Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Hari-prasaanth/Web-App-Pentest-Checklist
A OWASP Based Checklist With 500+ Test Cases
https://github.com/Hari-prasaanth/Web-App-Pentest-Checklist
bug bugbounty checklist penetration-testing penetration-testing-framework pentesting web website
Last synced: about 2 months ago
JSON representation
A OWASP Based Checklist With 500+ Test Cases
- Host: GitHub
- URL: https://github.com/Hari-prasaanth/Web-App-Pentest-Checklist
- Owner: Hari-prasaanth
- Created: 2022-06-09T01:33:04.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-10-26T01:16:42.000Z (about 2 years ago)
- Last Synced: 2024-08-04T01:17:04.672Z (5 months ago)
- Topics: bug, bugbounty, checklist, penetration-testing, penetration-testing-framework, pentesting, web, website
- Homepage:
- Size: 3.56 MB
- Stars: 573
- Watchers: 12
- Forks: 127
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- All-In-One-CyberSecurity-Resources - Web-Checklists
README
# WEB APPLICATION PENTESTING CHECKLIST
**OWASP Based Checklist 🌟🌟**
**500+ Test Cases 🚀🚀**
Notion link: https://hariprasaanth.notion.site/WEB-APPLICATION-PENTESTING-CHECKLIST-0f02d8074b9d4af7b12b8da2d46ac998
- **INFORMATION GATHERING**
**Open Source Reconnaissance**
- [ ] Perform Google Dorks search
- [ ] Perform OSINT
**Fingerprinting Web Server**
- [ ] Find the type of Web Server
- [ ] Find the version details of the Web Server
**Looking For Metafiles**
- [ ] View the Robots.txt file
- [ ] View the Sitemap.xml file
- [ ] View the Humans.txt file
- [ ] View the Security.txt file
**Enumerating Web Server’s Applications**
- [ ] Enumerating with Nmap
- [ ] Enumerating with Netcat
- [ ] Perform a DNS lookup
- [ ] Perform a Reverse DNS lookup
**Review The Web Contents**
- [ ] Inspect the page source for sensitive info
- [ ] Try to find Sensitive Javascript codes
- [ ] Try to find any keys
- [ ] Make sure the autocomplete is disabled
**Identifying Application’s Entry Points**
- [ ] Identify what the methods used are?
- [ ] Identify where the methods used are?
- [ ] Identify the Injection point
**Mapping Execution Paths**
- [ ] Use Burp Suite
- [ ] Use Dirsearch
- [ ] Use Gobuster
**Fingerprint Web Application Framework**
- [ ] Use the Wappalyzer browser extension
- [ ] Use Whatweb
- [ ] View URL extensions
- [ ] View HTML source code
- [ ] View the cookie parameter
- [ ] View the HTTP headers
**Map Application Architecture**
- [ ] Map the overall site structure
- **CONFIGURATION & DEPLOYMENT MANAGEMENT TESTING**
**Test Network Configuration**
- [ ] Check the network configuration
- [ ] Check for default settings
- [ ] Check for default credentials
**Test Application Configuration**
- [ ] Ensure only required modules are used
- [ ] Ensure unwanted modules are disabled
- [ ] Ensure the server can handle DOS
- [ ] Check how the application is handling 4xx & 5xx errors
- [ ] Check for the privilege required to run
- [ ] Check logs for sensitive info
**Test File Extension Handling**
- [ ] Ensure the server won’t return sensitive extensions
- [ ] Ensure the server won’t accept malicious extensions
- [ ] Test for file upload vulnerabilities
**Review Backup & Unreferenced Files**
- [ ] Ensure unreferenced files don’t contain any sensitive info
- [ ] Ensure the namings of old and new backup files
- [ ] Check the functionality of unreferenced pages
**Enumerate Infrastructure & Admin Interfaces**
- [ ] Try to find the Infrastructure Interface
- [ ] Try to find the Admin Interface
- [ ] Identify the hidden admin functionalities
