Home

Web Application Security Assessment Methodology by @tannerprynn

Also: Google Sheets version for test tracking

Table of Contents

1. Discovery
   • Background
     • Documentation
     • Application roles and access
     • Source code
   • Application Mapping
     • Traffic and usage
     • Spidering
     • Client-side protections
2. Configuration
   • Network Configuration
     • Non-web applications and alternate endpoints
     • TLS configuration
     • Certificate Validity
     • Mutual TLS
   • Dependencies and patching
   • Infrastructure
     • Administrative endpoints
     • Firewalls
   • Global Web Application Configuration
     • Cookie security
     • Security headers
     • Content-Type
3. Design
   • User Data and Privacy
     • Encryption
     • Metadata and tracking
   • Development Practices
     • Dead code
     • Information disclosure
     • Application secrets
     • Backdoors
     • Logging and Monitoring
   • Information Disclosure
     • Error handling
     • Client requests
     • Server responses
4. Authentication
   • Login, Identity, and Account Management
     • Missing authentication checks
     • Credential handling
     • Password hashing
     • Password strength
     • Password reset
     • Account management
     • Multi-stage or multi-factor authentication
     • Impersonation
     • Single-Sign On
   • Session Management
     • Implementation
     • Session token predictability
     • Session token invalidation
     • Session fixation
     • Session token disclosure
5. Authorization
   • Horizontal Authorization
     • Cross-account attacks
     • Cross-organization attacks
     • Insecure direct object references
   • Vertical Authorization
     • Cross-role attacks
     • Privilege escalation
   • Logical Authorization
   • Business logic bypasses
   • Rate limiting
6. Frontend Attacks
   • Cross Site Scripting
     • Reflected XSS
     • Stored XSS
     • DOM XSS
     • Content-Type confusion
   • Cross Site Requests
     • CSRF
     • CORS
     • Websockets
     • Window.postMessage()
   • Miscellaneous
     • Email content injection
     • Framing and clickjacking
7. Input Handling
   • Injection
     • SQL injection
     • NoSQL injection
     • OS command injection
     • Template injection
   • Unsafe Functions
     • Eval()
     • Unsafe deserialization
   • File Handling
     • Path traversal
     • File write
     • File read
     • File inclusion
     • Filesystem permissions
     • Processing and conversion
   • Format-Specific Issues
     • XML external entities
     • CSV command injection
     • Archive decompression
     • Network communication
   • Data Validation and Bypasses
     • Input allowlisting
     • Input denylisting
     • Input sanitization
   • Other
     • Denial of Service
     • HTTP request smuggling
     • HTTP response splitting
8. Cryptography
   • Data Validation and Bypasses
     • Unauthenticated ciphertext
     • Weak block cipher mode
     • Initialization vectors: reuse or predictability
   • Vulnerabilities in Cryptographic Primitives
     • Lack of parameter validation
     • Insecure randomness
     • Weak hash