Web Application Test Cases

The document outlines a comprehensive list of test cases for web application security, categorized into various areas such as information gathering, session management, authorization, and data validation. It includes specific tests for vulnerabilities like injection attacks, session fixation, and sensitive data exposure, as well as checks for configuration management and error handling. Additionally, it references the OWASP Low-Code/No-Code Top 10 security concerns.

Uploaded by naveenneduru0417

Test cases, numbered by Sr.No and grouped by category:

Information Gathering
1. Conduct Search Engine Discovery and Reconnaissance for Information Leakage
2. Map Application Architecture
3. Manually explore the site
4. Spider/crawl for missed or hidden content
5. Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
6. Check the caches of major search engines for publicly accessible sites
7. Check for differences in content based on User Agent (e.g. mobile sites, access as a search engine crawler)
8. Perform Web Application Fingerprinting
9. Identify technologies used
10. Identify user roles
11. Identify application entry points
12. Identify client-side code
13. Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
14. Identify co-hosted and related applications
15. Identify all hostnames and ports
16. Identify third-party hosted content
17. Review Webserver Metafiles for Information Leakage
18. Enumerate Applications on Webserver
19. Review Webpage Comments and Metadata for Information Leakage
20. Identify application entry points
21. Map execution paths through application
22. Identify web application framework and technologies used

Configuration Management
23. Check for commonly used application and administrative URLs
24. Check for old, backup and unreferenced files
25. Check HTTP methods supported and Cross Site Tracing (XST)
26. Test file extensions handling
27. Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
28. Test for policies (e.g. Flash, Silverlight, robots)
29. Test for non-production data in live environment, and vice versa
30. Check for sensitive data in client-side code (e.g. API keys, credentials)
31. Test Network/Infrastructure Configuration
32. Test Application Platform Configuration
33. Test File Extensions Handling for Sensitive Information
34. Backup and Unreferenced Files for Sensitive Information
35. Enumerate Infrastructure and Application Admin Interfaces
36. Test HTTP Methods
37. Test HTTP Strict Transport Security
38. Test RIA cross domain policy
39. Testing for Credentials Transported over an Encrypted Channel
40. Check SSL Version, Algorithms, Key length
41. Check for Digital Certificate Validity (Duration, Signature and CN)
42. Check credentials only delivered over HTTPS
43. Check that the login form is delivered over HTTPS
44. Check session tokens only delivered over HTTPS
45. Check if HTTP Strict Transport Security (HSTS) is in use
46. Test for user enumeration
47. Test for authentication bypass
48. Test for brute-force protection
49. Test password quality rules
50. Test remember-me functionality
51. Test for autocomplete on password forms/input
52. Test password reset and/or recovery
53. Test password change process
54. Test CAPTCHA
55. Test multi-factor authentication
56. Test for logout functionality presence
57. Test for cache management on HTTP (e.g. Pragma, Expires, Max-age)
58. Test for default logins
59. Test for user-accessible authentication history
60. Test for out-of-channel notification of account lockouts and successful password changes
61. Test for consistent authentication across applications with shared authentication schema / SSO
62. Testing for Weak lockout mechanism
63. Testing for Browser cache weakness
64. Testing for Weak security question/answer
65. Testing for Browser cache weakness

Session Management
66. Establish how session management is handled in the application (e.g. tokens in cookies, token in URL)
67. Check session tokens for cookie flags (HttpOnly and Secure)
68. Check session cookie scope (path and domain)
69. Check session cookie duration (expires and max-age)
70. Check session termination after a maximum lifetime
71. Check session termination after relative timeout
72. Check session termination after logout
73. Check for session expiration after password reset
74. Test to see if users can have multiple simultaneous sessions
75. Test session cookies for randomness
76. Session not expired on 2FA enabled
77. Session not expired on email change
78. Confirm that new session tokens are issued on login, role change and logout
79. Test for consistent session management across applications with shared session management
80. Test for session puzzling
81. Test for CSRF and clickjacking

Authorization
82. Test for path traversal
83. Test for bypassing authorization schema
84. Test for vertical access control problems (a.k.a. privilege escalation)
85. Test for horizontal access control problems (between two users at the same privilege level)
86. Test for missing authorization
87. Test for insecure direct object references
88. Testing for Exposed Session Variables
89. Test for missing authorization
90. Testing for Session Fixation

