1. Web Application Vulnerabilities Checklist

2. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field  Hidden field  Client side validation  ‘Tainted’ parameters  Min/Max lengths  Concatenate commands

3. EC-Council  Determine policies for access to content and functions.

4. EC-Council Credential Management  Password storage  Password change  User Update section  Password strength  Lockout policy  Login attempts allowed

5. EC-Council Session Management  Token protection  Session Duration  Idle time Duration  Guess Session ID format  Transfer in URL or BODY?  Is Session Id linked to the IP address?  Change Referrer tag

6. EC-Council Backend Authentication  Trust relationships  Encryption  Plaintext password in HTML  Password in configuration file.

7. EC-Council XSS  Which type – stored or reflected  Check for 404/500 error pages for  return information.  Input validation

8. EC-Council MisConfiguration  Nikto results  Nessus results  Patch level  Directory listing  Directory permission  Error messages  Default username/pass  SSL cert. Configuration  Debug or configuration Files  Check for latest vulnerabilities

9. EC-Council Unwanted  Backup files  Defaults files  Services  Remote admin. Access

10. EC-Council  Flaws in access control?  Check for path transversal.  Client side Caching  Check header  Check metatag  Determine file permissions

11. EC-Council SQL injection  Mirror website and search for all input parameters  Gain database related information  Error Messages  Privileges given to the webserver or database

12. EC-Council OS calls  Using any interpreter?  OS service calls (e.g. Sendmail)  Mirror and search code for all calls to external sources.  Privileges given to other services and webserver.

13. EC-Council  Complete check of information returned in error messages. Guess  application logic through errors codes and messages.  Deconstruction of binary codes (if any)  Is critical data secured and encrypted?

14. EC-Council Examine  Token  Cookie  SSID  Serialized Objects

15. EC-Council Access points  Regular users  Admin access  Any other?

16. EC-Council  Ability to brute force at the discovered access points.  Ability to bypass auth. with spoofed tokens  Ability to conduct replay attack.  Forced browsing, does application keep a check by tracking request from each user.