25 KiB
WEB APPLICATION PENTESTING CHECKLIST
OWASP Based Checklist 🌟🌟
500+ Test Cases 🚀🚀
Notion link: https://hariprasaanth.notion.site/WEB-APPLICATION-PENTESTING-CHECKLIST-0f02d8074b9d4af7b12b8da2d46ac998
-
INFORMATION GATHERING
Open Source Reconnaissance
- Perform Google Dorks search
- Perform OSINT
Fingerprinting Web Server
- Find the type of Web Server
- Find the version details of the Web Server
Looking For Metafiles
- View the Robots.txt file
- View the Sitemap.xml file
- View the Humans.txt file
- View the Security.txt file
Enumerating Web Server’s Applications
- Enumerating with Nmap
- Enumerating with Netcat
- Perform a DNS lookup
- Perform a Reverse DNS lookup
Review The Web Contents
- Inspect the page source for sensitive info
- Try to find Sensitive Javascript codes
- Try to find any keys
- Make sure the autocomplete is disabled
Identifying Application’s Entry Points
- Identify what the methods used are?
- Identify where the methods used are?
- Identify the Injection point
Mapping Execution Paths
- Use Burp Suite
- Use Dirsearch
- Use Gobuster
Fingerprint Web Application Framework
- Use the Wappalyzer browser extension
- Use Whatweb
- View URL extensions
- View HTML source code
- View the cookie parameter
- View the HTTP headers
Map Application Architecture
- Map the overall site structure
-
CONFIGURATION & DEPLOYMENT MANAGEMENT TESTING
Test Network Configuration
- Check the network configuration
- Check for default settings
- Check for default credentials
Test Application Configuration
- Ensure only required modules are used
- Ensure unwanted modules are disabled
- Ensure the server can handle DOS
- Check how the application is handling 4xx & 5xx errors
- Check for the privilege required to run
- Check logs for sensitive info
Test File Extension Handling
- Ensure the server won’t return sensitive extensions
- Ensure the server won’t accept malicious extensions
- Test for file upload vulnerabilities
Review Backup & Unreferenced Files
- Ensure unreferenced files don’t contain any sensitive info
- Ensure the namings of old and new backup files
- Check the functionality of unreferenced pages
Enumerate Infrastructure & Admin Interfaces
- Try to find the Infrastructure Interface
- Try to find the Admin Interface
- Identify the hidden admin functionalities
Testing HTTP Methods
- Discover the supported methods
- Ensure the PUT method is disabled
- Ensure the OPTIONS method is disabled
- Test access control bypass
- Test for XST attacks
- Test for HTTP method overriding
Test HSTS
- Ensure HSTS is enabled
Test RIA Cross Domain Policy
- Check for Adobe’s Cross Domain Policy
- Ensure it has the least privilege
Test File Permission
- Ensure the permissions for sensitive files
- Test for directory enumeration
Test For Subdomain Takeover
- Test DNS, A, and CNAME records for subdomain takeover
- Test NS records for subdomain takeover
- Test 404 response for subdomain takeover
Test Cloud Storage
- Check the sensitive paths of AWS
- Check the sensitive paths of Google Cloud
- Check the sensitive paths of Azure
-
IDENTITY MANAGEMENT TESTING
Test Role Definitions
- Test for forced browsing
- Test for IDOR (Insecure Direct Object Reference)
- Test for parameter tampering
- Ensure low privilege users can’t able to access high privilege resources
Test User Registration Process
- Ensure the same user or identity can’t register again and again
- Ensure the registrations are verified
- Ensure disposable email addresses are rejected
- Check what proof is required for successful registration
Test Account Provisioning Process
- Check the verification for the provisioning process
- Check the verification for the de-provisioning process
- Check the provisioning rights for an admin user to other users
- Check whether a user is able to de-provision themself or not?
- Check for the resources of a de-provisioned user
Testing For Account Enumeration
- Check the response when a valid username and password entered
- Check the response when a valid username and an invalid password entered
- Check the response when an invalid username and password entered
- Ensure the rate-limiting functionality is enabled in username and password fields
Test For Weak Username Policy
- Check the response for both valid and invalid usernames
- Check for username enumeration
-
AUTHENTICATION TESTING
Test For Un-Encrypted Channel
- Check for the HTTP login page
- Check for the HTTP register or sign-in page
- Check for HTTP forgot password page
- Check for HTTP change password
- Check for resources on HTTP after logout
- Test for forced browsing to HTTP pages
Test For Default Credentials
- Test with default credentials
- Test organization name as credentials
- Test for response manipulation
- Test for the default username and a blank password
- Review the page source for credentials
Test For Weak Lockout Mechanism
- Ensure the account has been locked after 3-5 incorrect attempts
- Ensure the system accepts only the valid CAPTCHA
- Ensure the system rejects the invalid CAPTCHA
- Ensure CAPTCHA code regenerated after reloaded
- Ensure CAPTCHA reloads after entering the wrong code
- Ensure the user has a recovery option for a lockout account
Test For Bypassing Authentication Schema
- Test forced browsing directly to the internal dashboard without login
- Test for session ID prediction
- Test for authentication parameter tampering
- Test for SQL injection on the login page
- Test to gain access with the help of session ID
- Test multiple logins allowed or not?
