OWASP Top 10 2021 — Bug Name Examples by Category:

A01: Broken Access Control

IDOR
Directory or Path Traversal
Function Injection
Privilege Escalation
Horizontal and Vertical Privilege Escalation

A02: Cryptographic Failures

Cleartext Transmission of Sensitive Data

Insufficient Entropy
Insecure Random Number Generation
Padding Oracle Attack
Use of Weak Ciphers
Weak or Misconfigured Cryptographic Configurations

A03: Injection

Os Command Injection
SQL Injection
Cross-Site Scripting (XSS)
Expression Language Injection
XML Injection
LDAP Injection
NoSQL Injection
SSTI

A04: Insecure Design

Security-by-Obscurity
Session Fixation
Unintended Functionality
Use of Hardcoded Credentials
Weak Error Handling
1
A05: Security Misconfiguration

Default Accounts and Passwords

Default or Weak Configuration Settings
Disabled Security Features
Improperly Configured Permissions and Access Controls (Insecure
Permissions)
Unnecessary Features or Services Enabled
Use of Vulnerable Software
Directory Listing Enabled
Insecure Default Passwords or Credentials
Improperly Configured Cross-Origin Resource Sharing (CORS)

A06: Vulnerable and Outdated Components

Use of Known Vulnerable Components

Outdated Libraries and Frameworks
Third-Party Components with Unpatched Vulnerabilities
Lack of Patching and Updates

A07: Identification and Authentication Failures

Brute-Force Attacks
Credential Stuffing
Credential Theft
Session Hijacking
Weak Password Policies
Weak Session Cookies
Lack of Multi-Factor Authentication (MFA)
Insecure Session Management
Insecure Authentication Protocols
Insecure Password Storage
User Enumeration

2
A08: Software and Data Integrity Failures

Insecure Direct Object References (IDOR)

Server-Side Request Forgery (SSRF)
SQL Injection and NoSQL Injection Variants
Tampering with Updates
Unvalidated Redirects and Forwards

A09: Security Logging and Monitoring Failures

Lack of Audit Logging

Insufficient Log Data
Unmonitored Logs
Unsecured Logs

A10: Server-Side Request Forgery (SSRF)

Unauthenticated SSRF
Authenticated SSRF

3
 WEB APPLICATION PENTESTING CHECKLIST
OWASP Based Checklist

INFORMATION GATHERING

1. Open Source Reconnaissance

☐ Perform Google Dorks search
☐ Perform OSINT

2. Fingerprint Web Application Framework

☐ Use the Wappalyzer browser extension
☐ Use Whatweb
☐ View URL extensions
☐ View HTML source code
☐ View the cookie parameter
☐ View the HTTP headers

3. Enumerating Web Server’s Applications

☐ Enumerating with Nmap
☐ Enumerating with Netcat
☐ Perform a DNS lookup
☐ Perform a Reverse DNS lookup

4. Fingerprinting Web Server

☐ Find the type of Web Server
☐ Find the version details of the Web Server

5. Identifying Application’s Entry Points

☐ Identify what the methods used are?
☐ Identify where the methods used are?
☐ Identify the Injection point

4
6. Looking For Metafiles
☐ View the Robots.txt file
☐ View the Sitemap.xml file
☐ View the Humans.txt file
☐ View the Security.txt file

7. Review The Web Contents

☐ Inspect the page source for sensitive info
☐ Try to find Sensitive Javascript codes
☐ Try to find any keys
☐ Make sure the autocomplete is disabled

8. Map Application Architecture

☐ Map the overall site structure

9. Mapping Execution Paths

☐ Use Burp Suite
☐ Use Dirsearch
☐ Use Gobuster

CONFIGURATION & DEPLOYMENT MANAGEMENT TESTING

10. Test Network Configuration

☐ Check the network configuration
☐ Check for default settings
☐ Check for default credentials

