SlideShare a Scribd company logo

Web Application Penetration Testing Checklist.pdf

I
infosecTrain

This InfosecTrain material unveils a comprehensive checklist for conducting effective web application penetration testing. Covering key aspects such as input validation, authentication mechanisms, and security configurations, the checklist serves as a systematic guide for security professionals. Gain insights into identifying vulnerabilities, understanding attack vectors, and implementing robust defenses to fortify web applications against cyber threats. Enhance your skills and contribute to the resilience of digital landscapes with this indispensable resource. More Information - https://www.infosectrain.com/courses/web-application-penetration-testing-wapt/

1 of 26
Downloaded 13 times
CHECKLIST WEB APPLICATION PENETRATION TESTING
www.infosectrain.com Test Name Test Case Result Identify Web Server, Technologies, and Database Verify that the website is hosted on an HTTP server, front-end technologies, and back-end with PostgreSQL database. ASN (Autonomous System Number) & IP Space Enumeration and Service Enumeration Ensure the enumeration tool’s accuracy in obtaining ASNs, identifying IP addresses within a specified range, and detecting open ports and services on a target IP address. Google Dorking Ensure that the Google Dorking technique effectively retrieves sensitive information from public internet search engine results. Directory Enumeration Ensure that the directory enumeration process accurately identifies and lists directories and files within a specified web server directory. Reverse Lookup Ensure that the reverse lookup functionality accurately maps IP addresses to domain names. JS Files Analysis Confirm that the JS files analysis function accurately identifies vulnerabilities and security issues in JavaScript files. Subdomain Enumeration and Bruteforcing Confirm that the subdomain enumeration and brute-forcing functionality accurately discover subdomains associated with the target domain Port Scanning Verify that the port scanning tool correctly identifies open ports on a target IP address or network. Reconnaissance Phase
Test Name Test Case Result Duplicate Registration/Overwrite Existing User Verify that the registration process prevents duplicate registration and overwriting of existing user accounts. Weak Password Policy Confirm that the registration process enforces a strong password policy. Reuse of Existing Usernames Ensure that the registration process prevents the reuse of the existing usernames. Insufficient Email Verification Process Verify that the email verification process adequately verifies user email addresses. Weak Registration Implementation - Allows Disposable Email Addresses Confirm that the registration process does not allow registration with disposable email addresses. Weak Registration Implementation- Over HTTP Verify that the registration process is securely implemented and does not allow registration over an unencrypted HTTP connection. Overwrite Default Web Application Pages Confirm that the registration process does not allow specially crafted usernames that could potentially overwrite or manipulate default web application pages. www.infosectrain.com Registration Feature Testing
Test Name Test Case Result Decode Cookies Using Standard Decoding Algorithms Verify that cookies can be successfully decoded using standard decoding algorithms. Modify Cookie:Session Token Value Verify if the application correctly handles slight modifications to session cookie token values. Test Self-Registration with Similar Usernames Check if the application handles self-registration with usernames containing small variations. Check Session Cookies and Cookie Expiration Date/Time Verify that session cookies have appropriate expiration settings. Identify Cookie Domain Scope Ensure that session cookies are scoped to the appropriate domain. Check for HttpOnly Flag in Cookie Confirm that session cookies are marked with the HttpOnly flag. Check for Secure Flag in Cookie Ensure that session cookies are marked with the Secure flag if the application is served over SSL. www.infosectrain.com Session Management Testing
Test Name Test Case Result Username Enumeration Verify that the system does not allow username enumeration. Bypass Authentication using SQL Injections Test for bypassing authentication using various SQL injections on the username and password fields. Lack of Password Confirmation Confirm that the system enforces password confirmation when changing email addresses and passwords and managing 2FA. Access Violation without Authentication Check if using resources without authentication is possible, leading to access violations. SSL Transmission of User Credentials Confirm that user credentials are transmitted over SSL. OAuth Login Functionality Check OAuth login functionality, including roles and potential security vulnerabilities. Two-Factor Authentication Misconfiguration Check the misconfiguration of two-factor authentication for response manipulation, status codes, code leakage, reusability, brute-force protection, integrity validation, and null values. www.infosectrain.com Authentication Testing
Test Name Test Case Result Active Account User ID and Tampering Attempt Identify a parameter in the application that uses the active account user ID and attempts tampering to change the details of other accounts Enumerate Features Specific to a User Account and Conduct CSRF Testing Create a list of features specific to a user account and test for Cross-Site Request Forgery (CSRF) vulnerabilities. Change Email and Confirm Server-Side Validation Ensure if changing the email address is validated on the server side and whether the application sends email confirmation links to new users. Verify Account Deletion Option with Forgot Password Feature Verify the account deletion option and confirm it via the forgot password feature. Change Email, Account ID, and User ID Parameters for Brute Force Change the email, account ID, and user ID parameters and attempt brute force attacks on other users’ passwords. www.infosectrain.com Post Login Testing
Test Name Test Case Result Failure to Expire Sessions Upon Logout and Password Reset Ensure the session is invalidated on logout and password reset. Check if Forgot Password Reset Link/Code Uniqueness Ensure the uniqueness of the password reset link/code. Check Expiry of Password Reset Link Verify if the reset link expires if not used within a specific time frame. Find User Account Identification Parameter and Attempt Tampering Identify the user account identification parameter and attempt to tamper with it to change another user’s password. Check for Weak Password Policy Examine if password reset enforces a strong password policy. Check if Active Session Gets Destroyed upon Changing the Password Verify if the active session is destroyed when changing the password. www.infosectrain.com Forgot Password Testing
Test Name Test Case Result Test Common Injection Parameters Examine common injection parameters for potential vulnerabilities. Change URL Parameter Values Examine if changing the URL parameter value redirects to the specified URL. Test Single Slash and URL Encoding Ensure using a single slash and URL encoding in URL parameters. Use Whitelisted Domain or Keyword Check if using a whitelisted domain or keyword in parameters bypasses filters. Use “//” to Bypass HTTP Blacklisted Keyword Check if using “//” in parameters bypasses HTTP blacklisted keywords. Use Null Byte (%00) to Bypass Blacklist Filter Check if using a null byte (%00) in parameters bypasses blacklist filters. Use ° Symbol to Bypass Check if the “°” symbol in parameters bypasses security filters. www.infosectrain.com Open Redirection Testing
Test Name Test Case Result Supply an Arbitrary Host Header Check the application’s handling of arbitrary host headers. Check for Flawed Validation Verify if the application has flawed validation for Host headers. Check Ambiguous Requests Send ambiguous requests with various Host header manipulations to observe the application’s behavior. Inject Host Override Headers Test the injection of host override headers to ensure that the application accepts and processes these headers. www.infosectrain.com Host Header Injection
Test Name Test Case Result Entry Point Detection Identify vulnerable entry points for SQL injection. Use SQLmap to Identify Vulnerable Parameters Ensure that SQLmap identifies parameters vulnerable to SQL injection. Run the SQL Injection Scanner on All Requests Check if the SQL injection scanner identifies and reports any SQL injection vulnerabilities. Bypassing Web Application Firewall (WAF) Ensure bypass techniques are effective against the WAF (Web Application Firewall). Time Delays Verify the effectiveness of time delays for each database system. Conditional Delays Evaluate the impact of conditional time delays for each database system. Use ° Symbol to Bypass Check if the “°” symbol in parameters bypasses security filters. www.infosectrain.com SQL Injection Testing
