Below is the list of Penetration Testing checklist notes that were discussed in the OWASP meeting I attended yesterday.
1). Web Applications – Check if a web application is able to identify spam attacks on contact forms used in the website.
2). Proxy Servers – Check if the network traffic is monitored by proxy appliances. Proxy servers make it difficult for hackers to get internal details of the network.
3). Spam Email Filters – Verify if incoming and outgoing email traffic is filtered and unsolicited emails are blocked.
4). Firewalls – Make sure the entire network, or the individual computers on it, are protected by a firewall.
5). Exploits – Try to exploit all servers, desktop systems, printers and network devices (within scope).
6). Verification – Verify that all usernames and passwords are encrypted and transferred over secured connections like HTTPS.
7). Cookies – Verify information stored in website cookies. It should not be in a readable format.
8). Vulnerabilities – Review previously found vulnerabilities to check if the fix is working.
9). Open Ports – Ensure there are no unnecessary open ports on a network.
10). Telephones – Check all telephone (VoIP) devices.
11). WiFi – Test Wi-Fi network security.
12). HTTP Methods – Review HTTP methods. PUT and DELETE methods should not be enabled on the web server.
13). Passwords – Passwords should be at least 8 characters long and contain at least one number and one special character.
14). Usernames – Usernames should not be like “admin” or “administrator”.
15). Application Login Pages – Application login pages should be locked after a few unsuccessful login attempts (brute force attacks).
16). Error messages – Error messages should be generic and not mention specific error details like “Invalid username” or “Invalid Password”.
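As an added example (not from the OWASP meeting notes or Rob Taylor's list), here is a small Python login handler covering items 15 and 16: the same generic failure message for an unknown user, a wrong password and a locked account, plus a lockout after a few consecutive failures. The in-memory user store, the password and the threshold are constructed for the demo.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5                                  # lock after this many consecutive failures
GENERIC_ERROR = "Invalid username or password"    # identical text for every failure reason


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; iteration count kept low-ish for a demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store (stand-in for a database): username -> (salt, hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Consecutive failure counter per submitted username (hypothetical store)
_failed_attempts = {}


def is_locked(username: str) -> bool:
    return _failed_attempts.get(username, 0) >= MAX_ATTEMPTS


def _record_failure(username: str) -> None:
    _failed_attempts[username] = _failed_attempts.get(username, 0) + 1


def login(username: str, password: str) -> tuple:
    """Return (success, message). The message never says which part failed
    and never reveals whether the account exists or is locked."""
    if is_locked(username):
        # Even a correct password is refused while locked
        return False, GENERIC_ERROR
    record = USERS.get(username)
    if record is None:
        # Do the same hashing work for unknown users so response time
        # does not distinguish them from real accounts
        _hash_password(password, b"\x00" * 16)
        _record_failure(username)
        return False, GENERIC_ERROR
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        _failed_attempts.pop(username, None)      # success resets the counter
        return True, "Login successful"
    _record_failure(username)
    return False, GENERIC_ERROR
```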
17). Special Characters – Verify if special characters, HTML tags and scripts are handled properly as an input value.
18). Internal System Details – Internal system details should not be revealed in any of the error or alert messages.
19). Custom Error Messages – Custom error messages should be displayed to the end users in case of a web page crash.
20). Registry Entries – Review the use of registry entries. Sensitive information should not be kept in the registry.
21). Scanning Files – All files must be scanned before being uploaded to the server.
22). Sensitive Data – Sensitive data should not be passed in URLs while communicating with different internal modules of the web application.
23). No Hard-Coded Usernames or Passwords – There should not be any hard-coded username or password in the system.
24). Input Fields – Check all input fields with long input strings – with and without spaces.
25). Password Functionality – Ensure the reset password functionality is secure.
26). SQL Injection – Check application for SQL Injection.
27). XSS – Check application for Cross Site Scripting.
29). System Resources – Critical resources in the system should be available to authorized persons and services only.
30). Access Permissions – All access logs should be maintained with proper access permissions.
31). Ending Sessions – Check that user sessions end upon log off.
32). Directory Browsing – Verify that directory browsing is disabled on the server.
33). Up To Date Versions – Verify that all applications and database versions are up to date.
34). URL Manipulation – Review URL manipulation to make sure a web application is not showing any unwanted information.
35). Buffer Overflow – Check for memory leaks and buffer overflows.
36). Brute Force Attacks – Check if systems are safe from brute force attacks – a trial-and-error method used to find sensitive information like passwords.
37). DoS (Denial of Service) – Ensure the system or network is secured from DoS (Denial-of-service) attacks.
All credits to Rob Taylor
Hope you’ve liked it.