This document has been downloaded from

www.ministryofsecurity.co
Follow ministryofsecurity for more such infosec content.

WEB APPLICATION PENTESTING

CHECKLIST

OWASP Based Checklist 🌟🌟

500+ Test Cases 🚀🚀

/
om
INFORMATION GATHERING

.c
1. Open Source Reconnaissance

t
po
☐ Perform Google Dorks search

gs
☐ Perform OSINT
2. Fingerprinting Web Server
b lo
h.
☐ Find the type of Web Server
nt

☐ Find the version details of the Web Server

a
sa
ra

3. Looking For Metafiles

ip

☐ View the Robots.txt file

ar

☐ View the Sitemap.xml file

//h

☐ View the Humans.txt file

s:
tp

☐ View the Security.txt file

ht

4. Enumerating Web Server’s Applications

☐ Enumerating with Nmap
☐ Enumerating with Netcat
☐ Perform a DNS lookup
☐ Perform a Reverse DNS lookup
5. Review The Web Contents
☐ Inspect the page source for sensitive info
☐ Try to find Sensitive Javascript codes
☐ Try to find any keys
☐ Make sure the autocomplete is disabled
6. Identifying Application’s Entry Points
☐ Identify what the methods used are?

/
om
☐ Identify where the methods used are?

.c
☐ Identify the Injection point

t
po
gs
7. Mapping Execution Paths
☐ Use Burp Suite
☐ Use Dirsearch
b lo
h.

☐ Use Gobuster
nt
a
sa

8. Fingerprint Web Application Framework

ra

☐ Use the Wappalyzer browser extension

ip

☐ Use Whatweb
ar
//h

☐ View URL extensions

s:

☐ View HTML source code

tp

☐ View the cookie parameter

ht

☐ View the HTTP headers

9. Map Application Architecture
☐ Map the overall site structure
CONFIGURATION & DEPLOYMENT MANAGEMENT TESTING

1. Test Network Configuration

☐ Check the network configuration
☐ Check for default settings
☐ Check for default credentials
2. Test Application Configuration

/
om
☐ Ensure only required modules are used
☐ Ensure unwanted modules are disabled

t .c
☐ Ensure the server can handle DOS

po
☐ Check how the application is handling 4xx & 5xx errors

gs
☐ Check for the privilege required to run
☐ Check logs for sensitive info
b lo
h.
nt

3. Test File Extension Handling

a
sa

☐ Ensure the server won’t return sensitive extensions

ra

☐ Ensure the server won’t accept malicious extensions

ip

☐ Test for file upload vulnerabilities

ar
//h

4. Review Backup & Unreferenced Files

s:

☐ Ensure unreferenced files don’t contain any sensitive info

tp
ht

☐ Ensure the namings of old and new backup files

☐ Check the functionality of unreferenced pages
5. Enumerate Infrastructure & Admin Interfaces
☐ Try to find the Infrastructure Interface
☐ Try to find the Admin Interface
☐ Identify the hidden admin functionalities
6. Testing HTTP Methods
☐ Discover the supported methods
☐ Ensure the PUT method is disabled
☐ Ensure the OPTIONS method is disabled
☐ Test access control bypass
☐ Test for XST attacks

/
☐ Test for HTTP method overriding

om
.c
7. Test HSTS

t
po
☐ Ensure HSTS is enabled

gs
8. Test RIA Cross Domain Policy
☐ Check for Adobe’s Cross Domain Policy
b lo
h.
☐ Ensure it has the least privilege
a nt
sa

9. Test File Permission

☐ Ensure the permissions for sensitive files
ra
ip

☐ Test for directory enumeration

ar
//h

10. Test For Subdomain Takeover

s:

☐ Test DNS, A, and CNAME records for subdomain takeover

tp

☐ Test NS records for subdomain takeover

ht

☐ Test 404 response for subdomain takeover

11. Test Cloud Storage
☐ Check the sensitive paths of AWS
☐ Check the sensitive paths of Google Cloud
☐ Check the sensitive paths of Azure
IDENTITY MANAGEMENT TESTING

