WEB APPLICATION PENTESTING CHECKLIST

OWASP Based Checklist 🌟🌟

500+ Test Cases 🚀🚀

Notion link: https://hariprasaanth.notion.site/WEB-APPLICATION-PENTESTING-CHECKLIST-0f02d8074b9d4af7b12b8da2d46ac998

• INFORMATION GATHERING

  Open Source Reconnaissance

  • Perform Google Dorks search
  • Perform OSINT

  Fingerprinting Web Server

  • Find the type of Web Server
  • Find the version details of the Web Server

  Looking For Metafiles

  • View the Robots.txt file
  • View the Sitemap.xml file
  • View the Humans.txt file
  • View the Security.txt file

  Enumerating Web Server’s Applications

  • Enumerating with Nmap
  • Enumerating with Netcat
  • Perform a DNS lookup
  • Perform a Reverse DNS lookup

  Review The Web Contents

  • Inspect the page source for sensitive info
  • Try to find Sensitive Javascript codes
  • Try to find any keys
  • Make sure the autocomplete is disabled

  Identifying Application’s Entry Points

  • Identify what the methods used are?
  • Identify where the methods used are?
  • Identify the Injection point

  Mapping Execution Paths

  • Use Burp Suite
  • Use Dirsearch
  • Use Gobuster

  Fingerprint Web Application Framework

  • Use the Wappalyzer browser extension
  • Use Whatweb
  • View URL extensions
  • View HTML source code
  • View the cookie parameter
  • View the HTTP headers

  Map Application Architecture

  • Map the overall site structure

• CONFIGURATION & DEPLOYMENT MANAGEMENT TESTING

  Test Network Configuration

  • Check the network configuration
  • Check for default settings
  • Check for default credentials

  Test Application Configuration

  • Ensure only required modules are used
  • Ensure unwanted modules are disabled
  • Ensure the server can handle DOS
  • Check how the application is handling 4xx & 5xx errors
  • Check for the privilege required to run
  • Check logs for sensitive info

  Test File Extension Handling

  • Ensure the server won’t return sensitive extensions
  • Ensure the server won’t accept malicious extensions
  • Test for file upload vulnerabilities

  Review Backup & Unreferenced Files

  • Ensure unreferenced files don’t contain any sensitive info
  • Ensure the namings of old and new backup files
  • Check the functionality of unreferenced pages

  Enumerate Infrastructure & Admin Interfaces

  • Try to find the Infrastructure Interface
  • Try to find the Admin Interface
  • Identify the hidden admin functionalities

  Testing HTTP Methods

  • Discover the supported methods
  • Ensure the PUT method is disabled
  • Ensure the OPTIONS method is disabled
  • Test access control bypass
  • Test for XST attacks
  • Test for HTTP method overriding

  Test HSTS

  • Ensure HSTS is enabled

  Test RIA Cross Domain Policy

  • Check for Adobe’s Cross Domain Policy
  • Ensure it has the least privilege

  Test File Permission

  • Ensure the permissions for sensitive files
  • Test for directory enumeration

  Test For Subdomain Takeover

  • Test DNS, A, and CNAME records for subdomain takeover
  • Test NS records for subdomain takeover
  • Test 404 response for subdomain takeover

  Test Cloud Storage

  • Check the sensitive paths of AWS
  • Check the sensitive paths of Google Cloud
  • Check the sensitive paths of Azure

• IDENTITY MANAGEMENT TESTING

  Test Role Definitions

  • Test for forced browsing
  • Test for IDOR (Insecure Direct Object Reference)
  • Test for parameter tampering
  • Ensure low privilege users can’t able to access high privilege resources

  Test User Registration Process

  • Ensure the same user or identity can’t register again and again
  • Ensure the registrations are verified
  • Ensure disposable email addresses are rejected
  • Check what proof is required for successful registration

  Test Account Provisioning Process

  • Check the verification for the provisioning process
  • Check the verification for the de-provisioning process
  • Check the provisioning rights for an admin user to other users
  • Check whether a user is able to de-provision themself or not?
  • Check for the resources of a de-provisioned user