Test Name Test Case Result Use HTML Tags if Script Tags Are Banned Check if the HTML tags are executed as XSS. Reflect Output Inside JavaScript Variable Check if the output is reflected inside a JavaScript variable and if an alert payload can be used. Upload JavaScript Using Image File Check if the JavaScript code is executed when the image is displayed. Change Method From POST to GET Check if the payload is executed using the modified method from POST to GET can bypass filters. Syntax Encoding Payload Check if the syntax-encoded payload is executed as XSS. XSS Firewall Bypass Verify whether the employed XSS firewall bypass techniques effectively circumvent the XSS firewall. www.infosectrain.com Cross-Site Scripting Testing
Test Name Test Case Result Validation of CSRF Token Confirm whether the CSRF token validation rejects a GET request when the validation process depends on the request method. CSRF Token Presence Validation Check if the application only accept requests with a valid CSRF token. The CSRF Token Is Independent of the User Session Check if the CSRF token is not associated with the user’s session and ensure it validate the CSRF token even after the user session has ended. validate the CSRF token even after the user session has ended. Ensure that the application should validate the CSRF token when the non-session cookie is included. Verify Referer Header Presence Ensure that application should only accept requests with a valid Referer header. www.infosectrain.com CSRF Testing
Test Name Test Case Result FUZZ on the Internal System After SSO Redirect Conduct fuzzing on an internal system following redirection to the SSO system to identify vulnerabilities or misconfigurations within the internal system. Craft SAML Request and Server Interaction Craft a SAML request with a token and analyze how the server processes the crafted SAML request. Test for XML Signature Wrapping Vulnerabilities Check if the server is vulnerable to XML Signature Wrapping. Inject XXE Payloads in SAML Response Check if the server processes the XXE payloads. SSO for Takeover Assess the possibility of taking over the victim’s account. SSRF Using Cookie Header URLs Check if SSRF can be achieved by modifying the IP in the Cookie header URLs. www.infosectrain.com SSO Vulnerabilities
Test Name Test Case Result Change Content Type for XML Injection Verify if the server is vulnerable to XML Injection. Blind XXE with Out-of-Band Interaction Identifies if the server is vulnerable to Blind XXE attacks. Errors Parsing Origin Headers Check if Cross-Origin Resource Sharing (CORS)-related errors can be triggered. Whitelisted Null Origin Value Check if the server whitelists null Origin values. Bypassing Filters Check if filters can be bypassed. Cloud Instances Check if SSRF vulnerabilities can access cloud instance data. www.infosectrain.com XML Injection Testing
Test Name Test Case Result Null Byte (%00) Bypass Check if null bytes can bypass upload restrictions. Content-Type Bypass Check if content type manipulation can bypass restrictions. Magic Byte Bypass Identify if magic byte manipulation can bypass upload checks. Client-Side Validation Bypass Check if client-side validation can circumvent upload restrictions. Blacklisted Extension Bypass Check if the application effectively enforces extension restrictions. Homographic Character Bypass Check if homographic characters can bypass filters. www.infosectrain.com File Upload Testing
Test Name Test Case Result Missing Captcha Field Integrity Checks Verify if the application performs integrity checks on the Captcha field and rejects incomplete submissions. HTTP Verb Manipulation Check if changing HTTP verbs impacts Captcha validation. Reusable Captcha Check if Captchas are single-use or can be reused. Server-Side Validation for CAPTCHA Check if the server performs proper Captcha validation independently. OCR Image Recognition Check if OCR tools can successfully recognize Captcha content. Absolute Path Retrieval Check if Captcha images are accessible via absolute paths. www.infosectrain.com CAPTCHA Testing
Test Name Test Case Result Brute-Forcing Secret Keys Check if the application’s secret key is resistant to brute-force attacks. Creating a Fresh Token Using the “none” Algorithm Verify if the application accepts or rejects tokens signed with the “none” algorithm. Changing the Signing Algorithm of the Token Check how the application responds to changes in the signing algorithm. Signing the Asymmetrically-Signed Token to Symmetric Algorithm Match Check if the application allows signing transitions from asymmetric to symmetric algorithms. www.infosectrain.com JWT Token testing
Test Name Test Case Result Intercepting and Modifying WebSocket Messages Check intercept WebSocket messages and modify the content. WebSockets Man-in-the-Middle (MITM) Attempts Perform a Man-in-the-Middle attack on WebSocket communication. Test Secret Header WebSocket Check if the WebSocket implementation relies on secret headers for authentication. Content Stealing in Websockets Check if access to sensitive data is transmitted via WebSocket. Token Authentication Testing in Websockets Evaluate if the token-based authentication is secure. www.infosectrain.com Websockets Testing
Test Name Test Case Result Inconsistent Authorization Checks Identify instances where authorization checks are not consistently applied across different parts of the GraphQL schema. Missing Validation of Custom Scalars Identifies any custom scalar types that do not have adequate validation for input values. Failure to Appropriately Rate-Limit Evaluate whether rate-limiting is adequately enforced to prevent abuse or DoS attacks. Introspection Query Enabled/Disabled Determine if the server allows introspection queries that can reveal schema details. www.infosectrain.com GraphQL Vulnerabilities Testing
Test Name Test Case Result XSPA in WordPress Identify if there are any exposed services or ports that may be susceptible to XSPA. Bruteforce in wp-login.php Check if the application effectively prevents or mitigates brute-force login attempts. Information Disclosure WordPress Username Enumerate usernames and confirm if the application reveals valid usernames. Backup File wp-config Exposed Ensure that backup files or sensitive configuration files are not accessible. Log Files Exposed Confirm if log files containing sensitive data are improperly exposed to unauthorized users. Denial of Service via load-styles.php Assess if the file can be abused to launch DoS attacks. www.infosectrain.com WordPress Common Vulnerabilities
Test Name Test Case Result Cookie Bomb Check if the application can handle an excessive number of cookies effectively. Pixel Flood (Using Image with Huge Pixels) Assess the application for vulnerabilities related to “Pixel Flood” attacks. Frame Flood (Using GIF with Huge Frame) Check for the application for potential “Frame Flood” vulnerabilities. ReDoS (Regex DoS) Assess if the application is susceptible to ReDoS attacks due to insecure regular expressions. CPDoS (Cache Poisoned Denial of Service) Check if attackers can poison the application’s cache to cause a DoS condition. www.infosectrain.com Denial of Service
Test Name Test Case Result X Frame Options Header Testing Ensure the application has X-Frame-Options set to DENY or allow specific domains. X-XSS-Protection Header Testing Verify the existence and settings of the X-XSS-Protection header. HSTS Header Testing Evaluate the presence and configuration of the HTTP Strict Transport Security (HSTS) header. CSP Header Testing Check the presence and configuration of the Content Security Policy (CSP) header. Cache Control Header Testing Check for the presence and correct configuration of Cache Control headers. www.infosectrain.com Security Headers Testing
Test Name Test Case Result Access Control Testing Verify the application’s access control by attempting to access high-privileged resources with normal user privileges. Forced Browsing Testing Verify forced browsing attempts to access restricted or unlinked resources. Insecure Direct Object Reference (IDOR) Testing Check for IDOR vulnerabilities by attempting to access objects and data outside of the authorized scope. Parameter Tampering Testing Assess the application’s vulnerability to parameter tampering for privilege escalation. www.infosectrain.com Role Authorization Testing
Test Name Test Case Result Time Delays Check if the application prevents time-based command injection. Output Redirection Conduct blind OS command injection with out-of-band interactions. www.infosectrain.com Blind OS Command Injection Testing
Test Name Test Case Result Cryptography Implementation Flaw Check for implementation flaws, such as hard-coded encryption keys, weak algorithms, or improper initialization vectors. Encrypted Information Compromised Verify if sensitive information, even when encrypted, can be compromised due to data leaks, insecure key storage, or weak encryption. Weak Ciphers Used for Encryption Identify encryption mechanisms in use and check if weak ciphers are employed. www.infosectrain.com Broken Cryptography
Found this useful? To Get More Insights Through our FREE Course | Workshops | eBooks | White Paper Checklists | Mock Tests Press the Icon & www.infosectrain.com
Ad

