| Category | Item | Check |
|---|---|---|
| Authentication and Session Management | Weak Passwords and Brute-Force Vulnerabilities | Test for weak passwords and brute-force vulnerabilities. |
| Authentication and Session Management | Multi-Factor Authentication (MFA) | Verify that multi-factor authentication (MFA) is properly implemented. |
| Authentication and Session Management | Password Recovery, Reset, and Update | Check for vulnerabilities in the password recovery, reset, and update flows. |
| Authentication and Session Management | Session Management | Assess session management, including secure cookie attributes, session timeout, and protection against session fixation. |
| Authentication and Session Management | Logout Functionality | Ensure that logout works correctly and invalidates the session on the server side. |
| Authentication and Session Management | Default Credentials | Check that default credentials have been changed or disabled. |
| Authentication and Session Management | Account Lockout Mechanism | Verify the presence and effectiveness of account lockout after multiple failed login attempts. |
| Authentication and Session Management | Secure Password Storage | Ensure passwords are stored using a strong password hashing algorithm such as bcrypt. |
| Authentication and Session Management | Token Expiration | Verify that authentication tokens have appropriate expiration times. |
| Authentication and Session Management | Session Hijacking | Test for weaknesses that could lead to session hijacking, such as missing Secure or HttpOnly flags on session cookies. |
| Authentication and Session Management | Secure Login Forms | Ensure that login forms are served over HTTPS and that credentials are not exposed in logs or URL parameters. |
| Authentication and Session Management | CAPTCHAs | Verify that CAPTCHAs are implemented to hinder automated login attempts. |
| Authentication and Session Management | Password Complexity | Ensure password policies enforce complexity requirements (length, character variety). |
| Authentication and Session Management | Remember Me | Check the security of "Remember Me" functionality and ensure its tokens expire appropriately. |
| Authentication and Session Management | Session Timeout | Validate session timeout configuration to prevent extended idle sessions. |
| Authentication and Session Management | Inactive Account Handling | Ensure that inactive accounts are disabled after a defined period. |
| Authorization | Privilege Escalation | Test for vertical and horizontal privilege escalation. |
| Authorization | Role-Based Access Control (RBAC) | Verify the role-based access control (RBAC) implementation. |
| Authorization | Insecure Direct Object References (IDOR) | Check for Insecure Direct Object References (IDOR). |
| Authorization | Access Control Policies | Review and test access control policies for effectiveness. |
| Authorization | Least Privilege Principle | Ensure that users have the minimum level of access necessary to perform their functions. |
| Authorization | Forceful Browsing | Test whether unauthorized users can reach restricted resources by manipulating URLs or parameters. |
| Authorization | Multi-Tenancy | Verify that users from different tenants cannot access each other's data. |
| Authorization | Security Misconfigurations | Check for misconfigured access controls, such as overly permissive roles. |
| Authorization | Time-Based Authorization | Test authorization rules that change based on time or other contextual factors. |
| Authorization | Logical Access Controls | Ensure that access control checks are applied consistently throughout the application. |
| Authorization | Role Misuse | Check whether roles can be misused to gain unauthorized access. |
| Authorization | Sensitive Functionality | Ensure sensitive functionality is accessible only to authorized roles. |
| Authorization | Dynamic Access Control | Test dynamic access controls that depend on context (e.g., IP address, device). |
| Input Validation | Cross-Site Scripting (XSS) | Test for XSS vulnerabilities (reflected, stored, DOM-based). |
| Input Validation | SQL Injection (SQLi) and NoSQL Injection | Check for SQL Injection (SQLi) and NoSQL Injection. |
| Input Validation | Command Injection, LDAP Injection, and XML External Entities (XXE) | Assess for Command Injection, LDAP Injection, and XML External Entities (XXE). |
| Input Validation | Client-Side and Server-Side Validation | Validate input on both the client side and the server side. |