Data Validation
91. Test for Reflected Cross Site Scripting
92. Test for Stored Cross Site Scripting
93. Test for DOM based Cross Site Scripting
94. Test for Cross Site Flashing
95. Test for HTML Injection
96. Test for SQL Injection
97. Test for LDAP Injection
98. Test for XML Injection
99. Test for XXE Injection
100. Test for Server-Side Template Injection (SSTI)
101. Test for XPath Injection
102. Test for IMAP/SMTP Injection
103. Test for Code Injection
104. Test for Expression Language Injection
105. Test for Command Injection
106. Test for Overflow (Stack, Heap and Integer)
107. Test for Format String
108. Test for incubated vulnerabilities
109. Test for HTTP Splitting/Smuggling
110. Test for HTTP Verb Tampering
111. Test for Open Redirection
112. Test for Local File Inclusion
113. Test for Remote File Inclusion
114. Compare client-side and server-side validation rules
115. Test for NoSQL injection
116. Test for HTTP parameter pollution
117. Test for auto-binding
118. Test for Mass Assignment
119. Test for NULL/Invalid Session Cookie
120. Testing for Session Fixation
121. Testing for CSV Injection
122. Testing for HTTP Splitting/Smuggling
123. Testing PostgreSQL

Business Logic
124. Test for feature misuse
125. Test for lack of non-repudiation
126. Test for trust relationships
127. Test for integrity of data
128. Test Ability to Forge Requests
129. Test Defences Against Application Misuse

Cryptography
130. Check if data which should be encrypted is not
131. Check for wrong algorithm usage depending on context
132. Check for weak algorithm usage
133. Check for proper use of salting
134. Check for randomness functions
135. Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection

Risky Functionality - File Uploads
136. Test that acceptable file types are whitelisted
137. Test that file size limits, upload frequency and total file counts are defined and are enforced
138. Test that file contents match the defined file type
139. Test that all file uploads have anti-virus scanning in place
140. Test that unsafe filenames are sanitised
141. Test that uploaded files are not directly accessible within the web root
142. Test that uploaded files are not served on the same hostname/port
143. Test that files and other media are integrated with the authentication and authorisation schemas

Risky Functionality - Card Payment
144. Test for known vulnerabilities and configuration issues on Web Server and Web Application
145. Test for default or guessable password
146. Test for non-production data in live environment, and vice versa
147. Test for Injection vulnerabilities
148. Test for Buffer Overflows
149. Test for Insecure Cryptographic Storage
150. Test for Insufficient Transport Layer Protection
151. Test for Improper Error Handling
152. Test for all vulnerabilities with a CVSS v2 score > 4.0
153. Test for Authentication and Authorization issues
154. Test for CSRF

Using Component With Known Vulnerability
155. Testing for Outdated Software Version for Known Exploit
156. Testing for Vulnerable Host for Known Exploit
157. Testing for Vulnerable Library for Known Exploit

Sensitive Data Exposure
158. Disclosure of Secret
159. Exif Geo Location Data Not Stripped from Image
160. Token Leakage via Referer
161. Check GitHub, Shodan for Data Leakage
162. Sensitive data in URL
163. Internal IP disclosure
164. Token Leakage via Password Reset Poisoning
165. Directory Listing
166. Testing for PII Leakage

Server Side Injection
167. Parameter Pollution
168. Remote code execution
169. XML External Entity
170. Content spoofing
171. Iframe Injection
172. Email HTML Injection
173. Text Injection
174. Email Hyperlink Injection
175. Server Side Template Injection
176. Test that acceptable file types are whitelisted and non-whitelisted types are rejected

Client Side Testing
177. Testing for DOM based Cross Site Scripting
178. Testing for JavaScript Execution
179. Testing for HTML Injection
180. Testing for Client Side URL Redirect
181. Testing for CSS Injection
182. Testing for Client Side Resource Manipulation
183. Test Cross Origin Resource Sharing
184. Testing for Cross Site Flashing
185. Testing for Clickjacking
186. Testing WebSockets
187. Test Web Messaging
188. Test Local Storage

Error Handling
189. Analysis of Error Codes
190. Analysis of Stack Traces
191. Check for sensitive data via error message

Uncategorised (no category given in the sheet)
192. Test User Registration Process
193. Testing for Account Enumeration and Guessable User Account
194. Testing for Weak or unenforced username policy
195. Test Permissions of Guest/Training Accounts
196. Test Account Suspension/Resumption Process

OWASP Low-Code/No-Code Top 10
197. LCNC-SEC-01: Account Impersonation
198. LCNC-SEC-02: Authorization Misuse
199. LCNC-SEC-03: Data Leakage and Unexpected Consequences
200. LCNC-SEC-04: Authentication and Secure Communication Failures
201. LCNC-SEC-05: Security Misconfiguration
202. LCNC-SEC-06: Injection Handling Failures
203. LCNC-SEC-07: Vulnerable and Untrusted Components
204. LCNC-SEC-08: Data and Secret Handling Failures
205. LCNC-SEC-09: Asset Management Failures
206. LCNC-SEC-10: Security Logging and Monitoring Failures
