{"id":13722609,"url":"https://github.com/Hari-prasaanth/Web-App-Pentest-Checklist","last_synced_at":"2025-05-07T15:31:38.011Z","repository":{"id":37346699,"uuid":"501465493","full_name":"Hari-prasaanth/Web-App-Pentest-Checklist","owner":"Hari-prasaanth","description":"A OWASP Based Checklist  With 500+ Test Cases","archived":false,"fork":false,"pushed_at":"2022-10-26T01:16:42.000Z","size":3735,"stargazers_count":639,"open_issues_count":0,"forks_count":134,"subscribers_count":12,"default_branch":"main","last_synced_at":"2024-11-14T12:50:08.127Z","etag":null,"topics":["bug","bugbounty","checklist","penetration-testing","penetration-testing-framework","pentesting","web","website"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Hari-prasaanth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-06-09T01:33:04.000Z","updated_at":"2024-11-13T05:44:18.000Z","dependencies_parsed_at":"2023-01-19T12:00:42.549Z","dependency_job_id":null,"html_url":"https://github.com/Hari-prasaanth/Web-App-Pentest-Checklist","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hari-prasaanth%2FWeb-App-Pentest-Checklist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hari-prasaanth%2FWeb-App-Pentest-Checklist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hari-prasaanth%2FWeb-App-Pentest-Checklist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hari-prasaanth%2FWeb-App-Pentest-Checklist/m
anifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Hari-prasaanth","download_url":"https://codeload.github.com/Hari-prasaanth/Web-App-Pentest-Checklist/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252905838,"owners_count":21822873,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug","bugbounty","checklist","penetration-testing","penetration-testing-framework","pentesting","web","website"],"created_at":"2024-08-03T01:01:30.823Z","updated_at":"2025-05-07T15:31:36.813Z","avatar_url":"https://github.com/Hari-prasaanth.png","language":null,"funding_links":[],"categories":["Main Resources -"],"sub_categories":["Free"],"readme":"\n\n\n# WEB APPLICATION PENTESTING CHECKLIST\n\n**OWASP Based Checklist  🌟🌟**\n\n**500+ Test Cases 🚀🚀**\n\nNotion link: https://hariprasaanth.notion.site/WEB-APPLICATION-PENTESTING-CHECKLIST-0f02d8074b9d4af7b12b8da2d46ac998\n\u003c/br\u003e\u003c/br\u003e\n\n- **INFORMATION GATHERING**\n    \n    **Open Source Reconnaissance**\n    \n    - [ ]  Perform Google Dorks search\n    - [ ]  Perform OSINT\n    \n    **Fingerprinting Web Server**\n    \n    - [ ]  Find the type of Web Server\n    - [ ]  Find the version details of the Web Server\n    \n    **Looking For Metafiles**\n    \n    - [ ]  View the Robots.txt file\n    - [ ]  View the Sitemap.xml file\n    - [ ]  View the Humans.txt file\n    - [ ]  View the Security.txt file\n    \n    **Enumerating Web Server’s Applications**\n    \n    - [ ]  Enumerating with Nmap\n    - [ ]  Enumerating with Netcat\n    - [ ]  
Perform a DNS lookup\n    - [ ]  Perform a Reverse DNS lookup\n    \n    **Review The Web Contents**\n    \n    - [ ]  Inspect the page source for sensitive info\n    - [ ]  Try to find sensitive JavaScript code\n    - [ ]  Try to find any keys\n    - [ ]  Make sure the autocomplete is disabled\n    \n    **Identifying Application’s Entry Points**\n    \n    - [ ]  Identify which HTTP methods are used\n    - [ ]  Identify where those methods are used\n    - [ ]  Identify the Injection point\n    \n    **Mapping Execution Paths**\n    \n    - [ ]  Use Burp Suite\n    - [ ]  Use Dirsearch\n    - [ ]  Use Gobuster\n    \n    **Fingerprint Web Application Framework**\n    \n    - [ ]  Use the Wappalyzer browser extension\n    - [ ]  Use Whatweb\n    - [ ]  View URL extensions\n    - [ ]  View HTML source code\n    - [ ]  View the cookie parameter\n    - [ ]  View the HTTP headers\n    \n    **Map Application Architecture**\n    \n    - [ ]  Map the overall site structure\n    \n- **CONFIGURATION \u0026 DEPLOYMENT MANAGEMENT TESTING**\n    \n    **Test Network Configuration**\n    \n    - [ ]  Check the network configuration\n    - [ ]  Check for default settings\n    - [ ]  Check for default