Recommended

Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Websecurify
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
Adeel Javaid
 
Web search Technologies
Web search TechnologiesWeb search Technologies
Web search Technologies
Abdul Sami Kharal
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Java script array
Java script arrayJava script array
Java script array
chauhankapil
 
Software Test Metrics and Measurements
Software Test Metrics and MeasurementsSoftware Test Metrics and Measurements
Software Test Metrics and Measurements
Davis Thomas
 
Boundary value analysis
Boundary value analysisBoundary value analysis
Boundary value analysis
Vadym Muliavka
 
Auto Scaling Groups
Auto Scaling GroupsAuto Scaling Groups
Auto Scaling Groups
Peter Sankauskas
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
قصي نسور
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Java Servlets
Java ServletsJava Servlets
Java Servlets
BG Java EE Course
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
ecmee
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
Katy Anton
 
Controls
ControlsControls
Controls
teach4uin
 
Chapter 1
Chapter 1Chapter 1
Chapter 1
gebrsh
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)
Deivid Toledo
 
Introduction to ASP.NET
Introduction to ASP.NETIntroduction to ASP.NET
Introduction to ASP.NET
Rajkumarsoy
 
AWS Fargate on EKS 실전 사용하기
AWS Fargate on EKS 실전 사용하기AWS Fargate on EKS 실전 사용하기
AWS Fargate on EKS 실전 사용하기
AWSKRUG - AWS한국사용자모임
 
Sessions and cookies
Sessions and cookiesSessions and cookies
Sessions and cookies
www.netgains.org
 
Wireless Penetration Testing
Wireless Penetration TestingWireless Penetration Testing
Wireless Penetration Testing
Mohammed Adam
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
n|u - The Open Security Community
 
Html forms
Html formsHtml forms
Html forms
M Vishnuvardhan Reddy
 
android menus
android menusandroid menus
android menus
Deepa Rani
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Sgml
SgmlSgml
Sgml
rahul kundu
 
Lecture32-Web-based-testing-II.pptx
Lecture32-Web-based-testing-II.pptxLecture32-Web-based-testing-II.pptx
Lecture32-Web-based-testing-II.pptx
Balkrishanpatidar
 
Just Enough (Automated) Testing
Just Enough (Automated) TestingJust Enough (Automated) Testing
Just Enough (Automated) Testing
Sauce Labs
 
Ad

More Related Content

What's hot (20)

Boundary value analysis
Boundary value analysisBoundary value analysis
Boundary value analysis
Vadym Muliavka
 
Auto Scaling Groups
Auto Scaling GroupsAuto Scaling Groups
Auto Scaling Groups
Peter Sankauskas
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
قصي نسور
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Java Servlets
Java ServletsJava Servlets
Java Servlets
BG Java EE Course
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
ecmee
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
Katy Anton
 
Controls
ControlsControls
Controls
teach4uin
 
Chapter 1
Chapter 1Chapter 1
Chapter 1
gebrsh
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)
Deivid Toledo
 
Introduction to ASP.NET
Introduction to ASP.NETIntroduction to ASP.NET
Introduction to ASP.NET
Rajkumarsoy
 
AWS Fargate on EKS 실전 사용하기
AWS Fargate on EKS 실전 사용하기AWS Fargate on EKS 실전 사용하기
AWS Fargate on EKS 실전 사용하기
AWSKRUG - AWS한국사용자모임
 
Sessions and cookies
Sessions and cookiesSessions and cookies
Sessions and cookies
www.netgains.org
 
Wireless Penetration Testing
Wireless Penetration TestingWireless Penetration Testing
Wireless Penetration Testing
Mohammed Adam
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
n|u - The Open Security Community
 
Html forms
Html formsHtml forms
Html forms
M Vishnuvardhan Reddy
 
android menus
android menusandroid menus
android menus
Deepa Rani
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Sgml
SgmlSgml
Sgml
rahul kundu
 
Boundary value analysis
Boundary value analysisBoundary value analysis
Boundary value analysis
Vadym Muliavka
 
Auto Scaling Groups
Auto Scaling GroupsAuto Scaling Groups
Auto Scaling Groups
Peter Sankauskas
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
قصي نسور
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Java Servlets
Java ServletsJava Servlets
Java Servlets
BG Java EE Course
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
ecmee
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
Katy Anton
 
Controls
ControlsControls
Controls
teach4uin
 
Chapter 1
Chapter 1Chapter 1
Chapter 1
gebrsh
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)
Deivid Toledo
 
Introduction to ASP.NET
Introduction to ASP.NETIntroduction to ASP.NET
Introduction to ASP.NET
Rajkumarsoy
 
AWS Fargate on EKS 실전 사용하기
AWS Fargate on EKS 실전 사용하기AWS Fargate on EKS 실전 사용하기
AWS Fargate on EKS 실전 사용하기
AWSKRUG - AWS한국사용자모임
 
Sessions and cookies
Sessions and cookiesSessions and cookies
Sessions and cookies
www.netgains.org
 
Wireless Penetration Testing
Wireless Penetration TestingWireless Penetration Testing
Wireless Penetration Testing
Mohammed Adam
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
n|u - The Open Security Community
 
Html forms
Html formsHtml forms
Html forms
M Vishnuvardhan Reddy
 
android menus
android menusandroid menus
android menus
Deepa Rani
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Sgml
SgmlSgml
Sgml
rahul kundu
 

Similar to Web Application Penetration Testing Checklist.pdf (20)

Lecture32-Web-based-testing-II.pptx
Lecture32-Web-based-testing-II.pptxLecture32-Web-based-testing-II.pptx
Lecture32-Web-based-testing-II.pptx
Balkrishanpatidar
 
Just Enough (Automated) Testing
Just Enough (Automated) TestingJust Enough (Automated) Testing
Just Enough (Automated) Testing
Sauce Labs
 
Azure API Manegement Introduction and Integeration with BizTalk
Azure API Manegement Introduction and Integeration with BizTalkAzure API Manegement Introduction and Integeration with BizTalk
Azure API Manegement Introduction and Integeration with BizTalk
Shailesh Dwivedi
 
Input validation errors
Input validation errorsInput validation errors
Input validation errors
manoharparakh
 
API testing - Japura.pptx
API testing - Japura.pptxAPI testing - Japura.pptx
API testing - Japura.pptx
TharindaLiyanage1
 
Web Services Security
Web Services SecurityWeb Services Security
Web Services Security
amiable_indian
 
Grand tour of Azure API Management.pdf
Grand tour of Azure API Management.pdfGrand tour of Azure API Management.pdf
Grand tour of Azure API Management.pdf
Sherman37
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
Avyaan, Web Security Company in India
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Summer '16 Realease notes
Summer '16 Realease notesSummer '16 Realease notes
Summer '16 Realease notes
aggopal1011
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
Ahmed Sherif
 
Secure Coding: SSL, SOAP, and REST
Secure Coding: SSL, SOAP, and RESTSecure Coding: SSL, SOAP, and REST
Secure Coding: SSL, SOAP, and REST
Salesforce Developers
 
OAuth Authorization flows in salesforce
OAuth Authorization flows in salesforceOAuth Authorization flows in salesforce
OAuth Authorization flows in salesforce
Kishore B T
 
apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...
apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...
apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...
apidays
 
wp-25tips-oltscripts-2287467
wp-25tips-oltscripts-2287467wp-25tips-oltscripts-2287467
wp-25tips-oltscripts-2287467
Yutaka Takatsu
 