Test For Vulnerable Remember Password
- Ensure that the stored password is encrypted
- Ensure that the stored password is on the server-side
Test For Browser Cache Weakness
- Ensure proper cache-control is set on sensitive pages
- Ensure no sensitive data is stored in the browser cache storage
Test For Weak Password Policy
- Ensure the password policy is set to strong
- Check for password reusability
- Check the user is prevented to use his username as a password
- Check for the usage of common weak passwords
- Check the minimum password length to be set
- Check the maximum password length to be set
Testing For Weak Security Questions
- Check for the complexity of the questions
- Check for brute-forcing
Test For Weak Password Reset Function
- Check what information is required to reset the password
- Check for password reset function with HTTP
- Test the randomness of the password reset tokens
- Test the uniqueness of the password reset tokens
- Test for rate limiting on password reset tokens
- Ensure the token must expire after being used
- Ensure the token must expire after not being used for a long time
Test For Weak Password Change Function
- Check if the old password asked to make a change
- Check for the uniqueness of the forgotten password
- Check for blank password change
- Check for password change function with HTTP
- Ensure the old password is not displayed after changed
- Ensure the other sessions got destroyed after the password change
Test For Weak Authentication In Alternative Channel
- Test authentication on the desktop browsers
- Test authentication on the mobile browsers
- Test authentication in a different country
- Test authentication in a different language
- Test authentication on desktop applications
- Test authentication on mobile applications
-
AUTHORIZATION TESTING
Testing Directory Traversal File Include
- Identify the injection point on the URL
- Test for Local File Inclusion
- Test for Remote File Inclusion
- Test Traversal on the URL parameter
- Test Traversal on the cookie parameter
Testing Traversal With Encoding
- Test Traversal with Base64 encoding
- Test Traversal with URL encoding
- Test Traversal with ASCII encoding
- Test Traversal with HTML encoding
- Test Traversal with Hex encoding
- Test Traversal with Binary encoding
- Test Traversal with Octal encoding
- Test Traversal with Gzip encoding
Testing Travesal With Different OS Schemes
- Test Traversal with Unix schemes
- Test Traversal with Windows schemes
- Test Traversal with Mac schemes
Test Other Encoding Techniques
- Test Traversal with Double encoding
- Test Traversal with all characters encode
- Test Traversal with only special characters encode
Test Authorization Schema Bypass
- Test for Horizontal authorization schema bypass
- Test for Vertical authorization schema bypass
- Test override the target with custom headers
Test For Privilege Escalation
- Identify the injection point
- Test for bypassing the security measures
- Test for forced browsing
- Test for IDOR
- Test for parameter tampering to high privileged user
Test For Insecure Direct Object Reference
- Test to change the ID parameter
- Test to add parameters at the endpoints
- Test for HTTP parameter pollution
- Test by adding an extension at the end
- Test with outdated API versions
- Test by wrapping the ID with an array
- Test by wrapping the ID with a JSON object
- Test for JSON parameter pollution
- Test by changing the case
- Test for path traversal
- Test by changing words
- Test by changing methods
-
SESSION MANAGEMENT TESTING
Test For Session Management Schema
- Ensure all Set-Cookie directives are secure
- Ensure no cookie operation takes place over an unencrypted channel
- Ensure the cookie can’t be forced over an unencrypted channel
- Ensure the HTTPOnly flag is enabled
- Check if any cookies are persistent
- Check for session cookies and cookie expiration date/time
- Check for session fixation
- Check for concurrent login
- Check for session after logout
- Check for session after closing the browser
- Try decoding cookies (Base64, Hex, URL, etc)
Test For Cookie Attributes
- Ensure the cookie must be set with the secure attribute
- Ensure the cookie must be set with the path attribute
- Ensure the cookie must have the HTTPOnly flag
Test For Session Fixation
- Ensure new cookies have been issued upon a successful authentication
- Test manipulating the cookies
Test For Exposed Session Variables
- Test for encryption
- Test for GET and POST vulnerabilities
- Test if GET request incorporating the session ID used
- Test by interchanging POST with GET method
Test For Back Refresh Attack
- Test after password change
- Test after logout
Test For Cross Site Request Forgery
- Check if the token is validated on the server-side or not
- Check if the token is validated for full or partial length
- Check by comparing the CSRF tokens for multiple dummy accounts
- Check CSRF by interchanging POST with GET method
- Check CSRF by removing the CSRF token parameter