credentials\n    \n    **Test Application Configuration**\n    \n    - [ ]  Ensure only required modules are used\n    - [ ]  Ensure unwanted modules are disabled\n    - [ ]  Ensure the server can handle DoS\n    - [ ]  Check how the application is handling 4xx \u0026 5xx errors\n    - [ ]  Check for the privilege required to run\n    - [ ]  Check logs for sensitive info\n    \n    **Test File Extension Handling**\n    \n    - [ ]  Ensure the server won’t return sensitive extensions\n    - [ ]  Ensure the server won’t accept malicious extensions\n    - [ ]  Test for file upload vulnerabilities\n    \n    **Review Backup \u0026 Unreferenced Files**\n    \n    - [ ]  Ensure unreferenced files don’t contain any sensitive info\n    - [ ]  Check the naming of old and new backup files\n 
   - [ ]  Check the functionality of unreferenced pages\n    \n    **Enumerate Infrastructure \u0026 Admin Interfaces**\n    \n    - [ ]  Try to find the Infrastructure Interface\n    - [ ]  Try to find the Admin Interface\n    - [ ]  Identify the hidden admin functionalities\n    \n    **Testing HTTP Methods**\n    \n    - [ ]  Discover the supported methods\n    - [ ]  Ensure the PUT method is disabled\n    - [ ]  Ensure the OPTIONS method is disabled\n    - [ ]  Test access control bypass\n    - [ ]  Test for XST attacks\n    - [ ]  Test for HTTP method overriding\n    \n    **Test HSTS**\n    \n    - [ ]  Ensure HSTS is enabled\n    \n    **Test RIA Cross Domain Policy**\n    \n    - [ ]  Check for Adobe’s Cross Domain Policy\n    - [ ]  Ensure it has the least privilege\n    \n    **Test File Permission**\n    \n    - [ ]  Check the permissions on sensitive files\n    - [ ]  Test for directory enumeration\n    \n    **Test For Subdomain Takeover**\n    \n    - [ ]  Test DNS, A, and CNAME records for subdomain takeover\n    - [ ]  Test NS records for subdomain takeover\n    - [ ]  Test 404 response for subdomain takeover\n    \n    **Test Cloud Storage**\n    \n    - [ ]  Check the sensitive paths of AWS\n    - [ ]  Check the sensitive paths of Google Cloud\n    - [ ]  Check the sensitive paths of Azure\n    \n- **IDENTITY MANAGEMENT TESTING**\n    \n    **Test Role Definitions**\n    \n    - [ ]  Test for forced browsing\n    - [ ]  Test for IDOR (Insecure Direct Object Reference)\n    - [ ]  Test for parameter tampering\n    - [ ]  Ensure low privilege users can’t access high privilege resources\n    \n    **Test User Registration Process**\n    \n    - [ ]  Ensure the same user or identity can’t register again and again\n    - [ ]  Ensure the registrations are verified\n    - [ ]  Ensure disposable email addresses are rejected\n    - [ ]  Check what proof is required for successful registration\n    \n    **Test Account Provisioning Process**\n    
\n    - [ ]  Check the verification for the provisioning process\n    - [ ]  Check the verification for the de-provisioning process\n    - [ ]  Check the provisioning rights for an admin user to other users\n    - [ ]  Check whether a user is able to de-provision themselves\n    - [ ]  Check for the resources of a de-provisioned user\n    \n    **Testing For Account Enumeration**\n    \n    - [ ]  Check the response when a valid username and password are entered\n    - [ ]  Check the response when a valid username and an invalid password are entered\n    - [ ]  Check the response when an invalid username and password are entered\n    - [ ]  Ensure the rate-limiting functionality is enabled in username and password fields\n    \n    **Test For Weak Username Policy**\n    \n    - [ ]  Check the response for both valid and invalid usernames\n    - [ ]  Check for username enumeration\n    \n- **AUTHENTICATION TESTING**\n    \n    **Test For Un-Encrypted Channel**\n    \n    - [ ]  Check for the HTTP login page\n    - [ ]  Check for the HTTP register or sign-in page\n    - [ ]  Check for HTTP forgot password page\n    - [ ]  Check for HTTP change password\n    - [ ]  Check for resources on HTTP after logout\n    - [ ]  Test for forced browsing to HTTP pages\n    \n    **Test For Default Credentials**\n    \n    - [ ]  Test with default credentials\n    - [ ]  Test organization name as credentials\n    - [ ]  Test for response manipulation\n    - [ ]  Test for the default username and a blank password\n    - [ ]  Review the page source for credentials\n    \n    **Test For Weak Lockout Mechanism**\n    \n    - [ ]  Ensure the account is locked after 3-5 incorrect attempts\n    - [ ]  Ensure the system accepts only the valid CAPTCHA\n    - [ ]  Ensure the system rejects the invalid CAPTCHA\n    - [ ]  Ensure the CAPTCHA code is regenerated after a reload\n    - [ ]  Ensure CAPTCHA reloads after entering the wrong code\n    - [ ]  Ensure the user has a recovery option for a 
locked-out account\n    \n    **Test For Bypassing Authentication Schema**\n    \n    - [ ]  Test forced browsing directly to the internal dashboard without login\n    - [ ]  Test for session ID prediction\n    - [ ]  Test for authentication parameter tampering\n    - [ ]  Test for SQL injection on the login page\n    - [ ]  Test to gain access with the help of session ID\n    - [ ]  Test whether multiple logins are allowed\n    \n    **Test For Vulnerable Remember Password**\n    \n    - [ ]  Ensure that the stored password is encrypted\n    - [ ]  Ensure that the stored password is on the server-side\n    \n    **Test For Browser Cache Weakness**\n    \n    - [ ]  Ensure proper cache-control is set on sensitive pages\n    - [ ]  Ensure no sensitive data is stored in the browser cache storage\n    \n    **Test For Weak Password Policy**\n    \n    - [ ]  Ensure the password policy is set to strong\n    - [ ]  Check for password reusability\n    - [ ]  Check that the user is prevented from using their username as a password\n    - [ ]  Check for the usage of common weak passwords\n    - [ ]  Check that a minimum password length is set\n    - [ ]  Check that a maximum password length is set\n    \n    **Testing For Weak Security Questions**\n    \n    - [ ]  Check for the complexity of the questions\n    - [ ]  Check for brute-forcing\n    \n    **Test For Weak Password Reset Function**\n    \n    - [ ]  Check what information is required to reset the password\n    - [ ]  Check for password reset function with HTTP\n    - [ ]  Test the randomness of the password reset tokens\n    - [ ]  Test the uniqueness of the password reset tokens\n    - [ ]  Test for rate limiting on password reset tokens\n    - [ ]  Ensure the token expires after being used\n    - [ ]  Ensure the token expires after not being used for a long time\n    \n    **Test For Weak Password Change Function**\n    \n    - [ ]  Check if the old password is required to make a change\n    - [ ]  Check for the uniqueness 
of the forgotten password\n    - [ ]  Check for blank password change\n    - [ ]  Check for password change function with HTTP\n    - [ ]  Ensure the old password is not displayed after being changed\n    - [ ]  Ensure the other sessions are destroyed after the password change\n    \n    **Test For Weak Authentication In Alternative Channel**\n    \n    - [ ]  Test authentication on the desktop browsers\n    - [ ]  Test authentication on the mobile browsers\n    - [ ]  Test authentication in a different country\n    - [ ]  Test authentication in a different language\n    - [ ]  Test authentication on desktop applications\n    - [ ]  Test authentication on mobile applications\n    \n- **AUTHORIZATION TESTING**\n    \n    **Testing Directory Traversal File Include**\n    \n    - [ ]  Identify the injection point on the URL\n    - [ ]  Test for Local File Inclusion\n    - [ ]  Test for Remote File Inclusion\n    - [ ]  Test Traversal on the URL parameter\n    - [ ]  Test Traversal on the cookie parameter\n    \n    **Testing Traversal With Encoding**\n    \n    - [ ]  Test Traversal with Base64 encoding\n    - [ ]  Test Traversal with URL encoding\n    - [ ]  Test Traversal with ASCII encoding\n    - [ ]  Test Traversal with HTML encoding\n    - [ ]  Test Traversal with Hex encoding\n    - [ ]  Test Traversal with Binary encoding\n    - [ ]  Test Traversal with Octal encoding\n    - [ ]  Test Traversal with Gzip encoding\n    \n    **Testing Traversal With Different OS Schemes**\n    \n    - [ ]  Test Traversal with Unix schemes\n    - [ ]  Test Traversal with Windows schemes\n    - [ ]  Test Traversal with Mac schemes\n    \n    **Test Other Encoding Techniques**\n    \n    - [ ]  Test Traversal with Double encoding\n    - [ ]  Test Traversal with all characters encoded\n    - [ ]  Test Traversal with only special characters encoded\n    \n    **Test Authorization Schema Bypass**\n    \n    - [ ]  Test for Horizontal authorization schema bypass\n    - [ ]  Test for Vertical 
