Web-App Checklist Pentest
This checklist is focused on pen-testing (dynamic assessment) of web applications, although most of the items can also be assessed by code auditing.
The checklist is based on the OWASP Testing Guide v4. Items that are not directly useful for finding security vulnerabilities are excluded because they describe a process (e.g. using a proxy), cover high-level concepts (e.g. persistent attacks), or depend on subjective judgement (e.g. weak passwords or security questions).

Checklist - Simple

Input Validation

    Reflected XSS
    Stored XSS
    VERB tampering
    HTTP Parameter pollution
    SQL/ORM Injection
    LDAP injection
    XML External Entity(XXE)
    Server-Side Includes(SSI)
    XPath injection
    Local/Remote File Inclusion
    Command injection
    Buffer overflow
    HTTP response splitting

Session Management

    Bypass session management schema
    Cookies attributes
    Session Fixation
    Exposed Session Variables
    CSRF
    Logout functionality
    Session Timeout
    Session puzzling

Authentication

    Credentials transport over an encrypted channel
    Default credentials
    Weak lock out mechanism
    Bypassing authentication schema(direct page request)
    Bypassing authentication schema(parameter modification)
    Bypassing authentication schema(sql injection)
    Vulnerable remember password
    password reset functionalities
    Weaker authN in alternative channel
    User enumeration

Authorization

    Path Traversal
    bypassing authorization schema
    Privilege escalation
    IDOR(Insecure Direct Object Reference)

Client Attack

    DOM XSS
    HTML Injection
    Open redirect
    CSS Injection
    Client Side Resource Manipulation
    Cross Origin Resource Sharing
    Cross Site Flashing
    Clickjacking
    websocket
    web messaging
    Local Storage

Configuration Management

    SSL/TLS
    Known platform vulnerabilities
    Files with sensitive information
    Errors with sensitive information

Business Logic

    Business logic data validation
    Upload of Malicious Files

Checklist - Verbose

Input Validation

    Reflected XSS: Check if HTML/script tags are reflected in the response
    Stored XSS: Check if HTML/script tags can be stored and viewed later when the page is requested
    VERB Tampering: Check if methods other than GET and POST (e.g. HEAD, PUT, DELETE, TRACE or an arbitrary verb) are accepted, and whether an access control that is only enforced for GET/POST can be bypassed with another method
    HTTP Parameter pollution: Check if the target responds in any unexpected ways when supplying multiple parameters of the same name
    SQL/ORM Injection: Check if user input requests can manipulate the SQL queries in the backend
    LDAP Injection: Check if LDAP filter metacharacters (e.g. *, (, ), |) in user input change the query and return entries the user should not see
    XXE: Check if sensitive information can be retrieved via XXE if the target allows XML input
    SSI: Check if SSI directives can be injected
    XPath Injection: Check if user input requests can manipulate the XPath queries
    File Inclusion: (mostly PHP) Test if file-path parameters can be made to include local files (e.g. via ../ sequences) or remote URLs
    Command Injection: Check if OS commands can be run via user input parameters (e.g. by appending ; or | followed by a harmless command)
    Buffer overflow: Check if long values in headers or parameters cause a crash or unexpected error in the backend
    HTTP response splitting: Check if CR/LF (%0d%0a) in user input that ends up in a response header lets you inject additional headers or a second response
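For the reflected and stored XSS items, the first question is not "does my payload pop an alert" but "which special characters come back unencoded, and in what context". The helper below is an added example, not part of the original checklist: you submit the CANARY value in a parameter, then feed the response body to find_reflections(), which reports each reflection's context (HTML text, inside a tag, inside a script) and which of the characters an XSS payload needs survived. The sample response, the canary string and the context heuristic are constructed for this example.

```python
import re

# Characters an XSS payload needs; each is wrapped in a unique canary so the
# reflection can be found and its surviving characters inspected.
SPECIAL = '<>"\'&/'
CANARY_ID = "zq7x"
CANARY = f"{CANARY_ID}{SPECIAL}{CANARY_ID}"   # submit this as the parameter value

# Constructed sample response: three reflections of the same input in three contexts.
SAMPLE_RESPONSE = (
    "<html><body>\n"
    "<p>Results for: zq7x&lt;&gt;&quot;&#x27;&amp;/zq7x</p>\n"        # HTML-encoded: safe
    '<input type="text" value="zq7x<>"\'&/zq7x">\n'                   # raw inside an attribute
    "<script>var q = 'zq7x<>\"\\'&/zq7x';</script>\n"                 # only quotes backslash-escaped
    "</body></html>\n"
)


def classify_context(body, pos):
    """Rough context of a reflection at offset pos: script, tag/attribute, or HTML text."""
    before = body[:pos].lower()
    if before.rfind("<script") > before.rfind("</script"):
        return "script"
    if before.rfind("<") > before.rfind(">"):
        return "attribute"
    return "html"


def surviving_specials(inner):
    """Which of SPECIAL came back unencoded between the two canary markers."""
    out = []
    for c in SPECIAL:
        if c == "&":
            # a bare ampersand, not the start of an entity such as &amp; or &#x27;
            if re.search(r"&(?![a-zA-Z]+;|#x?[0-9a-fA-F]+;)", inner):
                out.append(c)
        elif c in "\"'":
            # a quote preceded by a backslash is escaped (JS-string style), not raw
            if re.search(r"(?<!\\)" + re.escape(c), inner):
                out.append(c)
        elif c in inner:
            out.append(c)
    return out


def find_reflections(body, canary_id=CANARY_ID):
    """Locate every reflection of the canary and report context plus raw characters."""
    pattern = re.compile(re.escape(canary_id) + r"(.*?)" + re.escape(canary_id), re.S)
    findings = []
    for m in pattern.finditer(body):
        findings.append({
            "offset": m.start(),
            "context": classify_context(body, m.start()),
            "unencoded": surviving_specials(m.group(1)),
        })
    return findings


def likely_exploitable(finding):
    """Does the surviving character set allow breaking out of the context?"""
    ctx, raw = finding["context"], set(finding["unencoded"])
    if ctx == "html":
        return "<" in raw and ">" in raw              # can open a new tag
    if ctx == "attribute":
        return bool(raw & {'"', "'"}) or "<" in raw   # close the attribute, or the tag
    if ctx == "script":
        return bool(raw & {'"', "'", "<"})            # break the string, or </script>
    return False


if __name__ == "__main__":
    for f in find_reflections(SAMPLE_RESPONSE):
        print(f["context"], f["unencoded"], "likely" if likely_exploitable(f) else "encoded")
```

The same helper serves the stored XSS item: submit the canary, then run find_reflections() over every page where the value is displayed later. The context heuristic is deliberately crude (it does not parse HTML), so treat "likely" as a prompt to try a context-specific payload by hand rather than as a confirmed finding.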

Session Management

    Bypass session management schema: Check if the session token can be forged, guessed or replayed (e.g. predictable or low-entropy IDs, tokens accepted from unexpected locations, old tokens still valid)
    Cookies attributes: Check whether session cookies set the following attributes: HttpOnly, Secure, SameSite; also check whether Domain and Path are scoped more widely than needed
    Session Fixation: Check if the session ID issued before login is kept after login, and if a token chosen by the client (not generated by the server) is accepted and later treated as authenticated
    Exposed Session Variables: Check if sensitive information(e.g. session ID) is sent in the GET requests(e.g. In the query string)
    CSRF (Cross-Site Request Forgery): Check if state-changing requests are accepted without an anti-CSRF token or origin check, so that they can be replayed from another site while a user is logged in
    Logout functionality: Check if the session is still valid on the server after logout (replay a request with the old session ID)
    Session Timeout: Check if the session is still valid after the required idle or absolute timeout has passed
    Session puzzling: Check if session variables are used in multiple locations and they can be used in unexpected ways
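The cookie-attribute and session-fixation items are easy to check by hand once, but tedious across many hosts, so here is an added example (not from the original checklist) that does both from captured headers: audit_headers() parses a list of Set-Cookie headers and lists missing attributes on any cookie whose name looks like a session or token, and fixation_check() compares the cookie values seen before and after login and names those that did not rotate. The header strings, the SESSION_HINTS name heuristic and the cookie names are constructed for the example.

```python
# Names that suggest a cookie carries session state or an auth token (heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "jwt")

# Constructed Set-Cookie headers as a login response might return them.
SAMPLE_SET_COOKIE = [
    "SESSIONID=8f3a9c1e; Path=/; HttpOnly; Secure; SameSite=Lax",
    "auth_token=tok_9f1e2d; Path=/; Expires=Wed, 09 Jun 2027 10:18:14 GMT",
    "theme=dark; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True   # flag attributes map to True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session(name):
    return any(h in name.lower() for h in SESSION_HINTS)


def audit_cookie(cookie):
    """Attribute checks a session cookie should pass; returns the list of failures."""
    a, issues = cookie["attrs"], []
    if "httponly" not in a:
        issues.append("missing HttpOnly")
    if "secure" not in a:
        issues.append("missing Secure")
    samesite = a.get("samesite")
    if samesite in (None, True):
        issues.append("missing SameSite")
    elif samesite.lower() == "none" and "secure" not in a:
        issues.append("SameSite=None without Secure")      # browsers reject this combination
    if "expires" in a or "max-age" in a:
        issues.append("persistent (Expires/Max-Age set)")  # survives browser close
    return issues


def audit_headers(set_cookie_headers):
    """Audit every session-looking cookie in a list of Set-Cookie headers."""
    report = {}
    for h in set_cookie_headers:
        c = parse_set_cookie(h)
        if looks_like_session(c["name"]):
            report[c["name"]] = audit_cookie(c)
    return report


def fixation_check(before_login, after_login):
    """before_login / after_login: cookie name -> value seen in the same browser
    before and after authenticating. A session cookie that keeps its pre-login
    value is a fixation candidate: an attacker who planted that value would
    share the authenticated session."""
    return sorted(
        name for name, value in before_login.items()
        if looks_like_session(name) and after_login.get(name) == value
    )


if __name__ == "__main__":
    for name, issues in audit_headers(SAMPLE_SET_COOKIE).items():
        print(name, issues or "ok")
    print(fixation_check({"SESSIONID": "8f3a9c1e"}, {"SESSIONID": "8f3a9c1e"}))
```

For the fixation check, capture the cookie jar once on first visit, log in, and capture again; a name reported by fixation_check() then needs the second half of the test (set an arbitrary value before login and see whether it is kept), which this helper does not do for you.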

Authentication

    Credentials transport over an encrypted channel: Check if the login page or the request carrying the credentials can be served or submitted over plain HTTP, and whether any other sensitive data is accessible via HTTP
    Default credentials: Check if the application can be accessed with default username/password
    Weak lock out mechanism: (only if brute force prevention matters) Check if the lock out mechanism to prevent brute-force attack is properly implemented
    Bypassing authentication schema(direct page request): Check if authentication can be bypassed by direct page request
    Bypassing authentication schema(parameter modification): Check if authentication can be bypassed by parameter modification
    Bypassing authentication schema(sql injection): Check if authentication can be bypassed by SQL injection
    Vulnerable remember password: Check if the password is stored in plaintext in a cookie or local storage, and examine the hashing mechanism if it is hashed. Verify that the credentials are only sent during the login phase and not together with every request to the application
    Test for password reset functionalities: Check if a user can reset other users' password
    Weaker authN in alternative channel: Test in mobile pages, different languages, partner websites
    User enumeration: Check if the server's responses are the same between when log-ins are requested as an existing user and as a non-existent user
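User enumeration rarely shows up as a different status code; it hides in a slightly different message, a different redirect target, or a timing gap because the password hash is only computed for accounts that exist. The example below is added here and is not from the original checklist: compare() takes the responses to a wrong-password login for a known user and for a non-existent user and reports every signal that differs, after stripping per-request noise (CSRF tokens, timestamps, UUIDs) that would otherwise fake a difference. The sample responses, timings and NOISE patterns are constructed for the example.

```python
import re
from difflib import SequenceMatcher
from statistics import median

# Per-request noise that would mask, or fake, a difference between two responses.
NOISE = [
    (re.compile(r'name="csrf_token" value="[^"]*"'), 'name="csrf_token" value="X"'),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}\S*"), "TIMESTAMP"),
    (re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b"), "UUID"),
]
TIMING_THRESHOLD = 0.1   # seconds between medians before timing counts as a signal


def normalize(body):
    for pattern, replacement in NOISE:
        body = pattern.sub(replacement, body)
    return body


def compare(existing, missing):
    """existing / missing: login attempts with a wrong password for a valid username
    and for one that does not exist. Each is a dict with status, headers, body and a
    list of elapsed times (repeat each request several times and compare medians;
    a single timing sample says nothing). Returns every signal that differs."""
    signals = {}
    if existing["status"] != missing["status"]:
        signals["status"] = (existing["status"], missing["status"])
    header_names = set(existing["headers"]) ^ set(missing["headers"])
    if header_names:
        signals["headers"] = sorted(header_names)       # e.g. Set-Cookie only for valid users
    loc = (existing["headers"].get("Location"), missing["headers"].get("Location"))
    if None not in loc and loc[0] != loc[1]:
        signals["location"] = loc                         # e.g. ?err=badpass vs ?err=nouser
    a, b = normalize(existing["body"]), normalize(missing["body"])
    if a != b:
        sm = SequenceMatcher(None, a, b)
        signals["body"] = [(a[i1:i2], b[j1:j2])
                           for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]
    delta = median(existing["elapsed"]) - median(missing["elapsed"])
    if abs(delta) > TIMING_THRESHOLD:
        signals["timing"] = round(delta, 3)
    return signals


def sample(status, body, elapsed, headers=None):
    return {"status": status, "headers": headers or {"Content-Type": "text/html"},
            "body": body, "elapsed": elapsed}


# Constructed responses. Leaky target: the message names the user, and the password
# hash is only computed when the account exists, so the valid user is slower.
LEAKY_EXISTING = sample(200, '<form><input name="csrf_token" value="a1b2c3"></form>'
                             '<p>Wrong password for alice</p>', [0.31, 0.30, 0.33])
LEAKY_MISSING = sample(200, '<form><input name="csrf_token" value="d4e5f6"></form>'
                            '<p>Invalid username or password</p>', [0.05, 0.06, 0.05])
# Hardened target: one generic message, same work on both paths; only the token rotates.
FIXED_EXISTING = sample(200, '<form><input name="csrf_token" value="111111"></form>'
                             '<p>Invalid username or password</p>', [0.30, 0.31, 0.29])
FIXED_MISSING = sample(200, '<form><input name="csrf_token" value="222222"></form>'
                            '<p>Invalid username or password</p>', [0.31, 0.30, 0.30])

if __name__ == "__main__":
    print("leaky:", compare(LEAKY_EXISTING, LEAKY_MISSING))
    print("fixed:", compare(FIXED_EXISTING, FIXED_MISSING))
```

The same comparison applies to the password-reset and registration forms, which are the usual places a "user does not exist" message leaks even when the login form is generic. Extend NOISE with whatever else the target rotates per request before trusting a body difference.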

Authorization

    Path Traversal: Check if restricted files can be accessed via '../' by testing file-operation related parameters
    bypassing authorization schema: Check if a user can access other users' information or functions by requesting them directly
    Privilege escalation: Check if a normal user can perform admin functions (e.g. by requesting admin URLs directly or changing a role parameter)
    IDOR (Insecure Direct Object Reference): Check if a user can read or modify another user's objects by changing an identifier (e.g. a numeric ID or filename) in a request
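The three items above (authorization bypass, privilege escalation, IDOR) are one test in practice: an access matrix of roles against endpoints, compared with what each role is supposed to be allowed. The harness below is an added example rather than part of the original checklist. It needs only a send(role, method, path) callable that returns the HTTP status; mock_send is a constructed stand-in for the target with a deliberate IDOR (profile reads check login but not ownership), and the endpoint paths, role names and EXPECTED table are all hypothetical.

```python
# Role-by-endpoint access matrix. The harness needs only send(role, method, path)
# returning an HTTP status, so in a real test it can be backed by one
# authenticated requests.Session per role (hypothetical: sessions[role]).

ENDPOINTS = [
    ("GET", "/api/users/1001/profile"),    # object owned by alice
    ("GET", "/api/users/1002/profile"),    # object owned by bob: IDOR if alice can read it
    ("DELETE", "/api/users/1002"),         # admin-only function
    ("GET", "/admin/reports"),             # admin-only page
]

# What each role is supposed to be allowed to do (from the spec or the UI).
EXPECTED = {
    "anonymous": set(),
    "alice": {("GET", "/api/users/1001/profile")},
    "admin": set(ENDPOINTS),
}

DENIED = {401, 403, 404}   # any other status is treated as the action having gone through


def mock_send(role, method, path):
    """Constructed stand-in for the target, deliberately vulnerable: profile reads
    require a login but never check that the caller owns the profile."""
    if role == "anonymous":
        return 401
    if path.startswith("/admin/") or method == "DELETE":
        return 200 if role == "admin" else 403
    if path.startswith("/api/users/") and path.endswith("/profile"):
        return 200
    return 404


def run_matrix(send, roles, endpoints):
    """Observed status for every (role, endpoint) pair."""
    return {role: {ep: send(role, *ep) for ep in endpoints} for role in roles}


def violations(matrix, expected):
    """Pairs where the observed status disagrees with the expected permission.
    'unexpected access' is the security finding (horizontal or vertical escalation);
    'unexpected denial' is usually a functional or test-setup bug but worth listing."""
    out = []
    for role, results in matrix.items():
        for (method, path), status in results.items():
            permitted = status not in DENIED
            should_be = (method, path) in expected[role]
            if permitted and not should_be:
                out.append(("unexpected access", role, method, path, status))
            elif not permitted and should_be:
                out.append(("unexpected denial", role, method, path, status))
    return out


if __name__ == "__main__":
    matrix = run_matrix(mock_send, ["anonymous", "alice", "admin"], ENDPOINTS)
    for v in violations(matrix, EXPECTED):
        print(*v)
```

A 200 with an empty or error body is still a 200 here, so in a real run it pays to also record response length or a body fingerprint per cell: some applications "deny" with a 200 and a generic page, and some leak with a 403 that still contains the object.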

Client Attack

    DOM XSS: Check if XSS is possible in the client side(e.g. In Javascript code, jquery, Angularjs, etc.)
    HTML Injection: Check if any user input is reflected in the HTML code
    Open redirect: Check if a user-controlled parameter (e.g. a return URL) can redirect the user to an arbitrary external site
    CSS Injection: Check where CSS is built dynamically and whether user input can alter it
    Client Side Resource Manipulation: Part of DOM XSS. Check whether user-controlled data (mainly location.hash) is used as the source of a script, iframe, form action or other resource
    Cross Origin Resource Sharing: Check if Access-Control-Allow-Origin is '*', or if the Origin header is reflected (especially together with Access-Control-Allow-Credentials: true). Check if requests from an origin other than those allowed are still processed
    Cross Site Flashing: (only if flash/actionscript is available) Check if external data can be input via user input parameters
    Clickjacking: Check that the response carries an X-Frame-Options header (or a Content-Security-Policy frame-ancestors directive) on pages that perform sensitive actions
    websocket: (only if websocket is available) Check whether the handshake validates the Origin header, whether the socket is authenticated, and whether messages are validated and encoded like any other input
    web messaging (only if web messaging is available): Check how the target is restricting messages from untrusted domain and how the data is handled even for trusted domains.
    Local Storage: Review local storage in the browser and check if sensitive information is stored esp. in plaintext
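A wildcard Access-Control-Allow-Origin is the obvious CORS finding, but the dangerous one is an origin that is reflected together with Access-Control-Allow-Credentials: true because the server's origin check is a prefix, suffix or substring match. The added example below (not part of the original checklist) generates the Origin values a tester would send for a target and classifies what each response grants; vulnerable_policy and hardened_policy are constructed stand-ins for the server so the example runs offline, and the host names and ALLOWED_ORIGINS are hypothetical.

```python
from urllib.parse import urlparse


def probe_origins(target):
    """Origins worth sending in the Origin header against target (an https URL).
    Each targets a common mistake in origin validation."""
    host = urlparse(target).hostname
    return [
        "https://attacker.example",                  # arbitrary: catches reflect-anything
        f"https://{host}.attacker.example",          # prefix match / startswith()
        f"https://evil{host}",                       # suffix match / endswith()
        f"https://sub.{host}",                       # unintended subdomain trust
        f"http://{host}",                            # scheme downgrade of a trusted host
        "null",                                      # sandboxed iframes and file:// pages
    ]


def classify(origin_sent, response_headers):
    """What the response's CORS headers grant to the origin that was sent."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    with_creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "no CORS"
    if acao == "*":
        return "wildcard"   # readable by any origin, but browsers refuse to send credentials with *
    if acao == origin_sent:
        return "reflected origin with credentials" if with_creds else "reflected origin"
    if acao == "null" and with_creds:
        return "null origin trusted with credentials"
    return "fixed allowlist"


def assess(target, respond):
    """respond(origin) -> response headers; in a real test this wraps an HTTP
    request to the target carrying that Origin header."""
    return [(o, classify(o, respond(o))) for o in probe_origins(target)]


# Constructed stand-ins for the server's policy.
def vulnerable_policy(origin):
    """endswith() was meant to allow subdomains of example.com; it also allows
    evilapp.example.com and any http:// origin on the real host."""
    if origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


ALLOWED_ORIGINS = {"https://app.example.com", "https://www.example.com"}


def hardened_policy(origin):
    """Exact-match allowlist; the origin is still echoed (required with credentials),
    and Vary: Origin keeps caches from serving one origin's answer to another."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    for origin, verdict in assess("https://app.example.com", vulnerable_policy):
        print(f"{origin:45} {verdict}")
```

A "reflected origin with credentials" verdict for sub.<host> may be intended, but it still means an XSS on any subdomain reads the API with the victim's cookies, which is worth stating in the report.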

Configuration Management

    SSL/TLS: Check if SSL/TLS is mis-configured. Tools such as sslscan can be used.
    Known platform vulnerabilities: (if testing a running instance) Check if known vulnerabilities exist for the infrastructure and application platform versions in use
    Files with sensitive information: Check if default files, old files or backup files expose sensitive information
    Errors with sensitive information: Check if error messages contain sensitive information (e.g. private information, stack trace)

Business Logic

    Business logic data validation: Check if logically invalid data is properly handled
    Upload of Malicious Files: Find where file uploading is possible and check if a file with a restricted extension (or a permitted extension with unexpected content) can be uploaded, and whether it is then served from a location where it would be executed
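Upload filters usually fail in the same handful of ways: a case-sensitive blocklist, a check on the last extension only, a trailing dot or NUL byte that the filesystem strips, or an extension the blocklist forgot. The added example below (not from the original checklist) puts a deliberately weak filter next to a hardened allowlist and runs the usual bypass names through both, and adds a magic-byte check because the extension alone says nothing about the content. The filenames, the BLOCKED/ALLOWED sets and the MAGIC table are constructed for this example.

```python
BLOCKED = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".exe"}
ALLOWED = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8", ".pdf": b"%PDF-"}


def vulnerable_check(filename):
    """Deliberately weak, as found in many upload handlers: a case-sensitive
    blocklist applied to whatever follows the last dot."""
    ext = filename[filename.rfind("."):] if "." in filename else ""
    return ext not in BLOCKED


def hardened_check(filename):
    """Allowlist over every extension in the name, after normalising the name
    the way the filesystem or web server would."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]    # drop any path component
    if not name or any(ord(c) < 32 for c in name):            # NUL and other control bytes
        return False
    name = name.lower().rstrip(". ")                           # Windows strips trailing dot/space
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:                         # no extension, or dotfile (.htaccess)
        return False
    return all("." + p in ALLOWED for p in parts[1:])          # shell.php.png: php is rejected


def content_matches(filename, data):
    """The extension check is not enough: the bytes must start with that type's signature."""
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    signature = MAGIC.get(ext)
    return signature is not None and data.startswith(signature)


# Constructed names a tester would try against an extension blocklist.
BYPASS_NAMES = ["shell.PHP", "shell.php.", "shell.php\x00.png",
                "shell.php5", "shell.php.png", ".htaccess"]


def compare_filters(names):
    """name -> (vulnerable filter verdict, hardened filter verdict); True means accepted."""
    return {n: (vulnerable_check(n), hardened_check(n)) for n in names}


if __name__ == "__main__":
    for name, (weak, hard) in compare_filters(BYPASS_NAMES + ["image.png"]).items():
        print(f"{name!r:24} blocklist={weak}  allowlist={hard}")
    print(content_matches("image.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"))
    print(content_matches("image.png", b"<?php system($_GET['c']); ?>"))
```

Even with both checks passing, the test is not finished until you know where the file is stored and how it is served: a PNG with a PHP payload in a comment is harmless until a misconfigured handler executes it, and an SVG or HTML file served inline from the application's origin is a stored XSS regardless of its extension.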