Web Application Penetration Testing Checklist

1
WEB APPLICATION
PENETRATION TESTING CHECKLIST
2
Reconnaissance Phase
Test Name Test Case Result
Identify Web Server, Technologies, Verify that the website is hosted on an HTTP server, front-end technologies, and back-end with PostgreSQL database.
ASN (Autonomous System Number) IP Space Enumeration and Service Enumeration Ensure the enumeration tools accuracy in obtaining ASNs, identifying IP addresses within a specified range, and detecting open ports and services on a target IP address.
Google Dorking Ensure that the Google Dorking technique effectively retrieves sensitive information from public internet search engine results.
Directory Enumeration Ensure that the directory enumeration process accurately identifies and lists directories and files within a specified web server directory.
Reverse Lookup Ensure that the reverse lookup functionality accurately maps IP addresses to domain names.
JS Files Analysis Confirm that the JS files analysis function accurately identifies vulnerabilities and security issues in JavaScript files.
Bruteforcing Confirm that the subdomain enumeration and brute-forcing functionality accurately discover subdomains associated with the target domain
Port Scanning Verify that the port scanning tool correctly identifies open ports on a target IP address or network.

www.infosectrain.com
3
Registration Feature Testing
Test Name Test Case Result
Duplicate Registration/Overwrite Existing User Verify that the registration process prevents duplicate registration and overwriting of existing user accounts.
Weak Password Policy Confirm that the registration process enforces a strong password policy.
Reuse of Existing Usernames Ensure that the registration process prevents the reuse of the existing usernames.
Insufficient Email Verification Process Verify that the email verification process adequately verifies user email addresses.
Weak Registration Implementation - Allows Disposable Email Addresses Confirm that the registration process does not allow registration with disposable email addresses.
Weak Registration Implementation- Over HTTP Verify that the registration process is securely implemented and does not allow registration over an unencrypted HTTP connection.
Confirm that the registration process does not allow specially crafted usernames that could potentially overwrite or manipulate default web application pages.
www.infosectrain.com
4
Session Management Testing
Test Name Test Case Result
Decode Cookies Using Standard Decoding Algorithms Verify that cookies can be successfully decoded using standard decoding algorithms.
Modify CookieSession Token Value Verify if the application correctly handles slight modifications to session cookie token values.
Test Self-Registration with Similar Usernames Check if the application handles self-registration with usernames containing small variations.
Check Session Cookies and Cookie Expiration Date/Time Verify that session cookies have appropriate expiration settings.
Identify Cookie Domain Scope Ensure that session cookies are scoped to the appropriate domain.
Check for HttpOnly Flag in Cookie Confirm that session cookies are marked with the HttpOnly flag.
Check for Secure Flag in Cookie Ensure that session cookies are marked with the Secure flag if the application is served over SSL.
www.infosectrain.com
5
Authentication Testing
Test Name Test Case Result
Username Enumeration Verify that the system does not allow username enumeration.
Bypass Authentication using SQL Injections Test for bypassing authentication using various SQL injections on the username and password fields.
Lack of Password Confirmation Confirm that the system enforces password confirmation when changing email addresses and passwords and managing 2FA.
Access Violation without Authentication Check if using resources without authentication is possible, leading to access violations.
SSL Transmission of User Credentials Confirm that user credentials are transmitted over SSL.
OAuth Login Functionality Check OAuth login functionality, including roles and potential security vulnerabilities.
Two-Factor Authentication Misconfiguration Check the misconfiguration of two-factor authentication for response manipulation, status codes, code leakage, reusability, brute-force protection, integrity validation, and null values.
www.infosectrain.com
6
Post Login Testing
Test Name Test Case Result
Active Account User ID and Tampering Attempt Identify a parameter in the application that uses the active account user ID and attempts tampering to change the details of other accounts
Enumerate Features Specific to a User Account and Conduct CSRF Testing Create a list of features specific to a user account and test for Cross-Site Request Forgery (CSRF) vulnerabilities.