11. Test Application Configuration

☐ Ensure only required modules are used
☐ Ensure unwanted modules are disabled
☐ Ensure the server can handle DOS
☐ Check how the application is handling 4xx & 5xx errors
☐ Check for the privilege required to run
☐ Check logs for sensitive info
5
12. Test File Extension Handling
☐ Ensure the server won’t return sensitive extensions
☐ Ensure the server won’t accept malicious extensions
☐ Test for file upload vulnerabilities

13. Enumerate Infrastructure & Admin Interfaces

☐ Try to find the Infrastructure Interface
☐ Try to find the Admin Interface
☐ Identify the hidden admin functionalities

14. Review Backup & Unreferenced Files

☐ Ensure unreferenced files don’t contain any sensitive info
☐ Ensure the namings of old and new backup files
☐ Check the functionality of unreferenced pages

15. Testing HTTP Methods

☐ Discover the supported methods
☐ Ensure the PUT method is disabled
☐ Ensure the OPTIONS method is disabled
☐ Test access control bypass
☐ Test for XST attacks
☐ Test for HTTP method overriding

16. Test HSTS

☐ Ensure HSTS is enabled

17. Test Cloud Storage

☐ Check the sensitive paths of AWS
☐ Check the sensitive paths of Google Cloud
☐ Check the sensitive paths of Azure

6
18. Test File Permission
☐ Ensure the permissions for sensitive files
☐ Test for directory enumeration

19. Test RIA Cross Domain Policy

☐ Check for Adobe’s Cross Domain Policy
☐ Ensure it has the least privilege

20. Test For Subdomain Takeover

☐ Test DNS, A, and CNAME records for subdomain takeover
☐ Test NS records for subdomain takeover
☐ Test 404 response for subdomain takeover

IDENTITY MANAGEMENT TESTING

21. Test User Registration Process

☐ Ensure the same user or identity can’t register again and again
☐ Ensure the registrations are verified
☐ Ensure disposable email addresses are rejected
☐ Check what proof is required for successful registration

22. Test Role Definitions

☐ Test for forced browsing
☐ Test for IDOR (Insecure Direct Object Reference)
☐ Test for parameter tampering
☐ Ensure low privilege users can’t able to access high privilege resources

7
23. Testing For Account Enumeration
☐ Check the response when a valid username and password entered
☐ Check the response when a valid username and an invalid password entered
☐ Check the response when an invalid username and password entered
☐ Ensure the rate-limiting functionality is enabled in username and password fields

24. Test Account Provisioning Process

☐ Check the verification for the provisioning process
☐ Check the verification for the de-provisioning process
☐ Check the provisioning rights for an admin user to other users
☐ Check whether a user is able to de-provision themself or not?
☐ Check for the resources of a de-provisioned user

25. Test For Weak Username Policy

☐ Check the response for both valid and invalid usernames
☐ Check for username enumeration

AUTHENTICATION TESTING

26. Test For Default Credentials

☐ Test with default credentials
☐ Test organization name as credentials
☐ Test for response manipulation
☐ Test for the default username and a blank password
☐ Review the page source for credentials

8
27. Test For Weak Lockout Mechanism
☐ Ensure the account has been locked after 3-5 incorrect attempts
☐ Ensure the system accepts only the valid CAPTCHA
☐ Ensure the system rejects the invalid CAPTCHA
☐ Ensure CAPTCHA code regenerated after reloaded
☐ Ensure CAPTCHA reloads after entering the wrong code
☐ Ensure the user has a recovery option for a lockout account

28. Test For Un-Encrypted Channel

☐ Check for the HTTP login page
☐ Check for the HTTP register or sign-in page
☐ Check for HTTP forgot password page
☐ Check for HTTP change password
☐ Check for resources on HTTP after logout
☐ Test for forced browsing to HTTP pages

29. Test For Vulnerable Remember Password

☐ Ensure that the stored password is encrypted
☐ Ensure that the stored password is on the server-side

30. Test For Browser Cache Weakness

☐ Ensure proper cache-control is set on sensitive pages
☐ Ensure no sensitive data is stored in the browser cache storage