| Input Validation | Cross-Site Script Inclusion (XSSI) | Test whether external scripts can be included and executed within the application's context. |
| Input Validation | HTTP Parameter Pollution | Check whether multiple parameters with the same name can be used to manipulate application logic. |
| Input Validation | Remote Code Execution (RCE) | Test for vulnerabilities that could lead to remote code execution. |
| Input Validation | Directory Traversal | Check for directory traversal vulnerabilities that could allow access to unauthorized files. |
| Input Validation | HTTP Splitting/Smuggling | Test for HTTP request splitting and smuggling vulnerabilities. |
| Input Validation | Path Traversal | Test for vulnerabilities that allow attackers to traverse the server's directory structure. |
| Input Validation | File Inclusion | Check for Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities. |
| Input Validation | Template Injection | Test for template engine vulnerabilities that could lead to code execution. |
| Input Validation | Input Length | Validate input length to prevent buffer overflow attacks. |
| Input Validation | Data Sanitization | Ensure input data is properly sanitized before processing. |
| Input Validation | Encoding | Verify that all input is appropriately encoded before it is output. |
| Business Logic | Logic Flaws and Bypasses | Identify and test for logic flaws and bypasses in the application's workflow. |
| Business Logic | Security Controls in Business Processes | Verify the proper implementation of security controls in business processes. |
| Business Logic | Race Conditions | Test for race conditions that could cause security issues. |
| Business Logic | Business Process Tampering | Ensure that business process steps cannot be manipulated or skipped. |
| Business Logic | Transaction Manipulation | Test whether transactions can be manipulated to cause unintended outcomes. |
| Business Logic | Workflow Validation | Verify that business workflows enforce proper sequencing and validation at each step. |
| Business Logic | Inconsistent State | Test for conditions that could leave the application in an inconsistent state. |
| Business Logic | Integrity Checks | Ensure that integrity checks are implemented and cannot be bypassed. |
| Business Logic | Business Logic Abuse | Identify potential abuse cases in the business logic. |
| Business Logic | Transaction Duplication | Test whether transactions can be duplicated. |
| Business Logic | Conditional Logic | Verify that conditional logic enforces the correct business rules. |
| Security Misconfiguration | Configuration of Servers, Databases, and Frameworks | Check for improper configuration of web servers, databases, and frameworks. |
| Security Misconfiguration | Debug and Error Messages | Verify that debug and error messages do not reveal sensitive information. |
| Security Misconfiguration | Removal of Unnecessary Features | Ensure that unnecessary features, such as default accounts or sample files, are removed. |
| Security Misconfiguration | HTTP Headers | Verify that proper HTTP headers are set (e.g., Content-Type, Cache-Control). |
| Security Misconfiguration | Secure Directory Listings | Ensure directory listings are disabled on the web server. |
| Security Misconfiguration | File Permissions | Check for proper file permissions to prevent unauthorized access. |
| Security Misconfiguration | Default Error Pages | Ensure custom error pages are configured to prevent information disclosure. |
| Security Misconfiguration | Administrative Interfaces | Verify that administrative interfaces are properly secured and not exposed to unauthorized users. |
| Security Misconfiguration | Third-Party Integrations | Check the security configuration of third-party integrations and services. |
| Security Misconfiguration | Configuration Management | Verify that configuration management practices are in place to maintain secure settings. |
| Security Misconfiguration | Software Updates | Ensure all software components are up to date with the latest security patches. |
| Security Misconfiguration | Backup Configurations | Check the security of backup configurations and processes. |
| Security Misconfiguration | API Security Settings | Verify that APIs are securely configured to prevent unauthorized access. |
| Sensitive Data Exposure | Encryption of Sensitive Data | Ensure that sensitive data (PII, passwords, credit card information) is encrypted at rest and in transit. |
| Sensitive Data Exposure | Secure Protocols | Verify the implementation of secure protocols (e.g., HTTPS, TLS). |