Change Email and Confirm Server-Side Validation Ensure if changing the email address is validated on the server side and whether the application sends email confirmation links to new users.
Verify Account Deletion Option with Forgot Password Feature Verify the account deletion option and confirm it via the forgot password feature.
Change Email, Account ID, and User ID Parameters for Brute Force Change the email, account ID, and user ID parameters and attempt brute force attacks on other users passwords.
www.infosectrain.com
7
Forgot Password Testing
Test Name Test Case Result
Failure to Expire Sessions Upon Logout and Password Reset Ensure the session is invalidated on logout and password reset.
Check if Forgot Password Reset Link/Code Uniqueness Ensure the uniqueness of the password reset link/code.
Check Expiry of Password Reset Link Verify if the reset link expires if not used within a specific time frame.
Find User Account Identification Parameter and Attempt Tampering Identify the user account identification parameter and attempt to tamper with it to change another users password.
Check for Weak Password Policy Examine if password reset enforces a strong password policy.
Check if Active Session Gets Destroyed upon Changing the Password Verify if the active session is destroyed when changing the password.
www.infosectrain.com
8
Open Redirection Testing
Test Name Test Case Result
Test Common Injection Parameters Examine common injection parameters for potential vulnerabilities.
Change URL Parameter Values Examine if changing the URL parameter value redirects to the specified URL.
Test Single Slash and URL Encoding Ensure using a single slash and URL encoding in URL parameters.
Use Whitelisted Domain or Keyword Check if using a whitelisted domain or keyword in parameters bypasses filters.
Use // to Bypass HTTP Blacklisted Keyword Check if using // in parameters bypasses HTTP blacklisted keywords.
Use Null Byte (00) to Bypass Blacklist Filter Check if using a null byte (00) in parameters bypasses blacklist filters.
Use Symbol to Bypass Check if the symbol in parameters bypasses security filters.
www.infosectrain.com
9
Host Header Injection
Test Name Test Case Result
Supply an Arbitrary Host Header Check the applications handling of arbitrary host headers.
Check for Flawed Validation Verify if the application has flawed validation for Host headers.
Check Ambiguous Requests Send ambiguous requests with various Host header manipulations to observe the applications behavior.
Inject Host Override Headers Test the injection of host override headers to ensure that the application accepts and processes these headers.
www.infosectrain.com
10
SQL Injection Testing
Test Name Test Case Result
Entry Point Detection Identify vulnerable entry points for SQL injection.
Use SQLmap to Identify Vulnerable Parameters Ensure that SQLmap identifies parameters vulnerable to SQL injection.
Run the SQL Injection Scanner on All Requests Check if the SQL injection scanner identifies and reports any SQL injection vulnerabilities.
Bypassing Web Application Firewall (WAF) Ensure bypass techniques are effective against the WAF (Web Application Firewall).
Time Delays Verify the effectiveness of time delays for each database system.
Conditional Delays Evaluate the impact of conditional time delays for each database system.
Use Symbol to Bypass Check if the symbol in parameters bypasses security filters.
www.infosectrain.com
11
Cross-Site Scripting Testing
Test Name Test Case Result
Use HTML Tags if Script Tags Are Banned Check if the HTML tags are executed as XSS.
Reflect Output Inside JavaScript Variable Check if the output is reflected inside a JavaScript variable and if an alert payload can be used.
Upload JavaScript Using Image File Check if the JavaScript code is executed when the image is displayed.
Change Method From POST to GET Check if the payload is executed using the modified method from POST to GET can bypass filters.
Syntax Encoding Payload Check if the syntax-encoded payload is executed as XSS.
XSS Firewall Bypass Verify whether the employed XSS firewall bypass techniques effectively circumvent the XSS firewall.
www.infosectrain.com
12
CSRF Testing
Test Name Test Case Result
Validation of CSRF Token Confirm whether the CSRF token validation rejects a GET request when the validation process depends on the request method.