9
31. Test For Weak Password Policy
☐ Ensure the password policy is set to strong
☐ Check for password reusability
☐ Check the user is prevented to use his username as a password
☐ Check for the usage of common weak passwords
☐ Check the minimum password length to be set
☐ Check the maximum password length to be set

32. Testing For Weak Security Questions

☐ Check for the complexity of the questions
☐ Check for brute-forcing

33. Test For Bypassing Authentication Schema

☐ Test forced browsing directly to the internal dashboard without login
☐ Test for session ID prediction
☐ Test for authentication parameter tampering
☐ Test for SQL injection on the login page
☐ Test to gain access with the help of session ID
☐ Test multiple logins allowed or not?

34. Test For Weak Password Reset Function

☐ Check what information is required to reset the password
☐ Check for password reset function with HTTP
☐ Test the randomness of the password reset tokens
☐ Test the uniqueness of the password reset tokens
☐ Test for rate limiting on password reset tokens
☐ Ensure the token must expire after being used
☐ Ensure the token must expire after not being used for a long time

10
35. Test For Weak Password Change Function
☐ Check if the old password asked to make a change
☐ Check for the uniqueness of the forgotten password
☐ Check for blank password change
☐ Check for password change function with HTTP
☐ Ensure the old password is not displayed after changed
☐ Ensure the other sessions got destroyed after the password change

36. Test For Weak Authentication In Alternative Channel

☐ Test authentication on the desktop browsers
☐ Test authentication on the mobile browsers
☐ Test authentication in a different country
☐ Test authentication in a different language
☐ Test authentication on desktop applications
☐ Test authentication on mobile applications

AUTHORIZATION TESTING

37. Testing Traversal With Encoding

☐ Test Traversal with Base64 encoding
☐ Test Traversal with URL encoding
☐ Test Traversal with ASCII encoding
☐ Test Traversal with HTML encoding
☐ Test Traversal with Hex encoding
☐ Test Traversal with Binary encoding
☐ Test Traversal with Octal encoding
☐ Test Traversal with Gzip encoding

38. Testing Directory Traversal File Include

☐ Identify the injection point on the URL
☐ Test for Local File Inclusion
☐ Test for Remote File Inclusion
☐ Test Traversal on the URL parameter
☐ Test Traversal on the cookie parameter

11
39. Testing Travesal With Different OS Schemes
☐ Test Traversal with Unix schemes
☐ Test Traversal with Windows schemes
☐ Test Traversal with Mac schemes

40. Test Authorization Schema Bypass

☐ Test for Horizontal authorization schema bypass
☐ Test for Vertical authorization schema bypass
☐ Test override the target with custom headers

41. Test For Insecure Direct Object Reference

☐ Test to change the ID parameter
☐ Test to add parameters at the endpoints
☐ Test for HTTP parameter pollution
☐ Test by adding an extension at the end
☐ Test with outdated API versions
☐ Test by wrapping the ID with an array
☐ Test by wrapping the ID with a JSON object
☐ Test for JSON parameter pollution
☐ Test by changing the case
☐ Test for path traversal
☐ Test by changing words
☐ Test by changing methods

42. Test For Privilege Escalation

☐ Identify the injection point
☐ Test for bypassing the security measures
☐ Test for forced browsing
☐ Test for IDOR
☐ Test for parameter tampering to high privileged user

12
SESSION MANAGEMENT TESTING

43. Test For Session Management Schema

☐ Ensure all Set-Cookie directives are secure
☐ Ensure no cookie operation takes place over an unencrypted channel
☐ Ensure the cookie can’t be forced over an unencrypted channel
☐ Ensure the HTTPOnly flag is enabled
☐ Check if any cookies are persistent
☐ Check for session cookies and cookie expiration date/time
☐ Check for session fixation
☐ Check for concurrent login
☐ Check for session after logout
☐ Check for session after closing the browser
☐ Try decoding cookies (Base64, Hex, URL, etc)