1. Test Role Definitions

☐ Test for forced browsing
☐ Test for IDOR (Insecure Direct Object Reference)
☐ Test for parameter tampering
☐ Ensure low privilege users can’t able to access high privilege resources

/
om
2. Test User Registration Process

.c
☐ Ensure the same user or identity can’t register again and again

t
po
☐ Ensure the registrations are verified

gs
☐ Ensure disposable email addresses are rejected
lo
☐ Check what proof is required for successful registration
b
h.
nt

3. Test Account Provisioning Process

a

☐ Check the verification for the provisioning process

sa
ra

☐ Check the verification for the de-provisioning process

ip

☐ Check the provisioning rights for an admin user to other users

ar

☐ Check whether a user is able to de-provision themself or not?

//h

☐ Check for the resources of a de-provisioned user

s:
tp
ht

4. Testing For Account Enumeration

☐ Check the response when a valid username and password entered
☐ Check the response when a valid username and an invalid password entered
☐ Check the response when an invalid username and password entered
☐ Ensure the rate-limiting functionality is enabled in username and password
fields
5. Test For Weak Username Policy
☐ Check the response for both valid and invalid usernames
☐ Check for username enumeration

AUTHENTICATION TESTING

1. Test For Un-Encrypted Channel

☐ Check for the HTTP login page

/
om
☐ Check for the HTTP register or sign-in page
☐ Check for HTTP forgot password page

.c
t
☐ Check for HTTP change password

po
☐ Check for resources on HTTP after logout

gs
☐ Test for forced browsing to HTTP pages b lo
h.
2. Test For Default Credentials
nt

☐ Test with default credentials

a
sa

☐ Test organization name as credentials

ra

☐ Test for response manipulation

ip

☐ Test for the default username and a blank password

ar
//h

☐ Review the page source for credentials

s:
tp

3. Test For Weak Lockout Mechanism

ht

☐ Ensure the account has been locked after 3-5 incorrect attempts
☐ Ensure the system accepts only the valid CAPTCHA
☐ Ensure the system rejects the invalid CAPTCHA
☐ Ensure CAPTCHA code regenerated after reloaded
☐ Ensure CAPTCHA reloads after entering the wrong code
☐ Ensure the user has a recovery option for a lockout account
4. Test For Bypassing Authentication Schema
☐ Test forced browsing directly to the internal dashboard without login
☐ Test for session ID prediction
☐ Test for authentication parameter tampering
☐ Test for SQL injection on the login page
☐ Test to gain access with the help of session ID

/
☐ Test multiple logins allowed or not?

om
.c
5. Test For Vulnerable Remember Password

t
po
☐ Ensure that the stored password is encrypted

gs
☐ Ensure that the stored password is on the server-side
6. Test For Browser Cache Weakness
b lo
h.
☐ Ensure proper cache-control is set on sensitive pages
nt

☐ Ensure no sensitive data is stored in the browser cache storage

a
sa
ra

7. Test For Weak Password Policy

ip

☐ Ensure the password policy is set to strong

ar

☐ Check for password reusability

//h

☐ Check the user is prevented to use his username as a password

s:
tp

☐ Check for the usage of common weak passwords

ht

☐ Check the minimum password length to be set

☐ Check the maximum password length to be set
8. Testing For Weak Security Questions
☐ Check for the complexity of the questions
☐ Check for brute-forcing
9. Test For Weak Password Reset Function
☐ Check what information is required to reset the password
☐ Check for password reset function with HTTP
☐ Test the randomness of the password reset tokens
☐ Test the uniqueness of the password reset tokens
☐ Test for rate limiting on password reset tokens
☐ Ensure the token must expire after being used

/
om
☐ Ensure the token must expire after not being used for a long time

.c
10. Test For Weak Password Change Function

t
po
☐ Check if the old password asked to make a change

gs
☐ Check for the uniqueness of the forgotten password
☐ Check for blank password change b lo
h.
☐ Check for password change function with HTTP
nt

