In the third post of the series about the checklists for web application pentests, we share the checklist to look for the weaknesses and vulnerabilities of authentication strategies.
- Password policies
  - Credentials should not be transferred in clear text.
  - The "Forgot my password" function should be configured properly.
  - Examine the complexity of user passwords.
  - Test whether the login pages and information forms are vulnerable to brute force attacks.
  - Test whether the current password is asked for while changing the password.
- Testing for known and default credentials
  - If we know the technical infrastructure of the application, we should test the default users and passwords of the frameworks used.
  - While guessing passwords, don't forget to try the name of the company that owns the application.
  - While guessing user names, identify whether usernames are assigned automatically. If we see a username like "user0015", it won't be hard to find valid users.
- Authentication type used
  - Find out the authentication methods first.
  - If the applications and/or web services we test use "basic authentication", try MitM (man in the middle) attacks to gather credentials.
  - Check whether the authentication connection is encrypted.
- Bypassing the authentication mechanism
  - Forced browsing: test whether pages that should be accessible only after logging in are accessible directly even when we are not logged in.
  - If the username is displayed inside the application, give an XSS payload (e.g. `<script>alert(1)</script>`) as the username.
  - Analyse the session ID. In some cases, part of the user information may be used to create the session ID. Change that information and check whether the new session ID is brand new or not.
  - SQL injection: test whether the login mechanism can be bypassed by SQL injection.
- Testing the login mechanism
  - The application should return "302 Found" instead of "200 OK" when the login attempt is successful. If 200 OK is returned for the login POST, the browser keeps the submitted credentials as the request behind that page; refreshing the page sends the credentials to the server again.
- Testing the logout mechanism
  - The application should have a logout mechanism.
  - Test whether the application logs the user off when the browser is closed directly.
  - Test whether the logout mechanism ends the session on the server side.
- Browser cache management
  - Check whether sensitive data is held in the browser's cache. The cache is not cleaned by the logout mechanism.
  - HTTP responses should include "Cache-Control: no-cache, no-store". If the "no-store" option is not used, the browser's back button brings the visited pages back even after logout.
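The login, logout and cache items above, shown from the defender's side as an added example that is not part of the original post: a dependency-free handler that redirects with 302 on successful login, issues a random session ID unrelated to any user attribute, invalidates the session server-side on logout, requires the current password before a change, and sends `Cache-Control: no-cache, no-store` on every response. All names (`handle_login`, `SESSIONS`, the "alice" account) are hypothetical and the credential store is constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential store: username -> PBKDF2 hash.
# A single shared salt is used here for brevity; real code uses a per-user salt.
_SALT = b"demo-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
SESSIONS = {}  # session id -> username (server-side state, so logout can revoke it)

# Headers added to every response so the browser neither caches nor stores the page.
NO_CACHE = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}

def _check_password(username, password):
    stored = USERS.get(username)
    # Always derive the candidate hash, even for unknown users, to avoid a timing oracle.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return stored is not None and hmac.compare_digest(stored, candidate)

def handle_login(username, password):
    """Return (status, headers). Success is a 302 redirect with a fresh random session id."""
    if not _check_password(username, password):
        return 401, dict(NO_CACHE)  # generic failure: do not reveal whether the user exists
    sid = secrets.token_urlsafe(32)  # random; derived from nothing the user controls
    SESSIONS[sid] = username
    headers = dict(NO_CACHE, Location="/home")
    headers["Set-Cookie"] = f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return 302, headers  # 302, not 200, so a refresh does not resubmit the credentials

def handle_logout(sid):
    """Server-side invalidation: the old session id is unusable afterwards."""
    SESSIONS.pop(sid, None)
    headers = dict(NO_CACHE, Location="/login")
    headers["Set-Cookie"] = "session=; Max-Age=0; HttpOnly; Secure; Path=/"
    return 302, headers

def is_authenticated(sid):
    return sid in SESSIONS

def change_password(sid, current, new):
    """Require the current password before accepting a new one."""
    user = SESSIONS.get(sid)
    if user is None or not _check_password(user, current):
        return False
    USERS[user] = hashlib.pbkdf2_hmac("sha256", new.encode(), _SALT, 100_000)
    return True
```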