The Ultimate Pentest Checklist for Full-Stack Security

Introduction

Penetration testing has become one of the most effective offensive security measures to identify and assess vulnerabilities across both internal and external attack surfaces. Traditional pentesting methods have certainly evolved and penetration testing services are now widely used to help fortify an organization’s security posture.

Pentesting is carried out by certified security experts who simulate real-world attacks to identify vulnerabilities for assessment and mitigation within a specific scope. These tests are based on detailed pentest checklists that are tailored by asset (e.g., web applications, network, APIs, etc.) and act as a guide for the pentest process, ensuring standardized frameworks are used and testing adheres to applicable compliance requirements.

To better understand pentesting, below are the different methods of penetration testing, which vary in delivery model, scalability, and frequency of testing, followed by pentest checklists by asset type.

Delivery Models

1. Traditional Penetration Testing

Typically performed manually by a team of certified pentesting experts over a fixed period (often a few days or weeks). The engagement is project-based with a final report delivered upon completion of testing.

  • Frequency: Usually performed on a periodic basis, such as annually or semi-annually, as part of compliance requirements or security audits.
  • Scalability: Limited in scalability due to the manual effort required by human testers and the one-off nature of the engagement.
  • Advantage: Deep analysis, thorough testing tailored to specific security requirements, and direct engagement with pentest experts.
  • Challenges: Fixed time frame and limited scope of assessment, which can leave gaps between tests.

2. Penetration Testing as a Service (PTaaS)

PTaaS is a cloud-based model that offers ongoing penetration testing services, often integrated with platforms that provide real-time reporting and collaboration. It combines automated tools with human-led expertise.

  • Frequency: A more proactive approach that allows for continuous or more frequent detection and handling of vulnerabilities as they emerge.
  • Scalability: Highly scalable, as it leverages automation, cloud infrastructure, and hybrid models (automated testing with human validation), enabling rapid testing of multiple assets across different environments.
  • Advantage: Scalable, on-demand accessibility, hybrid efficiency, convenience, provides real-time insights, and allows for ongoing security testing.

3. Automated or Continuous Penetration Testing

Uses automation to continuously monitor and test systems for vulnerabilities and is often integrated with tools that run periodic scans.

  • Frequency: Provides ongoing or continuous assessments rather than periodic tests. Can be used for ongoing pentesting to validate security measures and/or to uncover new vulnerabilities as they emerge.
  • Scalability: Highly scalable, as it leverages automation enabling rapid testing of multiple assets across different environments.
  • Advantage: Efficient for frequent testing of repetitive tasks or enterprises in high computing environments, cost-effective, and ideal for covering large attack surfaces and complex IT infrastructures.
  • Challenges: Limited in identifying complex vulnerabilities and unique attack paths that require human intuition.

4. Human-led Penetration Testing

A manual and well-scoped process where certified pentest experts simulate realistic attack scenarios and TTPs, focusing on complex vulnerabilities that automated tools may miss.

  • Frequency: Relies on a human-driven approach whereby certified pentest experts explore potential attack vectors. Frequency is usually project-led and periodic.
  • Scalability: Highly customized to the enterprise’s unique environment and assets. However, limited scalability due to the manual effort required by human testers.
  • Advantage: In-depth analysis, greater flexibility, and a high success rate in discovering sophisticated vulnerabilities.
  • Challenges: Can be more time-consuming and costly than automated methods.

Pentest Checklist Across Your Attack Surface

High-Level Pentest Checklist

Creating a detailed pentest checklist is essential for performing thorough and effective security assessments. This first checklist is a general but expanded checklist that offers a structured approach to ensure both enterprises and pentesters cover all critical areas when evaluating cybersecurity defenses.

  1. Set Clear Objectives and Define Scope
    • Clarify Goals: Set concise objectives for the pentest engagement, such as identifying weaknesses in specific assets, satisfying a compliance or security audit, or post-incident reconnaissance.
    • Define Scope: Specify the systems, networks, and applications that will be tested, including the type of testing (e.g., black box, white box, gray box) for each asset.
    • Establish Boundaries: Set parameters to avoid disrupting operations, such as not testing certain assets or limiting tests to outside business hours.

  2. Assemble Penetration Testing Team
    • Build a Skilled Team: Include certified professionals with diverse expertise, such as network, application security, or social engineering specialists.
    • Check Credentials: Ensure pentest experts have relevant certifications like CREST, OSCP, OSWE, CEH, or CISSP, along with hands-on experience.

  3. Obtain Necessary Approvals
    • Get Formal Authorization: Secure written consent from stakeholders detailing and agreeing upon the scope, objectives, and limitations of the test to ensure legal compliance.
    • Document Process: Record all stages of the approval process, including discussions and any agreed-upon conditions. If using a third-party pentesting provider, the scope and process should be documented and signed off on.

  4. Information Gathering
    • Analyze Targets: Gather comprehensive information about the infrastructure, including hardware, software, network design, and configurations.
    • Use OSINT: Apply open-source intelligence techniques to gather additional insights into the enterprise’s online presence and potential weak points.

  5. Generating a Pentest Roadmap
    • Attack Surface Management: Run automated scans using tools such as Nessus or OpenVAS to identify vulnerabilities, focusing on identifying issues without manual input to create a preliminary roadmap for penetration testing.
    • Validate Findings: Results from these scans can be validated to rule out false positives, understand the real context and impact of each potential vulnerability, and categorize by severity to provide a clear roadmap for penetration testing.

  6. Create a Threat Model
    • Identify Potential Threats: Review recent attacks and TTPs, and consider likely attackers, from opportunistic hackers to targeted, sophisticated entities, along with their motivations and likely attack paths.
    • Map Attack Vectors: Prioritize the possible ways an attacker could breach an enterprise based on its environment and the current threat landscape.

  7. Simulate Attacks
    • Follow a Structured Approach: Conduct attacks systematically, attempting to exploit weaknesses, bypass controls, and gain higher privileges where possible.
    • Adhere to Ethical Standards: Ensure testing is conducted by certified experts, following standardized frameworks and compliance standards, to minimize risks to systems and data.

  8. Gather Data and Analyze Results
    • Capture Evidence: Collect thorough evidence for each attack, such as proofs of concept (POCs) via screenshots and potential attack paths for each domain and its associated subdomains and IPs.
    • Assess Impact: Evaluate the consequences or impact of each vulnerability, including potential data breaches, system compromise, and operational disruption, and prioritize findings by risk severity and potential impact.

  9. Prepare and Deliver Reports
    • Document Findings: Provide a detailed report on each vulnerability and technical descriptions, POCs, risk severity, potential impact, and remediation recommendations.
    • Prioritization: Pentest providers will work with the enterprise to rank vulnerabilities based on risk and develop a plan for remediation in line with available resources.

  10. Support Remediation Efforts
    • Actionable Mitigation: Present clear recommendations on how to mitigate each issue based on severity and impact.
    • Retesting: Verify the effectiveness of remediation by conducting a follow-up pentest to ensure issues have been resolved.

  11. Communicate with Stakeholders
    • Present Results: Share findings by telling the story of the impact if no action is taken. This is a much more effective strategy than providing a laundry list of vulnerabilities. Summarize key risks and actions for non-technical stakeholders.
    • Foster Dialogue: Engage in discussions to address any concerns or questions about reporting and remediation efforts.

Pentest Checklists Across Different Assets

Before pentesting begins, it is important to understand how test results are defined across the different pentest checklists, as follows:

Tested – Vulnerability Found: This states that a vulnerability was identified by the check performed, and the finding name is mapped for easier reference.

Tested – No Vulnerability Found: This states that the pentesting expert performed the stated check or test and did not identify the vulnerability. This demonstrates that the security check and/or malicious activity did not impact the intended functionality.

Not Applicable: The pentesting expert attempted the test, but it could not be performed for reasons including, but not limited to:

  • Functionality not available in the application,
  • User role doesn’t have access to this functionality etc.

Network Pentest Checklist

Network pentesting plays a critical role in strengthening an enterprise’s security posture. It entails a thorough assessment of the network to uncover potential weaknesses and entry points that cyber criminals could exploit. Below is a detailed checklist of the primary stages involved in conducting network pentesting using various frameworks such as OWASP Top 10 and OWASP-ASVS.

External Network Penetration Test: Black Box

The adversary is trying to gather information to be used for future operations. Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel.

  1. Information Gathering

    Open Ports:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security: By using industry-standard tooling and proprietary technologies, scans are performed to identify if a host is reachable.

      • Tested – Vulnerability Found
      • Vulnerability Name – Open Network Ports Found on Server

    Filtered Ports:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security: By analyzing the banners, attackers can determine the operating system and software versions running on the target system which can provide valuable information for planning further attacks or exploits.

      • Tested – Vulnerability Found
      • Vulnerability Name – Filtered/Closed Network Ports Found on Server

    Host Down:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security: Server software version disclosure is the process of revealing the specific software versions and configuration details of a web server.

      • Not applicable

    Banner Grabbing:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security: After identifying various system versions, check to see if these versions have any known vulnerabilities.

      • Tested – Vulnerability Found
      • Vulnerability Name – Banner Grabbing Possible

    Server Software Version Disclosed:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security: Through various techniques and technologies, identify and showcase Heartbleed, POODLE, BEAST, CRIME, DROWN, FREAK, Logjam, and other various misconfigurations with the SSL protocol.

      • Tested – Vulnerability Found
      • Vulnerability Name – Server Software Version(s) Disclosed

    Vulnerable Version:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security: Through various techniques and technologies, identify and showcase weak SSH keys, weak encryption ciphers, and other various misconfigurations and CVEs.

      • Tested – No Vulnerability Found

  2. Generic Security Findings

    SSL Based Vulnerabilities/Configurations:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security: Through various techniques and technologies, attempt to identify issues like anonymous access, plain text transmission, weak brute-forceable authentication, and other various CVEs and misconfigurations.

      • Tested – Vulnerability Found
      • Vulnerability Name – Server supports weak Diffie-Hellman moduli for SSL/TLS Connections (Logjam)

    SSH Based Vulnerabilities and Configurations:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: 1.9.2 Communications Architecture

      • Not Applicable

  3. Service-Based Testing

    FTP – 21:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security: Through various techniques and technologies, attempt to identify issues like EternalBlue, SMB relay attacks, MitM-based attacks, SMB1 protocol vulnerabilities, and other various CVEs and misconfigurations.

      • Not Applicable

    LDAP – 389:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security: Through various techniques and technologies, attempt to identify issues like weak encryption ciphers, weak authentication, SSH key weaknesses, and other various vulnerabilities and misconfigurations.

      • Tested – Vulnerability Found
      • Vulnerability Name – Eternal Blue

    SMB – 139,445:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security: Approach web applications in a network pentest by attempting exploits like default credentials, identifying sensitive files, known CVEs, and hardcoded information.

      • Not Applicable

    SSH – 22:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security: Look for misconfigurations, injections, anonymous access, and other various issues that can compromise a Redis server.

      • Tested – Vulnerability Found
      • Vulnerability Name – SSH Weak Encryption Algorithms Supported

    HTTP – 80,443,8080:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security: Attempt anonymous access/known vulnerabilities against each kind of database. This includes, but is not limited to, MySQL, MongoDB, PostgreSQL, and other such instances.

      • Tested – No Vulnerability Found

    Redis – 6379:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security

      • Tested – No Vulnerability Found

    Databases:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security

      • Not Applicable

    Others:

    • OWASP: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: V11.1 Business Logic Security

      • Tested – No Vulnerability Found

Web Application Pentest Checklist

Pentesting for web applications is one of the most common asset types tested for potential vulnerabilities. This thorough process replicates the strategies used by attackers to expose weak entry points that can be exploited. Below is a comprehensive pentest checklist of the steps involved in web application pentesting using various frameworks such as OWASP Top 10 and OWASP-ASVS and authentication methods such as OAuth.

Web Application Pentest Checklist: Gray Box

The adversary is trying to gather information they can use to plan future operations. Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel.

  1. User Authentication

    Lacking Redirect from HTTP to HTTPS:

    • OWASP: OWASP Top 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS 9.1.1 Client Communication Security: Test whether the application redirects when directly navigating to the HTTP (port 80) version of the application.

      • Tested – Vulnerability Found
      • Vulnerability Name – Lacking Redirect from HTTP to HTTPS

    Bypassing Authentication:

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS 1.4 Access Control Architecture: Combination of various attacks to bypass the login (including MFA bypass)

      • Not Applicable

    Weak Password Policy:

    • OWASP: OWASP Top 10: A07:2021 – Identification and Authentication Failures
    • OWASP-ASVS: OWASP ASVS 2.1 Password Security: Check for the use of weak password policies in any component where passwords can be set by attempting to reset or change the password to one in short length or without numbers or special characters. This can include passwords generated during user creation, within password resets or forgot password functionality, and change password functionality.

      • Tested – Vulnerability Found
      • Vulnerability Name – Weak Password Policy

    Broken Password Reset:

    • OWASP: OWASP Top 10: A07:2021 – Identification and Authentication Failures
    • OWASP-ASVS: OWASP ASVS 2.1 Password Security: Attempt password reset based attacks, password reset link interception, token or code enumeration, insecure transmission, insecure storage.

      • Tested – Vulnerability Found
      • Vulnerability Name – Broken Password Reset

    User Enumeration:

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS 4.1.3 General Access Control Design: Attempt JWT based attacks, focused on signature verification, brute forcing, algorithm substitution, token tampering, replay attacks, and NONE algorithm-based attacks.

      • Tested – Vulnerability Found
      • Vulnerability Name – User Enumeration

    JWT Attacks:

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS 4.1.3 General Access Control Design: Attempt OAuth based attacks, authorization bypass, CSRF, authorization code leakage, token hijacking, token enumeration, token replay attacks.

      • Not Applicable

    OAuth Attacks:

    • OWASP: OWASP Top 10: A07:2021 – Identification and Authentication Failures
    • OWASP-ASVS: OWASP ASVS 1.1.1 Secure Software Development Lifecycle: Attempt to send a large number of requests, whether login requests (Login Brute Forcing), or sending thousands of password reset emails (Rate-limiting).

      • Tested – No Vulnerability Found

    Rate Limiting/Login Brute Force:

    • OWASP: OWASP Top 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS 4.2.1 Operation Level Access Control: Target access control related issues, specifically targeting functionalities with some type of id number necessary to access given data.

      • Tested – Vulnerability Found
      • Vulnerability Name – No Rate Limiting

  2. Authorization Testing

    Insecure Direct Object References (IDOR):

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS 1.4 Access Control Architecture: Attempt to access functionality beyond current role’s ability. For example, a typical user creating a user, which is an admin functionality only. Or a user being able to view another user’s information, which normally is private.

      • Not Applicable

    Access Control/Missing Function Level Access Control:

    • OWASP: OWASP Top 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS 4.2.2 Operation Level Access Control: By utilizing an outside application, an attacker attempts to execute unwanted actions on behalf of a victim user who is already authenticated in a target web application.

      • Tested – No Vulnerability Found

    Cross-Site Request Forgery:

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS 3.3.3 Session Termination: The application doesn’t renew the cookie after successful user authentication.

      • Not Applicable

    Server-Side Request Forgery (SSRF):

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS 3.3.3 Session Termination: SSRF attack involves an attacker abusing server functionality to access or modify resources. The attacker targets an application that supports data imports from URLs or allows them to read data from URLs.

      • Tested – No Vulnerability Found

  3. Input Testing

    Session Fixation:

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS 3.3.3 Session Termination: Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the vulnerable web application manages the session ID.

      • Tested – No Vulnerability Found
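As an added example that is not part of the original checklist, the property this item tests for (whether the session ID issued before login is still valid after authentication), shown as an in-memory session store with a non-rotating login path beside a rotating one, plus the check a tester runs against either; SessionStore and its method names are assumed for the demo:

```python
"""Session-fixation check (added example, not the page's own code).

A minimal server-side session table with two login paths: one that upgrades
the pre-authentication session in place (the defect the checklist looks for)
and one that discards it and issues a fresh ID. SessionStore and its method
names are assumed for this demo.
"""
from __future__ import annotations

import secrets
from typing import Callable, Optional


class SessionStore:
    """Session table keyed by the cookie value; the value is the logged-in user."""

    def __init__(self) -> None:
        self._sessions: dict[str, Optional[str]] = {}

    def start_anonymous(self) -> str:
        """Issued on first visit, before any credentials are presented."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def login_vulnerable(self, sid: str, username: str) -> str:
        """Marks the existing session as authenticated without changing its ID.

        Whoever learned the ID before login now holds an authenticated session.
        """
        if sid not in self._sessions:
            raise KeyError("unknown session")
        self._sessions[sid] = username
        return sid

    def login_hardened(self, sid: str, username: str) -> str:
        """Invalidates the pre-auth session and binds the user to a new ID."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = username
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)


def session_id_rotated_on_login(store: SessionStore,
                                login: Callable[[str, str], str]) -> bool:
    """The checklist test: record the cookie before login, authenticate, then
    confirm a different ID was issued and the old one no longer works."""
    before = store.start_anonymous()
    after = login(before, "alice")
    return (after != before
            and store.user_for(before) is None
            and store.user_for(after) == "alice")


def run_checks() -> dict[str, bool]:
    """Runs the check against both login paths on separate stores."""
    vulnerable = SessionStore()
    hardened = SessionStore()
    return {
        "vulnerable_rotates": session_id_rotated_on_login(vulnerable, vulnerable.login_vulnerable),
        "hardened_rotates": session_id_rotated_on_login(hardened, hardened.login_hardened),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```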

    Improper Session Handling:

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS 3.3.3 Session Termination: Vulnerability that occurs when the application fails to properly handle user sessions. Attackers can exploit this vulnerability to hijack user sessions, gain unauthorized access, steal sensitive data, or perform other malicious actions.

      • Tested – No Vulnerability Found

    Reflected Cross Site Scripting (XSS):

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 5.2.7 Sanitization and Sandboxing: Check for input validation, specifically targeting values in situations like GET parameters that can be used to cause reflection on the given pages. Next, enter various XSS payloads to attempt reflected XSS.

      • Tested – Vulnerability Found
      • Vulnerability Name – Reflected Cross Site Scripting (XSS)

    DOM Cross Site Scripting (XSS):

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 14.3.3 Unintended Security Disclosure: Check for input validation, specifically targeting any form of input (URL based, parameter based, etc.) that can be processed within the JavaScript DOM. Next, submit various XSS payloads and attempt to bypass any existing sanitization.

      • Not Applicable

    Stored Cross Site Scripting (XSS):

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 5.2.7 Sanitization and Sandboxing: Check for input validation, specifically targeting values that get stored in the application’s database/memory, and attempt to add XSS-based payloads to see if they remain unsanitized or can bypass the sanitization process.

      • Tested – No Vulnerability Found

    DOM-based Client-Side JSON Injection:

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 14.3.3 Unintended Security Disclosure: Use various techniques to break out or modify JSON to break the web application’s interface or bypass logical functions within the application.

      • Not Applicable

    HTTP Verb Tampering:

    • OWASP: OWASP Top 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS 5.4.2 Memory, String, and Unmanaged Code: Utilize various HTTP verbs to attempt to bypass security controls and identify various situations of application function outside of its normal scope.

      • Tested – No Vulnerability Found

    HTTP Parameter Pollution:

    • OWASP: OWASP Top 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS 5.4.2 Memory, String, and Unmanaged Code: Inject multiple variations of the same parameter to potentially override the parameter in a different context.

      • Not Applicable

    SQL Injection:

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 5.3.5 Output Encoding and Injection Prevention: Utilize various techniques to perform Blind, Boolean, Error based SQL injection attacks and attempt to bypass situations like login pages, search restrictions, etc.

      • Tested – Vulnerability Found
      • Vulnerability Name – SQL Injection

    LDAP Injection:

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 5.3.5 Output Encoding and Injection Prevention: When user-supplied input is not properly sanitized or validated before being included in LDAP queries.

      • Not Applicable

    XML Injection (XXE):

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 5.1.5 Input Validation: When user-supplied input is not properly sanitized before being included in SSI directives.

      • Tested – No Vulnerability Found

    Server Side Include Injection (SSI):

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 5.3.5 Output Encoding and Injection Prevention: Attackers can exploit this vulnerability to inject malicious XPath queries that can manipulate or disclose sensitive data stored in an XML-based web application.

      • Tested – No Vulnerability Found

    XPath Injection:

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 5.3.5 Output Encoding and Injection Prevention: When user-supplied input is not properly sanitized or validated when constructing XPath queries.

      • Tested – No Vulnerability Found

    IMAP/SMTP Injection:

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 5.3.5 Output Encoding and Injection Prevention: Perform various injection-based attacks with the goal of embedding malicious code into the given application context.

      • Not Applicable

    Code Injection:

    • OWASP: OWASP Top 10: A07:2021 – Identification and Authentication Failures
    • OWASP-ASVS: OWASP ASVS 1.2.3 Authentication Architecture: When user-supplied input is not properly sanitized or validated before being included in IMAP or SMTP commands.

      • Tested – No Vulnerability Found

    Remote File Inclusion (RFI):

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 12.3.1 File Execution: Remote File inclusion can be exploited by injecting a remote file inclusion payload into the input fields, such as URL parameters or form fields. If the application includes the file specified in the payload, it may be vulnerable to RFI.

      • Not Applicable

    Local File Inclusion (LFI):

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS 1.1.1 Secure Software Development Lifecycle: Check for input validation and attempt to put known file paths for the assigned target. For example, /etc/passwd for Linux-based operating systems. This attack targets parameters/request fields that result in a lookup of some file or the inclusion of a page.

      • Tested – No Vulnerability Found

    Command Injection:

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 5.2.4 Sanitization and Sandboxing: Attack specific parameters and fields with arbitrary system commands. For example, using ICMP requests such as ping, echo, Fping, etc.

      • Tested – Vulnerability Found
      • Vulnerability Name – Command Injection

    HTTP Request Smuggling/Response Splitting:

    • OWASP: OWASP Top 10: A06:2021 – Vulnerable and Outdated Components
    • OWASP-ASVS: OWASP ASVS 5.1.5 Input Validation: Modify requests in a way that allows an attacker to manipulate the sequence and content of the requests, leading to various types of attacks such as bypassing security measures, data theft, or cross-site scripting (XSS).

      • Tested – No Vulnerability Found

    HTTP Cache Poisoning:

    • OWASP: OWASP Top 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS 5.4.2 Memory, String, and Unmanaged Code: Manipulate or inject malicious content into the cache of a web application or a user’s web browser.

      • Not Applicable

    Open Redirect:

    • OWASP: OWASP Top 10: A10:2021 – Server-Side Request Forgery (SSRF)
    • OWASP: OWASP Top 10 A03:2021 Injection: Check parameters that seem to direct to a page navigation, URL, or any other type of possible redirection. This is often seen during authentication sequences.

      • Tested – No Vulnerability Found

    NoSQL Injection:

    • OWASP: OWASP Top 10: A10:2021 – Server-Side Request Forgery (SSRF)
    • OWASP-ASVS: OWASP ASVS 5.1.5 Input Validation: Target NoSQL-based databases utilizing various payloads to attempt to bypass login, take over user accounts, leak user information, etc.

      • Tested – No Vulnerability Found

    Missing Server-Side Validation:

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS 5.1 Input Validation: Check input validation to identify if any input allows for illogical data in the application context. For example, inserting a string of characters into a phone number field.

      • Tested – Vulnerability Found
      • Vulnerability Name – Missing Server-Side Validation

    HTML Injection:

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 4.1.3 General Access Control Design: Check for input validation in any scenario where normal reflected or stored XSS is possible. Instead of XSS-based payloads, utilize regular HTML tags like u, input, b, h1, etc.

      • Not Applicable

    Mass Assignment:

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS 5.1.2 Input Validation: Target parameters that are not directly used in the application but are often identified via the responses to various requests. Attempt to resend those parameters to override values the user normally cannot control. For example, a backend value is is_admin = false, but the profile update request is modified to contain is_admin = true.

      • Tested – Vulnerability Found
      • Vulnerability Name – Mass Assignment
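As an added example that is not part of the original checklist, the override this item describes (a backend is_admin = false flipped to true through the profile update request), shown as a handler that binds every submitted field beside an allow-listed handler that applies only permitted fields and reports the rest; User, PROFILE_WRITABLE and the function names are assumed for the demo:

```python
"""Mass-assignment demo (added example, not the page's own code).

A profile-update handler that binds every submitted field onto the user record,
beside an allow-listed version that applies only permitted fields and reports
the rest. User, PROFILE_WRITABLE and the function names are assumed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass
class User:
    """Constructed user record; is_admin is meant to be server-controlled only."""
    username: str
    email: str
    is_admin: bool = False


# Assumed policy: the only attribute a user may change about themselves.
PROFILE_WRITABLE = frozenset({"email"})


def update_profile_vulnerable(user: User, payload: dict[str, Any]) -> User:
    """Binds every key of the request body onto the record.

    Nothing checks which attributes the caller may set, so a body carrying
    "is_admin": true flips the privilege flag along with the email change.
    """
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_profile_hardened(user: User, payload: dict[str, Any]) -> tuple[User, list[str]]:
    """Applies only allow-listed keys; the rest are returned, not applied.

    Returning the rejected keys lets the caller log the attempted override,
    which is a useful detection signal, instead of silently dropping it.
    """
    rejected = sorted(key for key in payload if key not in PROFILE_WRITABLE)
    for key in PROFILE_WRITABLE:
        if key in payload:
            setattr(user, key, payload[key])
    return user, rejected


def demo() -> dict[str, Any]:
    """Runs both handlers on the same constructed request body."""
    # Constructed body: a legitimate email change plus the override the
    # checklist describes (backend is_admin = false, request sends true).
    body = {"email": "alice@example.test", "is_admin": True}

    vulnerable = update_profile_vulnerable(User("alice", "old@example.test"), dict(body))
    hardened, rejected = update_profile_hardened(User("alice", "old@example.test"), dict(body))
    return {
        "vulnerable_is_admin": vulnerable.is_admin,  # True: privilege escalated
        "hardened_is_admin": hardened.is_admin,      # False: override ignored
        "hardened_email": hardened.email,            # the permitted change applied
        "rejected_fields": rejected,                 # ["is_admin"]: worth alerting on
    }


if __name__ == "__main__":
    print(demo())
```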

    Origin Manipulation (CORS Misconfiguration):

    • OWASP: OWASP Top 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS 14.5.3 HTTP Security Headers: Changing the Origin header enables a potential bypass of the mitigation provided by a cross-origin policy response header.

      • Tested – No Vulnerability Found

    Server-Side Template Injection (SSTI):

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 5.2.7 Sanitization and Sandboxing: Utilize various SSTI payloads to see if back-end server is evaluating payloads when data is reflected.

      • Not Applicable

    Client-Side Template Injection (CSTI):

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 5.2.7 Sanitization and Sandboxing: Utilize various CSTI payloads to see if front-end application is evaluating payloads when data is reflected.

      • Tested – No Vulnerability Found

  4. File Based Attacks

    Arbitrary File Upload:

    • OWASP: OWASP Top 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS 12.2.1 File Integrity: Check if the application does not properly validate the file type or perform content checks. An attacker can upload a file that appears to be an image but is a web shell that can be used to execute arbitrary commands on the server.

      • Tested – No Vulnerability Found

    CSV Injection:

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 5.1.5 Input Validation: If the application does not properly sanitize the user input, an attacker can inject malicious code into the fields to execute commands on the victim’s system.

      • Tested – No Vulnerability Found

    Image Based XSS:

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 14.3.3 Unintended Security Disclosure: If the application does not properly sanitize the user input, an attacker can inject malicious JavaScript into a svg-based file, resulting in XSS when the file is stored.

      • Not Applicable

    Unsanitized File Upload:

    • OWASP: OWASP Top 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS 14.3.3 Unintended Security Disclosure: An attacker can upload a file that appears to be harmless but contains malicious code that can be used to execute arbitrary commands on the server. Check if these files persisted and stored within the application / server.

      • Tested – Vulnerability Found
      • Vulnerability Name – Unsanitized File Upload
  9. Error Handling
  10. Internal Server Error:

    • OWASP: OWASP Top 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS 5.3.5 Output Encoding and Injection Prevention: Utilize various methods (invalid parameters, XSS, SQLI, invalid characters, etc.) to attempt to cause a 500 internal server error.

      • Tested – Vulnerability Found
      • Vulnerability Name – Internal Server Error

    Stack Trace Disclosure:

    • OWASP: OWASP Top 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS 14.3.3 Unintended Security Disclosure: Utilize various methods (XSS, SQLI, invalid parameters, invalid characters, debug methods, etc.) to attempt to disclose a stack trace error message.

      • Tested – No Vulnerability Found
  11. Business Logic Testing
  12. Business Logic Vulnerability:

    • OWASP: OWASP Top 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS 1.11.3 Business Logic Architecture: A vulnerability that occurs when an attacker can manipulate the logical flow of an application’s business rules and processes to gain unauthorized access, steal data, or perform other malicious actions.

      • Tested – No Vulnerability Found
  13. Discovery/Recon
  14. HTML Comments:

    • OWASP: OWASP Top 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS 1.11.3 Business Logic Architecture: Identify HTML comments that contain sensitive or interesting information.

      • Tested – No Vulnerability Found

    API Keys:

    • OWASP: OWASP Top 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS 13.1.3 Generic Web Service Security: Identify hardcoded or environment-based API keys.

      • Tested – Vulnerability Found

    Hardcoded Credentials:

    • OWASP: OWASP Top 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS 13.1.3 Generic Web Service Security: Identify hardcoded credentials (Usernames, passwords, access tokens, etc.).

      • Tested – No Vulnerability Found

    Sensitive Files:

    • OWASP: OWASP Top 10: A06:2021 – Vulnerable and Outdated Components
    • OWASP-ASVS: OWASP ASVS 5.2.7 Sanitization and Sandboxing: Identify files that could contain sensitive data as well as files that may contain other information like source code or logs.

      • Tested – No Vulnerability Found

    JavaScript Map Files:

    • OWASP: OWASP Top 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS 1.11.3 Business Logic Architecture: Identify JavaScript files with .map extensions.

      • Tested – Vulnerability Found
      • Vulnerability Name – JavaScript Map Files

    Email Addresses:

    • OWASP: OWASP Top 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS 13.1.3 Generic Web Service Security: Identify disclosed email addresses (outside of what is expected for normal site functionality).

      • Tested – No Vulnerability Found

    Vulnerable/Outdated JS Libraries:

    • OWASP: OWASP Top 10: A06:2021 – Vulnerable and Outdated Components
    • OWASP-ASVS: OWASP ASVS 1.11.3 Business Logic Architecture: Identify the use of outdated and vulnerable JavaScript libraries/dependencies.

      • Tested – Vulnerability Found
      • Vulnerability Name – Outdated JS Libraries

API Pentest Checklist

An API pentest checklist ensures comprehensive coverage of potential vulnerabilities that could be exploited in an API. APIs are increasingly a target due to their critical role in enabling applications to communicate and exchange data. By following a checklist, pen testers can systematically assess security risks and ensure that every component of the API is tested for flaws using such common frameworks as the OWASP API Security Top 10, and authentication methods such as OAuth 2.0, JWT (JSON Web Token), API Keys, and others.

API Pentest Checklist: Gray Box

The adversary is trying to gather information they can use to plan future operations. Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel.

  1. User Authentication
  2. Lacking Redirect from HTTP to HTTPS:

    • OWASP: OWASP Top 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS 9.1.1 Client Communication Security: Test if the application redirects when navigating to the HTTP (port 80) variation of the application.

      • Tested – No Vulnerability Found

    Weak Password Policy

    • OWASP: OWASP Top 10: A07:2021 – Identification and Authentication Failures
    • OWASP-ASVS: OWASP ASVS: 2.1 Password Security: Check for the use of weak password policies in any place where passwords can be set or changed by attempting to change the password to one that is short in length or without numbers/special characters. This includes user creation and password reset flows.

      • Tested – Vulnerability Found
      • Vulnerability Name – Weak Password Policy

    Broken Password Reset

    • OWASP: OWASP Top 10: A07:2021 – Identification and Authentication Failures
    • OWASP-ASVS: OWASP ASVS: 2.1 Password Security: Attempt password-reset-based attacks: password reset link interception, token or code enumeration, insecure transmission, and insecure storage.

      • Not Applicable

    User Enumeration

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS: 4.1.3 General Access Control Design: Identify valid usernames/email addresses using common scenarios like on the login page and password reset. Also, target more complex scenarios like application functionality that can result in users being disclosed.

      • Tested – Vulnerability Found
      • Vulnerability Name – User Enumeration

    JWT Attacks

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS: 4.1.3 General Access Control Design: Attempt JWT attack based on signature verification, brute forcing, algorithm substitution, token tampering, replay attacks, and NONE algorithm based attacks.

      • Not Applicable
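As an added example (not code from the original checklist), a minimal HS256 verifier that pins the algorithm, checks the signature before trusting any claim and requires exp, run against the tampered token shapes the JWT item lists. The key, claims and clock value are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """Issuer side, present only so the demo has tokens to verify."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Dict[str, Any]:
    """Returns the claims of a valid token or raises ValueError.

    The expected algorithm is fixed here by the verifier and compared against
    the header; it is never taken from the token. That one rule defeats both
    alg "none" and algorithm-substitution tokens. The signature is checked
    (constant-time) before any claim is trusted, and exp is mandatory.
    """
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except Exception:
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    try:
        claims = json.loads(_b64url_decode(b))
    except Exception:
        raise ValueError("malformed claims")
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or current >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def verdict(token: str, key: bytes, now: float) -> str:
    try:
        verify_hs256(token, key, now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed key and clock for the demonstration.
KEY = b"constructed-demo-signing-key"
NOW = 1_700_000_000


def demo() -> Dict[str, str]:
    """Builds one valid token and the tampered variants a tester would send."""
    valid = mint_hs256({"sub": "alice", "role": "user", "exp": NOW + 600}, KEY)
    header, body, sig = valid.split(".")

    # Header swapped to alg "none", signature removed.
    alg_none = _b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + body + "."
    # Claims edited (role -> admin) while keeping the original signature.
    tampered_body = _b64url_encode(
        json.dumps({"sub": "alice", "role": "admin", "exp": NOW + 600}).encode())
    tampered = f"{header}.{tampered_body}.{sig}"
    # Correctly signed but past its expiry (replay of an old token).
    expired = mint_hs256({"sub": "alice", "role": "user", "exp": NOW - 1}, KEY)
    # Correctly formed but signed with a different (guessed) key.
    wrong_key = mint_hs256({"sub": "alice", "role": "admin", "exp": NOW + 600}, b"guess")

    return {
        "valid": verdict(valid, KEY, NOW),
        "alg_none": verdict(alg_none, KEY, NOW),
        "tampered": verdict(tampered, KEY, NOW),
        "expired": verdict(expired, KEY, NOW),
        "wrong_key": verdict(wrong_key, KEY, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```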

    OAuth Attacks

    • OWASP: OWASP Top 10: A07:2021 – Identification and Authentication Failures
    • OWASP-ASVS: OWASP ASVS: 1.1.1 Secure Software Development Lifecycle: Attempt OAuth based attacks, authorization bypass, CSRF, authorization code leakage, token hijacking, token enumeration, and token replay attacks.

      • Tested – Vulnerability Found
      • Vulnerability Name – OAuth Attacks

    Rate limiting/Login Brute Force

    • OWASP: OWASP Top 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS: 4.2.1 Operation Level Access Control: Attempt to send a large number of requests, whether login requests (login brute forcing) or thousands of password reset emails (rate limiting).

      • Tested – Vulnerability Found
      • Vulnerability Name – Rate limiting/Login Brute Force

    Directory Traversal

    • OWASP: OWASP Top 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS: 1.1.1 – Secure Software Development Lifecycle

      • Tested – No Vulnerability Found
  3. Authorization Testing
  4. Remote File Inclusion

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 12.3.1 File Execution: Target attacks on functionalities that include an outside application URL. This allows the inclusion of attacks like backdoors, malicious code, configuration files, etc.

      • Tested – Vulnerability Found
      • Vulnerability Name – Remote File Inclusion

    Local File Inclusion

    • OWASP: OWASP TOP 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS: 1.1.1 – Secure Software Development Lifecycle: Use various techniques by which an attacker can inject “../” or other such sequences to access files outside of the intended directory, such as configuration files that contain database credentials.

      • Tested – No Vulnerability Found

    Privilege Escalation

    • OWASP: OWASP TOP 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS: 4.2.2 Operation Level Access Control: Perform various attacks with the goal of vertical and horizontal privilege escalation.

      • Tested – Vulnerability Found
      • Vulnerability Name – Privilege Escalation

    Insecure Direct Object References (IDOR)

    • OWASP: OWASP TOP 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS: 1.4 Access Control Architecture: Target access control related issues, specifically those functionalities that use some type of ID number to access information.

      • Tested – Vulnerability Found
      • Vulnerability Name – Insecure Direct Object References (IDOR)
  5. Input Testing
  6. Access Control / Missing Function Level Access Control

    • OWASP: OWASP TOP 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS: 4.2.2 Operation Level Access Control: Attempt to access functionality beyond the current role ability, for example: a normal user creating a user, which is supposed to only be an admin functionality. Or one user being able to view another user’s information, which normally is private.

      • Tested – No Vulnerability Found

    Cross Site Request Forgery

    • OWASP: OWASP TOP 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS: 3.3.3 Session Termination: By utilizing an outside application, an attacker attempts to execute unwanted actions on behalf of a victim user who is already authenticated in a target web application.

      • Tested – Vulnerability Found
      • Vulnerability Name – Cross Site Request Forgery

    HTTP Verb Tampering

    • OWASP: OWASP TOP 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS: 5.4.2 – Memory, String, and Unmanaged Code: Utilize various HTTP verbs to attempt to bypass security controls and identify various situations of application function outside of its normal scope.

      • Tested – No Vulnerability Found

    HTTP Parameter Pollution

    • OWASP: OWASP TOP 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS: 5.4.2 – Memory, String, and Unmanaged Code: Inject multiple variations of the same given parameter to potentially override the parameter in different contexts.

      • Tested – Vulnerability Found
      • Vulnerability Name – HTTP Parameter Pollution

    SQL Injection

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 5.3.5 Output Encoding and Injection Prevention: Utilize various techniques to perform Blind, Boolean, Error-based SQL injection attacks attempting to bypass situations like login pages, search restrictions, etc.

      • Tested – Vulnerability Found
      • Vulnerability Name – SQL Injection

    LDAP Injection

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 5.3.5 Output Encoding and Injection Prevention: When user-supplied input is not properly sanitized or validated before being included in LDAP queries.

      • Tested – No Vulnerability Found

    XML Injection (XXE)

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 5.1.5 Input Validation: When user-supplied input is not properly sanitized or validated when constructing XPath queries.

      • Tested – Vulnerability Found
      • Vulnerability Name – XML Injection (XXE)

    Server Side Include Injection (SSI)

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 5.3.5 Output Encoding and Injection Prevention: When user-supplied input is not properly sanitized or validated before inclusion in SSI directives.

      • Tested – Vulnerability Found
      • Vulnerability Name – Server Side Include Injection (SSI)

    XPATH Injection

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 5.3.5 Output Encoding and Injection Prevention: Attackers can exploit this vulnerability to inject malicious XPath queries that can manipulate or disclose sensitive data stored in XML-based web applications.

      • Tested – Vulnerability Found
      • Vulnerability Name – XPATH Injection

    IMAP/SMTP Injection

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 5.3.5 Output Encoding and Injection Prevention: When user-supplied input is not properly sanitized or validated before inclusion in IMAP or SMTP commands.

      • Tested – Vulnerability Found
      • Vulnerability Name – IMAP/SMTP Injection

    Code Injection

    • OWASP: OWASP TOP 10: A07:2021 – Identification and Authentication Failures
    • OWASP-ASVS: OWASP ASVS: 1.2.3 Authentication Architecture: Perform various injection-based attacks with the goal of embedding malicious code into the application context.

      • Tested – No Vulnerability Found

    Remote File Inclusion (RFI)

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 12.3.1 File Execution: Remote File Inclusion can be exploited by injecting an RFI payload into the input fields, such as URL parameters or form fields. If the application includes the file specified in the payload, it may be vulnerable to RFI.

      • Tested – Vulnerability Found
      • Vulnerability Name – Remote File Inclusion (RFI)

    Local File Inclusion (LFI)

    • OWASP: OWASP TOP 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS: 1.1.1 – Secure Software Development Lifecycle: Check for input validation to attempt to input known file paths for the current system. For example, /etc/passwd for Linux-based operating systems. This attack targets parameters/request fields that result in a lookup of some file or the inclusion.

      • Tested – No Vulnerability Found

    Directory Traversal

    • OWASP: OWASP TOP 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS: 1.1.1 – Secure Software Development Lifecycle: An attacker can exploit this vulnerability by submitting specially crafted input, such as “../” or “../../”, to trick the web application into accessing files or directories outside of the intended directory.

      • Tested – Vulnerability Found
      • Vulnerability Name – Directory Traversal
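Added example (not from the checklist) for both the Local File Inclusion and Directory Traversal items: resolving a user-supplied file name under a fixed base directory and refusing anything that escapes it. The directory layout and probe names are constructed in a temporary folder.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def resolve_under(base_dir: str, user_path: str) -> Path:
    """Returns the absolute path for user_path inside base_dir, or raises.

    The containment check runs on the fully resolved path (symlinks
    followed, "." and ".." collapsed), so "../" sequences, absolute paths
    and symlinks pointing outside the tree are all caught by the same
    comparison. Decode any URL encoding before calling this; "%2e%2e/"
    must not reach it raw.
    """
    if "\x00" in user_path:
        raise PermissionError("null byte in path")
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate


def read_user_file(base_dir: str, user_path: str) -> bytes:
    """Reads a file only if it resolves inside base_dir and is a regular file."""
    target = resolve_under(base_dir, user_path)
    if not target.is_file():
        raise FileNotFoundError(user_path)
    return target.read_bytes()


# Constructed probes: the legitimate name plus the traversal forms the
# Directory Traversal and LFI items describe.
PROBES = [
    "report.txt",
    "../secret.txt",
    "..%2F..%2Fsecret.txt",   # still encoded: treated as a literal file name
    "/etc/passwd",
    "sub/../report.txt",
    "sub/../../secret.txt",
]


def demo() -> Dict[str, str]:
    """Builds a throwaway tree and shows how each probe is handled."""
    root = Path(tempfile.mkdtemp(prefix="served-demo-"))
    served = root / "public"
    served.mkdir()
    (served / "report.txt").write_bytes(b"quarterly report")
    (root / "secret.txt").write_bytes(b"outside the served tree")

    results: Dict[str, str] = {}
    try:
        for probe in PROBES:
            try:
                results[probe] = read_user_file(str(served), probe).decode()
            except PermissionError:
                results[probe] = "denied"
            except FileNotFoundError:
                results[probe] = "not found"
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print(f"{probe!r:28s} -> {outcome}")
```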

    Command Injection

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 5.2.4 Sanitization and Sandboxing: Attack specific parameters and fields with arbitrary system commands. For example, using ICMP requests such as ping, echo, Fping, etc.

      • Tested – Vulnerability Found
      • Vulnerability Name – Command Injection

    HTTP Request Smuggling / Response Splitting

    • OWASP: A06:2021 – Vulnerable and Outdated Components
    • OWASP-ASVS: OWASP ASVS: 5.1.5 Input Validation: Modify requests to allow an attacker to manipulate the sequence and content of the requests, leading to various types of attacks, such as bypassing security measures, data theft, or cross-site scripting (XSS).

      • Tested – No Vulnerability Found

    HTTP Cache Poisoning

    • OWASP: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS: 5.4.2 – Memory, String, and Unmanaged Code.

      • Tested – Vulnerability Found
      • Vulnerability Name – HTTP Cache Poisoning

    Host Header Attack

    • OWASP: 0
    • OWASP-ASVS: OWASP ASVS: 0: Manipulate or inject malicious content into the cache of a web application or a user’s web browser.

      • Tested – No Vulnerability Found

    Open Redirect

    • OWASP: A10:2021 – Server-Side Request Forgery (SSRF)
    • OWASP: OWASP TOP 10: A03:2021 – Injection: Check parameters that seem to send a user to a page navigation, URL, or any other kind of possible redirection. This is often seen during authentication sequences.

      • Tested – Vulnerability Found
      • Vulnerability Name – Open Redirect
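An added example, not part of the original checklist, of validating a post-login "next" parameter so that only same-site targets are honoured; the trusted host and the probe values are constructed.

```python
from typing import Dict, Iterable
from urllib.parse import urlsplit

# Constructed: the only host this site may hand a user off to.
TRUSTED_HOSTS = frozenset({"app.example.test"})
FALLBACK = "/"


def safe_redirect_target(next_param: str) -> str:
    """Returns a redirect target that stays on this site, or FALLBACK.

    Accepts a path-only URL or an absolute https URL to a trusted host.
    Rejects the usual bypass shapes an Open Redirect test sends:
    protocol-relative "//host", backslash "/\\host" (browsers treat "\\"
    as "/"), "https:host" with no slashes, userinfo "https://trusted@host",
    scheme downgrade, non-http schemes, and embedded control characters
    (browsers strip tab/newline, which would turn "/\\t/host" into "//host").
    """
    if not next_param:
        return FALLBACK
    target = next_param.strip()
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return FALLBACK
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute form: only https, only a trusted host, no userinfo.
        if (parts.scheme != "https" or parts.username is not None
                or parts.hostname not in TRUSTED_HOSTS):
            return FALLBACK
        return target
    # Relative form: a single leading slash (not "//host", not a bare word).
    if not target.startswith("/") or target.startswith("//"):
        return FALLBACK
    return target


# Constructed "next" values a tester would try against this check.
PROBES = [
    "/dashboard",
    "/account?tab=security",
    "//attacker.test/phish",
    "/\\attacker.test",
    "https:attacker.test",
    "https://app.example.test@attacker.test/",
    "http://app.example.test/",
    "https://app.example.test/settings",
    "javascript:void(0)",
    "/\t/attacker.test",
]


def run_probes(values: Iterable[str] = PROBES) -> Dict[str, str]:
    """Maps each probe to the target the application would actually use."""
    return {value: safe_redirect_target(value) for value in values}


if __name__ == "__main__":
    for value, outcome in run_probes().items():
        print(f"{value!r:44s} -> {outcome}")
```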

    NoSQL Injection

      • Tested – Vulnerability Found

    Insecure Deserialization

      • Not Applicable

    Missing Server-Side Validation

    • OWASP: OWASP TOP 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS: 5.1 Input Validation: Check input validation to identify whether any input accepts data that is illogical in the application context, for example, a string of letters in a phone number field.

      • Tested – Vulnerability Found
      • Vulnerability Name – Missing Server-Side Validation

    HTML Injection

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 4.1.3 General Access Control Design: Check the same input points that would be tested for reflected or stored XSS, but with plain HTML tags (u, input, b, h1, etc.) instead of XSS payloads, to see whether the markup is rendered.

      • Not Applicable

    Mass Assignment

    • OWASP: OWASP TOP 10: A01:2021 – Broken Access Control
    • OWASP-ASVS: OWASP ASVS: 5.1.2 Input Validation: Target parameters that are not directly used in the application but are often identified via the responses to various requests. Attempt to resend those parameters to override values that the user should not normally control. For example: a backend validation token or system flag might be exposed in a response and, if included in subsequent requests, could allow attackers to bypass certain security controls or alter the application’s behavior in unintended ways.

      • Tested – Vulnerability Found
      • Vulnerability Name – Mass Assignment
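Added example, not code from the checklist, for the Mass Assignment item here and in the web checklist above: a profile-update handler that binds every submitted field beside one that accepts only listed fields. The User model and its field names are assumptions.

```python
from dataclasses import asdict, dataclass, fields
from typing import Any, Dict


@dataclass
class User:
    # Constructed model for the demonstration; field names are assumptions.
    id: int
    email: str
    display_name: str
    is_admin: bool = False        # server-controlled, never client-writable
    email_verified: bool = False  # server-controlled, never client-writable


# The only fields a user may change through the profile endpoint.
PROFILE_WRITABLE = frozenset({"email", "display_name"})
MODEL_FIELDS = frozenset(f.name for f in fields(User))


def update_profile_vulnerable(user: User, payload: Dict[str, Any]) -> User:
    """Binds every key in the request body that matches a model attribute.

    This is the pattern the checklist item describes: a client that resends
    the response field is_admin with the value true elevates its own account.
    """
    for key, value in payload.items():
        if key in MODEL_FIELDS:
            setattr(user, key, value)
    return user


def update_profile_hardened(user: User, payload: Dict[str, Any]) -> User:
    """Copies only allow-listed keys and rejects anything else.

    Rejecting rather than silently dropping unexpected keys also gives the
    application a loggable signal that someone is probing the endpoint.
    """
    unexpected = set(payload) - PROFILE_WRITABLE
    if unexpected:
        raise ValueError(f"unexpected field(s): {sorted(unexpected)}")
    for key in PROFILE_WRITABLE & set(payload):
        setattr(user, key, payload[key])
    return user


# Constructed request body: one legitimate field plus the server flag.
TAMPERED_BODY = {"display_name": "alice", "is_admin": True}


def demo() -> Dict[str, bool]:
    """Runs the same tampered body through both handlers."""
    original = User(id=7, email="alice@example.test", display_name="Alice")

    escalated = update_profile_vulnerable(User(**asdict(original)), TAMPERED_BODY)

    try:
        update_profile_hardened(User(**asdict(original)), TAMPERED_BODY)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True

    return {
        "vulnerable_is_admin": escalated.is_admin,  # True: privilege gained
        "hardened_rejected": hardened_rejected,     # True: request refused
    }


if __name__ == "__main__":
    print(demo())
```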

    Origin Manipulation (Cors Misconfig)

    • OWASP: OWASP TOP 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS: 14.5.3 HTTP Security Headers: Change the Origin header to test whether the cross-origin restrictions enforced by the CORS response headers can be bypassed.

      • Tested – Vulnerability Found
      • Vulnerability Name – Origin Manipulation (Cors Misconfig)
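Added example for the Origin Manipulation item (here and in the web checklist above); it is not code from the original page. It contrasts a handler that reflects the Origin header with an exact-match allow-list; the origins are constructed.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allow-list of origins permitted to make credentialed requests.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.test",
    "https://admin.example.test",
})


def cors_headers_vulnerable(origin: Optional[str]) -> Dict[str, str]:
    """Reflects whatever Origin the client sent, with credentials allowed.

    This is what the Origin-manipulation test detects: any site can then
    read authenticated responses from this API inside a victim's browser.
    """
    if not origin:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(origin: Optional[str]) -> Dict[str, str]:
    """Exact-match allow-list on a normalized origin.

    Returns no CORS headers (so the browser blocks the cross-origin read) for
    a missing Origin, the literal "null" origin, non-HTTPS schemes, lookalikes
    such as https://app.example.test.attacker.test, userinfo tricks such as
    https://app.example.test@attacker.test, and any value carrying a path.
    """
    if not origin or origin == "null":
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        return {}
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalized not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        # The response differs per origin, so shared caches must key on it.
        "Vary": "Origin",
    }


# Constructed Origin values a tester would send against this endpoint.
PROBE_ORIGINS = [
    "https://app.example.test",                # legitimate
    "https://APP.example.test",                # case variant of legitimate
    "https://app.example.test.attacker.test",  # suffix lookalike
    "https://attacker.test",                   # unrelated site
    "http://app.example.test",                 # scheme downgrade
    "https://app.example.test@attacker.test",  # userinfo trick
    "null",                                    # sandboxed iframe / file origin
]


def compare(origins=PROBE_ORIGINS) -> Dict[str, Dict[str, bool]]:
    """For each probe, whether each handler would grant a credentialed read."""
    return {
        o: {
            "vulnerable_allows": "Access-Control-Allow-Origin" in cors_headers_vulnerable(o),
            "hardened_allows": "Access-Control-Allow-Origin" in cors_headers_hardened(o),
        }
        for o in origins
    }


if __name__ == "__main__":
    for origin, outcome in compare().items():
        print(f"{origin:42s} {outcome}")
```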

    Server-Side Template Injection (SSTI)

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 5.2.7 Sanitization and Sandboxing: Utilize various SSTI payloads to see if the backend server is evaluating payloads when the data is reflected.

      • Tested – No Vulnerability Found
  7. File Based Attacks
  8. Arbitrary File Upload

    • OWASP: OWASP TOP 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS: 12.2.1 File Integrity: Check if the application fails to properly validate the file type or perform content checks, as an attacker could upload a file that appears to be an image but is a web shell, which could be used to execute arbitrary commands on the server.

      • Not Applicable

    CSV Injection

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 5.1.5 Input Validation: If the application does not properly sanitize the user input, an attacker can inject malicious code into the fields to execute commands on the victim’s system.

      • Not Applicable
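Added example for the CSV Injection item (and the matching web checklist item), not from the original page: neutralising formula triggers in user-controlled cells before export. The rows are constructed.

```python
import csv
import io
from typing import Any, Iterable, List

# Characters that make a spreadsheet treat a cell as a formula when they
# appear first. Tab and CR are included because some importers strip them
# and then evaluate whatever follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def csv_safe(value: Any) -> Any:
    """Neutralizes a user-controlled cell for export.

    A leading single quote makes the spreadsheet read the cell as text.
    Only strings are touched, so numeric columns (including negatives stored
    as numbers, such as -5) are left alone.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_rows(rows: Iterable[Iterable[Any]]) -> str:
    """Writes rows as CSV text with every field quoted and neutralized.

    QUOTE_ALL plus the csv module's quote doubling keeps embedded commas,
    semicolons and quotes from splitting or closing a cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([csv_safe(cell) for cell in row])
    return buf.getvalue()


# Constructed rows: the note column is under user control in each.
SAMPLE_ROWS: List[List[Any]] = [
    ["user", "balance", "note"],
    ["alice", -5, "late fee"],
    ["bob", 10, "=HYPERLINK(\"https://attacker.test\",\"click\")"],
    ["carol", 0, "+1 this"],
    ["dave", 3, "@sum is fine"],
]


if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```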

    Unsanitized File Upload

    • OWASP: OWASP TOP 10: A03:2021 – Injection
    • OWASP-ASVS: OWASP ASVS: 14.3.3 Unintended Security Disclosure: An attacker can upload a file that appears to be harmless but contains malicious code that can be used to execute arbitrary commands on the server. Check if these files persisted and stored within the application / server.

      • Not Applicable
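Added example, not from the original page, covering the Arbitrary File Upload and Unsanitized File Upload items here and the Image Based XSS item in the web checklist: server-side checks for an image upload endpoint. The allowed types, size limit and probe files are constructed assumptions.

```python
import os
import re
import uuid
from typing import Dict, Optional

# Constructed policy: extension -> magic bytes the content must begin with.
# SVG is deliberately absent: it is XML and can carry script, which is the
# stored-XSS case the "Image Based XSS" item describes.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXPECTED_MIME = {"png": "image/png", "jpg": "image/jpeg",
                 "jpeg": "image/jpeg", "gif": "image/gif"}
MAX_BYTES = 5 * 1024 * 1024
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


class UploadRejected(ValueError):
    """Raised with a short reason suitable for logging."""


def validate_upload(filename: str, content: bytes, declared_type: str) -> str:
    """Accepts an image upload and returns the server-chosen storage name.

    Each check corresponds to a way the upload items try to get executable
    content stored: size, path components in the name, double extensions
    (shell.php.png or shell.png.php), a Content-Type that disagrees with the
    extension, and content whose magic bytes are not those of the claimed type.
    """
    if len(content) > MAX_BYTES:
        raise UploadRejected("too large")
    # Any directory separator or ".." in the name means an unsafe name.
    stripped = os.path.basename(filename.replace("\\", "/"))
    if stripped != filename:
        raise UploadRejected("unsafe filename")
    if filename.count(".") != 1:
        raise UploadRejected("double or missing extension")
    if not SAFE_NAME.fullmatch(filename):
        raise UploadRejected("unsafe filename")
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected("extension not allowed")
    if declared_type.split(";")[0].strip().lower() != EXPECTED_MIME[ext]:
        raise UploadRejected("content-type mismatch")
    if not content.startswith(ALLOWED_SIGNATURES[ext]):
        raise UploadRejected("content does not match extension")
    # Never store under the client's name: pick a random one server-side.
    return f"{uuid.uuid4().hex}.{ext}"


def reject_reason(filename: str, content: bytes, declared_type: str) -> Optional[str]:
    """None when the file would be accepted, otherwise the rejection reason."""
    try:
        validate_upload(filename, content, declared_type)
        return None
    except UploadRejected as exc:
        return str(exc)


# Constructed probes: (filename, content, Content-Type). The script body
# is a placeholder standing in for the web shell the checklist describes.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT = b"<?php /* constructed placeholder script body */ ?>"
PROBES = {
    "real_png": ("avatar.png", PNG, "image/png"),
    "script_as_png": ("avatar.png", SCRIPT, "image/png"),
    "double_extension": ("avatar.php.png", PNG, "image/png"),
    "traversal_name": ("../../var/www/avatar.png", PNG, "image/png"),
    "svg_script": ("logo.svg", b"<svg onload=alert(1)>", "image/svg+xml"),
    "mime_lie": ("avatar.png", PNG, "application/x-php"),
}


def run_probes() -> Dict[str, Optional[str]]:
    return {name: reject_reason(*args) for name, args in PROBES.items()}


if __name__ == "__main__":
    for name, reason in run_probes().items():
        print(f"{name:18s} {'accepted' if reason is None else reason}")
```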

  9. Error Handling
  10. Internal Server Error

    • OWASP: OWASP TOP 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS: 5.3.5 Output Encoding and Injection Prevention: Utilize various methods (invalid parameters, XSS, SQLI, invalid characters, etc.) to attempt to cause a 500 internal server error.

      • Tested – Vulnerability Found
      • Vulnerability Name – Internal Server Error

    Stack Trace Disclosure

    • OWASP: OWASP TOP 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS: 14.3.3 Unintended Security Disclosure: Attempt various methods (XSS, SQLI, invalid parameters, invalid characters, debug methods, etc.) to disclose a stack trace error message.

      • Tested – No Vulnerability Found
  11. Business Logic Testing
  12. Business Logic Vulnerability

    • OWASP: OWASP TOP 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS: 1.11.3 Business Logic Architecture: A vulnerability that occurs when an attacker can manipulate the logical flow of an application’s business rules and processes to gain unauthorized access, steal data, or perform other malicious actions.

      • Tested – No Vulnerability Found
  13. Discovery / Recon
  14. HTML Comments

    • OWASP: OWASP TOP 10: A04:2021 – Insecure Design
    • OWASP-ASVS: OWASP ASVS: 1.11.3 Business Logic Architecture: Identify HTML comments that contain sensitive or particularly interesting information.

      • Not Applicable

    API Keys

    • OWASP: OWASP TOP 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS: 13.1.3 Generic Web Service Security: Identify hardcoded or environment-based API keys.

      • Tested – No Vulnerability Found

    Hardcoded Credentials

    • OWASP: OWASP TOP 10: A05:2021 – Security Misconfiguration
    • OWASP-ASVS: OWASP ASVS: 13.1.3 Generic Web Service Security: Identify hardcoded credentials (Usernames, passwords, access tokens, etc.).

      • Tested – No Vulnerability Found

Mobile Pentest Checklist

A pentest checklist for mobile penetration testing ensures a thorough and consistent approach to identifying security vulnerabilities in mobile applications. Mobile apps often handle sensitive user data, and their architecture differs from web applications, making specialized testing important. A pentest checklist, using common frameworks like the OWASP Mobile Security Testing Guide (MSTG) and authentication methods like OAuth 2.0 or SAML, helps maintain focus on areas like data storage, authentication, network communications, and platform-specific vulnerabilities, ensuring no critical area is overlooked.

Mobile Pentest Checklist: Gray Box

  1. Static Analysis
  2. Hardcoded Credentials

    • OWASP: OWASP-1
    • OWASP-ASVS: OWASP-ASVS-1: Using industry-standard tooling and proprietary technologies, port scans are performed to identify all the active ports on a target asset.

      • Tested – No Vulnerability Found

    Hardcoded API Keys

    • OWASP: OWASP-2
    • OWASP-ASVS: OWASP-ASVS-2: By using industry-standard tooling and proprietary technologies, port scans are performed to identify all the filtered ports on a target asset.

      • Tested – Vulnerability Found
      • Vulnerability Name – Application Contains Hard-Coded API Key

    Misconfigurations (IOS and Android Targeted)

    • OWASP: OWASP-3
    • OWASP-ASVS: OWASP-ASVS-3: By using industry-standard tooling and proprietary technologies, scans are performed to identify if a host is reachable.

      • Tested – Vulnerability Found
      • Vulnerability Name – Application Transport Security (ATS) Disabled

    Jailbreak/Root Detection Bypass

    • OWASP: OWASP-5
    • OWASP-ASVS: OWASP-ASVS-5: Server software version disclosure is the process of revealing the specific software versions and configuration details of a web server.

      • Tested – No Vulnerability Found
  3. Dynamic Analysis
  4. Insecure Data Storage

    • OWASP: OWASP-6
    • OWASP-ASVS: OWASP-ASVS-6: After identifying various system versions, check to see if these versions have any known vulnerabilities.

      • Tested – No Vulnerability Found

    Lock Bypass

    • OWASP: OWASP-7
    • OWASP-ASVS: OWASP-ASVS-7: Through various techniques and technologies, identify and showcase Heartbleed, POODLE, BEAST, CRIME, DROWN, FREAK, Logjam, and other various misconfigurations with the SSL protocol.

      • Tested – No Vulnerability Found

    Runtime Code Manipulation

    • OWASP: OWASP-8
    • OWASP-ASVS: OWASP-ASVS-8

      • Tested – No Vulnerability Found

    Follows Standard API-Based Testing for Accessible Endpoints

    • OWASP: OWASP-9
    • OWASP-ASVS: OWASP-ASVS-9

      • Tested – Vulnerability Found
      • Vulnerability Name – Application Does Not Implement Certificate Pinning
  5. Network Analysis
  6. SSL Pinning Bypass

    • OWASP: OWASP-10
    • OWASP-ASVS: OWASP-ASVS-10: Through various techniques and technologies, attempt to identify vulnerabilities like directory information disclosure, directory traversal attacks, LDAP injection, and/or other various vulnerabilities and misconfigurations.

      • Tested – Vulnerability Found
      • Vulnerability Name – Application Does Not Implement Certificate Pinning

Abbreviated Pentest Checklists

Wireless Pentest Checklist

A pentest checklist is important to ensure a consistent and systematic evaluation of the security of wireless networks, which often serve as entry points for attackers due to the inherent nature of transmitting data over the air. This makes these networks more susceptible to eavesdropping and unauthorized access. A pentest checklist, using such tools as Aircrack-ng or Wireshark and authentication methods such as WPA2/WPA3 or 802.1X with RADIUS servers for enterprise environments, helps ensure wireless networks are thoroughly tested and secured from potential threats.

Below is an abbreviated pentest checklist covering the critical phases of wireless network penetration testing:

  1. Identification of Wireless Network (SSID)
  2. Signal Mapping

    • Document the signal strength and GPS coordinates of detected networks to create a coverage map of the wireless environment. This data helps in understanding the physical reach of the wireless network and pinpointing areas where the signal may be vulnerable to unauthorized access.

    Active Scanning for Hidden SSIDs

    • Use active scanning methods with tools like Kismet or airodump-ng to detect hidden SSIDs that are not openly broadcast by access points. If these hidden SSIDs lack proper security, they can become an entry point for unauthorized access.

  3. Unauthorized Access to Wireless Networks
  4. Vulnerability Assessment for WPS

    • Investigate the Wi-Fi Protected Setup (WPS) feature for vulnerabilities. While designed to facilitate easy connections for devices, WPS can often be manipulated to gain unauthorized access.

    Passphrase Strength

    • Evaluate the strength of the wireless network’s passphrase. Weak, default, or common passphrases can be easily guessed or cracked, leading to security breaches.

    Key Cracking

    • Use advanced tools such as Aircrack-ng or Hashcat to attempt to crack encryption keys for WEP, WPA, WPA2, and WPA3. This process involves capturing network traffic and employing methods like dictionary attacks, brute-force attacks, or exploiting weaknesses in the protocols.

  5. Assess Security Controls
  6. Client Isolation

    • Review the client isolation settings that prevent connected devices from communicating with each other on the wireless network. This feature hinders lateral movement and isolates potential threats.

    Wireless Intrusion Detection/Prevention Systems (WIDS/WIPS) Evaluation

    • Assess the effectiveness of WIDS/WIPS solutions in identifying and preventing unauthorized access and attacks on the wireless network. Test the system’s responses to various attack scenarios and its capability to differentiate between legitimate traffic and malicious activities.

  7. Rogue Access Point Detection
  8. SSID Broadcasting

    • Evaluate the SSIDs being broadcast in the organization’s environment to identify unauthorized devices. Check for SSIDs that imitate the organization’s legitimate network name (a tactic known as “evil twin” attacks) or any other unfamiliar SSIDs.

    Rogue AP Identification

    • Use tools like Kismet or Wireshark to search for unauthorized access points that may have been set up in or near the organization’s facilities. Rogue access points can significantly compromise security by intercepting wireless traffic or providing a pathway for network infiltration.

Social Engineering Pentest Checklist

A social engineering checklist identifies vulnerabilities in human behavior and organizational practices that could be exploited by bad actors. Social engineering attacks target the human element of security, often bypassing technical safeguards by manipulating individuals into divulging confidential information or performing actions that compromise IT security.

A social engineering checklist allows a systematic evaluation, using common frameworks such as NIST 800-53, OWASP Top 10, and SANS Security Awareness, as well as authentication methods such as MFA and password policies, to pinpoint specific areas where employees may be vulnerable. This checklist helps organizations understand how well they can respond to social engineering attacks and improve their security posture.

Below is an abbreviated pentest checklist for social engineering:

  1. Phishing Attacks
  2. Customizing Emails

    • Create phishing emails that closely mimic communications from trusted entities, such as corporate messages or well-known online services. The goal is to deceive recipients into revealing sensitive information or clicking on harmful links.

    Phishing Campaigns

    • Use advanced phishing simulation tools like Gophish or the Social-Engineer Toolkit (SET) to generate, execute, and track phishing campaigns. These tools monitor user engagement with the emails, including opens, clicks, and data submissions, offering insights into the campaign’s effectiveness and the target audience’s awareness.

  3. Pretexting and Impersonation
  4. Scenario Creation

    • Create realistic pretext scenarios that align with the target’s expected interactions. For example, impersonating an IT support technician to request password resets or system access can be very effective when backed by adequate background knowledge and credibility.

    Sensitive Data Compromise

    • Assess the willingness of individuals within an organization to comply with requests for sensitive information or actions that might compromise security, such as bypassing standard verification procedures.

  5. USB Drops
  6. Harmful Payloads

    • Deliberately place USB devices containing harmless simulation payloads in areas where target employees are likely to discover them. These drives can mimic the behavior of harmful software to determine whether individuals will inadvertently introduce a potential threat to the network.

    Monitor Behavior

    • Track and document employees’ interactions with USB drives, such as inserting them into company devices, to evaluate the security awareness and training effectiveness.

  7. Physical Penetration
  8. Surveillance Equipment

    • Evaluate the performance of surveillance cameras and alarm systems in detecting unauthorized entry attempts. Identify blind spots in surveillance coverage and assess the response time of security personnel and alarm protocols.

    Evasion of Security Controls

    • Attempt to bypass physical security protocols, such as access controls like card readers and biometrics, to gain unauthorized access to secure areas.

Conclusion

Pentest checklists serve pentesters and their organizations by ensuring a consistent, comprehensive, and systematic approach to identifying security vulnerabilities. A pentest checklist leaves no stone unturned and is essential for several reasons.

Structured Approach: Pentest checklists provide a structured framework that helps pentesters maintain consistency across different assets and assessments. By following a defined set of criteria, pentesters can ensure that no critical vulnerability in the attack surface is missed, leading to a more thorough evaluation of the system’s defenses.

Time and Cost Savings: Checklists help to enhance the efficiency of the pentesting process. Pentest checklists streamline the workflow, allowing pentesters to focus on specific tasks without the risk of missing important steps. This efficiency translates into time and cost savings, which is beneficial in resource-constrained environments.

Best Practices: Using a pentest checklist demonstrates a commitment to security best practices. It fosters a culture of accountability, as teams can track their progress and confirm that all necessary steps have been taken. It also helps meet compliance requirements in industries where regular security assessments are mandated.

Stakeholder Communication: Detailed pentest checklists facilitate better communication between pentesters and stakeholders. They provide a clear outline of what will be tested, how it will be evaluated, and how the findings will be assessed. This transparency helps enterprises understand their security posture and make more informed decisions about improvements.

In summary, pentest checklists are not only effective in identifying vulnerabilities but also ensure a systematic approach to penetration testing, using established best practices, tools, and frameworks. They benefit pentesters by providing assurance to their organization and stakeholders that meaningful steps are being taken to protect their assets. Pentest checklists are a security blanket for any organization conducting penetration testing.
