tbhm:fast_checklist

Differences

tbhm:fast_checklist [2026/05/14 09:18] – TBHM import drew
tbhm:fast_checklist [2026/05/14 09:28] (current) – converted from markdown to dokuwiki syntax drew
Line 1: Line 1:
 # Fast Testing Checklist # Fast Testing Checklist
  
-A combination of TBHM methodology and the Web Application Hacker's Handbook Task checklist.+A combination of my own methodology and the Web Application Hacker's Handbook Task checklist.
  
-===== Contents =====+====== Contents ======
  
-  * [[#App Recon and analysis|App Recon and analysis]] +App Recon and analysis 
-  * [[#Test handling of access|Test handling of access]] +Test handling of access 
-  * [[#Test handling of input|Test handling of input]] +Test handling of input 
-  * [[#Test application logic|Test application logic]] +Test application logic 
-  * [[#Assess application hosting|Assess application hosting]] +Assess application hosting 
-  * [[#Miscellaneous tests|Miscellaneous tests]]+Miscellaneous tests
  
-===== Task Checklist =====+====== Task Checklist ======
  
-==== App Recon and analysis ====+===== App Recon and analysis =====
  
-  * Map visible content (Manually) +- [ ] Map visible content (Manually) 
-  Discover hidden & default content (Directory/File Bruteforce) +- [ ] Discover hidden & default content (Directory/File Bruteforce) 
-  Test for debug parameters +- [ ] Test for debug parameters 
-  Identify data entry points (Discover Dynamic Content in Burp Pro) +- [ ] Identify data entry points (Discover Dynamic Content in Burp Pro) 
-  Identify the technologies used (Wapplyzer or similar) +- [ ] Identify the technologies used (Wapplyzer or similar) 
-  Research existing vulnerabilities in technology (Google ++) +- [ ] Research existing vulnerabilities in technology (Google ++) 
-  Gather wordlists for specific technology (Assetnote ones are excellent) +- [ ] Gather wordlists for specific technology (Assetnote ones are excellent) 
-  Map the attack surface automatically (Spider) +- [ ] Map the attack surface automatically (Spider) 
-  Identify all javascript files for later analysis (in your proxy)+- [ ] Identify all javascript files for later analysis (in your proxy)
  
-==== Test handling of access ====+===== Test handling of access =====
  
-=== Authentication ===+==== Authentication ===
 +- [ ] Test password quality rules 
 +- [ ] Test for username enumeration 
 +- [ ] Test resilience to password guessing 
 +- [ ] Test any account recovery function 
 +- [ ] Test any "remember me" function 
 +- [ ] Test any impersonation function 
 +- [ ] Test username uniqueness 
 +- [ ] Check for unsafe distribution of credentials 
 +- [ ] Test for fail-open conditions 
 +- [ ] Test any multi-stage mechanisms
  
-  * Test password quality rules +==== Session handling ==== 
-  Test for username enumeration +- [ ] Test tokens for meaning 
-  Test resilience to password guessing +- [ ] Test tokens for predictability 
-  * Test any account recovery function +- [ ] Check for insecure transmission of tokens 
-  * Test any "remember me" function +- [ ] Check for disclosure of tokens in logs 
-  * Test any impersonation function +- [ ] Check mapping of tokens to sessions 
-  * Test username uniqueness +- [ ] Check session termination 
-  Check for unsafe distribution of credentials +- [ ] Check for session fixation 
-  * Test for fail-open conditions +- [ ] Check for cross-site request forgery 
-  * Test any multi-stage mechanisms+[ ] Check cookie scope
  
-=== Session handling ===+==== Access controls ==== 
 +- [ ] Understand the access control requirements 
 +- [ ] Test effectiveness of controls, using multiple accounts if possible 
 +- [ ] Test for insecure access control methods (request parameters, Referer header, etc)
  
-  * Test tokens for meaning +===== Test handling of input =====
-  * Test tokens for predictability +
-  * Check for insecure transmission of tokens +
-  * Check for disclosure of tokens in logs +
-  * Check mapping of tokens to sessions +
-  * Check session termination +
-  * Check for session fixation +
-  * Check for cross-site request forgery +
-  * Check cookie scope+
  
-=== Access controls ===+- [ ] Fuzz all request parameters 
 +- [ ] Test for SQL injection 
 +- [ ] Identify all reflected data 
 +- [ ] Test for reflected XSS 
 +- [ ] Test for HTTP header injection 
 +- [ ] Test for arbitrary redirection 
 +- [ ] Test for stored attacks 
 +- [ ] Test for OS command injection 
 +- [ ] Test for path traversal 
 +- [ ] Test for script injection 
 +- [ ] Test for file inclusion 
 +- [ ] Test for SMTP injection 
 +- [ ] Test for native software flaws (buffer overflow, integer bugs, format strings) 
 +- [ ] Test for SOAP injection 
 +- [ ] Test for LDAP injection 
 +- [ ] Test for XPath injection 
 +- [ ] Test for SSRF and HTTP Redirects in all redirecting parameters
  
-  * Understand the access control requirements +===== Test application logic =====
-  * Test effectiveness of controls, using multiple accounts if possible +
-  * Test for insecure access control methods (request parameters, Referer header, etc)+
  
-==== Test handling of input ====+- [ ] Identify the logic attack surface 
 +- [ ] Test transmission of data via the client 
 +- [ ] Test for reliance on client-side input validation 
 +- [ ] Test any thick-client components (Java, ActiveX, Flash) 
 +- [ ] Test multi-stage processes for logic flaws 
 +- [ ] Test handling of incomplete input 
 +- [ ] Test trust boundaries 
 +- [ ] Test transaction logic
  
-  * Fuzz all request parameters +===== Assess application hosting =====
-  * Test for SQL injection +
-  * Identify all reflected data +
-  * Test for reflected XSS +
-  * Test for HTTP header injection +
-  * Test for arbitrary redirection +
-  * Test for stored attacks +
-  * Test for OS command injection +
-  * Test for path traversal +
-  * Test for script injection +
-  * Test for file inclusion +
-  * Test for SMTP injection +
-  * Test for native software flaws (buffer overflow, integer bugs, format strings) +
-  * Test for SOAP injection +
-  * Test for LDAP injection +
-  * Test for XPath injection +
-  * Test for SSRF and HTTP Redirects in all redirecting parameters+
  
-==== Test application logic ====+- [ ] Test segregation in shared infrastructures 
 +- [ ] Test segregation between ASP-hosted applications 
 +- [ ] Test for web server vulnerabilities 
 +- [ ] Default credentials 
 +- [ ] Default content 
 +- [ ] Dangerous HTTP methods 
 +- [ ] Proxy functionality 
 +- [ ] Virtual hosting mis-configuration 
 +- [ ] Bugs in web server software
  
-  * Identify the logic attack surface +===== Miscellaneous tests =====
-  * Test transmission of data via the client +
-  * Test for reliance on client-side input validation +
-  * Test any thick-client components (Java, ActiveX, Flash) +
-  * Test multi-stage processes for logic flaws +
-  * Test handling of incomplete input +
-  * Test trust boundaries +
-  * Test transaction logic+
  
-==== Assess application hosting ==== +[ ] Check for DOM-based attacks 
- +- [ ] Check for frame injection 
-  * Test segregation in shared infrastructures +- [ ] Check for local privacy vulnerabilities 
-  * Test segregation between ASP-hosted applications +- [ ] Persistent cookies 
-  * Test for web server vulnerabilities +- [ ] Caching 
-  * Default credentials +- [ ] Sensitive data in URL parameters 
-  * Default content +- [ ] Forms with autocomplete enabled 
-  * Dangerous HTTP methods +- [ ] Follow up any information leakage 
-  * Proxy functionality +- [ ] Check for weak SSL ciphers
-  * Virtual hosting mis-configuration +
-  * Bugs in web server software +
- +
-==== Miscellaneous tests ==== +
- +
-  * Check for DOM-based attacks +
-  Check for frame injection +
-  Check for local privacy vulnerabilities +
-  Persistent cookies +
-  Caching +
-  Sensitive data in URL parameters +
-  Forms with autocomplete enabled +
-  Follow up any information leakage +
-  Check for weak SSL ciphers+
  
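Review bot: the converted markup carries three syntax slips that will not render as intended in DokuWiki. The heading `==== Authentication ===` has four opening and three closing equals signs, so it will not be parsed as a heading (the sibling headings `==== Session handling ====` and `==== Access controls ====` are balanced); two checklist entries, `[ ] Check cookie scope` and `[ ] Check for DOM-based attacks`, lost their leading `- `, so they no longer line up with the other items; and the Contents section dropped the `[[#App Recon and analysis|...]]` style section links in favour of plain text, so it no longer links to the sections. Note also that `- [ ]` task boxes are Markdown, not core DokuWiki list syntax (DokuWiki uses indented `  * ` items, as the removed lines did), so unless a task-list plugin is installed the whole checklist will render as paragraphs; and the unchanged `# Fast Testing Checklist` is still a Markdown heading rather than a DokuWiki `====== ... ======` one.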
tbhm/fast_checklist.1778746729.txt.gz · Last modified: by drew