☐ Ensure the old password is not displayed after changed

a
sa

☐ Ensure the other sessions got destroyed after the password change
ra
ip

11. Test For Weak Authentication In Alternative Channel

ar

☐ Test authentication on the desktop browsers

//h

☐ Test authentication on the mobile browsers

s:
tp

☐ Test authentication in a different country

ht

☐ Test authentication in a different language

☐ Test authentication on desktop applications
☐ Test authentication on mobile applications
AUTHORIZATION TESTING

1. Testing Directory Traversal File Include

☐ Identify the injection point on the URL
☐ Test for Local File Inclusion
☐ Test for Remote File Inclusion
☐ Test Traversal on the URL parameter
☐ Test Traversal on the cookie parameter

/
om
.c
2. Testing Traversal With Encoding

t
☐ Test Traversal with Base64 encoding

po
☐ Test Traversal with URL encoding

gs
☐ Test Traversal with ASCII encoding
☐ Test Traversal with HTML encoding
b lo
h.
nt

☐ Test Traversal with Hex encoding

a

☐ Test Traversal with Binary encoding

sa

☐ Test Traversal with Octal encoding

ra
ip

☐ Test Traversal with Gzip encoding

ar
//h

3. Testing Travesal With Different OS Schemes

s:

☐ Test Traversal with Unix schemes

tp

☐ Test Traversal with Windows schemes

ht

☐ Test Traversal with Mac schemes

4. Test Other Encoding Techniques
☐ Test Traversal with Double encoding
☐ Test Traversal with all characters encode
☐ Test Traversal with only special characters encode
5. Test Authorization Schema Bypass
☐ Test for Horizontal authorization schema bypass
☐ Test for Vertical authorization schema bypass
☐ Test override the target with custom headers
6. Test For Privilege Escalation
☐ Identify the injection point

/
om
☐ Test for bypassing the security measures

.c
☐ Test for forced browsing

t
po
☐ Test for IDOR

gs
☐ Test for parameter tampering to high privileged user
7. Test For Insecure Direct Object Reference
b lo
h.
☐ Test to change the ID parameter
nt

☐ Test to add parameters at the endpoints

a
sa

☐ Test for HTTP parameter pollution

ra

☐ Test by adding an extension at the end

ip
ar

☐ Test with outdated API versions

//h

☐ Test by wrapping the ID with an array

s:

☐ Test by wrapping the ID with a JSON object

tp

☐ Test for JSON parameter pollution

ht

☐ Test by changing the case

☐ Test for path traversal
☐ Test by changing words
☐ Test by changing methods
SESSION MANAGEMENT TESTING
1. Test For Session Management Schema
☐ Ensure all Set-Cookie directives are secure
☐ Ensure no cookie operation takes place over an unencrypted channel
☐ Ensure the cookie can’t be forced over an unencrypted channel
☐ Ensure the HTTPOnly flag is enabled
☐ Check if any cookies are persistent

/
☐ Check for session cookies and cookie expiration date/time

om
☐ Check for session fixation

t .c
☐ Check for concurrent login

po
☐ Check for session after logout

gs
☐ Check for session after closing the browser
b
☐ Try decoding cookies (Base64, Hex, URL, etc)lo
h.
nt

2. Test For Cookie Attributes

a
sa

☐ Ensure the cookie must be set with the secure attribute

ra

☐ Ensure the cookie must be set with the path attribute

ip

☐ Ensure the cookie must have the HTTPOnly flag

ar
//h

3. Test For Session Fixation

s:

☐ Ensure new cookies have been issued upon a successful authentication

tp
ht

☐ Test manipulating the cookies

4. Test For Exposed Session Variables
☐ Test for encryption
☐ Test for GET and POST vulnerabilities
☐ Test if GET request incorporating the session ID used
☐ Test by interchanging POST with GET method
5. Test For Back Refresh Attack
☐ Test after password change
☐ Test after logout
6. Test For Cross Site Request Forgery
☐ Check if the token is validated on the server-side or not
☐ Check if the token is validated for full or partial length