44. Test For Cookie Attributes

☐ Ensure the cookie must be set with the secure attribute
☐ Ensure the cookie must be set with the path attribute
☐ Ensure the cookie must have the HTTPOnly flag

45. Test For Session Fixation

☐ Ensure new cookies have been issued upon a successful authentication
☐ Test manipulating the cookies

46. Test For Exposed Session Variables

☐ Test for encryption
☐ Test for GET and POST vulnerabilities
☐ Test if GET request incorporating the session ID used
☐ Test by interchanging POST with GET method

47. Test For Back Refresh Attack

☐ Test after password change
☐ Test after logout

13
48. Test For Cross Site Request Forgery
☐ Check if the token is validated on the server-side or not
☐ Check if the token is validated for full or partial length
☐ Check by comparing the CSRF tokens for multiple dummy accounts
☐ Check CSRF by interchanging POST with GET method
☐ Check CSRF by removing the CSRF token parameter
☐ Check CSRF by removing the CSRF token and using a blank parameter
☐ Check CSRF by using unused tokens
☐ Check CSRF by replacing the CSRF token with its own values
☐ Check CSRF by changing the content type to form-multipart
☐ Check CSRF by changing or deleting some characters of the CSRF token
☐ Check CSRF by changing the referrer to Referrer
☐ Check CSRF by changing the host values
☐ Check CSRF alongside clickjacking

49. Test For Logout Functionality

☐ Check the logout function on different pages
☐ Check for the visibility of the logout button
☐ Ensure after logout the session was ended
☐ Ensure after logout we can’t able to access the dashboard by pressing the back button
☐ Ensure proper session timeout has been set

50. Test For Session Puzzling

☐ Identify all the session variables
☐ Try to break the logical flow of the session generation

51. Test For Session Timeout

☐ Ensure there is a session timeout exists
☐ Ensure after the timeout, all of the tokens are destroyed

52. Test For Session Hijacking

☐ Test session hijacking on target that doesn’t has HSTS enabled
☐ Test by login with the help of captured cookies

14
INPUT VALIDATION TESTING

53. Test For Reflected Cross Site Scripting

☐ Ensure these characters are filtered <>’’&””
☐ Test with a character escape sequence
☐ Test by replacing < and > with HTML entities &lt; and &gt;
☐ Test payload with both lower and upper case
☐ Test to break firewall regex by new line /r/n
☐ Test with double encoding
☐ Test with recursive filters
☐ Test injecting anchor tags without whitespace
☐ Test by replacing whitespace with bullets
☐ Test by changing HTTP methods

54. Test For HTTP Parameter Pollution

☐ Identify the backend server and parsing method used
☐ Try to access the injection point
☐ Try to bypass the input filters using HTTP Parameter Pollution

55. Test For Stored Cross Site Scripting

☐ Identify stored input parameters that will reflect on the client side
☐ Look for input parameters on the profile page
☐ Look for input parameters on the shopping cart page
☐ Look for input parameters on the file upload page
☐ Look for input parameters on the settings page
☐ Look for input parameters on the forum, comment page
☐ Test uploading a file with XSS payload as its file name
☐ Test with HTML tags

15
56. Test For SQL Injection
☐ Test SQL Injection on authentication forms
☐ Test SQL Injection on the search bar
☐ Test SQL Injection on editable characteristics
☐ Try to find SQL keywords or entry point detections
☐ Try to inject SQL queries
☐ Use tools like SQLmap or Hackbar
☐ Use Google dorks to find the SQL keywords
☐ Try GET based SQL Injection
☐ Try POST based SQL Injection
☐ Try COOKIE based SQL Injection
☐ Try HEADER based SQL Injection

57. Test For XPATH Injection

☐ Identify XPATH Injection point
☐ Test for XPATH Injection

58. Testing For XML Injection

☐ Check if the application is using XML for processing
☐ Identify the XML Injection point by XML metacharacter
☐ Construct XSS payload on top of XML