  Testing For Account Enumeration

  • Check the response when a valid username and password entered
  • Check the response when a valid username and an invalid password entered
  • Check the response when an invalid username and password entered
  • Ensure the rate-limiting functionality is enabled in username and password fields

  Test For Weak Username Policy

  • Check the response for both valid and invalid usernames
  • Check for username enumeration

• AUTHENTICATION TESTING

  Test For Un-Encrypted Channel

  • Check for the HTTP login page
  • Check for the HTTP register or sign-in page
  • Check for HTTP forgot password page
  • Check for HTTP change password
  • Check for resources on HTTP after logout
  • Test for forced browsing to HTTP pages

  Test For Default Credentials

  • Test with default credentials
  • Test organization name as credentials
  • Test for response manipulation
  • Test for the default username and a blank password
  • Review the page source for credentials

  Test For Weak Lockout Mechanism

  • Ensure the account has been locked after 3-5 incorrect attempts
  • Ensure the system accepts only the valid CAPTCHA
  • Ensure the system rejects the invalid CAPTCHA
  • Ensure CAPTCHA code regenerated after reloaded
  • Ensure CAPTCHA reloads after entering the wrong code
  • Ensure the user has a recovery option for a lockout account

  Test For Bypassing Authentication Schema

  • Test forced browsing directly to the internal dashboard without login
  • Test for session ID prediction
  • Test for authentication parameter tampering
  • Test for SQL injection on the login page
  • Test to gain access with the help of session ID
  • Test multiple logins allowed or not?

  Test For Vulnerable Remember Password

  • Ensure that the stored password is encrypted
  • Ensure that the stored password is on the server-side

  Test For Browser Cache Weakness

  • Ensure proper cache-control is set on sensitive pages
  • Ensure no sensitive data is stored in the browser cache storage

  Test For Weak Password Policy

  • Ensure the password policy is set to strong
  • Check for password reusability
  • Check the user is prevented to use his username as a password
  • Check for the usage of common weak passwords
  • Check the minimum password length to be set
  • Check the maximum password length to be set

  Testing For Weak Security Questions

  • Check for the complexity of the questions
  • Check for brute-forcing

  Test For Weak Password Reset Function

  • Check what information is required to reset the password
  • Check for password reset function with HTTP
  • Test the randomness of the password reset tokens
  • Test the uniqueness of the password reset tokens
  • Test for rate limiting on password reset tokens
  • Ensure the token must expire after being used
  • Ensure the token must expire after not being used for a long time

  Test For Weak Password Change Function

  • Check if the old password asked to make a change
  • Check for the uniqueness of the forgotten password
  • Check for blank password change
  • Check for password change function with HTTP
  • Ensure the old password is not displayed after changed
  • Ensure the other sessions got destroyed after the password change

  Test For Weak Authentication In Alternative Channel

  • Test authentication on the desktop browsers
  • Test authentication on the mobile browsers
  • Test authentication in a different country
  • Test authentication in a different language
  • Test authentication on desktop applications
  • Test authentication on mobile applications

• AUTHORIZATION TESTING

  Testing Directory Traversal File Include

  • Identify the injection point on the URL
  • Test for Local File Inclusion
  • Test for Remote File Inclusion
  • Test Traversal on the URL parameter
  • Test Traversal on the cookie parameter

  Testing Traversal With Encoding

  • Test Traversal with Base64 encoding
  • Test Traversal with URL encoding
  • Test Traversal with ASCII encoding
  • Test Traversal with HTML encoding
  • Test Traversal with Hex encoding
  • Test Traversal with Binary encoding
  • Test Traversal with Octal encoding
  • Test Traversal with Gzip encoding

  Testing Travesal With Different OS Schemes

  • Test Traversal with Unix schemes
  • Test Traversal with Windows schemes
  • Test Traversal with Mac schemes

  Test Other Encoding Techniques

  • Test Traversal with Double encoding
  • Test Traversal with all characters encode
  • Test Traversal with only special characters encode