SFDC Inbound Integrations
SFDC Inbound IntegrationsSFDC Inbound Integrations
SFDC Inbound Integrations
Sujit Kumar
 
28791456 web-testing
28791456 web-testing28791456 web-testing
28791456 web-testing
Rushikesh Bhongade
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Web Application Penetration Test
Web Application Penetration TestWeb Application Penetration Test
Web Application Penetration Test
martinvoelk
 
How To Fix The Most Critical API Security Risks.pdf
How To Fix The Most Critical API Security Risks.pdfHow To Fix The Most Critical API Security Risks.pdf
How To Fix The Most Critical API Security Risks.pdf
Niloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
Lecture32-Web-based-testing-II.pptx
Lecture32-Web-based-testing-II.pptxLecture32-Web-based-testing-II.pptx
Lecture32-Web-based-testing-II.pptx
Balkrishanpatidar
 
Just Enough (Automated) Testing
Just Enough (Automated) TestingJust Enough (Automated) Testing
Just Enough (Automated) Testing
Sauce Labs
 
Azure API Manegement Introduction and Integeration with BizTalk
Azure API Manegement Introduction and Integeration with BizTalkAzure API Manegement Introduction and Integeration with BizTalk
Azure API Manegement Introduction and Integeration with BizTalk
Shailesh Dwivedi
 
Input validation errors
Input validation errorsInput validation errors
Input validation errors
manoharparakh
 
API testing - Japura.pptx
API testing - Japura.pptxAPI testing - Japura.pptx
API testing - Japura.pptx
TharindaLiyanage1
 
Web Services Security
Web Services SecurityWeb Services Security
Web Services Security
amiable_indian
 
Grand tour of Azure API Management.pdf
Grand tour of Azure API Management.pdfGrand tour of Azure API Management.pdf
Grand tour of Azure API Management.pdf
Sherman37
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
Avyaan, Web Security Company in India
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Summer '16 Realease notes
Summer '16 Realease notesSummer '16 Realease notes
Summer '16 Realease notes
aggopal1011
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
Ahmed Sherif
 
Secure Coding: SSL, SOAP, and REST
Secure Coding: SSL, SOAP, and RESTSecure Coding: SSL, SOAP, and REST
Secure Coding: SSL, SOAP, and REST
Salesforce Developers
 
OAuth Authorization flows in salesforce
OAuth Authorization flows in salesforceOAuth Authorization flows in salesforce
OAuth Authorization flows in salesforce
Kishore B T
 
apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...
apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...
apidays LIVE Paris 2021 - Inside API delivery Pipeline, the checklist! - Fran...
apidays
 
wp-25tips-oltscripts-2287467
wp-25tips-oltscripts-2287467wp-25tips-oltscripts-2287467
wp-25tips-oltscripts-2287467
Yutaka Takatsu
 
SFDC Inbound Integrations
SFDC Inbound IntegrationsSFDC Inbound Integrations
SFDC Inbound Integrations
Sujit Kumar
 
28791456 web-testing
28791456 web-testing28791456 web-testing
28791456 web-testing
Rushikesh Bhongade
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Web Application Penetration Test
Web Application Penetration TestWeb Application Penetration Test
Web Application Penetration Test
martinvoelk
 
How To Fix The Most Critical API Security Risks.pdf
How To Fix The Most Critical API Security Risks.pdfHow To Fix The Most Critical API Security Risks.pdf
How To Fix The Most Critical API Security Risks.pdf
Niloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
Ad

More from infosecTrain (20)

Common Security Policies in Organizations.pdf
Common Security Policies in Organizations.pdfCommon Security Policies in Organizations.pdf
Common Security Policies in Organizations.pdf
infosecTrain
 
Just Launched: ISO/IEC 42001:2023 Audit and Control Checklist for Al Governance
Just Launched: ISO/IEC 42001:2023 Audit and Control Checklist for Al GovernanceJust Launched: ISO/IEC 42001:2023 Audit and Control Checklist for Al Governance
Just Launched: ISO/IEC 42001:2023 Audit and Control Checklist for Al Governance
infosecTrain
 
ISSAP [Information Systems Security Architecture Professional) Certification ...
ISSAP [Information Systems Security Architecture Professional) Certification ...ISSAP [Information Systems Security Architecture Professional) Certification ...
ISSAP [Information Systems Security Architecture Professional) Certification ...
infosecTrain
 
CEH Exam Practice Questions and Answers Part 2.pdf
CEH Exam Practice Questions and Answers Part 2.pdfCEH Exam Practice Questions and Answers Part 2.pdf
CEH Exam Practice Questions and Answers Part 2.pdf
infosecTrain
 
CEH Exam Practice Questions and Answers Part -1.pdf
CEH Exam Practice Questions and Answers Part -1.pdfCEH Exam Practice Questions and Answers Part -1.pdf
CEH Exam Practice Questions and Answers Part -1.pdf
infosecTrain
 
AI-GRC Pros, Are You Implementation-Ready.pdf
AI-GRC Pros, Are You Implementation-Ready.pdfAI-GRC Pros, Are You Implementation-Ready.pdf
AI-GRC Pros, Are You Implementation-Ready.pdf
infosecTrain
 
ISO 27001 2022 Audit Charter - By InfosecTrain
ISO 27001 2022 Audit Charter - By InfosecTrainISO 27001 2022 Audit Charter - By InfosecTrain
ISO 27001 2022 Audit Charter - By InfosecTrain
infosecTrain
 
IT Auditing with Certified GRC Auditor (CGA) Training.pdf
IT Auditing with Certified GRC Auditor (CGA) Training.pdfIT Auditing with Certified GRC Auditor (CGA) Training.pdf
IT Auditing with Certified GRC Auditor (CGA) Training.pdf
infosecTrain
 
Top Wireless Attacks and How to Prevent Them.pdf
Top Wireless Attacks and How to Prevent Them.pdfTop Wireless Attacks and How to Prevent Them.pdf
Top Wireless Attacks and How to Prevent Them.pdf
infosecTrain
 
Which Access Control Mechanism is Best for the Cloud?
Which Access Control Mechanism is Best for the Cloud?Which Access Control Mechanism is Best for the Cloud?
Which Access Control Mechanism is Best for the Cloud?
infosecTrain
 
Top CompTIA Security+ Exam Practice Questions and Answers..pdf
Top CompTIA Security+ Exam Practice Questions and Answers..pdfTop CompTIA Security+ Exam Practice Questions and Answers..pdf
Top CompTIA Security+ Exam Practice Questions and Answers..pdf
infosecTrain
 
CISSP Certification Exam Preparation Guide.pdf
CISSP Certification Exam Preparation Guide.pdfCISSP Certification Exam Preparation Guide.pdf
CISSP Certification Exam Preparation Guide.pdf
infosecTrain
 
AI Governance Principles: Building Trust, Transparency, and Ethical AI System...
AI Governance Principles: Building Trust, Transparency, and Ethical AI System...AI Governance Principles: Building Trust, Transparency, and Ethical AI System...
AI Governance Principles: Building Trust, Transparency, and Ethical AI System...
infosecTrain
 
Top 20 DevsecOps Interview Questions.pdf
Top 20 DevsecOps Interview Questions.pdfTop 20 DevsecOps Interview Questions.pdf
Top 20 DevsecOps Interview Questions.pdf
infosecTrain
 
Top Interview Questions for Data Protection Officer (DPO).pdf
Top Interview Questions for Data Protection Officer (DPO).pdfTop Interview Questions for Data Protection Officer (DPO).pdf
Top Interview Questions for Data Protection Officer (DPO).pdf
infosecTrain
 