authorization schema bypass\n    - [ ]  Test overriding the target with custom headers\n    \n    **Test For Privilege Escalation**\n    \n    - [ ]  Identify the injection point\n    - [ ]  Test for bypassing the security measures\n    - [ ]  Test for forced browsing\n    - [ ]  Test for IDOR\n    - [ ]  Test for parameter tampering to a higher privileged user\n    \n    **Test For Insecure Direct Object Reference**\n    \n    - [ ]  Test to change the ID parameter\n    - [ ]  Test to add parameters at the endpoints\n    - [ ]  Test for HTTP parameter pollution\n    - [ ]  Test by adding an extension at the end\n    - [ ]  Test with outdated API versions\n    - [ ]  Test by wrapping the ID with an array\n    - [ ]  Test by wrapping the ID with a JSON object\n    - [ ]  Test for JSON parameter pollution\n    - [ ]  Test by changing the case\n    - [ ]  Test for path traversal\n    - [ ]  Test by changing words\n    - [ ]  Test by changing methods\n    \n- **SESSION MANAGEMENT TESTING**\n    \n    **Test For Session Management Schema**\n    \n    - [ ]  Ensure all Set-Cookie directives are secure\n    - [ ]  Ensure no cookie operation takes place over an unencrypted channel\n    - [ ]  Ensure the cookie can’t be forced over an unencrypted channel\n    - [ ]  Ensure the HTTPOnly flag is enabled\n    - [ ]  Check if any cookies are persistent\n    - [ ]  Check for session cookies and cookie expiration date/time\n    - [ ]  Check for session fixation\n    - [ ]  Check for concurrent login\n    - [ ]  Check for session after logout\n    - [ ]  Check for session after closing the browser\n    - [ ]  Try decoding cookies (Base64, Hex, URL, etc)\n    \n    **Test For Cookie Attributes**\n    \n    - [ ]  Ensure the cookie is set with the Secure attribute\n    - [ ]  Ensure the cookie is set with the Path attribute\n    - [ ]  Ensure the cookie has the HTTPOnly flag\n    \n    **Test For Session Fixation**\n    \n    - [ ]  Ensure new cookies have been issued upon 
a successful authentication\n    - [ ]  Test manipulating the cookies\n    \n    **Test For Exposed Session Variables**\n    \n    - [ ]  Test for encryption\n    - [ ]  Test for GET and POST vulnerabilities\n    - [ ]  Test whether a GET request carrying the session ID is used\n    - [ ]  Test by interchanging POST with GET method\n    \n    **Test For Back Refresh Attack**\n    \n    - [ ]  Test after password change\n    - [ ]  Test after logout\n    \n    **Test For Cross Site Request Forgery**\n    \n    - [ ]  Check if the token is validated on the server-side or not\n    - [ ]  Check if the token is validated for full or partial length\n    - [ ]  Check by comparing the CSRF tokens for multiple dummy accounts\n    - [ ]  Check CSRF by interchanging POST with GET method\n    - [ ]  Check CSRF by removing the CSRF token parameter\n    - [ ]  Check CSRF by removing the CSRF token and using a blank parameter\n    - [ ]  Check CSRF by using unused tokens\n    - [ ]  Check CSRF by replacing the CSRF token with its own values\n    - [ ]  Check CSRF by changing the content type to form-multipart\n    - [ ]  Check CSRF by changing or deleting some characters of the CSRF token\n    - [ ]  Check CSRF by changing the referrer to Referrer\n    - [ ]  Check CSRF by changing the host values\n    - [ ]  Check CSRF alongside clickjacking\n    \n    **Test For Logout Functionality**\n    \n    - [ ]  Check the logout function on different pages\n    - [ ]  Check for the visibility of the logout button\n    - [ ]  Ensure the session is ended after logout\n    - [ ]  Ensure that after logout the dashboard can’t be accessed by pressing the back button\n    - [ ]  Ensure a proper session timeout is set\n    \n    **Test For Session Timeout**\n    \n    - [ ]  Ensure a session timeout exists\n    - [ ]  Ensure after the timeout, all of the tokens are destroyed\n    \n    **Test For Session Puzzling**\n    \n    - [ ]  Identify all the session variables\n    - [ ]  Try 
