Pen Test Checklist for Web Applications

Penetration Test is not an easy task. Security Engineer should be ready with all the tools and techniques to identify security flaws in application.

This blog provide a penetration testing checklist guide to test the web application for security flaws.

Preparation of Pen Test

  • Identify the scope - Endpoints, URLs, Number of Static and Dynamic pages
  • Ask developer to create staging environment similar to production environment
  • Whitelist IP addresses that need to be use by Pen Tester to attack application

Type of Penetration Testing

  • Black Box - No support available from the developer side
  • Gray Box - Partial support available from the developer side
  • White Box - Full support available from the developer side

Documentation Required in case of Gray Box and White Box Penetration Testing

  • Design Document
  • User Manual Document
  • Access Control Document
  • Data Flow charts
  • Usernames and Passwords for different roles

Stages of Penetration Testing

As a Pen Tester, you should know the steps to test the web application for vulnerabilities. There are generally five steps to follow to perform penetration testing:

1. Reconnaissance of Target
2. Scanning of Web Application using Automated Scanner
3. Assessment of Identified Security Flaws
4. Try of Exploitation
5. Reporting of Results

1. Reconnaissance

Reconnaissance is a process of collecting all the technical information related to the target. Below are the information you should collect related to the target.

  • Identify Web Server and Technologies - by using tool Wappalyzer
  • Search Engine Discovery Reconnaissance for Information Leakage - refer detail blog on using search engines for hacking web application
  • Identify Webserver Metafiles for Information Leakage
  • Enumerate Applications on Webserver
  • Review Webpage Content for Information Leakage
  • Identify Application Entry Points
  • Map Execution Paths Through Application
  • Fingerprint Web Application Framework
  • Map Application Architecture

Reconnaissance is further divided into Active Reconnaissance and Passive Reconnaissance.

2. Scanning of Web Application using Automated Scanner

As covering and reviewing for vulnerabilities of whole application is next to impossible, it is always recommended to scan web application with automated scanner like BurpSuite, AppScan, NetSparker, etc.

3. Assessment of Identified Security Flaws

Once vulnerabilities discovered by the Automated Scanner, assessment of those security flaws should be start. Generally, lot of false positive issues have been provided by Automated Scanner. As a Pen Tester, you should be able to discard false positive in this particular stage.

Manual Techniques also need to apply to test business logic flaws in the web application. In addition, other manual techniques to identify vulnerabilities in web applications.

4. Try of Exploitation

In this step, Pen Tester try to exploit identified vulnerabilities in the web application. This will showcase the severity of issues to the developers and other stakeholders.

5. Reporting of Results

This is very important step to provide all details related to identified security flaws.

Two types of report may be prepared for reporting of results.

Detailed report with all details of vulnerabilities and POC will be provided to developer to resolve the issues.

Higher Management is looking for a report which is concise without losing details of vulnerabilities identified during the Penetration Testing.

Following PenTest Checklist is recommended as per OWASP Testing Guide to Test the Web Application

Configuration and Deployment Management Testing

  • Network Infrastructure Configuration
  • Application Platform Configuration
  • File Extensions Handling for Sensitive Information
  • Review Old Backup and Unreferenced Files for Sensitive Information
  • Infrastructure and Application Admin Interfaces
  • HTTP Methods
  • HTTP Strict Transport Security
  • RIA Cross Domain Policy
  • File Permission
  • Subdomain Takeover
  • Cloud Storage

Identity Management Testing

  • Role Definitions
  • Account Provisioning Process
  • Account Enumeration and Guessable User Account
  • Weak or Unenforced Username Policy

Authentication Testing

  • Credentials Transported over an Encrypted Channel
  • Default Credentials
  • Weak Lock Out Mechanism
  • Bypassing Authentication Schema
  • Vulnerable Remember Password
  • Browser Cache Weaknesses
  • Weak Password Policy
  • Weak Security Question Answer
  • Weak Password Change or Reset Functionalities
  • Weaker Authentication in Alternative Channel

Authorization Testing

  • Directory Traversal File Include
  • Bypassing Authorization Schema
  • Privilege Escalation
  • Insecure Direct Object References

Session Management Testing

  • Session Management Schema
  • Cookies Attributes
  • Session Fixation
  • Exposed Session Variables
  • Cross Site Request Forgery
  • Logout Functionality
  • Session Timeout
  • Session Puzzling
  • Session Hijacking

Input Validation Testing

  • Reflected Cross Site Scripting
  • Stored Cross Site Scripting
  • HTTP Verb Tampering
  • HTTP Parameter Pollution

SQL Injection

  • Oracle
  • MySQL
  • SQL Server
  • PostgreSQL
  • MS Access
  • NoSQL Injection
  • ORM Injection
  • Client-side

LDAP Injection

XML Injection

SSI Injection

XPath Injection

IMAP SMTP Injection

Code Injection

  • Local File Inclusion
  • Remote File Inclusion

Command Injection

Format String Injection

Incubated Vulnerability

HTTP Splitting Smuggling

HTTP Incoming Requests

Host Header Injection

Server-side Template Injection

Server-Side Request Forgery

Error Handling

  • Improper Error Handling
  • Stack Traces

Weak Cryptography

  • Weak Transport Layer Security
  • Padding Oracle
  • Sensitive Information Sent via Unencrypted Channels
  • Weak Encryption

Test for Business Logic

  • Business Logic Data Validation
  • Ability to Forge Requests
  • Test Integrity Checks
  • Process Timing
  • Number of Times a Function Can Be Used Limits
  • Circumvention of Work Flows
  • Defenses Against Application Misuse
  • Upload of Unexpected File Types
  • Upload of Malicious Files

Client-side Testing

  • DOM-Based Cross Site Scripting
  • JavaScript Execution
  • HTML Injection
  • Client-side URL Redirect
  • CSS Injection
  • Client-side Resource Manipulation
  • Cross Origin Resource Sharing
  • Cross Site Flashing
  • Clickjacking
  • WebSocket Testing
  • Web Messaging
  • Browser Storage
  • Cross Site Script Inclusion

API Testing

Testing of GraphQL

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

OWASP API Top 10 - 2023 7 Facts You Should Know About WormGPT OWASP Top 10 for Large Language Models (LLMs) Applications Top 10 Blockchain Security Issues What is Cyber Warfare?