  Test Authorization Schema Bypass

  • Test for Horizontal authorization schema bypass
  • Test for Vertical authorization schema bypass
  • Test override the target with custom headers

  Test For Privilege Escalation

  • Identify the injection point
  • Test for bypassing the security measures
  • Test for forced browsing
  • Test for IDOR
  • Test for parameter tampering to high privileged user

  Test For Insecure Direct Object Reference

  • Test to change the ID parameter
  • Test to add parameters at the endpoints
  • Test for HTTP parameter pollution
  • Test by adding an extension at the end
  • Test with outdated API versions
  • Test by wrapping the ID with an array
  • Test by wrapping the ID with a JSON object
  • Test for JSON parameter pollution
  • Test by changing the case
  • Test for path traversal
  • Test by changing words
  • Test by changing methods

• SESSION MANAGEMENT TESTING

  Test For Session Management Schema

  • Ensure all Set-Cookie directives are secure
  • Ensure no cookie operation takes place over an unencrypted channel
  • Ensure the cookie can’t be forced over an unencrypted channel
  • Ensure the HTTPOnly flag is enabled
  • Check if any cookies are persistent
  • Check for session cookies and cookie expiration date/time
  • Check for session fixation
  • Check for concurrent login
  • Check for session after logout
  • Check for session after closing the browser
  • Try decoding cookies (Base64, Hex, URL, etc)

  Test For Cookie Attributes

  • Ensure the cookie must be set with the secure attribute
  • Ensure the cookie must be set with the path attribute
  • Ensure the cookie must have the HTTPOnly flag

  Test For Session Fixation

  • Ensure new cookies have been issued upon a successful authentication
  • Test manipulating the cookies

  Test For Exposed Session Variables

  • Test for encryption
  • Test for GET and POST vulnerabilities
  • Test if GET request incorporating the session ID used
  • Test by interchanging POST with GET method

  Test For Back Refresh Attack

  • Test after password change
  • Test after logout

  Test For Cross Site Request Forgery

  • Check if the token is validated on the server-side or not
  • Check if the token is validated for full or partial length
  • Check by comparing the CSRF tokens for multiple dummy accounts
  • Check CSRF by interchanging POST with GET method
  • Check CSRF by removing the CSRF token parameter
  • Check CSRF by removing the CSRF token and using a blank parameter
  • Check CSRF by using unused tokens
  • Check CSRF by replacing the CSRF token with its own values
  • Check CSRF by changing the content type to form-multipart
  • Check CSRF by changing or deleting some characters of the CSRF token
  • Check CSRF by changing the referrer to Referrer
  • Check CSRF by changing the host values
  • Check CSRF alongside clickjacking

  Test For Logout Functionality

  • Check the log out function on different pages
  • Check for the visibility of the logout button
  • Ensure after logout the session was ended
  • Ensure after logout we can’t able to access the dashboard by pressing the back button
  • Ensure proper session timeout has been set

  Test For Session Timeout

  • Ensure there is a session timeout exists
  • Ensure after the timeout, all of the tokens are destroyed

  Test For Session Puzzling

  • Identify all the session variables
  • Try to break the logical flow of the session generation

  Test For Session Hijacking

  • Test session hijacking on target that doesn’t has HSTS enabled
  • Test by login with the help of captured cookies

• INPUT VALIDATION TESTING

  Test For Reflected Cross Site Scripting

  • Ensure these characters are filtered <>’’&””
  • Test with a character escape sequence
  • Test by replacing < and > with HTML entities < and >
  • Test payload with both lower and upper case
  • Test to break firewall regex by new line /r/n
  • Test with double encoding
  • Test with recursive filters
  • Test injecting anchor tags without whitespace
  • Test by replacing whitespace with bullets
  • Test by changing HTTP methods

  Test For Stored Cross Site Scripting

  • Identify stored input parameters that will reflect on the client-side
  • Look for input parameters on the profile page
  • Look for input parameters on the shopping cart page
  • Look for input parameters on the file upload page
  • Look for input parameters on the settings page
  • Look for input parameters on the forum, comment page
  • Test uploading a file with XSS payload as its file name
  • Test with HTML tags

