# web-pentesting-checklist

## Pre-Engagement

### Recon & analysis

* [ ] Identify web server & technologies
* [ ] [Subdomains Enumeration](https://medium.com/@_tas/subdomain-enumeration-try-hack-me-learnings-d9def486e5b)
* [ ] [Directory enumeration](../enumeration/web/crawl-fuzz.md)
* [ ] Find [leaked IDs, emails](../recon/public-info-gathering.md) ([pwndb](https://github.com/davidtavarez/pwndb))
* [ ] Identify WAF
* [ ] Crawl the whole site for interesting keywords like password, token, etc.
* [ ] Test for debug parameters
* [ ] Identify data entry points
* [ ] Try to locate /robots.txt, /crossdomain.xml, /clientaccesspolicy.xml, /phpinfo.php, /sitemap.xml
* [ ] Review comments in source code
* [ ] Check /.git
* [ ] Shodan
* [ ] Google dorking
* [ ] Check wayback URLs ([gau](https://github.com/lc/gau) and [waybackurls](https://github.com/tomnomnom/waybackurls))

### Network tests

* [ ] Check whether ICMP packets are allowed
* [ ] Check DMARC policies ([spoofcheck](https://github.com/BishopFox/spoofcheck))
* [ ] Look for services on ports other than 80 and 443
* [ ] Check UDP ports ([udp-proto-scanner](https://github.com/CiscoCXSecurity/udp-proto-scanner) or nmap)
* [ ] Test SSL/TLS ([testssl](https://github.com/drwetter/testssl.sh))

### Preparation

* [ ] Study site structure
* [ ] Make a list of all possible test cases

## User management

### Registration

* [ ] Duplicate registration
* [ ] Overwrite existing user (existing user takeover)
* [ ] Username uniqueness
* [ ] Weak password policy
* [ ] Insufficient email verification process
* [ ] Weak registration implementation, or disposable email addresses allowed
* [ ] Fuzz after user creation to check whether any folder has been overwritten or created with your profile name
* [ ] Password consisting only of spaces

### Authentication

* [ ] Username enumeration
* [ ] Resilience to password guessing
* [ ] Account recovery function
* [ ] "Remember me" function
* [ ] Impersonation function
* [ ] Unsafe distribution of credentials
* [ ] Fail-open conditions
* [ ] Multi-stage mechanisms
* [ ] [SQL Injections](../enumeration/web/sqli.md)
* [ ] Auto-complete testing
* [ ] Lack of password confirmation when changing email, password or 2FA
* [ ] Weak login function over HTTP and HTTPS if both are available
* [ ] User account lockout mechanism against brute-force attacks
* [ ] Build a password wordlist ([cewl](https://github.com/digininja/CeWL) and [burp-goldenNuggets](https://github.com/GainSec/GoldenNuggets-1))
* [ ] Test OAuth login functionality for [Open Redirection](../enumeration/web/ssrf.md)
* [ ] Test response tampering in [SAML](../enumeration/webservices/onelogin-saml-login.md) authentication
* [ ] In OTP flows, check for guessable codes and race conditions
* [ ] If [JWT](../enumeration/webservices/jwt.md) is used, check common flaws
* [ ] Browser cache weakness (e.g. Pragma, Expires, max-age)

### Session

* [ ] Session handling
* [ ] Test tokens for meaning
* [ ] Test tokens for predictability
* [ ] Insecure transmission of tokens
* [ ] Disclosure of tokens in logs
* [ ] Mapping of tokens to sessions
* [ ] Session termination
* [ ] Session fixation
* [ ] [Cross-site request forgery](../enumeration/web/csrf.md)
* [ ] Cookie scope
* [ ] Decode cookie (Base64, hex, URL, etc.)
* [ ] Cookie expiration time
* [ ] Check HttpOnly and Secure flags
* [ ] Use the same cookie from a different effective IP address or system
* [ ] Access controls
* [ ] Effectiveness of controls using multiple accounts
* [ ] Insecure access control methods (request parameters, Referer header, etc.)
* [ ] Check for concurrent login from different machines/IPs
* [ ] Bypass [anti-CSRF](../enumeration/web/csrf.md#csrf-token-bypass) tokens

### Profile/Account details

* [ ] Find a parameter carrying the user ID and try to tamper with it in order to get the details of other users
* [ ] Create a list of features that pertain to a user account only and try CSRF on them
* [ ] Change the email ID to an email ID that already exists. Check whether it is validated on the server or not.
* [ ] Check any new email confirmation link, and what happens if the user doesn't confirm.
* [ ] File [upload](../enumeration/web/upload-bypasses.md): unsafe file upload, no antivirus, no size limit, file extension, filter bypass, [burp](https://github.com/portswigger/upload-scanner)
* [ ] CSV import/export: command injection, XSS, macro injection
* [ ] Check the profile picture URL and look for email ID/user info or EXIF geolocation data
* [ ] ImageTragick in profile picture upload
* [ ] [Metadata](https://github.com/exiftool/exiftool) of all downloadable files
* [ ] Account deletion option, then try to reactivate with the "Forgot password" feature
* [ ] Try brute-force enumeration when changing any unique user parameter
* [ ] Check whether the application requests re-authentication for sensitive operations
* [ ] Try parameter pollution to add two values for the same field

### Forgot password

* [ ] Invalidate session on logout and password reset
* [ ] Uniqueness of forgot-password reset link/code
* [ ] Reset link expiration time
* [ ] Find the user ID or other sensitive fields in the reset link and tamper with them
* [ ] Request two password reset links and use the older one
* [ ] Check whether many requests yield sequential tokens

## Input handling

* [ ] Fuzz all request parameters
* [ ] Identify all reflected data
* [ ] [Reflected XSS](../enumeration/web/xss.md)
* [ ] HTTP [header injection](../enumeration/web/header-injections.md) in GET & POST (X-Forwarded-Host)
* [ ] Arbitrary redirection
* [ ] Stored attacks
* [ ] OS command injection
* [ ] Path [traversal](../enumeration/web/lfi-rfi.md)
* [ ] Script injection
* [ ] File inclusion
* [ ] SMTP injection
* [ ] Native software flaws (buffer overflow, integer bugs, format strings)
* [ ] SOAP injection
* [ ] LDAP injection
* [ ] XPath injection
* [ ] [XXE](../enumeration/web/xxe.md) in any request; change Content-Type to text/xml
* [ ] Stored [XSS](../enumeration/web/xss.md)
* [ ] [SQL](../enumeration/web/sqli.md) injection
* [ ] [NoSQL](../enumeration/webservices/nosql-and-and-mongodb.md) injection
* [ ] HTTP Request [Smuggling](../enumeration/web/request-smuggling.md)
* [ ] [Open redirect](../enumeration/web/ssrf.md)
* [ ] [SSRF](../enumeration/web/ssrf.md) towards previously discovered open ports
* [ ] xmlrpc.php DoS and user enumeration
* [ ] Dangerous HTTP methods: OPTIONS, PUT, DELETE

### Error handling

* [ ] Access non-existent pages like /whatever_fake.php (.aspx, .html, etc.)
* [ ] Add multiple parameters in GET and POST requests using different values
* [ ] Add `[]`, `]]` and `[[` in cookie values and parameter values to create errors
* [ ] Generate errors by appending `/~randomthing/%s` to the end of the URL
* [ ] Use the Burp Intruder "Fuzzing Full" list as input to generate error codes
* [ ] Try different HTTP verbs like PATCH or DEBUG, or invalid ones like FAKE

## Application Logic

* [ ] Identify the logic attack surface
* [ ] Test transmission of data via the client
* [ ] Test for reliance on client-side input validation
* [ ] Thick-client components (Java, ActiveX, Flash)
* [ ] Multi-stage processes for logic flaws
* [ ] Handling of incomplete input
* [ ] Trust boundaries
* [ ] Transaction logic
* [ ] Check that CAPTCHA is implemented in email forms to avoid flooding
* [ ] Tamper with product ID, price or quantity value in any action (add, modify, delete, place, pay...)
* [ ] Tamper with gift or discount codes
* [ ] Reuse gift codes
* [ ] Try parameter pollution to use a gift code twice in the same request
* [ ] Try stored XSS in non-limited fields like address
* [ ] Check in the payment form whether CVV and card number are in clear text or masked
* [ ] Check whether payment is processed by the app itself or sent to third parties
* [ ] IDOR on other users' ticket/cart/shipment details
* [ ] Check PRINT or PDF creation for IDOR
* [ ] Check the unsubscribe button for user enumeration
* [ ] Parameter pollution on social media sharing links
* [ ] CORS ([corsy](https://github.com/s0md3v/Corsy))
* [ ] Change sensitive POST requests to GET

## Other checks

### Hosting

* [ ] Segregation in shared infrastructures
* [ ] Segregation between ASP-hosted applications
* [ ] Web server vulnerabilities
* [ ] Dangerous HTTP methods
* [ ] Proxy functionality
* [ ] [Virtual](../enumeration/webservices/vhosts.md) hosting misconfiguration
* [ ] Check for internal numeric IPs in requests
* [ ] Check for external numeric IPs and resolve them
* [ ] References to [cloud](../enumeration/cloud/cloud-info-recon.md) assets

### CAPTCHA

* [ ] Send an old captcha value
* [ ] Send an old captcha value with the old session ID
* [ ] Request the captcha by absolute path, like www.url.com/captcha/1.png
* [ ] Remove the captcha with any adblocker and request again
* [ ] Bypass with an OCR tool

### Headers

* [ ] X-XSS-Protection
* [ ] Strict-Transport-Security
* [ ] Content-Security-Policy
* [ ] Public-Key-Pins
* [ ] X-Frame-Options
* [ ] X-Content-Type-Options
* [ ] Referrer-Policy
* [ ] Cache-Control
* [ ] Expires
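The two checks that recur across this list, "Check HttpOnly and Secure flags" under Session and the hardening headers under Headers, are the kind of thing worth automating once per engagement so the report is consistent. The script below is an added example, not part of the original checklist or any tool it links to: it parses a captured HTTP/1.1 response (the sample response, the table of expected headers and the "no-store" requirement for Cache-Control are constructed assumptions; adjust them to the target's policy) and reports missing headers, headers present with weak values, and Set-Cookie lines lacking Secure, HttpOnly or SameSite. The deprecated entries from the list (X-XSS-Protection, Public-Key-Pins) are deliberately not required.

```python
"""Audit a captured HTTP response for missing hardening headers and cookie flags."""
from dataclasses import dataclass

# Expected headers and a minimal "is this value sane" check for each.
# Constructed for this example; tighten per target policy. Deprecated headers
# on the checklist (X-XSS-Protection, Public-Key-Pins) are intentionally absent.
EXPECTED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
    # Assumption: responses carrying session data should not be cached at all.
    "cache-control": lambda v: "no-store" in v.lower(),
}

# Flags every session cookie should carry (attribute names compared case-insensitively).
REQUIRED_COOKIE_FLAGS = ("secure", "httponly", "samesite")


@dataclass
class AuditResult:
    missing_headers: list   # expected header names not present at all
    weak_headers: list      # present, but failing the sanity check
    cookie_findings: dict   # cookie name -> list of missing flags


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_line, [(name_lower, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookie(set_cookie: str):
    """Return (cookie_name, [missing flags]) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names only; SameSite=Lax and SameSite=Strict both count as present.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [flag for flag in REQUIRED_COOKIE_FLAGS if flag not in attrs]
    return name, missing


def audit_response(raw: str) -> AuditResult:
    """Run the header and cookie checks over one raw response."""
    _status, headers = parse_response(raw)
    present = {}
    cookies = {}
    for name, value in headers:
        if name == "set-cookie":          # may repeat; audit each cookie separately
            cname, missing = audit_cookie(value)
            cookies[cname] = missing
        else:
            present.setdefault(name, value)
    missing = [h for h in EXPECTED_HEADERS if h not in present]
    weak = [h for h, ok in EXPECTED_HEADERS.items() if h in present and not ok(present[h])]
    return AuditResult(missing, weak, cookies)


# Constructed sample response: one weak header, one under-flagged session cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    result = audit_response(SAMPLE_RESPONSE)
    for h in result.missing_headers:
        print(f"MISSING  {h}")
    for h in result.weak_headers:
        print(f"WEAK     {h}")
    for cookie, flags in result.cookie_findings.items():
        if flags:
            print(f"COOKIE   {cookie}: missing {', '.join(flags)}")
```

Feed it the raw response saved from a proxy (for example Burp's "copy to file") rather than re-requesting the page, so the audit reflects exactly what was observed; comparing results across authenticated and unauthenticated responses often shows that the hardening headers are set by the framework on static pages but dropped on dynamic ones.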