/
om
☐ Check by comparing the CSRF tokens for multiple dummy accounts

.c
☐ Check CSRF by interchanging POST with GET method

t
po
☐ Check CSRF by removing the CSRF token parameter

gs
☐ Check CSRF by removing the CSRF token and using a blank parameter
☐ Check CSRF by using unused tokens b lo
☐ Check CSRF by replacing the CSRF token with its own values
h.
nt

☐ Check CSRF by changing the content type to form-multipart

a
sa

☐ Check CSRF by changing or deleting some characters of the CSRF token

ra

☐ Check CSRF by changing the referrer to Referrer

ip

☐ Check CSRF by changing the host values

ar

☐ Check CSRF alongside clickjacking

//h
s:

7. Test For Logout Functionality

tp

☐ Check the logout function on different pages

ht

☐ Check for the visibility of the logout button

☐ Ensure after logout the session was ended
☐ Ensure after logout we can’t able to access the dashboard by pressing the
back button
☐ Ensure proper session timeout has been set
8. Test For Session Timeout
☐ Ensure there is a session timeout exists
☐ Ensure after the timeout, all of the tokens are destroyed
9. Test For Session Puzzling
☐ Identify all the session variables
☐ Try to break the logical flow of the session generation

/
om
10. Test For Session Hijacking
☐ Test session hijacking on target that doesn’t has HSTS enabled

t .c
☐ Test by login with the help of captured cookies

po
gs
INPUT VALIDATION TESTING b lo
h.
1. Test For Reflected Cross Site Scripting
nt

☐ Ensure these characters are filtered <>’’&””

a
sa

☐ Test with a character escape sequence

ra

☐ Test by replacing < and > with HTML entities &lt; and &gt;
ip

☐ Test payload with both lower and upper case

ar
//h

☐ Test to break firewall regex by new line /r/n

s:

☐ Test with double encoding

tp

☐ Test with recursive filters

ht

☐ Test injecting anchor tags without whitespace

☐ Test by replacing whitespace with bullets
☐ Test by changing HTTP methods
2. Test For Stored Cross Site Scripting
☐ Identify stored input parameters that will reflect on the client side
☐ Look for input parameters on the profile page
☐ Look for input parameters on the shopping cart page
☐ Look for input parameters on the file upload page
☐ Look for input parameters on the settings page
☐ Look for input parameters on the forum, comment page

/
om
☐ Test uploading a file with XSS payload as its file name
☐ Test with HTML tags

t .c
po
3. Test For HTTP Parameter Pollution

gs
☐ Identify the backend server and parsing method used
☐ Try to access the injection point b lo
h.
☐ Try to bypass the input filters using HTTP Parameter Pollution
a nt
sa

4. Test For SQL Injection

☐ Test SQL Injection on authentication forms
ra
ip

☐ Test SQL Injection on the search bar

ar

☐ Test SQL Injection on editable characteristics

//h

☐ Try to find SQL keywords or entry point detections

s:
tp

☐ Try to inject SQL queries

ht

☐ Use tools like SQLmap or Hackbar

☐ Use Google dorks to find the SQL keywords
☐ Try GET based SQL Injection
☐ Try POST based SQL Injection
☐ Try COOKIE based SQL Injection
☐ Try HEADER based SQL Injection
☐ Try SQL Injection with null bytes before the SQL query
☐ Try SQL Injection with URL encoding
☐ Try SQL Injection with both lower and upper cases
☐ Try SQL Injection with SQL Tamper scripts
☐ Try SQL Injection with SQL Time delay payloads
☐ Try SQL Injection with SQL Conditional delays
☐ Try SQL Injection with Boolean based SQL

/
om
☐ Try SQL Injection with Time based SQL

t .c
5. Test For LDAP Injection

po
☐ Use LDAP search filters

gs
☐ Try LDAP Injection for access control bypassb lo
h.
6. Testing For XML Injection
nt