Commonly Asked CISA Exam Questions with Answers..pdf
Commonly Asked CISA Exam Questions with Answers..pdfCommonly Asked CISA Exam Questions with Answers..pdf
Commonly Asked CISA Exam Questions with Answers..pdf
infosecTrain
 
ISOIEC 42001 Lead Auditor Certification Training.pdf
ISOIEC 42001 Lead Auditor Certification Training.pdfISOIEC 42001 Lead Auditor Certification Training.pdf
ISOIEC 42001 Lead Auditor Certification Training.pdf
infosecTrain
 
Kickstart Your Cybersecurity Career with These Must-Have Tools.pdf
Kickstart Your Cybersecurity Career with These Must-Have Tools.pdfKickstart Your Cybersecurity Career with These Must-Have Tools.pdf
Kickstart Your Cybersecurity Career with These Must-Have Tools.pdf
infosecTrain
 
CEHv13 Module 2 - Footprinting and Reconnaissance.pdf
CEHv13 Module 2 - Footprinting and Reconnaissance.pdfCEHv13 Module 2 - Footprinting and Reconnaissance.pdf
CEHv13 Module 2 - Footprinting and Reconnaissance.pdf
infosecTrain
 
Top 20 Cloud Security Professional Interview Q&A.pdf
Top 20 Cloud Security Professional Interview Q&A.pdfTop 20 Cloud Security Professional Interview Q&A.pdf
Top 20 Cloud Security Professional Interview Q&A.pdf
infosecTrain
 
Common Security Policies in Organizations.pdf
Common Security Policies in Organizations.pdfCommon Security Policies in Organizations.pdf
Common Security Policies in Organizations.pdf
infosecTrain
 
Just Launched: ISO/IEC 42001:2023 Audit and Control Checklist for Al Governance
Just Launched: ISO/IEC 42001:2023 Audit and Control Checklist for Al GovernanceJust Launched: ISO/IEC 42001:2023 Audit and Control Checklist for Al Governance
Just Launched: ISO/IEC 42001:2023 Audit and Control Checklist for Al Governance
infosecTrain
 
ISSAP [Information Systems Security Architecture Professional) Certification ...
ISSAP [Information Systems Security Architecture Professional) Certification ...ISSAP [Information Systems Security Architecture Professional) Certification ...
ISSAP [Information Systems Security Architecture Professional) Certification ...
infosecTrain
 
CEH Exam Practice Questions and Answers Part 2.pdf
CEH Exam Practice Questions and Answers Part 2.pdfCEH Exam Practice Questions and Answers Part 2.pdf
CEH Exam Practice Questions and Answers Part 2.pdf
infosecTrain
 
CEH Exam Practice Questions and Answers Part -1.pdf
CEH Exam Practice Questions and Answers Part -1.pdfCEH Exam Practice Questions and Answers Part -1.pdf
CEH Exam Practice Questions and Answers Part -1.pdf
infosecTrain
 
AI-GRC Pros, Are You Implementation-Ready.pdf
AI-GRC Pros, Are You Implementation-Ready.pdfAI-GRC Pros, Are You Implementation-Ready.pdf
AI-GRC Pros, Are You Implementation-Ready.pdf
infosecTrain
 
ISO 27001 2022 Audit Charter - By InfosecTrain
ISO 27001 2022 Audit Charter - By InfosecTrainISO 27001 2022 Audit Charter - By InfosecTrain
ISO 27001 2022 Audit Charter - By InfosecTrain
infosecTrain
 
IT Auditing with Certified GRC Auditor (CGA) Training.pdf
IT Auditing with Certified GRC Auditor (CGA) Training.pdfIT Auditing with Certified GRC Auditor (CGA) Training.pdf
IT Auditing with Certified GRC Auditor (CGA) Training.pdf
infosecTrain
 
Top Wireless Attacks and How to Prevent Them.pdf
Top Wireless Attacks and How to Prevent Them.pdfTop Wireless Attacks and How to Prevent Them.pdf
Top Wireless Attacks and How to Prevent Them.pdf
infosecTrain
 
Which Access Control Mechanism is Best for the Cloud?
Which Access Control Mechanism is Best for the Cloud?Which Access Control Mechanism is Best for the Cloud?
Which Access Control Mechanism is Best for the Cloud?
infosecTrain
 
Top CompTIA Security+ Exam Practice Questions and Answers..pdf
Top CompTIA Security+ Exam Practice Questions and Answers..pdfTop CompTIA Security+ Exam Practice Questions and Answers..pdf
Top CompTIA Security+ Exam Practice Questions and Answers..pdf
infosecTrain
 
CISSP Certification Exam Preparation Guide.pdf
CISSP Certification Exam Preparation Guide.pdfCISSP Certification Exam Preparation Guide.pdf
CISSP Certification Exam Preparation Guide.pdf
infosecTrain
 
AI Governance Principles: Building Trust, Transparency, and Ethical AI System...
AI Governance Principles: Building Trust, Transparency, and Ethical AI System...AI Governance Principles: Building Trust, Transparency, and Ethical AI System...
AI Governance Principles: Building Trust, Transparency, and Ethical AI System...
infosecTrain
 
Top 20 DevsecOps Interview Questions.pdf
Top 20 DevsecOps Interview Questions.pdfTop 20 DevsecOps Interview Questions.pdf
Top 20 DevsecOps Interview Questions.pdf
infosecTrain
 
Top Interview Questions for Data Protection Officer (DPO).pdf
Top Interview Questions for Data Protection Officer (DPO).pdfTop Interview Questions for Data Protection Officer (DPO).pdf
Top Interview Questions for Data Protection Officer (DPO).pdf
infosecTrain
 
Commonly Asked CISA Exam Questions with Answers..pdf
Commonly Asked CISA Exam Questions with Answers..pdfCommonly Asked CISA Exam Questions with Answers..pdf
Commonly Asked CISA Exam Questions with Answers..pdf
infosecTrain
 
ISOIEC 42001 Lead Auditor Certification Training.pdf
ISOIEC 42001 Lead Auditor Certification Training.pdfISOIEC 42001 Lead Auditor Certification Training.pdf
ISOIEC 42001 Lead Auditor Certification Training.pdf
infosecTrain
 
Kickstart Your Cybersecurity Career with These Must-Have Tools.pdf
Kickstart Your Cybersecurity Career with These Must-Have Tools.pdfKickstart Your Cybersecurity Career with These Must-Have Tools.pdf
Kickstart Your Cybersecurity Career with These Must-Have Tools.pdf
infosecTrain
 
CEHv13 Module 2 - Footprinting and Reconnaissance.pdf
CEHv13 Module 2 - Footprinting and Reconnaissance.pdfCEHv13 Module 2 - Footprinting and Reconnaissance.pdf
CEHv13 Module 2 - Footprinting and Reconnaissance.pdf
infosecTrain
 
Top 20 Cloud Security Professional Interview Q&A.pdf
Top 20 Cloud Security Professional Interview Q&A.pdfTop 20 Cloud Security Professional Interview Q&A.pdf
Top 20 Cloud Security Professional Interview Q&A.pdf
infosecTrain
 
Ad

Recently uploaded (20)

K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public SchoolsK12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
dogden2
 
How to Manage Opening & Closing Controls in Odoo 17 POS
How to Manage Opening & Closing Controls in Odoo 17 POSHow to Manage Opening & Closing Controls in Odoo 17 POS
How to Manage Opening & Closing Controls in Odoo 17 POS
Celine George
 
To study the nervous system of insect.pptx
To study the nervous system of insect.pptxTo study the nervous system of insect.pptx
To study the nervous system of insect.pptx
Arshad Shaikh
 
Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...
Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...
Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...
Library Association of Ireland
 
Understanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s GuideUnderstanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s Guide
GS Virdi
 
