Web Application Checklist
Information Gathering
Crawling / Identify Default Directories
Technologies in use
HTTP Headers
Information Disclosure through Error Messages
Outdated Libraries
Directory Listing Enabled
User Roles
User Enumeration
Business Logic
Input Validation / Injections
Cross-Site Scripting (XSS)
SQL / NoSQL Injections
Server Side Includes
Server Side Request Forgery
Cross Site Request Forgery
CORS
XML / LDAP / Command Injection
Open Redirect
Path Traversal
Local / Remote File Includes
HTTP Request Smuggling
Session
Session ID Entropy
Improper Session Termination
Session Fixation
Cookie Poisoning
Clickjacking
Session Cookies Without Flags
HTTP Strict Transport Security
Cryptography
Algorithms & Ciphers
Self-Signed Certificates
Improper Password Storage
Lack of SSL
Authorization
User Segregation
Insecure Direct Object Reference
Default / Easily Guessable Passwords
Hardcoded Credentials in Files
No Brute Force Protection
Unauthenticated Admin Access
Unrestricted File Upload
Lack of Antivirus Solution
Denial of Service
Account Lockout
Cache Poisoning