to break the logical flow of the session generation\n    \n    **Test For Session Hijacking**\n    \n    - [ ]  Test session hijacking on a target that doesn’t have HSTS enabled\n    - [ ]  Test by logging in with the help of captured cookies\n    \n- **INPUT VALIDATION TESTING**\n    \n    **Test For Reflected Cross Site Scripting**\n    \n    - [ ]  Ensure these characters are filtered \u003c\u003e’’\u0026””\n    - [ ]  Test with a character escape sequence\n    - [ ]  Test by replacing \u003c and \u003e with HTML entities \u0026lt; and \u0026gt;\n    - [ ]  Test payload with both lower and upper case\n    - [ ]  Test to break firewall regex by new line \\r\\n\n    - [ ]  Test with double encoding\n    - [ ]  Test with recursive filters\n    - [ ]  Test injecting anchor tags without whitespace\n    - [ ]  Test by replacing whitespace with bullets\n    - [ ]  Test by changing HTTP methods\n    \n    **Test For Stored Cross Site Scripting**\n    \n    - [ ]  Identify stored input parameters that will reflect on the client-side\n    - [ ]  Look for input parameters on the profile page\n    - [ ]  Look for input parameters on the shopping cart page\n    - [ ]  Look for input parameters on the file upload page\n    - [ ]  Look for input parameters on the settings page\n    - [ ]  Look for input parameters on the forum and comment pages\n    - [ ]  Test uploading a file with XSS payload as its file name\n    - [ ]  Test with HTML tags\n    \n    **Test For HTTP Parameter Pollution**\n    \n    - [ ]  Identify the backend server and parsing method used\n    - [ ]  Try to access the injection point\n    - [ ]  Try to bypass the input filters using HTTP Parameter Pollution\n    \n    **Test For SQL Injection**\n    \n    - [ ]  Test SQL Injection on authentication forms\n    - [ ]  Test SQL Injection on the search bar\n    - [ ]  Test SQL Injection on editable characteristics\n    - [ ]  Try to find SQL keywords or entry point detections\n    - [ ]  Try to inject SQL queries\n    - [ ] 
 Use tools like SQLmap or Hackbar\n    - [ ]  Use Google dorks to find the SQL keywords\n    - [ ]  Try GET based SQL Injection\n    - [ ]  Try POST based SQL Injection\n    - [ ]  Try COOKIE based SQL Injection\n    - [ ]  Try HEADER based SQL Injection\n    - [ ]  Try SQL Injection with null bytes before the SQL query\n    - [ ]  Try SQL Injection with URL encoding\n    - [ ]  Try SQL Injection with both lower and upper cases\n    - [ ]  Try SQL Injection with SQL Tamper scripts\n    - [ ]  Try SQL Injection with SQL Time delay payloads\n    - [ ]  Try SQL Injection with SQL Conditional delays\n    - [ ]  Try SQL Injection with Boolean based SQL\n    - [ ]  Try SQL Injection with Time based SQL\n    \n    **Test For LDAP Injection**\n    \n    - [ ]  Use LDAP search filters\n    - [ ]  Try LDAP Injection for access control bypass\n    \n    **Testing For XML Injection**\n    \n    - [ ]  Check if the application is using XML for processing\n    - [ ]  Identify the XML Injection point by XML metacharacter\n    - [ ]  Construct XSS payload on top of XML\n    \n    **Test For Server Side Includes**\n    \n    - [ ]  Use Google dorks to find the SSI\n    - [ ]  Construct RCE on top of SSI\n    - [ ]  Construct other injections on top of SSI\n    - [ ]  Test Injecting SSI on login pages, header fields, referrer, etc\n    \n    **Test For XPATH Injection**\n    \n    - [ ]  Identify XPATH Injection point\n    - [ ]  Test for XPATH Injection\n    \n    **Test For IMAP SMTP Injection**\n    \n    - [ ]  Identify IMAP SMTP Injection point\n    - [ ]  Understand the data flow\n    - [ ]  Understand the deployment structure of the system\n    - [ ]  Assess the injection impact\n    \n    **Test For Local File Inclusion**\n    \n    - [ ]  Look for LFI keywords\n    - [ ]  Try to change the local path\n    - [ ]  Use the LFI payload list\n    - [ ]  Test LFI by adding a null byte at the end\n    \n    **Test For Remote File Inclusion**\n    \n    - [ ]  Look for RFI 
