Feature Testing Checklist

Test these feature areas on every program. Each has common recurring vulnerabilities.

Registration

  • What info is required? Where is it reflected after signup?
  • What characters are allowed? < > " ' \ in name fields?
  • Can you sign up with @target.com email – blacklisted?
  • Revisit register page while authenticated – redirect parameter?
  • Check page source and JS files for hidden parameters
  • Dork: site:example.com inurl:register inurl:&
  • Mobile signup – different codebase? Different filtering?
  • myemail%00@email.com – null byte truncation to real account?

Login & Password Reset

  • Redirect parameter? Try returnUrl, goto, return_url, back, returnTo
  • Login with myemail%00@email.com – truncation to real email?
  • Social media login – check OAuth flow for token leaks
  • Mobile vs desktop login flow
  • Host header injection in password reset – Host: evil.com
  • IDOR in reset flow: try injecting ID parameter
  • Rate limiting? (check program policy before testing)
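The redirect parameter, the %00 email and the Host header items above all come down to the server trusting a client-supplied value. As an added example (not from the checklist's author), here is how a Python backend can handle those three defensively; the host names, the allow-list and the email rule are assumptions for illustration.

```python
from typing import Optional
import re
from urllib.parse import urlsplit

# Hypothetical deployment constants; a real app reads these from config.
CANONICAL_HOST = "app.example.com"
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "help.example.com"}
# Local part: no whitespace, no '@', no control bytes (so no NUL); domain: labels + TLD.
EMAIL_RE = re.compile(r"[^\s@\x00-\x1f\x7f]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def normalize_email(raw: str) -> Optional[str]:
    """Reject addresses containing control bytes instead of truncating them,
    so a submitted 'myemail%00@email.com' cannot become the account 'myemail'."""
    email = raw.strip().lower()
    return email if EMAIL_RE.fullmatch(email) else None


def safe_redirect_target(return_url: Optional[str]) -> str:
    """Follow only site-relative paths or https URLs on allow-listed hosts;
    anything else (other hosts, other schemes, //host tricks) falls back to '/'."""
    if not return_url:
        return "/"
    try:
        parts = urlsplit(return_url)
    except ValueError:  # malformed URL (e.g. bad IPv6 literal)
        return "/"
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: must be https on an allowed host.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
            return "/"
        return return_url
    # Relative: require a single leading '/', reject backslash variants.
    if return_url.startswith("/") and not return_url.startswith(("//", "/\\")):
        return return_url
    return "/"


def reset_link(host_header: str, token: str) -> str:
    """Build the password-reset URL from the configured canonical host, never
    from the incoming Host header; a header that does not match is refused."""
    if host_header.lower() != CANONICAL_HOST:
        raise ValueError("unexpected Host header: %r" % host_header)
    return f"https://{CANONICAL_HOST}/reset?token={token}"
```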

Account Updates

  • CSRF protection on profile updates? Test blank/modified tokens
  • < > " ' \ handling – where are characters reflected?
  • Mobile app updates vs desktop – different filtering?
  • Photo/video upload – where stored? Same domain? CDN?
  • Is second confirmation required for email/password change?
  • Can you update without entering current password?

Developer Tools / API

  • Where is the API hosted? AWS = try metadata endpoint
  • Webhooks available? = SSRF target
  • Can you create your own app? Are permissions enforced?
  • API docs/wiki – reveals endpoints, token format, keywords for wordlists
  • GraphQL? Introspection enabled? {__schema{types{name}}}
  • Test every endpoint with all HTTP methods: GET, POST, PUT, DELETE, PATCH

Main Site Features

  • Map all features top-down before attacking
  • Same features on mobile vs desktop?
  • Paid vs free accounts – can free access paid features?
  • Oldest features – old code = bugs
  • New/upcoming features – check JS files, Twitter, newsletters
  • Privacy settings – do they actually enforce on server side?
  • Permission levels: admin, mod, user, guest – test each level

Payment Features

  • Access paid features without paying?
  • Payment info visible in DOM? Chain XSS to leak it
  • Different country payment options – sandbox credit card not blocked?
  • Negative quantities, modified prices in request body
  • Race conditions on payment/coupon processing

zseano/feature_checklist.txt · Last modified: by drew