Methodology
- Check that the session and authentication cookies carry the important cookie attributes:
  - Max-Age (or Expires): should be set so tokens expire. Without either the cookie is a session cookie that lives until the browser closes, and a very long Max-Age keeps a stolen cookie valid for just as long.
  - HttpOnly: when present, client-side scripts cannot read the cookie through document.cookie, so an XSS cannot exfiltrate it directly.
  - SameSite: Strict sends the cookie only when the site making the request matches the site shown in the address bar (no cross-site requests at all); Lax additionally allows top-level GET navigations; None sends it on every cross-site request and is only accepted together with Secure.
  - Secure: browsers that honour the attribute send the cookie only in requests to HTTPS pages and never in cleartext HTTP traffic.
- Brute-Force Authentication.
- Attack Multi-Factor Authentication.
- Check for SQL Injection and NoSQL Injection in the sign-in and sign-up forms.
- Attack Tokens.
- Attack OAuth.
- In the forgot/reset password functionality, change the user identifier in query parameters and body fields to another user and check whether the request still succeeds for that user. Repeat with the reset token present, removed, and replaced by a random value not tied to any user (if the identifier appears both as a parameter and in the body, change both so they match).
- Check the remember-password functionality for CSRF.
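The cookie attribute check in the first item of this list is easy to script once you have the raw Set-Cookie headers from a proxy. The following is an added example, not part of the original notes: it parses Set-Cookie values and reports, per cookie, which of Secure, HttpOnly, SameSite and Max-Age/Expires are missing or weak. The SAMPLE_HEADERS, the 30-day threshold and the finding codes are assumptions made for the example.

```python
"""Set-Cookie attribute audit for the checklist above (added example)."""
from typing import Dict, List, Optional

# Constructed sample of what a login response might set; not from a real target.
SAMPLE_HEADERS = [
    "session=3f9a1c; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=3600",
    "remember_me=ZGVtbw==; Path=/; Max-Age=31536000",
    "csrf=7b2e; Path=/; Secure; SameSite=None",
    "__Host-sid=9c1d; Path=/; Secure; HttpOnly; Domain=example.com",
]

LONG_LIVED_SECONDS = 30 * 24 * 3600  # assumed threshold: beyond 30 days is flagged


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie value into a dict.

    The cookie name/value live under "__name__" / "__value__"; attribute
    names are lower-cased because RFC 6265 treats them case-insensitively.
    Flag attributes such as Secure and HttpOnly map to None.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return attrs


def audit_cookie(header: str) -> List[str]:
    """Return finding codes for one Set-Cookie header (empty list = clean)."""
    attrs = parse_set_cookie(header)
    findings: List[str] = []

    if "secure" not in attrs:
        findings.append("NO_SECURE")        # also sent over cleartext HTTP
    if "httponly" not in attrs:
        findings.append("NO_HTTPONLY")      # readable via document.cookie
    samesite = (attrs.get("samesite") or "").lower()
    if "samesite" not in attrs:
        findings.append("NO_SAMESITE")      # browser default applies (Lax in Chromium)
    elif samesite == "none":
        findings.append("SAMESITE_NONE")    # sent on every cross-site request
    elif samesite == "lax":
        findings.append("SAMESITE_LAX")     # still sent on top-level cross-site GETs
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("NO_EXPIRY")        # session cookie: lives until browser close
    elif "max-age" in attrs:
        try:
            if int(attrs["max-age"] or "") > LONG_LIVED_SECONDS:
                findings.append("LONG_LIVED")
        except ValueError:
            findings.append("BAD_MAXAGE")
    # __Host- prefix: browsers reject the cookie unless Secure, Path=/ and no Domain.
    if attrs["__name__"].startswith("__Host-") and (
        "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"
    ):
        findings.append("HOST_PREFIX_VIOLATION")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> finding codes for a list of Set-Cookie values."""
    return {parse_set_cookie(h)["__name__"]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for cookie_name, codes in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: {', '.join(codes) or 'OK'}")
```

Feed it the Set-Cookie lines from the login, remember-me and password-reset responses separately; a clean session cookie next to a long-lived remember-me cookie with no Secure or HttpOnly is a common pattern and is exactly what the sample shows.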