keywords\n    - [ ]  Try to change the remote path\n    - [ ]  Use the RFI payload list\n    \n    **Test For Command Injection**\n    \n    - [ ]  Identify the Injection points\n    - [ ]  Look for Command Injection keywords\n    - [ ]  Test Command Injection using different delimiters\n    - [ ]  Test Command Injection with payload list\n    - [ ]  Test Command Injection with different OS commands\n    \n    **Test For Format String Injection**\n    \n    - [ ]  Identify the Injection points\n    - [ ]  Use different format parameters as payloads\n    - [ ]  Assess the injection impact\n    \n    **Test For Host Header Injection**\n    \n    - [ ]  Test for HHI by changing the real Host parameter\n    - [ ]  Test for HHI by adding X-Forwarded Host parameter\n    - [ ]  Test for HHI by swapping the real Host and X-Forwarded Host parameter\n    - [ ]  Test for HHI by adding two Host parameters\n    - [ ]  Test for HHI by adding the target values in front of the original values\n    - [ ]  Test for HHI by adding the target with a slash after the original values\n    - [ ]  Test for HHI with other injections on the Host parameter\n    - [ ]  Test for HHI by password reset poisoning\n    \n    **Test For Server Side Request Forgery**\n    \n    - [ ]  Look for SSRF keywords\n    - [ ]  Search for SSRF keywords only under the request header and body\n    - [ ]  Identify the Injection points\n    - [ ]  Test if the Injection points are exploitable\n    - [ ]  Assess the injection impact\n    \n    **Test For Server Side Template Injection**\n    \n    - [ ]  Identify the Template injection vulnerability points\n    - [ ]  Identify the Templating engine\n    - [ ]  Use the tplmap to exploit\n    \n- **ERROR HANDLING TESTING**\n    \n    **Test For Improper Error Handling**\n    \n    - [ ]  Identify the error output\n    - [ ]  Analyze the different outputs returned\n    - [ ]  Look for common error handling flaws\n    - [ ]  Test error handling by modifying the URL 
parameter\n    - [ ]  Test error handling by uploading unrecognized file formats\n    - [ ]  Test error handling by entering unrecognized inputs\n    - [ ]  Test error handling by making all possible errors\n    \n- **WEAK CRYPTOGRAPHY TESTING**\n    \n    **Test For Weak Transport Layer Security**\n    \n    - [ ]  Test for DROWN weakness on SSLv2 protocol\n    - [ ]  Test for POODLE weakness on SSLv3 protocol\n    - [ ]  Test for BEAST weakness on TLSv1.0 protocol\n    - [ ]  Test for FREAK weakness on export cipher suites\n    - [ ]  Test for Null ciphers\n    - [ ]  Test for NOMORE weakness on RC4\n    - [ ]  Test for LUCKY 13 weakness on CBC mode ciphers\n    - [ ]  Test for CRIME weakness on TLS compression\n    - [ ]  Test for LOGJAM on DHE keys\n    - [ ]  Ensure the digital certificates have at least 2048-bit keys\n    - [ ]  Ensure the digital certificates use at least a SHA-256 signature algorithm\n    - [ ]  Ensure the digital certificates do not use MD5 or SHA-1\n    - [ ]  Ensure the validity of the digital certificate\n    - [ ]  Ensure the minimum key length requirements are met\n    - [ ]  Look for weak cipher suites\n    \n- **BUSINESS LOGIC TESTING**\n    \n    **Test For Business Logic**\n    \n    - [ ]  Identify the logic of how the application works\n    - [ ]  Identify the functionality of all the buttons\n    - [ ]  Test by changing the numerical values into high or negative values\n    - [ ]  Test by changing the quantity\n    - [ ]  Test by modifying the payments\n    - [ ]  Test for parameter tampering\n    \n    **Test For Malicious File Upload**\n    \n    - [ ]  Test malicious file upload by uploading malicious files\n    - [ ]  Test malicious file upload by putting your IP address on the file name\n    - [ ]  Test malicious file upload by right to left override\n    - [ ]  Test malicious file upload by encoded file name\n    - [ ]  Test malicious file upload by XSS payload on the file name\n    - [ ]  Test 