59. Test For Command Injection

☐ Identify the Injection points
☐ Look for Command Injection keywords
☐ Test Command Injection using different delimiters
☐ Test Command Injection with payload list
☐ Test Command Injection with different OS commands
60. Test For Local File Inclusion
☐ Look for LFI keywords
☐ Try to change the local path
☐ Use LFI payload list
☐ Test LFI by adding a null byte at the end

16
61. Test For Remote File Inclusion
☐ Look for RFI keywords
☐ Try to change the remote path
☐ Use RFI payload list

62. Test For Format String Injection

☐ Identify the Injection points
☐ Use different format parameters as payloads
☐ Assess the injection impact

63. Test For Host Header Injection

☐ Test for HHI by changing the real Host parameter
☐ Test for HHI by adding X-Forwarded Host parameter
☐ Test for HHI by swapping the real Host and X-Forwarded Host parameter
☐ Test for HHI by adding two Host parameters
☐ Test for HHI by adding the target values in front of the original values
☐ Test for HHI by adding the target with a slash after the original values
☐ Test for HHI with other injections on the Host parameter
☐ Test for HHI by password reset poisoning

64. Test For LDAP Injection

☐ Use LDAP search filters
☐ Try LDAP Injection for access control bypass

65. Test For IMAP SMTP Injection

☐ Identify IMAP SMTP Injection point
☐ Understand the data flow
☐ Understand the deployment structure of the system
☐ Assess the injection impact

17
66. Test For Server Side Reqest Forgery
☐ Look for SSRF keywords
☐ Search for SSRF keywords only under the request header and body
☐ Identify the Injection points
☐ Test if the Injection points are exploitable
☐ Assess the injection impact

67. Test For Server Side Includes

☐ Use Google dorks to find the SSI
☐ Construct RCE on top of SSI
☐ Construct other injections on top of SSI
☐ Test Injecting SSI on login pages, header fields, referrer, etc

68. Test For Server Side Template Injection

☐ Identify the Template injection vulnerability points
☐ Identify the Templating engine
☐ Use the tplmap to exploit

ERROR HANDLING TESTING

69. Test For Improper Error Handling

☐ Identify the error output
☐ Analyze the different outputs returned
☐ Look for common error handling flaws
☐ Test error handling by modifying the URL parameter
☐ Test error handling by uploading unrecognized file formats
☐ Test error handling by entering unrecognized inputs
☐ Test error handling by making all possible errors

18
WEAK CRYPTOGRAPHY TESTING

70. Test For Weak Transport Layer Security

☐ Test for DROWN weakness on SSLv2 protocol
☐ Test for POODLE weakness on SSLv3 protocol
☐ Test for BEAST weakness on TLSv1.0 protocol
☐ Test for FREAK weakness on export cipher suites
☐ Test for Null ciphers
☐ Test for NOMORE weakness on RC4
☐ Test for LUCKY 13 weakness on CBC mode ciphers
☐ Test for CRIME weakness on TLS compression
☐ Test for LOGJAM on DHE keys
☐ Ensure the digital certificates should have at least 2048 bits of key length
☐ Ensure the digital certificates should have at least SHA - 256 signature algorithm
☐ Ensure the digital certificates should not use MDF and SHA - 1
☐ Ensure the validity of the digital certificate
☐ Ensure the minimum key length requirements
☐ Look for weak cipher suites

BUSINESS LOGIC TESTING

71. Test For Business Logic

☐ Identify the logic of how the application works
☐ Identify the functionality of all the buttons
☐ Test by changing the numerical values into high or negative values
☐ Test by changing the quantity
☐ Test by modifying the payments
☐ Test for parameter tampering