**Testing HTTP Methods**
- [ ] Discover the supported methods
- [ ] Ensure the PUT method is disabled
- [ ] Ensure the OPTIONS method is disabled
- [ ] Test access control bypass
- [ ] Test for XST attacks
- [ ] Test for HTTP method overriding
**Test HSTS**
- [ ] Ensure HSTS is enabled
**Test RIA Cross Domain Policy**
- [ ] Check for Adobe’s Cross Domain Policy
- [ ] Ensure it has the least privilege
**Test File Permission**
- [ ] Ensure the permissions for sensitive files
- [ ] Test for directory enumeration
**Test For Subdomain Takeover**
- [ ] Test DNS, A, and CNAME records for subdomain takeover
- [ ] Test NS records for subdomain takeover
- [ ] Test 404 response for subdomain takeover
**Test Cloud Storage**
- [ ] Check the sensitive paths of AWS
- [ ] Check the sensitive paths of Google Cloud
- [ ] Check the sensitive paths of Azure
- **IDENTITY MANAGEMENT TESTING**
**Test Role Definitions**
- [ ] Test for forced browsing
- [ ] Test for IDOR (Insecure Direct Object Reference)
- [ ] Test for parameter tampering
- [ ] Ensure low privilege users can’t able to access high privilege resources
**Test User Registration Process**
- [ ] Ensure the same user or identity can’t register again and again
- [ ] Ensure the registrations are verified
- [ ] Ensure disposable email addresses are rejected
- [ ] Check what proof is required for successful registration
**Test Account Provisioning Process**
- [ ] Check the verification for the provisioning process
- [ ] Check the verification for the de-provisioning process
- [ ] Check the provisioning rights for an admin user to other users
- [ ] Check whether a user is able to de-provision themself or not?
- [ ] Check for the resources of a de-provisioned user
**Testing For Account Enumeration**
- [ ] Check the response when a valid username and password entered
- [ ] Check the response when a valid username and an invalid password entered
- [ ] Check the response when an invalid username and password entered
- [ ] Ensure the rate-limiting functionality is enabled in username and password fields
**Test For Weak Username Policy**
- [ ] Check the response for both valid and invalid usernames
- [ ] Check for username enumeration
- **AUTHENTICATION TESTING**
**Test For Un-Encrypted Channel**
- [ ] Check for the HTTP login page
- [ ] Check for the HTTP register or sign-in page
- [ ] Check for HTTP forgot password page
- [ ] Check for HTTP change password
- [ ] Check for resources on HTTP after logout
- [ ] Test for forced browsing to HTTP pages
**Test For Default Credentials**
- [ ] Test with default credentials
- [ ] Test organization name as credentials
- [ ] Test for response manipulation
- [ ] Test for the default username and a blank password
- [ ] Review the page source for credentials
**Test For Weak Lockout Mechanism**
- [ ] Ensure the account has been locked after 3-5 incorrect attempts
- [ ] Ensure the system accepts only the valid CAPTCHA
- [ ] Ensure the system rejects the invalid CAPTCHA
- [ ] Ensure CAPTCHA code regenerated after reloaded
- [ ] Ensure CAPTCHA reloads after entering the wrong code
- [ ] Ensure the user has a recovery option for a lockout account
**Test For Bypassing Authentication Schema**
- [ ] Test forced browsing directly to the internal dashboard without login
- [ ] Test for session ID prediction
- [ ] Test for authentication parameter tampering
- [ ] Test for SQL injection on the login page
- [ ] Test to gain access with the help of session ID
- [ ] Test multiple logins allowed or not?
