# Review System Security Checklist

## Vulnerability List
- File inclusion (local or remote): user input must never select which file gets included
- Path traversal: normalize every user-supplied path and confine it to an allowed base directory; reject `..` segments and absolute paths
- Object IDs must not be guessable or sequential, and every lookup by ID must be authorized against the caller (IDOR / broken object-level authorization)
- Null or missing values in auth forms (a POST with empty fields) must fail closed, not skip validation
- JWT: validate the signature before trusting any claim in the token
- Validate the login path against SQL injection: parameterized queries only, never string-built SQL
- LDAP injection and NULL values: escape filter metacharacters, and never pass an empty password to a simple bind (many directories treat it as an anonymous bind and report success)
- Open URL redirects and SSRF: allowlist redirect targets and outbound request destinations
- Unrestricted file uploads: validate type and size, store outside the web root under a server-chosen name
- Sign JWTs with a strong key that stays server-side (a long random secret for HS256, or a private key that never leaves the issuer for RS256/ES256)
- JWT must not accept `alg: none`; pin the verifier to the single algorithm the service issues instead of honoring whatever the header claims
- JWT with an empty signature must be rejected, never treated as "unsigned but valid"
- Rotate TLS keys and certificates, and use cipher suites with forward secrecy (ECDHE) so a leaked key does not decrypt recorded traffic
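The three JWT items above (signature check, no `alg: none`, no empty signature) are easiest to review against a concrete verifier. The following is an added example written for this checklist, not code from the original page or from any library; it implements HS256 with the standard library so every check is visible. The key, claims and `make_token` helper are constructed for the demonstration (the helper can also mint `alg: none` tokens, purely so the verifier can be tested against them).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real service loads a long random secret from a secret store.
SECRET = b"constructed-demo-key-do-not-use-in-production"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a token. alg="none" exists only to build attacker-style tokens for testing."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url_encode(sig)}"
    return f"{header}.{payload}."  # "none": empty signature, as an attacker would send


def strip_signature(token: str) -> str:
    """Keep a genuine HS256 header but drop the signature (the 'empty signature' case)."""
    return token.rsplit(".", 1)[0] + "."


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Strict verifier: three parts, algorithm pinned to HS256, non-empty signature,
    constant-time comparison, and a required, unexpired exp claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the header is attacker-controlled until the signature is checked.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    if not sig_b64:
        raise ValueError("empty signature")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only now is the payload trustworthy enough to read.
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def check(token: str, key: bytes, now=None) -> str:
    """Review helper: returns 'accepted' or 'rejected: <reason>' for a candidate token."""
    try:
        verify_token(token, key, now)
        return "accepted"
    except ValueError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    now = time.time()
    good = make_token({"sub": "alice", "exp": now + 3600}, SECRET)
    print("valid token:      ", check(good, SECRET))
    print("alg none:         ", check(make_token({"sub": "admin", "exp": now + 3600}, SECRET, "none"), SECRET))
    print("empty signature:  ", check(strip_signature(good), SECRET))
    print("wrong key:        ", check(good, b"other-key"))
```

When reviewing a real library-based verifier, look for the same shape: the accepted algorithm list is hard-coded by the verifier (not read from the token), an empty or missing signature is an error rather than a skipped check, and `exp` is mandatory.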
## Passwords
- Password reset links must expire after a short TTL and be single-use
- Lock the account (or rate-limit the login) after N failed attempts
- Passwords stored as salted, slow hashes (bcrypt, scrypt or Argon2), not reversibly encrypted and never in plaintext
- Logout button present, sessions invalidated server-side on logout, and an inactivity timeout that logs the user off
- Password change should require the current password; a reset for a forgotten password relies on the time-limited token instead
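The password items above describe one account-handling flow: slow salted hashing, lockout after N failures, a time-limited single-use reset token, and a change that requires the current password. The following is an added example written for this checklist, not code from the original page; it uses only the standard library (`hashlib.scrypt` for the hash). The policy constants, the in-memory `Account` class and the sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Policy knobs, constructed for this example; tune to the system's threat model.
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
RESET_TOKEN_TTL = 15 * 60
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes = None):
    """Salted, memory-hard hash. Storage holds (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """In-memory stand-in for a user row (constructed for the example)."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failed_attempts = 0
        self.locked_until = 0.0
        self.reset = None  # {"token_hash", "expires_at"} while a reset is pending


def login(acct: Account, password: str, now: float) -> str:
    """Returns 'ok', 'locked' or 'bad_credentials'; locks after MAX_ATTEMPTS failures."""
    if now < acct.locked_until:
        return "locked"  # do not even check the password while locked
    if verify_password(password, acct.salt, acct.digest):
        acct.failed_attempts = 0
        acct.locked_until = 0.0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
    return "bad_credentials"


def change_password(acct: Account, current_password: str, new_password: str, now: float) -> bool:
    """Authenticated change: the caller must prove the current password first."""
    if login(acct, current_password, now) != "ok":
        return False
    acct.salt, acct.digest = hash_password(new_password)
    return True


def request_reset(acct: Account, now: float) -> str:
    """Forgotten-password flow: random, time-limited, single-use token; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    acct.reset = {
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires_at": now + RESET_TOKEN_TTL,
    }
    return token  # delivered out of band (e-mail); never written to logs


def redeem_reset(acct: Account, token: str, new_password: str, now: float) -> bool:
    pending = acct.reset
    if pending is None or now > pending["expires_at"]:
        acct.reset = None  # expired tokens are discarded, not left to be retried
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["token_hash"]):
        return False
    acct.reset = None  # single use
    acct.salt, acct.digest = hash_password(new_password)
    acct.failed_attempts = 0
    acct.locked_until = 0.0
    return True
```

Points a reviewer checks against this shape: the stored value is a salted slow hash, the lockout is enforced before the password is compared, the reset token is random and compared by hash in constant time, it dies on first use or on expiry, and only the change path asks for the current password.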