Identify web server & technologies
Subdomains Enumeration
Directory enumeration
Find leaked ids, emails (pwndb)
Identify WAF
Crawl all the site for interesting keywords like password, token, etc
Test for debug parameters
Identify data entry points
Try to locate /robots.txt /crossdomain.xml /clientaccesspolicy.xml /phpinfo.php /sitemap.xml
Review comments on source code
Check /.git
Shodan
Google dorking
Check waybackurls (gau and waybackurls)
Check ICMP packets allowed
Check DMARC policies (spoofcheck)
Look services on other ports than 80 and 443
Check UDP ports (udp-proto-scanner or nmap)
Test SSL (testssl)
Study site structure
Make a list with all possible test cases
Duplicate registration
Overwrite existing user (existing user takeover)
Username uniqueness
Weak password policy
Insufficient email verification process
Weak registration implementation or allows disposable email addresses
Fuzz after user creation to check if any folder have been overwritten or created with your profile name
Add only spaces in password
Username enumeration
Resilience to password guessing
Account recovery function
"Remember me" function
Impersonation function
Unsafe distribution of credentials
Fail-open conditions
Multi-stage mechanisms
SQL Injections
Auto-complete testing
Lack of password confirmation on change email, password or 2FA
Weak login function over HTTP and HTTPS if both are available
User account lockout mechanism on brute force attack
Check for password wordlist (cewl and burp-goldenNuggets)
Test 0auth login functionality for Open Redirection
Test response tampering in SAML authentication
In OTP check guessable codes and race conditions
If JWT, check common flaws
Browser cache weakness (eg Pragma, Expires, Max-age)
Session handling
Test tokens for meaning
Test tokens for predictability
Insecure transmission of tokens
Disclosure of tokens in logs
Mapping of tokens to sessions
Session termination
Session fixation
Cross-site request forgery
Cookie scope
Decode Cookie (Base64, hex, URL etc.)
Cookie expiration time
Check HTTPOnly and Secure flags
Use same cookie from a different effective IP address or system
Access controls
Effectiveness of controls using multiple accounts
Insecure access control methods (request parameters, Referer header, etc)
Check for concurrent login through different machine/IP
Bypass AntiCSRF tokens
Find parameter with user id and try to tamper in order to get the details of other users
Create a list of features that are pertaining to a user account only and try CSRF
Change email id and update with any existing email id. Check if its getting validated on server or not.
Check any new email confirmation link and what if user doesn't confirm.
File upload: Unsafe File upload, No Antivirus, No Size Limit, File extension, Filter Bypass, burp
CSV import/export: Command Injection, XSS, macro injection
Check profile picture URL and find email id/user info or EXIF Geolocation Data
Imagetragick in picture profile upload
Metadata of all downloadable files
Account deletion option and try to reactivate with "Forgot password" feature
Try bruteforce enumeration when change any user unique parameter.
Check application request re-authentication for sensitive operations
Try parameter pollution to add two values of same field
Invalidate session on Logout and Password reset
Uniqueness of forget password reset link/code
Reset links expiration time
Find user id or other sensitive fields in reset link and tamper them
Request 2 reset passwords links and use the older
Check if many requests have sequential tokens
Fuzz all request parameters
Identify all reflected data
Reflected XSS
HTTP header injection in GET & POST (X Forwarded Host)
Arbitrary redirection
Stored attacks
OS command injection
Path traversal
Script injection
File inclusion
SMTP injection
Native software flaws (buffer overflow, integer bugs, format strings)
SOAP injection
LDAP injection
XPath injection
XXE in any request, change content-type to text/xml
Stored XSS
SQL injection
NoSQL injection
HTTP Request Smuggling
Open redirect
SSRF in previously discovered open ports
xmlrpc.php DOS and user enumeration
HTTP dangerous methods OPTIONS PUT DELETE
Access custom pages like /whatever_fake.php (.aspx,.html,.etc)
Add multiple parameters in GET and POST request using different values
Add "[]", "]]", and "[[" in cookie values and parameter values to create errors
Generate error by giving input as "/~randomthing/%s" at the end of URL
Use Burp Intruder "Fuzzing Full" List in input to generate error codes
Try different HTTP Verbs like PATCH, DEBUG or wrong like FAKE
Identify the logic attack surface
Test transmission of data via the client
Test for reliance on client-side input validation
Thick-client components (Java, ActiveX, Flash)
Multi-stage processes for logic flaws
Handling of incomplete input
Trust boundaries
Transaction logic
Implemented CAPTCHA in email forms to avoid flooding
Tamper product id, price or quantity value in any action (add, modify, delete, place, pay...)
Tamper gift or discount codes
Reuse gift codes
Try parameter pollution to use gift code two times in same request
Try stored XSS in non-limited fields like address
Check in payment form if CVV and card number is in clear text or masked
Check if is processed by the app itself or sent to 3rd parts
IDOR from other users details ticket/cart/shipment
Check PRINT or PDF creation for IDOR
Check unsubscribe button with user enumeration
Parameter pollution on social media sharing links
CORS (corsy)
Change POST sensitive requests to GET
Segregation in shared infrastructures
Segregation between ASP-hosted applications
Web server vulnerabilities
Dangerous HTTP methods
Proxy functionality
Virtual hosting misconfiguration
Check for internal numeric IP's in request
Check for external numeric IP's and resolve it
References to cloud assets
Send old captcha value.
Send old captcha value with old session ID.
Request captcha absolute path like www.url.com/captcha/1.png
Remove captcha with any adblocker and request again
Bypass with OCR tool
X-XSS-Protection
Strict-Transport-Security
Content-Security-Policy
Public-Key-Pins
X-Frame-Options
X-Content-Type-Options
Referer-Policy
Cache-Control
Expires
Last updated 1 year ago