Special pages checklist
Some pages that you will encounter during a pen test need a checklist of their own, on top of the common one used earlier. Note that once you have finished the checks below, you still need to run the common checklist against these pages as well:
- Login page (this includes the admin page):
  - Test for default credentials (for example, username = admin and password = admin).
  - Brute-force credentials using a dictionary file.
  - Test whether the account locks out after a number of failed attempts. If it does, an attacker can deliberately lock accounts to cause a denial of service (DoS); if it does not, brute force is unrestricted.
  - Does it use CAPTCHA? It helps defend against automated attacks.
  - Use SQL injection to bypass authentication.
  - Do they offer a "remember me" option? If so, check how the persistent login token is generated and stored.
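The login-page checks above, worked through as an added example (this is not code from the book). The target `mock_login` is a constructed in-memory stand-in for the application's login endpoint, with a hidden lockout policy the tester has to discover; replace it with a function that POSTs to the real form (for example with `requests`) on a target you are authorised to test. The order matters: measure the lockout threshold on an account you own first, then keep the per-user attempt budget below it so the dictionary attack does not lock real users out.

```python
"""Login-page checks: default credentials, dictionary attack, lockout measurement.

Added example, not the book's own code. `mock_login` is a constructed stand-in
for the application's login endpoint; swap it for a function that POSTs to the
real form (e.g. with `requests`) on a target you are authorised to test.
"""

# ---- constructed target: hidden policy the tester has to discover ----------
LOCKOUT_AFTER = 5                                   # failures before the lock
_users = {"admin": "admin", "tester": "Tester#1", "alice": "letmein"}
_failures = {}
_locked = set()


def mock_login(username, password):
    """Behaves like a login endpoint: returns (HTTP status, response body)."""
    if username in _locked:
        return 403, "Account locked. Contact support."
    if _users.get(username) == password:
        _failures[username] = 0
        return 302, "Redirecting to /dashboard"
    _failures[username] = _failures.get(username, 0) + 1
    if _failures[username] >= LOCKOUT_AFTER:
        _locked.add(username)
        return 403, "Account locked. Contact support."
    return 200, "Invalid username or password"


# ---- tester ----------------------------------------------------------------
def classify(status, body):
    """Map a login response to success / locked / captcha / fail.
    Adjust the markers to the real application's responses."""
    text = body.lower()
    if status in (301, 302) or "dashboard" in text:
        return "success"
    if "locked" in text:
        return "locked"
    if "captcha" in text:
        return "captcha"
    return "fail"


def measure_lockout(login, username, max_tries=20):
    """Fail on purpose against an account YOU own until it locks.
    Returns the attempt number on which the lock first appeared, or None if
    no lockout was seen within max_tries (unrestricted brute force)."""
    for n in range(1, max_tries + 1):
        status, body = login(username, "definitely-wrong-%d" % n)
        if classify(status, body) == "locked":
            return n
    return None


DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("root", "root"),
                 ("test", "test"), ("guest", "guest")]
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1"]  # constructed


def try_defaults(login, creds=DEFAULT_CREDS):
    """Return the default credential pairs that log in successfully."""
    return [(u, p) for u, p in creds if classify(*login(u, p)) == "success"]


def dictionary_attack(login, usernames, wordlist, budget):
    """Try at most `budget` passwords per user. Keep budget below the measured
    lockout threshold so the test itself does not lock real users out.
    Returns (found credentials, users where a lock or CAPTCHA stopped us)."""
    found, blocked = [], []
    for user in usernames:
        for password in wordlist[:budget]:
            kind = classify(*login(user, password))
            if kind == "success":
                found.append((user, password))
                break
            if kind in ("locked", "captcha"):
                blocked.append(user)
                break
    return found, blocked


if __name__ == "__main__":
    threshold = measure_lockout(mock_login, "tester")
    print("lockout first seen on attempt:", threshold)
    print("default credentials that work:", try_defaults(mock_login))
    budget = threshold - 1 if threshold else len(WORDLIST)
    print("dictionary attack:",
          dictionary_attack(mock_login, ["alice", "tester"], WORDLIST, budget))
```

Against the mock target the run reports the lock on the fifth failure, `admin`/`admin` as a working default, and `alice`/`letmein` from the wordlist while `tester` (already locked by the measurement) is reported as blocked rather than hammered further.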
- Registration page:
  - Do they allow weak passwords?
  - If you register with an existing username, does the response reveal that it is taken, allowing you to enumerate users?
  - Test for weak, pre-generated security questions and answers (for example, favorite color, which can easily be brute-forced).
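The registration-page checks, worked through as an added example (not code from the book). `mock_register` is a constructed stand-in for the application's registration endpoint whose only password rule is a minimum length; swap it for a function that POSTs to the real form on a target you are authorised to test. User enumeration is done by response differencing: register a name that certainly does not exist to get a baseline, then compare every candidate's response against it after masking out the submitted username.

```python
"""Registration-page checks: username enumeration and weak password policy.

Added example, not the book's own code. `mock_register` is a constructed
stand-in for the application's registration endpoint; swap it for a function
that POSTs to the real form on a target you are authorised to test.
"""
import secrets

# ---- constructed target ----------------------------------------------------
_registered = {"admin", "alice"}
MIN_PASSWORD_LEN = 6          # the only rule this weak policy enforces


def mock_register(username, password):
    """Behaves like a registration endpoint: returns (HTTP status, body)."""
    if username in _registered:
        return 400, "Username already taken"
    if len(password) < MIN_PASSWORD_LEN:
        return 400, "Password too short"
    _registered.add(username)
    return 201, "Welcome, %s" % username


# ---- tester ----------------------------------------------------------------
def fresh_name():
    """A username that cannot already exist on the target."""
    return "probe_" + secrets.token_hex(4)


def fingerprint(response, username):
    """Normalise a response so only real differences remain: the status code
    plus the body with the submitted username masked out."""
    status, body = response
    return status, body.replace(username, "<user>")


def enumerate_users(register, candidates):
    """Register each candidate with a strong random password and compare the
    response to one for a name that is certainly new; any name whose response
    differs is reported as existing. Side effect: free names get created, so
    run this on a test instance or clean up afterwards."""
    probe = fresh_name()
    baseline = fingerprint(register(probe, "Str0ng!" + secrets.token_hex(8)), probe)
    existing = []
    for name in candidates:
        resp = fingerprint(register(name, "Str0ng!" + secrets.token_hex(8)), name)
        if resp != baseline:
            existing.append(name)
    return existing


WEAK_PASSWORDS = ["123456", "password", "qwerty1", "aaaaaa", "abc"]  # constructed


def weak_passwords_accepted(register, weak=WEAK_PASSWORDS):
    """Return the weak passwords the policy lets a new account register with."""
    return [pw for pw in weak if register(fresh_name(), pw)[0] == 201]


if __name__ == "__main__":
    print("existing users:", enumerate_users(mock_register, ["admin", "alice", "bob"]))
    print("weak passwords accepted:", weak_passwords_accepted(mock_register))
```

Against the mock target, `admin` and `alice` are confirmed as existing accounts, `bob` is not, and every weak password of six characters or more is accepted, which is exactly the finding the checklist item is after.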
- Reset/change password page:
  - Test whether a user can change someone else's password (for example...