Step 1: Information Gathering

Ask the appropriate questions up front so that the test of the application at hand can be planned and scoped properly.

Identify the high-risk areas of the application.

This includes areas where users are able to add, modify, and/or delete content. These locations require verification of input validation and sanitization on the way in, and of context-appropriate output encoding on the way out.

For example: Applications that allow users to enter large amounts of data, such as blog posts, especially through rich-text (HTML) editors, are at high risk of injection attacks such as stored cross-site scripting if proper prevention mechanisms aren't enforced.
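The check a tester would run against such an editor, as an added example that is not part of the original page: an allow-list sanitizer for rich-text submissions, fed a handful of constructed payloads and compared against the output that a correct implementation should produce. The tag and attribute allow-list, the payloads, and the function names are assumptions made for this illustration, not the page's own code.

```python
# Added example (not from the original page): an allow-list sanitizer for
# rich-text submissions such as blog posts written in an HTML editor, plus a
# check that runs it over a few constructed payloads. The tag/attribute
# allow-list, the payloads and the function names are assumptions.
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}   # every other attribute (onclick, style, ...) is dropped
SAFE_SCHEMES = {"http", "https"}  # assumption: only absolute http(s) links are kept
VOID_TAGS = {"br"}


class AllowListSanitizer(HTMLParser):
    """Rebuild the fragment from an allow-list; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # tags we emitted and still need to close

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <script>, <img>, <iframe>, ... are dropped; their text is kept, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name == "href" and urlparse(value).scheme.lower() not in SAFE_SCHEMES:
                continue  # javascript:, data:, vbscript: and relative links are dropped
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return  # end tag of a dropped or never-opened element
        while self.stack:  # close nested tags too, so the output stays well-formed
            closed = self.stack.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        # Output encoding for the HTML body context: &, < and > can never form markup
        self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")


def sanitize(fragment: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed payloads a tester would submit through the editor, mapped to the
# neutralised output a correct sanitizer should produce.
PAYLOADS = {
    '<p onclick="steal()">hi <b>there</b></p>': "<p>hi <b>there</b></p>",
    "<script>alert(1)</script>": "alert(1)",
    "<img src=x onerror=alert(1)>": "",
    '<a href="javascript:alert(1)">link</a>': "<a>link</a>",
    '<a href="https://example.com/post">link</a>': '<a href="https://example.com/post">link</a>',
    "<p>unclosed <i>italic</p>": "<p>unclosed <i>italic</i></p>",
    "tom & jerry": "tom &amp; jerry",
}


def check(payloads=PAYLOADS):
    """Return the inputs whose sanitized form differs from the expected output."""
    return [p for p, expected in payloads.items() if sanitize(p) != expected]


if __name__ == "__main__":
    print("failing payloads:", check())
```

The point of the allow-list approach is that anything the parser does not recognise is demoted to escaped text rather than passed through; a deny-list that strips `<script>` but forgets `onerror` or `javascript:` is exactly what the constructed payloads are there to catch.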

Map the business logic and data flow.

This includes areas that require manual testing specifically focused on bypass, privilege escalation, and sensitive data disclosure techniques. Business logic flow can be defined as the data flow specific, and unique, to the application. Automated scanners have no model of what the application is supposed to do, so this type of functionality is routinely missed by automated analysis.

For example: Functionality may include an approval workflow or privileged account access. A tester must verify:

The integrity of the workflow (state is tracked server-side, not supplied by the client)

Users can't bypass or skip steps (for example, by calling the endpoint for a later step directly)

Users can't perform privileged activities without authorization (including acting on another user's records)
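Server-side enforcement of an approval workflow, as an added example that is not part of the original page: the client-trusting pattern a tester looks for sits beside the hardened form, and a short walk-through sends the probes for step skipping and for unauthorised privileged actions. The states, roles, separation-of-duties rule, and function names are assumptions made for this illustration.

```python
# Added example (not from the original page): server-side enforcement of an
# approval workflow, showing the two checks listed above: a client cannot skip
# steps, and a client cannot perform a privileged step without the role for it.
# The states, roles, separation-of-duties rule and function names are assumptions.
from dataclasses import dataclass, field


class WorkflowError(Exception):
    """Raised when a transition is rejected; a web layer would map this to 403/409."""


# Allowed transitions: state -> {action: (next_state, role required to perform it)}
TRANSITIONS = {
    "draft":     {"submit":  ("submitted", "author")},
    "submitted": {"review":  ("reviewed",  "reviewer"),
                  "reject":  ("draft",     "reviewer")},
    "reviewed":  {"approve": ("approved",  "approver"),
                  "reject":  ("draft",     "approver")},
    "approved":  {"publish": ("published", "publisher")},
    "published": {},
}


@dataclass
class User:
    name: str
    roles: frozenset


@dataclass
class Request:
    owner: str
    state: str = "draft"
    history: list = field(default_factory=list)  # (from_state, action, actor)


def vulnerable_set_state(req: Request, user: User, new_state: str) -> str:
    """The pattern a tester looks for: the client posts the target state and the
    server stores it, so any user can jump straight to 'published'."""
    req.state = new_state
    return req.state


def apply_action(req: Request, user: User, action: str) -> str:
    """Hardened form: the server derives the next state from its own record."""
    allowed = TRANSITIONS[req.state]
    if action not in allowed:
        # Step skipping: e.g. 'publish' while the request is still 'submitted'
        raise WorkflowError(f"{action!r} is not valid in state {req.state!r}")
    next_state, role = allowed[action]
    if role not in user.roles:
        # Vertical privilege escalation: the actor lacks the role this step needs
        raise WorkflowError(f"{user.name!r} lacks role {role!r} for {action!r}")
    if action == "approve" and user.name == req.owner:
        # Separation of duties (assumed policy): nobody approves their own request
        raise WorkflowError("owner may not approve their own request")
    req.history.append((req.state, action, user.name))
    req.state = next_state
    return req.state


def attempt(req: Request, user: User, action: str):
    """Return (accepted, state) so each probe can be recorded rather than raised."""
    try:
        return True, apply_action(req, user, action)
    except WorkflowError:
        return False, req.state


def demo():
    """Walk one request through the workflow, interleaving the probes a tester
    would send; returns the final state and whether each probe was accepted."""
    alice = User("alice", frozenset({"author", "approver"}))
    bob = User("bob", frozenset({"reviewer"}))
    carol = User("carol", frozenset({"approver"}))
    pat = User("pat", frozenset({"publisher"}))
    req = Request(owner="alice")
    probes = {
        "skip_to_publish":     attempt(req, pat, "publish")[0],    # draft -> publish?
        "author_submits":      attempt(req, alice, "submit")[0],
        "author_reviews":      attempt(req, alice, "review")[0],   # no reviewer role
        "reviewer_reviews":    attempt(req, bob, "review")[0],
        "owner_approves_own":  attempt(req, alice, "approve")[0],  # has the role, but is the owner
        "approver_approves":   attempt(req, carol, "approve")[0],
        "reviewer_publishes":  attempt(req, bob, "publish")[0],    # wrong role
        "publisher_publishes": attempt(req, pat, "publish")[0],
    }
    return req.state, probes


if __name__ == "__main__":
    print(demo())
```

Every probe that demo() marks as rejected is a request the tester should send against the real application; if any of them is accepted there, the workflow is either trusting a client-supplied state (the vulnerable_set_state pattern) or checking the role but not the current step.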

Request an understanding of the permissions/role structure, and gather two sets of credentials for each role.

Two accounts per role are needed in case of lockouts and so that multiple team members can test concurrently; they also allow testing horizontal access control, that is, whether one user of a role can reach another user's data.