**Test For Vulnerable Remember Password**
- [ ] Ensure that the stored password is encrypted
- [ ] Ensure that the stored password is on the server-side
**Test For Browser Cache Weakness**
- [ ] Ensure proper cache-control is set on sensitive pages
- [ ] Ensure no sensitive data is stored in the browser cache storage
**Test For Weak Password Policy**
- [ ] Ensure the password policy is set to strong
- [ ] Check for password reusability
- [ ] Check the user is prevented to use his username as a password
- [ ] Check for the usage of common weak passwords
- [ ] Check the minimum password length to be set
- [ ] Check the maximum password length to be set
**Testing For Weak Security Questions**
- [ ] Check for the complexity of the questions
- [ ] Check for brute-forcing
**Test For Weak Password Reset Function**
- [ ] Check what information is required to reset the password
- [ ] Check for password reset function with HTTP
- [ ] Test the randomness of the password reset tokens
- [ ] Test the uniqueness of the password reset tokens
- [ ] Test for rate limiting on password reset tokens
- [ ] Ensure the token must expire after being used
- [ ] Ensure the token must expire after not being used for a long time
**Test For Weak Password Change Function**
- [ ] Check if the old password asked to make a change
- [ ] Check for the uniqueness of the forgotten password
- [ ] Check for blank password change
- [ ] Check for password change function with HTTP
- [ ] Ensure the old password is not displayed after changed
- [ ] Ensure the other sessions got destroyed after the password change
**Test For Weak Authentication In Alternative Channel**
- [ ] Test authentication on the desktop browsers
- [ ] Test authentication on the mobile browsers
- [ ] Test authentication in a different country
- [ ] Test authentication in a different language
- [ ] Test authentication on desktop applications
- [ ] Test authentication on mobile applications
- **AUTHORIZATION TESTING**
**Testing Directory Traversal File Include**
- [ ] Identify the injection point on the URL
- [ ] Test for Local File Inclusion
- [ ] Test for Remote File Inclusion
- [ ] Test Traversal on the URL parameter
- [ ] Test Traversal on the cookie parameter
**Testing Traversal With Encoding**
- [ ] Test Traversal with Base64 encoding
- [ ] Test Traversal with URL encoding
- [ ] Test Traversal with ASCII encoding
- [ ] Test Traversal with HTML encoding
- [ ] Test Traversal with Hex encoding
- [ ] Test Traversal with Binary encoding
- [ ] Test Traversal with Octal encoding
- [ ] Test Traversal with Gzip encoding
**Testing Travesal With Different OS Schemes**
- [ ] Test Traversal with Unix schemes
- [ ] Test Traversal with Windows schemes
- [ ] Test Traversal with Mac schemes
**Test Other Encoding Techniques**
- [ ] Test Traversal with Double encoding
- [ ] Test Traversal with all characters encode
- [ ] Test Traversal with only special characters encode
**Test Authorization Schema Bypass**
- [ ] Test for Horizontal authorization schema bypass
- [ ] Test for Vertical authorization schema bypass
- [ ] Test override the target with custom headers
**Test For Privilege Escalation**
- [ ] Identify the injection point
- [ ] Test for bypassing the security measures
- [ ] Test for forced browsing
- [ ] Test for IDOR
- [ ] Test for parameter tampering to high privileged user
**Test For Insecure Direct Object Reference**
- [ ] Test to change the ID parameter
- [ ] Test to add parameters at the endpoints
- [ ] Test for HTTP parameter pollution
- [ ] Test by adding an extension at the end
- [ ] Test with outdated API versions
- [ ] Test by wrapping the ID with an array
- [ ] Test by wrapping the ID with a JSON object
- [ ] Test for JSON parameter pollution
- [ ] Test by changing the case
- [ ] Test for path traversal
- [ ] Test by changing words
- [ ] Test by changing methods
- **SESSION MANAGEMENT TESTING**
**Test For Session Management Schema**
- [ ] Ensure all Set-Cookie directives are secure
- [ ] Ensure no cookie operation takes place over an unencrypted channel
- [ ] Ensure the cookie can’t be forced over an unencrypted channel
- [ ] Ensure the HTTPOnly flag is enabled
