
Review System Security Checklist

Vulnerability List

  • File includes (local/remote file inclusion)
  • File traversal (path traversal)
  • IDs can't be guessed
  • Null values in auth forms (POST with no values)
  • JWT token validation: signature check
  • Validate login against SQL injection
  • LDAP injection attacks and NULL values
  • URL redirects and SSRF
  • Unrestricted file uploads
  • JWT signing keys
  • JWT should not allow the None algorithm; in fact, support just a single algorithm
  • JWT should not allow validation of tokens with empty signatures
  • Using an ID that is very predictable (or incremental)
  • Rotate TLS keys or use forward secrecy
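The JWT items above (signature check, single pinned algorithm, no None algorithm, no empty signatures) in one place, as an added example that is not part of the original checklist: a minimal HS256 verifier using only the standard library. The secret, the token builder and the claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key-not-for-production"  # constructed; load from a secret store in practice
ALLOWED_ALG = "HS256"  # exactly one supported algorithm, pinned server-side


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(payload: dict, key: bytes = SECRET) -> str:
    # Demo issuer: always emits the single supported algorithm.
    header = b64url_encode(json.dumps({"alg": ALLOWED_ALG, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes = SECRET):
    """Return the payload dict if the token passes every checklist rule, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    if not sig_b64:  # checklist: never accept an empty signature
        return None
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64 (binascii.Error), bad UTF-8 or bad JSON
        return None
    # checklist: 'alg' in the header is attacker-controlled; pin to the one
    # algorithm we support instead of trusting it. This rejects "none" (and
    # case variants) as well as algorithm-confusion attempts.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        return None
    # Only now is the body authenticated; it is exactly what the issuer signed.
    return json.loads(b64url_decode(body_b64))
```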

Passwords

  • Password reset link not timing out
  • Password lockout after N attempts
  • Password storage: hashed with a salt, not plaintext or reversible encryption
  • Logout button, inactivity logoff
  • Password reset should ask for the old password

Resources