Web Application Penetration Testing Checklist
by KCyber Experts

INFORMATION GATHERING
1. Open Source Reconnaissance
☐ Perform Google Dorks search
☐ Perform OSINT
2. Fingerprinting Web Server
☐ Find the type of Web Server
☐ Find the version details of the Web Server
3. Looking For Metafiles
☐ View the Robots.txt file
☐ View the Sitemap.xml file
☐ View the Humans.txt file
☐ View the Security.txt file
4. Enumerating Web Server's Applications
☐ Enumerating with Nmap
☐ Enumerating with Netcat
☐ Perform a DNS lookup
☐ Perform a Reverse DNS lookup
5. Review The Web Contents
☐ Inspect the page source for sensitive info
☐ Try to find sensitive Javascript code
☐ Try to find any keys
☐ Make sure autocomplete is disabled
6. Identifying Application's Entry Points
☐ Identify what methods are used
☐ Identify where the methods are used
☐ Identify the injection point
7. Mapping Execution Paths
☐ Use Burp Suite
☐ Use Dirsearch
☐ Use Gobuster
8. Fingerprint Web Application Framework
☐ Use the Wappalyzer browser extension
☐ Use Whatweb
☐ View URL extensions
☐ View HTML source code
☐ View the cookie parameter
☐ View the HTTP headers
9. Map Application Architecture
☐ Map the overall site structure

CONFIGURATION & DEPLOYMENT MANAGEMENT TESTING
1. Test Network Configuration
☐ Check the network configuration
☐ Check for default settings
☐ Check for default credentials
2. Test Application Configuration
☐ Ensure only required modules are used
☐ Ensure unwanted modules are disabled
☐ Ensure the server can handle DOS
☐ Check how the application handles 4xx & 5xx errors
☐ Check the privilege required to run
☐ Check logs for sensitive info
3. Test File Extension Handling
☐ Ensure the server won't return sensitive extensions
☐ Ensure the server won't accept malicious extensions
☐ Test for file upload vulnerabilities
4. Review Backup & Unreferenced Files
☐ Ensure unreferenced files don't contain any sensitive information
☐ Check the naming of old and new backup files
☐ Check the functionality of unreferenced pages
5. Enumerate Infrastructure & Admin Interfaces
☐ Try to find the Infrastructure Interface
☐ Try to find the Admin Interface
☐ Identify the hidden admin functionalities
6. Testing HTTP Methods
☐ Discover the supported methods
☐ Ensure the PUT method is disabled
☐ Ensure the OPTIONS method is disabled
☐ Test access control bypass
☐ Test for XST attacks
☐ Test for HTTP method overriding
7. Test HSTS
☐ Ensure HSTS is enabled
8. Test RIA Cross Domain Policy
☐ Check for Adobe's Cross Domain Policy
☐ Ensure it has the least privilege
9. Test File Permission
☐ Check the permissions on sensitive files
☐ Test for directory enumeration
10. Test For Subdomain Takeover
☐ Test DNS, A, and CNAME records for subdomain takeover
☐ Test NS records for subdomain takeover
☐ Test 404 response for subdomain takeover
11. Test Cloud Storage
☐ Check the sensitive paths of AWS
☐ Check the sensitive paths of Google Cloud
☐ Check the sensitive paths of Azure

IDENTITY MANAGEMENT TESTING
1. Test Role Definitions
☐ Test for forced browsing
☐ Test for IDOR (Insecure Direct Object Reference)
☐ Test for parameter tampering
☐ Ensure low privilege users can't access high privilege resources
2. Test User Registration Process
☐ Ensure the same user or identity can't register again and again
☐ Ensure the registrations are verified
☐ Ensure disposable email addresses are rejected
☐ Check what proof is required for successful registration
3. Test Account Provisioning Process
☐ Check the verification for the provisioning process
☐ Check the verification for the de-provisioning process
☐ Check the provisioning rights of an admin user over other users
☐ Check whether a user is able to de-provision themselves
☐ Check for the resources of a de-provisioned user
4. Testing For Account Enumeration
☐ Check the response when a valid username and password are entered
☐ Check the response when a valid username and an invalid password are entered
☐ Check the response when an invalid username and password are entered
☐ Ensure the rate-limiting functionality is enabled on the username and password fields
5. Test For Weak Username Policy
☐ Check the response for both valid and invalid usernames
☐ Check for username enumeration

AUTHENTICATION TESTING
1. Test For Un-Encrypted Channel
☐ Check for the HTTP login page
☐ Check for the HTTP register or sign-in page
☐ Check for the HTTP forgot password page
☐ Check for the HTTP change password page
☐ Check for resources on HTTP after logout
☐ Test for forced browsing to HTTP pages
2. Test For Default Credentials
☐ Test with default credentials
☐ Test organization name as credentials
☐ Test for response manipulation
☐ Test for the default username and a blank password
☐ Review the page source for credentials
3. Test For Weak Lockout Mechanism
☐ Ensure the account is locked after 3-5 incorrect attempts
☐ Ensure the system accepts only the valid CAPTCHA
☐ Ensure the system rejects an invalid CAPTCHA
☐ Ensure the CAPTCHA code is regenerated after a reload
☐ Ensure the CAPTCHA reloads after entering the wrong code
☐ Ensure the user has a recovery option for a locked-out account
4. Test For Bypassing Authentication Schema
☐ Test forced browsing directly to the internal dashboard
☐ Test for session ID prediction
☐ Test for authentication parameter tampering
☐ Test for SQL injection on the login page
☐ Test to gain access with the help of a session ID
☐ Test whether multiple logins are allowed
5. Test For Vulnerable Remember Password
☐ Ensure that the stored password is encrypted
☐ Ensure that the stored password is on the server-side
6. Test For Browser Cache Weakness
☐ Ensure proper cache-control is set on sensitive pages
☐ Ensure no sensitive data is stored in the browser cache storage
7. Test For Weak Password Policy
☐ Ensure the password policy is set to strong
☐ Check for password reusability
☐ Check that the user is prevented from using their username as a password
☐ Check for the usage of common weak passwords
☐ Check that a minimum password length is set
☐ Check that a maximum password length is set
8. Testing For Weak Security Questions
☐ Check for the complexity of the questions
☐ Check for brute-forcing
9. Test For Weak Password Reset Function
☐ Check what information is required to reset the password
☐ Check for a password reset function over HTTP
☐ Test the randomness of the password reset tokens
☐ Test the uniqueness of the password reset tokens
☐ Test for rate limiting on password reset tokens
☐ Ensure the token expires after being used
☐ Ensure the token expires after not being used for a long time
10. Test For Weak Password Change Function
☐ Check if the old password is asked for to make a change
☐ Check for the uniqueness of the forgotten password
☐ Check for blank password change
☐ Check for a password change function over HTTP
☐ Ensure the old password is not displayed after being changed
☐ Ensure the other sessions are destroyed after the password change
11. Test For Weak Authentication In Alternative Channel
☐ Test authentication on desktop browsers
☐ Test authentication on mobile browsers
☐ Test authentication in a different country
☐ Test authentication in a different language
☐ Test authentication on desktop applications
☐ Test authentication on mobile applications

AUTHORIZATION TESTING
1. Testing Directory Traversal File Include
☐ Identify the injection point on the URL
☐ Test for Local File Inclusion
☐ Test for Remote File Inclusion
☐ Test Traversal on the URL parameter
☐ Test Traversal on the cookie parameter
2. Testing Traversal With Encoding
☐ Test Traversal with Base64 encoding
☐ Test Traversal with URL encoding
☐ Test Traversal with ASCII encoding
☐ Test Traversal with HTML encoding
☐ Test Traversal with Hex encoding
☐ Test Traversal with Binary encoding
☐ Test Traversal with Octal encoding
☐ Test Traversal with Gzip encoding
☐ Try de
3. Testing Traversal With Different OS Schemes
☐ Test Traversal with Unix schemes
☐ Test Traversal with Windows schemes
☐ Test Traversal with Mac schemes
4. Test Other Encoding Techniques
☐ Test Traversal with Double encoding
☐ Test Traversal with all characters encoded
☐ Test Traversal with only special characters encoded
5. Test Authorization Schema Bypass
☐ Test for Horizontal authorization schema bypass
☐ Test for Vertical authorization schema bypass
☐ Test overriding the target with custom headers
6. Test For Privilege Escalation
☐ Identify the injection point
☐ Test for bypassing the security measures
☐ Test for forced browsing method
☐ Test for IDOR
☐ Test for parameter tampering to a high privileged user
7. Test For Insecure Direct Object Reference
☐ Test to change the ID parameter
☐ Test to add parameters at the endpoints
☐ Test for HTTP parameter pollution
☐ Test by adding an extension at the end
☐ Test with outdated API versions
☐ Test by wrapping the ID with an array
☐ Test by wrapping the ID with a JSON object
☐ Test for JSON parameter pollution
☐ Test by changing the case
☐ Test for path traversal
☐ Test by changing words
☐ Test by changing methods

SESSION MANAGEMENT TESTING
1. Test For Session Management Schema
☐ Ensure all Set-Cookie directives are secure
☐ Ensure no cookie operation takes place over an unencrypted channel
☐ Ensure the cookie can't be forced over an unencrypted channel
☐ Ensure the HTTPOnly flag is enabled
☐ Check if any cookies are persistent
☐ Check for session cookies and cookie expiration date/time
☐ Check for session fixation
☐ Check for concurrent login
☐ Check for session after logout
☐ Check for session after closing the browser
2. Test For Cookie Attributes
☐ Ensure the cookie is set with the Secure attribute
☐ Ensure the cookie is set with the Path attribute
☐ Ensure the cookie has the HTTPOnly flag
3. Test For Session Fixation
☐ Ensure new cookies are issued upon a successful authentication
☐ Test manipulating the cookies
4. Test For Exposed Session Variables
☐ Test for encryption
☐ Test for GET and POST vulnerabilities
☐ Test if a GET request incorporating the session ID is used
☐ Test by interchanging POST with GET
5. Test For Back Refresh Attack
☐ Test after password change
☐ Test after logout
6. Test For Cross Site Request Forgery
☐ Check if the token is validated on the server-side or not
☐ Check if the token is validated for full or partial length
☐ Check by comparing the CSRF tokens for multiple dummy accounts
☐ Check CSRF by interchanging the POST method with GET
☐ Check CSRF by removing the CSRF token parameter
☐ Check CSRF by removing the CSRF token and using a blank parameter
☐ Check CSRF by using unused tokens
☐ Check CSRF by replacing the CSRF token with its own values
☐ Check CSRF by changing the content type to form-multipart
☐ Check CSRF by changing or deleting some characters of the CSRF token
☐ Check CSRF by changing the referrer to Referrer
☐ Check CSRF by changing the host values
☐ Check CSRF alongside clickjacking
7. Test For Logout Functionality
☐ Check the logout function on different pages
☐ Check for the visibility of the logout button
☐ Ensure after logout the session has ended
☐ Ensure after logout we can't access the dashboard by pressing the back button
☐ Ensure a proper session timeout has been set
8. Test For Session Timeout
☐ Ensure a session timeout exists
☐ Ensure after the timeout, all of the tokens are destroyed
9. Test For Session Puzzling
☐ Identify all the session variables
☐ Try to break the logical flow of the session generation
10. Test For Session Hijacking
☐ Test session hijacking on a target that doesn't have HSTS enabled
☐ Test by logging in with the help of captured cookies

INPUT VALIDATION TESTING
1. Test For Reflected Cross Site Scripting
☐ Ensure these characters are filtered: < > ' & "
☐ Test with a character escape sequence
☐ Test by replacing < and > with the HTML entities &lt; and &gt;
☐ Test payload with both lower and upper case
☐ Test to break firewall regex by new line \r\n
☐ Test with double encoding
☐ Test with recursive filters
☐ Test injecting anchor tags without whitespace
☐ Test by replacing whitespace with bullets
☐ Test by changing HTTP methods
2. Test For Stored Cross Site Scripting
☐ Identify stored input parameters that will reflect on the client side
☐ Look for input parameters on the profile page
☐ Look for input parameters on the shopping cart page
☐ Look for input parameters on the file upload page
☐ Look for input parameters on the settings page
☐ Look for input parameters on the forum and comment pages
☐ Test uploading a file with an XSS payload as its file name
☐ Test with HTML tags
3. Test For HTTP Parameter Pollution
☐ Identify the backend server and parsing method used
☐ Try to access the injection point
☐ Try to bypass the input filters using HTTP Parameter Pollution
4. Test For SQL Injection
☐ Test SQL Injection on authentication forms
☐ Test SQL Injection on the search bar
☐ Test SQL Injection on editable characteristics
☐ Try to find SQL keywords or entry point detections
☐ Try to inject SQL queries
☐ Use tools like SQLmap or Hackbar
☐ Use Google dorks to find the SQL keywords
☐ Try GET based SQL Injection
☐ Try POST based SQL Injection
☐ Try COOKIE based SQL Injection
☐ Try HEADER based SQL Injection
☐ Try SQL Injection with null bytes before the SQL query
☐ Try SQL Injection with URL encoding
☐ Try SQL Injection with both lower and upper cases
☐ Try SQL Injection with SQL Tamper scripts
☐ Try SQL Injection with SQL Time delay payloads
☐ Try SQL Injection with SQL Conditional delays
☐ Try SQL Injection with Boolean based SQL
☐ Try SQL Injection with Time based SQL
https://hariprasaanth.blogspot.com/
5. Test For LDAP Injection
☐ Use LDAP search filters
☐ Try LDAP Injection for access control bypass
6. Testing For XML Injection
☐ Check if the application is using XML for processing
☐ Identify the XML Injection point by XML metacharacters
☐ Construct an XSS payload on top of XML
7. Test For Server Side Includes
☐ Use Google dorks to find the SSI
☐ Construct RCE on top of SSI
☐ Construct other injections on top of SSI
☐ Test injecting SSI on login pages, header fields, referrer, etc.
8. Test For XPATH Injection
☐ Identify the XPATH Injection point
☐ Test for XPATH Injection
9. Test For IMAP SMTP Injection
☐ Identify the IMAP SMTP Injection point
☐ Understand the data flow
☐ Understand the deployment structure of the system
☐ Assess the injection impact
10. Test For Local File Inclusion
☐ Look for LFI keywords
☐ Try to change the local path
☐ Use an LFI payload list
☐ Test LFI by adding a null byte at the end
11. Test For Remote File Inclusion
☐ Look for RFI keywords
☐ Try to change the remote path
☐ Use an RFI payload list
12. Test For Command Injection
☐ Identify the Injection points
☐ Look for Command Injection keywords
☐ Test Command Injection using different delimiters
☐ Test Command Injection with a payload list
☐ Test Command Injection with different OS commands
13. Test For Format String Injection
☐ Identify the Injection points
☐ Use different format parameters as payloads
☐ Assess the injection impact
14. Test For Host Header Injection
☐ Test for HHI by changing the real Host parameter
☐ Test for HHI by adding an X-Forwarded-Host parameter
☐ Test for HHI by swapping the real Host and X-Forwarded-Host parameters
☐ Test for HHI by adding two Host parameters
☐ Test for HHI by adding the target values in front of the original values
☐ Test for HHI by adding the target with a slash after the original values
☐ Test for HHI with other injections on the Host parameter
☐ Test for HHI by password reset poisoning
15. Test For Server Side Request Forgery
☐ Look for SSRF keywords
☐ Search for SSRF keywords only under the request header and body
☐ Identify the Injection points
☐ Test if the Injection points are exploitable
☐ Assess the injection impact
16. Test For Server Side Template Injection
☐ Identify the Template injection vulnerability points
☐ Identify the Templating engine
☐ Use tplmap to exploit

ERROR HANDLING TESTING
1. Test For Improper Error Handling
☐ Identify the error output
☐ Analyze the different outputs returned
☐ Look for common error handling flaws
☐ Test error handling by modifying the URL parameter
☐ Test error handling by uploading unrecognized file formats
☐ Test error handling by entering unrecognized inputs
☐ Test error handling by making all possible errors

WEAK CRYPTOGRAPHY TESTING
1. Test For Weak Transport Layer Security
☐ Test for DROWN weakness on the SSLv2 protocol
☐ Test for POODLE weakness on the SSLv3 protocol
☐ Test for BEAST weakness on the TLSv1.0 protocol
☐ Test for FREAK weakness on export cipher suites
☐ Test for Null ciphers
☐ Test for NOMORE weakness on RC4
☐ Test for LUCKY 13 weakness on CBC mode ciphers
☐ Test for CRIME weakness on TLS compression
☐ Test for LOGJAM on DHE keys
☐ Ensure the digital certificates have at least a 2048-bit key length
☐ Ensure the digital certificates use at least a SHA-256 signature algorithm
☐ Ensure the digital certificates do not use MD5 or SHA-1
☐ Ensure the validity of the digital certificate
☐ Ensure the minimum key length requirements
☐ Look for weak cipher suites

BUSINESS LOGIC TESTING
1. Test For Business Logic
☐ Identify the logic of how the application works
☐ Identify the functionality of all the buttons
☐ Test by changing the numerical values into high or negative values
☐ Test by changing the quantity
☐ Test by modifying the payments
☐ Test for parameter tampering
2. Test For Malicious File Upload
☐ Test malicious file upload by uploading malicious files
☐ Test malicious file upload by putting your IP address in the file name
☐ Test malicious file upload by right-to-left override
☐ Test malicious file upload by encoded file name
☐ Test malicious file upload by an XSS payload in the file name
☐ Test malicious file upload by an RCE payload in the file name
☐ Test malicious file upload by an LFI payload in the file name
☐ Test malicious file upload by an RFI payload in the file name
☐ Test malicious file upload by a SQL payload in the file name
☐ Test malicious file upload by other injections in the file name
☐ Test malicious file upload by inserting the payload inside an image with the bmp.pl tool
☐ Test malicious file upload by uploading large files (leads to DOS)

CLIENT SIDE TESTING
1. Test For DOM Based Cross Site Scripting
☐ Try to identify DOM sinks
☐ Build payloads for that DOM sink type
2. Test For URL Redirect
☐ Look for URL redirect parameters
☐ Test for URL redirection on domain parameters
☐ Test for URL redirection by using a payload list
☐ Test for URL redirection by using a whitelisted word at the end
☐ Test for URL redirection by creating a new subdomain with the same name as the target
☐ Test for URL redirection by XSS
☐ Test for URL redirection by profile URL flaw
3. Test For Cross Origin Resource Sharing
☐ Look for "Access-Control-Allow-Origin" in the response
☐ Use the CORS HTML exploit code for further exploitation
4. Test For Clickjacking
☐ Ensure "X-Frame-Options" headers are enabled
☐ Exploit with iframe HTML code for POC

OTHER COMMON ISSUES
1. Test For No-Rate Limiting
☐ Ensure rate limiting is enabled
☐ Try to bypass rate limiting by changing the case of the endpoints
☐ Try to bypass rate limiting by adding / at the end of the URL
☐ Try to bypass rate limiting by adding HTTP headers
☐ Try to bypass rate limiting by adding HTTP headers twice
☐ Try to bypass rate limiting by adding Origin headers
☐ Try to bypass rate limiting by IP rotation
☐ Try to bypass rate limiting by using null bytes at the end
☐ Try to bypass rate limiting by using race conditions
2. Test For EXIF Geodata
☐ Ensure the website is stripping the geodata
☐ Test with an EXIF checker
3. Test For Broken Link Hijack
☐ Ensure there are no broken links
☐ Test broken links by using the blc tool
4. Test For SPF
☐ Ensure the website has an SPF record
☐ Test SPF with the nslookup command
5. Test For Weak 2FA
☐ Try to bypass 2FA by using poor session management
☐ Try to bypass 2FA via the OAuth mechanism
☐ Try to bypass 2FA via brute-forcing
☐ Try to bypass 2FA via response manipulation
☐ Try to bypass 2FA by using activation links to login
☐ Try to bypass 2FA by using status code manipulation
☐ Try to bypass 2FA by changing the email or password
☐ Try to bypass 2FA by using a null or empty entry
☐ Try to bypass 2FA by changing the boolean to false
☐ Try to bypass 2FA by removing the 2FA parameter from the request
6. Test For Weak OTP Implementation
☐ Try to bypass OTP by entering the old OTP
☐ Try to bypass OTP by brute-forcing
☐ Try to bypass OTP by using a null or empty entry
☐ Try to bypass OTP by response manipulation
☐ Try to bypass OTP by status code manipulation
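Added example, not part of the KCyber Experts checklist: a Python audit of one HTTP response against the Test HSTS, Test For Browser Cache Weakness, Test For Cross Origin Resource Sharing and Test For Clickjacking items. The header sets, the trusted-origin list and the minimum max-age are constructed for this example; the `sensitive` flag marks responses that carry account or session data.

```python
import re

# One year in seconds: the HSTS max-age most hardening guides treat as the floor
# (value chosen for this example).
MIN_HSTS_MAX_AGE = 31536000

# Origins that may legitimately read credentialed responses (constructed).
TRUSTED_ORIGINS = {"https://app.example"}


def audit_response(headers, request_origin=None, sensitive=False):
    """Return a list of findings for one HTTP response.

    headers        -- dict of response header name -> value (any letter case)
    request_origin -- the Origin value that was sent with the request, if any
    sensitive      -- True when the response carries account or session data
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    # Test HSTS: header present, long max-age, and covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short ({max_age})")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    # Test For Clickjacking: framing must be restricted either by
    # X-Frame-Options or by a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("framing not restricted")

    # Test For Browser Cache Weakness: sensitive responses need no-store.
    if sensitive and "no-store" not in h.get("cache-control", "").lower():
        findings.append("sensitive response cacheable")

    # Test For CORS: a wildcard on sensitive data, or an arbitrary Origin
    # reflected together with credentials, lets any site read the response.
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is not None:
        if acao == "*" and sensitive:
            findings.append("CORS wildcard on sensitive response")
        elif acao == "null" and creds:
            findings.append("CORS trusts the null origin with credentials")
        elif (request_origin and acao == request_origin and creds
              and request_origin not in TRUSTED_ORIGINS):
            findings.append("CORS reflects untrusted Origin with credentials")
    return findings


# Constructed responses: one hardened, one with the typical gaps.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "Cache-Control": "no-store",
    "Content-Type": "application/json",
}
WEAK = {
    "Cache-Control": "private, max-age=600",
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    print(audit_response(HARDENED, sensitive=True))
    print(audit_response(WEAK, request_origin="https://evil.example", sensitive=True))
```

Run it against captured response headers for the login, dashboard and API endpoints; a reflected Origin is only a finding when the server also sends credentials, which is why both headers are checked together.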
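Added example, not part of the KCyber Experts checklist: a Python reset-token store that satisfies the Test For Weak Password Reset Function items (random, unique, rate limited, single use, time-limited tokens). The TTL, the per-hour issue limit and the injectable clock are choices made for this example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # unused tokens die after 15 minutes (example value)
MAX_ISSUED_PER_HOUR = 3       # per account, to limit reset-flow abuse (example value)


def _digest(token):
    # Only a hash is stored: a leaked database must not yield live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    def __init__(self, clock=time.time):
        self._clock = clock     # injectable so tests can move time forward
        self._live = {}         # token digest -> (user_id, issued_at)
        self._issued = {}       # user_id -> timestamps of recent issues

    def issue(self, user_id):
        """Return a fresh token for user_id, or None when the account is rate limited."""
        now = self._clock()
        recent = [t for t in self._issued.get(user_id, []) if now - t < 3600]
        if len(recent) >= MAX_ISSUED_PER_HOUR:
            return None   # the caller still answers "email sent" to avoid enumeration
        self._issued[user_id] = recent + [now]
        # 256 bits from the OS CSPRNG: unpredictable and, in practice, unique.
        token = secrets.token_urlsafe(32)
        self._live[_digest(token)] = (user_id, now)
        return token

    def redeem(self, token):
        """Return the user_id the token belongs to, or None.

        Any redemption attempt consumes the token, so it can be used once only,
        and an expired token is rejected even though it was never used.
        """
        entry = self._live.pop(_digest(token), None)
        if entry is None:
            return None
        user_id, issued_at = entry
        if self._clock() - issued_at > TOKEN_TTL_SECONDS:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("alice")
    print("issued", token)
    print("first redeem:", store.redeem(token))
    print("second redeem:", store.redeem(token))
```

The lookup is by SHA-256 digest, so the token itself never touches the database and there is no string comparison on secret material; the same structure works for the activation links listed under Test For Weak 2FA.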
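Added example, not part of the KCyber Experts checklist: a Python path resolver that neutralises the cases listed under Testing Directory Traversal File Include, Testing Traversal With Encoding, Different OS Schemes, Other Encoding Techniques and the LFI null-byte item. The base directory and the decode limit are assumptions made for this example.

```python
import os
from urllib.parse import unquote


def _fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing.

    Returns None when it is still changing after max_rounds: double and triple
    encoding are rejected outright instead of being decoded indefinitely.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return None


def safe_resolve(base_dir, user_path):
    """Return the absolute path for user_path inside base_dir, or None if rejected."""
    decoded = _fully_decode(user_path)
    if decoded is None or "\x00" in decoded:
        return None                             # undecodable, or a null-byte truncation
    decoded = decoded.replace("\\", "/")        # Windows-style separators count too
    if decoded.startswith("/"):
        return None                             # absolute paths are never accepted
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        return None                             # no parent references at all
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, *parts))
    # Belt and braces: after symlinks are followed the result must still sit
    # inside the base directory.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


if __name__ == "__main__":
    base = "/srv/app/public"    # hypothetical document root
    for p in ("images/logo.png", "../../etc/passwd", "%252e%252e/etc/passwd",
              "..\\..\\windows\\win.ini", "docs/readme.txt%00.png"):
        print(repr(p), "->", safe_resolve(base, p))
```

Rejecting rather than normalising is deliberate: a request that contains `..` after decoding has no legitimate meaning, so logging and refusing it gives the detection team a clean signal instead of silently mapping it somewhere under the base.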
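Added example, not part of the KCyber Experts checklist: a Python audit of Set-Cookie headers for the Test For Session Management Schema and Test For Cookie Attributes items (Secure, HttpOnly, Path, SameSite, persistence of session cookies). The sample headers and the list of session-cookie names are constructed for this example.

```python
# Attributes every session cookie must carry, keyed by their lower-case form.
REQUIRED = {"secure": "Secure", "httponly": "HttpOnly"}
# Cookie names that usually identify the session (constructed list).
SESSION_NAMES = {"sid", "session", "sessionid", "phpsessid", "jsessionid"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()   # attributes are case-insensitive
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    for key, display in REQUIRED.items():
        if key not in attrs:
            findings.append(f"missing {display}")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")   # browsers drop it otherwise
    if "path" not in attrs:
        findings.append("missing Path")
    # A session cookie with Expires or Max-Age survives the browser closing.
    if name.lower() in SESSION_NAMES and ("expires" in attrs or "max-age" in attrs):
        findings.append("session cookie is persistent")
    return name, findings


def audit_headers(set_cookie_headers):
    return {name: findings for name, findings in map(audit_cookie, set_cookie_headers)}


# Constructed Set-Cookie headers covering the cases the checklist asks about.
SAMPLE_HEADERS = [
    "sid=b2f1c9d4e7a0; Path=/; Secure; HttpOnly; SameSite=Lax",
    "PHPSESSID=9f8e7d6c5b4a; Path=/",
    "prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None",
    "session=0a1b2c3d; Max-Age=2592000; Secure; HttpOnly",
    "cart=7; Path=/; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, findings or "ok")
```

Feed it the Set-Cookie headers captured from the login response and from any page that rotates the session; the cookie issued after authentication must be a new one for the Test For Session Fixation item to pass, which this parser lets you compare by name and value.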
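Added example, not part of the KCyber Experts checklist: a Python CSRF token scheme that passes the Test For Cross Site Request Forgery items (server-side validation, full-length check, per-session binding, no blank or foreign tokens, no state change via GET, same rule regardless of content type). The secret, the nonce size and the request dictionary shape are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated at import here so the example runs stand-alone.
CSRF_SECRET = secrets.token_bytes(32)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
NONCE_HEX = 32   # 16 random bytes as hex
MAC_HEX = 64     # SHA-256 as hex


def _mac(session_id, nonce, secret):
    return hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, secret=CSRF_SECRET):
    """Token = nonce.mac; the MAC binds the nonce to this session, so a token
    minted for one account is useless on another."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce, secret)}"


def verify_csrf_token(token, session_id, secret=CSRF_SECRET):
    if not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    if len(nonce) != NONCE_HEX or len(mac) != MAC_HEX:
        return False   # full-length check: truncated or padded tokens never pass
    return hmac.compare_digest(mac, _mac(session_id, nonce, secret))


def authorize_state_change(request, session_id, secret=CSRF_SECRET):
    """Return (allowed, reason). request is a dict with method, headers, form."""
    method = request["method"].upper()
    if method not in STATE_CHANGING:
        return False, "state change attempted with a safe method"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # The token comes from the form body or a custom header, never from a cookie
    # alone, and the content type of the body does not change the requirement.
    token = request.get("form", {}).get("csrf_token") or headers.get("x-csrf-token")
    if not verify_csrf_token(token, session_id, secret):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-A"   # constructed session identifier
    token = issue_csrf_token(sid)
    print(authorize_state_change({"method": "POST", "headers": {}, "form": {"csrf_token": token}}, sid))
    print(authorize_state_change({"method": "GET", "headers": {}, "form": {"csrf_token": token}}, sid))
    print(authorize_state_change({"method": "POST", "headers": {}, "form": {"csrf_token": token}}, "session-B"))
```

Because the token is an HMAC over the session id, the server needs no token table, and the items about comparing tokens across dummy accounts or replaying an unused token from another session fail by construction.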
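Added example, not part of the KCyber Experts checklist: a Python upload validator for the Test File Extension Handling and Test For Malicious File Upload items (allow-listed extensions, content that matches the extension, size limit, and client file names carrying null bytes, right-to-left override characters or encoded payloads). The allow-list, magic bytes and size limit are constructed for this example; the server never reuses the client's file name.

```python
import secrets
import unicodedata

MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # example limit; large uploads are a DOS vector

# Allow-list of extensions and the leading bytes each one must start with
# (constructed for this example; extend per application).
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def validate_upload(filename, content, max_bytes=MAX_UPLOAD_BYTES):
    """Return None when the upload is acceptable, otherwise the rejection reason."""
    if len(content) > max_bytes:
        return "file too large"
    # Control characters (Cc) cover NUL truncation tricks; format characters (Cf)
    # cover the Unicode bidi overrides used for right-to-left override spoofing.
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in filename):
        return "control character in file name"
    # Keep only the last path component; clients may send directory separators.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base or base.startswith("."):
        return "missing extension"
    ext = base.rsplit(".", 1)[1].lower()          # last extension decides, e.g. x.php.png -> png
    if ext not in ALLOWED:
        return "extension not allowed"
    if not content.startswith(ALLOWED[ext]):      # bytes.startswith accepts a tuple
        return "content does not match extension"
    return None


def storage_name(filename):
    """Server-chosen name: random base plus the validated extension, so nothing the
    client put in the name (payloads, IP addresses, encoded text) reaches disk."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample content: a minimal PNG signature followed by padding.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, data in (("photo.png", PNG), ("shell.php", b"not a png"),
                       ("shell.php.png", b"not a png"), ("invoice\u202efdp.exe", PNG),
                       ("photo.png\x00.php", PNG)):
        verdict = validate_upload(name, data)
        print(repr(name), "->", verdict or storage_name(name))
```

Storing under a random name also removes the checklist's file-name injection cases (XSS, RCE, LFI, RFI, SQL payloads in the name) from the application's reach; keep the original name, if you need it, as escaped metadata rather than as a path.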
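Added example, not part of the KCyber Experts checklist: a Python rate limiter whose key survives the bypasses listed under Test For No-Rate Limiting (endpoint case changes, trailing slashes, null bytes, added or duplicated headers, spoofed forwarding headers). The limit, window, trusted-proxy address and sample client addresses are constructed for this example.

```python
import time
from collections import defaultdict, deque
from urllib.parse import unquote


class RateLimiter:
    """Sliding-window limiter keyed on (client IP, canonical path)."""

    def __init__(self, limit, window_seconds, trusted_proxies=(), clock=time.time):
        self.limit = limit
        self.window = window_seconds
        self.trusted_proxies = set(trusted_proxies)
        self._clock = clock                 # injectable so tests can move time forward
        self._hits = defaultdict(deque)     # key -> timestamps inside the window

    def client_ip(self, peer_ip, headers):
        # X-Forwarded-For only means something when our own proxy added it; from
        # any other peer it is attacker-controlled and is ignored. The rightmost
        # entry is the address the trusted proxy itself saw.
        xff = headers.get("x-forwarded-for")
        if peer_ip in self.trusted_proxies and xff:
            return xff.split(",")[-1].strip()
        return peer_ip

    @staticmethod
    def canonical_path(path):
        path = unquote(path).split("\x00", 1)[0]        # drop null-byte suffixes
        path = path.split("?", 1)[0].split("#", 1)[0]   # query and fragment are not the endpoint
        while "//" in path:
            path = path.replace("//", "/")
        return path.lower().rstrip("/") or "/"           # /API/Login/ counts as /api/login

    def allow(self, peer_ip, headers, path):
        """Record one request and return True if it is within the limit."""
        headers = {name.lower(): value for name, value in headers.items()}
        # Origin, duplicated headers and other request headers never enter the
        # key, so adding them cannot open a fresh bucket.
        key = (self.client_ip(peer_ip, headers), self.canonical_path(path))
        now = self._clock()
        window = self._hits[key]
        while window and now - window[0] >= self.window:
            window.popleft()
        if len(window) >= self.limit:
            return False
        window.append(now)
        return True


if __name__ == "__main__":
    limiter = RateLimiter(limit=3, window_seconds=60, trusted_proxies={"10.0.0.1"})
    for path in ("/api/login", "/api/login", "/api/login", "/API/Login/", "/api/login%00"):
        print(path, "->", limiter.allow("203.0.113.5", {}, path))
```

The same class, keyed on the account name instead of the client address, gives the lockout counter that Test For Weak Lockout Mechanism asks for; the point of the example is that every variant the checklist lists collapses onto one key before counting.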