- [ ] Check if any cookies are persistent
- [ ] Check for session cookies and cookie expiration date/time
- [ ] Check for session fixation
- [ ] Check for concurrent login
- [ ] Check for session after logout
- [ ] Check for session after closing the browser
- [ ] Try decoding cookies (Base64, Hex, URL, etc)
**Test For Cookie Attributes**
- [ ] Ensure the cookie must be set with the secure attribute
- [ ] Ensure the cookie must be set with the path attribute
- [ ] Ensure the cookie must have the HTTPOnly flag
**Test For Session Fixation**
- [ ] Ensure new cookies have been issued upon a successful authentication
- [ ] Test manipulating the cookies
**Test For Exposed Session Variables**
- [ ] Test for encryption
- [ ] Test for GET and POST vulnerabilities
- [ ] Test if GET request incorporating the session ID used
- [ ] Test by interchanging POST with GET method
**Test For Back Refresh Attack**
- [ ] Test after password change
- [ ] Test after logout
**Test For Cross Site Request Forgery**
- [ ] Check if the token is validated on the server-side or not
- [ ] Check if the token is validated for full or partial length
- [ ] Check by comparing the CSRF tokens for multiple dummy accounts
- [ ] Check CSRF by interchanging POST with GET method
- [ ] Check CSRF by removing the CSRF token parameter
- [ ] Check CSRF by removing the CSRF token and using a blank parameter
- [ ] Check CSRF by using unused tokens
- [ ] Check CSRF by replacing the CSRF token with its own values
- [ ] Check CSRF by changing the content type to form-multipart
- [ ] Check CSRF by changing or deleting some characters of the CSRF token
- [ ] Check CSRF by changing the referrer to Referrer
- [ ] Check CSRF by changing the host values
- [ ] Check CSRF alongside clickjacking
**Test For Logout Functionality**
- [ ] Check the log out function on different pages
- [ ] Check for the visibility of the logout button
- [ ] Ensure after logout the session was ended
- [ ] Ensure after logout we can’t able to access the dashboard by pressing the back button
- [ ] Ensure proper session timeout has been set
**Test For Session Timeout**
- [ ] Ensure there is a session timeout exists
- [ ] Ensure after the timeout, all of the tokens are destroyed
**Test For Session Puzzling**
- [ ] Identify all the session variables
- [ ] Try to break the logical flow of the session generation
**Test For Session Hijacking**
- [ ] Test session hijacking on target that doesn’t has HSTS enabled
- [ ] Test by login with the help of captured cookies
- **INPUT VALIDATION TESTING**
**Test For Reflected Cross Site Scripting**
- [ ] Ensure these characters are filtered <>’’&””
- [ ] Test with a character escape sequence
- [ ] Test by replacing < and > with HTML entities < and >
- [ ] Test payload with both lower and upper case
- [ ] Test to break firewall regex by new line /r/n
- [ ] Test with double encoding
- [ ] Test with recursive filters
- [ ] Test injecting anchor tags without whitespace
- [ ] Test by replacing whitespace with bullets
- [ ] Test by changing HTTP methods
**Test For Stored Cross Site Scripting**
- [ ] Identify stored input parameters that will reflect on the client-side
- [ ] Look for input parameters on the profile page
- [ ] Look for input parameters on the shopping cart page
- [ ] Look for input parameters on the file upload page
- [ ] Look for input parameters on the settings page
- [ ] Look for input parameters on the forum, comment page
- [ ] Test uploading a file with XSS payload as its file name
- [ ] Test with HTML tags
**Test For HTTP Parameter Pollution**
- [ ] Identify the backend server and parsing method used
- [ ] Try to access the injection point
- [ ] Try to bypass the input filters using HTTP Parameter Pollution
**Test For SQL Injection**
- [ ] Test SQL Injection on authentication forms
- [ ] Test SQL Injection on the search bar
- [ ] Test SQL Injection on editable characteristics
- [ ] Try to find SQL keywords or entry point detections
- [ ] Try to inject SQL queries
- [ ] Use tools like SQLmap or Hackbar
- [ ] Use Google dorks to find the SQL keywords
- [ ] Try GET based SQL Injection
