Web Application Penetration Checklist
This is a high-level checklist describing the approach to follow when testing a web application. It is generic and does not cover every test case that may apply to a given web app.
Fingerprinting Application:
· Identify known vulnerabilities in web/app servers.
· Generate Site Structure.
· Identify underlying web technology.
· Uncover HTTP services running on ports other than ports 80 and 443.
· Brute force subdomains with online tools and GitHub scripts.
· Identify any firewall/WAF in front of the application.
· Find sensitive keywords in HTML sources such as admin, HTTP, todo, redir, etc.
· Perform JavaScript recon (analyze the JS).
Network Testing:
· Test for Ping (ICMP echo packets).
· Test for zone transfer.
· Find all running services using Nmap.
· Perform Nessus scan.
· Test all common UDP ports and related issues.
Session Management Testing:
· Identify actual session cookies out of bulk cookies.
· Decode cookies using standard algorithms such as base64, hex, etc.
· Modify one character in the cookie token and resubmit; check whether the session still exists.
· Token leakage via the Referer header — untrusted 3rd party.
· Check the session cookie expiration time.
· Identify the cookie domain scope.
· Check the HttpOnly, Secure and SameSite flags.
· Compare the session cookie values before and after login.
· Replay the session cookie from a different public IP address and check whether the app maintains the session.
· Check concurrent login through different IPs.
· Check whether any user-related information is stored in the cookie value.
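A small helper for the cookie checks above (flags, lifetime, domain scope, and whether the value decodes to readable user data) that can be run over a captured Set-Cookie header. This is an added example, not part of the original checklist; the two headers are constructed samples.

```python
import base64

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def try_decode(value):
    """Decode as hex, then base64 (re-adding stripped padding); return text only if printable ASCII."""
    for decode in (bytes.fromhex, lambda v: base64.b64decode(v + "=" * (-len(v) % 4), validate=True)):
        try:
            text = decode(value).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
            continue
        if text.isprintable():
            return text
    return None

def audit_set_cookie(header, max_age_limit=8 * 3600):
    """Return (cookie name, list of weaknesses) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")
    if "max-age" in attrs and int(attrs["max-age"]) > max_age_limit:
        findings.append("long lifetime: %s seconds" % attrs["max-age"])
    if "domain" in attrs:  # any Domain attribute sends the cookie to all subdomains
        findings.append("Domain=%s: shared with every subdomain" % attrs["domain"])
    decoded = try_decode(value)
    if decoded is not None and any(c in decoded for c in "=:@;"):
        findings.append("value decodes to readable data: %r" % decoded)
    return name, findings

# Constructed sample headers, not captured from any real application.
# The weak value is base64 of "user=admin;role=admin".
WEAK_HEADER = "sid=dXNlcj1hZG1pbjtyb2xlPWFkbWlu; Path=/; Domain=example.com; Max-Age=2592000"
STRONG_HEADER = "sid=3f9a0c7e2b8d14657a1e9c0b4d2f8e36; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600"
```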
Registration Feature Testing:
· Check for duplicate registration with the same email id for account takeover.
· Check for a weak password policy.
· Check whether the stored username is shown as part of the post-authentication welcome message and tr.
· Check for an insufficient email verification process.
· Weak registration implementation — allows disposable email addresses.
Login Feature Testing:
· Check username enumeration.
· Bypass the login panel with common login SQL injection payloads using Burp Suite Intruder.
· Try accessing resources without authentication.
· Check whether user credentials are sent over HTTP.
· Check whether user credentials can be forcibly submitted over HTTP where both HTTP and HTTPS are served.
· Check the account lockout threshold value.
· Create a custom password wordlist and try brute force.
· Test OAuth functionality.
· Test OAuth functionality for open redirect.
Error Codes Testing:
· Try accessing custom pages under the root directory such as 'yourname.php' or 'your name.php'.
· Add multiple parameters in the same POST/GET request using different values and generate.
· Add [], ]], and [[ to cookie values and parameter values to create errors.
· Try to generate an unusual error code by giving input such as /-yourname/%s at the end of a word.
· Use the fuzzing technique to create errors and determine any information leakage.
Post Login My Account Testing:
· Try CSRF on various features that are pertaining to a single user account.
· Post login, change the email id to an already existing email id. Check if it's getting.
· Test file upload: no AV detection, no size limit, extension bypass.
· Open the profile picture in a new tab and check the URL. Look for email id/user id info. EXIF
· Check the account deletion option, if the application provides one, and confirm the deletion via forgot password.
· Change email id, account id, and user id parameter and try to brute-force other users’ ID.
· Check whether the application re-authenticates for performing a sensitive operation for PO (Purchase Order).
Forget Password Testing:
· Failure to invalidate session on logout and password reset.
· Check the uniqueness of the forgot-password reset link/code.
· Check whether the reset link expires if it is not used by the user for a certain amount of time.
· Find the user account identification parameter and tamper with the id or parameter value or change.
· Check for a weak password policy.
· Weak password reset implementation: the token is not invalidated after use.
· If the reset link has another parameter such as date and time, then change the date and time.
· Check whether security questions are asked. Lockout — how many guesses are allowed?
· Add only spaces in the new password and confirm password fields, then hit Enter and see.
· Does it display the old password on the same page after the forgot-password flow completes?
· Request two password reset links and use the older one from the user's email.
· Check whether the active session is destroyed upon changing the password.
· Weak password reset implementation: the password reset token is sent over HTTP.
· Send repeated forgot-password requests and check whether the tokens issued are sequential.
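An added example (not from the original checklist) for the token checks in this section: given the tokens collected from several consecutive reset requests, it flags reuse, sequential issuance and a low upper bound on entropy. The token batches are constructed.

```python
import math

def assess_reset_tokens(tokens, min_bits=64):
    """Flag weaknesses in a batch of password-reset tokens obtained by
    requesting several resets in a row: duplicates, sequential issuance
    and a low entropy bound. Returns a list of findings (empty = nothing found)."""
    findings = []
    if len(set(tokens)) != len(tokens):
        findings.append("duplicate tokens issued")
    # Sequential issuance: every token parses as a decimal or hex number and
    # consecutive tokens differ by the same step.
    for base in (10, 16):
        try:
            nums = [int(t, base) for t in tokens]
        except ValueError:
            continue
        steps = {b - a for a, b in zip(nums, nums[1:])}
        if len(nums) >= 3 and len(steps) == 1:
            findings.append("sequential tokens (step %d)" % steps.pop())
        break
    # Upper bound on entropy: shortest token length x log2(distinct symbols
    # seen across the batch). The real entropy can only be lower.
    alphabet = set("".join(tokens))
    bits = min(len(t) for t in tokens) * math.log2(len(alphabet)) if alphabet else 0
    if bits < min_bits:
        findings.append("at most %.0f bits of entropy (< %d)" % (bits, min_bits))
    return findings

# Constructed token batches, not taken from any real application.
SEQUENTIAL = ["100041", "100042", "100043", "100044"]
RANDOM_HEX = ["3f9a0c7e2b8d14657a1e9c0b4d2f8e36",
              "c41b7e9f03a8d2565e1a7b0c9d3f8e21",
              "8e2d5a0f7c9b1436d0a7e4b2c8f1539e"]
```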
Contact Us Form Testing:
· Is a CAPTCHA implemented on the contact us form in order to restrict email flooding attacks?
· Does it allow uploading files on the server?
Product Purchase Testing:
· Buy now — Tamper product ID to purchase other high valued products at a low price.
· Buy now — Tamper product data in order to increase the number of products with a small value.
· Gift/Voucher — Tamper the gift/voucher count in the request to increase/decrease it.
· Gift/Voucher — Tamper the gift/voucher value to increase/decrease the value of the voucher.
· Gift/Voucher — Reuse a gift/voucher by sending old gift values via parameter tampering.
· Gift/Voucher — Check the uniqueness of the gift/voucher parameter and try guessing other voucher values.
· Gift/Voucher — Use the parameter pollution technique to apply a voucher twice by sending the parameter two times.
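An added example, not from the original checklist, showing why the price and voucher tampering listed above works and what the server side should look like: the insecure version trusts the request's price and voucher fields, the hardened version looks everything up server side and honours each voucher code only once. The catalogue, voucher table and orders are constructed sample data.

```python
from decimal import Decimal

# Constructed catalogue and voucher table standing in for the shop database.
CATALOG = {"SKU-1": Decimal("499.00"), "SKU-2": Decimal("9.99")}
VOUCHERS = {"SAVE50": Decimal("50.00")}

def total_trusting_client(order):
    """Insecure: the total is computed from the price, quantity and voucher
    value fields exactly as they arrive in the request."""
    items = sum(Decimal(i["price"]) * int(i["qty"]) for i in order["items"])
    vouchers = sum(Decimal(v["value"]) for v in order["vouchers"])
    return items - vouchers

def total_server_side(order, redeemed):
    """Hardened: prices and voucher values are looked up server side, the
    quantity must be a positive integer, and a voucher code is honoured once
    per order (defeats sending the parameter twice) and once ever (`redeemed`)."""
    total = Decimal("0")
    for item in order["items"]:
        qty = int(item["qty"])
        if qty < 1 or item["sku"] not in CATALOG:
            raise ValueError("rejected item %r" % item.get("sku"))
        total += CATALOG[item["sku"]] * qty
    codes = []
    for voucher in order["vouchers"]:
        code = voucher["code"]
        if code in codes or code in redeemed or code not in VOUCHERS:
            raise ValueError("rejected voucher %r" % code)
        codes.append(code)
    discount = sum((VOUCHERS[c] for c in codes), Decimal("0"))
    redeemed.update(codes)  # mark as used only after every check has passed
    return max(total - discount, Decimal("0"))

# Constructed requests: an honest one and one with the tampering the checklist
# describes (client-side price of 1.00 and the same voucher submitted twice).
HONEST_ORDER = {"items": [{"sku": "SKU-1", "price": "499.00", "qty": "1"}],
                "vouchers": [{"code": "SAVE50", "value": "50.00"}]}
TAMPERED_ORDER = {"items": [{"sku": "SKU-1", "price": "1.00", "qty": "1"}],
                  "vouchers": [{"code": "SAVE50", "value": "400.00"},
                               {"code": "SAVE50", "value": "400.00"}]}
```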
Flight/Hotel/Railway Booking Testing:
· Booking details — View and Manage other users’ booking details.
· Booking details — Check reservation status for other users/on behalf of other users.
· Ticket/Vouchers — View other users’ vouchers/e-tickets from the PRINT option.
· Ticket/Vouchers — Check if sensitive data is passed in the GET request.
· Ticket/Voucher — If an e-ticket/voucher is sent by email then check for email flooding.
· Refund — View other users' refund status; if refund tracking is allowed, then gain access to other users' refund tracking status.
· Cancellation — Gain a higher cancellation amount by modifying the amount parameter.
· Booking — Make a booking for one person and add 5 more persons at the same price.
· Booking — Hotel — Book a normal room, then select a Deluxe room at the same price.
Cross-Site Scripting Testing:
· Test what’s being sanitized and what’s not.
· Try XSS using the XSStrike tool by Somdev Sangwan.
· Upload a file named "><img src=x onerror=alert(document.domain)>.txt.
· Try all variations of IMG SRC onerror payloads.
· If script tags are banned, use <h1> and other HTML tags.
· If the output is reflected inside the JavaScript as the value of a variable, just use alert.
· If " is filtered, use this payload: /><img src=d onerror=confirm(/site/);>
· Upload JavaScript inside an image file — use the gifsicle tool.
· An unusual way to execute your JS payload is to change the method from POST to GET.
· Tag attribute value 1. Input landed — <input type="text" name="state" value="INPUT
· Syntax-encoded payload: %3cscript%3ealert(document.cookie)%3c/script%3e.
· ASP.NET IE9 filter evasion — HTML entities — <%tag style="test:expression(alert('
· ASP.NET IE9 filter evasion — HTML entities — <&tag style='test:expression(alert(123))
· Try a base64 payload.
· If the logout button just performs a redirection, then use the old classic XSS payload.
· Try Polyglot payload.