Professional Documents
Culture Documents
Web Pentesting Checklist
Web Pentesting Checklist
CHECKLIST
/
om
INFORMATION GATHERING
t.c
1. Open Source Reconnaissance
po
☐ Perform Google Dorks search
gs
☐ Perform OSINT
lo
.b
2. Fingerprinting Web Server
th
/
om
☐ Identify where the methods used are?
t.c
☐ Identify the Injection point
po
gs
7. Mapping Execution Paths
☐ Use Burp Suite
lo
.b
☐ Use Dirsearch
th
☐ Use Gobuster
an
sa
☐ Use Whatweb
ar
//h
/
om
☐ Ensure only required modules are used
☐ Ensure unwanted modules are disabled
t.c
☐ Ensure the server can handle DOS
po
☐ Check how the application is handling 4xx & 5xx errors
gs
☐ Check for the privilege required to run
lo
.b
☐ Check logs for sensitive info
th
an
/
☐ Test for HTTP method overriding
om
t.c
7. Test HSTS
po
☐ Ensure HSTS is enabled
gs
8. Test RIA Cross Domain Policy
☐ Check for Adobe’s Cross Domain Policy lo
.b
th
/
om
2. Test User Registration Process
t.c
☐ Ensure the same user or identity can’t register again and again
po
☐ Ensure the registrations are verified
gs
☐ Ensure disposable email addresses are rejected
lo
☐ Check what proof is required for successful registration
.b
th
an
AUTHENTICATION TESTING
/
om
☐ Check for the HTTP register or sign-in page
☐ Check for HTTP forgot password page
t.c
☐ Check for HTTP change password
po
☐ Check for resources on HTTP after logout
gs
☐ Test for forced browsing to HTTP pages
lo
.b
th
☐ Ensure the account has been locked after 3-5 incorrect attempts
☐ Ensure the system accepts only the valid CAPTCHA
☐ Ensure the system rejects the invalid CAPTCHA
☐ Ensure CAPTCHA code regenerated after reloaded
☐ Ensure CAPTCHA reloads after entering the wrong code
☐ Ensure the user has a recovery option for a lockout account
4. Test For Bypassing Authentication Schema
☐ Test forced browsing directly to the internal dashboard without login
☐ Test for session ID prediction
☐ Test for authentication parameter tampering
☐ Test for SQL injection on the login page
☐ Test to gain access with the help of session ID
/
☐ Test multiple logins allowed or not?
om
t.c
5. Test For Vulnerable Remember Password
po
☐ Ensure that the stored password is encrypted
gs
☐ Ensure that the stored password is on the server-side
lo
.b
6. Test For Browser Cache Weakness
th
/
om
☐ Ensure the token must expire after not being used for a long time
t.c
10. Test For Weak Password Change Function
po
☐ Check if the old password asked to make a change
gs
☐ Check for the uniqueness of the forgotten password
☐ Check for blank password change lo
.b
th
☐ Ensure the other sessions got destroyed after the password change
ra
ip
/
om
t.c
2. Testing Traversal With Encoding
☐ Test Traversal with Base64 encoding
po
☐ Test Traversal with URL encoding
gs
☐ Test Traversal with ASCII encoding
lo
.b
☐ Test Traversal with HTML encoding
th
/
om
☐ Test for bypassing the security measures
t.c
☐ Test for forced browsing
po
☐ Test for IDOR
gs
☐ Test for parameter tampering to high privileged user
lo
.b
7. Test For Insecure Direct Object Reference
th
/
☐ Check for session cookies and cookie expiration date/time
om
☐ Check for session fixation
t.c
☐ Check for concurrent login
po
☐ Check for session after logout
gs
☐ Check for session after closing the browser
lo
.b
☐ Try decoding cookies (Base64, Hex, URL, etc)
th
an
/
om
☐ Check by comparing the CSRF tokens for multiple dummy accounts
t.c
☐ Check CSRF by interchanging POST with GET method
