
ILT-U-1082
Web Application Security Proficiency Test. Aligned with the App Defense Alliance Web Application Testing Guide (Version 2.0)
| Determination | Method |
|---|---|
| Authentication brute-force resistance | Authentication testing, rate-limit evaluation, repeated login attempts |
| Presence of default or weak credentials | Credential testing using common/default account combinations |
| Session cookie security attributes | Inspection of HTTP responses and session cookie parameters |
| Session token predictability | Collection and analysis of multiple session identifiers |
| Session invalidation effectiveness | Session lifecycle testing and cookie reuse after logout |
| Unauthorized document access (IDOR) | Resource identifier manipulation and authorization testing |
| Unauthorized document modification | Parameter tampering and authorization validation |
| Unauthorized document deletion | Authorization testing of state-changing operations |
| Access control attribute manipulation | Client-side parameter tampering and workflow testing |
| Access control failure conditions | Direct access testing without authentication or authorization |
| CSRF protection effectiveness | Cross-site request forgery testing of state-changing operations |
| Stored Cross-Site Scripting (XSS) | Input injection, payload persistence testing, and browser execution validation |
| SQL Injection | Input manipulation, query behavior analysis, and exploitation testing |
| OS Command Injection | Input tampering using command metacharacters and response analysis |
| File upload security controls | Malicious file upload testing and content execution validation |
| Exposure of debug functionality | Enumeration of diagnostic endpoints and information disclosure analysis |
| Exposure of configuration files | Direct access testing of configuration resources and sensitive files |
| Exposure of secrets or API keys | Information disclosure analysis of application responses and debug interfaces |
| Technology and version disclosure | HTTP header inspection and platform fingerprinting |
| Hidden or undocumented functionality | Endpoint enumeration, API discovery, and attack surface exploration |
| Business logic weaknesses | Workflow analysis, state transition testing, and process manipulation |
| False positive identification | Validation and verification of suspected vulnerabilities |
| Vulnerability impact assessment | Exploitation analysis, privilege evaluation, and consequence assessment |
| Root cause determination | Technical analysis of vulnerable functionality and implementation flaws |
| Remediation determination | Identification of appropriate corrective security controls |
| Reporting determination | Documentation of findings, evidence, impact, and recommendations |
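
As an added example (not part of the ILT-U-1082 description or the App Defense Alliance guide), the Python below shows how the "Session cookie security attributes" and "Session token predictability" rows are checked in practice: parsing `Set-Cookie` headers and flagging session cookies that lack `Secure`, `HttpOnly` or a `Lax`/`Strict` `SameSite`, and screening a sample of session identifiers for fixed length, duplicates, alphabet size, per-character entropy and sequential increments. All headers and tokens are constructed sample data, and the regex used to decide which cookie names look session-related is a heuristic assumption, not a rule from the guide.

```python
"""
Added example for the "Session cookie security attributes" and "Session token
predictability" determinations. Not part of the ILT-U-1082 test description or
the App Defense Alliance guide. All HTTP headers and tokens below are
constructed sample data, not captured from a real application.
"""
import math
import re
from collections import Counter

# Constructed Set-Cookie headers, as they might appear in login responses.
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=a3f9c2e1b7d4; Path=/; Secure; HttpOnly; SameSite=Lax",
    "auth=MTIzNDU2; Path=/",
    "PHPSESSID=k9q2m4; Path=/; HttpOnly",
]

# Constructed session identifiers: a sequential counter versus random-looking hex.
SAMPLE_TOKENS_WEAK = ["000001a4", "000001a5", "000001a6", "000001a7", "000001a8"]
SAMPLE_TOKENS_STRONG = [
    "f3a9c07be2d14589", "0b7e2c4d9a13f6e8", "9d1e4f7a2b8c3e05",
    "7c2f0e9b4d6a1835", "e5b8a2c13f7d0946",
]

# Heuristic (assumption): cookie names containing these substrings are session-related.
SESSION_NAME_PATTERN = re.compile(r"sess|auth|token|sid", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute_lower: value}).
    Attribute names are matched case-insensitively, as browsers do (RFC 6265)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_findings(header):
    """Return the list of missing hardening attributes for a session cookie.
    Non-session cookies (by the name heuristic) produce no findings."""
    name, _value, attrs = parse_set_cookie(header)
    if not SESSION_NAME_PATTERN.search(name):
        return []
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")
    return findings


def token_analysis(tokens, radix=16):
    """Screen a collected sample of session identifiers for obvious weakness.
    The entropy figure is a per-character Shannon estimate over the observed
    alphabet, times the shortest token length: an upper bound useful for
    triage, not a substitute for a large-sample randomness test."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    per_char_bits = -sum(c / total * math.log2(c / total) for c in counts.values())
    lengths = {len(t) for t in tokens}
    try:
        values = [int(t, radix) for t in tokens]
        diffs = [b - a for a, b in zip(values, values[1:])]
        # A single non-zero step between consecutive tokens means a counter.
        sequential = bool(diffs) and len(set(diffs)) == 1 and diffs[0] != 0
    except ValueError:
        sequential = False  # not parseable as a number in this radix
    return {
        "fixed_length": len(lengths) == 1,
        "duplicates": len(set(tokens)) != len(tokens),
        "alphabet_size": len(counts),
        "per_char_entropy_bits": round(per_char_bits, 2),
        "est_token_entropy_bits": round(per_char_bits * min(lengths), 1),
        "sequential": sequential,
    }


def audit_session_handling(headers, tokens):
    """Combine both checks into one report keyed by cookie name and token sample."""
    report = {"cookies": {}, "tokens": token_analysis(tokens)}
    for header in headers:
        name = parse_set_cookie(header)[0]
        findings = cookie_findings(header)
        if findings:
            report["cookies"][name] = findings
    return report


if __name__ == "__main__":
    print(audit_session_handling(SAMPLE_SET_COOKIE_HEADERS, SAMPLE_TOKENS_WEAK))
    print(token_analysis(SAMPLE_TOKENS_STRONG))
```

In a real engagement the token sample is collected by logging in repeatedly (or re-issuing the session endpoint) a few hundred times; the sequential check and the length/alphabet figures are what usually expose counter-based or timestamp-based identifiers, while the entropy estimate only indicates whether a deeper statistical test is worth running.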

