Tag Archives: test cases for penetration testing
- Authentication Bypass: Verify if authentication mechanism implemented by your application can be bypassed.
- Password Strength: Check whether the application implements strong password requirements.
- Password field with auto complete enabled: Password fields in an application should have “Autocomplete=OFF” set.
- Authorization Bypass: Verify if lower privileged user can access resources of higher privileged user.
- SQL Injection: Test for SQLi vulnerability in all the fields that take user input and that are being sent to the database.
- LDAP Injection: For applications that use LDAP, verify if input parameters are vulnerable to LDAP injection.
- Cross site request Forgery: Test for CSRF vulnerability on all the form submissions and URLs (POST and GET requests) of the application.
- Buffer Over flow: Check if any of the input parameters cause buffer overflow on the server or client.
- Response Splitting: Identify input parameters that are being used in response headers and check if they are vulnerable to response splitting.
- Harmful HTTP Methods Enabled: Check if harmful HTTP methods like PUT, DELETE, TRACE are enabled on the server. It is good to disable OPTIONS method also.
- Directory Listing enabled on the server: Check if the application server allows listing of contents of a folder in application server.
- Web pages containing sensitive pages being cached: Verify if the application caches pages containing sensitive data.
- Un-encrypted sensitive data: Sensitive data need to be encrypted. It should neither be stored in plain text nor it should be stored in a encoded format.
- Server Platform Information Leak: Check if server platform information is leaked in Response headers or error messages or default server pages.
- Session Hijacking: Check if the application allows users to steal session cookies and use them from their machines.
- Session Fixation: Verify if the application allows fixation of session cookie by users or attackers.
- Predictable session cookies: Verify whether the session cookies random enough and could not be predicted by users.