# web-pentesting-checklist

Source repository: https://github.com/harshinsecurity/web-pentesting-checklist (description: "checklist for testing the web applications")

## Pre-Engagement

### Recon & analysis

* [ ] Identify web server & technologies
* [ ] [Subdomain enumeration](https://medium.com/@_tas/subdomain-enumeration-try-hack-me-learnings-d9def486e5b)
* [ ] [Directory enumeration](../enumeration/web/crawl-fuzz.md)
* [ ] Find [leaked IDs and emails](../recon/public-info-gathering.md) ([pwndb](https://github.com/davidtavarez/pwndb))
* [ ] Identify WAF
* [ ] Crawl the whole site for interesting keywords like password, token, etc.
* [ ] Test for debug parameters
* [ ] Identify data entry points
* [ ] Try to locate /robots.txt, /crossdomain.xml, /clientaccesspolicy.xml, /phpinfo.php, /sitemap.xml
* [ ] Review comments in source code
* [ ] Check /.git
* [ ] Shodan
* [ ] Google dorking
* [ ] Check Wayback URLs ([gau](https://github.com/lc/gau) and [waybackurls](https://github.com/tomnomnom/waybackurls))

### Network tests

* [ ] Check whether ICMP packets are allowed
* [ ] Check DMARC policies ([spoofcheck](https://github.com/BishopFox/spoofcheck))
* [ ] Look for services on ports other than 80 and 443
* [ ] Check UDP ports ([udp-proto-scanner](https://github.com/CiscoCXSecurity/udp-proto-scanner) or nmap)
* [ ] Test SSL/TLS ([testssl](https://github.com/drwetter/testssl.sh))

### Preparation

* [ ] Study site structure
* [ ] Make a list of all possible test cases

## User management

### Registration

* [ ] Duplicate registration
* [ ] Overwrite existing user (existing user takeover)
* [ ] Username uniqueness
* [ ] Weak password policy
* [ ] Insufficient email verification process
* [ ] Weak registration implementation, or registration allows disposable email addresses
* [ ] Fuzz after user creation to check whether any folder has been overwritten or created with your profile name
* [ ] Try a password consisting only of spaces

### Authentication

* [ ] Username enumeration
* [ ] Resilience to password guessing
* [ ] Account recovery function
* [ ] "Remember me" function
* [ ] Impersonation function
* [ ] Unsafe distribution of credentials
* [ ] Fail-open conditions
* [ ] Multi-stage mechanisms
* [ ] [SQL injection](../enumeration/web/sqli.md)
* [ ] Auto-complete testing
* [ ] Lack of password confirmation when changing email, password or 2FA
* [ ] Weak login function over HTTP and HTTPS if both are available
* [ ] User account lockout mechanism against brute-force attacks
* [ ] Check for password wordlists ([cewl](https://github.com/digininja/CeWL) and [burp-goldenNuggets](https://github.com/GainSec/GoldenNuggets-1))
* [ ] Test OAuth login functionality for [open redirection](../enumeration/web/ssrf.md)
* [ ] Test response tampering in [SAML](../enumeration/webservices/onelogin-saml-login.md) authentication
* [ ] In OTP, check for guessable codes and race conditions
* [ ] If [JWT](../enumeration/webservices/jwt.md) is used, check common flaws
* [ ] Browser cache weakness (e.g. Pragma, Expires, Max-age)

### Session

* [ ] Session handling
* [ ] Test tokens for meaning
* [ ] Test tokens for predictability
* [ ] Insecure transmission of tokens
* [ ] Disclosure of tokens in logs
* [ ] Mapping of tokens to sessions
* [ ] Session termination
* [ ] Session fixation
* [ ] [Cross-site request forgery](../enumeration/web/csrf.md)
* [ ] Cookie scope
* [ ] Decode cookie (Base64, hex, URL, etc.)
* [ ] Cookie expiration time
* [ ] Check HttpOnly and Secure flags
* [ ] Use the same cookie from a different effective IP address or system
* [ ] Access controls
* [ ] Effectiveness of controls using multiple accounts
* [ ] Insecure access control methods (request parameters, Referer header, etc.)
* [ ] Check for concurrent login from different machines/IPs
* [ ] Bypass [anti-CSRF](../enumeration/web/csrf.md#csrf-token-bypass) tokens

### Profile/Account details

* [ ] Find the parameter carrying the user ID and try to tamper with it in order to get the details of other users
* [ ] Create a list of features that pertain to a user account only and try CSRF on them
* [ ] Change the email ID to an existing email ID and check whether it is validated on the server or not
* [ ] Check the new-email confirmation link and what happens if the user doesn't confirm
* [ ] File [upload](../enumeration/web/upload-bypasses.md): unsafe file upload, no antivirus, no size limit, file extension, filter bypass, [burp](https://github.com/portswigger/upload-scanner)
* [ ] CSV import/export: command injection, XSS, macro injection
* [ ] Check the profile picture URL for email ID/user info or EXIF geolocation data
* [ ] ImageTragick in profile picture upload
* [ ] [Metadata](https://github.com/exiftool/exiftool) of all downloadable files
* [ ] Account deletion option; try to reactivate with the "Forgot password" feature
* [ ] Try brute-force enumeration when changing any unique user parameter
* [ ] Check whether the application requires re-authentication for sensitive operations
* [ ] Try parameter pollution to add two values for the same field

