# WEB APPLICATION PENTESTING CHECKLIST

**OWASP-based Checklist 🌟🌟**

**500+ Test Cases 🚀🚀**

Notion link: https://hariprasaanth.notion.site/WEB-APPLICATION-PENTESTING-CHECKLIST-0f02d8074b9d4af7b12b8da2d46ac998

- **INFORMATION GATHERING**

**Open Source Reconnaissance**

- [ ] Perform Google Dorks searches
- [ ] Perform OSINT

**Fingerprinting Web Server**

- [ ] Find the type of web server
- [ ] Find the version details of the web server

**Looking For Metafiles**

- [ ] View the robots.txt file
- [ ] View the sitemap.xml file
- [ ] View the humans.txt file
- [ ] View the security.txt file

**Enumerating Web Server’s Applications**

- [ ] Enumerate with Nmap
- [ ] Enumerate with Netcat
- [ ] Perform a DNS lookup
- [ ] Perform a reverse DNS lookup

**Review The Web Contents**

- [ ] Inspect the page source for sensitive info
- [ ] Try to find sensitive JavaScript code
- [ ] Try to find any keys (API keys, tokens, credentials)
- [ ] Make sure autocomplete is disabled on sensitive fields

**Identifying Application’s Entry Points**

- [ ] Identify which HTTP methods are used
- [ ] Identify where each method is used
- [ ] Identify the injection points

**Mapping Execution Paths**

- [ ] Use Burp Suite
- [ ] Use Dirsearch
- [ ] Use Gobuster

**Fingerprint Web Application Framework**

- [ ] Use the Wappalyzer browser extension
- [ ] Use WhatWeb
- [ ] View URL extensions
- [ ] View HTML source code
- [ ] View the cookie names and values
- [ ] View the HTTP headers

**Map Application Architecture**

- [ ] Map the overall site structure

- **CONFIGURATION & DEPLOYMENT MANAGEMENT TESTING**

**Test Network Configuration**

- [ ] Check the network configuration
- [ ] Check for default settings
- [ ] Check for default credentials

**Test Application Configuration**

- [ ] Ensure only required modules are used
- [ ] Ensure unwanted modules are disabled
- [ ] Ensure the server can withstand DoS
- [ ] Check how the application handles 4xx & 5xx errors
- [ ] Check the privilege level required to run the application
- [ ] Check logs for sensitive info

**Test File Extension Handling**

- [ ] Ensure the server won’t serve files with sensitive extensions
- [ ] Ensure the server won’t accept malicious extensions
- [ ] Test for file upload vulnerabilities

**Review Backup & Unreferenced Files**

- [ ] Ensure unreferenced files don’t contain any sensitive info
- [ ] Check the naming conventions of old and new backup files (e.g. .bak, .old, ~)
- [ ] Check the functionality of unreferenced pages

**Enumerate Infrastructure & Admin Interfaces**

- [ ] Try to find the infrastructure interface
- [ ] Try to find the admin interface
- [ ] Identify hidden admin functionality

**Testing HTTP Methods**

- [ ] Discover the supported methods
- [ ] Ensure the PUT method is disabled
- [ ] Check whether the OPTIONS method is enabled and what it discloses (CORS preflights need it, so disabling it is not always possible)
- [ ] Test access control bypass (e.g. the same path with a different method)
- [ ] Test for XST (Cross-Site Tracing) attacks via the TRACE method
- [ ] Test for HTTP method overriding (X-HTTP-Method-Override and similar headers)

**Test HSTS**

- [ ] Ensure HSTS is enabled

**Test RIA Cross Domain Policy**

- [ ] Check for Adobe’s cross-domain policy (crossdomain.xml)
- [ ] Ensure it grants the least privilege (no wildcard domains)

**Test File Permission**

- [ ] Check the permissions on sensitive files
- [ ] Test for directory enumeration

**Test For Subdomain Takeover**

- [ ] Test A and CNAME records for subdomain takeover
- [ ] Test NS records for subdomain takeover
- [ ] Test 404 responses for subdomain takeover

**Test Cloud Storage**

- [ ] Check the sensitive paths of AWS
- [ ] Check the sensitive paths of Google Cloud
- [ ] Check the sensitive paths of Azure

- **IDENTITY MANAGEMENT TESTING**

**Test Role Definitions**

- [ ] Test for forced browsing
- [ ] Test for IDOR (Insecure Direct Object Reference)
- [ ] Test for parameter tampering
- [ ] Ensure low-privilege users can’t access high-privilege resources

**Test User Registration Process**

- [ ] Ensure the same user or identity can’t register repeatedly
- [ ] Ensure registrations are verified
- [ ] Ensure disposable email addresses are rejected
- [ ] Check what proof is required for successful registration

**Test Account Provisioning Process**

- [ ] Check the verification for the provisioning process
- [ ] Check the verification for the de-provisioning process
- [ ] Check the provisioning rights an admin user has over other users
- [ ] Check whether a user can de-provision themselves
- [ ] Check what happens to the resources of a de-provisioned user

**Testing For Account Enumeration**

- [ ] Check the response when a valid username and password are entered
- [ ] Check the response when a valid username and an invalid password are entered
- [ ] Check the response when an invalid username and password are entered
- [ ] Ensure rate limiting is applied to the username and password fields

**Test For Weak Username Policy**

- [ ] Check the response for both valid and invalid usernames
- [ ] Check for username enumeration

- **AUTHENTICATION TESTING**

**Test For Un-Encrypted Channel**

- [ ] Check for an HTTP login page
- [ ] Check for an HTTP register (sign-up) page
- [ ] Check for an HTTP forgot-password page
- [ ] Check for an HTTP change-password page
- [ ] Check for resources served over HTTP after logout
- [ ] Test for forced browsing to HTTP pages

**Test For Default Credentials**

- [ ] Test with default credentials
- [ ] Test the organization name as credentials
- [ ] Test for response manipulation
- [ ] Test for the default username and a blank password
- [ ] Review the page source for credentials

**Test For Weak Lockout Mechanism**

- [ ] Ensure the account is locked after 3-5 incorrect attempts
- [ ] Ensure the system accepts only a valid CAPTCHA
- [ ] Ensure the system rejects an invalid CAPTCHA
- [ ] Ensure the CAPTCHA is regenerated on reload
- [ ] Ensure the CAPTCHA reloads after entering the wrong code
- [ ] Ensure the user has a recovery option for a locked-out account

**Test For Bypassing Authentication Schema**

- [ ] Test forced browsing directly to the internal dashboard without login
- [ ] Test for session ID prediction
- [ ] Test for authentication parameter tampering
- [ ] Test for SQL injection on the login page
- [ ] Test gaining access with a captured session ID
- [ ] Test whether multiple concurrent logins are allowed

**Test For Vulnerable Remember Password**

- [ ] Ensure the “remember me” feature stores a random token, not the password itself, and never in cleartext
- [ ] Ensure the remembered credential is validated against server-side state

**Test For Browser Cache Weakness**

- [ ] Ensure proper Cache-Control headers are set on sensitive pages
- [ ] Ensure no sensitive data is stored in the browser cache

**Test For Weak Password Policy**

- [ ] Ensure a strong password policy is enforced
- [ ] Check for password reuse
- [ ] Check that the user cannot use their username as the password
- [ ] Check for common weak passwords
- [ ] Check the minimum password length that is set
- [ ] Check the maximum password length that is set (a low cap weakens passwords)

**Testing For Weak Security Questions**

- [ ] Check the complexity of the questions
- [ ] Check for brute-forcing

**Test For Weak Password Reset Function**

- [ ] Check what information is required to reset the password
- [ ] Check for a password reset function over HTTP
- [ ] Test the randomness of the password reset tokens
- [ ] Test the uniqueness of the password reset tokens
- [ ] Test for rate limiting on password reset requests
- [ ] Ensure the token expires after being used
- [ ] Ensure the token expires after not being used for a long time

**Test For Weak Password Change Function**

- [ ] Check that the old password is required to make a change
- [ ] Check that the new password must differ from the previous one
- [ ] Check for a blank password change
- [ ] Check for a password change function over HTTP
- [ ] Ensure the old password is not displayed after the change
- [ ] Ensure other sessions are invalidated after the password change
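Added worked example for the "Test the randomness / uniqueness of the password reset tokens" items above (this is not code from the checklist or its author). In an engagement you would request a few dozen resets and collect the tokens from the e-mails or links; here two constructed batches stand in for that capture. `weak_token` models a counter-plus-timestamp issuer and `strong_token` a CSPRNG issuer; `analyze_tokens` then reports the things a tester looks for: duplicates, nominal entropy below 128 bits, character positions that never change, and consecutive tokens that share long prefixes. All function names and the sample batches are assumptions of this example.

```python
"""Offline quality check for a batch of password-reset tokens.

Added example for the "Test For Weak Password Reset Function" items; it is not
part of the original checklist. Capture N tokens from the target's reset flow (here
replaced by constructed batches), then check uniqueness, nominal entropy, static
character positions and whether consecutive tokens share long prefixes, which is the
signature of counter- or timestamp-derived tokens.
"""
import math
import secrets
from collections import Counter


def weak_token(seq: int, issued_at: float) -> str:
    """Constructed model of a weak issuer: hex(unix time) followed by a counter."""
    return f"{int(issued_at):08x}{seq:04d}"


def strong_token() -> str:
    """What a sound issuer looks like: 32 bytes from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


def shannon_entropy(symbols) -> float:
    """Entropy (bits) of the observed symbol distribution."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters two tokens have in common."""
    k = 0
    while k < min(len(a), len(b)) and a[k] == b[k]:
        k += 1
    return k


def analyze_tokens(tokens: list) -> dict:
    """Return measurements and findings for tokens captured from one endpoint."""
    n = len(tokens)
    min_len = min(len(t) for t in tokens)
    alphabet = set("".join(tokens))
    # Upper bound on bits per character: log2 of the alphabet actually observed.
    bits_per_char = math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0
    # Entropy at each position across the batch; 0 means the character never changes.
    per_pos = [shannon_entropy(t[i] for t in tokens) for i in range(min_len)]
    static_positions = sum(1 for e in per_pos if e == 0.0)
    # Consecutive tokens sharing most of their prefix indicates a counter or timestamp.
    avg_prefix = sum(common_prefix_len(a, b) for a, b in zip(tokens, tokens[1:])) / max(n - 1, 1)

    findings = []
    if len(set(tokens)) != n:
        findings.append("duplicate tokens issued")
    if min_len * bits_per_char < 128:
        findings.append("fewer than 128 bits of nominal entropy")
    if static_positions:
        findings.append(f"{static_positions} character positions never change")
    if avg_prefix >= min_len / 2:
        findings.append("consecutive tokens share long prefixes (sequential or time-based)")
    return {
        "count": n,
        "min_length": min_len,
        "alphabet_size": len(alphabet),
        "nominal_bits": min_len * bits_per_char,
        "mean_positional_entropy": sum(per_pos) / len(per_pos),
        "avg_common_prefix": avg_prefix,
        "findings": findings,
        "weak": bool(findings),
    }


# Constructed batches standing in for 50 tokens captured from each kind of issuer.
BASE_TIME = 1_700_000_000.0
WEAK_BATCH = [weak_token(i, BASE_TIME + 2 * i) for i in range(50)]
STRONG_BATCH = [strong_token() for _ in range(50)]

if __name__ == "__main__":
    for label, batch in (("weak", WEAK_BATCH), ("strong", STRONG_BATCH)):
        print(label, analyze_tokens(batch))
```

Note that the weak batch passes the uniqueness test: every token is different, yet the batch is still predictable because most positions are fixed and the rest follow time and a counter. That is why uniqueness and randomness are separate checklist items.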
**Test For Weak Authentication In Alternative Channel**

- [ ] Test authentication on desktop browsers
- [ ] Test authentication on mobile browsers
- [ ] Test authentication from a different country
- [ ] Test authentication in a different language
- [ ] Test authentication on desktop applications
- [ ] Test authentication on mobile applications

- **AUTHORIZATION TESTING**

**Testing Directory Traversal File Include**

- [ ] Identify the injection point in the URL
- [ ] Test for Local File Inclusion
- [ ] Test for Remote File Inclusion
- [ ] Test traversal on URL parameters
- [ ] Test traversal on cookie parameters

**Testing Traversal With Encoding**

- [ ] Test traversal with Base64 encoding
- [ ] Test traversal with URL encoding
- [ ] Test traversal with ASCII encoding
- [ ] Test traversal with HTML encoding
- [ ] Test traversal with Hex encoding
- [ ] Test traversal with Binary encoding
- [ ] Test traversal with Octal encoding
- [ ] Test traversal with Gzip encoding

**Testing Traversal With Different OS Schemes**

- [ ] Test traversal with Unix schemes (`../`)
- [ ] Test traversal with Windows schemes (`..\`)
- [ ] Test traversal with Mac schemes

**Test Other Encoding Techniques**

- [ ] Test traversal with double encoding
- [ ] Test traversal with all characters encoded
- [ ] Test traversal with only special characters encoded

**Test Authorization Schema Bypass**

- [ ] Test for horizontal authorization schema bypass
- [ ] Test for vertical authorization schema bypass
- [ ] Test overriding the target with custom headers (e.g. X-Original-URL, X-Rewrite-URL)

**Test For Privilege Escalation**

- [ ] Identify the injection point
- [ ] Test for bypassing the security measures
- [ ] Test for forced browsing
- [ ] Test for IDOR
- [ ] Test for parameter tampering to a high-privileged user

**Test For Insecure Direct Object Reference**

- [ ] Test changing the ID parameter
- [ ] Test adding parameters at the endpoints
- [ ] Test for HTTP parameter pollution
- [ ] Test adding an extension at the end (e.g. `.json`)
- [ ] Test with outdated API versions
- [ ] Test wrapping the ID in an array
- [ ] Test wrapping the ID in a JSON object
- [ ] Test for JSON parameter pollution
- [ ] Test changing the case
- [ ] Test for path traversal
- [ ] Test changing words
- [ ] Test changing methods

- **SESSION MANAGEMENT TESTING**

**Test For Session Management Schema**

- [ ] Ensure all Set-Cookie headers carry the required security attributes
- [ ] Ensure no cookie operation takes place over an unencrypted channel
- [ ] Ensure the cookie can’t be forced over an unencrypted channel
- [ ] Ensure the HttpOnly flag is enabled
- [ ] Check whether any cookies are persistent
- [ ] Check for session cookies and cookie expiration date/time
- [ ] Check for session fixation
- [ ] Check for concurrent login
- [ ] Check for session validity after logout
- [ ] Check for session validity after closing the browser
- [ ] Try decoding cookies (Base64, Hex, URL, etc.)

**Test For Cookie Attributes**

- [ ] Ensure the cookie is set with the Secure attribute
- [ ] Ensure the cookie is set with the Path attribute
- [ ] Ensure the cookie has the HttpOnly flag
- [ ] Ensure the cookie sets a SameSite attribute

**Test For Session Fixation**

- [ ] Ensure new cookies are issued upon successful authentication
- [ ] Test manipulating the cookies

**Test For Exposed Session Variables**

- [ ] Test for encryption
- [ ] Test for GET and POST vulnerabilities
- [ ] Test whether GET requests carrying the session ID are used
- [ ] Test by interchanging the POST and GET methods

**Test For Back Refresh Attack**

- [ ] Test after password change
- [ ] Test after logout

**Test For Cross Site Request Forgery**

- [ ] Check whether the token is validated on the server side
- [ ] Check whether the token is validated for its full length or only partially
- [ ] Check by comparing the CSRF tokens of multiple dummy accounts
- [ ] Check CSRF by interchanging the POST and GET methods
- [ ] Check CSRF by removing the CSRF token parameter
- [ ] Check CSRF by removing the CSRF token value and sending a blank parameter
- [ ] Check CSRF by using unused tokens
- [ ] Check CSRF by replacing the CSRF token with an arbitrary value of the same length
- [ ] Check CSRF by changing the content type to multipart/form-data
- [ ] Check CSRF by changing or deleting some characters of the CSRF token
- [ ] Check CSRF by renaming the Referer header (e.g. to Referrer) or removing it
- [ ] Check CSRF by changing the Host values
- [ ] Check CSRF alongside clickjacking

**Test For Logout Functionality**

- [ ] Check the logout function on different pages
- [ ] Check the visibility of the logout button
- [ ] Ensure the session is ended after logout
- [ ] Ensure the dashboard can’t be accessed via the back button after logout
- [ ] Ensure a proper session timeout has been set

**Test For Session Timeout**

- [ ] Ensure a session timeout exists
- [ ] Ensure all tokens are destroyed after the timeout

**Test For Session Puzzling**

- [ ] Identify all the session variables
- [ ] Try to break the logical flow of the session generation

**Test For Session Hijacking**

- [ ] Test session hijacking on a target that doesn’t have HSTS enabled
- [ ] Test logging in with captured cookies
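Added worked example for the "Test For Session Management Schema" and "Test For Cookie Attributes" items above (example code, not part of the checklist). Paste the Set-Cookie headers a proxy captured into `audit_set_cookie`; it parses the header, reports missing Secure/HttpOnly/SameSite/Path, a broad Domain, a persistent session cookie, and decodes the value to show when the "session ID" is really readable client-side state. The two sample headers, the cookie names and the JSON state inside the weak cookie are constructed for this example.

```python
"""Audit Set-Cookie headers for the session-management and cookie-attribute items.

Added example, not part of the original checklist. The two sample headers are
constructed to look like what a proxy would capture from a weak and a sound
application. Each header is parsed, its attributes are checked (Secure, HttpOnly,
SameSite, Path, Domain, persistence) and the cookie value is decoded to see whether
it carries readable state rather than an opaque identifier.
"""
import base64
import binascii
import json
import string

PRINTABLE = set(string.printable)


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr=val; Flag' into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def try_decode(value: str):
    """Return the decoded text if the value is base64url or hex of printable data, else None."""
    decoders = (
        lambda v: base64.urlsafe_b64decode(v + "=" * (-len(v) % 4)),
        lambda v: binascii.unhexlify(v),
    )
    for decode in decoders:
        try:
            text = decode(value).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text and all(ch in PRINTABLE for ch in text):
            return text
    return None


def audit_set_cookie(header: str, session_cookie: bool = True) -> dict:
    """Check one Set-Cookie header; returns the findings a tester would report."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie will be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from JavaScript")
    same_site = attrs.get("samesite", "").lower()
    if not same_site:
        findings.append("missing SameSite: browser default applies")
    elif same_site == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure is rejected by browsers")
    if "path" not in attrs:
        findings.append("missing Path: scope defaults to the request path's directory")
    if attrs.get("domain"):
        findings.append(f"Domain={attrs['domain']}: shared with every subdomain")
    persistent = "expires" in attrs or "max-age" in attrs
    if session_cookie and persistent:
        findings.append("session cookie is persistent (Expires/Max-Age set)")
    decoded = try_decode(cookie["value"])
    if decoded is not None:
        findings.append(f"value decodes to readable data: {decoded}")
    return {"name": cookie["name"], "persistent": persistent, "decoded": decoded,
            "findings": findings, "ok": not findings}


# Constructed samples. WEAK_COOKIE encodes user state client-side with no protection
# attributes; GOOD_COOKIE is an opaque random ID with the attributes the checklist asks for.
_STATE = base64.urlsafe_b64encode(json.dumps({"user": "alice", "role": "admin"}).encode())
WEAK_COOKIE = (f"sessionid={_STATE.rstrip(b'=').decode()}; Path=/; Domain=.example.test; "
               "Expires=Wed, 21 Oct 2026 07:28:00 GMT")
GOOD_COOKIE = ("__Host-session=3f9a1c4e8b7d2a6f0c5e9b1d4a7f3e2c; Path=/; Secure; HttpOnly; "
               "SameSite=Lax")

if __name__ == "__main__":
    for header in (WEAK_COOKIE, GOOD_COOKIE):
        print(json.dumps(audit_set_cookie(header), indent=2))
```

Run it against every Set-Cookie header in the login response, not only the obvious session cookie: "remember me" and CSRF cookies are where the missing attributes usually hide.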
- **INPUT VALIDATION TESTING**

**Test For Reflected Cross Site Scripting**

- [ ] Ensure these characters are filtered or encoded: `<` `>` `'` `&` `"`
- [ ] Test with character escape sequences
- [ ] Test by replacing `<` and `>` with the HTML entities `&lt;` and `&gt;`
- [ ] Test payloads with both lower and upper case
- [ ] Test breaking firewall regexes with new lines (`\r\n`)
- [ ] Test with double encoding
- [ ] Test against recursive filters (e.g. `<scr<script>ipt>`)
- [ ] Test injecting anchor tags without whitespace
- [ ] Test by replacing whitespace with bullets
- [ ] Test by changing HTTP methods

**Test For Stored Cross Site Scripting**

- [ ] Identify stored input parameters that are reflected on the client side
- [ ] Look for input parameters on the profile page
- [ ] Look for input parameters on the shopping cart page
- [ ] Look for input parameters on the file upload page
- [ ] Look for input parameters on the settings page
- [ ] Look for input parameters on the forum and comment pages
- [ ] Test uploading a file with an XSS payload as its file name
- [ ] Test with HTML tags

**Test For HTTP Parameter Pollution**

- [ ] Identify the backend server and the parsing method used
- [ ] Try to access the injection point
- [ ] Try to bypass the input filters using HTTP Parameter Pollution

**Test For SQL Injection**

- [ ] Test SQL Injection on authentication forms
- [ ] Test SQL Injection on the search bar
- [ ] Test SQL Injection on editable fields
- [ ] Try to find SQL keywords or entry-point detections
- [ ] Try to inject SQL queries
- [ ] Use tools like sqlmap or HackBar
- [ ] Use Google dorks to find SQL keywords
- [ ] Try GET-based SQL Injection
- [ ] Try POST-based SQL Injection
- [ ] Try cookie-based SQL Injection
- [ ] Try header-based SQL Injection
- [ ] Try SQL Injection with null bytes before the SQL query
- [ ] Try SQL Injection with URL encoding
- [ ] Try SQL Injection with both lower and upper case
- [ ] Try SQL Injection with sqlmap tamper scripts
- [ ] Try SQL Injection with time-delay payloads
- [ ] Try SQL Injection with conditional delays
- [ ] Try boolean-based blind SQL Injection
- [ ] Try time-based blind SQL Injection

**Test For LDAP Injection**

- [ ] Use LDAP search filters
- [ ] Try LDAP Injection for access control bypass

**Testing For XML Injection**

- [ ] Check whether the application uses XML for processing
- [ ] Identify the XML Injection point with XML metacharacters
- [ ] Construct an XSS payload on top of XML

**Test For Server Side Includes**

- [ ] Use Google dorks to find SSI
- [ ] Construct RCE on top of SSI
- [ ] Construct other injections on top of SSI
- [ ] Test injecting SSI on login pages, header fields, Referer, etc.

**Test For XPATH Injection**

- [ ] Identify the XPATH Injection point
- [ ] Test for XPATH Injection

**Test For IMAP/SMTP Injection**

- [ ] Identify the IMAP/SMTP Injection point
- [ ] Understand the data flow
- [ ] Understand the deployment structure of the system
- [ ] Assess the injection impact

**Test For Local File Inclusion**

- [ ] Look for LFI keywords
- [ ] Try to change the local path
- [ ] Use the LFI payload list
- [ ] Test LFI by adding a null byte at the end (only effective on old PHP versions, before 5.3.4)

**Test For Remote File Inclusion**

- [ ] Look for RFI keywords
- [ ] Try to change the remote path
- [ ] Use the RFI payload list

**Test For Command Injection**

- [ ] Identify the injection points
- [ ] Look for Command Injection keywords
- [ ] Test Command Injection using different delimiters (`;`, `|`, `&&`, backticks, `$( )`)
- [ ] Test Command Injection with a payload list
- [ ] Test Command Injection with different OS commands

**Test For Format String Injection**

- [ ] Identify the injection points
- [ ] Use different format parameters as payloads
- [ ] Assess the injection impact

**Test For Host Header Injection**

- [ ] Test for HHI by changing the real Host header
- [ ] Test for HHI by adding an X-Forwarded-Host header
- [ ] Test for HHI by swapping the real Host and X-Forwarded-Host headers
- [ ] Test for HHI by adding two Host headers
- [ ] Test for HHI by putting the target value in front of the original value
- [ ] Test for HHI by appending the target with a slash after the original value
- [ ] Test for HHI with other injections in the Host header
- [ ] Test for HHI via password reset poisoning

**Test For Server Side Request Forgery**

- [ ] Look for SSRF keywords
- [ ] Search for SSRF keywords only in the request headers and body
- [ ] Identify the injection points
- [ ] Test whether the injection points are exploitable
- [ ] Assess the injection impact

**Test For Server Side Template Injection**

- [ ] Identify the template injection points
- [ ] Identify the templating engine
- [ ] Use tplmap to exploit

- **ERROR HANDLING TESTING**

**Test For Improper Error Handling**

- [ ] Identify the error output
- [ ] Analyze the different outputs returned
- [ ] Look for common error handling flaws
- [ ] Test error handling by modifying URL parameters
- [ ] Test error handling by uploading unrecognized file formats
- [ ] Test error handling by entering unrecognized inputs
- [ ] Test error handling by triggering all possible errors

- **WEAK CRYPTOGRAPHY TESTING**

**Test For Weak Transport Layer Security**

- [ ] Test for the DROWN weakness on the SSLv2 protocol
- [ ] Test for the POODLE weakness on the SSLv3 protocol
- [ ] Test for the BEAST weakness on the TLSv1.0 protocol
- [ ] Test for the FREAK weakness on export cipher suites
- [ ] Test for null ciphers
- [ ] Test for the NOMORE weakness on RC4
- [ ] Test for the Lucky 13 weakness on CBC-mode ciphers
- [ ] Test for the CRIME weakness on TLS compression
- [ ] Test for Logjam on weak DHE parameters
- [ ] Ensure the digital certificates have at least 2048-bit RSA keys
- [ ] Ensure the digital certificates use at least a SHA-256 signature algorithm
- [ ] Ensure the digital certificates do not use MD5 or SHA-1
- [ ] Ensure the validity of the digital certificate (expiry, hostname, chain)
- [ ] Ensure the minimum key length requirements are met
- [ ] Look for weak cipher suites

- **BUSINESS LOGIC TESTING**

**Test For Business Logic**

- [ ] Identify the logic of how the application works
- [ ] Identify the functionality of all the buttons
- [ ] Test by changing numerical values to very high or negative values
- [ ] Test by changing the quantity
- [ ] Test by modifying the payments
- [ ] Test for parameter tampering

**Test For Malicious File Upload**

- [ ] Test by uploading malicious files
- [ ] Test by putting your IP address in the file name
- [ ] Test by using a right-to-left override (RTLO) character in the file name
- [ ] Test by using an encoded file name
- [ ] Test by using an XSS payload in the file name
- [ ] Test by using an RCE payload in the file name
- [ ] Test by using an LFI payload in the file name
- [ ] Test by using an RFI payload in the file name
- [ ] Test by using a SQL payload in the file name
- [ ] Test by using other injections in the file name
- [ ] Test by inserting the payload inside an image with the bmp.pl tool
- [ ] Test by uploading large files (leads to DoS)

- **CLIENT SIDE TESTING**

**Test For DOM Based Cross Site Scripting**

- [ ] Try to identify DOM sinks
- [ ] Build payloads for that DOM sink type

**Test For URL Redirect**

- [ ] Look for URL redirect parameters
- [ ] Test for URL redirection on domain parameters
- [ ] Test for URL redirection using a payload list
- [ ] Test for URL redirection using a whitelisted word at the end
- [ ] Test for URL redirection by creating a subdomain with the same name as the target
- [ ] Test for URL redirection via XSS
- [ ] Test for URL redirection via a profile URL flaw

**Test For Cross Origin Resource Sharing**

- [ ] Look for “Access-Control-Allow-Origin” in the response (does it reflect arbitrary origins, and is Access-Control-Allow-Credentials true?)
- [ ] Use the CORS HTML exploit code for further exploitation

**Test For Clickjacking**

- [ ] Ensure the “X-Frame-Options” header (or a CSP frame-ancestors directive) is set
- [ ] Exploit with iframe HTML code for a PoC

- **OTHER COMMON ISSUES**

**Test For No Rate Limiting**

- [ ] Ensure rate limiting is enabled
- [ ] Try to bypass rate limiting by changing the case of the endpoints
- [ ] Try to bypass rate limiting by adding / at the end of the URL
- [ ] Try to bypass rate limiting by adding HTTP headers (e.g. X-Forwarded-For)
- [ ] Try to bypass rate limiting by adding HTTP headers twice
- [ ] Try to bypass rate limiting by adding Origin headers
- [ ] Try to bypass rate limiting by IP rotation
- [ ] Try to bypass rate limiting by using null bytes at the end
- [ ] Try to bypass rate limiting by using race conditions

**Test For EXIF Geodata**

- [ ] Ensure the website strips geodata from uploaded images
- [ ] Test with an EXIF checker

**Test For Broken Link Hijack**

- [ ] Ensure there are no broken links
- [ ] Test broken links using the blc tool

**Test For SPF**

- [ ] Ensure the domain has an SPF record
- [ ] Test SPF with the nslookup command (TXT record)

**Test For Weak 2FA**

- [ ] Try to bypass 2FA by using poor session management
- [ ] Try to bypass 2FA via the OAuth mechanism
- [ ] Try to bypass 2FA via brute-forcing
- [ ] Try to bypass 2FA via response manipulation
- [ ] Try to bypass 2FA by using activation links to log in
- [ ] Try to bypass 2FA by using status code manipulation
- [ ] Try to bypass 2FA by changing the email or password
- [ ] Try to bypass 2FA by using a null or empty entry
- [ ] Try to bypass 2FA by changing the boolean to false
- [ ] Try to bypass 2FA by removing the 2FA parameter from the request

**Test For Weak OTP Implementation**

- [ ] Try to bypass OTP by entering an old OTP
- [ ] Try to bypass OTP by brute-forcing
- [ ] Try to bypass OTP by using a null or empty entry
- [ ] Try to bypass OTP by response manipulation
- [ ] Try to bypass OTP by status code manipulation

PDF version: https://raw.githubusercontent.com/Hari-prasaanth/Web-App-Pentest-Checklist/191e8dd7cdae65fbe9610fd93c88b5cd442cf956/Web Application Checklist.pdf

### Shaped by: Hariprasaanth R

**Reach Me: [LinkedIn](https://www.linkedin.com/in/hariprasaanth) [Portfolio](https://hariprasaanth.blogspot.com/) [Github](https://github.com/Hari-prasaanth)**
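Added worked example for the "Test For SQL Injection" items in the Input Validation section above (example code, not from the checklist). It shows the defect and the fix side by side, plus the detection step a tester performs: an in-memory SQLite table with constructed rows stands in for the target backend, `lookup_vulnerable` and `login_vulnerable` splice input into the SQL text, `lookup_safe` and `login_safe` bind parameters, and `probe_boolean_sqli` sends the error probe (`'`) and the boolean pair (`' AND '1'='1` / `' AND '1'='2`) that the "boolean-based blind" item refers to. Table, rows, and function names are assumptions of this example; in a real test the `lookup` argument would wrap an HTTP request.

```python
"""SQL injection: vulnerable query, parameterized fix, and a boolean-based detection probe.

Added example for the SQL Injection items in the Input Validation section; it is not
code from the checklist. An in-memory SQLite database with constructed rows stands in
for the target backend. `lookup_vulnerable` and `login_vulnerable` build SQL by string
formatting (the defect); `lookup_safe` and `login_safe` bind parameters (the fix).
`probe_boolean_sqli` is the tester's side: an error probe plus the true/false pair
that distinguishes an injectable parameter from one that is merely echoed back.
"""
import sqlite3

CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
CONN.executemany(
    "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
    [("alice", "Wonderland!1", "admin"), ("bob", "hunter2", "user")],  # constructed rows
)
CONN.commit()


def lookup_vulnerable(username: str) -> list:
    """Deliberately vulnerable: the input is spliced into the SQL text."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return CONN.execute(sql).fetchall()


def lookup_safe(username: str) -> list:
    """Hardened: same query, value bound as a parameter so quotes are just data."""
    return CONN.execute("SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


def login_vulnerable(username: str, password: str) -> bool:
    """Classic authentication-bypass shape: ' OR '1'='1 in either field logs in."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return CONN.execute(sql).fetchone()[0] > 0


def login_safe(username: str, password: str) -> bool:
    """Hardened login check with both values bound as parameters."""
    row = CONN.execute("SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] > 0


def probe_boolean_sqli(lookup, base_value: str) -> dict:
    """Detection logic run against a lookup function (in practice, an HTTP endpoint).

    A parameter is reported injectable when a lone quote triggers a database error, or
    when the always-true suffix reproduces the baseline while the always-false one
    changes it. A safe endpoint treats both suffixes as literal text and returns no rows.
    """
    def response(value):
        try:
            return ("ok", lookup(value))
        except sqlite3.Error as exc:
            return ("error", type(exc).__name__)

    baseline = response(base_value)
    error_case = response(base_value + "'")
    true_case = response(base_value + "' AND '1'='1")
    false_case = response(base_value + "' AND '1'='2")
    by_error = error_case[0] == "error"
    by_boolean = true_case == baseline and false_case != baseline
    return {"baseline": baseline, "error": error_case, "true": true_case,
            "false": false_case, "injectable": by_error or by_boolean}


if __name__ == "__main__":
    print("vulnerable:", probe_boolean_sqli(lookup_vulnerable, "alice"))
    print("safe:      ", probe_boolean_sqli(lookup_safe, "alice"))
    print("bypass on vulnerable login:", login_vulnerable("alice", "x' OR '1'='1"))
    print("bypass on safe login:      ", login_safe("alice", "x' OR '1'='1"))
```

The boolean pair matters because a site that simply reflects the parameter also "changes" its response for any input; only the true-case-equals-baseline, false-case-differs pattern isolates the database's evaluation of the injected condition. The time-based variant from the checklist follows the same structure with a delay function in place of the `'1'='2'` comparison, which SQLite does not offer, so it is not shown here.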