☐ Check if the application is using XML for processing

a
sa

☐ Identify the XML Injection point by XML metacharacter

ra

☐ Construct XSS payload on top of XML

ip
ar

7. Test For Server Side Includes

//h

☐ Use Google dorks to find the SSI

s:

☐ Construct RCE on top of SSI

tp

☐ Construct other injections on top of SSI

ht

☐ Test Injecting SSI on login pages, header fields, referrer, etc

8. Test For XPATH Injection
☐ Identify XPATH Injection point
☐ Test for XPATH Injection
9. Test For IMAP SMTP Injection
☐ Identify IMAP SMTP Injection point
☐ Understand the data flow
☐ Understand the deployment structure of the system
☐ Assess the injection impact
10. Test For Local File Inclusion
☐ Look for LFI keywords

/
om
☐ Try to change the local path

.c
☐ Use LFI payload list

t
po
☐ Test LFI by adding a null byte at the end

gs
lo
11. Test For Remote File Inclusion b
☐ Look for RFI keywords
h.

☐ Try to change the remote path

a nt

☐ Use RFI payload list

sa
ra

12. Test For Command Injection

ip

☐ Identify the Injection points

ar
//h

☐ Look for Command Injection keywords

s:

☐ Test Command Injection using different delimiters

tp

☐ Test Command Injection with payload list

ht

☐ Test Command Injection with different OS commands

13. Test For Format String Injection
☐ Identify the Injection points
☐ Use different format parameters as payloads
☐ Assess the injection impact
14. Test For Host Header Injection
☐ Test for HHI by changing the real Host parameter
☐ Test for HHI by adding X-Forwarded Host parameter
☐ Test for HHI by swapping the real Host and X-Forwarded Host parameter
☐ Test for HHI by adding two Host parameters
☐ Test for HHI by adding the target values in front of the original values

/
☐ Test for HHI by adding the target with a slash after the original values

om
☐ Test for HHI with other injections on the Host parameter

.c
☐ Test for HHI by password reset poisoning

t
po
gs
15. Test For Server Side Reqest Forgery
☐ Look for SSRF keywords b lo
☐ Search for SSRF keywords only under the request header and body
h.
nt

☐ Identify the Injection points

a
sa

☐ Test if the Injection points are exploitable

ra

☐ Assess the injection impact

ip
ar

16. Test For Server Side Template Injection

//h

☐ Identify the Template injection vulnerability points

s:

☐ Identify the Templating engine

tp

☐ Use the tplmap to exploit

ht

ERROR HANDLING TESTING

1. Test For Improper Error Handling

☐ Identify the error output
☐ Analyze the different outputs returned
☐ Look for common error handling flaws
☐ Test error handling by modifying the URL parameter
☐ Test error handling by uploading unrecognized file formats
☐ Test error handling by entering unrecognized inputs
☐ Test error handling by making all possible errors

/
WEAK CRYPTOGRAPHY TESTING

om
.c
1. Test For Weak Transport Layer Security

t
☐ Test for DROWN weakness on SSLv2 protocol

po
☐ Test for POODLE weakness on SSLv3 protocol

gs
☐ Test for BEAST weakness on TLSv1.0 protocol
b lo
☐ Test for FREAK weakness on export cipher suites
h.
nt

☐ Test for Null ciphers

a

☐ Test for NOMORE weakness on RC4

sa

☐ Test for LUCKY 13 weakness on CBC mode ciphers

ra
ip

☐ Test for CRIME weakness on TLS compression

ar

☐ Test for LOGJAM on DHE keys

//h

☐ Ensure the digital certificates should have at least 2048 bits of key length
s:
tp

☐ Ensure the digital certificates should have at least SHA - 256 signature
ht

algorithm
☐ Ensure the digital certificates should not use MDF and SHA - 1
☐ Ensure the validity of the digital certificate
☐ Ensure the minimum key length requirements
☐ Look for weak cipher suites
BUSINESS LOGIC TESTING

1. Test For Business Logic

☐ Identify the logic of how the application works
☐ Identify the functionality of all the buttons
☐ Test by changing the numerical values into high or negative values
☐ Test by changing the quantity
☐ Test by modifying the payments

