Web Application Checklist

The document provides a checklist for web application pentesting with over 500 test cases organized into various sections like information gathering, identification of entry points, authentication testing, and identity management testing. It includes steps to test configurations, file permissions, authentication mechanisms, user registration processes, and more to identify vulnerabilities.

WEB APPLICATION PENTESTING CHECKLIST

OWASP Based Checklist 🌟🌟

500+ Test Cases 🚀🚀

https://hariprasaanth99.blogspot.com/

INFORMATION GATHERING

1. Open Source Reconnaissance
☐ Perform Google Dorks search
☐ Perform OSINT

2. Fingerprinting Web Server
☐ Find the type of Web Server
☐ Find the version details of the Web Server

3. Looking For Metafiles
☐ View the Robots.txt file
☐ View the Sitemap.xml file
☐ View the Humans.txt file
☐ View the Security.txt file

4. Enumerating Web Server's Applications
☐ Enumerate with Nmap
☐ Enumerate with Netcat
☐ Perform a DNS lookup
☐ Perform a Reverse DNS lookup

5. Review The Web Contents
☐ Inspect the page source for sensitive info
☐ Look for sensitive logic in JavaScript code
☐ Look for hard-coded keys or secrets
☐ Make sure autocomplete is disabled on sensitive fields

6. Identifying Application's Entry Points
☐ Identify which HTTP methods are used
☐ Identify where each method is used
☐ Identify the injection points

7. Mapping Execution Paths
☐ Use Burp Suite
☐ Use Dirsearch
☐ Use Gobuster

8. Fingerprint Web Application Framework
☐ Use the Wappalyzer browser extension
☐ Use Whatweb
☐ View URL extensions
☐ View HTML source code
☐ View the cookie parameter
☐ View the HTTP headers

9. Map Application Architecture
☐ Map the overall site structure

CONFIGURATION & DEPLOYMENT MANAGEMENT TESTING

1. Test Network Configuration
☐ Check the network configuration
☐ Check for default settings
☐ Check for default credentials

2. Test Application Configuration
☐ Ensure only required modules are used
☐ Ensure unwanted modules are disabled
☐ Check how the server behaves under DoS conditions
☐ Check how the application handles 4xx & 5xx errors
☐ Check which privilege the application runs with
☐ Check logs for sensitive info

3. Test File Extension Handling
☐ Ensure the server won't return sensitive extensions
☐ Ensure the server won't accept malicious extensions
☐ Test for file upload vulnerabilities

4. Review Backup & Unreferenced Files
☐ Ensure unreferenced files don't contain any sensitive info
☐ Check the naming patterns of old and new backup files
☐ Check the functionality of unreferenced pages

5. Enumerate Infrastructure & Admin Interfaces
☐ Try to find the Infrastructure Interface
☐ Try to find the Admin Interface
☐ Identify hidden admin functionality

6. Testing HTTP Methods
☐ Discover the supported methods
☐ Ensure the PUT method is disabled
☐ Check what the OPTIONS method discloses
☐ Test access control bypass
☐ Test for XST attacks (TRACE method)
☐ Test for HTTP method overriding

7. Test HSTS
☐ Ensure HSTS is enabled

8. Test RIA Cross Domain Policy
☐ Check for Adobe's Cross Domain Policy (crossdomain.xml)
☐ Ensure it has the least privilege

9. Test File Permission
☐ Ensure the permissions for sensitive files
☐ Test for directory enumeration

10. Test For Subdomain Takeover
☐ Test DNS A and CNAME records for subdomain takeover
☐ Test NS records for subdomain takeover
☐ Test 404 response for subdomain takeover
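
Added example for the subdomain takeover items above (this is not part of the original checklist): a script that follows each CNAME chain to its end, flags chains that end at a name which does not resolve, and matches the 404 body against provider fingerprints. The resolver answers and HTTP bodies are constructed for the example, and the fingerprint list is an assumption to be re-verified against a current takeover reference before anything is reported.

```python
import re

# Constructed resolver answers: name -> (type, value). Names with no entry do
# not resolve (NXDOMAIN). In a real test these come from dig/dnsx output for
# every subdomain you enumerated.
ZONE = {
    "blog.example.com": ("CNAME", "example.github.io."),
    "shop.example.com": ("CNAME", "example-shop.herokuapp.com."),
    "old.example.com": ("CNAME", "cdn.example.com."),
    "cdn.example.com": ("CNAME", "d111111abcdef8.cloudfront.net."),
    "d111111abcdef8.cloudfront.net": ("A", "198.51.100.7"),
    "www.example.com": ("A", "203.0.113.10"),
}

# Constructed bodies of the page each name served when fetched over HTTP.
HTTP_BODY = {
    "blog.example.com": "There isn't a GitHub Pages site here.",
    "shop.example.com": "No such app",
    "old.example.com": "<html>ok</html>",
    "cdn.example.com": "<html>ok</html>",
}

# (CNAME target pattern, 404 body pattern). Assumption: these are the commonly
# published fingerprints; re-verify each against a current reference.
FINGERPRINTS = [
    (r"\.github\.io\.?$", r"There isn't a GitHub Pages site here"),
    (r"\.herokuapp\.com\.?$", r"No such app"),
    (r"\.s3(-[a-z0-9-]+)?\.amazonaws\.com\.?$", r"NoSuchBucket"),
]


def resolve_cname_chain(zone, name, limit=8):
    """Follow CNAMEs to the end. Returns (final_name, record_type); record_type
    is None when the chain ends at a name with no record (dangling) and 'LOOP'
    when it never ends."""
    seen = []
    while len(seen) < limit:
        seen.append(name)
        rec = zone.get(name)
        if rec is None:
            return name, None
        rtype, value = rec
        if rtype != "CNAME":
            return name, rtype
        name = value.rstrip(".")
        if name in seen:
            return name, "LOOP"
    return name, "LOOP"


def takeover_candidates(zone, bodies):
    """Return [(subdomain, cname_target, reasons)] for every CNAME that is
    dangling or serves a known provider's 'unclaimed' page."""
    findings = []
    for sub, (rtype, value) in zone.items():
        if rtype != "CNAME":
            continue
        reasons = []
        final, final_type = resolve_cname_chain(zone, sub)
        if final_type is None:
            reasons.append(f"dangling: {final} does not resolve")
        body = bodies.get(sub, "")
        for cname_re, body_re in FINGERPRINTS:
            if re.search(cname_re, value) and re.search(body_re, body):
                reasons.append("provider 404 fingerprint matched")
        if reasons:
            findings.append((sub, value, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for sub, target, why in takeover_candidates(ZONE, HTTP_BODY):
        print(f"{sub} -> {target}: {why}")
```

The same dangling check applies to NS records: a delegation to a name server name that no longer resolves lets whoever registers that name answer for the whole zone. A fingerprint match on its own is a lead, not a finding; confirm by actually claiming the resource on the provider (with permission) or by the provider's documented verification flow.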


11. Test Cloud Storage
☐ Check the sensitive paths of AWS
☐ Check the sensitive paths of Google Cloud
☐ Check the sensitive paths of Azure

IDENTITY MANAGEMENT TESTING

1. Test Role Definitions
☐ Test for forced browsing
☐ Test for IDOR (Insecure Direct Object Reference)
☐ Test for parameter tampering
☐ Ensure low privilege users can't access high privilege resources

2. Test User Registration Process
☐ Ensure the same user or identity can't register repeatedly
☐ Ensure registrations are verified
☐ Ensure disposable email addresses are rejected
☐ Check what proof is required for successful registration

3. Test Account Provisioning Process
☐ Check the verification for the provisioning process
☐ Check the verification for the de-provisioning process
☐ Check the provisioning rights an admin user has over other users
☐ Check whether a user is able to de-provision themselves
☐ Check what happens to the resources of a de-provisioned user

4. Testing For Account Enumeration
☐ Check the response when a valid username and password are entered
☐ Check the response when a valid username and an invalid password are entered
☐ Check the response when an invalid username and password are entered
☐ Ensure rate limiting is enabled on the username and password fields

5. Test For Weak Username Policy
☐ Check the response for both valid and invalid usernames
☐ Check for username enumeration

AUTHENTICATION TESTING

1. Test For Un-Encrypted Channel
☐ Check for an HTTP login page
☐ Check for an HTTP register or sign-in page
☐ Check for an HTTP forgot password page
☐ Check for an HTTP change password page
☐ Check for resources served over HTTP after logout
☐ Test for forced browsing to HTTP pages

2. Test For Default Credentials
☐ Test with default credentials
☐ Test the organization name as credentials
☐ Test for response manipulation
☐ Test the default username with a blank password
☐ Review the page source for credentials

3. Test For Weak Lockout Mechanism
☐ Ensure the account is locked after 3-5 incorrect attempts
☐ Ensure the system accepts only a valid CAPTCHA
☐ Ensure the system rejects an invalid CAPTCHA
☐ Ensure the CAPTCHA code is regenerated after a reload
☐ Ensure the CAPTCHA reloads after entering a wrong code
☐ Ensure the user has a recovery option for a locked-out account

4. Test For Bypassing Authentication Schema
☐ Test forced browsing directly to the internal dashboard without login
☐ Test for session ID prediction
☐ Test for authentication parameter tampering
☐ Test for SQL injection on the login page
☐ Test gaining access with a captured session ID
☐ Test whether multiple concurrent logins are allowed

5. Test For Vulnerable Remember Password
☐ Ensure the "remember me" cookie holds a random token, not the password or a reversible encoding of it
☐ Ensure the password itself is kept server-side, never in browser storage

6. Test For Browser Cache Weakness
☐ Ensure proper Cache-Control is set on sensitive pages
☐ Ensure no sensitive data is stored in the browser cache storage

7. Test For Weak Password Policy
☐ Ensure the password policy is set to strong
☐ Check for password reuse
☐ Check the user is prevented from using their username as a password
☐ Check for the usage of common weak passwords
☐ Check the minimum password length is enforced
☐ Check the maximum password length (a low limit or silent truncation is a weakness)

8. Testing For Weak Security Questions
☐ Check the complexity of the questions
☐ Check for brute-forcing

9. Test For Weak Password Reset Function
☐ Check what information is required to reset the password
☐ Check for a password reset function served over HTTP
☐ Test the randomness of the password reset tokens
☐ Test the uniqueness of the password reset tokens
☐ Test for rate limiting on password reset tokens
☐ Ensure the token expires after being used
☐ Ensure the token expires after not being used for a long time

10. Test For Weak Password Change Function
☐ Check if the old password is asked for to make a change
☐ Check that the new password must differ from the old one
☐ Check for a blank password change
☐ Check for a password change function served over HTTP
☐ Ensure the old password is not displayed after the change
☐ Ensure other sessions are destroyed after the password change

11. Test For Weak Authentication In Alternative Channel
☐ Test authentication on desktop browsers
☐ Test authentication on mobile browsers
☐ Test authentication from a different country
☐ Test authentication in a different language
☐ Test authentication on desktop applications
☐ Test authentication on mobile applications

AUTHORIZATION TESTING

1. Testing Directory Traversal File Include
☐ Identify the injection point on the URL
☐ Test for Local File Inclusion
☐ Test for Remote File Inclusion
☐ Test Traversal on the URL parameter
☐ Test Traversal on the cookie parameter

2. Testing Traversal With Encoding
☐ Test Traversal with Base64 encoding
☐ Test Traversal with URL encoding
☐ Test Traversal with ASCII encoding
☐ Test Traversal with HTML encoding
☐ Test Traversal with Hex encoding
☐ Test Traversal with Binary encoding
☐ Test Traversal with Octal encoding
☐ Test Traversal with Gzip encoding

3. Testing Traversal With Different OS Schemes
☐ Test Traversal with Unix schemes (../)
☐ Test Traversal with Windows schemes (..\)
☐ Test Traversal with Mac schemes

4. Test Other Encoding Techniques
☐ Test Traversal with Double encoding
☐ Test Traversal with all characters encoded
☐ Test Traversal with only special characters encoded

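
Added example covering sections 1 to 4 above and the Local File Inclusion items later in this checklist (it is not part of the original document): a generator for the encoded and OS-specific traversal variants, the one-pass "strip ../" filter that some of them walk straight through, and the resolve-then-check approach that holds. The payload, the filter and the temporary web root are constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote

TRAVERSAL = "../../etc/passwd"


def traversal_variants(payload=TRAVERSAL):
    """Encoded and OS-specific forms of one traversal string, following the
    checklist's encoding items. Each is a string to drop into a parameter."""
    url_all = "".join(f"%{ord(c):02x}" for c in payload)
    return {
        "plain": payload,
        "url_special": payload.replace(".", "%2e").replace("/", "%2f"),
        "url_all": url_all,
        "double_url": payload.replace(".", "%252e").replace("/", "%252f"),
        "windows": payload.replace("/", "\\"),
        "overlong_utf8": payload.replace(".", "%c0%ae").replace("/", "%c0%af"),
        "nested": payload.replace("../", "....//"),  # survives one pass of stripping "../"
        "null_byte": payload + "%00.png",            # for servers that append a fixed suffix
    }


def naive_sanitize(user_path):
    """The filter seen in the wild: delete '../' once and serve whatever is left."""
    return user_path.replace("../", "")


def safe_resolve(web_root, user_path):
    """Decode exactly once, resolve symlinks and '..', then require the result
    to stay under web_root. Returns the absolute path or None when rejected."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    # commonpath, not startswith: "/var/www" must not admit "/var/www2/..."
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo_root():
    """A throwaway directory standing in for the web root (constructed)."""
    return tempfile.mkdtemp()


if __name__ == "__main__":
    root = demo_root()
    for name, variant in traversal_variants().items():
        print(f"{name:14} naive->{naive_sanitize(variant)!r:30} safe->{safe_resolve(root, variant)}")
```

Two points the run makes visible: the nested form comes out of the naive filter as a clean `../../etc/passwd`, and the double-encoded form is rejected by neither function because a single decode leaves a literal `%2e%2e` directory name; whether it is dangerous depends on whether some later layer decodes again, which is exactly what the "double encoding" test is probing.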
5. Test Authorization Schema Bypass
☐ Test for Horizontal authorization schema bypass
☐ Test for Vertical authorization schema bypass
☐ Test overriding the target with custom headers

6. Test For Privilege Escalation
☐ Identify the injection point
☐ Test for bypassing the security measures
☐ Test for forced browsing
☐ Test for IDOR
☐ Test for parameter tampering to a high privileged user

7. Test For Insecure Direct Object Reference
☐ Test changing the ID parameter
☐ Test adding parameters at the endpoints
☐ Test for HTTP parameter pollution
☐ Test adding an extension at the end
☐ Test with outdated API versions
☐ Test wrapping the ID in an array
☐ Test wrapping the ID in a JSON object
☐ Test for JSON parameter pollution
☐ Test changing the case
☐ Test for path traversal
☐ Test changing words
☐ Test changing methods

SESSION MANAGEMENT TESTING

1. Test For Session Management Schema
☐ Ensure all Set-Cookie directives are secure
☐ Ensure no cookie operation takes place over an unencrypted channel
☐ Ensure the cookie can't be forced over an unencrypted channel
☐ Ensure the HttpOnly flag is enabled
☐ Check if any cookies are persistent
☐ Check for session cookies and cookie expiration date/time
☐ Check for session fixation
☐ Check for concurrent login
☐ Check for session after logout
☐ Check for session after closing the browser
☐ Try decoding cookies (Base64, Hex, URL, etc.)

2. Test For Cookie Attributes
☐ Ensure the cookie is set with the Secure attribute
☐ Ensure the cookie is set with the Path attribute
☐ Ensure the cookie has the HttpOnly flag
☐ Ensure the cookie has a SameSite attribute
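
Added example for sections 1 and 2 above (not part of the original checklist): a small auditor that parses each Set-Cookie header, reports the missing attributes, flags a session-looking cookie that has been made persistent, and tries the cheap Base64/hex decodes the checklist mentions. The three sample headers are constructed, and the name fragments used to guess which cookies carry session state are an assumption.

```python
import base64
import binascii
import re

SESSION_HINTS = ("sess", "sid", "token", "auth")   # assumption: name fragments that usually carry session state

# Constructed sample headers, as they would be copied from a proxy's response tab
SAMPLE_HEADERS = [
    "sessionid=" + base64.b64encode(b"user=alice;role=admin").decode()
    + "; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "csrftoken=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c; Path=/; Secure; HttpOnly; SameSite=Strict",
    "JSESSIONID=abc; Secure; HttpOnly; SameSite=Lax; Path=/",
]


def parse_set_cookie(header):
    """'name=value; Attr=val; Flag' -> (name, value, {attr_lowercase: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value, attrs


def try_decode(value):
    """Cheap Base64/hex probes so a structured value gets a second look."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        if raw and all(32 <= b < 127 for b in raw):
            return "base64 -> " + raw.decode("ascii")
    except (binascii.Error, ValueError):
        pass
    if re.fullmatch(r"(?:[0-9a-fA-F]{2}){4,}", value):
        return "hex-looking"
    return None


def audit_set_cookie(header, over_https=True):
    """Return (cookie_name, [findings]) for one Set-Cookie header."""
    name, value, a = parse_set_cookie(header)
    session_like = any(h in name.lower() for h in SESSION_HINTS)
    findings = []
    if not over_https:
        findings.append("set over an unencrypted channel")
    if "secure" not in a:
        findings.append("missing Secure")
    if "httponly" not in a:
        findings.append("missing HttpOnly")
    if "samesite" not in a:
        findings.append("missing SameSite")
    elif str(a["samesite"]).lower() == "none" and "secure" not in a:
        findings.append("SameSite=None without Secure (browsers drop it)")
    if "path" not in a:
        findings.append("missing Path")
    if session_like and ("expires" in a or "max-age" in a):
        findings.append("session cookie is persistent (Expires/Max-Age set)")
    decoded = try_decode(value)
    if decoded:
        findings.append(f"value decodes ({decoded}); check for user data or predictable structure")
    return name, findings


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_set_cookie(h))
```

The first sample is the interesting one: the session value is Base64 of `user=alice;role=admin`, which means the session is client-side state rather than an opaque identifier, and the tampering tests in the IDOR and privilege escalation sections apply to it directly.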


ar
//h

3. Test For Session Fixation


s:

☐ Ensure new cookies have been issued upon a successful authentication


tp

☐ Test manipulating the cookies


ht

4. Test For Exposed Session Variables


☐ Test for encryption
☐ Test for GET and POST vulnerabilities
☐ Test if GET request incorporating the session ID used
☐ Test by interchanging POST with GET method
5. Test For Back Refresh Attack
☐ Test after password change
☐ Test after logout
6. Test For Cross Site Request Forgery
☐ Check if the token is validated on the server-side or not
☐ Check if the token is validated for full or partial length

/
om
☐ Check by comparing the CSRF tokens for multiple dummy accounts

t.c
☐ Check CSRF by interchanging POST with GET method

po
☐ Check CSRF by removing the CSRF token parameter

gs
☐ Check CSRF by removing the CSRF token and using a blank parameter

lo
☐ Check CSRF by using unused tokens .b
99
☐ Check CSRF by replacing the CSRF token with its own values
th

☐ Check CSRF by changing the content type to form-multipart


an

☐ Check CSRF by changing or deleting some characters of the CSRF token


sa

☐ Check CSRF by changing the referrer to Referrer


ra

☐ Check CSRF by changing the host values


ip
ar

☐ Check CSRF alongside clickjacking
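
Added example for section 6 above (not part of the original checklist): a toy server-side token check that contains three of the mistakes the items probe for (missing token skips the check, any issued token is accepted, only a prefix is compared), next to a correct per-session constant-time check, and the probes run against both. Sessions and tokens are constructed.

```python
import hmac
import secrets


def issue_token():
    """How a token should be minted: 128 random bits, one per session."""
    return secrets.token_hex(16)


SESSIONS = {"alice": "a" * 32, "mallory": "m" * 32}   # constructed: session -> issued token


def validate_flawed(session, submitted):
    """Three mistakes the checklist probes for, in one function:
    1. a missing token skips the check entirely
    2. any token the server ever issued is accepted (not bound to the session)
    3. only the first 8 characters are compared"""
    if submitted is None:
        return True
    return any(submitted[:8] == issued[:8] for issued in SESSIONS.values())


def validate_correct(session, submitted):
    """Per-session token, full length, constant-time compare."""
    expected = SESSIONS.get(session)
    if expected is None or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


# The checklist's probes, as the token value an attacker's page would send
PROBES = {
    "valid": "a" * 32,
    "removed": None,
    "blank": "",
    "other_account": "m" * 32,     # token harvested from a second dummy account
    "truncated": "a" * 8,
    "mangled_tail": "a" * 31 + "X",
}


def run_probes(validator, session="alice"):
    """{probe_name: accepted?} for one validator."""
    return {name: validator(session, token) for name, token in PROBES.items()}


if __name__ == "__main__":
    print("flawed :", run_probes(validate_flawed))
    print("correct:", run_probes(validate_correct))
```

Anything other than the "valid" probe being accepted is a finding. The POST-to-GET and content-type probes from the same section are a different failure (the framework only enforces the check on certain request shapes) and are tested by re-sending the request, not by changing the token.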


7. Test For Logout Functionality
☐ Check the logout function on different pages
☐ Check the visibility of the logout button
☐ Ensure the session is ended after logout
☐ Ensure the dashboard can't be accessed after logout by pressing the back button
☐ Ensure a proper session timeout has been set

8. Test For Session Timeout
☐ Ensure a session timeout exists
☐ Ensure all tokens are destroyed after the timeout

9. Test For Session Puzzling
☐ Identify all the session variables
☐ Try to break the logical flow of the session generation

10. Test For Session Hijacking
☐ Test session hijacking on a target that doesn't have HSTS enabled
☐ Test logging in with the help of captured cookies

INPUT VALIDATION TESTING

1. Test For Reflected Cross Site Scripting
☐ Ensure these characters are filtered or encoded: < > ' " &
☐ Test with a character escape sequence
☐ Test by replacing < and > with HTML entities &lt; and &gt;
☐ Test payloads with both lower and upper case
☐ Test breaking firewall regexes with a new line (\r\n)
☐ Test with double encoding
☐ Test with recursive filters
☐ Test injecting anchor tags without whitespace
☐ Test by replacing whitespace with bullets
☐ Test by changing HTTP methods

2. Test For Stored Cross Site Scripting
☐ Identify stored input parameters that are reflected on the client side
☐ Look for input parameters on the profile page
☐ Look for input parameters on the shopping cart page
☐ Look for input parameters on the file upload page
☐ Look for input parameters on the settings page
☐ Look for input parameters on the forum or comment page
☐ Test uploading a file with an XSS payload as its file name
☐ Test with HTML tags

3. Test For HTTP Parameter Pollution
☐ Identify the backend server and parsing method used
☐ Try to access the injection point
☐ Try to bypass the input filters using HTTP Parameter Pollution

4. Test For SQL Injection
☐ Test SQL Injection on authentication forms
☐ Test SQL Injection on the search bar
☐ Test SQL Injection on editable fields
☐ Try to find SQL keywords or entry point detections
☐ Try to inject SQL queries
☐ Use tools like SQLmap or Hackbar
☐ Use Google dorks to find SQL keywords
☐ Try GET based SQL Injection
☐ Try POST based SQL Injection
☐ Try COOKIE based SQL Injection
☐ Try HEADER based SQL Injection
☐ Try SQL Injection with null bytes before the SQL query
☐ Try SQL Injection with URL encoding
☐ Try SQL Injection with both lower and upper cases
☐ Try SQL Injection with SQL tamper scripts
☐ Try SQL Injection with time delay payloads
☐ Try SQL Injection with conditional delays
☐ Try Boolean based SQL Injection
☐ Try Time based SQL Injection
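
Added example for section 4 above (not part of the original checklist): the authentication-form case in working code. A login query built by string concatenation is bypassed with a comment, the same query with bound parameters is not, and the vulnerable version is then driven as a boolean oracle to recover a password one character at a time, which is what the "Boolean based" item means in practice. The users table is an in-memory SQLite database constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(username TEXT, password TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "S3cret!", 1), ("alice", "hunter2", 0)])
    return db


def login_vulnerable(db, username, password):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Bound parameters: the input can only ever be a value."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def boolean_oracle(db, username, condition):
    """True when the injected SQL condition holds for that user's row."""
    return login_vulnerable(db, f"{username}' AND ({condition}) -- ", "x") is not None


def extract_password(db, username, max_len=16):
    """Recover the password through the oracle, one character per ~7 queries."""
    out = ""
    for i in range(1, max_len + 1):
        if not boolean_oracle(db, username, f"length(password) >= {i}"):
            break
        lo, hi = 32, 126                       # printable ASCII, binary searched
        while lo < hi:
            mid = (lo + hi) // 2
            if boolean_oracle(db, username, f"unicode(substr(password, {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("bypass  :", login_vulnerable(db, "admin' -- ", "anything"))
    print("safe    :", login_safe(db, "admin' -- ", "anything"))
    print("extract :", extract_password(db, "admin"))
```

The time-based items in the list are the same oracle with a delay (for example `pg_sleep` or `SLEEP` in the condition) in place of a visible difference in the response; SQLite has no sleep function, so the example uses the boolean form.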

5. Test For LDAP Injection
☐ Use LDAP search filters
☐ Try LDAP Injection for access control bypass

6. Testing For XML Injection
☐ Check if the application is using XML for processing
☐ Identify the XML Injection point with XML metacharacters
☐ Construct an XSS payload on top of XML

7. Test For Server Side Includes
☐ Use Google dorks to find SSI
☐ Construct RCE on top of SSI
☐ Construct other injections on top of SSI
☐ Test injecting SSI on login pages, header fields, referrer, etc.

8. Test For XPATH Injection
☐ Identify the XPATH Injection point
☐ Test for XPATH Injection

9. Test For IMAP SMTP Injection
☐ Identify the IMAP SMTP Injection point
☐ Understand the data flow
☐ Understand the deployment structure of the system
☐ Assess the injection impact

10. Test For Local File Inclusion
☐ Look for LFI keywords
☐ Try to change the local path
☐ Use an LFI payload list
☐ Test LFI by adding a null byte at the end

11. Test For Remote File Inclusion
☐ Look for RFI keywords
☐ Try to change the remote path
☐ Use an RFI payload list

12. Test For Command Injection
☐ Identify the injection points
☐ Look for Command Injection keywords
☐ Test Command Injection using different delimiters
☐ Test Command Injection with a payload list
☐ Test Command Injection with different OS commands

13. Test For Format String Injection
☐ Identify the injection points
☐ Use different format parameters as payloads
☐ Assess the injection impact

14. Test For Host Header Injection
☐ Test for HHI by changing the real Host header
☐ Test for HHI by adding an X-Forwarded-Host header
☐ Test for HHI by swapping the real Host and X-Forwarded-Host headers
☐ Test for HHI by adding two Host headers
☐ Test for HHI by adding the target values in front of the original values
☐ Test for HHI by adding the target with a slash after the original values
☐ Test for HHI with other injections on the Host header
☐ Test for HHI by password reset poisoning

15. Test For Server Side Request Forgery
☐ Look for SSRF keywords
☐ Search for SSRF keywords only under the request header and body
☐ Identify the injection points
☐ Test if the injection points are exploitable
☐ Assess the injection impact
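
Added example for section 15 above (not part of the original checklist): the destination check a server should apply to a user-supplied URL, exercised with the forms an SSRF tester tries (loopback, the link-local metadata address, decimal and hex IP literals, IPv6 and IPv4-mapped IPv6, alternate schemes, userinfo). The inputs are constructed and the resolver is a stub so nothing touches the network.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def parse_ip_literal(host):
    """ip_address for dotted, bracketed IPv6, decimal or 0x hosts; None otherwise."""
    h = host.strip("[]")
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        pass
    try:
        if h.isdigit():                      # http://2130706433/ is 127.0.0.1
            return ipaddress.ip_address(int(h))
        if h.lower().startswith("0x"):       # http://0x7f000001/ likewise
            return ipaddress.ip_address(int(h, 16))
    except ValueError:
        pass
    return None


def is_internal(ip):
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                  # ::ffff:127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def ssrf_verdict(url, resolve=lambda host: []):
    """(allowed, reason). `resolve` maps a hostname to its IP strings; the
    default resolves nothing so the example stays offline. Production code
    must resolve once, check, and connect to that same IP (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if "@" in parts.netloc:
        return False, "userinfo in authority"
    host = parts.hostname or ""
    if not host:
        return False, "no host"
    literal = parse_ip_literal(host)
    addrs = [literal] if literal else [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False, f"{host!r} did not resolve (shorthand like 127.1 lands here too)"
    for ip in addrs:
        if is_internal(ip):
            return False, f"{host} -> {ip} is an internal address"
    return True, "ok"


if __name__ == "__main__":
    for u in ["http://127.0.0.1/", "http://2130706433/", "http://[::ffff:169.254.169.254]/",
              "file:///etc/passwd", "https://example.com/"]:
        print(u, ssrf_verdict(u, resolve=lambda h: ["93.184.216.34"]))
```

When assessing impact, the cloud metadata endpoint (169.254.169.254) and internal admin interfaces found in the Configuration section are the first targets to try; a redirect from an allowed host to an internal one is the usual way past a check that only looks at the first URL, so the fetcher must re-run the verdict on every hop.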


16. Test For Server Side Template Injection
☐ Identify the Template injection vulnerability points
☐ Identify the templating engine
☐ Use tplmap to exploit

ERROR HANDLING TESTING

1. Test For Improper Error Handling
☐ Identify the error output
☐ Analyze the different outputs returned
☐ Look for common error handling flaws
☐ Test error handling by modifying the URL parameter
☐ Test error handling by uploading unrecognized file formats
☐ Test error handling by entering unrecognized inputs
☐ Test error handling by triggering all possible errors

WEAK CRYPTOGRAPHY TESTING

1. Test For Weak Transport Layer Security
☐ Test for DROWN weakness on the SSLv2 protocol
☐ Test for POODLE weakness on the SSLv3 protocol
☐ Test for BEAST weakness on the TLSv1.0 protocol
☐ Test for FREAK weakness on export cipher suites
☐ Test for NULL ciphers
☐ Test for NOMORE weakness on RC4
☐ Test for Lucky 13 weakness on CBC mode ciphers
☐ Test for CRIME weakness on TLS compression
☐ Test for Logjam on DHE keys
☐ Ensure the digital certificates have at least 2048-bit RSA keys
☐ Ensure the digital certificates use at least a SHA-256 signature algorithm
☐ Ensure the digital certificates do not use MD5 or SHA-1
☐ Ensure the validity of the digital certificate
☐ Ensure the minimum key length requirements
☐ Look for weak cipher suites
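
Added example for the TLS items above (not part of the original checklist): a classifier that maps a cipher suite name to the weaknesses in this list (NULL, export/FREAK, RC4/NOMORE, 3DES, MD5, CBC/Lucky 13, missing forward secrecy), and a client context built with Python's `ssl` module that refuses all of them plus the protocol versions behind DROWN, POODLE and BEAST and the compression behind CRIME. No connection is made; the certificate checks (key size, signature algorithm, validity) need the leaf certificate parsed and are not covered here.

```python
import re
import ssl


def classify_suite(name):
    """List of weaknesses for one suite name (IANA or OpenSSL form); [] means acceptable."""
    n = name.upper()
    issues = []
    if "NULL" in n:
        issues.append("NULL cipher or MAC")
    if re.search(r"ANON|ADH|AECDH", n):
        issues.append("anonymous key exchange (no authentication)")
    if "EXP" in n:
        issues.append("export-grade key (FREAK)")
    if "RC4" in n:
        issues.append("RC4 (NOMORE)")
    if re.search(r"(^|[_-])DES|3DES|CBC3", n):
        issues.append("DES/3DES (SWEET32)")
    if "MD5" in n:
        issues.append("MD5 MAC")
    if "CBC" in n or not re.search(r"GCM|CCM|CHACHA20|RC4|NULL", n):
        issues.append("CBC mode (Lucky 13; BEAST on TLS 1.0)")
    if re.search(r"(^|[_-])(RSA|DH)[_-]", n) and not re.search(r"ECDHE|DHE", n):
        issues.append("no forward secrecy (static RSA/DH key exchange)")
    return issues


def hardened_client_context():
    """Client context that refuses everything classify_suite flags."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv2/3 (DROWN, POODLE), no TLS 1.0 (BEAST)
    ctx.options |= ssl.OP_NO_COMPRESSION            # CRIME
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def minimum_version_name(ctx):
    return ctx.minimum_version.name


def weak_suites_in(ctx):
    """(name, issues) for every suite the context would still negotiate."""
    out = []
    for c in ctx.get_ciphers():
        issues = classify_suite(c["name"])
        if issues:
            out.append((c["name"], issues))
    return out


if __name__ == "__main__":
    for s in ["TLS_RSA_WITH_RC4_128_MD5", "EXP-DES-CBC-SHA", "ECDHE-RSA-AES256-SHA",
              "TLS_RSA_WITH_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"]:
        print(f"{s:38} {classify_suite(s)}")
    ctx = hardened_client_context()
    print(minimum_version_name(ctx), "weak suites still offered:", weak_suites_in(ctx))
```

In a test the suite names come from a scanner's output (for example testssl.sh or `nmap --script ssl-enum-ciphers`); run them through `classify_suite` to map each to the checklist item it violates. Logjam is a parameter-size issue (DHE groups under 2048 bits) rather than a suite name, so it has to be read from the handshake, not from this table.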
BUSINESS LOGIC TESTING

1. Test For Business Logic
☐ Identify the logic of how the application works
☐ Identify the functionality of all the buttons
☐ Test by changing numerical values to high or negative values
☐ Test by changing the quantity
☐ Test by modifying the payments
☐ Test for parameter tampering

2. Test For Malicious File Upload
☐ Test malicious file upload by uploading malicious files
☐ Test malicious file upload by putting your IP address in the file name
☐ Test malicious file upload by right-to-left override
☐ Test malicious file upload by encoded file name
☐ Test malicious file upload by XSS payload in the file name
☐ Test malicious file upload by RCE payload in the file name
☐ Test malicious file upload by LFI payload in the file name
☐ Test malicious file upload by RFI payload in the file name
☐ Test malicious file upload by SQL payload in the file name
☐ Test malicious file upload by other injections in the file name
☐ Test malicious file upload by inserting the payload inside an image with the bmp.pl tool
☐ Test malicious file upload by uploading large files (leads to DoS)

CLIENT SIDE TESTING

1. Test For DOM Based Cross Site Scripting
☐ Try to identify DOM sinks
☐ Build payloads for that DOM sink type

2. Test For URL Redirect
☐ Look for URL redirect parameters
☐ Test for URL redirection on domain parameters
☐ Test for URL redirection by using a payload list
☐ Test for URL redirection by using a whitelisted word at the end
☐ Test for URL redirection by creating a new subdomain with the same name as the target
☐ Test for URL redirection via XSS
☐ Test for URL redirection via the profile URL flaw
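
Added example for section 2 above (not part of the original checklist): the redirect-target check that the payload-list items defeat ("starts with / or contains our domain") beside a strict same-origin check, with the usual payloads run through both. The trusted host and the payloads are constructed for the example.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "www.example.com"   # assumption for the example

# Constructed payloads matching the checklist items (protocol-relative,
# backslash, triple slash, whitelisted word at the end, userinfo, scheme)
REDIRECT_PAYLOADS = [
    "//evil.example",
    "/\\evil.example",
    "///evil.example",
    "https://www.example.com.evil.example/",
    "https://www.example.com@evil.example/",
    "https://evil.example/?next=www.example.com",
    "javascript:alert(1)",
]


def redirect_ok_naive(target):
    """'Relative path or mentions our domain': defeated by the payloads above."""
    return target.startswith("/") or TRUSTED_HOST in target


def redirect_ok_strict(target):
    """Allow only same-origin targets: a path-relative URL that is not
    protocol-relative, or an absolute http(s) URL whose host equals ours."""
    if any(c in target for c in "\\\r\n\t"):        # browsers treat '\' as '/'
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target.startswith("/") and not target.startswith("//")
    return (parts.scheme in ("http", "https")
            and "@" not in parts.netloc
            and parts.hostname == TRUSTED_HOST)


def compare(payloads=REDIRECT_PAYLOADS):
    """{payload: (naive_verdict, strict_verdict)}"""
    return {p: (redirect_ok_naive(p), redirect_ok_strict(p)) for p in payloads}


if __name__ == "__main__":
    for p, (naive, strict) in compare().items():
        print(f"{p:45} naive={naive!s:5} strict={strict}")
```

The "///evil.example" case is worth remembering: Python's `urlsplit` reports no netloc for it, but browsers collapse the extra slash and navigate to `evil.example`, which is why the strict check refuses anything beginning with two slashes rather than trusting the parser's netloc.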

3. Test For Cross Origin Resource Sharing
☐ Look for "Access-Control-Allow-Origin" in the response
☐ Use the CORS HTML exploit code for further exploitation

4. Test For Clickjacking
☐ Ensure "X-Frame-Options" headers are enabled
☐ Exploit with iframe HTML code for a PoC
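
Added example for sections 3 and 4 above, together with the HSTS item in the Configuration section and the browser cache item in the Authentication section (not part of the original checklist): one header auditor that reports the findings those items look for, plus the two server-side CORS behaviours it distinguishes (echoing any Origin with credentials versus an allowlist). The responses are constructed dicts and the allowed-origin set is an assumption.

```python
import re

ONE_YEAR = 31536000
ALLOWED_ORIGINS = {"https://app.example.com"}   # assumption for the CORS part


def cors_headers_reflecting(origin):
    """The misconfiguration: echo any Origin and allow credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_strict(origin):
    """Only allow-listed origins are echoed; everything else gets no CORS headers."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def audit_headers(headers, sensitive_page=True, request_origin=None):
    """Findings for one response. `request_origin` is the Origin value you sent."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains")

    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("framing not restricted (no X-Frame-Options / frame-ancestors)")

    if sensitive_page and "no-store" not in h.get("cache-control", "").lower():
        findings.append("sensitive page cacheable (Cache-Control lacks no-store)")

    acao = h.get("access-control-allow-origin")
    with_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if request_origin and acao == request_origin and with_creds:
        findings.append(f"origin {request_origin} reflected with credentials")
    if acao == "null" and with_creds:
        findings.append("Origin: null allowed with credentials (sandboxed iframes can use it)")
    return findings


if __name__ == "__main__":
    evil = "https://evil.example"
    bad = {"Strict-Transport-Security": "max-age=300", "Cache-Control": "private",
           **cors_headers_reflecting(evil)}
    print(audit_headers(bad, request_origin=evil))
```

Send the Origin probe twice, once with an arbitrary origin and once with `Origin: null`; a response that reflects either together with `Access-Control-Allow-Credentials: true` is what the "CORS HTML exploit code" item then turns into a credentialed cross-origin read. An `Access-Control-Allow-Origin: *` response is harmless for credentialed requests because browsers refuse that combination.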


OTHER COMMON ISSUES

1. Test For No Rate Limiting
☐ Ensure rate limiting is enabled
☐ Try to bypass rate limiting by changing the case of the endpoints
☐ Try to bypass rate limiting by adding / at the end of the URL
☐ Try to bypass rate limiting by adding HTTP headers
☐ Try to bypass rate limiting by adding HTTP headers twice
☐ Try to bypass rate limiting by adding Origin headers
☐ Try to bypass rate limiting by IP rotation
☐ Try to bypass rate limiting by using null bytes at the end
☐ Try to bypass rate limiting by using race conditions
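
Added example for section 1 above (not part of the original checklist): a fixed-window limiter keyed the way a proxy-unaware application often keys it (on the client-supplied X-Forwarded-For header and the raw path), beside one keyed on the socket peer and a normalised route, with the checklist's bypass variants sent to both. Requests and the peer address are constructed; nothing is sent over the network.

```python
import time
from collections import defaultdict


class Limiter:
    """Fixed-window counter: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit, window, key_fn):
        self.limit, self.window, self.key_fn = limit, window, key_fn
        self.hits = defaultdict(list)

    def allow(self, request, now=None):
        now = time.monotonic() if now is None else now
        key = self.key_fn(request)
        bucket = [t for t in self.hits[key] if now - t < self.window]
        if len(bucket) >= self.limit:
            self.hits[key] = bucket
            return False
        bucket.append(now)
        self.hits[key] = bucket
        return True


def weak_key(req):
    """Trusts a header the client controls, and the path exactly as sent."""
    return (req["headers"].get("X-Forwarded-For", req["peer"]), req["path"])


def strong_key(req):
    """Socket peer (or the XFF entry appended by YOUR proxy only), route normalised."""
    path = req["path"].split("%00")[0].rstrip("/").lower() or "/"
    return (req["peer"], path)


def bypass_attempts(peer="198.51.100.7", n=20):
    """The checklist's bypass variants as constructed login requests from one client:
    header-based IP rotation combined with case, trailing slash and null-byte changes."""
    attempts = []
    for i in range(n):
        hdrs = {"X-Forwarded-For": f"10.0.0.{i}"}
        path = ["/login", "/Login", "/login/", "/login%00"][i % 4]
        attempts.append({"peer": peer, "path": path, "headers": hdrs})
    return attempts


def count_allowed(limiter, requests, now=0.0):
    """How many of the requests got through (all sent within one window)."""
    return sum(1 for r in requests if limiter.allow(r, now))


if __name__ == "__main__":
    reqs = bypass_attempts()
    print("weak  :", count_allowed(Limiter(5, 60, weak_key), reqs), "of", len(reqs))
    print("strong:", count_allowed(Limiter(5, 60, strong_key), reqs), "of", len(reqs))
```

The race-condition item is a separate weakness: a limiter that reads the counter, decides, and writes back without atomicity lets several simultaneous requests all observe the pre-limit count; it is tested by firing the requests concurrently, not by varying them.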

2. Test For EXIF Geodata
☐ Ensure the website is stripping the geodata
☐ Test with an EXIF checker

3. Test For Broken Link Hijack
☐ Ensure there are no broken links
☐ Test broken links by using the blc tool

4. Test For SPF
☐ Ensure the website has an SPF record
☐ Test SPF with the nslookup command

5. Test For Weak 2FA
☐ Try to bypass 2FA by using poor session management
☐ Try to bypass 2FA via the OAuth mechanism
☐ Try to bypass 2FA via brute-forcing
☐ Try to bypass 2FA via response manipulation
☐ Try to bypass 2FA by using activation links to login
☐ Try to bypass 2FA by using status code manipulation
☐ Try to bypass 2FA by changing the email or password
☐ Try to bypass 2FA by using a null or empty entry
☐ Try to bypass 2FA by changing the boolean to false
☐ Try to bypass 2FA by removing the 2FA parameter from the request

6. Test For Weak OTP Implementation
☐ Try to bypass OTP by entering an old OTP
☐ Try to bypass OTP by brute-forcing
☐ Try to bypass OTP by using a null or empty entry
☐ Try to bypass OTP by response manipulation
☐ Try to bypass OTP by status code manipulation
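
Added example for sections 5 and 6 above (not part of the original checklist): a server-side OTP verifier with the flaws these items probe (an empty entry passes, every code ever issued stays valid, unlimited attempts) next to one that issues a single live code, burns it on use, and caps attempts, with a brute-force loop run against both. Users and codes are constructed; the response and status-code manipulation items concern the client trusting the server's reply and are not reproducible in a server-side snippet.

```python
import hmac
import secrets


class OtpFlawed:
    def __init__(self):
        self.codes = {}               # user -> every code ever issued

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes.setdefault(user, []).append(code)
        return code

    def verify(self, user, submitted):
        if not submitted:             # "null or empty entry": a falsy value skips the check
            return True
        return submitted in self.codes.get(user, [])   # old codes valid; no attempt cap


class OtpCorrect:
    MAX_ATTEMPTS = 5

    def __init__(self):
        self.state = {}               # user -> {"code": str, "attempts": int}

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.state[user] = {"code": code, "attempts": 0}   # replaces any earlier code
        return code

    def verify(self, user, submitted):
        st = self.state.get(user)
        if st is None or st["attempts"] >= self.MAX_ATTEMPTS:
            return False
        st["attempts"] += 1
        ok = bool(submitted) and hmac.compare_digest(st["code"], str(submitted))
        if ok or st["attempts"] >= self.MAX_ATTEMPTS:
            del self.state[user]      # single use; also burn the code once attempts run out
        return ok


def brute_force(verifier, user, max_tries=10**6):
    """Submit codes in order until one is accepted; returns tries used or None."""
    for n in range(max_tries):
        if verifier.verify(user, f"{n:06d}"):
            return n + 1
    return None


if __name__ == "__main__":
    flawed, correct = OtpFlawed(), OtpCorrect()
    flawed.issue("bob"); correct.issue("bob")
    print("flawed  empty entry:", flawed.verify("bob", ""), " brute force tries:", brute_force(flawed, "bob"))
    print("correct empty entry:", correct.verify("bob", ""), " brute force tries:", brute_force(correct, "bob"))
```

A six-digit code gives a million possibilities, so without an attempt cap the brute-force item is always a practical finding; with the cap the expected success rate per code is five in a million, which is why the cap and the single-use property belong together.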

