Web Application Pentesting
The following is a curated checklist for web application penetration testing. This is not a comprehensive list but rather a growing one. I will incorporate things as I move on with the journey. It will serve as a great starting point for beginners.
Reconnaissance
Reconnaissance in web application penetration testing gathers vital information about the target, including domain names, IP addresses, and potential vulnerabilities. This initial phase is crucial, forming the basis for subsequent testing stages. Thorough reconnaissance enables ethical hackers to tailor their approach, prioritize testing efforts, and simulate realistic attack scenarios, identifying and addressing vulnerabilities before exploitation. It serves as a vital intelligence-gathering step for a targeted and efficient strategy to enhance web application security.
Manual Exploration
Review the website thoroughly, examining each component. Approach every button with caution and test them systematically.
Tools: Any Browser
Fingerprinting
Gain an understanding of the website's foundational technology.
Tools: Any Browser, Nikto, Wappalyzer
Spider/Crawl/VA
Conduct a basic vulnerability scan to explore the various sections of the website. Be attentive to hidden content.
Tools: BurpSuite Pro, Nikto, OWASP ZAP
Directory Enumeration
Search for hidden directories using a wordlist.
Tools: Burp Intruder, Gobuster, FFUF
Hidden Contents
Examine files that reveal content, such as the robots.txt file.
Tools: Any Browser
Understanding User Roles
Recognize the various user roles and their respective authorized privileges.
Tools: Any Browser
Web Server Enumeration
Map the network of the web server and detect open ports.
Tools: Nmap, RustScan
Misconfiguration Check
Misconfiguration checks in web application penetration testing identify and rectify improperly configured settings that may lead to vulnerabilities. These errors, often from oversights in servers and databases, can inadvertently expose sensitive information and create entry points for attackers. Detecting and addressing these issues is crucial to prevent unauthorized access and potential data breaches, playing a vital role in enhancing overall web application security.
Check for Administrative URLs
Examine the restrictions on administrative access.
Tools: Any Browser
Application Platform Configuration
Identify default installation files/directories, observe how server errors are handled, understand the minimal privileges in use, and review software logging.
Tools: Any Browser, FFUF, Gobuster, Burp Intruder
File Upload: File Extension Handling
Find important files. Check how file extensions are handled in file upload.
Tools: BurpSuite, Caido
HTTP Strict Transport Security
Check whether a proper Strict-Transport-Security header is in place.
Tools: BurpSuite, Caido, Any Browser
OWASP Secure Headers Project
Check that the common security headers are in place.
Tools: BurpSuite, Caido, Any Browser
Client-side Code Check
Examine client-side code for sensitive data, such as API keys and credentials.
Tools: Any Browser
Secure Transmission
Secure Transmission testing in web application penetration testing focuses on evaluating and ensuring the security of data during transmission. It examines communication protocols, encryption algorithms, and certificate management to identify vulnerabilities that may compromise data confidentiality and integrity. This assessment safeguards against eavesdropping, man-in-the-middle attacks, and other threats, playing a crucial role in enhancing the overall security of web applications by addressing risks associated with data transmission.
Check SSL
Check the SSL version and algorithms in use.
Tools: Burp SSL Scanner, sslscan, Nmap
HTTPS Communication
Check that credentials are only delivered over HTTPS.
Tools: Any Browser
Check Session Tokens: JWT
Inspect the JWT used as the session token.
Tools: Any Browser, jwt.io, jwthawk
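The JWT check above, as an added example that is not part of the original checklist: it decodes the token without trusting it, verifies an HS256 signature when the key is known, and flags alg=none, a missing or expired exp claim, and authorization claims carried in the payload. The key b"demo-key" and the sample tokens are assumptions built in-line.

```python
# Added example (not from the original checklist): decode a JWT session token
# without trusting it and flag what a reviewer checks first. Tokens are built
# in-line with the hypothetical key b"demo-key" purely for illustration.
import base64, hashlib, hmac, json, time

def b64url_decode(segment):
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(header, payload, key):
    """Build a sample token: HS256-signed when the header says so, else unsigned."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    if header.get("alg") == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)
    return signing_input + "."          # alg=none style: empty signature segment

def hs256_valid(token, key):
    """Recompute the HMAC and compare in constant time."""
    signing_input, sig_b64 = token.rsplit(".", 1)
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))

def review_jwt(token, now=None):
    """Return findings on the decoded (still unverified) header and payload."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    findings = []
    if header.get("alg", "").lower() == "none" or not sig_b64:
        findings.append("unsigned token: alg=none or empty signature")
    if "exp" not in payload:
        findings.append("no exp claim: token never expires")
    elif payload["exp"] < now:
        findings.append("exp claim in the past: token has expired")
    for claim in ("role", "admin", "is_admin"):
        if claim in payload:
            findings.append(f"authorization decided by client-held claim '{claim}'")
    return findings

if __name__ == "__main__":   # stand-alone demo on a constructed token
    demo = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "42", "role": "admin"}, b"demo-key")
    print(hs256_valid(demo, b"demo-key"), review_jwt(demo))
```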
Authentication
Authentication testing in web application penetration evaluates access control and user verification processes, identifying vulnerabilities to prevent unauthorized access and account compromise. Scrutinizing login mechanisms, password policies, and multi-factor authentication, it strengthens security by addressing weaknesses in user verification systems, reducing the risk of breaches.
Default Credentials
Test for default credentials of common applications and for default passwords of new accounts.
Tools: Burp Suite, Hydra
User Enumeration
Check whether other users can be enumerated or revealed.
Tools: Any Browser, Burp Suite
Authentication Bypass
Check whether user authentication can be bypassed.
Tools: Any Browser, Burp Suite
Password Policy
Check whether a proper password policy is in place.
Tools: Any Browser, Burp Suite
Password Reset/Change
Check the password reset and password change process. See whether any key is leaked.
Tools: Any Browser, Burp Suite
CAPTCHA Testing
Test CAPTCHA validity and bypass.
Tools: Any Browser, Burp Suite
Cookie Flags
Check that the HttpOnly and Secure flags are set on cookies.
Tools: Any Browser, Burp Suite
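One way to automate the Cookie Flags item above together with the HTTP Strict Transport Security and OWASP Secure Headers items under Misconfiguration Check (an added example, not the checklist author's code): it parses a raw HTTP response and reports missing or weak security headers and cookies lacking HttpOnly, Secure or SameSite. The sample response, the chosen header subset and the one-year HSTS floor are assumptions.

```python
# Added example (not from the original checklist): offline check of the HSTS,
# OWASP Secure Headers and Cookie Flags items against a raw HTTP response.
import re

def hsts_ok(value):
    # HSTS only protects with a long max-age; one year is the assumed floor.
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= 31536000

# Header name -> predicate accepting a good value (assumed subset of OWASP list).
EXPECTED = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}

def parse_headers(raw):
    """Return {lowercase name: [values]} from the head of a raw HTTP response."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """List missing/weak security headers and cookies lacking their flags."""
    headers, findings = parse_headers(raw), []
    for name, ok in EXPECTED.items():
        if name not in headers:
            findings.append(f"missing header: {name}")
        elif not ok(headers[name][0]):
            findings.append(f"weak header: {name}={headers[name][0]}")
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")]
        cname = attrs[0].split("=", 1)[0]
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cname}: missing {flag}")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {cname}: missing samesite")
    return sorted(findings)

# Constructed sample: short HSTS, no CSP, session cookie without Secure/SameSite.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n<html></html>"
)
```

Running audit(SAMPLE) returns six findings: two for the session cookie, three missing headers and the weak HSTS max-age.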
Randomness
Check the session cookie for randomness.
Tools: Burp Sequencer
CSRF Tokens
Check whether CSRF tokens are properly in place.
Tools: Any Browser, Burp Suite
Authorization
Authorization testing in web application penetration evaluates access control policies, ensuring users have appropriate permissions to prevent unauthorized actions or data exposure. By examining roles and privileges, it strengthens security, reducing the risk of breaches by enforcing strict access control measures.
Directory Traversal
Test for directory traversal and local file inclusion.
Tools: Any Browser, Burp Suite
Privilege Escalation
Test for role/privilege escalation by manipulating the values of hidden variables.
Tools: Any Browser, Burp Suite
Direct Object Referencing
Check for insecure direct object references in parameters.
Tools: Any Browser, Burp Suite
Session Management
Session Management testing in web application penetration evaluates and strengthens the security of user sessions to prevent unauthorized access and protect sensitive data. It focuses on the secure creation, maintenance, and termination of sessions, mitigating the risk of session hijacking and unauthorized account access.
Session Management Schema
Check the session management token and the strength of the session.
Tools: Burp Sequencer
Session Fixation
Test whether a new session token is created on login, and whether the token can be manipulated or changed.
Tools: Burp Suite, Any Reverse Proxy tool
Cross Site Request Forgery
Test for CSRF and CSRF tokens.
Tools: Burp Suite
Logout
Check whether session tokens can be reused after logout.
Tools: Any Browser, Burp Suite
Data Validation
Data Validation testing in web application penetration evaluates user-input accuracy and security to prevent injection attacks. It scrutinizes input fields, ensuring effective validation and sanitization to mitigate risks of data manipulation. This testing is crucial for fortifying web applications against potential exploits.
Cross-Site Scripting
Check for XSS.
Tools: Any Browser, Burp Suite
SQL Injection
Check for SQLi.
Tools: Any Browser, Burp Suite, sqlmap
HTML Injection
Check for HTML injection.
Tools: Any Browser, Burp Suite
Command Injection
Check whether injected commands are executed.
Tools: Any Browser
Overflow
Check for buffer overflow points in the variable parts of the input.
Tools: Any Browser
RCE/RFE
Check whether RCE/RFE is available. If found, try for a reverse shell.
Tools: Any Browser
NoSQL Injection
Check for NoSQLi against NoSQL databases.
Tools: Any Browser, NoSQLMap
Parameter Fuzzing
Fuzz for different HTTP parameters.
Tools: Any Browser, Burp Suite
OWASP Top 10 Checking
Check against the latest OWASP Top 10 list.
Tools: Any Browser and relevant tools
Error Handling
Error Handling testing in web application penetration evaluates how an application responds to errors, ensuring minimal information disclosure to prevent exploitation.
Analysis of Error Codes
Locate error codes generated by the application or web server. Collect sensitive information from those errors (web server, application server, database).
Tools: Any Browser, Burp Suite
Analysis of Stack Traces
Provoke stack traces with: invalid or empty input; input that contains non-alphanumeric characters or query syntax; access to internal pages without authentication; bypassing the application flow.
Tools: Any Browser, Burp Suite
Documenting 5xx Server Errors
Document all internal server errors.
Tools: Any Browser, Burp Suite
Business Logic
Business Logic testing in web application penetration evaluates critical processes to identify vulnerabilities and prevent unauthorized access or data manipulation.
Data Validation
Test business logic data validation. Insert logically invalid data into the system.
Tools: Any Browser, Burp Suite
Feature Misuse
Test the features for potential misuse.
Tools: Any Browser, Burp Suite
File Upload
File Upload testing in web application penetration evaluates upload functionalities, checking for vulnerabilities to prevent unauthorized access, code execution, or data breaches.
Whitelist
Check which file types are accepted.
Tools: Any Browser, Burp Suite
Volume
Test that file size limits, upload frequency, and total file counts are defined and enforced.
Tools: Any Browser, Burp Suite
Malicious File
Test whether malicious files can be uploaded.
Tools: Any Browser, Burp Suite
Filename Changing
Manipulate file names and check whether a previously uploaded file can be replaced.
Tools: Any Browser, Burp Suite
Authentication & Authorization
Test that files and other media are integrated with the authentication and authorization schemas.
Tools: Any Browser, Burp Suite