| 1 |
Input Validation |
Whois information discovery |
| Testing for Reflected Cross Site Scripting |
| Testing for Stored Cross Site Scripting |
| Testing for HTTP Verb Tampering |
| Testing for HTTP Verb Tampering |
| Testing for HTTP Parameter Pollution |
| Testing for SQL Injection |
| Testing for LDAP Injection |
| Testing for XML Injection |
| Testing for SSI Injection |
| Testing for XPath Injection |
| Testing for IMAP SMTP Injection |
| Testing for Code Injection |
| Testing for Local and Remote File Inclusion |
| Testing for Command Injection |
| Testing for Format String Injection |
| Testing for Host Header Injection |
| Testing for Server-side Template Injection |
| Testing for Server-side Template Injection |
| Testing for Server-Side Request Forgery |
| Testing for Serialization/Deserialization related vulnerabilities |
| 2 |
Authentication Testing |
| Testing for Credentials Transported over an Encrypted Channel |
| Testing for Default Credentials |
| Testing for Weak Lock Out Mechanism |
| Testing for Bypassing Authentication Schema |
| Testing for Vulnerable Remember Password |
| Testing for Browser Cache Weaknesses |
| Testing for Weak Password Policy |
| Testing for Weak Security Question Answer |
| Testing for Weak Password Change or Reset Functionalities |
| Testing for Weaker Authentication in Alternative Channel |
| 3 |
Configuration and Deployment Management Testing |
| Test Network Infrastructure Configuration |
| Test Application Platform Configuration |
| Test File Extensions Handling for Sensitive Information |
| Review Old Backup and Unreferenced Files for Sensitive Information |
| Enumerate Infrastructure and Application Admin Interfaces |
| Test HTTP Methods |
| Test HTTP Strict Transport Security |
| Test RIA Cross Domain Policy |
| Test File Permission |
| Test for Subdomain Takeover |
| Test Cloud Storage |
| 4 |
Session Management Testing |
| Testing for Session Management Schema |
| Testing for Cookies Attributes |
| Testing for Session Fixation |
| Testing for Exposed Session Variables |
| Testing for Cross Site Request Forgery |
| Testing for Logout Functionality |
| Testing Session Timeout |
| Testing for Session Puzzling |
| Testing for Session Hijacking |
| 5 |
Authorization Testing |
| Testing Directory Traversal File Include |
| Testing for Bypassing Authorization Schema |
| Testing for Privilege Escalation |
| Testing for Insecure Direct Object References |
| 6 |
Identity Management Testing |
| Test Role Definitions |
| Test User Registration Process |
| Test Account Provisioning Process |
| Testing for Account Enumeration and Guessable User Account |
| Testing for Weak or Unenforced Username Policy |
| Testing for KYC integrations |
| 7 |
Business Logic Testing |
| Test Business Logic Data Validation |
| Test Ability to Forge Requests |
| Test Integrity Checks |
| Test for Process Timing |
| Test Number of Times a Function Can Be Used Limits |
| Testing for the Circumvention of Work Flows |
| Test Defenses Against Application Misuse |
| Test Upload of Unexpected File Types |
| Test Upload of Malicious Files |
| Test for round off errors |
| 8 |
Testing for Error Handling |
| Testing for Improper Error Handling |
| Testing for Stack Traces |
| 9 |
Information Disclosure |
| Client Side Data protection |
| Hard-coded sensitive information |
| 10 |
Testing for Weak Cryptography |
| Testing for Weak Transport Layer Security |
| Testing for Padding Oracle |
| Testing for Sensitive Information Sent via Unencrypted Channels |
| Testing for Weak Encryption |
| 11 |
Client-Side Testing |
| Testing for DOM-Based Cross Site Scripting |
| Testing for JavaScript Execution |
| Testing for HTML Injection |
| Testing for Client-side URL Redirect |
| Testing for CSS Injection |
| Testing for Client-side Resource Manipulation |
| Testing Cross Origin Resource Sharing |
| Testing for Cross Site Flashing |
| Testing for Clickjacking |
| Testing WebSockets |
| Testing Web Messaging |
| Testing Browser Storage |
| Testing for Cross Site Script Inclusion |
Chat with Us