- [ ] Try POST based SQL Injection
- [ ] Try COOKIE based SQL Injection
- [ ] Try HEADER based SQL Injection
- [ ] Try SQL Injection with null bytes before the SQL query
- [ ] Try SQL Injection with URL encoding
- [ ] Try SQL Injection with both lower and upper cases
- [ ] Try SQL Injection with SQL Tamper scripts
- [ ] Try SQL Injection with SQL Time delay payloads
- [ ] Try SQL Injection with SQL Conditional delays
- [ ] Try SQL Injection with Boolean based SQL
- [ ] Try SQL Injection with Time based SQL
**Test For LDAP Injection**
- [ ] Use LDAP search filters
- [ ] Try LDAP Injection for access control bypass
**Testing For XML Injection**
- [ ] Check if the application is using XML for processing
- [ ] Identify the XML Injection point by XML metacharacter
- [ ] Construct XSS payload on top of XML
**Test For Server Side Includes**
- [ ] Use Google dorks to find the SSI
- [ ] Construct RCE on top of SSI
- [ ] Construct other injections on top of SSI
- [ ] Test Injecting SSI on login pages, header fields, referrer, etc
**Test For XPATH Injection**
- [ ] Identify XPATH Injection point
- [ ] Test for XPATH Injection
**Test For IMAP SMTP Injection**
- [ ] Identify IMAP SMTP Injection point
- [ ] Understand the data flow
- [ ] Understand the deployment structure of the system
- [ ] Assess the injection impact
**Test For Local File Inclusion**
- [ ] Look for LFI keywords
- [ ] Try to change the local path
- [ ] Use the LFI payload list
- [ ] Test LFI by adding a null byte at the end
**Test For Remote File Inclusion**
- [ ] Look for RFI keywords
- [ ] Try to change the remote path
- [ ] Use the RFI payload list
**Test For Command Injection**
- [ ] Identify the Injection points
- [ ] Look for Command Injection keywords
- [ ] Test Command Injection using different delimiters
- [ ] Test Command Injection with payload list
- [ ] Test Command Injection with different OS commands
**Test For Format String Injection**
- [ ] Identify the Injection points
- [ ] Use different format parameters as payloads
- [ ] Assess the injection impact
**Test For Host Header Injection**
- [ ] Test for HHI by changing the real Host parameter
- [ ] Test for HHI by adding X-Forwarded Host parameter
- [ ] Test for HHI by swapping the real Host and X-Forwarded Host parameter
- [ ] Test for HHI by adding two Host parameters
- [ ] Test for HHI by adding the target values in front of the original values
- [ ] Test for HHI by adding the target with a slash after the original values
- [ ] Test for HHI with other injections on the Host parameter
- [ ] Test for HHI by password reset poisoning
**Test For Server Side Request Forgery**
- [ ] Look for SSRF keywords
- [ ] Search for SSRF keywords only under the request header and body
- [ ] Identify the Injection points
- [ ] Test if the Injection points are exploitable
- [ ] Assess the injection impact
**Test For Server Side Template Injection**
- [ ] Identify the Template injection vulnerability points
- [ ] Identify the Templating engine
- [ ] Use the tplmap to exploit
- **ERROR HANDLING TESTING**
**Test For Improper Error Handling**
- [ ] Identify the error output
- [ ] Analyze the different outputs returned
- [ ] Look for common error handling flaws
- [ ] Test error handling by modifying the URL parameter
- [ ] Test error handling by uploading unrecognized file formats
- [ ] Test error handling by entering unrecognized inputs
- [ ] Test error handling by making all possible errors
- **WEAK CRYPTOGRAPHY TESTING**
**Test For Weak Transport Layer Security**
- [ ] Test for DROWN weakness on SSLv2 protocol
- [ ] Test for POODLE weakness on SSLv3 protocol
- [ ] Test for BEAST weakness on TLSv1.0 protocol
- [ ] Test for FREAK weakness on export cipher suites
- [ ] Test for Null ciphers
- [ ] Test for NOMORE weakness on RC4
- [ ] Test for LUCKY 13 weakness on CBC mode ciphers
- [ ] Test for CRIME weakness on TLS compression
- [ ] Test for LOGJAM on DHE keys
- [ ] Ensure the digital certificates should have at least 2048 bits of key length
- [ ] Ensure the digital certificates should have at least SHA-256 signature algorithm
- [ ] Ensure the digital certificates should not use MDF and SHA-1
