Security Testing Checklist

Security Testing Checklist - Appian Platform

My personal pentesting checklist for Appian. Use it when you run into an Appian deployment on an engagement.

Pre-Assessment Phase

1. Information Gathering

  • Target Identification

    • Find Appian deployment URL(s)
    • Figure out if it's cloud/on-prem/hybrid
    • Map subdomains and related services
    • Get version and build info
  • Network Discovery

    • Port scan for default ports (8080, 8443, 5400, 5432, 389, 636)
    • Service enumeration and version detection
    • SSL/TLS config analysis
    • Network segmentation assessment
  • Technology Stack Analysis

    • Identify underlying tech (Java, Tomcat, databases)
    • Check for third-party components (Log4j2, Spring)
    • Analyze HTTP headers and error messages
    • Review JavaScript and client-side code

2. Vulnerability Research

  • CVE Analysis

    • Check CVE-2025-50434 (Access control vulnerability)
    • Check CVE-2007-6509 (DoS vulnerability)
    • Verify Log4j2 version and config
    • Check Spring Framework version for Spring4Shell
  • Security Advisories

    • Review Appian security bulletins
    • Check for recent security updates
    • Analyze patch levels and missing updates

Authentication & Authorization Testing

1. Authentication Mechanisms

  • Login Functionality

    • Test SQL injection in login forms
    • Check for auth bypass vulnerabilities
    • Test brute force protection
    • Verify password complexity requirements
  • Default Credentials

    • Test common defaults (admin/admin, etc.)
    • Check for hardcoded credentials
    • Verify default account status
  • Multi-Factor Authentication

    • Test MFA bypass techniques
    • Check for MFA enforcement
    • Verify MFA implementation security

2. Session Management

  • Session Security

    • Test for session fixation vulnerabilities
    • Check session timeout configuration
    • Verify session invalidation on logout
    • Test for concurrent session handling
  • Session Tokens

    • Analyze session token generation
    • Check for predictable session IDs
    • Test for session token manipulation
    • Verify secure token storage

3. Access Control Testing

  • Role-Based Access Control (RBAC)

    • Test for privilege escalation
    • Check for horizontal privilege escalation
    • Verify role assignment controls
    • Test for role manipulation
  • CVE-2025-50434 Testing

    • Test for unauthorized information access
    • Check access control bypass techniques
    • Verify proper authorization checks
    • Test for direct object reference vulnerabilities

Input Validation & Injection Testing

1. SQL Injection

  • Database Injection
    • Test for error-based SQL injection
    • Check for union-based SQL injection
    • Test for blind SQL injection
    • Verify parameterized query usage
  • NoSQL Injection
    • Test for MongoDB injection
    • Check for CouchDB injection
    • Test for other NoSQL databases

2. Cross-Site Scripting (XSS)

  • Reflected XSS

    • Test all input parameters
    • Check for XSS in error messages
    • Test for XSS in search functionality
    • Verify output encoding
  • Stored XSS

    • Test file upload functionality
    • Check user profile fields
    • Test comment/feedback systems
    • Verify data persistence
  • DOM-based XSS

    • Analyze client-side JavaScript
    • Test URL fragment manipulation
    • Check for unsafe DOM operations

3. Command Injection

  • System Command Injection
    • Test file upload functionality
    • Check system integration points
    • Test for command execution
    • Verify input sanitization

4. Other Injection Types

  • LDAP Injection

    • Test LDAP query parameters
    • Check for LDAP filter injection
    • Verify LDAP query construction
  • XML Injection

    • Test XML processing functionality
    • Check for XXE vulnerabilities
    • Test for XML bomb attacks

File Upload & Download Testing

1. File Upload Security

  • Malicious File Upload

    • Test for webshell uploads
    • Check file type validation
    • Test for double extension attacks
    • Verify file content scanning
  • Path Traversal

    • Test for directory traversal
    • Check for file inclusion vulnerabilities
    • Test for path manipulation
    • Verify file system access controls

2. File Download Security

  • Unauthorized File Access
    • Test for direct file access
    • Check for file enumeration
    • Test for sensitive file exposure
    • Verify download authorization

API Security Testing

1. REST API Testing

  • Authentication & Authorization

    • Test API authentication mechanisms
    • Check for API key security
    • Test for token-based authentication
    • Verify API access controls
  • Input Validation

    • Test for API parameter injection
    • Check for mass assignment vulnerabilities
    • Test for API rate limiting
    • Verify input sanitization
  • Insecure Direct Object References

    • Test for IDOR vulnerabilities
    • Check for resource enumeration
    • Test for unauthorized data access
    • Verify proper authorization checks

2. GraphQL Testing

  • GraphQL Security
    • Test for introspection queries
    • Check for query depth attacks
    • Test for query complexity attacks
    • Verify GraphQL authorization

Third-Party Component Testing

1. Log4j2 Vulnerability (CVE-2021-44228)

  • Version Detection

    • Check Log4j2 version in use
    • Verify if version is vulnerable
    • Check for Log4j2 configuration
  • Exploitation Testing

    • Test for JNDI injection
    • Check for LDAP payload execution
    • Test for RMI payload execution
    • Verify DNS payload execution
  • Mitigation Verification
    • Check for Log4j2 2.17.1+ version
    • Verify system property settings
    • Check for network restrictions
    • Test for WAF protection

2. Spring4Shell Vulnerability (CVE-2022-22965)

  • Version Detection

    • Check Spring Framework version
    • Verify if version is vulnerable
    • Check for Spring configuration
  • Exploitation Testing

    • Test for data binding exploitation
    • Check for class loader manipulation
    • Test for remote code execution
    • Verify payload execution
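As an added example that is not part of this checklist, a small jar-inventory check covering the "Version Detection" items under both Log4j2 and Spring4Shell above: it parses jar file names and compares each against the first fixed release of its branch (2.17.1, or 2.12.4 / 2.3.2 on the Java 7 / Java 6 lines, for log4j-core; 5.3.18, or 5.2.20 on the 5.2 line, for spring-beans). The jar list and its paths are constructed, not taken from a real deployment.

```python
# Added example (not from the checklist): flag jars below the first fixed
# release for Log4j2 and Spring4Shell. Sample inventory is constructed.
import re

# First fixed release per branch. Log4j2: 2.17.1 (2.12.4 on the Java 7 line,
# 2.3.2 on Java 6); Spring Framework: 5.3.18, and 5.2.20 on the 5.2 line.
# Versions on any other branch are compared against "default".
FIXED = {
    "log4j-core": {"default": (2, 17, 1),
                   "branches": {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}},
    "spring-beans": {"default": (5, 3, 18),
                     "branches": {(5, 2): (5, 2, 20)}},
}
JAR_RE = re.compile(r"^(?P<artifact>[a-z0-9-]+?)-(?P<ver>\d+(?:\.\d+)+)\.jar$")

SAMPLE_JARS = [  # constructed sample inventory, not from a real deployment
    "lib/log4j-core-2.14.1.jar",
    "lib/log4j-api-2.14.1.jar",    # not the tracked artifact; skipped
    "lib/log4j-core-2.12.4.jar",
    "lib/spring-beans-5.3.17.jar",
    "lib/spring-core-5.3.18.jar",  # not tracked here; skipped
]


def parse_jar(path):
    """'dir/log4j-core-2.14.1.jar' -> ('log4j-core', (2, 14, 1)), else None."""
    m = JAR_RE.match(path.rsplit("/", 1)[-1])
    if not m:
        return None
    return m.group("artifact"), tuple(int(p) for p in m.group("ver").split("."))


def fixed_version_for(artifact, version):
    """Branch-specific fixed release if one is listed, else the default."""
    rule = FIXED[artifact]
    return rule["branches"].get(tuple(version[:2]), rule["default"])


def assess(jar_paths):
    """Return (jar, 'vulnerable' | 'patched', first_fixed) for tracked jars."""
    findings = []
    for path in jar_paths:
        parsed = parse_jar(path)
        if parsed is None or parsed[0] not in FIXED:
            continue
        artifact, version = parsed
        fixed = fixed_version_for(artifact, version)
        status = "patched" if version >= fixed else "vulnerable"
        findings.append((path, status, ".".join(map(str, fixed))))
    return findings
```

A version check is only a first pass: a jar may be shaded or repackaged under another name, so pair this with a manifest or class-level scan before signing off a component as patched.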

3. Other Third-Party Components

  • Component Inventory
    • Identify all third-party libraries
    • Check for known vulnerabilities
    • Verify component versions
    • Test for component-specific attacks

Denial of Service Testing

1. CVE-2007-6509 Testing

  • Port 5400 Testing
    • Test for crafted packet attacks
    • Check for DoS vulnerability
    • Verify service availability
    • Test for service recovery

2. Application-Level DoS

  • Resource Exhaustion

    • Test for memory exhaustion
    • Check for CPU exhaustion
    • Test for disk space exhaustion
    • Verify resource limits
  • Request Flooding

    • Test for HTTP flood attacks
    • Check for slowloris attacks
    • Test for large payload attacks
    • Verify rate limiting

Configuration & Infrastructure Testing

1. Security Misconfigurations

  • Default Configurations

    • Check for default credentials
    • Verify default service settings
    • Test for debug mode enabled
    • Check for verbose error messages
  • Directory Permissions

    • Check for world-readable files
    • Verify directory permissions
    • Test for sensitive file access
    • Check for backup file exposure

2. SSL/TLS Configuration

  • Certificate Analysis
    • Check certificate validity
    • Verify certificate chain
    • Test for weak ciphers
    • Check for SSL/TLS version support

3. Network Security

  • Firewall Configuration
    • Check for unnecessary open ports
    • Verify network segmentation
    • Test for internal network access
    • Check for DMZ configuration

Business Logic Testing

1. Workflow Security

  • Process Flow Testing
    • Test for workflow bypass
    • Check for step skipping
    • Test for approval bypass
    • Verify process integrity

2. Data Validation

  • Business Rule Testing
    • Test for data validation bypass
    • Check for business logic flaws
    • Test for data manipulation
    • Verify business rule enforcement

Post-Exploitation Testing

1. Privilege Escalation

  • System Privileges
    • Test for local privilege escalation
    • Check for sudo privileges
    • Test for SUID binaries
    • Verify user permissions

2. Data Access

  • Sensitive Data
    • Test for database access
    • Check for file system access
    • Test for configuration access
    • Verify data encryption

3. Persistence

  • Backdoor Installation
    • Test for user account creation
    • Check for service installation
    • Test for scheduled task creation
    • Verify persistence mechanisms

Reporting & Documentation

1. Vulnerability Documentation

  • Finding Documentation
    • Document all vulnerabilities found
    • Assign CVSS scores
    • Provide proof of concept
    • Include remediation steps

2. Risk Assessment

  • Risk Analysis
    • Assess business impact
    • Evaluate exploitability
    • Determine remediation priority
    • Provide risk mitigation strategies

3. Remediation Recommendations

  • Security Improvements
    • Provide specific remediation steps
    • Suggest security controls
    • Recommend monitoring solutions
    • Include best practices

Tools & Resources

1. Automated Testing Tools

  • Vulnerability Scanners
    • Nessus/OpenVAS
    • Burp Suite Professional
    • OWASP ZAP
    • Nikto

2. Manual Testing Tools

  • Network Tools

    • Nmap
    • Netcat
    • Wireshark
    • tcpdump
  • Web Application Tools

    • Burp Suite
    • OWASP ZAP
    • SQLMap
    • XSSer

3. Custom Scripts

  • Exploitation Scripts
    • Log4j2 exploitation
    • Spring4Shell exploitation
    • Access control testing
    • DoS testing

Compliance & Standards

1. Security Standards

  • OWASP Top 10
    • Test for all OWASP Top 10 vulnerabilities
    • Verify compliance with OWASP guidelines
    • Check for OWASP best practices

2. Industry Standards

  • PCI DSS (if applicable)
  • HIPAA (if applicable)
  • SOX (if applicable)
  • ISO 27001 (if applicable)

Continuous Monitoring

1. Security Monitoring

  • Log Analysis
    • Set up security event monitoring
    • Configure alerting for suspicious activities
    • Implement log correlation
    • Verify log integrity

2. Vulnerability Management

  • Regular Assessments
    • Schedule regular penetration tests
    • Implement vulnerability scanning
    • Monitor for new CVEs
    • Maintain patch management process

Disclaimer: This checklist is for authorized security testing only. Always ensure you have proper authorization before testing any systems.