SPRING FESTIVITIES - UK AND USA -
SPRING FESTIVITIES - UK AND USA -SPRING FESTIVITIES - UK AND USA -
SPRING FESTIVITIES - UK AND USA -
Colégio Santa Teresinha
 
New Microsoft PowerPoint Presentation.pptx
New Microsoft PowerPoint Presentation.pptxNew Microsoft PowerPoint Presentation.pptx
New Microsoft PowerPoint Presentation.pptx
milanasargsyan5
 
apa-style-referencing-visual-guide-2025.pdf
apa-style-referencing-visual-guide-2025.pdfapa-style-referencing-visual-guide-2025.pdf
apa-style-referencing-visual-guide-2025.pdf
Ishika Ghosh
 
2541William_McCollough_DigitalDetox.docx
2541William_McCollough_DigitalDetox.docx2541William_McCollough_DigitalDetox.docx
2541William_McCollough_DigitalDetox.docx
contactwilliamm2546
 
P-glycoprotein pamphlet: iteration 4 of 4 final
P-glycoprotein pamphlet: iteration 4 of 4 finalP-glycoprotein pamphlet: iteration 4 of 4 final
P-glycoprotein pamphlet: iteration 4 of 4 final
bs22n2s
 
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Library Association of Ireland
 
LDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini UpdatesLDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini Updates
LDM Mia eStudios
 
SCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptx
SCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptxSCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptx
SCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptx
Ronisha Das
 
pulse ppt.pptx Types of pulse , characteristics of pulse , Alteration of pulse
pulse ppt.pptx Types of pulse , characteristics of pulse , Alteration of pulsepulse ppt.pptx Types of pulse , characteristics of pulse , Alteration of pulse
pulse ppt.pptx Types of pulse , characteristics of pulse , Alteration of pulse
sushreesangita003
 
Geography Sem II Unit 1C Correlation of Geography with other school subjects
Geography Sem II Unit 1C Correlation of Geography with other school subjectsGeography Sem II Unit 1C Correlation of Geography with other school subjects
Geography Sem II Unit 1C Correlation of Geography with other school subjects
ProfDrShaikhImran
 
Presentation of the MIPLM subject matter expert Erdem Kaya
Presentation of the MIPLM subject matter expert Erdem KayaPresentation of the MIPLM subject matter expert Erdem Kaya
Presentation of the MIPLM subject matter expert Erdem Kaya
MIPLM
 
Political History of Pala dynasty Pala Rulers NEP.pptx
Political History of Pala dynasty Pala Rulers NEP.pptxPolitical History of Pala dynasty Pala Rulers NEP.pptx
Political History of Pala dynasty Pala Rulers NEP.pptx
Arya Mahila P. G. College, Banaras Hindu University, Varanasi, India.
 
Marie Boran Special Collections Librarian Hardiman Library, University of Gal...
Marie Boran Special Collections Librarian Hardiman Library, University of Gal...Marie Boran Special Collections Librarian Hardiman Library, University of Gal...
Marie Boran Special Collections Librarian Hardiman Library, University of Gal...
Library Association of Ireland
 
How to Set warnings for invoicing specific customers in odoo
How to Set warnings for invoicing specific customers in odooHow to Set warnings for invoicing specific customers in odoo
How to Set warnings for invoicing specific customers in odoo
Celine George
 
How to Customize Your Financial Reports & Tax Reports With Odoo 17 Accounting
How to Customize Your Financial Reports & Tax Reports With Odoo 17 AccountingHow to Customize Your Financial Reports & Tax Reports With Odoo 17 Accounting
How to Customize Your Financial Reports & Tax Reports With Odoo 17 Accounting
Celine George
 
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public SchoolsK12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
dogden2
 
How to Manage Opening & Closing Controls in Odoo 17 POS
How to Manage Opening & Closing Controls in Odoo 17 POSHow to Manage Opening & Closing Controls in Odoo 17 POS
How to Manage Opening & Closing Controls in Odoo 17 POS
Celine George
 
To study the nervous system of insect.pptx
To study the nervous system of insect.pptxTo study the nervous system of insect.pptx
To study the nervous system of insect.pptx
Arshad Shaikh
 
Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...
Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...
Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...
Library Association of Ireland
 
Understanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s GuideUnderstanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s Guide
GS Virdi
 
SPRING FESTIVITIES - UK AND USA -
SPRING FESTIVITIES - UK AND USA -SPRING FESTIVITIES - UK AND USA -
SPRING FESTIVITIES - UK AND USA -
Colégio Santa Teresinha
 
New Microsoft PowerPoint Presentation.pptx
New Microsoft PowerPoint Presentation.pptxNew Microsoft PowerPoint Presentation.pptx
New Microsoft PowerPoint Presentation.pptx
milanasargsyan5
 
apa-style-referencing-visual-guide-2025.pdf
apa-style-referencing-visual-guide-2025.pdfapa-style-referencing-visual-guide-2025.pdf
apa-style-referencing-visual-guide-2025.pdf
Ishika Ghosh
 
2541William_McCollough_DigitalDetox.docx
2541William_McCollough_DigitalDetox.docx2541William_McCollough_DigitalDetox.docx
2541William_McCollough_DigitalDetox.docx
contactwilliamm2546
 
P-glycoprotein pamphlet: iteration 4 of 4 final
P-glycoprotein pamphlet: iteration 4 of 4 finalP-glycoprotein pamphlet: iteration 4 of 4 final
P-glycoprotein pamphlet: iteration 4 of 4 final
bs22n2s
 
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Library Association of Ireland
 
LDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini UpdatesLDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini Updates
LDM Mia eStudios
 
SCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptx
SCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptxSCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptx
SCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptx
Ronisha Das
 
pulse ppt.pptx Types of pulse , characteristics of pulse , Alteration of pulse
pulse ppt.pptx Types of pulse , characteristics of pulse , Alteration of pulsepulse ppt.pptx Types of pulse , characteristics of pulse , Alteration of pulse
pulse ppt.pptx Types of pulse , characteristics of pulse , Alteration of pulse
sushreesangita003
 
Geography Sem II Unit 1C Correlation of Geography with other school subjects
Geography Sem II Unit 1C Correlation of Geography with other school subjectsGeography Sem II Unit 1C Correlation of Geography with other school subjects
Geography Sem II Unit 1C Correlation of Geography with other school subjects
ProfDrShaikhImran
 
Presentation of the MIPLM subject matter expert Erdem Kaya
Presentation of the MIPLM subject matter expert Erdem KayaPresentation of the MIPLM subject matter expert Erdem Kaya
Presentation of the MIPLM subject matter expert Erdem Kaya
MIPLM
 
Political History of Pala dynasty Pala Rulers NEP.pptx
Political History of Pala dynasty Pala Rulers NEP.pptxPolitical History of Pala dynasty Pala Rulers NEP.pptx
Political History of Pala dynasty Pala Rulers NEP.pptx
Arya Mahila P. G. College, Banaras Hindu University, Varanasi, India.
 
