Checklist
`Checklist 1:`
Weak registration implementation
Weak password reset implementation
Lack of security headers / improper cache control
Token not invalidated after use
HTTP and HTTPS both available
HTTP served by default (no redirect to HTTPS)
Broken link hijacking
Clickjacking
Delete account without a password
Email spoofing
External authentication injection - content spoofing
Failure to invalidate session on password reset or change
No rate limit on login
No rate limit on OTP
No rate limit on SMS triggering
No rate limit on email triggering (client-side)
No rate limit on email triggering (server-side)
No rate limit on promo code
Weak password policy
Open redirection
Sensitive token in URL
Cleartext transmission of sensitive token
Token leakage to 3rd party
Sensitive data exposure leading to pay-per-use abuse
Clipboard enabled on password field - Android
Screenshots enabled on sensitive pages - Android
No secure integrity check
CRLF injection
Session fixation
Wi-Fi SSID + password exposure
Token leaked in response
EXIF geolocation data not stripped - manual enumeration
EXIF geolocation data not stripped - automated enumeration
Failure to invalidate session on logout
HTML email injection
2FA bypass
Insecure server-side credential storage
Username enumeration
WAF bypass - origin IP disclosure
Blind XSS - XSS Hunter
Reflected XSS
Stored XSS
Stored XSS via file upload
Off-domain XSS
CSRF
Iframe injection
CAPTCHA bypass
2FA bypass through SSO misconfiguration
Host header injection
Missing Secure and HttpOnly flags on the session cookie
Visible detailed / debug error page
App-level DoS
OAuth misconfiguration - account takeover
Subdomain takeover
Application-wide CSRF
Privilege escalation
Auth bypass via response manipulation
Weak cryptography
Hardcoded password / directory listing
Using default credentials
SSRF
RCE
Log4j
LFI
RFI
XXE
SQL injection (error-based)
Information disclosure
`Checklist for Non-Signup:`
Broken Link Hijacking
DMARC / SPF Misconfiguration
HTTP and HTTPS Available
EXIF Data Not Stripped (If upload option is available)
No Secure Integrity Check (If upload option is available)
HTML Injection (If support/contact us page is available)
Rate Limit (Client or Server)
CAPTCHA Bypass
App-level DoS
SSTI - Command Injection
Google Maps API Key Exposure
Open Redirect
CRLF Injection
Reflected XSS
Visible Debug Page
Subdomain Takeover
Directory Listing
Path Traversal (LFI)
Port Scanning
Info Disclosure (PII)
RCE - Log4j
SQL Injection
Privilege Escalation
Authentication Bypass
Weak Login Function
Session Fixation
Missing Secure or HTTPOnly Cookie Flag
Failure to Invalidate Session
    On Logout (Client and Server-Side)
    Long Timeout
    On Password Reset and/or Change
    Concurrent Sessions On Logout
    On Email Change
    Concurrent Logins
Sensitive Data Exposure - Essential Guideline
    Critically Sensitive Data
        Password Disclosure
        Private API Keys
    User Enumeration
    Visible Detailed Error/Debug Page
        Detailed Server Configuration
        Full Path Disclosure
        Descriptive Stack Trace
    Token Leakage via Referer
    Sensitive Token in URL
    Weak Password Reset Implementation
        Password Reset Token Sent Over HTTP
    Cleartext Transmission of Sensitive Data
    Directory Listing Enabled
    Disclosure of Known Public Information
    Mixed Content (HTTPS Sourcing HTTP)
    Sensitive Data Hardcoded
        OAuth Secret
        File Paths
    Internal IP Disclosure
    JSON Hijacking
    Cross Site Script Inclusion (XSSI)
Insufficient Security Configurability - Essential Guideline
    Weak Password Policy
    Weak Password Reset Implementation
        Token is Not Invalidated After Use
        Token is Not Invalidated After Email Change
        Token is Not Invalidated After Password Change
        Token is Not Invalidated After New Token is Requested
    Lack of Verification Email
    Lack of Notification Email
    Weak Registration Implementation
    Weak 2FA Implementation
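The reset-token items above (not invalidated after use, after an email or password change, or when a newer token is requested) and the "Failure to Invalidate Session" items describe one piece of server-side state that has to be handled correctly. The following is an added example written for this page, not code from the checklist's author: a hypothetical in-memory `AccountStore` whose `request_reset`, `reset_password`, `change_email` and `logout` methods behave the way the checklist expects, so each bullet can be read as a test against it. PBKDF2 stands in for a dedicated password hash to keep it dependency-free, and the clock is injectable so expiry can be exercised without waiting.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    # Hypothetical in-memory user record; a real system keeps this in a database.
    email: str
    salt: bytes
    password_hash: bytes
    sessions: set[str] = field(default_factory=set)  # live server-side session ids
    reset_token_hash: str | None = None  # hash of the single currently valid reset token
    reset_token_expiry: float = 0.0


class AccountStore:
    TOKEN_TTL = 15 * 60  # seconds a reset token stays valid

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be tested deterministically
        self.accounts: dict[str, Account] = {}

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        # PBKDF2 stands in for argon2/bcrypt to keep the example dependency-free.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _token_hash(token: str) -> str:
        # Only the hash is stored, so reading the database does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, salt, self._pw_hash(password, salt))

    def login(self, email: str, password: str) -> str | None:
        acct = self.accounts.get(email)
        if acct is None:
            return None
        if not hmac.compare_digest(acct.password_hash, self._pw_hash(password, acct.salt)):
            return None
        sid = secrets.token_urlsafe(32)
        acct.sessions.add(sid)
        return sid

    def is_logged_in(self, email: str, sid: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and sid in acct.sessions

    def logout(self, email: str, sid: str) -> None:
        # Server-side invalidation: deleting the cookie in the browser alone leaves the session usable.
        self.accounts[email].sessions.discard(sid)

    def request_reset(self, email: str) -> str:
        acct = self.accounts[email]
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = self._token_hash(token)  # overwrites, so an older token is void
        acct.reset_token_expiry = self.now() + self.TOKEN_TTL
        return token  # delivered out of band; must not appear in the HTTP response

    def reset_password(self, email: str, token: str, new_password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.reset_token_hash is None:
            return False
        if self.now() > acct.reset_token_expiry:
            return False
        if not hmac.compare_digest(acct.reset_token_hash, self._token_hash(token)):
            return False
        acct.reset_token_hash = None  # single use
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = self._pw_hash(new_password, acct.salt)
        acct.sessions.clear()  # every existing session dies with the old password
        return True

    def change_email(self, email: str, new_email: str) -> None:
        acct = self.accounts.pop(email)
        acct.email = new_email
        acct.reset_token_hash = None  # a reset pending for the old address is no longer valid
        self.accounts[new_email] = acct
```

When testing a target, the same sequence (request two tokens, use the older one; use a token twice; change the password, then replay an old session cookie) is what turns each bullet into a concrete pass/fail result.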
Unvalidated Redirects and Forwards - Essential Guideline
    Tabnabbing
Server Security Misconfiguration - Essential Guideline
    Using Default Credentials
    Misconfigured DNS
        Subdomain Takeover
    OAuth Misconfiguration
        Account Takeover
        Insecure Redirect URI
    Mail Server Misconfiguration
        Missing SPF on Email Domain
        Missing SPF on Non-Email Domain
    Database Management System (DBMS) Misconfiguration
    Lack of Password Confirmation
        Delete Account
        Change Email Address
        Change Password
    No Rate Limiting on Form
        Registration
        Login
        Email-Triggering
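The rate-limit items in both checklists (login, OTP, SMS and email triggering, client-side versus server-side limits) come down to where the counter lives and what it is keyed on. This is an added example, not code from the checklist's author: a hypothetical `LoginRateLimiter` with separate per-account and per-IP sliding windows, a `client_ip` helper that refuses to trust X-Forwarded-For from untrusted peers, and a constructed `simulate_otp_guessing` attack that shows why an IP-only limit is defeated by rotating source addresses while an account-keyed limit is not. Limits and addresses are illustrative values.

```python
from __future__ import annotations

import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter for login, OTP and email-triggering endpoints.

    Two independent counters are kept: per target account, so an attacker who
    rotates source IPs still exhausts the account budget, and per source IP, so
    one host cannot spray guesses across many accounts. This runs on the server;
    a limit enforced only in page JavaScript disappears when the request is
    replayed directly. (Hypothetical class written for this example.)
    """

    def __init__(self, per_account: int = 5, per_ip: int = 50,
                 window: int = 300, now=time.time):
        self.per_account = per_account
        self.per_ip = per_ip
        self.window = window  # seconds
        self.now = now  # injectable clock for deterministic tests
        self._hits: dict[tuple[str, str], deque] = defaultdict(deque)

    def _recent(self, scope: str, key: str) -> int:
        q = self._hits[(scope, key)]
        cutoff = self.now() - self.window
        while q and q[0] <= cutoff:
            q.popleft()  # drop attempts that have aged out of the window
        return len(q)

    def allow(self, account: str, ip: str) -> bool:
        """Record one attempt and say whether it may be processed at all.

        Every attempt counts, not only failures, so OTP guessing cannot be
        hidden among otherwise valid-looking requests."""
        ok = (self._recent("acct", account) < self.per_account
              and self._recent("ip", ip) < self.per_ip)
        t = self.now()
        self._hits[("acct", account)].append(t)
        self._hits[("ip", ip)].append(t)
        return ok


def client_ip(remote_addr: str, headers: dict[str, str], peer_is_trusted_proxy: bool) -> str:
    """Key the per-IP bucket on an address the client cannot choose.

    X-Forwarded-For is honoured only when the direct peer is our own proxy
    (assumed here to append the real client address last); otherwise an
    attacker sends a fresh X-Forwarded-For with every request and never fills
    a bucket."""
    if peer_is_trusted_proxy:
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return xff.split(",")[-1].strip()
    return remote_addr


def simulate_otp_guessing(limiter: LoginRateLimiter, account: str,
                          attempts: int, rotate_ips: bool) -> int:
    """Constructed attack: return how many of `attempts` guesses were processed."""
    processed = 0
    for i in range(attempts):
        ip = f"203.0.113.{i % 200 + 1}" if rotate_ips else "203.0.113.1"
        if limiter.allow(account, ip):
            processed += 1
    return processed
```

With the defaults, 1000 OTP guesses against one account are cut to 5 whether or not the attacker rotates addresses; with an IP-only limiter (a very large per-account budget) rotation lets all 1000 through, which is the finding the "No rate limit on OTP" item is looking for.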
    Directory Listing Enabled
        Sensitive Data Exposure
        Non-Sensitive Data Exposure
    Same-Site Scripting
    Unsafe File Upload
        File Extension Filter Bypass | No Antivirus
        No Size Limit
    Exposed Admin Portal - To Internet
    Lack of Security Headers
        Content-Security-Policy | X-Content-Security-Policy | X-Webkit-CSP
        X-XSS-Protection
        X-Frame-Options
        Public-Key-Pins
        X-Content-Type-Options
        Strict-Transport-Security
        Cache-Control for a Non-Sensitive Page
        Content-Security-Policy-Report-Only
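The header and cookie items (Lack of Security Headers, Cache-Control, Missing Secure or HTTPOnly Cookie Flag, Session Cookie Scoped to Parent Domain) are checked from a single response. The following is an added example, not code from the checklist's author: an offline audit over two constructed responses, one weak and one hardened, that reports each missing header or cookie attribute together with why it matters. X-XSS-Protection and Public-Key-Pins are listed in the checklist but deliberately not required here, since current browsers ignore both; the remaining checks, the sample responses and the host name are assumptions made for the example.

```python
from __future__ import annotations

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "headers": {
        "Content-Type": "text/html",
        "Cache-Control": "public, max-age=600",
        "Server": "Apache/2.4.41 (Ubuntu)",
    },
    "set_cookies": ["session=abc123; Path=/; Domain=example.com"],
}

HARDENED_RESPONSE = {
    "headers": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Cache-Control": "no-store",
    },
    "set_cookies": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}


def _parse_cookie(set_cookie: str) -> tuple[str, dict[str, str]]:
    """Split a Set-Cookie value into its name and lower-cased attribute map."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def check_cookie(set_cookie: str, host: str) -> list[str]:
    name, attrs = _parse_cookie(set_cookie)
    f = []
    if "secure" not in attrs:
        f.append(f"cookie {name}: missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        f.append(f"cookie {name}: missing HttpOnly (readable by injected script)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        f.append(f"cookie {name}: SameSite not Lax/Strict (no CSRF mitigation from the cookie)")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != host.lower():
        f.append(f"cookie {name}: scoped to parent domain {domain}; every subdomain receives it")
    return f


def check_headers(headers: dict[str, str], sensitive_page: bool) -> list[str]:
    h = {k.lower(): v for k, v in headers.items()}
    f = []
    csp = h.get("content-security-policy", "")
    if not csp:
        f.append("missing Content-Security-Policy")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        f.append("no X-Frame-Options and no CSP frame-ancestors: clickjacking possible")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        f.append("X-Content-Type-Options is not nosniff")
    if "max-age=" not in h.get("strict-transport-security", "").lower():
        f.append("missing Strict-Transport-Security")
    if sensitive_page and "no-store" not in h.get("cache-control", "").lower():
        f.append("sensitive page without Cache-Control: no-store")
    if "server" in h and any(ch.isdigit() for ch in h["server"]):
        f.append(f"Server header discloses version: {h['server']}")
    return f


def audit(response: dict, host: str, sensitive_page: bool = True) -> list[str]:
    """Return every finding for one response; an empty list means nothing to report."""
    findings = check_headers(response["headers"], sensitive_page)
    for cookie in response["set_cookies"]:
        findings.extend(check_cookie(cookie, host))
    return findings
```

Run `audit` against the headers of an authenticated page rather than the landing page: the cache and cookie findings only matter where the response carries session state or personal data, which is what "Cache-Control for a Non-Sensitive Page" is distinguishing.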
    Path Traversal
    SSL Attack (BREACH, POODLE etc.)
    Rate Limit Brute Forcing OTP Vulnerability
    Logical Bugs | Vulnerabilities
    Missing Certification Authority Authorization (CAA) Record
    Email Spoofing to Spam Folder
    Missing or Misconfigured SPF and/or DKIM
    Session Cookie Scoped to Parent Domain
    Missing Secure or HTTPOnly Cookie Flag
    CAPTCHA Bypass Vulnerability
    Exposed Admin Portal | IP Address Disclosure
    Missing DNSSEC
    Brute Force Username Enumeration
    Potentially Unsafe HTTP Method Enabled - OPTIONS | TRACE
    Lack of Forward Secrecy
    Insecure Cipher Suite
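The mail items (DMARC / SPF in the non-signup list, Missing SPF on Email Domain and on Non-Email Domain, Email Spoofing to Spam Folder, Missing or Misconfigured SPF and/or DKIM) are all decided by what the domain publishes in DNS. This is an added example, not code from the checklist's author: it evaluates SPF and DMARC TXT records from a constructed in-memory zone rather than live DNS, so it runs offline, and reports the permissive cases the checklist names. The zone contents, domain names and severity wording are assumptions; `include:` and `redirect=` targets are not followed, and DKIM is not covered because checking it needs the sender's selector.

```python
from __future__ import annotations

# Constructed TXT records keyed by owner name; not real DNS data.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "noreply.example.com": ["v=spf1 -all"],
    "_dmarc.noreply.example.com": ["v=DMARC1; p=reject"],
    "legacy.example.com": ["v=spf1 +all"],
}


def spf_record(txts: list[str]) -> str | None:
    return next((t for t in txts if t.lower().startswith("v=spf1")), None)


def spf_all_qualifier(spf: str) -> str | None:
    """Qualifier on the 'all' mechanism: '-', '~', '?' or '+'; None if absent.

    include:/redirect= targets are not followed here, so a record that only
    delegates is reported as having no 'all' term (SPF then evaluates neutral)."""
    for term in spf.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return qual
    return None


def dmarc_policy(txts: list[str]) -> str | None:
    """The p= tag of the DMARC record, lower-cased; None when no record exists."""
    rec = next((t for t in txts if t.lower().startswith("v=dmarc1")), None)
    if rec is None:
        return None
    tags: dict[str, str] = {}
    for kv in rec.split(";"):
        k, _, v = kv.partition("=")
        if k.strip():
            tags[k.strip().lower()] = v.strip().lower()
    return tags.get("p", "none")


def audit_mail_domain(name: str, zone: dict[str, list[str]], sends_mail: bool) -> list[str]:
    findings = []
    spf = spf_record(zone.get(name, []))
    if spf is None:
        findings.append(f"{name}: no SPF record; any host may send as this domain")
    else:
        q = spf_all_qualifier(spf)
        if q in ("+", "?", None):
            findings.append(f"{name}: SPF does not fail unlisted senders ({spf})")
        elif q == "~":
            findings.append(f"{name}: SPF soft fail only; spoofed mail lands in spam instead of being rejected")
        if not sends_mail and spf.split() != ["v=spf1", "-all"]:
            findings.append(f"{name}: domain sends no mail but SPF is not 'v=spf1 -all'")
    policy = dmarc_policy(zone.get(f"_dmarc.{name}", []))
    if policy is None:
        findings.append(f"{name}: no DMARC record; receivers get no instruction to reject failures")
    elif policy == "none":
        findings.append(f"{name}: DMARC p=none is monitoring only; spoofed mail is still delivered")
    return findings
```

Against a live target the same logic applies to the TXT answers for the domain and its `_dmarc` subdomain; the soft-fail plus `p=none` combination on `example.com` in the sample zone is exactly the "Email Spoofing to Spam Folder" case, and `legacy.example.com` with `+all` is the fully spoofable one.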