Pen Test Checklist for Web Applications
Penetration testing is not an easy task. Security engineers should be ready with all the tools and techniques needed to identify security flaws in applications.
This blog provides a penetration testing checklist to guide testing of a web application for security flaws.
Preparation of Pen Test
- Sign agreement with client for performing penetration testing
- Identify the scope - Endpoints, URLs, Number of Static and Dynamic pages
- Ask a developer to create a staging environment similar to the production environment
- Whitelist IP addresses that need to be used by Pen Tester to attack application
Type of Penetration Testing
- Black Box - No support available from the developer side
- Gray Box - Partial support available from the developer side
- White Box - Full support available from the developer side
Documentation Required for Penetration Testing
- Design Document
- User Manual Document
- Access Control Document
- Data Flow charts
- Usernames and Passwords for different roles
Stages of Penetration Testing
As a Pen Tester, you should know the steps to test the web application for vulnerabilities. There are generally five steps to follow to perform penetration testing:
1. Reconnaissance of Target
2. Scanning of Web Applications using an Automated Scanner
3. Assessment of Identified Security Flaws
4. Try of Exploitation
5. Reporting of Results
1. Reconnaissance
Reconnaissance is the process of collecting all the technical information related to the target. Below is the information you should collect about the target.
- Identify Web Server and Technologies - by using a tool such as Wappalyzer
- Search Engine Discovery Reconnaissance for Information Leakage - refer to the detailed blog on using search engines for hacking web applications
- Identify Webserver Metafiles for Information Leakage
- Enumerate Applications on Webserver
- Review Webpage Content for Information Leakage
- Identify Application Entry Points
- Map Execution Paths Through Application
- Fingerprint Web Application Framework
- Map Application Architecture
Reconnaissance is further divided into active reconnaissance and passive reconnaissance: passive reconnaissance uses information already published elsewhere (search engines, public records) without sending requests to the target, while active reconnaissance interacts with the target directly and is therefore visible in its logs.
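The following script is an added example (not part of the original post) showing what a passive review of your own staging server's responses reveals during the reconnaissance items above: technology and version disclosure in headers, framework fingerprinting from session cookie names, and paths disclosed by the robots.txt metafile. The HTTP response and robots.txt are constructed samples; the host name is a placeholder. Every finding maps directly to a header to strip or a path to protect.

```python
import re
from typing import Dict, List

# Constructed sample: a raw HTTP response as a reviewer might capture from
# their own staging server with "curl -i" (hypothetical values, not a real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed robots.txt as served by the same hypothetical staging host.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /old-site/
Allow: /public/
Sitemap: https://staging.example.invalid/sitemap.xml
"""

# Header names that commonly disclose product names and versions.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")

# Default session cookie names that identify the application framework.
COOKIE_FINGERPRINTS = {
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
    "asp.net_sessionid": "ASP.NET",
    "cfid": "ColdFusion",
    "laravel_session": "Laravel",
    "csrftoken": "Django",
}

# Matches dotted version numbers such as 2.4.29 or 7.2.24.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response into a name -> [values] map (names lowercased)."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def disclosed_technologies(headers: Dict[str, List[str]]) -> List[dict]:
    """Return findings for headers and cookie names that reveal the stack."""
    findings = []
    for name in DISCLOSING_HEADERS:
        for value in headers.get(name, []):
            findings.append({"header": name, "value": value,
                             "version_disclosed": bool(VERSION_RE.search(value))})
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip().lower()
        if cookie_name in COOKIE_FINGERPRINTS:
            findings.append({"header": "set-cookie", "value": cookie_name,
                             "framework": COOKIE_FINGERPRINTS[cookie_name]})
    return findings


def disallowed_paths(robots_txt: str) -> List[str]:
    """Paths robots.txt asks crawlers to avoid; these are often admin or backup areas."""
    paths = []
    for line in robots_txt.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def recon_summary(raw_response: str, robots_txt: str) -> dict:
    """Combine the header and metafile reviews into one report."""
    headers = parse_headers(raw_response)
    return {"technologies": disclosed_technologies(headers),
            "hidden_paths": disallowed_paths(robots_txt)}


if __name__ == "__main__":
    for key, items in recon_summary(SAMPLE_RESPONSE, SAMPLE_ROBOTS).items():
        print(key)
        for item in items:
            print("  ", item)
```

Run against a real capture by replacing the two sample strings with the output of `curl -i` and the fetched robots.txt; the fix for each finding is to remove the version from `Server`, drop `X-Powered-By`, rename the default session cookie, and put access control (not robots.txt) in front of the disallowed paths.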
2. Scanning of Web Applications using an Automated Scanner
Because manually reviewing the whole application for vulnerabilities is next to impossible, it is always recommended to scan web applications with automated scanners such as Burp Suite, AppScan, Netsparker, etc.
3. Assessment of Identified Security Flaws
Once vulnerabilities are discovered by the automated scanner, assessment of those security flaws should begin. Automated scanners generally report a lot of false positives, and as a Pen Tester you should be able to discard them at this stage.
Manual techniques also need to be applied to test for business logic flaws in the web application, and other manual techniques should be used to identify vulnerabilities that the scanner does not cover.
4. Try of Exploitation
In this step, the Pen Tester tries to exploit the identified vulnerabilities in the web application. This showcases the severity of the issues to the developers and other stakeholders.
5. Reporting of Results
This is a very important step: it provides all the details related to the identified security flaws.
Two types of report may be prepared for reporting the results:
- A detailed report with full details of the vulnerabilities and proof of concept (POC) is provided to the developers so they can resolve the issues.
- Higher management is looking for a concise report that still does not lose the details of the vulnerabilities identified during the penetration test.
PenTest Checklist as per the OWASP Testing Guide
Configuration and Deployment Management Testing
- Network Infrastructure Configuration
- Application Platform Configuration
- File Extensions Handling for Sensitive Information
- Review Old Backup and Unreferenced Files for Sensitive Information
- Infrastructure and Application Admin Interfaces
- HTTP Methods
- HTTP Strict Transport Security
- RIA Cross Domain Policy
- File Permission
- Subdomain Takeover
- Cloud Storage
Identity Management Testing
- Role Definitions
- Account Provisioning Process
- Account Enumeration and Guessable User Account
- Weak or Unenforced Username Policy
Authentication Testing
- Credentials Transported over an Encrypted Channel
- Default Credentials
- Weak Lock-Out Mechanism
- Bypassing Authentication Schema
- Vulnerable Remember Password
- Browser Cache Weaknesses
- Weak Password Policy
- Weak Security Question Answer
- Weak Password Change or Reset Functionalities
- Weaker Authentication in Alternative Channel
Authorization Testing
- Directory Traversal File Include
- Bypassing Authorization Schema
- Privilege Escalation
- Insecure Direct Object References
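As an added example for the Insecure Direct Object References item above (this code is not from the original post), the vulnerable handler below looks up a record by the id taken straight from the request, while the hardened version scopes the lookup to the caller's own records. The `idor_test` helper performs the check a tester does at this step: swap the id for another user's and see whether data comes back. The invoice table, user ids and the `Forbidden` exception are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict


class Forbidden(Exception):
    """Raised when the requesting user may not access the requested object."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data standing in for a database table.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, owner_id=7, amount=120.0),
    1002: Invoice(1002, owner_id=8, amount=9800.0),
}


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """IDOR: the id from the request is used directly, so any logged-in user
    can read any invoice simply by changing the number in the URL."""
    return INVOICES[invoice_id]


def get_invoice_hardened(current_user_id: int, invoice_id: int) -> Invoice:
    """Object-level authorization: the lookup is scoped to the caller's own
    records. A missing record and another user's record are treated the same,
    so the response does not confirm that the other id exists."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise Forbidden(f"invoice {invoice_id} not accessible to user {current_user_id}")
    return invoice


def idor_test(handler: Callable[[int, int], Invoice],
              requesting_user_id: int, invoice_id: int) -> bool:
    """Return True if the handler returns a record owned by someone else.
    This is the tester's check: request an id you do not own and compare owners."""
    try:
        record = handler(requesting_user_id, invoice_id)
    except (Forbidden, KeyError):
        return False
    return record.owner_id != requesting_user_id


if __name__ == "__main__":
    # User 7 asks for invoice 1002, which belongs to user 8.
    print("vulnerable leaks:", idor_test(get_invoice_vulnerable, 7, 1002))
    print("hardened leaks:  ", idor_test(get_invoice_hardened, 7, 1002))
```

The same pattern applies to any id-addressed resource (orders, documents, profile pages): the fix is never to hide the id, but to make every lookup carry the caller's identity as a filter.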
Session Management Testing
- Session Management Schema
- Cookies Attributes
- Session Fixation
- Exposed Session Variables
- Cross-Site Request Forgery
- Logout Functionality
- Session Timeout
- Session Puzzling
- Session Hijacking
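The following is an added example (not code from the original post) covering two checklist items at once: "HTTP Strict Transport Security" from the configuration section and "Cookies Attributes" from the session management section. It checks a captured `Set-Cookie` value for the Secure, HttpOnly and SameSite attributes (and the `__Host-` prefix rules), and a `Strict-Transport-Security` value for an adequate max-age and includeSubDomains. The weak and hardened header values are constructed samples, and the one-year minimum max-age is an assumption chosen for the example.

```python
from typing import Dict, List, Optional

# Constructed header values as they might be captured from a staging server.
WEAK_COOKIE = "SESSIONID=3f9a1c; Path=/"
HARDENED_COOKIE = "__Host-SESSIONID=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Strict"
WEAK_HSTS = "max-age=300"
HARDENED_HSTS = "max-age=31536000; includeSubDomains; preload"

# Minimum max-age in seconds expected by this check (one year; an assumption).
MIN_HSTS_MAX_AGE = 31536000


def parse_cookie(set_cookie: str) -> Dict[str, object]:
    """Split a Set-Cookie header into name, value and lowercased attributes.
    Flag attributes (Secure, HttpOnly) are stored with an empty string value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_findings(set_cookie: str) -> List[str]:
    """Return the missing or weak attributes of a session cookie."""
    cookie = parse_cookie(set_cookie)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable from script, raising XSS impact")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie attached to cross-site requests (CSRF)")
    if "domain" in attrs:
        findings.append("Domain set: cookie is shared with every subdomain")
    if cookie["name"].startswith("__Host-") and (
            attrs.get("path") != "/" or "domain" in attrs or "secure" not in attrs):
        findings.append("__Host- prefix used but Secure, Path=/ and no Domain are required")
    return findings


def hsts_findings(header_value: Optional[str]) -> List[str]:
    """Return weaknesses in a Strict-Transport-Security value (None = header absent)."""
    if header_value is None:
        return ["Strict-Transport-Security header absent"]
    directives: Dict[str, str] = {}
    for directive in header_value.split(";"):
        key, _, val = directive.strip().partition("=")
        directives[key.strip().lower()] = val.strip()
    findings = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains still reachable over HTTP")
    return findings


if __name__ == "__main__":
    for label, value in (("weak cookie", WEAK_COOKIE), ("hardened cookie", HARDENED_COOKIE)):
        print(label, cookie_findings(value))
    for label, value in (("weak HSTS", WEAK_HSTS), ("hardened HSTS", HARDENED_HSTS)):
        print(label, hsts_findings(value))
```

Feed it the raw header values from a captured response; an empty list for both checks is the expected result on a correctly configured application, and each finding names the attribute or directive to add.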
Input Validation Testing
- Reflected Cross-Site Scripting
- Stored Cross-Site Scripting
- HTTP Verb Tampering
- HTTP Parameter Pollution
- SQL Injection
  - Oracle
  - MySQL
  - SQL Server
  - PostgreSQL
  - MS Access
  - NoSQL Injection
  - ORM Injection
  - Client-side
- LDAP Injection
- XML Injection
- SSI Injection
- XPath Injection
- IMAP/SMTP Injection
- Code Injection
  - Local File Inclusion
  - Remote File Inclusion
- Command Injection
- Format String Injection
- Incubated Vulnerability
- HTTP Splitting/Smuggling
- HTTP Incoming Requests
- Host Header Injection
- Server-side Template Injection
- Server-Side Request Forgery
Error Handling
- Improper Error Handling
- Stack Traces
Weak Cryptography
- Weak Transport Layer Security
- Padding Oracle
- Sensitive Information Sent via Unencrypted Channels
- Weak Encryption
Test for Business Logic
- Business Logic Data Validation
- Ability to Forge Requests
- Test Integrity Checks
- Process Timing
- Number of Times a Function Can Be Used Limits
- Circumvention of Work Flows
- Defenses Against Application Misuse
- Upload of Unexpected File Types
- Upload of Malicious Files
Client-side Testing
- DOM-Based Cross-Site Scripting
- JavaScript Execution
- HTML Injection
- Client-side URL Redirect
- CSS Injection
- Client-side Resource Manipulation
- Cross-Origin Resource Sharing
- Cross-Site Flashing
- Clickjacking
- WebSocket Testing
- Web Messaging
- Browser Storage
- Cross-Site Script Inclusion
API Testing
- Testing GraphQL
Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.