Transport Layer Security
- Testing for Sensitive Information Sent via Unencrypted Channels
- Testing for Weak Encryption

**Business Logic Testing**
- Test Business Logic Data Validation
- Test Ability to Forge Requests
- Test Integrity Checks
- Test for Process Timing
- Test Number of Times a Function Can Be Used Limits
- Testing for the Circumvention of Work Flows
- Test Defenses Against Application Mis-use
- Test Upload of Unexpected File Types
- Test Upload of Malicious Files

**Client Side Testing**
- Testing for HTML Injection
- Testing for Client Side URL Redirect
- Test Cross Origin Resource Sharing
- Testing for Clickjacking
- Test Web Messaging

Status legend: Not Started, Pass, Issues, N/A.
## Information Gathering

### Conduct Search Engine Discovery Reconnaissance for Information Leakage
- Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization's website) or indirectly (via third-party services).

Status: N/A

### Fingerprint Web Server
- Determine the version and type of a running web server to enable further discovery of any known vulnerabilities.

Status: N/A

### Review Webserver Metafiles for Information Leakage
- Extract and map other information that could lead to better understanding of the systems at hand.

Note: check for robots.txt, sitemap.xml and xmlrpc.php.

Status: N/A

### Enumerate Applications on Webserver
- Enumerate the applications within scope that exist on a web server.

Status: N/A

### Identify Application Entry Points
- Identify possible entry and injection points through request and response analysis.

Status: Pass

### Map Execution Paths Through Application
- Map the target application and understand the principal workflows.

Status: Pass

### Fingerprint Web Application Framework
- Fingerprint the components being used by the web applications.

Status: Not Started

### Fingerprint Web Application

Status: Pass

### Map Application Architecture
- Generate a map of the application at hand based on the research conducted.

Status: Pass
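The metafiles note above names robots.txt and sitemap.xml, and what a tester actually wants from those files is a list of paths worth requesting by hand: `Disallow` entries are the owner's own hint at admin panels, backups and staging areas, and sitemap `<loc>` entries often surface forgotten application paths. The helper below is an added example, not part of this checklist or of OWASP WSTG. The robots.txt and sitemap.xml bodies and the host `example.test` are constructed for the example; the code only parses, it sends no requests.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample robots.txt (not taken from any real target).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql.bak
Allow: /public/
Disallow: /api/internal/*
Sitemap: https://example.test/sitemap.xml

User-agent: Googlebot
Disallow: /staging/
"""

# Constructed sample sitemap.xml.
SAMPLE_SITEMAP = """\
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/</loc></url>
  <url><loc>https://example.test/login</loc></url>
  <url><loc>https://example.test/old-portal/index.php</loc></url>
</urlset>
"""


def parse_robots(text):
    """Return (disallow, allow, sitemaps) lists from a robots.txt body.

    Comments and blank lines are skipped, directive names are matched
    case-insensitively, and the value is split at the first ':' only so
    that 'Sitemap: https://...' keeps its scheme.
    """
    disallow, allow, sitemaps = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key == "disallow":
            disallow.append(value)
        elif key == "allow":
            allow.append(value)
        elif key == "sitemap":
            sitemaps.append(value)
    return disallow, allow, sitemaps


def parse_sitemap(xml_text):
    """Return the <loc> URLs of a sitemap, honouring the default namespace."""
    root = ET.fromstring(xml_text)
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    return [el.text.strip() for el in root.findall(".//sm:loc", ns) if el.text]


def candidate_paths(base_url, robots_text, sitemap_text):
    """Build a deduplicated, ordered list of absolute URLs to probe manually.

    Wildcard Disallow rules are cut at the '*' because only the literal
    prefix can be requested; sitemap entries on other hosts are dropped so
    the tester stays in scope.
    """
    disallow, _allow, _sitemaps = parse_robots(robots_text)
    urls = []
    for path in disallow:
        prefix = path.split("*", 1)[0]
        if prefix:
            urls.append(urljoin(base_url, prefix))
    in_scope_host = urlparse(base_url).netloc
    for loc in parse_sitemap(sitemap_text):
        if urlparse(loc).netloc == in_scope_host:
            urls.append(loc)
    seen, ordered = set(), []
    for url in urls:
        if url not in seen:
            seen.add(url)
            ordered.append(url)
    return ordered


if __name__ == "__main__":
    for url in candidate_paths("https://example.test/", SAMPLE_ROBOTS, SAMPLE_SITEMAP):
        print(url)
```

Feed the output to a manual review or a request tool; a Disallow entry that returns 200 to an unauthenticated client is the finding, not the robots.txt line itself.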
## Configuration and Deployment Management Testing

### Test File Extensions Handling for Sensitive Information
- Dirbust sensitive file extensions, or extensions that might contain raw data (*e.g.* scripts, raw data, credentials, etc.).
- Validate that no system framework bypasses exist on the rules set.

Status: N/A

### Review Old Backup and Unreferenced Files for Sensitive Information
- Find and analyse unreferenced files that might contain sensitive information.

Status: N/A

### Enumerate Infrastructure and Application Admin Interfaces
- Identify hidden administrator interfaces and functionality.

Status: N/A

### Test HTTP Methods
- Enumerate supported HTTP methods.
- Test for access control bypass.
- Test XST vulnerabilities.
- Test HTTP method overriding techniques.

Status: Not Started

### Test HTTP Strict Transport Security
- Review the HSTS header and its validity.

Status: Not Started

### Test for Subdomain Takeover
- Enumerate all possible domains (previous and current).
- Identify forgotten or misconfigured domains.

Status: N/A
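The HTTP methods item pairs "access control bypass" with "method overriding" because the two are usually one bug: an authorization layer decides on the method the request arrived with, and a framework feature then rewrites the method from `X-HTTP-Method-Override` or a `_method` form field. The model below is an added example, not this checklist's or any framework's code; the `Request` class, the `/users` access rule and the `user`/`admin` roles are hypothetical. It shows the vulnerable ordering beside the corrected one and the three probes a tester would send.

```python
# Hypothetical request model: enough to show where the override is applied.
class Request:
    def __init__(self, method, path, headers=None, form=None):
        self.method = method.upper()
        self.path = path
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.form = form or {}


def access_control(request, role):
    """Only admins may modify /users; everyone may read or create (POST)."""
    if request.path.startswith("/users") and request.method in ("PUT", "PATCH", "DELETE"):
        return role == "admin"
    return True


def apply_override(request):
    """Framework feature: let HTML forms (POST only) emulate PUT/DELETE via
    the X-HTTP-Method-Override header or a _method form field."""
    override = request.headers.get("x-http-method-override") or request.form.get("_method")
    if override and request.method == "POST":
        request.method = override.upper()
    return request


def handle(request):
    return f"{request.method} {request.path}"


def vulnerable_pipeline(request, role):
    """Bug: authorization sees the original POST, the override runs afterwards."""
    if not access_control(request, role):
        return "403 Forbidden"
    request = apply_override(request)
    return handle(request)


def hardened_pipeline(request, role):
    """Fix: resolve the override first so authorization sees the effective method."""
    request = apply_override(request)
    if not access_control(request, role):
        return "403 Forbidden"
    return handle(request)


def probe(pipeline):
    """The tester's three requests as the low-privilege 'user' role."""
    cases = {
        "direct_delete": Request("DELETE", "/users/42"),
        "override_header": Request("POST", "/users/42",
                                   headers={"X-HTTP-Method-Override": "DELETE"}),
        "override_form": Request("POST", "/users/42", form={"_method": "DELETE"}),
    }
    return {name: pipeline(req, "user") for name, req in cases.items()}


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_pipeline))
    print("hardened:  ", probe(hardened_pipeline))
```

Against a real target the same three requests are sent to any endpoint that refuses `DELETE`/`PUT` directly; a 200 on the override variant where the direct method gets 403 or 405 is the finding. Disabling the override feature entirely is the simpler fix when no HTML form needs it.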
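"Review the HSTS header and its validity" means more than checking that `Strict-Transport-Security` is present: a malformed or missing `max-age` makes browsers ignore the whole header, `max-age=0` switches the policy off, a short lifetime leaves a downgrade window once it lapses, and `preload` without a one-year `max-age` and `includeSubDomains` will be rejected by the preload list. The checker below is an added example, not this checklist's or OWASP's code; the sample header values are constructed, and the one-year threshold is review guidance taken from the preload-list requirements, not an RFC 6797 rule.

```python
import re

# Constructed Strict-Transport-Security values for hypothetical hosts.
SAMPLES = {
    "good": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=300",
    "no_subdomains": "max-age=63072000",
    "zero": "max-age=0",
    "missing": None,
}

ONE_YEAR = 31536000  # seconds; what the browser preload list expects


def parse_hsts(value):
    """Parse an HSTS header value into {max_age, include_subdomains, preload}.

    Directive names are case-insensitive (RFC 6797). A malformed max-age is
    reported as None rather than raising, since a scan must keep going.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    if value is None:
        return result
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                result["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def assess_hsts(value):
    """Return a list of findings; an empty list means the header looks sound."""
    if value is None:
        return ["HSTS header missing"]
    findings = []
    p = parse_hsts(value)
    if p["max_age"] is None:
        findings.append("max-age missing or malformed (browsers ignore the header)")
    elif p["max_age"] == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif p["max_age"] < ONE_YEAR:
        findings.append(f"max-age {p['max_age']} is below one year")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains can still be downgraded")
    if p["preload"] and (p["max_age"] is None or p["max_age"] < ONE_YEAR
                         or not p["include_subdomains"]):
        findings.append("preload set but preload-list requirements not met")
    return findings


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:14} {assess_hsts(header) or ['OK']}")
```

Remember that the header only matters on an HTTPS response; one served over plain HTTP is ignored, and a redirect from HTTP to HTTPS that itself lacks the header is a common way the policy never gets set on first visit.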
## Identity Management Testing

### Test Role Definitions
- Identify and document roles used by the application.
- Attempt to switch, change, or access another role.
- Review the granularity of the roles and the needs behind the permissions given.

Status: N/A

### Test User Registration Process
- Verify that the identity requirements for user registration are aligned with business and security requirements.
- Validate the registration process.

Status: Pass

### Test Account Provisioning Process
- Verify which accounts may provision other accounts and of what type.

Status: N/A

### Testing for Account Enumeration and Guessable User Account
- Review processes that pertain to user identification (*e.g.* registration, login, etc.).
- Enumerate users where possible through response analysis.

Status: Not Started

### Testing for Weak or Unenforced Username Policy
- Determine whether a consistent account name structure renders the application vulnerable to account enumeration.
- Determine whether the application's error messages permit account enumeration.

Status: N/A
## Authentication Testing

### Testing for Credentials Transported over an Encrypted Channel
- Assess whether any use case of the web site or application causes the server or the client to exchange credentials without encryption.

Status: N/A

### Testing for Default Credentials
- Enumerate the applications for default credentials and validate if they still exist.
- Review and assess new user accounts and if they are created with any defaults or identifiable patterns.

Status: N/A

### Testing for Weak Lock Out Mechanism
- Evaluate the account lockout mechanism's ability to mitigate brute force password guessing.
- Evaluate the unlock mechanism's resistance to unauthorized account unlocking.

Status: Pass

### Testing for Weak Password Policy
- Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords.

Status: N/A

### Testing for Weak Password Change or Reset Functionalities
- Determine the resistance of the application to subversion of the account change process allowing someone to change the password of an account.
- Determine the resistance of the password reset functionality against guessing or bypassing.

Status: N/A
## Authorization Testing

### Testing Directory Traversal File Include
- Identify injection points that pertain to path traversal.
- Assess bypassing techniques and identify the extent of path traversal.

Status: Not Started

### Testing for Privilege Escalation
- Identify injection points related to privilege manipulation.
- Fuzz or otherwise attempt to bypass security measures.

Status: Not Started

### Testing for Insecure Direct Object References
- Identify points where object references may occur.
- Assess the access control measures and if they're vulnerable to IDOR.

Status: Not Started
## Session Management Testing

### Testing for Cookies Attributes
- Ensure that the proper security configuration is set for cookies.

Status: Not Started

### Testing for Session Fixation
- Analyze the authentication mechanism and its flow.
- Force cookies and assess the impact.

Status: Not Started

### Testing for Exposed Session Variables
- Ensure that proper encryption is implemented.
- Review the caching configuration.
- Assess the channel and methods' security.

Status: Not Started

### Testing for Cross Site Request Forgery
- Determine whether it is possible to initiate requests on a user's behalf that are not initiated by the user.

Status: Not Started

### Testing for Logout Functionality
- Assess the logout UI.
- Analyze the session timeout and if the session is properly killed after logout.

Status: Not Started

### Testing Session Timeout
- Validate that a hard session timeout exists.

Status: Not Started
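"Proper security configuration for cookies" comes down to a handful of attributes per `Set-Cookie` header: `Secure`, `HttpOnly`, `SameSite` (and `SameSite=None` is only valid together with `Secure`), plus the `__Host-` prefix rules (`Secure`, `Path=/`, no `Domain`) when the application uses them. The checker below is an added example, not this checklist's or OWASP's code; the five `Set-Cookie` headers are constructed, not captured from a real application. Every line it reports is something to review rather than an automatic vulnerability: a CSRF token that JavaScript must read legitimately lacks `HttpOnly`.

```python
# Constructed Set-Cookie headers from a hypothetical response.
SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "remember_me=1; Path=/; Expires=Fri, 01 Jan 2027 00:00:00 GMT",
    "csrftoken=xyz; Path=/; Secure; SameSite=None",
    "__Host-id=42; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Host-broken=1; Path=/app; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued ones (Path, SameSite, Expires) to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def assess_cookie(header):
    """Return a list of findings for a single Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite (browser default applies)")
    elif isinstance(samesite, str) and samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure (rejected by modern browsers)")
    if name.startswith("__Host-"):
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix requirements not met (Secure, Path=/, no Domain)")
    return findings


def assess_all(headers):
    """Map cookie name -> findings for every Set-Cookie header in a response."""
    return {parse_set_cookie(h)[0]: assess_cookie(h) for h in headers}


if __name__ == "__main__":
    for cookie, findings in assess_all(SET_COOKIE_HEADERS).items():
        print(f"{cookie:16} {findings or ['OK']}")
```

Run it over the headers of the login response and of a page loaded after login; the session cookie matters most, and a `Secure` flag on it is meaningless if the same session identifier is also set on an HTTP response.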
## Data Validation Testing

### Testing for Reflected Cross Site Scripting
- Identify variables that are reflected in responses.
- Assess the input they accept and the encoding that gets applied on return (if any).

Status: Not Started

### Testing for Stored Cross Site Scripting
- Identify stored input that is reflected on the client-side.
- Assess the input they accept and the encoding that gets applied on return (if any).

Status: Not Started

### Testing for Injection
- Identify SQL injection points.
- Assess the severity of the injection and the level of access that can be achieved through it.

Status: Not Started

### Testing for Command Injection
- Identify and assess the command injection points.

Status: Not Started

### Testing for Host Header Injection
- Assess if the Host header is being parsed dynamically in the application.
- Bypass security controls that rely on the header.

Status: Not Started
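The injection item asks for two things: confirm the injection point, then assess severity (authentication bypass only, or arbitrary data extraction). The self-contained example below is added here and is not this checklist's or OWASP's code; it builds an in-memory SQLite database with constructed users and runs a string-built login query beside its parameterised replacement against the same payloads, so the severity ladder (comment-out bypass, tautology, `UNION` extraction) can be seen without a target.

```python
import sqlite3


def make_db():
    """In-memory database with constructed users; a real test targets the application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def vulnerable_login(conn, username, password):
    """String-built query: user input is parsed as SQL."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone()


def hardened_login(conn, username, password):
    """Parameterised query: input is bound as data and never reaches the parser."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Constructed payloads, ordered from "is it injectable" to "how bad is it".
PAYLOADS = {
    "legit": ("bob", "hunter2"),
    "wrong_password": ("bob", "wrong"),
    # Comment out the password check: logs in as a chosen user.
    "auth_bypass": ("alice' -- ", "anything"),
    # Tautology: logs in as whichever row comes first (here the admin).
    "tautology": ("' OR '1'='1", "' OR '1'='1"),
    # UNION: the second SELECT returns data from another column/table.
    "union_extract": ("x' UNION SELECT username, password FROM users -- ", "y"),
}


def run(conn=None):
    """Return {payload_name: (vulnerable_result, hardened_result)}."""
    conn = conn or make_db()
    return {name: (vulnerable_login(conn, u, p), hardened_login(conn, u, p))
            for name, (u, p) in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in run().items():
        print(f"{name:15} vulnerable={vuln}  hardened={safe}")
```

The `union_extract` row is what turns a "login bypass" finding into a data-exposure one: once a `UNION` with matching column count returns, every table the database user can read is reachable, so the severity assessment should say which user the application connects as and what that user can see.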
## Error Handling

### Testing for Improper Error Handling
- Identify existing error output.
- Analyze the different output returned.

Status: Not Started
## Cryptography

### Testing for Weak Transport Layer Security
- Validate the service configuration.
- Review the digital certificate's cryptographic strength and validity.
- Ensure that the TLS security is not bypassable and is properly implemented across the application.

Status: Not Started

### Testing for Sensitive Information Sent via Unencrypted Channels
- Identify sensitive information transmitted through the various channels.
- Assess the privacy and security of the channels used.

Status: Not Started

### Testing for Weak Encryption
- Provide a guideline for the identification of weak encryption or hashing uses and implementations.

Status: Not Started
## Business Logic Testing

### Test Business Logic Data Validation
- Identify data injection points.
- Validate that all checks are occurring on the back end and can't be bypassed.
- Attempt to break the format of the expected data and analyze how the application is handling it.

Status: Not Started

### Test Ability to Forge Requests
- Review the project documentation looking for guessable, predictable, or hidden functionality of fields.
- Insert logically valid data in order to bypass normal business logic workflow.

Status: Not Started

### Test Integrity Checks
- Review the project documentation for components of the system that move, store, or handle data.
- Determine what type of data is logically acceptable by the component and what types the system should guard against.
- Determine who should be allowed to modify or read that data in each component.
- Attempt to insert, update, or delete data values used by each component that should not be allowed per the business logic workflow.

Status: Not Started

### Test for Process Timing
- Review the project documentation for system functionality that may be impacted by time.
- Develop and execute misuse cases.

Status: Not Started

### Test Number of Times a Function Can Be Used Limits
- Identify functions that must set limits to the times they can be called.
- Assess if there is a logical limit set on the functions and if it is properly validated.

Status: Not Started

### Testing for the Circumvention of Work Flows
- Review the project documentation for methods to skip or go through steps in the application process in a different order from the intended business logic flow.
- Develop a misuse case and try to circumvent every logic flow identified.

Status: Not Started

### Test Defenses Against Application Mis-use
- Generate notes from all tests conducted against the system.
- Review which tests had a different functionality based on aggressive input.
- Understand the defenses in place and verify if they are enough to protect the system against bypassing techniques.

Status: Not Started

### Test Upload of Unexpected File Types
- Review the project documentation for file types that are rejected by the system.
- Verify that the unwelcome file types are rejected and handled safely.
- Verify that file batch uploads are secure and do not allow any bypass against the set security measures.

Status: Not Started

### Test Upload of Malicious Files
- Identify the file upload functionality.
- Review the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious.
- Determine how the uploaded files are processed.
- Obtain or create a set of malicious files for testing.
- Try to upload the malicious files to the application and determine whether it is accepted and processed.

Status: Not Started
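The two upload items above share one test set: files whose name, declared `Content-Type` and content disagree. The example below is added here and is not this checklist's or OWASP's code; the sample uploads are constructed byte strings (a PNG signature, PHP source, a null-byte name), the allowlist is hypothetical, and the point is the contrast between a validator that trusts the client's `Content-Type` and last extension and one that checks a sanitised name, an extension allowlist, magic bytes and embedded script markers while ignoring `Content-Type` altogether.

```python
import os

# Constructed sample uploads: (declared filename, declared Content-Type, first bytes).
SAMPLES = {
    "png_ok": ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "php_as_png_name": ("shell.php.png", "image/png", b"<?php system($_GET['c']); ?>"),
    "php_with_png_header": ("img.png", "image/png", b"\x89PNG\r\n\x1a\n<?php echo 1; ?>"),
    "null_byte": ("shell.php\x00.png", "image/png", b"\x89PNG\r\n\x1a\n"),
    "double_ext": ("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "content_type_lie": ("shell.php", "image/png", b"<?php ?>"),
}

# Hypothetical allowlist: extension -> required magic bytes.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar", ".jsp", ".asp", ".aspx"}


def vulnerable_accept(filename, content_type, data):
    """Trusts the client's Content-Type and looks only at the last extension."""
    if not content_type.startswith("image/"):
        return False
    return filename.rsplit(".", 1)[-1].lower() in ("png", "jpg", "jpeg")


def hardened_accept(filename, content_type, data):
    """Allowlist on a sanitised name, verify magic bytes, reject embedded PHP.

    Content-Type is deliberately unused: the client sets it.
    """
    name = os.path.basename(filename)
    if any(ord(c) < 32 for c in name) or ".." in name:
        return False                      # null bytes / control chars / traversal
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False                      # not on the allowlist
    if os.path.splitext(root)[1].lower() in SCRIPT_EXTENSIONS:
        return False                      # shell.php.png: inner extension is a script
    if not data.startswith(ALLOWED[ext]):
        return False                      # content does not match the extension
    if b"<?php" in data:
        return False                      # script embedded after a valid header
    return True


def run():
    """Return {sample: (vulnerable_accepts, hardened_accepts)}."""
    return {k: (vulnerable_accept(*v), hardened_accept(*v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in run().items():
        print(f"{name:20} vulnerable accepts={vuln!s:5} hardened accepts={safe}")
```

Validation is only half the control: the hardened path should also store the file under a server-generated name outside the web root (or re-encode images), because a `shell.php.png` that the web server is configured to execute by its inner extension is a problem even when the bytes look like an image.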
## Client Side Testing

### Testing for HTML Injection
- Identify HTML injection points and assess the severity of the injected content.

Status: Not Started

### Testing for Client Side URL Redirect
- Identify injection points that handle URLs or paths.
- Assess the locations that the system could redirect to.

Status: Not Started

### Test Cross Origin Resource Sharing
- Identify endpoints that implement CORS.
- Ensure that the CORS configuration is secure or harmless.

Status: Not Started

### Testing for Clickjacking
- Understand security measures in place.
- Assess how strict the security measures are and if they are bypassable.

Status: Not Started

### Test Web Messaging
- Assess the security of the message's origin.
- Validate that it's using safe methods and validating its input.

Status: Not Started
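"Secure or harmless" for CORS is decided by one question: which `Origin` values get reflected in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`. The model below is an added example, not this checklist's or OWASP's code. The three server policies (reflect everything, suffix match, exact allowlist), the trusted origins and the probe origins are hypothetical; the `assess` function rates each response the way a tester would read it, and the probes include the suffix-match trap (`evilexample.test` ends with `example.test`) and the `null` origin that sandboxed iframes send.

```python
TRUSTED = {"https://app.example.test", "https://admin.example.test"}


def vulnerable_cors(origin):
    """Reflects any Origin with credentials: any site can read authenticated responses."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def sloppy_cors(origin):
    """Suffix match plus 'null': evilexample.test and sandboxed iframes slip through."""
    if origin and (origin.endswith("example.test") or origin == "null"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def hardened_cors(origin):
    """Exact allowlist match, Vary: Origin for caches, no CORS headers otherwise."""
    if origin in TRUSTED:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def assess(origin, headers):
    """Classify one request/response pair from the tester's point of view."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "no CORS"
    if acao == "*":
        return "wildcard (no credentials possible; review whether the data is sensitive)"
    if acao == origin and origin in TRUSTED:
        return "allowlisted origin"
    if acao == origin and creds:
        return "CRITICAL: untrusted origin reflected with credentials"
    if acao == origin:
        return "untrusted origin reflected without credentials"
    return "other"


# Constructed probe origins: a trusted one, an arbitrary one, a suffix-match
# lookalike, and the 'null' origin.
PROBES = ["https://app.example.test", "https://evil.test",
          "https://evilexample.test", "null"]


def run(policy):
    """Return {origin: assessment} for one server policy."""
    return {origin: assess(origin, policy(origin)) for origin in PROBES}


if __name__ == "__main__":
    for name, policy in (("vulnerable", vulnerable_cors),
                         ("sloppy", sloppy_cors), ("hardened", hardened_cors)):
        print(name)
        for origin, verdict in run(policy).items():
            print(f"  {origin:28} {verdict}")
```

Against a real endpoint the same four `Origin` values are sent with the victim's session cookie attached; only responses to authenticated requests matter, since a reflected origin on public data is the "harmless" case the checklist allows.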