  Test For HTTP Parameter Pollution

  • Identify the backend server and parsing method used
  • Try to access the injection point
  • Try to bypass the input filters using HTTP Parameter Pollution

  Test For SQL Injection

  • Test SQL Injection on authentication forms
  • Test SQL Injection on the search bar
  • Test SQL Injection on editable characteristics
  • Try to find SQL keywords or entry point detections
  • Try to inject SQL queries
  • Use tools like SQLmap or Hackbar
  • Use Google dorks to find the SQL keywords
  • Try GET based SQL Injection
  • Try POST based SQL Injection
  • Try COOKIE based SQL Injection
  • Try HEADER based SQL Injection
  • Try SQL Injection with null bytes before the SQL query
  • Try SQL Injection with URL encoding
  • Try SQL Injection with both lower and upper cases
  • Try SQL Injection with SQL Tamper scripts
  • Try SQL Injection with SQL Time delay payloads
  • Try SQL Injection with SQL Conditional delays
  • Try SQL Injection with Boolean based SQL
  • Try SQL Injection with Time based SQL

  Test For LDAP Injection

  • Use LDAP search filters
  • Try LDAP Injection for access control bypass

  Testing For XML Injection

  • Check if the application is using XML for processing
  • Identify the XML Injection point by XML metacharacter
  • Construct XSS payload on top of XML

  Test For Server Side Includes

  • Use Google dorks to find the SSI
  • Construct RCE on top of SSI
  • Construct other injections on top of SSI
  • Test Injecting SSI on login pages, header fields, referrer, etc

  Test For XPATH Injection

  • Identify XPATH Injection point
  • Test for XPATH Injection

  Test For IMAP SMTP Injection

  • Identify IMAP SMTP Injection point
  • Understand the data flow
  • Understand the deployment structure of the system
  • Assess the injection impact

  Test For Local File Inclusion

  • Look for LFI keywords
  • Try to change the local path
  • Use the LFI payload list
  • Test LFI by adding a null byte at the end

  Test For Remote File Inclusion

  • Look for RFI keywords
  • Try to change the remote path
  • Use the RFI payload list

  Test For Command Injection

  • Identify the Injection points
  • Look for Command Injection keywords
  • Test Command Injection using different delimiters
  • Test Command Injection with payload list
  • Test Command Injection with different OS commands

  Test For Format String Injection

  • Identify the Injection points
  • Use different format parameters as payloads
  • Assess the injection impact

  Test For Host Header Injection

  • Test for HHI by changing the real Host parameter
  • Test for HHI by adding X-Forwarded Host parameter
  • Test for HHI by swapping the real Host and X-Forwarded Host parameter
  • Test for HHI by adding two Host parameters
  • Test for HHI by adding the target values in front of the original values
  • Test for HHI by adding the target with a slash after the original values
  • Test for HHI with other injections on the Host parameter
  • Test for HHI by password reset poisoning

  Test For Server Side Request Forgery

  • Look for SSRF keywords
  • Search for SSRF keywords only under the request header and body
  • Identify the Injection points
  • Test if the Injection points are exploitable
  • Assess the injection impact

  Test For Server Side Template Injection

  • Identify the Template injection vulnerability points
  • Identify the Templating engine
  • Use the tplmap to exploit

• ERROR HANDLING TESTING

  Test For Improper Error Handling

  • Identify the error output
  • Analyze the different outputs returned
  • Look for common error handling flaws
  • Test error handling by modifying the URL parameter
  • Test error handling by uploading unrecognized file formats
  • Test error handling by entering unrecognized inputs
  • Test error handling by making all possible errors