CSRF Token Presence Validation Check if the application only accept requests with a valid CSRF token.
The CSRF Token Is Independent of the User Session Check if the CSRF token is not associated with the users session and ensure it validate the CSRF token even after the user session has ended.
validate the CSRF token even after the user session has ended. Ensure that the application should validate the CSRF token when the non-session cookie is included.
Verify Referer Header Presence Ensure that application should only accept requests with a valid Referer header.
www.infosectrain.com
13
SSO Vulnerabilities
Test Name Test Case Result
FUZZ on the Internal System After SSO Redirect Conduct fuzzing on an internal system following redirection to the SSO system to identify vulnerabilities or misconfigurations within the internal system.
Craft SAML Request and Server Interaction Craft a SAML request with a token and analyze how the server processes the crafted SAML request.
Test for XML Signature Wrapping Vulnerabilities Check if the server is vulnerable to XML Signature Wrapping.
Inject XXE Payloads in SAML Response Check if the server processes the XXE payloads.
SSO for Takeover Assess the possibility of taking over the victims account.
SSRF Using Cookie Header URLs Check if SSRF can be achieved by modifying the IP in the Cookie header URLs.
www.infosectrain.com
14
XML Injection Testing
Test Name Test Case Result
Change Content Type for XML Injection Verify if the server is vulnerable to XML Injection.
Blind XXE with Out-of-Band Interaction Identifies if the server is vulnerable to Blind XXE attacks.
Errors Parsing Origin Headers Check if Cross-Origin Resource Sharing (CORS)-related errors can be triggered.
Whitelisted Null Origin Value Check if the server whitelists null Origin values.
Bypassing Filters Check if filters can be bypassed.
Cloud Instances Check if SSRF vulnerabilities can access cloud instance data.
www.infosectrain.com
15
File Upload Testing
Test Name Test Case Result
Null Byte (00) Bypass Check if null bytes can bypass upload restrictions.
Content-Type Bypass Check if content type manipulation can bypass restrictions.
Magic Byte Bypass Identify if magic byte manipulation can bypass upload checks.
Client-Side Validation Bypass Check if client-side validation can circumvent upload restrictions.
Blacklisted Extension Bypass Check if the application effectively enforces extension restrictions.
Homographic Character Bypass Check if homographic characters can bypass filters.
www.infosectrain.com
16
CAPTCHA Testing
Test Name Test Case Result
Missing Captcha Field Integrity Checks Verify if the application performs integrity checks on the Captcha field and rejects incomplete submissions.
HTTP Verb Manipulation Check if changing HTTP verbs impacts Captcha validation.
Reusable Captcha Check if Captchas are single-use or can be reused.
Server-Side Validation for CAPTCHA Check if the server performs proper Captcha validation independently.
OCR Image Recognition Check if OCR tools can successfully recognize Captcha content.
Absolute Path Retrieval Check if Captcha images are accessible via absolute paths.
www.infosectrain.com
17
JWT Token testing
Test Name Test Case Result
Brute-Forcing Secret Keys Check if the applications secret key is resistant to brute-force attacks.
Creating a Fresh Token Using the none Algorithm Verify if the application accepts or rejects tokens signed with the none algorithm.
Changing the Signing Algorithm of the Token Check how the application responds to changes in the signing algorithm.
Signing the Asymmetrically-Signed Token to Symmetric Algorithm Match Check if the application allows signing transitions from asymmetric to symmetric algorithms.
www.infosectrain.com
18
Websockets Testing
Test Name Test Case Result
Intercepting and Modifying WebSocket Messages Check intercept WebSocket messages and modify the content.
WebSockets Man-in-the-Middle (MITM) Attempts Perform a Man-in-the-Middle attack on WebSocket communication.
Test Secret Header WebSocket Check if the WebSocket implementation relies on secret headers for authentication.