Marie Boran Special Collections Librarian Hardiman Library, University of Gal...
Marie Boran Special Collections Librarian Hardiman Library, University of Gal...Marie Boran Special Collections Librarian Hardiman Library, University of Gal...
Marie Boran Special Collections Librarian Hardiman Library, University of Gal...
Library Association of Ireland
 
How to Set warnings for invoicing specific customers in odoo
How to Set warnings for invoicing specific customers in odooHow to Set warnings for invoicing specific customers in odoo
How to Set warnings for invoicing specific customers in odoo
Celine George
 
How to Customize Your Financial Reports & Tax Reports With Odoo 17 Accounting
How to Customize Your Financial Reports & Tax Reports With Odoo 17 AccountingHow to Customize Your Financial Reports & Tax Reports With Odoo 17 Accounting
How to Customize Your Financial Reports & Tax Reports With Odoo 17 Accounting
Celine George
 

Web Application Penetration Testing Checklist.pdf

  • 2. www.infosectrain.com Test Name Test Case Result Identify Web Server, Technologies, and Database Verify that the website is hosted on an HTTP server, front-end technologies, and back-end with PostgreSQL database. ASN (Autonomous System Number) & IP Space Enumeration and Service Enumeration Ensure the enumeration tool’s accuracy in obtaining ASNs, identifying IP addresses within a specified range, and detecting open ports and services on a target IP address. Google Dorking Ensure that the Google Dorking technique effectively retrieves sensitive information from public internet search engine results. Directory Enumeration Ensure that the directory enumeration process accurately identifies and lists directories and files within a specified web server directory. Reverse Lookup Ensure that the reverse lookup functionality accurately maps IP addresses to domain names. JS Files Analysis Confirm that the JS files analysis function accurately identifies vulnerabilities and security issues in JavaScript files. Subdomain Enumeration and Bruteforcing Confirm that the subdomain enumeration and brute-forcing functionality accurately discover subdomains associated with the target domain Port Scanning Verify that the port scanning tool correctly identifies open ports on a target IP address or network. Reconnaissance Phase
  • 3. Test Name Test Case Result Duplicate Registration/Overwrite Existing User Verify that the registration process prevents duplicate registration and overwriting of existing user accounts. Weak Password Policy Confirm that the registration process enforces a strong password policy. Reuse of Existing Usernames Ensure that the registration process prevents the reuse of the existing usernames. Insufficient Email Verification Process Verify that the email verification process adequately verifies user email addresses. Weak Registration Implementation - Allows Disposable Email Addresses Confirm that the registration process does not allow registration with disposable email addresses. Weak Registration Implementation- Over HTTP Verify that the registration process is securely implemented and does not allow registration over an unencrypted HTTP connection. Overwrite Default Web Application Pages Confirm that the registration process does not allow specially crafted usernames that could potentially overwrite or manipulate default web application pages. www.infosectrain.com Registration Feature Testing
  • 4. Test Name Test Case Result Decode Cookies Using Standard Decoding Algorithms Verify that cookies can be successfully decoded using standard decoding algorithms. Modify Cookie:Session Token Value Verify if the application correctly handles slight modifications to session cookie token values. Test Self-Registration with Similar Usernames Check if the application handles self-registration with usernames containing small variations. Check Session Cookies and Cookie Expiration Date/Time Verify that session cookies have appropriate expiration settings. Identify Cookie Domain Scope Ensure that session cookies are scoped to the appropriate domain. Check for HttpOnly Flag in Cookie Confirm that session cookies are marked with the HttpOnly flag. Check for Secure Flag in Cookie Ensure that session cookies are marked with the Secure flag if the application is served over SSL. www.infosectrain.com Session Management Testing
  • 5. Test Name Test Case Result Username Enumeration Verify that the system does not allow username enumeration. Bypass Authentication using SQL Injections Test for bypassing authentication using various SQL injections on the username and password fields. Lack of Password Confirmation Confirm that the system enforces password confirmation when changing email addresses and passwords and managing 2FA. Access Violation without Authentication Check if using resources without authentication is possible, leading to access violations. SSL Transmission of User Credentials Confirm that user credentials are transmitted over SSL. OAuth Login Functionality Check OAuth login functionality, including roles and potential security vulnerabilities. Two-Factor Authentication Misconfiguration Check the misconfiguration of two-factor authentication for response manipulation, status codes, code leakage, reusability, brute-force protection, integrity validation, and null values. www.infosectrain.com Authentication Testing
  • 6. Test Name Test Case Result Active Account User ID and Tampering Attempt Identify a parameter in the application that uses the active account user ID and attempts tampering to change the details of other accounts Enumerate Features Specific to a User Account and Conduct CSRF Testing Create a list of features specific to a user account and test for Cross-Site Request Forgery (CSRF) vulnerabilities. Change Email and Confirm Server-Side Validation Ensure if changing the email address is validated on the server side and whether the application sends email confirmation links to new users. Verify Account Deletion Option with Forgot Password Feature Verify the account deletion option and confirm it via the forgot password feature. Change Email, Account ID, and User ID Parameters for Brute Force Change the email, account ID, and user ID parameters and attempt brute force attacks on other users’ passwords. www.infosectrain.com Post Login Testing
  • 7. Test Name Test Case Result Failure to Expire Sessions Upon Logout and Password Reset Ensure the session is invalidated on logout and password reset. Check if Forgot Password Reset Link/Code Uniqueness Ensure the uniqueness of the password reset link/code. Check Expiry of Password Reset Link Verify if the reset link expires if not used within a specific time frame. Find User Account Identification Parameter and Attempt Tampering Identify the user account identification parameter and attempt to tamper with it to change another user’s password. Check for Weak Password Policy Examine if password reset enforces a strong password policy. Check if Active Session Gets Destroyed upon Changing the Password Verify if the active session is destroyed when changing the password. www.infosectrain.com Forgot Password Testing
  • 8. Test Name Test Case Result Test Common Injection Parameters Examine common injection parameters for potential vulnerabilities. Change URL Parameter Values Examine if changing the URL parameter value redirects to the specified URL. Test Single Slash and URL Encoding Ensure using a single slash and URL encoding in URL parameters. Use Whitelisted Domain or Keyword Check if using a whitelisted domain or keyword in parameters bypasses filters. Use “//” to Bypass HTTP Blacklisted Keyword Check if using “//” in parameters bypasses HTTP blacklisted keywords. Use Null Byte (%00) to Bypass Blacklist Filter Check if using a null byte (%00) in parameters bypasses blacklist filters. Use ° Symbol to Bypass Check if the “°” symbol in parameters bypasses security filters. www.infosectrain.com Open Redirection Testing
  • 9. Test Name Test Case Result Supply an Arbitrary Host Header Check the application’s handling of arbitrary host headers. Check for Flawed Validation Verify if the application has flawed validation for Host headers. Check Ambiguous Requests Send ambiguous requests with various Host header manipulations to observe the application’s behavior. Inject Host Override Headers Test the injection of host override headers to ensure that the application accepts and processes these headers. www.infosectrain.com Host Header Injection
  • 10. Test Name Test Case Result Entry Point Detection Identify vulnerable entry points for SQL injection. Use SQLmap to Identify Vulnerable Parameters Ensure that SQLmap identifies parameters vulnerable to SQL injection. Run the SQL Injection Scanner on All Requests Check if the SQL injection scanner identifies and reports any SQL injection vulnerabilities. Bypassing Web Application Firewall (WAF) Ensure bypass techniques are effective against the WAF (Web Application Firewall). Time Delays Verify the effectiveness of time delays for each database system. Conditional Delays Evaluate the impact of conditional time delays for each database system. Use ° Symbol to Bypass Check if the “°” symbol in parameters bypasses security filters. www.infosectrain.com SQL Injection Testing