• WEAK CRYPTOGRAPHY TESTING

  Test For Weak Transport Layer Security

  • Test for DROWN weakness on SSLv2 protocol
  • Test for POODLE weakness on SSLv3 protocol
  • Test for BEAST weakness on TLSv1.0 protocol
  • Test for FREAK weakness on export cipher suites
  • Test for Null ciphers
  • Test for NOMORE weakness on RC4
  • Test for LUCKY 13 weakness on CBC mode ciphers
  • Test for CRIME weakness on TLS compression
  • Test for LOGJAM on DHE keys
  • Ensure the digital certificates should have at least 2048 bits of key length
  • Ensure the digital certificates should have at least SHA-256 signature algorithm
  • Ensure the digital certificates should not use MDF and SHA-1
  • Ensure the validity of the digital certificate
  • Ensure the minimum key length requirements
  • Look for weak cipher suites

• BUSINESS LOGIC TESTING

  Test For Business Logic

  • Identify the logic of how the application works
  • Identify the functionality of all the buttons
  • Test by changing the numerical values into high or negative values
  • Test by changing the quantity
  • Test by modifying the payments
  • Test for parameter tampering

  Test For Malicious File Upload

  • Test malicious file upload by uploading malicious files
  • Test malicious file upload by putting your IP address on the file name
  • Test malicious file upload by right to left override
  • Test malicious file upload by encoded file name
  • Test malicious file upload by XSS payload on the file name
  • Test malicious file upload by RCE payload on the file name
  • Test malicious file upload by LFI payload on the file name
  • Test malicious file upload by RFI payload on the file name
  • Test malicious file upload by SQL payload on the file name
  • Test malicious file upload by other injections on the file name
  • Test malicious file upload by Inserting the payload inside of an image by the bmp.pl tool
  • Test malicious file upload by uploading large files (leads to DOS)

• CLIENT SIDE TESTING

  Test For DOM Based Cross Site Scripting

  • Try to identify DOM sinks
  • Build payloads to that DOM sink type

  Test For URL Redirect

  • Look for URL redirect parameters
  • Test for URL redirection on domain parameters
  • Test for URL redirection by using a payload list
  • Test for URL redirection by using a whitelisted word at the end
  • Test for URL redirection by creating a new subdomain with the same as the target
  • Test for URL redirection by XSS
  • Test for URL redirection by profile URL flaw

  Test For Cross Origin Resource Sharing

  • Look for “Access-Control-Allow-Origin” on the response
  • Use the CORS HTML exploit code for further exploitation

  Test For Clickjacking

  • Ensure “X-Frame-Options” headers are enabled
  • Exploit with iframe HTML code for POC

• OTHER COMMON ISSUES

  Test For No-Rate Limiting

  • Ensure rate limiting is enabled
  • Try to bypass rate limiting by changing the case of the endpoints
  • Try to bypass rate limiting by adding / at the end of the URL
  • Try to bypass rate limiting by adding HTTP headers
  • Try to bypass rate limiting by adding HTTP headers twice
  • Try to bypass rate limiting by adding Origin headers
  • Try to bypass rate limiting by IP rotation
  • Try to bypass rate limiting by using null bytes at the end
  • Try to bypass rate limiting by using race conditions

  Test For EXIF Geodata

  • Ensure the website is striping the geodata
  • Test with EXIF checker

  Test For Broken Link Hijack

  • Ensure there is no broken links are there
  • Test broken links by using the blc tool

  Test For SPF

  • Ensure the website is having SPF record
  • Test SPF by nslookup command

  Test For Weak 2FA

  • Try to bypass 2FA by using poor session management
  • Try to bypass 2FA via the OAuth mechanism
  • Try to bypass 2FA via brute-forcing
  • Try to bypass 2FA via response manipulation
  • Try to bypass 2FA by using activation links to login
  • Try to bypass 2FA by using status code manipulation
  • Try to bypass 2FA by changing the email or password
  • Try to bypass 2FA by using a null or empty entry
  • Try to bypass 2FA by changing the boolean into false
  • Try to bypass 2FA by removing the 2FA parameter on the request

  Test For Weak OTP Implementation

  • Try to bypass OTP by entering the old OTP
  • Try to bypass OTP by brute-forcing
  • Try to bypass OTP by using a null or empty entry
  • Try to bypass OTP by response manipulation
  • Try to bypass OTP by status code manipulation

Shaped by: Hariprasaanth R

Reach Me: LinkedIn Portfolio Github