Scribd Logo
Carica

Benvenuto in Scribd!

  • Penetration Testing Checklist

    Caricato da

    Mohan Raj
    541 visualizzazioni3 pagine
    pentest checklist

    Copyright

    © © All Rights Reserved

    Formati disponibili

    DOCX, PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    pentest checklist

    Copyright:

    © All Rights Reserved
    Scarica in formato DOCX, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    541 visualizzazioni3 pagine

    Penetration Testing Checklist

    Caricato da

    Mohan Raj
    pentest checklist

    Copyright:

    © All Rights Reserved
    Scarica in formato DOCX, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 3

    Penetration Testing Checklist

    1) Web Applications – Check if a web application is able to identify spam


    attacks on contact forms used in the website.

    2) Proxy Servers – Check if network traffic is monitored by proxy appliances.


    Proxy servers make it difficult for hackers to get internal details of the network,
    thus protecting the system from external attacks.

    3) Spam Email Filters – Verify if incoming and outgoing email traffic is filtered
    and unsolicited emails are blocked. Many email clients come with built-in
    spam filters, which need to be configured per your needs. These configuration
    rules can be applied on email headers, subjects or bodies.

    4) Firewalls – Make sure an entire network or computers are protected with a


    firewall. A firewall can be a software or hardware to block unauthorized access
    to systems. Firewalls can prevent sending data outside the network without
    your permission.

    5) Exploits – Try to exploit all servers, desktop systems, printers and network
    devices.

    6) Verification – Verify that all usernames and passwords are encrypted and
    transferred over secured connections like HTTPs.

    7) Cookies – Verify information stored in website cookies. It should not be in


    readable format.

    8 ) Vulnerabilities – Review previously found vulnerabilities to check if the fix


    is working.

    9) Open Ports – Ensure there are no ports on a network.

    11) Telephones – Check all telephone devices.

    12) WiFi – Test WiFi network security.

    13) HTTP Methods – Review HTTP methods. PUT and Delete methods should
    not be enabled on web server.

    14) Passwords – Password should be at least 8 character long containing at


    least one number and one special character.
    15) Usernames – Usernames should not be like “admin” or “administrator”.

    16) Application Login Pages – Application logins pages should be locked upon
    few unsuccessful login attempts.

    17) Error Messages – Error messages should be generic and not mention
    specific error details like “Invalid username” or “Invalid password”.

    19) Special Characters – Verify if special characters, HTML tags and scripts
    are handled properly as an input value.

    20) Internal System Details – Internal system details should not be revealed
    in any of the error or alert messages.

    21) Custom Error Messages – Custom error messages should be displayed to


    end-users in case of web page crash.

    22) Registry Entries – Review the use of registry entries. Sensitive information
    should not be kept in registry.

    23) Scanning Files – All files must be scanned before uploading to server.

    24) Sensitive Data – Sensitive data should not be passed in URL’s while
    communicating with different internal modules of the web application.

    25) No Hard-Coded Usernames or Passwords – There should not be any hard-


    coded username or password in the system.

    26) Input Fields – Check all input fields with long input strings – with and
    without spaces.

    27) Password Functionality – Ensure reset password functionality is secure.

    28) SQL Injection – Verify application for SQL Injection.

    29) XSS – Verify application for Cross Site Scripting.

    31) Input Validations – Important input validations should be done at server


    side instead of JavaScript checks at client side.

    32) System Resources – Critical resources in the system should be available


    to authorized persons and services only.

    33) Access Permissions – All access logs should be maintained with proper
    access permissions.
    34) Ending Sessions – Check that user sessions end upon log off.

    35) Directory Browsing – Verify that directory browsing is disabled on the


    server.

    36) Up-to-Date Versions – Verify that all applications and database versions
    are up to date.

    37) URL Manipulation – Review URL manipulation to make sure a web


    application is not showing any unwanted information.

    38) Buffer Overflow – Check memory leak and buffer overflow.

    39) Trojan Attacks – Verify if incoming network traffic is scanned to find


    Trojan attacks.

    40) Brute Force Attacks – Check if systems are safe from Brute Force Attacks
    – use a trial and error method to find sensitive information like passwords.

    41) DoS – Ensure the system or network is secured from DoS (denial-of-
    service) attacks. Attackers can target networks or a single computer with
    continuous requests. Resources on target systems get overloaded, resulting in
    denial of service for legit requests.

    Potrebbero piacerti anche