web-application-audit.md 969 B
title: Web Application Audit categories: [checklists]
tags: [web, audit]
Web Application Audit
Injection
- SQLi
- Local/Remote File Inclusion
Broken Auth
- User Enumeration (Error messages/Response size/Timing)
- No Brute-force Protections
- Bad Password Policy
- Bad Session Implementation
Sensitive Data
- Non-existant/Insufficient Crypto
- SSL Scan for Bad Crypto
- Bad Storage of Sensitive Data
- Directory/File Discovery/Fuzzing
XXE
- XXE
Broken Access Control
- Access Unintended Data
- Direct/Hidden Links/Requests
Bad Config
- Headers
- Cookies
- Error Messages/Stack Traces
- Directory Traversal
- Directory/File Discovery/Fuzzing
- Malicious File Upload
XSS
- Persistent XSS
- DOM XSS
- Reflected XSS
Insecure Deserialisation
- Insecure Deserialisation
Vulnerable Components
- Outdated/Vulnerable Software