---
title: Web Application Audit
categories: [checklists]
tags: [web, audit]
---

# Web Application Audit

## Injection

* [ ] SQLi
* [ ] Local/Remote File Inclusion

## Broken Auth

* [ ] User Enumeration (Error messages/Response size/Timing)
* [ ] No Brute-force Protections
* [ ] Bad Password Policy
* [ ] Bad Session Implementation

## Sensitive Data

* [ ] Non-existent/Insufficient Crypto
* [ ] SSL Scan for Bad Crypto
* [ ] Bad Storage of Sensitive Data
* [ ] Directory/File Discovery/Fuzzing

## XXE

* [ ] XXE

## Broken Access Control

* [ ] Access Unintended Data
* [ ] Direct/Hidden Links/Requests

## Bad Config

* [ ] Headers
* [ ] Cookies
* [ ] Error Messages/Stack Traces
* [ ] Directory Traversal
* [ ] Directory/File Discovery/Fuzzing
* [ ] Malicious File Upload

## XSS

* [ ] Persistent XSS
* [ ] DOM XSS
* [ ] Reflected XSS

## Insecure Deserialisation

* [ ] Insecure Deserialisation

## Vulnerable Components

* [ ] Outdated/Vulnerable Software