malicious file upload by RCE payload on the file name\n    - [ ]  Test malicious file upload by LFI payload on the file name\n    - [ ]  Test malicious file upload by RFI payload on the file name\n    - [ ]  Test malicious file upload by SQL payload on the file name\n    - [ ]  Test malicious file upload by other injections on the file name\n    - [ ]  Test malicious file upload by inserting the payload inside of an image by the bmp.pl tool\n    - [ ]  Test malicious file upload by uploading large files (leads to DoS)\n    \n- **CLIENT SIDE TESTING**\n    \n    **Test For DOM Based Cross Site Scripting**\n    \n    - [ ]  Try to identify DOM sinks\n    - [ ]  Build payloads for that DOM sink type\n    \n    **Test For URL Redirect**\n    \n    - [ ]  Look for URL redirect parameters\n    - [ ]  Test for URL redirection on domain parameters\n    - [ ]  Test for URL redirection by using a payload list\n    - [ ]  Test for URL redirection by using a whitelisted word at the end\n    - [ ]  Test for URL redirection by creating a new subdomain with the same name as the target\n    - [ ]  Test for URL redirection by XSS\n    - [ ]  Test for URL redirection by profile URL flaw\n    \n    **Test For Cross Origin Resource Sharing**\n    \n    - [ ]  Look for “Access-Control-Allow-Origin” on the response\n    - [ ]  Use the CORS HTML exploit code for further exploitation\n    \n    **Test For Clickjacking**\n    \n    - [ ]  Ensure “X-Frame-Options” headers are enabled\n    - [ ]  Exploit with iframe HTML code for POC\n    \n- **OTHER COMMON ISSUES**\n    \n    **Test For No-Rate Limiting**\n    \n    - [ ]  Ensure rate limiting is enabled\n    - [ ]  Try to bypass rate limiting by changing the case of the endpoints\n    - [ ]  Try to bypass rate limiting by adding / at the end of the URL\n    - [ ]  Try to bypass rate limiting by adding HTTP headers\n    - [ ]  Try to bypass rate limiting by adding HTTP headers twice\n    - [ ]  Try to bypass rate limiting by adding Origin 
headers\n    - [ ]  Try to bypass rate limiting by IP rotation\n    - [ ]  Try to bypass rate limiting by using null bytes at the end\n    - [ ]  Try to bypass rate limiting by using race conditions\n    \n    **Test For EXIF Geodata**\n    \n    - [ ]  Ensure the website is stripping the geodata\n    - [ ]  Test with EXIF checker\n    \n    **Test For Broken Link Hijack**\n    \n    - [ ]  Ensure there are no broken links\n    - [ ]  Test broken links by using the blc tool\n    \n    **Test For SPF**\n    \n    - [ ]  Ensure the website has an SPF record\n    - [ ]  Test SPF with the nslookup command\n    \n    **Test For Weak 2FA**\n    \n    - [ ]  Try to bypass 2FA by using poor session management\n    - [ ]  Try to bypass 2FA via the OAuth mechanism\n    - [ ]  Try to bypass 2FA via brute-forcing\n    - [ ]  Try to bypass 2FA via response manipulation\n    - [ ]  Try to bypass 2FA by using activation links to log in\n    - [ ]  Try to bypass 2FA by using status code manipulation\n    - [ ]  Try to bypass 2FA by changing the email or password\n    - [ ]  Try to bypass 2FA by using a null or empty entry\n    - [ ]  Try to bypass 2FA by changing the boolean into false\n    - [ ]  Try to bypass 2FA by removing the 2FA parameter on the request\n    \n    **Test For Weak OTP Implementation**\n    \n    - [ ]  Try to bypass OTP by entering the old OTP\n    - [ ]  Try to bypass OTP by brute-forcing\n    - [ ]  Try to bypass OTP by using a null or empty entry\n    - [ ]  Try to bypass OTP by response manipulation\n    - [ ]  Try to bypass OTP by status code manipulation\n    \n\n### Shaped by: Hariprasaanth R\n\n**Reach Me: [LinkedIn](https://www.linkedin.com/in/hariprasaanth) [Portfolio](https://hariprasaanth.blogspot.com/) 
[Github](https://github.com/Hari-prasaanth)**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHari-prasaanth%2FWeb-App-Pentest-Checklist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FHari-prasaanth%2FWeb-App-Pentest-Checklist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHari-prasaanth%2FWeb-App-Pentest-Checklist/lists"}