### Forgot password

* [ ] Invalidate session on logout and password reset
* [ ] Uniqueness of forgot-password reset link/code
* [ ] Reset link expiration time
* [ ] Find the user ID or other sensitive fields in the reset link and tamper with them
* [ ] Request two password reset links and use the older one
* [ ] Check whether multiple requests produce sequential tokens

## Input handling

* [ ] Fuzz all request parameters
* [ ] Identify all reflected data
* [ ] [Reflected XSS](../enumeration/web/xss.md)
* [ ] HTTP [header injection](../enumeration/web/header-injections.md) in GET & POST (X-Forwarded-Host)
* [ ] Arbitrary redirection
* [ ] Stored attacks
* [ ] OS command injection
* [ ] Path [traversal](../enumeration/web/lfi-rfi.md)
* [ ] Script injection
* [ ] File inclusion
* [ ] SMTP injection
* [ ] Native software flaws (buffer overflow, integer bugs, format strings)
* [ ] SOAP injection
* [ ] LDAP injection
* [ ] XPath injection
* [ ] [XXE](../enumeration/web/xxe.md) in any request; change Content-Type to text/xml
* [ ] Stored [XSS](../enumeration/web/xss.md)
* [ ] [SQL](../enumeration/web/sqli.md) injection
* [ ] [NoSQL](../enumeration/webservices/nosql-and-and-mongodb.md) injection
* [ ] HTTP request [smuggling](../enumeration/web/request-smuggling.md)
* [ ] [Open redirect](../enumeration/web/ssrf.md)
* [ ] [SSRF](../enumeration/web/ssrf.md) against previously discovered open ports
* [ ] xmlrpc.php DoS and user enumeration
* [ ] Dangerous HTTP methods (OPTIONS, PUT, DELETE)

### Error handling

* [ ] Access non-existent pages like /whatever\_fake.php (.aspx, .html, etc.)
* [ ] Add multiple parameters in GET and POST requests using different values
* [ ] Add "\[\]", "\]\]", and "\[\[" in cookie values and parameter values to trigger errors
* [ ] Trigger an error by appending "/~randomthing/%s" to the URL
* [ ] Use the Burp Intruder "Fuzzing Full" list in inputs to generate error codes
* [ ] Try different HTTP verbs like PATCH, DEBUG, or invalid ones like FAKE

## Application Logic

* [ ] Identify the logic attack surface
* [ ] Test transmission of data via the client
* [ ] Test for reliance on client-side input validation
* [ ] Thick-client components (Java, ActiveX, Flash)
* [ ] Multi-stage processes for logic flaws
* [ ] Handling of incomplete input
* [ ] Trust boundaries
* [ ] Transaction logic
* [ ] Check that CAPTCHA is implemented in email forms to avoid flooding
* [ ] Tamper with product ID, price or quantity in any action (add, modify, delete, place, pay...)
* [ ] Tamper with gift or discount codes
* [ ] Reuse gift codes
* [ ] Try parameter pollution to use a gift code twice in the same request
* [ ] Try stored XSS in non-length-limited fields like address
* [ ] Check whether CVV and card number are in clear text or masked in the payment form
* [ ] Check whether payment is processed by the app itself or sent to third parties
* [ ] IDOR on other users' ticket/cart/shipment details
* [ ] Check PRINT or PDF creation for IDOR
* [ ] Check the unsubscribe button for user enumeration
* [ ] Parameter pollution on social media sharing links
* [ ] CORS ([corsy](https://github.com/s0md3v/Corsy))
* [ ] Change sensitive POST requests to GET

## Other checks

### Hosting

* [ ] Segregation in shared infrastructures
* [ ] Segregation between ASP-hosted applications
* [ ] Web server vulnerabilities
* [ ] Dangerous HTTP methods
* [ ] Proxy functionality
* [ ] [Virtual](../enumeration/webservices/vhosts.md) hosting misconfiguration
* [ ] Check for internal numeric IPs in requests
* [ ] Check for external numeric IPs and resolve them
* [ ] References to [cloud](../enumeration/cloud/cloud-info-recon.md) assets

### CAPTCHA

* [ ] Send an old CAPTCHA value
* [ ] Send an old CAPTCHA value with the old session ID
* [ ] Request the CAPTCHA by absolute path, like www.url.com/captcha/1.png
* [ ] Remove the CAPTCHA with an adblocker and request again
* [ ] Bypass with an OCR tool

### Headers

* [ ] X-XSS-Protection
* [ ] Strict-Transport-Security
* [ ] Content-Security-Policy
* [ ] Public-Key-Pins
* [ ] X-Frame-Options
* [ ] X-Content-Type-Options
* [ ] Referrer-Policy
* [ ] Cache-Control
* [ ] Expires