/
om
☐ Test for parameter tampering

t .c
po
2. Test For Malicious File Upload
☐ Test malicious file upload by uploading malicious files

gs
☐ Test malicious file upload by putting your IP address on the file name
b lo
☐ Test malicious file upload by right to left override
h.
nt

☐ Test malicious file upload by encoded file name

a

☐ Test malicious file upload by XSS payload on the file name

sa

☐ Test malicious file upload by RCE payload on the file name

ra
ip

☐ Test malicious file upload by LFI payload on the file name

ar

☐ Test malicious file upload by RFI payload on the file name

//h

☐ Test malicious file upload by SQL payload on the file name

s:
tp

☐ Test malicious file upload by other injections on the file name

ht

☐ Test malicious file upload by Inserting the payload inside of an image by the
bmp.pl tool
☐ Test malicious file upload by uploading large files (leads to DOS)
CLIENT SIDE TESTING

1. Test For DOM Based Cross Site Scripting

☐ Try to identify DOM sinks
☐ Build payloads to that DOM sink type
2. Test For URL Redirect
☐ Look for URL redirect parameters

/
om
☐ Test for URL redirection on domain parameters
☐ Test for URL redirection by using a payload list

.c
t
☐ Test for URL redirection by using a whitelisted word at the end

po
☐ Test for URL redirection by creating a new subdomain with the same as the

gs
target
☐ Test for URL redirection by XSS
b lo
h.
☐ Test for URL redirection by profile URL flaw
a nt
sa

3. Test For Cross Origin Resource Sharing

ra

☐ Look for “Access-Control-Allow-Origin” on the response

ip

☐ Use the CORS HTML exploit code for further exploitation

ar
//h

4. Test For Clickjacking

s:

☐ Ensure “X-Frame-Options” headers are enabled

tp

☐ Exploit with iframe HTML code for POC

ht
OTHER COMMON ISSUES

1. Test For No-Rate Limiting

☐ Ensure rate limiting is enabled
☐ Try to bypass rate limiting by changing the case of the endpoints
☐ Try to bypass rate limiting by adding / at the end of the URL
☐ Try to bypass rate limiting by adding HTTP headers
☐ Try to bypass rate limiting by adding HTTP headers twice

/
om
☐ Try to bypass rate limiting by adding Origin headers

.c
☐ Try to bypass rate limiting by IP rotation

t
po
☐ Try to bypass rate limiting by using null bytes at the end

gs
☐ Try to bypass rate limiting by using race conditions
b lo
h.
2. Test For EXIF Geodata
nt

☐ Ensure the website is striping the geodata

a

☐ Test with EXIF checker

sa
ra

3. Test For Broken Link Hijack

ip

☐ Ensure there is no broken links are there

ar
//h

☐ Test broken links by using the blc tool

s:
tp

4. Test For SPF

ht

☐ Ensure the website is having SPF record

☐ Test SPF by nslookup command
5. Test For Weak 2FA
☐ Try to bypass 2FA by using poor session management
☐ Try to bypass 2FA via the OAuth mechanism
☐ Try to bypass 2FA via brute-forcing
☐ Try to bypass 2FA via response manipulation
☐ Try to bypass 2FA by using activation links to login
☐ Try to bypass 2FA by using status code manipulation

/
om
☐ Try to bypass 2FA by changing the email or password
☐ Try to bypass 2FA by using a null or empty entry

t.c
po
☐ Try to bypass 2FA by changing the boolean into false

gs
☐ Try to bypass 2FA by removing the 2FA parameter on the request
6. Test For Weak OTP Implementation
b lo
h.
☐ Try to bypass OTP by entering the old OTP
nt

☐ Try to bypass OTP by brute-forcing

a
sa

☐ Try to bypass OTP by using a null or empty entry

ra

☐ Try to bypass OTP by response manipulation

ip
ar

☐ Try to bypass OTP by status code manipulation

//h
s:
tp
ht