100 Application & API Security Test Cases

3 years ago

Don't let your Applications & APIs be a security risk. Protect them with these 100 Security Test Cases 🧵
1. Broken Object Level Authorization
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Security Misconfigurations
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Insufficient Logging & Monitoring
10. Using Components with Known Vulnerabilities
11. Using Components with Unsupported Versions
12. Insufficient Exception Handling
13. Insufficient Transport Layer Protection
14. Insufficient Authorization
15. Insecure Cryptographic Storage
16. Unvalidated Redirects & Forwards
17. Caching Problems
18. XML External Entity Injection (XXE)
19. Insecure Direct Object References
20. Unvalidated User Inputs
21. Security Misconfiguration of Server-Side APIs
22. Insufficient Verification of Data Authenticity
23. Lack of Access Control on Server-Side APIs
24. Hardcoded Credentials
25. Insecure Server-Side Request Forgery (SSRF)
26. Buffer Overflow
27. Session Fixation
28. XML Entity Expansion
29. Insecure Randomness
30. Unvalidated SSL Certificates
31. Insecure Communication Between Components
32. Insecure Network Services
33. Improper Error Handling
34. Information Leakage
35. Insufficient Validation of Inputs
36. CORS Misconfiguration
37. Denial of Service
38. SQL Injection
39. NoSQL Injection
40. Path Traversal
41. Race Conditions
42. Code Injection
43. Malicious File Execution
44. Directory Listing
45. Command Injection
46. File Inclusion
47. CRLF Injection
48. LDAP Injection
49. Header Injection
50. XPath Injection
51. Cross-Site Request Forgery (CSRF)
52. Clickjacking
53. SQL Injection Into Out-of-Band Channel
54. Use of Vulnerable Components
55. Improper Certificate Validation
56. Use of Unsafe Cryptographic Algorithms
57. Weak Password Requirements
58. Unprotected APIs
59. Insufficient Security Configuration
60. Insecure Network Protocols
61. Insufficient Authorization Schemes
62. Insecure Cryptographic Coding Practices
63. Insufficient Access Control
64. Unvalidated Inputs or Outputs
65. Insecure Authentication
66. Unprotected Sensitive Data
67. Insecure Session Management
68. Insecure Storage of Sensitive Information
69. Insecure Direct Object References
70. Insufficient Security Logging
71. Insufficient Session Expiration
72. Insufficient Password Strength
73. Insufficient Session Validation
74. Insufficient Authentication Challenges
75. Insufficient Authorization Enforcement
76. Insufficient Input Validation
77. Insufficient Output Encoding
78. Insufficient Cross-Domain Access Control
79. Insufficient Access Control to Sensitive Data
80. Insufficient Password Change Requirements
81. Insufficient Risk Scoring
82. Insufficient Authorization Verification
83. Insufficient Integrity Verification
84. Insufficient Encryption Algorithms
85. Insufficient Key Management
86. Insufficient Encryption Key Strength
87. Insufficient Encryption Key Length
88. Insufficient Encryption Key Generation
89. Unprotected File Uploads
90. Insecure Third-Party Component Usage
91. Insufficient Key Rotation Procedures
92. Insecure Client-Side Storage
93. Insufficient Key Derivation Function Selection
94. Insecure Key Storage
95. Insufficient Key Generation
96. Insufficient Key Distribution
97. Insufficient Key Exchange
98. Insufficient Key Verification
99. Unprotected API Endpoints
100. Insecure Transport Layer Protection
These test cases were generated using @ChatSonicAI and results were better than expected.
You can read the unrolled version of this thread here: typefully.com/harshbothra_/SAZHpqz
Harsh Bothra

@harshbothra_

Freelance Pentester & Consultant • Cobalt Core Lead & Pentester • Author • Speaker • Blogger • SecurityExplained • Project Bheem • Learn365 • Views are personal