| Sensitive Data Exposure | Data Leakage | Check for inadvertent data leakage in logs, error messages, or client-side code. |
| Sensitive Data Exposure | HTTP Strict Transport Security (HSTS) | Verify the use of HSTS to enforce secure connections. |
| Sensitive Data Exposure | Information Disclosure | Test for information disclosure vulnerabilities that reveal sensitive information. |
| Sensitive Data Exposure | Backup Data | Ensure that backup data is securely stored and encrypted. |
| Sensitive Data Exposure | Data Masking | Verify that sensitive data is masked or obfuscated where appropriate. |
| Sensitive Data Exposure | Sensitive Data in URLs | Check that sensitive data is not included in URLs or Referer headers. |
| Sensitive Data Exposure | Secure Data Handling | Ensure secure handling of sensitive data throughout its lifecycle. |
| Sensitive Data Exposure | Encryption Key Management | Verify secure management and storage of encryption keys. |
| Sensitive Data Exposure | Tokenization | Ensure that tokenization is used where applicable for sensitive data. |
| Cross-Site Request Forgery (CSRF) | CSRF Vulnerabilities | Test for CSRF vulnerabilities and ensure the use of anti-CSRF tokens. |
| Cross-Site Request Forgery (CSRF) | State-Changing Operations | Validate that the application does not perform state-changing operations without proper authorization. |
| Cross-Site Request Forgery (CSRF) | SameSite Cookies | Ensure cookies are set with the SameSite attribute to prevent CSRF attacks. |
| Cross-Site Request Forgery (CSRF) | Referer Header | Verify the use of the Referer header to help prevent CSRF attacks. |
| Cross-Site Request Forgery (CSRF) | Double Submit Cookie | Check for the implementation of the double submit cookie pattern as an additional CSRF mitigation. |
| Cross-Site Request Forgery (CSRF) | Custom Headers | Ensure that custom headers are required for state-changing requests to prevent CSRF. |
| Cross-Site Request Forgery (CSRF) | Form Token Validation | Verify that form tokens are used and validated for all state-changing requests. |
| Cross-Site Request Forgery (CSRF) | Secure Token Storage | Ensure anti-CSRF tokens are stored securely and not exposed to attackers. |
| File Uploads | Unrestricted File Upload and Malware Injection | Assess file upload functionality for vulnerabilities such as unrestricted file upload and malware injection. |
| File Uploads | File Type Validation and Storage | Check for proper file type validation and storage. |
| File Uploads | File Execution | Ensure that uploaded files cannot be executed on the server. |
| File Uploads | Content-Type Verification | Verify that the content type of uploaded files matches the expected type. |
| File Uploads | File Size Limits | Ensure file size limits are enforced to prevent denial-of-service attacks. |
| File Uploads | Virus Scanning | Verify that uploaded files are scanned for viruses and malware. |
| File Uploads | Temporary Storage | Check the security of temporary storage locations for uploaded files. |
| File Uploads | File Path Manipulation | Ensure that file paths cannot be manipulated through file uploads. |
| File Uploads | Storage Location | Ensure uploaded files are stored in secure locations with appropriate access controls. |
| File Uploads | File Integrity | Verify that file integrity checks are performed on uploaded files. |
| File Uploads | Sanitization of File Names | Ensure that uploaded file names are sanitized to prevent directory traversal attacks. |
| Client-Side Security | Content Security Policy (CSP) | Verify the implementation of Content Security Policy (CSP). |
| Client-Side Security | JavaScript Code and Third-Party Libraries | Test for vulnerabilities in JavaScript code and third-party libraries. |
| Client-Side Security | Secure Use of Cookies | Ensure secure use of cookies (HttpOnly, Secure, SameSite attributes). |
| Client-Side Security | Local Storage and Session Storage | Check for sensitive data stored insecurely in local storage or session storage. |
| Client-Side Security | JavaScript Obfuscation | Ensure that sensitive business logic is not exposed in client-side JavaScript. |
| Client-Side Security | Clickjacking | Test for clickjacking vulnerabilities and ensure the use of X-Frame-Options or CSP frame-ancestors. |
| Client-Side Security | DOM Manipulation | Check for insecure DOM manipulation practices that could lead to vulnerabilities. |
| Client-Side Security | HTML Injection | Test for HTML injection vulnerabilities that could compromise the application's integrity. |
| Client-Side Security | Secure Event Handling | Ensure that event handlers are securely implemented to prevent exploitation. |
| Client-Side Security | Cross-Origin Resource Sharing (CORS) | Verify that CORS policies are correctly implemented to prevent unauthorized data access. |
| Client-Side Security | JavaScript Sandbox | Ensure that any potentially unsafe JavaScript execution is contained within a sandbox environment. |
| Client-Side Security | Secure Frameworks | Check for secure usage of client-side frameworks and libraries (e.g., React, Angular). |
| Client-Side Security | Client-Side Caching | Validate that sensitive data is not inadvertently cached on the client side. |
| Client-Side Security | Client-Side Encryption | Ensure that any sensitive data processed on the client side is encrypted appropriately. |
| Security Headers | Presence and Configuration | Verify the presence and correct configuration of security headers (e.g., X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security). |
| Security Headers | Referrer Policy | Ensure that the Referrer-Policy header is configured correctly to minimize information leakage. |
| Security Headers | Permissions Policy | Check the Permissions-Policy header to control which features and APIs can be used in the browser. |
| Security Headers | Feature Policy | Verify the implementation of Feature Policy to control the use of web features and APIs (Feature-Policy is the predecessor of Permissions-Policy). |
| Security Headers | Cross-Origin Resource Sharing (CORS) | Ensure that CORS headers are properly configured to prevent unauthorized cross-origin requests. |
| Security Headers | Content-Security-Policy (CSP) | Verify that CSP is properly configured to prevent XSS and data injection attacks. |
| Security Headers | X-Content-Type-Options | Ensure that the X-Content-Type-Options header is set to prevent MIME-type sniffing. |
| Security Headers | X-XSS-Protection | Verify that X-XSS-Protection is configured to prevent reflected XSS attacks (note that this header is deprecated and ignored by current major browsers, so CSP remains the primary control). |
| Security Headers | X-Frame-Options | Ensure that X-Frame-Options is set to prevent clickjacking. |
| Security Headers | Public-Key-Pins (HPKP) | Check for the use of HTTP Public-Key-Pinning to mitigate man-in-the-middle attacks (note that HPKP is deprecated and no longer supported by major browsers). |
| API Security | Rate Limiting and Throttling | Test for API rate limiting and throttling. |
| API Security | Authentication and Authorization | Assess for improper API authentication and authorization. |
| API Security | Data Exposure | Check for data exposure through API responses. |
| API Security | Input Validation | Ensure proper input validation and sanitization in API endpoints. |
| API Security | CORS Configuration | Verify that Cross-Origin Resource Sharing (CORS) is properly configured to prevent unauthorized access. |
| API Security | API Key Management | Check for secure management and storage of API keys. |
| API Security | Versioning | Ensure that API versioning is implemented to manage changes and deprecations securely. |
| API Security | Error Handling | Verify that API error messages do not reveal sensitive information. |
| API Security | Parameter Tampering | Test for vulnerabilities where API parameters can be tampered with to achieve unintended effects. |
| API Security | Mass Assignment | Ensure that APIs do not accept and process unexpected parameters that could lead to mass assignment vulnerabilities. |
| API Security | JSON Web Token (JWT) | Verify the secure implementation and storage of JWTs, including proper signing and expiration. |
| API Security | Input Whitelisting | Ensure APIs use input whitelisting to accept only known and expected inputs. |
| API Security | Data Filtering | Verify that sensitive data is properly filtered out of API responses. |
| API Security | API Gateway Security | Check the security configuration of API gateways and their role in protecting backend services. |
| API Security | OAuth/OpenID Connect | Verify the secure implementation of OAuth and OpenID Connect for authentication and authorization. |
| Logging and Monitoring | Log Sensitive Actions | Ensure that sensitive actions (e.g., login attempts, data modifications) are logged. |
| Logging and Monitoring | Log Integrity | Verify that logs are protected from tampering and unauthorized access. |
| Logging and Monitoring | Centralized Logging | Check for the implementation of centralized logging for comprehensive monitoring. |
| Logging and Monitoring | Real-Time Monitoring | Ensure that real-time monitoring and alerting are in place for security incidents. |
| Logging and Monitoring | Log Retention Policies | Verify that log retention policies comply with regulatory and business requirements. |
| Logging and Monitoring | Anomaly Detection | Verify that anomaly detection is in place to identify suspicious activity. |
| Logging and Monitoring | Security Event Management | Ensure integration with Security Information and Event Management (SIEM) systems. |
| Logging and Monitoring | Compliance Logging | Validate that logging complies with industry standards and regulations (e.g., PCI-DSS, GDPR). |
| Cryptography | Strong Encryption Algorithms | Ensure the use of strong, industry-standard encryption algorithms (e.g., AES-256). |
| Cryptography | Secure Key Management | Verify that encryption keys are managed and stored securely. |
| Cryptography | Certificate Management | Check for the proper management and rotation of SSL/TLS certificates. |
| Cryptography | TLS Configuration | Ensure that TLS is properly configured to prevent vulnerabilities such as POODLE and BEAST. |
| Cryptography | End-to-End Encryption | Verify the implementation of end-to-end encryption for sensitive data. |
| Cryptography | Random Number Generation | Ensure that cryptographic functions use secure random number generation. |
| Cryptography | Deprecated Protocols | Verify that deprecated protocols (e.g., SSLv3) are disabled. |
| Cryptography | HMAC | Ensure the use of HMAC for integrity checks where applicable. |
| Cloud Security | Secure Cloud Configuration | Ensure that cloud resources are configured securely (e.g., storage buckets, virtual machines). |
| Cloud Security | Identity and Access Management (IAM) | Verify that IAM policies follow the principle of least privilege. |
| Cloud Security | Data Encryption | Ensure that data is encrypted at rest and in transit in the cloud. |
| Cloud Security | Network Security | Check the security configuration of cloud network components (e.g., security groups, firewalls). |
| Cloud Security | Monitoring and Logging | Verify that cloud monitoring and logging are in place and properly configured. |
| Cloud Security | Backup and Recovery | Ensure that backup and recovery processes are secure and regularly tested. |
| Cloud Security | Serverless Security | Verify the security configuration of serverless functions. |
| Cloud Security | Cloud Compliance | Ensure compliance with relevant regulations and standards in the cloud environment. |
| Third-Party Components | Vulnerability Management | Ensure that third-party components are regularly checked for vulnerabilities. |
| Third-Party Components | License Compliance | Verify that the use of third-party components complies with their licenses. |
| Third-Party Components | Secure Configuration | Ensure that third-party components are securely configured. |
| Third-Party Components | Update Management | Check that third-party components are kept up to date with the latest security patches. |
| Third-Party Components | Integrity Checks | Verify the integrity of third-party components before use. |
| Development and Deployment | Secure Development Lifecycle | Ensure that security is integrated into the development lifecycle. |
| Development and Deployment | Code Reviews | Conduct regular code reviews to identify and mitigate security vulnerabilities. |
| Development and Deployment | Static and Dynamic Analysis | Use static and dynamic analysis tools to identify security issues in the code. |
| Development and Deployment | Secure CI/CD Pipeline | Verify that the CI/CD pipeline includes security checks and validations. |
| Development and Deployment | Deployment Security | Ensure that the deployment process follows secure practices to prevent vulnerabilities. |
| Development and Deployment | Environment Segregation | Verify the segregation of development, testing, and production environments. |
| Incident Response | Incident Response Plan | Ensure there is an incident response plan in place. |
| Incident Response | Detection and Analysis | Verify that incidents can be detected and analyzed promptly. |
| Incident Response | Containment and Eradication | Ensure that procedures for containment and eradication of threats are in place. |
| Incident Response | Recovery and Post-Incident Activities | Verify the recovery processes and post-incident review activities. |