72. Test For Malicious File Upload

☐ Test malicious file upload by uploading malicious files
☐ Test malicious file upload by putting your IP address on the file name
☐ Test malicious file upload by right to left override
☐ Test malicious file upload by encoded file name
☐ Test malicious file upload by XSS payload on the file name
☐ Test malicious file upload by RCE payload on the file name
19
☐ Test malicious file upload by LFI payload on the file name
☐ Test malicious file upload by RFI payload on the file name
☐ Test malicious file upload by SQL payload on the file name
☐ Test malicious file upload by other injections on the file name
☐ Test malicious file upload by Inserting the payload inside of an image by the bmp.pl tool
☐ Test malicious file upload by uploading large files (leads to DOS)

CLIENT SIDE TESTING

73. Test For URL Redirect

☐ Look for URL redirect parameters
☐ Test for URL redirection on domain parameters
☐ Test for URL redirection by using a payload list
☐ Test for URL redirection by using a whitelisted word at the end
☐ Test for URL redirection by creating a new subdomain with the same as the target
☐ Test for URL redirection by XSS
☐ Test for URL redirection by profile URL flaw

74. Test For Cross Origin Resource Sharing

☐ Look for “Access-Control-Allow-Origin” on the response
☐ Use the CORS HTML exploit code for further exploitation

75. Test For Clickjacking

☐ Ensure “X-Frame-Options” headers are enabled
☐ Exploit with iframe HTML code for POC

76. Test For DOM Based Cross Site Scripting

☐ Try to identify DOM sinks
☐ Build payloads to that DOM sink type

20
OTHER COMMON ISSUES

77. Test For No-Rate Limiting

☐ Ensure rate limiting is enabled
☐ Try to bypass rate limiting by changing the case of the endpoints
☐ Try to bypass rate limiting by adding / at the end of the URL
☐ Try to bypass rate limiting by adding HTTP headers
☐ Try to bypass rate limiting by adding HTTP headers twice
☐ Try to bypass rate limiting by adding Origin headers
☐ Try to bypass rate limiting by IP rotation
☐ Try to bypass rate limiting by using null bytes at the end
☐ Try to bypass rate limiting by using race conditions

78. Test For Broken Link Hijack

☐ Ensure there is no broken links are there
☐ Test broken links by using the blc tool

79. Test For EXIF Geodata

☐ Ensure the website is striping the geodata
☐ Test with EXIF checker

80. Test For SPF

☐ Ensure the website is having SPF record
☐ Test SPF by nslookup command

21
81. Test For Weak 2FA
☐ Try to bypass 2FA by using poor session management
☐ Try to bypass 2FA via the OAuth mechanism
☐ Try to bypass 2FA via brute-forcing
☐ Try to bypass 2FA via response manipulation
☐ Try to bypass 2FA by using activation links to login
☐ Try to bypass 2FA by using status code manipulation
☐ Try to bypass 2FA by changing the email or password
☐ Try to bypass 2FA by using a null or empty entry
☐ Try to bypass 2FA by changing the boolean into false
☐ Try to bypass 2FA by removing the 2FA parameter on the request

82. Test For Weak OTP Implementation

☐ Try to bypass OTP by entering the old OTP
☐ Try to bypass OTP by brute-forcing
☐ Try to bypass OTP by using a null or empty entry
☐ Try to bypass OTP by response manipulation
☐ Try to bypass OTP by status code manipulation

" It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it."
— Stephane Nappo

Secure Your Business with Byte Capsule – International Award Winner & ISO 27001 Accredited
Cybersecurity Startup.

✔️ Who Can Benefit?

- Enterprises: Protect sensitive data, maintain compliance, and avoid costly breaches.
- Startups: Build a secure foundation for your business from day one.
- Financial Institutions: Safeguard customer data and meet regulatory requirements.
- E-Commerce Platforms: Ensure secure transactions and protect customer trust.
- Government Agencies: Strengthen national security and protect critical infrastructure.

✔️ Ready to Secure Your Business?

Don’t wait for a breach to happen. Partner with Byte Capsule to proactively identify and address
vulnerabilities before they can be exploited.
.
📣 Contact Us Today:
📞 Call: 01796934898
📧 Email: [email protected]
📍 Location: 15 Indira Road (Level 4), Farmgate, Dhaka - 1215, Bangladesh.

22