po
☐ Check CSRF by removing the CSRF token parameter
gs
☐ Check CSRF by removing the CSRF token and using a blank parameter
☐ Check CSRF by using unused tokens
lo
.b
☐ Check CSRF by replacing the CSRF token with its own values
th
an
/
om
10. Test For Session Hijacking
☐ Test session hijacking on target that doesn’t has HSTS enabled
t.c
☐ Test by login with the help of captured cookies
po
gs
INPUT VALIDATION TESTING
lo
.b
th
☐ Test by replacing < and > with HTML entities < and >
ip
/
om
☐ Test uploading a file with XSS payload as its file name
☐ Test with HTML tags
t.c
po
3. Test For HTTP Parameter Pollution
gs
☐ Identify the backend server and parsing method used
☐ Try to access the injection point lo
.b
th
/
om
☐ Try SQL Injection with Time based SQL
t.c
5. Test For LDAP Injection
po
☐ Use LDAP search filters
gs
☐ Try LDAP Injection for access control bypass
lo
.b
th
6. Testing For XML Injection
an
/
om
☐ Try to change the local path
t.c
☐ Use LFI payload list
po
☐ Test LFI by adding a null byte at the end
gs
lo
11. Test For Remote File Inclusion .b
☐ Look for RFI keywords
th
/
☐ Test for HHI by adding the target with a slash after the original values
om
☐ Test for HHI with other injections on the Host parameter
t.c
☐ Test for HHI by password reset poisoning
po
gs
15. Test For Server Side Reqest Forgery
☐ Look for SSRF keywords
lo
.b
☐ Search for SSRF keywords only under the request header and body
th
an
/
WEAK CRYPTOGRAPHY TESTING
om
t.c
1. Test For Weak Transport Layer Security
☐ Test for DROWN weakness on SSLv2 protocol
po
☐ Test for POODLE weakness on SSLv3 protocol
gs
☐ Test for BEAST weakness on TLSv1.0 protocol
lo
.b
☐ Test for FREAK weakness on export cipher suites
th
☐ Ensure the digital certificates should have at least 2048 bits of key length
s:
tp
☐ Ensure the digital certificates should have at least SHA - 256 signature
ht
algorithm
☐ Ensure the digital certificates should not use MDF and SHA - 1
☐ Ensure the validity of the digital certificate
☐ Ensure the minimum key length requirements
☐ Look for weak cipher suites
BUSINESS LOGIC TESTING
/
om
☐ Test for parameter tampering
t.c
po
2. Test For Malicious File Upload
☐ Test malicious file upload by uploading malicious files
gs
☐ Test malicious file upload by putting your IP address on the file name
lo
.b
☐ Test malicious file upload by right to left override
th
☐ Test malicious file upload by Inserting the payload inside of an image by the
bmp.pl tool
☐ Test malicious file upload by uploading large files (leads to DOS)
CLIENT SIDE TESTING
/
om
☐ Test for URL redirection on domain parameters
☐ Test for URL redirection by using a payload list
t.c
☐ Test for URL redirection by using a whitelisted word at the end
po
☐ Test for URL redirection by creating a new subdomain with the same as the
gs
target
☐ Test for URL redirection by XSS lo
.b
th
/
om
☐ Try to bypass rate limiting by adding Origin headers
t.c
☐ Try to bypass rate limiting by IP rotation
po
☐ Try to bypass rate limiting by using null bytes at the end
gs
☐ Try to bypass rate limiting by using race conditions
lo
.b
2. Test For EXIF Geodata
th
/
om
☐ Try to bypass 2FA by changing the email or password
☐ Try to bypass 2FA by using a null or empty entry
t.c
po
☐ Try to bypass 2FA by changing the boolean into false
gs
☐ Try to bypass 2FA by removing the 2FA parameter on the request
lo
.b
6. Test For Weak OTP Implementation
th