/WebPentestChecklist

Workflow for pentesting web applications.

Web penetration testing checklist

Map the application

  • Explore visible content
  • Consult visible resources
  • Discover hidden content
  • Discover default content
  • Test for debug parameters
  • Run content discovery in Burp

Analyze the application

  • Identify functionality
  • Identify data entry points
  • Identify the technology used
  • Map the attack surface

Test client side controls

  • Test transmission of data via the client
  • Test client side control over client input
  • Test browser extension components

Test authentication mechanism

  • Understand the mechanism
  • Test password quality
  • Test username enumeration
  • Test resilience to password guessing
  • Test account recovery functions
  • Test remember me functions
  • Test impersonation functions
  • Test username uniqueness
  • Test predictability of autogenerated credentials
  • Check unsafe transmission of credentials
  • Check unsafe distribution of credentials
  • Test insecure storage
  • Test logic flaws
  • Test unauthorized access to functions
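Username enumeration (above) is found by comparing the login response for a username known to exist with the response for one that does not, across every channel that can differ: status code, body length, wording, timing and whether a cookie is issued. The script below is an added example, not part of the original checklist; the two responses are constructed samples in which only the error message and the response time differ (the slow path models a password hash being computed only for real accounts).

```python
# Added example: compare login responses for a valid and an invalid username
# across the channels that commonly leak. Both responses are constructed
# samples; no real application was queried.
import difflib
from dataclasses import dataclass
from statistics import median
from typing import List


@dataclass
class LoginResponse:
    username: str
    status: int
    body: str
    elapsed_ms: List[float]   # several timed attempts, medianed to smooth jitter
    set_cookie: bool          # did the server issue a Set-Cookie header


def body_diff(a: str, b: str) -> List[str]:
    """Lines that differ between two response bodies (the '+'/'-' hunk lines)."""
    return [
        line
        for line in difflib.unified_diff(a.splitlines(), b.splitlines(), lineterm="", n=0)
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def enumeration_signals(valid: LoginResponse, invalid: LoginResponse,
                        timing_threshold_ms: float = 100.0) -> dict:
    """For each leak channel, True means the channel distinguishes the two users."""
    diff = body_diff(invalid.body, valid.body)
    return {
        "status_code": valid.status != invalid.status,
        "body_length": len(valid.body) != len(invalid.body),
        "body_text": bool(diff),
        "timing": abs(median(valid.elapsed_ms) - median(invalid.elapsed_ms)) >= timing_threshold_ms,
        "cookie_issued": valid.set_cookie != invalid.set_cookie,
        "diff": diff,
    }


def leaking_channels(signals: dict) -> List[str]:
    """Names of the channels that leak, sorted for stable reporting."""
    return sorted(k for k, v in signals.items() if v is True)


# Constructed samples: a real account with a wrong password, and a username
# that does not exist. The slow response models a password hash being computed
# only when the account exists.
VALID_USER = LoginResponse(
    "alice", 200,
    "<h1>Login</h1>\n<p class='err'>Incorrect password.</p>\n",
    [340.0, 352.1, 347.8], False,
)
UNKNOWN_USER = LoginResponse(
    "zz_nobody", 200,
    "<h1>Login</h1>\n<p class='err'>Invalid username or password.</p>\n",
    [18.2, 21.0, 19.4], False,
)


def run_sample() -> dict:
    return enumeration_signals(VALID_USER, UNKNOWN_USER)


if __name__ == "__main__":
    signals = run_sample()
    print("leaking channels:", leaking_channels(signals))
    for line in signals["diff"]:
        print("  ", line)
```

Run the timed attempts several times and compare medians rather than single samples; a timing gap of a few hundred milliseconds that survives averaging is a reliable oracle even when the messages are identical.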

Test session management mechanism

  • Understand the mechanism
  • Test token for meaning
  • Test token for predictability
  • Check insecure transmission of tokens
  • Check disclosure of tokens in logs
  • Check mapping of tokens to sessions
  • Test token termination
  • Check session fixation
  • Check for CSRF
  • Check cookie scope
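The two token checks above (meaning and predictability) are mechanical enough to script. The following is an added example, not code from the original checklist: it peels hex and base64 encodings off a single token to look for readable fields and unix timestamps, and compares a sample of tokens issued in sequence for static positions, counter-like steps and low character entropy. All sample tokens are constructed for the example; the random sample is generated locally with the secrets module to show what a CSPRNG-backed token looks like next to a counter.

```python
# Added example: inspect session tokens for meaning and predictability.
# Sample tokens are constructed; nothing here talks to a real application.
import base64
import binascii
import math
import re
import secrets
import string
from collections import Counter
from typing import Dict, List, Tuple

HEX_RE = re.compile(r"[0-9a-fA-F]+")


def decode_layers(token: str) -> List[Tuple[str, bytes]]:
    """Return the token under each encoding it plausibly uses."""
    layers = [("raw", token.encode())]
    if HEX_RE.fullmatch(token) and len(token) % 2 == 0:
        layers.append(("hex", bytes.fromhex(token)))
    padded = token + "=" * (-len(token) % 4)           # restore stripped padding
    for name, alt in (("base64", None), ("base64url", b"-_")):
        try:
            layers.append((name, base64.b64decode(padded, altchars=alt, validate=True)))
        except (binascii.Error, ValueError):
            pass
    return layers


def meaning_signals(token: str) -> Dict:
    """Flag layers that decode to readable text, delimited fields and epoch timestamps."""
    out = {"printable_layers": [], "fields": None, "timestamp": None}
    for name, data in decode_layers(token):
        text = data.decode("ascii", errors="replace")
        if not all(c in string.printable for c in text):
            continue
        out["printable_layers"].append(name)
        if any(sep in text for sep in (":", "|", ";", "&")):
            out["fields"] = text                       # e.g. user:role:time
        for digits in re.findall(r"\d{10}", text):
            # a ten-digit value between 2001 and 2033 reads as a unix timestamp
            if 1_000_000_000 <= int(digits) <= 2_000_000_000:
                out["timestamp"] = int(digits)
    return out


def predictability_signals(tokens: List[str]) -> Dict:
    """Compare a sample of tokens issued in sequence."""
    width = min(len(t) for t in tokens)
    static = [i for i in range(width) if len({t[i] for t in tokens}) == 1]
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    sequential = False
    if all(HEX_RE.fullmatch(t) for t in tokens):
        values = [int(t, 16) for t in tokens]
        deltas = [b - a for a, b in zip(values, values[1:])]
        sequential = all(0 < d < 1000 for d in deltas)  # small positive steps: a counter
    return {
        "static_positions": static,
        "varying_chars": width - len(static),
        "bits_per_char": round(entropy, 2),           # hex tops out at 4.0
        "sequential": sequential,
    }


# Constructed samples.
SAMPLE_MEANINGFUL = "YWxpY2U6YWRtaW46MTcwMDAwMDAwMA=="          # base64("alice:admin:1700000000")
SAMPLE_SEQUENTIAL = [f"5f3a9c1e{n:024x}" for n in range(0xF4240, 0xF4245)]  # fixed prefix + counter
SAMPLE_RANDOM = [secrets.token_hex(16) for _ in range(5)]         # 128-bit CSPRNG tokens

if __name__ == "__main__":
    print("meaning:", meaning_signals(SAMPLE_MEANINGFUL))
    print("counter:", predictability_signals(SAMPLE_SEQUENTIAL))
    print("random: ", predictability_signals(SAMPLE_RANDOM))
```

A handful of tokens is enough to catch a counter or an embedded username; a proper randomness assessment needs thousands of samples, which is what Burp Sequencer is for.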

Test authorization mechanism

  • Understand access control requirements
  • Test with multiple accounts with different roles
  • Test with limited access
  • Test insecure access control methods

Test for input vulnerabilities

  • Fuzz all request parameters and url
  • Test for SQL injection
  • Test for XSS
  • Test for HTTP header (response) injection
  • Test for OS command injection
  • Test for path traversal
  • Test for code injection
  • Test for file inclusion
  • Test for SMTP injection
  • Test for known vulnerabilities in native software
  • Test for SOAP vulnerabilities
  • Test for LDAP injection
  • Test for XPath injection
  • Test backend request injection
  • Test for XXE injection
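For the SQL injection item, the clearest way to see what the probe exercises is a string-built login query beside its parameterised form, and the boolean differential pair a tester sends to tell them apart. The code below is an added example, not part of the original checklist; the application, its users and the in-memory SQLite database are invented for the demonstration.

```python
# Added example: injectable login query beside the parameterised version,
# plus the boolean probe pair used to detect injection blind. The table and
# its rows are constructed; SQLite runs in memory.
import sqlite3
from typing import Callable, List, Tuple

Login = Callable[[sqlite3.Connection, str, str], List[Tuple[str, str]]]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # Input is pasted into the SQL text: a quote in either field rewrites the query.
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    # Placeholders ship the values separately from the SQL; quotes stay data.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def probe(login: Login, username: str, password: str):
    """Run one payload against a fresh copy of the database."""
    return login(make_db(), username, password)


def boolean_probe(login: Login) -> bool:
    """Blind check: a TRUE and a FALSE condition that behave identically unless
    the input reaches the SQL parser. '--' comments out the password clause."""
    true_case = probe(login, "bob' AND '1'='1'--", "x")
    false_case = probe(login, "bob' AND '1'='2'--", "x")
    return true_case != false_case


if __name__ == "__main__":
    bypass = "' OR '1'='1"
    print("vulnerable, tautology:", probe(login_vulnerable, bypass, bypass))
    print("vulnerable, comment:  ", probe(login_vulnerable, "alice'--", "wrong"))
    print("hardened,   tautology:", probe(login_hardened, bypass, bypass))
    print("boolean probe differs:", boolean_probe(login_vulnerable), boolean_probe(login_hardened))
```

The tautology and comment payloads are the loud checks; the boolean pair is what to keep for endpoints that return no data, because the only signal is whether the two responses differ.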

Test for logic flaws

  • Identify the key attack surface
  • Test multistage processes
  • Test handling of incomplete input
  • Test trust boundaries
  • Test transaction logic
  • Test for race conditions
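The race-condition check is about check-then-act gaps in transaction logic: a single-use coupon, a one-time discount, a balance check followed by a debit. The script below is an added example, not part of the original checklist; the coupon store and the timing are a constructed stand-in for a database-backed handler. It fires several redemptions at once through a barrier and counts how much credit one coupon produced, for a racy handler and for one that serialises the check and the update.

```python
# Added example: a check-then-act coupon redemption raced by concurrent
# requests, beside a version that serialises check and update.
# CouponStore and the sleep are a constructed stand-in for a real backend.
import threading
import time


class CouponStore:
    """Stand-in for one row in a database: a single-use coupon on an account."""
    def __init__(self):
        self.redeemed = False
        self.credits = 0
        self.lock = threading.Lock()


def redeem_vulnerable(store: CouponStore) -> bool:
    # Check and act are separate steps; the sleep models the round trip
    # between "is it redeemed?" and "mark it redeemed", during which every
    # other in-flight request still sees redeemed == False.
    if store.redeemed:
        return False
    time.sleep(0.05)
    store.redeemed = True
    store.credits += 10
    return True


def redeem_hardened(store: CouponStore) -> bool:
    # Check and act happen under one lock, so the second request always sees
    # the first request's update. In a real application this is a database
    # transaction with a unique constraint or an atomic conditional UPDATE,
    # not an in-process lock.
    with store.lock:
        if store.redeemed:
            return False
        time.sleep(0.05)
        store.redeemed = True
        store.credits += 10
        return True


def run_race(redeem, n: int = 8) -> int:
    """Fire n redemptions as simultaneously as possible; return credits granted."""
    store = CouponStore()
    barrier = threading.Barrier(n)

    def worker():
        barrier.wait()            # release all threads at the same instant
        redeem(store)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.credits


if __name__ == "__main__":
    print("vulnerable:", run_race(redeem_vulnerable), "credits from one coupon")
    print("hardened:  ", run_race(redeem_hardened), "credits from one coupon")
```

Against a live target the same idea is Burp Intruder or Turbo Intruder sending the redemption request in parallel; the barrier here stands in for the single-packet or last-byte-sync trick that lands the requests inside the same window.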

Test for shared hosting vulnerabilities

  • Test segregation in shared infrastructure
  • Test segregation between hosts

Test application server vulnerabilities

  • Test for default credentials
  • Test for default content
  • Test for dangerous HTTP methods
  • Test for proxy functionality
  • Test for virtual hosting misconfiguration
  • Test for webserver software bugs and updates
  • Test for web application firewall rules

Miscellaneous checks

  • Check for DOM based attacks
  • Check for local privacy vulnerabilities
  • Check for weak SSL/TLS ciphers
  • Check for same origin policy configuration
  • Check HTTP security headers
  • Check for the HttpOnly flag on cookies
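The last three items (same-origin policy configuration, security headers, HttpOnly) and the cookie-scope check from the session management section can all be read off a single captured response. The script below is an added example, not part of the original checklist: it parses a raw HTTP response, reports missing cookie flags and over-broad Domain scope, missing hardening headers, and a credentialed CORS policy. The response is a constructed sample written as if the tester had sent the request with "Origin: https://attacker.example" and the server echoed that origin back.

```python
# Added example: audit one HTTP response for cookie flags and scope, hardening
# headers and CORS policy. The response is a constructed sample.
from typing import Dict, List, Tuple

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSIONID=7b3f9a2c; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: tracking=1; Domain=.example.com; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Access-Control-Allow-Origin: https://attacker.example\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)


def parse_response(raw: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a raw response into {lower-cased header: value} and Set-Cookie values.
    Set-Cookie is kept separately because it legitimately repeats."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers, cookies = {}, []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)
        else:
            headers[name] = value
    return headers, cookies


def audit_cookie(cookie: str) -> List[str]:
    parts = [p.strip() for p in cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value if value else True   # bare flags map to True
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly")
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    samesite = attrs.get("samesite")
    if samesite in (None, True) or samesite.lower() == "none":
        findings.append(f"cookie {name}: SameSite missing or None")
    if "domain" in attrs:
        findings.append(f"cookie {name}: Domain={attrs['domain']} shares it with every subdomain")
    return findings


def audit_headers(headers: Dict[str, str]) -> List[str]:
    findings = []
    for name, label in (("strict-transport-security", "Strict-Transport-Security"),
                        ("content-security-policy", "Content-Security-Policy"),
                        ("x-content-type-options", "X-Content-Type-Options")):
        if name not in headers:
            findings.append(f"{label} missing")
    xfo = headers.get("x-frame-options")
    csp = headers.get("content-security-policy", "")
    if xfo is None and "frame-ancestors" not in csp:
        findings.append("no framing protection (X-Frame-Options / CSP frame-ancestors)")
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unexpected value {xfo!r}")
    acao = headers.get("access-control-allow-origin")
    acac = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("CORS: any origin may read responses")
    elif acao and acac:
        findings.append(f"CORS: credentialed cross-origin reads allowed for {acao}")
    return findings


def audit_response(raw: str) -> List[str]:
    headers, cookies = parse_response(raw)
    findings = []
    for cookie in cookies:
        findings.extend(audit_cookie(cookie))
    findings.extend(audit_headers(headers))
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("-", finding)
```

An echoed Origin combined with Allow-Credentials: true is the finding to chase: it lets a page on the attacker's origin read authenticated responses, which is the same-origin policy check in practice.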