- Check CSRF by removing the CSRF token and using a blank parameter
- Check CSRF by using unused tokens
- Check CSRF by replacing the CSRF token with its own values
- Check CSRF by changing the content type to form-multipart
- Check CSRF by changing or deleting some characters of the CSRF token
- Check CSRF by changing the referrer to Referrer
- Check CSRF by changing the host values
- Check CSRF alongside clickjacking
Test For Logout Functionality
- Check the log out function on different pages
- Check for the visibility of the logout button
- Ensure after logout the session was ended
- Ensure after logout we can’t able to access the dashboard by pressing the back button
- Ensure proper session timeout has been set
Test For Session Timeout
- Ensure there is a session timeout exists
- Ensure after the timeout, all of the tokens are destroyed
Test For Session Puzzling
- Identify all the session variables
- Try to break the logical flow of the session generation
Test For Session Hijacking
- Test session hijacking on target that doesn’t has HSTS enabled
- Test by login with the help of captured cookies
-
INPUT VALIDATION TESTING
Test For Reflected Cross Site Scripting
- Ensure these characters are filtered <>’’&””
- Test with a character escape sequence
- Test by replacing < and > with HTML entities < and >
- Test payload with both lower and upper case
- Test to break firewall regex by new line /r/n
- Test with double encoding
- Test with recursive filters
- Test injecting anchor tags without whitespace
- Test by replacing whitespace with bullets
- Test by changing HTTP methods
Test For Stored Cross Site Scripting
- Identify stored input parameters that will reflect on the client-side
- Look for input parameters on the profile page
- Look for input parameters on the shopping cart page
- Look for input parameters on the file upload page
- Look for input parameters on the settings page
- Look for input parameters on the forum, comment page
- Test uploading a file with XSS payload as its file name
- Test with HTML tags
Test For HTTP Parameter Pollution
- Identify the backend server and parsing method used
- Try to access the injection point
- Try to bypass the input filters using HTTP Parameter Pollution
Test For SQL Injection
- Test SQL Injection on authentication forms
- Test SQL Injection on the search bar
- Test SQL Injection on editable characteristics
- Try to find SQL keywords or entry point detections
- Try to inject SQL queries
- Use tools like SQLmap or Hackbar
- Use Google dorks to find the SQL keywords
- Try GET based SQL Injection
- Try POST based SQL Injection
- Try COOKIE based SQL Injection
- Try HEADER based SQL Injection
- Try SQL Injection with null bytes before the SQL query
- Try SQL Injection with URL encoding
- Try SQL Injection with both lower and upper cases
- Try SQL Injection with SQL Tamper scripts
- Try SQL Injection with SQL Time delay payloads
- Try SQL Injection with SQL Conditional delays
- Try SQL Injection with Boolean based SQL
- Try SQL Injection with Time based SQL
Test For LDAP Injection
- Use LDAP search filters
- Try LDAP Injection for access control bypass
Testing For XML Injection
- Check if the application is using XML for processing
- Identify the XML Injection point by XML metacharacter
- Construct XSS payload on top of XML
Test For Server Side Includes
- Use Google dorks to find the SSI
- Construct RCE on top of SSI
- Construct other injections on top of SSI
- Test Injecting SSI on login pages, header fields, referrer, etc
Test For XPATH Injection
- Identify XPATH Injection point
- Test for XPATH Injection
Test For IMAP SMTP Injection
- Identify IMAP SMTP Injection point
- Understand the data flow
- Understand the deployment structure of the system
- Assess the injection impact
Test For Local File Inclusion
- Look for LFI keywords
- Try to change the local path
- Use the LFI payload list
- Test LFI by adding a null byte at the end
Test For Remote File Inclusion
- Look for RFI keywords
- Try to change the remote path
- Use the RFI payload list
Test For Command Injection
- Identify the Injection points
- Look for Command Injection keywords
- Test Command Injection using different delimiters
- Test Command Injection with payload list
- Test Command Injection with different OS commands
Test For Format String Injection
- Identify the Injection points
- Use different format parameters as payloads
- Assess the injection impact
Test For Host Header Injection
- Test for HHI by changing the real Host parameter
- Test for HHI by adding X-Forwarded Host parameter
- Test for HHI by swapping the real Host and X-Forwarded Host parameter
- Test for HHI by adding two Host parameters
- Test for HHI by adding the target values in front of the original values
- Test for HHI by adding the target with a slash after the original values
- Test for HHI with other injections on the Host parameter
- Test for HHI by password reset poisoning
Test For Server Side Request Forgery
- Look for SSRF keywords
