Web Application Penetration Testing Checklist

Web Application Penetration Testing Checklist

Uploaded by

kandarimansi18
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
36 views26 pages

Web Application Penetration Testing Checklist

Web Application Penetration Testing Checklist

Uploaded by

kandarimansi18
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 26

WEB

APPLICATION
PENETRATION TESTING
CHECKLIST
Reconnaissance Phase

| Test Name | Test Case | Result |
|---|---|---|
| Identify Web Server, Technologies, and Database | Identify the HTTP server hosting the website, the front-end technologies in use, and the back-end, including whether a PostgreSQL database is used. | |
| ASN (Autonomous System Number) & IP Space Enumeration and Service Enumeration | Ensure the enumeration tool's accuracy in obtaining ASNs, identifying IP addresses within a specified range, and detecting open ports and services on a target IP address. | |
| Google Dorking | Ensure that the Google Dorking technique effectively retrieves sensitive information from public internet search engine results. | |
| Directory Enumeration | Ensure that the directory enumeration process accurately identifies and lists directories and files within a specified web server directory. | |
| Reverse Lookup | Ensure that the reverse lookup functionality accurately maps IP addresses to domain names. | |
| JS Files Analysis | Confirm that the JS files analysis accurately identifies vulnerabilities and security issues in JavaScript files. | |
| Subdomain Enumeration and Bruteforcing | Confirm that the subdomain enumeration and brute-forcing functionality accurately discovers subdomains associated with the target domain. | |
| Port Scanning | Verify that the port scanning tool correctly identifies open ports on a target IP address or network. | |

www.infosectrain.com
Registration Feature Testing

| Test Name | Test Case | Result |
|---|---|---|
| Duplicate Registration/Overwrite Existing User | Verify that the registration process prevents duplicate registration and overwriting of existing user accounts. | |
| Weak Password Policy | Confirm that the registration process enforces a strong password policy. | |
| Reuse of Existing Usernames | Ensure that the registration process prevents the reuse of existing usernames. | |
| Insufficient Email Verification Process | Verify that the email verification process adequately verifies user email addresses. | |
| Weak Registration Implementation - Allows Disposable Email Addresses | Confirm that the registration process does not allow registration with disposable email addresses. | |
| Weak Registration Implementation - Over HTTP | Verify that the registration process is securely implemented and does not allow registration over an unencrypted HTTP connection. | |
| Overwrite Default Web Application Pages | Confirm that the registration process does not allow specially crafted usernames that could overwrite or manipulate default web application pages. | |
Session Management Testing

| Test Name | Test Case | Result |
|---|---|---|
| Decode Cookies Using Standard Decoding Algorithms | Check whether cookie values can be decoded using standard decoding algorithms. | |
| Modify Cookie: Session Token Value | Verify that the application correctly handles slight modifications to session cookie token values. | |
| Test Self-Registration with Similar Usernames | Check whether the application handles self-registration with usernames containing small variations. | |
| Check Session Cookies and Cookie Expiration Date/Time | Verify that session cookies have appropriate expiration settings. | |
| Identify Cookie Domain Scope | Ensure that session cookies are scoped to the appropriate domain. | |
| Check for HttpOnly Flag in Cookie | Confirm that session cookies are marked with the HttpOnly flag. | |
| Check for Secure Flag in Cookie | Ensure that session cookies are marked with the Secure flag if the application is served over SSL. | |
Authentication Testing

| Test Name | Test Case | Result |
|---|---|---|
| Username Enumeration | Verify that the system does not allow username enumeration. | |
| Bypass Authentication using SQL Injections | Test for bypassing authentication using various SQL injections on the username and password fields. | |
| Lack of Password Confirmation | Confirm that the system enforces password confirmation when changing email addresses and passwords and when managing 2FA. | |
| Access Violation without Authentication | Check whether resources can be used without authentication, leading to access violations. | |
| SSL Transmission of User Credentials | Confirm that user credentials are transmitted over SSL. | |
| OAuth Login Functionality | Check OAuth login functionality, including roles and potential security vulnerabilities. | |
| Two-Factor Authentication Misconfiguration | Check the two-factor authentication implementation for misconfigurations: response manipulation, status codes, code leakage, reusability, brute-force protection, integrity validation, and null values. | |
Post Login Testing

| Test Name | Test Case | Result |
|---|---|---|
| Active Account User ID and Tampering Attempt | Identify a parameter in the application that uses the active account user ID and attempt tampering to change the details of other accounts. | |
| Enumerate Features Specific to a User Account and Conduct CSRF Testing | Create a list of features specific to a user account and test them for Cross-Site Request Forgery (CSRF) vulnerabilities. | |
| Change Email and Confirm Server-Side Validation | Check whether changing the email address is validated on the server side and whether the application sends email confirmation links to new users. | |
| Verify Account Deletion Option with Forgot Password Feature | Verify the account deletion option and confirm it via the forgot password feature. | |
| Change Email, Account ID, and User ID Parameters for Brute Force | Change the email, account ID, and user ID parameters and attempt brute-force attacks on other users' passwords. | |
Forgot Password Testing

| Test Name | Test Case | Result |
|---|---|---|
| Failure to Expire Sessions Upon Logout and Password Reset | Ensure the session is invalidated on logout and on password reset. | |
| Check Forgot Password Reset Link/Code Uniqueness | Ensure the uniqueness of the password reset link/code. | |
| Check Expiry of Password Reset Link | Verify that the reset link expires if not used within a specific time frame. | |
| Find User Account Identification Parameter and Attempt Tampering | Identify the user account identification parameter and attempt to tamper with it to change another user's password. | |
| Check for Weak Password Policy | Examine whether the password reset enforces a strong password policy. | |
| Check if Active Session Gets Destroyed upon Changing the Password | Verify that the active session is destroyed when the password is changed. | |
Open Redirection Testing

| Test Name | Test Case | Result |
|---|---|---|
| Test Common Injection Parameters | Examine common injection parameters for potential vulnerabilities. | |
| Change URL Parameter Values | Examine whether changing the URL parameter value redirects to the specified URL. | |
| Test Single Slash and URL Encoding | Test the use of a single slash and URL encoding in URL parameters. | |
| Use Whitelisted Domain or Keyword | Check whether using a whitelisted domain or keyword in parameters bypasses filters. | |
| Use "//" to Bypass HTTP Blacklisted Keyword | Check whether using "//" in parameters bypasses HTTP blacklisted keywords. | |
| Use Null Byte (%00) to Bypass Blacklist Filter | Check whether using a null byte (%00) in parameters bypasses blacklist filters. | |
| Use ° Symbol to Bypass | Check whether the "°" symbol in parameters bypasses security filters. | |
Host Header Injection

| Test Name | Test Case | Result |
|---|---|---|
| Supply an Arbitrary Host Header | Check the application's handling of arbitrary Host headers. | |
| Check for Flawed Validation | Verify whether the application's validation of Host headers is flawed. | |
| Check Ambiguous Requests | Send ambiguous requests with various Host header manipulations and observe the application's behavior. | |
| Inject Host Override Headers | Inject host override headers to determine whether the application accepts and processes them. | |
SQL Injection Testing

| Test Name | Test Case | Result |
|---|---|---|
| Entry Point Detection | Identify vulnerable entry points for SQL injection. | |
| Use SQLmap to Identify Vulnerable Parameters | Ensure that SQLmap identifies parameters vulnerable to SQL injection. | |
| Run the SQL Injection Scanner on All Requests | Check whether the SQL injection scanner identifies and reports any SQL injection vulnerabilities. | |
| Bypassing Web Application Firewall (WAF) | Test whether bypass techniques are effective against the Web Application Firewall (WAF). | |
| Time Delays | Verify the effectiveness of time delays for each database system. | |
| Conditional Delays | Evaluate the impact of conditional time delays for each database system. | |
| Use ° Symbol to Bypass | Check whether the "°" symbol in parameters bypasses security filters. | |
Cross-Site Scripting Testing

| Test Name | Test Case | Result |
|---|---|---|
| Use HTML Tags if Script Tags Are Banned | Check whether HTML tags are executed as XSS. | |
| Reflect Output Inside JavaScript Variable | Check whether the output is reflected inside a JavaScript variable and whether an alert payload can be used. | |
| Upload JavaScript Using Image File | Check whether the JavaScript code is executed when the image is displayed. | |
| Change Method From POST to GET | Check whether changing the request method from POST to GET bypasses filters and the payload is executed. | |
| Syntax Encoding Payload | Check whether the syntax-encoded payload is executed as XSS. | |
| XSS Firewall Bypass | Verify whether the employed XSS firewall bypass techniques effectively circumvent the XSS firewall. | |
CSRF Testing

| Test Name | Test Case | Result |
|---|---|---|
| Validation of CSRF Token | Confirm whether the CSRF token validation rejects a GET request when the validation process depends on the request method. | |
| CSRF Token Presence Validation | Check whether the application only accepts requests with a valid CSRF token. | |
| The CSRF Token Is Independent of the User Session | Check whether the CSRF token is not associated with the user's session and whether the application still validates the CSRF token after the user session has ended. | |
| | Ensure that the application validates the CSRF token when the non-session cookie is included. | |
| Verify Referer Header Presence | Ensure that the application only accepts requests with a valid Referer header. | |
SSO Vulnerabilities

| Test Name | Test Case | Result |
|---|---|---|
| FUZZ on the Internal System After SSO Redirect | Conduct fuzzing on an internal system following redirection to the SSO system to identify vulnerabilities or misconfigurations within the internal system. | |
| Craft SAML Request and Server Interaction | Craft a SAML request with a token and analyze how the server processes the crafted SAML request. | |
| Test for XML Signature Wrapping Vulnerabilities | Check whether the server is vulnerable to XML Signature Wrapping. | |
| Inject XXE Payloads in SAML Response | Check whether the server processes the XXE payloads. | |
| SSO for Takeover | Assess the possibility of taking over the victim's account. | |
| SSRF Using Cookie Header URLs | Check whether SSRF can be achieved by modifying the IP in the Cookie header URLs. | |
XML Injection Testing

| Test Name | Test Case | Result |
|---|---|---|
| Change Content Type for XML Injection | Verify whether the server is vulnerable to XML Injection. | |
| Blind XXE with Out-of-Band Interaction | Identify whether the server is vulnerable to Blind XXE attacks. | |
| Errors Parsing Origin Headers | Check whether Cross-Origin Resource Sharing (CORS)-related errors can be triggered. | |
| Whitelisted Null Origin Value | Check whether the server whitelists null Origin values. | |
| Bypassing Filters | Check whether filters can be bypassed. | |
| Cloud Instances | Check whether SSRF vulnerabilities can access cloud instance data. | |
File Upload Testing

| Test Name | Test Case | Result |
|---|---|---|
| Null Byte (%00) Bypass | Check whether null bytes can bypass upload restrictions. | |
| Content-Type Bypass | Check whether content type manipulation can bypass restrictions. | |
| Magic Byte Bypass | Identify whether magic byte manipulation can bypass upload checks. | |
| Client-Side Validation Bypass | Check whether bypassing client-side validation circumvents upload restrictions. | |
| Blacklisted Extension Bypass | Check whether the application effectively enforces extension restrictions. | |
| Homographic Character Bypass | Check whether homographic characters can bypass filters. | |
CAPTCHA Testing

| Test Name | Test Case | Result |
|---|---|---|
| Missing Captcha Field Integrity Checks | Verify whether the application performs integrity checks on the Captcha field and rejects incomplete submissions. | |
| HTTP Verb Manipulation | Check whether changing HTTP verbs impacts Captcha validation. | |
| Reusable Captcha | Check whether Captchas are single-use or can be reused. | |
| Server-Side Validation for CAPTCHA | Check whether the server performs proper Captcha validation independently. | |
| OCR Image Recognition | Check whether OCR tools can successfully recognize Captcha content. | |
| Absolute Path Retrieval | Check whether Captcha images are accessible via absolute paths. | |
JWT Token Testing

| Test Name | Test Case | Result |
|---|---|---|
| Brute-Forcing Secret Keys | Check whether the application's secret key is resistant to brute-force attacks. | |
| Creating a Fresh Token Using the "none" Algorithm | Verify whether the application accepts or rejects tokens signed with the "none" algorithm. | |
| Changing the Signing Algorithm of the Token | Check how the application responds to changes in the signing algorithm. | |
| Signing the Asymmetrically-Signed Token to Symmetric Algorithm Match | Check whether the application allows signing transitions from asymmetric to symmetric algorithms. | |
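The "none" algorithm and algorithm-switch rows above describe what a verifier must reject. The following is an added example, not code from the checklist or from InfosecTrain: a minimal HS256 verifier that pins the expected algorithm instead of trusting the token header, together with a constructed token builder used only to exercise the rejection paths. The key and claims are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secret store.
DEMO_KEY = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. alg="none" is supported only so the verifier's
    rejection path (the checklist's "none" test) can be exercised locally."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    if alg == "none":
        return signing_input + "."  # empty signature segment
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes):
    """Return the claims if `token` is a valid HS256 JWT under `key`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    # The header's "alg" is attacker-controlled input. Pinning the expected
    # value here, rather than letting it select the verification method,
    # rejects alg="none" and any algorithm switch (including an attempt to
    # verify an asymmetrically-signed token as HMAC with a public key).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
```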
WebSockets Testing

| Test Name | Test Case | Result |
|---|---|---|
| Intercepting and Modifying WebSocket Messages | Check whether WebSocket messages can be intercepted and their content modified. | |
| WebSockets Man-in-the-Middle (MITM) Attempts | Perform a Man-in-the-Middle attack on WebSocket communication. | |
| Test Secret Header WebSocket | Check whether the WebSocket implementation relies on secret headers for authentication. | |
| Content Stealing in WebSockets | Check whether sensitive data transmitted via WebSocket can be accessed. | |
| Token Authentication Testing in WebSockets | Evaluate whether the token-based authentication is secure. | |
GraphQL Vulnerabilities Testing

| Test Name | Test Case | Result |
|---|---|---|
| Inconsistent Authorization Checks | Identify instances where authorization checks are not consistently applied across different parts of the GraphQL schema. | |
| Missing Validation of Custom Scalars | Identify any custom scalar types that do not have adequate validation for input values. | |
| Failure to Appropriately Rate-Limit | Evaluate whether rate-limiting is adequately enforced to prevent abuse or DoS attacks. | |
| Introspection Query Enabled/Disabled | Determine whether the server allows introspection queries that can reveal schema details. | |
WordPress Common Vulnerabilities

| Test Name | Test Case | Result |
|---|---|---|
| XSPA in WordPress | Identify whether there are any exposed services or ports that may be susceptible to XSPA. | |
| Bruteforce in wp-login.php | Check whether the application effectively prevents or mitigates brute-force login attempts. | |
| Information Disclosure WordPress Username | Enumerate usernames and confirm whether the application reveals valid usernames. | |
| Backup File wp-config Exposed | Ensure that backup files or sensitive configuration files are not accessible. | |
| Log Files Exposed | Confirm whether log files containing sensitive data are improperly exposed to unauthorized users. | |
| Denial of Service via load-styles.php | Assess whether the file can be abused to launch DoS attacks. | |
Denial of Service

| Test Name | Test Case | Result |
|---|---|---|
| Cookie Bomb | Check whether the application can handle an excessive number of cookies effectively. | |
| Pixel Flood (Using Image with Huge Pixels) | Assess the application for vulnerabilities related to "Pixel Flood" attacks. | |
| Frame Flood (Using GIF with Huge Frame) | Check the application for potential "Frame Flood" vulnerabilities. | |
| ReDoS (Regex DoS) | Assess whether the application is susceptible to ReDoS attacks due to insecure regular expressions. | |
| CPDoS (Cache Poisoned Denial of Service) | Check whether attackers can poison the application's cache to cause a DoS condition. | |
Security Headers Testing

| Test Name | Test Case | Result |
|---|---|---|
| X-Frame-Options Header Testing | Ensure the application has X-Frame-Options set to DENY or restricted to specific domains. | |
| X-XSS-Protection Header Testing | Verify the existence and settings of the X-XSS-Protection header. | |
| HSTS Header Testing | Evaluate the presence and configuration of the HTTP Strict Transport Security (HSTS) header. | |
| CSP Header Testing | Check the presence and configuration of the Content Security Policy (CSP) header. | |
| Cache Control Header Testing | Check for the presence and correct configuration of Cache-Control headers. | |
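The header rows above and the HttpOnly/Secure cookie rows in the Session Management section are all checks on a single HTTP response, so they can be scripted together. This is an added example, not code from the checklist or from InfosecTrain: it audits a constructed set of response headers for a sensitive page and reports which checks fail, with a hardened header set beside it. The thresholds (a one-year HSTS max-age, `no-store` for sensitive pages) and the cookie name `sessionid` are assumptions for the example.

```python
import re

# Constructed sample headers for a login page served over HTTPS (not captured
# from any real site). Several checklist items are deliberately failed.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("X-Frame-Options", "ALLOWALL"),
    ("Strict-Transport-Security", "max-age=0"),
    ("Cache-Control", "public, max-age=3600"),
]

# The same page with every check satisfied.
HARDENED_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Cache-Control", "no-store"),
]

ONE_YEAR = 31536000


def audit_headers(headers, session_cookie_names=("sessionid",), https=True):
    """Return a list of findings (empty when every check passes)."""
    findings = []
    by_name = {}
    for name, value in headers:  # header names are case-insensitive
        by_name.setdefault(name.lower(), []).append(value)

    xfo = by_name.get("x-frame-options", [""])[0].strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive: %r" % xfo)

    hsts = by_name.get("strict-transport-security", [""])[0]
    match = re.search(r"max-age=(\d+)", hsts)
    if https and (not match or int(match.group(1)) < ONE_YEAR):
        findings.append("HSTS missing or max-age below one year: %r" % hsts)

    if "content-security-policy" not in by_name:
        findings.append("Content-Security-Policy header missing")

    cache = by_name.get("cache-control", [""])[0].lower()
    if "no-store" not in cache:
        findings.append("Cache-Control lacks no-store on a sensitive page: %r" % cache)

    for cookie in by_name.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if name in session_cookie_names:  # only session cookies need both flags
            if "httponly" not in attrs:
                findings.append(f"{name}: HttpOnly flag missing")
            if https and "secure" not in attrs:
                findings.append(f"{name}: Secure flag missing")
    return findings
```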
Role Authorization Testing

| Test Name | Test Case | Result |
|---|---|---|
| Access Control Testing | Verify the application's access control by attempting to access high-privileged resources with normal user privileges. | |
| Forced Browsing Testing | Verify forced browsing attempts to access restricted or unlinked resources. | |
| Insecure Direct Object Reference (IDOR) Testing | Check for IDOR vulnerabilities by attempting to access objects and data outside of the authorized scope. | |
| Parameter Tampering Testing | Assess the application's vulnerability to parameter tampering for privilege escalation. | |
Blind OS Command Injection Testing

| Test Name | Test Case | Result |
|---|---|---|
| Time Delays | Check whether the application prevents time-based command injection. | |
| Output Redirection | Conduct blind OS command injection with out-of-band interactions. | |
Broken Cryptography

| Test Name | Test Case | Result |
|---|---|---|
| Cryptography Implementation Flaw | Check for implementation flaws, such as hard-coded encryption keys, weak algorithms, or improper initialization vectors. | |
| Encrypted Information Compromised | Verify whether sensitive information, even when encrypted, can be compromised due to data leaks, insecure key storage, or weak encryption. | |
| Weak Ciphers Used for Encryption | Identify the encryption mechanisms in use and check whether weak ciphers are employed. | |