- [ ] Ensure the validity of the digital certificate
- [ ] Ensure the minimum key length requirements
- [ ] Look for weak cipher suites
- **BUSINESS LOGIC TESTING**
**Test For Business Logic**
- [ ] Identify the logic of how the application works
- [ ] Identify the functionality of all the buttons
- [ ] Test by changing the numerical values into high or negative values
- [ ] Test by changing the quantity
- [ ] Test by modifying the payments
- [ ] Test for parameter tampering
**Test For Malicious File Upload**
- [ ] Test malicious file upload by uploading malicious files
- [ ] Test malicious file upload by putting your IP address on the file name
- [ ] Test malicious file upload by right to left override
- [ ] Test malicious file upload by encoded file name
- [ ] Test malicious file upload by XSS payload on the file name
- [ ] Test malicious file upload by RCE payload on the file name
- [ ] Test malicious file upload by LFI payload on the file name
- [ ] Test malicious file upload by RFI payload on the file name
- [ ] Test malicious file upload by SQL payload on the file name
- [ ] Test malicious file upload by other injections on the file name
- [ ] Test malicious file upload by Inserting the payload inside of an image by the bmp.pl tool
- [ ] Test malicious file upload by uploading large files (leads to DOS)
- **CLIENT SIDE TESTING**
**Test For DOM Based Cross Site Scripting**
- [ ] Try to identify DOM sinks
- [ ] Build payloads to that DOM sink type
**Test For URL Redirect**
- [ ] Look for URL redirect parameters
- [ ] Test for URL redirection on domain parameters
- [ ] Test for URL redirection by using a payload list
- [ ] Test for URL redirection by using a whitelisted word at the end
- [ ] Test for URL redirection by creating a new subdomain with the same as the target
- [ ] Test for URL redirection by XSS
- [ ] Test for URL redirection by profile URL flaw
**Test For Cross Origin Resource Sharing**
- [ ] Look for “Access-Control-Allow-Origin” on the response
- [ ] Use the CORS HTML exploit code for further exploitation
**Test For Clickjacking**
- [ ] Ensure “X-Frame-Options” headers are enabled
- [ ] Exploit with iframe HTML code for POC
- **OTHER COMMON ISSUES**
**Test For No-Rate Limiting**
- [ ] Ensure rate limiting is enabled
- [ ] Try to bypass rate limiting by changing the case of the endpoints
- [ ] Try to bypass rate limiting by adding / at the end of the URL
- [ ] Try to bypass rate limiting by adding HTTP headers
- [ ] Try to bypass rate limiting by adding HTTP headers twice
- [ ] Try to bypass rate limiting by adding Origin headers
- [ ] Try to bypass rate limiting by IP rotation
- [ ] Try to bypass rate limiting by using null bytes at the end
- [ ] Try to bypass rate limiting by using race conditions
**Test For EXIF Geodata**
- [ ] Ensure the website is striping the geodata
- [ ] Test with EXIF checker
**Test For Broken Link Hijack**
- [ ] Ensure there is no broken links are there
- [ ] Test broken links by using the blc tool
**Test For SPF**
- [ ] Ensure the website is having SPF record
- [ ] Test SPF by nslookup command
**Test For Weak 2FA**
- [ ] Try to bypass 2FA by using poor session management
- [ ] Try to bypass 2FA via the OAuth mechanism
- [ ] Try to bypass 2FA via brute-forcing
- [ ] Try to bypass 2FA via response manipulation
- [ ] Try to bypass 2FA by using activation links to login
- [ ] Try to bypass 2FA by using status code manipulation
- [ ] Try to bypass 2FA by changing the email or password
- [ ] Try to bypass 2FA by using a null or empty entry
- [ ] Try to bypass 2FA by changing the boolean into false
- [ ] Try to bypass 2FA by removing the 2FA parameter on the request
**Test For Weak OTP Implementation**
- [ ] Try to bypass OTP by entering the old OTP
- [ ] Try to bypass OTP by brute-forcing
- [ ] Try to bypass OTP by using a null or empty entry
- [ ] Try to bypass OTP by response manipulation
- [ ] Try to bypass OTP by status code manipulation
### Shaped by: Hariprasaanth R
**Reach Me: [LinkedIn](https://www.linkedin.com/in/hariprasaanth) [Portfolio](https://hariprasaanth.blogspot.com/) [Github](https://github.com/Hari-prasaanth)**