- Search for SSRF keywords only under the request header and body
- Identify the Injection points
- Test if the Injection points are exploitable
- Assess the injection impact
Test For Server Side Template Injection
- Identify the Template injection vulnerability points
- Identify the Templating engine
- Use the tplmap to exploit
-
ERROR HANDLING TESTING
Test For Improper Error Handling
- Identify the error output
- Analyze the different outputs returned
- Look for common error handling flaws
- Test error handling by modifying the URL parameter
- Test error handling by uploading unrecognized file formats
- Test error handling by entering unrecognized inputs
- Test error handling by making all possible errors
-
WEAK CRYPTOGRAPHY TESTING
Test For Weak Transport Layer Security
- Test for DROWN weakness on SSLv2 protocol
- Test for POODLE weakness on SSLv3 protocol
- Test for BEAST weakness on TLSv1.0 protocol
- Test for FREAK weakness on export cipher suites
- Test for Null ciphers
- Test for NOMORE weakness on RC4
- Test for LUCKY 13 weakness on CBC mode ciphers
- Test for CRIME weakness on TLS compression
- Test for LOGJAM on DHE keys
- Ensure the digital certificates should have at least 2048 bits of key length
- Ensure the digital certificates should have at least SHA-256 signature algorithm
- Ensure the digital certificates should not use MDF and SHA-1
- Ensure the validity of the digital certificate
- Ensure the minimum key length requirements
- Look for weak cipher suites
-
BUSINESS LOGIC TESTING
Test For Business Logic
- Identify the logic of how the application works
- Identify the functionality of all the buttons
- Test by changing the numerical values into high or negative values
- Test by changing the quantity
- Test by modifying the payments
- Test for parameter tampering
Test For Malicious File Upload
- Test malicious file upload by uploading malicious files
- Test malicious file upload by putting your IP address on the file name
- Test malicious file upload by right to left override
- Test malicious file upload by encoded file name
- Test malicious file upload by XSS payload on the file name
- Test malicious file upload by RCE payload on the file name
- Test malicious file upload by LFI payload on the file name
- Test malicious file upload by RFI payload on the file name
- Test malicious file upload by SQL payload on the file name
- Test malicious file upload by other injections on the file name
- Test malicious file upload by Inserting the payload inside of an image by the bmp.pl tool
- Test malicious file upload by uploading large files (leads to DOS)
-
CLIENT SIDE TESTING
Test For DOM Based Cross Site Scripting
- Try to identify DOM sinks
- Build payloads to that DOM sink type
Test For URL Redirect
- Look for URL redirect parameters
- Test for URL redirection on domain parameters
- Test for URL redirection by using a payload list
- Test for URL redirection by using a whitelisted word at the end
- Test for URL redirection by creating a new subdomain with the same as the target
- Test for URL redirection by XSS
- Test for URL redirection by profile URL flaw
Test For Cross Origin Resource Sharing
- Look for “Access-Control-Allow-Origin” on the response
- Use the CORS HTML exploit code for further exploitation
Test For Clickjacking
- Ensure “X-Frame-Options” headers are enabled
- Exploit with iframe HTML code for POC
-
OTHER COMMON ISSUES
Test For No-Rate Limiting
- Ensure rate limiting is enabled
- Try to bypass rate limiting by changing the case of the endpoints
- Try to bypass rate limiting by adding / at the end of the URL
- Try to bypass rate limiting by adding HTTP headers
- Try to bypass rate limiting by adding HTTP headers twice
- Try to bypass rate limiting by adding Origin headers
- Try to bypass rate limiting by IP rotation
- Try to bypass rate limiting by using null bytes at the end
- Try to bypass rate limiting by using race conditions
Test For EXIF Geodata
- Ensure the website is striping the geodata
- Test with EXIF checker
Test For Broken Link Hijack
- Ensure there is no broken links are there
- Test broken links by using the blc tool
Test For SPF
- Ensure the website is having SPF record
- Test SPF by nslookup command
Test For Weak 2FA
- Try to bypass 2FA by using poor session management
- Try to bypass 2FA via the OAuth mechanism
- Try to bypass 2FA via brute-forcing
- Try to bypass 2FA via response manipulation
- Try to bypass 2FA by using activation links to login
- Try to bypass 2FA by using status code manipulation
- Try to bypass 2FA by changing the email or password
- Try to bypass 2FA by using a null or empty entry
- Try to bypass 2FA by changing the boolean into false
- Try to bypass 2FA by removing the 2FA parameter on the request
Test For Weak OTP Implementation
- Try to bypass OTP by entering the old OTP
- Try to bypass OTP by brute-forcing
- Try to bypass OTP by using a null or empty entry
- Try to bypass OTP by response manipulation
- Try to bypass OTP by status code manipulation