  • 11. Test Name Test Case Result Use HTML Tags if Script Tags Are Banned Check if the HTML tags are executed as XSS. Reflect Output Inside JavaScript Variable Check if the output is reflected inside a JavaScript variable and if an alert payload can be used. Upload JavaScript Using Image File Check if the JavaScript code is executed when the image is displayed. Change Method From POST to GET Check if the payload is executed using the modified method from POST to GET can bypass filters. Syntax Encoding Payload Check if the syntax-encoded payload is executed as XSS. XSS Firewall Bypass Verify whether the employed XSS firewall bypass techniques effectively circumvent the XSS firewall. www.infosectrain.com Cross-Site Scripting Testing
  • 12. Test Name Test Case Result Validation of CSRF Token Confirm whether the CSRF token validation rejects a GET request when the validation process depends on the request method. CSRF Token Presence Validation Check if the application only accept requests with a valid CSRF token. The CSRF Token Is Independent of the User Session Check if the CSRF token is not associated with the user’s session and ensure it validate the CSRF token even after the user session has ended. validate the CSRF token even after the user session has ended. Ensure that the application should validate the CSRF token when the non-session cookie is included. Verify Referer Header Presence Ensure that application should only accept requests with a valid Referer header. www.infosectrain.com CSRF Testing
  • 13. Test Name Test Case Result FUZZ on the Internal System After SSO Redirect Conduct fuzzing on an internal system following redirection to the SSO system to identify vulnerabilities or misconfigurations within the internal system. Craft SAML Request and Server Interaction Craft a SAML request with a token and analyze how the server processes the crafted SAML request. Test for XML Signature Wrapping Vulnerabilities Check if the server is vulnerable to XML Signature Wrapping. Inject XXE Payloads in SAML Response Check if the server processes the XXE payloads. SSO for Takeover Assess the possibility of taking over the victim’s account. SSRF Using Cookie Header URLs Check if SSRF can be achieved by modifying the IP in the Cookie header URLs. www.infosectrain.com SSO Vulnerabilities
  • 14. Test Name Test Case Result Change Content Type for XML Injection Verify if the server is vulnerable to XML Injection. Blind XXE with Out-of-Band Interaction Identifies if the server is vulnerable to Blind XXE attacks. Errors Parsing Origin Headers Check if Cross-Origin Resource Sharing (CORS)-related errors can be triggered. Whitelisted Null Origin Value Check if the server whitelists null Origin values. Bypassing Filters Check if filters can be bypassed. Cloud Instances Check if SSRF vulnerabilities can access cloud instance data. www.infosectrain.com XML Injection Testing
  • 15. Test Name Test Case Result Null Byte (%00) Bypass Check if null bytes can bypass upload restrictions. Content-Type Bypass Check if content type manipulation can bypass restrictions. Magic Byte Bypass Identify if magic byte manipulation can bypass upload checks. Client-Side Validation Bypass Check if client-side validation can circumvent upload restrictions. Blacklisted Extension Bypass Check if the application effectively enforces extension restrictions. Homographic Character Bypass Check if homographic characters can bypass filters. www.infosectrain.com File Upload Testing
  • 16. Test Name Test Case Result Missing Captcha Field Integrity Checks Verify if the application performs integrity checks on the Captcha field and rejects incomplete submissions. HTTP Verb Manipulation Check if changing HTTP verbs impacts Captcha validation. Reusable Captcha Check if Captchas are single-use or can be reused. Server-Side Validation for CAPTCHA Check if the server performs proper Captcha validation independently. OCR Image Recognition Check if OCR tools can successfully recognize Captcha content. Absolute Path Retrieval Check if Captcha images are accessible via absolute paths. www.infosectrain.com CAPTCHA Testing
  • 17. Test Name Test Case Result Brute-Forcing Secret Keys Check if the application’s secret key is resistant to brute-force attacks. Creating a Fresh Token Using the “none” Algorithm Verify if the application accepts or rejects tokens signed with the “none” algorithm. Changing the Signing Algorithm of the Token Check how the application responds to changes in the signing algorithm. Signing the Asymmetrically-Signed Token to Symmetric Algorithm Match Check if the application allows signing transitions from asymmetric to symmetric algorithms. www.infosectrain.com JWT Token testing
  • 18. Test Name Test Case Result Intercepting and Modifying WebSocket Messages Check intercept WebSocket messages and modify the content. WebSockets Man-in-the-Middle (MITM) Attempts Perform a Man-in-the-Middle attack on WebSocket communication. Test Secret Header WebSocket Check if the WebSocket implementation relies on secret headers for authentication. Content Stealing in Websockets Check if access to sensitive data is transmitted via WebSocket. Token Authentication Testing in Websockets Evaluate if the token-based authentication is secure. www.infosectrain.com Websockets Testing
  • 19. Test Name Test Case Result Inconsistent Authorization Checks Identify instances where authorization checks are not consistently applied across different parts of the GraphQL schema. Missing Validation of Custom Scalars Identifies any custom scalar types that do not have adequate validation for input values. Failure to Appropriately Rate-Limit Evaluate whether rate-limiting is adequately enforced to prevent abuse or DoS attacks. Introspection Query Enabled/Disabled Determine if the server allows introspection queries that can reveal schema details. www.infosectrain.com GraphQL Vulnerabilities Testing
  • 20. Test Name Test Case Result XSPA in WordPress Identify if there are any exposed services or ports that may be susceptible to XSPA. Bruteforce in wp-login.php Check if the application effectively prevents or mitigates brute-force login attempts. Information Disclosure WordPress Username Enumerate usernames and confirm if the application reveals valid usernames. Backup File wp-config Exposed Ensure that backup files or sensitive configuration files are not accessible. Log Files Exposed Confirm if log files containing sensitive data are improperly exposed to unauthorized users. Denial of Service via load-styles.php Assess if the file can be abused to launch DoS attacks. www.infosectrain.com WordPress Common Vulnerabilities
  • 21. Test Name Test Case Result Cookie Bomb Check if the application can handle an excessive number of cookies effectively. Pixel Flood (Using Image with Huge Pixels) Assess the application for vulnerabilities related to “Pixel Flood” attacks. Frame Flood (Using GIF with Huge Frame) Check for the application for potential “Frame Flood” vulnerabilities. ReDoS (Regex DoS) Assess if the application is susceptible to ReDoS attacks due to insecure regular expressions. CPDoS (Cache Poisoned Denial of Service) Check if attackers can poison the application’s cache to cause a DoS condition. www.infosectrain.com Denial of Service
  • 22. Test Name Test Case Result X Frame Options Header Testing Ensure the application has X-Frame-Options set to DENY or allow specific domains. X-XSS-Protection Header Testing Verify the existence and settings of the X-XSS-Protection header. HSTS Header Testing Evaluate the presence and configuration of the HTTP Strict Transport Security (HSTS) header. CSP Header Testing Check the presence and configuration of the Content Security Policy (CSP) header. Cache Control Header Testing Check for the presence and correct configuration of Cache Control headers. www.infosectrain.com Security Headers Testing
  • 23. Test Name Test Case Result Access Control Testing Verify the application’s access control by attempting to access high-privileged resources with normal user privileges. Forced Browsing Testing Verify forced browsing attempts to access restricted or unlinked resources. Insecure Direct Object Reference (IDOR) Testing Check for IDOR vulnerabilities by attempting to access objects and data outside of the authorized scope. Parameter Tampering Testing Assess the application’s vulnerability to parameter tampering for privilege escalation. www.infosectrain.com Role Authorization Testing
  • 24. Test Name Test Case Result Time Delays Check if the application prevents time-based command injection. Output Redirection Conduct blind OS command injection with out-of-band interactions. www.infosectrain.com Blind OS Command Injection Testing
  • 25. Test Name Test Case Result Cryptography Implementation Flaw Check for implementation flaws, such as hard-coded encryption keys, weak algorithms, or improper initialization vectors. Encrypted Information Compromised Verify if sensitive information, even when encrypted, can be compromised due to data leaks, insecure key storage, or weak encryption. Weak Ciphers Used for Encryption Identify encryption mechanisms in use and check if weak ciphers are employed. www.infosectrain.com Broken Cryptography
  • 26. Found this useful? To Get More Insights Through our FREE Course | Workshops | eBooks | White Paper Checklists | Mock Tests Press the Icon & www.infosectrain.com