Content Stealing in Websockets Check if access to sensitive data is transmitted via WebSocket.
Token Authentication Testing in Websockets Evaluate if the token-based authentication is secure.
www.infosectrain.com
19
GraphQL Vulnerabilities Testing
Test Name Test Case Result
Inconsistent Authorization Checks Identify instances where authorization checks are not consistently applied across different parts of the GraphQL schema.
Missing Validation of Custom Scalars Identifies any custom scalar types that do not have adequate validation for input values.
Failure to Appropriately Rate-Limit Evaluate whether rate-limiting is adequately enforced to prevent abuse or DoS attacks.
Introspection Query Enabled/Disabled Determine if the server allows introspection queries that can reveal schema details.
www.infosectrain.com
20
WordPress Common Vulnerabilities
Test Name Test Case Result
XSPA in WordPress Identify if there are any exposed services or ports that may be susceptible to XSPA.
Bruteforce in wp-login.php Check if the application effectively prevents or mitigates brute-force login attempts.
Information Disclosure WordPress Username Enumerate usernames and confirm if the application reveals valid usernames.
Backup File wp-config Exposed Ensure that backup files or sensitive configuration files are not accessible.
Log Files Exposed Confirm if log files containing sensitive data are improperly exposed to unauthorized users.
Denial of Service via load-styles.php Assess if the file can be abused to launch DoS attacks.
www.infosectrain.com
21
Denial of Service
Test Name Test Case Result
Cookie Bomb Check if the application can handle an excessive number of cookies effectively.
Pixel Flood (Using Image with Huge Pixels) Assess the application for vulnerabilities related to Pixel Flood attacks.
Frame Flood (Using GIF with Huge Frame) Check for the application for potential Frame Flood vulnerabilities.
ReDoS (Regex DoS) Assess if the application is susceptible to ReDoS attacks due to insecure regular expressions.
CPDoS (Cache Poisoned Denial of Service) Check if attackers can poison the applications cache to cause a DoS condition.
www.infosectrain.com
22
Security Headers Testing
Test Name Test Case Result
X Frame Options Header Testing Ensure the application has X-Frame-Options set to DENY or allow specific domains.
X-XSS-Protection Header Testing Verify the existence and settings of the X-XSS-Protection header.
HSTS Header Testing Evaluate the presence and configuration of the HTTP Strict Transport Security (HSTS) header.
CSP Header Testing Check the presence and configuration of the Content Security Policy (CSP) header.
Cache Control Header Testing Check for the presence and correct configuration of Cache Control headers.
www.infosectrain.com
23
Role Authorization Testing
Test Name Test Case Result
Access Control Testing Verify the applications access control by attempting to access high-privileged resources with normal user privileges.
Forced Browsing Testing Verify forced browsing attempts to access restricted or unlinked resources.
Insecure Direct Object Reference (IDOR) Testing Check for IDOR vulnerabilities by attempting to access objects and data outside of the authorized scope.
Parameter Tampering Testing Assess the applications vulnerability to parameter tampering for privilege escalation.
www.infosectrain.com
24
Blind OS Command Injection Testing
Test Name Test Case Result
Time Delays Check if the application prevents time-based command injection.
Output Redirection Conduct blind OS command injection with out-of-band interactions.
www.infosectrain.com
25
Broken Cryptography
Test Name Test Case Result
Cryptography Implementation Flaw Check for implementation flaws, such as hard-coded encryption keys, weak algorithms, or improper initialization vectors.
Encrypted Information Compromised Verify if sensitive information, even when encrypted, can be compromised due to data leaks, insecure key storage, or weak encryption.
Weak Ciphers Used for Encryption Identify encryption mechanisms in use and check if weak ciphers are employed.
www.infosectrain.com
26
Found this useful?
To Get More Insights Through our FREE Course
Workshops eBooks White Paper Checklists
Mock Tests Press the Icon
www.infosectrain.com