Skip to content

Instantly share code, notes, and snippets.

@jhaddix
Forked from amotmot/WAHH_Task_Checklist.md
Last active January 26, 2025 19:51
Show Gist options
  • Save jhaddix/6b777fb004768b388fefadf9175982ab to your computer and use it in GitHub Desktop.
Save jhaddix/6b777fb004768b388fefadf9175982ab to your computer and use it in GitHub Desktop.
Fast Simple Appsec Testing Checklist

Fast Testing Checklist

A combination of my own methodology and the Web Application Hacker's Handbook Task checklist, as a Github-Flavored Markdown file

Contents

Task Checklist

App Recon and analysis

  • Map visible content
  • Discover hidden & default content
  • Test for debug parameters
  • Identify data entry points
  • Identify the technologies used
  • Research existing vulnerabilitties in technology
  • Gather wordlists for specific techniology (Assetnote ones are excellent)
  • Map the attack surface (Spider)
  • Identify all javascript files for later analysis

Test handling of access

Authentication

  • Test password quality rules
  • Test for username enumeration
  • Test resilience to password guessing
  • Test any account recovery function
  • Test any "remember me" function
  • Test any impersonation function
  • Test username uniqueness
  • Check for unsafe distribution of credentials
  • Test for fail-open conditions
  • Test any multi-stage mechanisms

Session handling

  • Test tokens for meaning
  • Test tokens for predictability
  • Check for insecure transmission of tokens
  • Check for disclosure of tokens in logs
  • Check mapping of tokens to sessions
  • Check session termination
  • Check for session fixation
  • Check for cross-site request forgery
  • Check cookie scope

Access controls

  • Understand the access control requirements
  • Test effectiveness of controls, using multiple accounts if possible
  • Test for insecure access control methods (request parameters, Referer header, etc)

Test handling of input

  • Fuzz all request parameters
  • Test for SQL injection
  • Identify all reflected data
  • Test for reflected XSS
  • Test for HTTP header injection
  • Test for arbitrary redirection
  • Test for stored attacks
  • Test for OS command injection
  • Test for path traversal
  • Test for script injection
  • Test for file inclusion
  • Test for SMTP injection
  • Test for native software flaws (buffer overflow, integer bugs, format strings)
  • Test for SOAP injection
  • Test for LDAP injection
  • Test for XPath injection
  • Test for SSRF and HTTP Redirrects in all redirecting parameters

Test application logic

  • Identify the logic attack surface
  • Test transmission of data via the client
  • Test for reliance on client-side input validation
  • Test any thick-client components (Java, ActiveX, Flash)
  • Test multi-stage processes for logic flaws
  • Test handling of incomplete input
  • Test trust boundaries
  • Test transaction logic

Assess application hosting

  • Test segregation in shared infrastructures
  • Test segregation between ASP-hosted applications
  • Test for web server vulnerabilities
  • Default credentials
  • Default content
  • Dangerous HTTP methods
  • Proxy functionality
  • Virtual hosting mis-configuration
  • Bugs in web server software

Miscellaneous tests

  • Check for DOM-based attacks
  • Check for frame injection
  • Check for local privacy vulnerabilities
  • Persistent cookies
  • Caching
  • Sensitive data in URL parameters
  • Forms with autocomplete enabled
  • Follow up any information leakage
  • Check for weak SSL ciphers
@Fernandingo7
Copy link

Amazing checklist, bro.

@Divyanshukothari
Copy link

rather than reading wahh v2 we should follow this checklist and practice labs on portswigger websecacademy

@khanjanny
Copy link

'"></script>

qtt4tI

@khanjanny
Copy link

'" rNnTRbt="roannATTR" x=yFAb78x

@khanjanny
Copy link

'">

Qz8zu0

@khanjanny
Copy link

rNnTRbt=1 x=d'">

4HM43V

@khanjanny
Copy link

rNnTRbt=1 x=d'">

NejCJh

@khanjanny
Copy link

rNnTRbt=1 x=d'">

95IWbL

@khanjanny
Copy link

rNnTRbt=1 x=d'">

h7c6WO

@khanjanny
Copy link

rNnTRbt=1 x=d'">

Y0Wpus

@khanjanny
Copy link

rNnTRbt=1 x=d'">

y1ADnl

@khanjanny
Copy link

rNnTRbt=1 x=d'">

SWiS6W

@khanjanny
Copy link

rNnTRbt=1 x=d'">

y7qblu

@khanjanny
Copy link

rNnTRbt=1 x=d'">

0EMeJ3

@khanjanny
Copy link

rNnTRbt=1 x=d'">

Hn5ZTj

@khanjanny
Copy link

rNnTRbt=1 x=d'">

On7P2q

@khanjanny
Copy link

rNnTRbt=1 x=d'">

9ReK5g

@khanjanny
Copy link

rNnTRbt=1 x=d'">

Gx2kGR

@khanjanny
Copy link

rNnTRbt=1 x=d'">

iNwCwt

@khanjanny
Copy link

rNnTRbt=1 x=d'">

GPR5GO

@khanjanny
Copy link

rNnTRbt=1 x=d'">

QQW8b0

@khanjanny
Copy link

rNnTRbt=1 x=d'">

30CQ4n

@khanjanny
Copy link

rNnTRbt=1 x=d'">

onjrlW

@khanjanny
Copy link

rNnTRbt=1 x=d'">

lYrBYf

@khanjanny
Copy link

rNnTRbt=1 x=d'">

6PSBN0

@khanjanny
Copy link

rNnTRbt=1 x=d'">

pYrXqd

@khanjanny
Copy link

rNnTRbt=1 x=d'">

zPHzFD

@khanjanny
Copy link

rNnTRbt=1 x=d'">

kpKZ1U

@khanjanny
Copy link

rNnTRbt=1 x=d'">

Pp6hGi

@khanjanny
Copy link

rNnTRbt=1 x=d'">

qrXAZU

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment