- Test for invalid state transitions
- Test for missing authentication or authorization
- Test for path traversal and filename injection
- Test for username enumeration
- Test for missing security updates
- Test for unsupported or end-of-life software versions
- Test for extraneous files in the document root
- Test for extraneous directory listings
- Test for sensitive information stored in URLs
- Test for caching of pages with sensitive information
- Test for non-SSL/TLS pages on sites processing sensitive information
- Test for predictable and default credentials
- Test for missing size restrictions on uploaded files
- Test for missing type validation on uploaded files
- Test for missing anti-content-sniffing measures
- Test for missing anti-clickjacking measures
- Test for inappropriate rate limiting resulting in a denial of service
- Test for sensitive information in log and error messages
- Test for missing HSTS header on full SSL sites
- Test for cross-site scripting
- Test for cross-site request forgery (CSRF)
- Test for extraneous services
- Test for publicly accessible test, development and acceptance systems
- Test for missing rate limiting on authentication functionality
- Test for missing session revocation on logout
- Test for missing session regeneration when changing credentials
- Test for missing revocation of other sessions when changing credentials
- Test for external session hijacking
For a detailed analysis and security advice, including encryption services, you can contact us at info@devopsinternational.nl