Netspi Web Application Penetration Testing Checklist
Grouping tests into logical categories can make it easier to build and maintain checklists over time. Many people look to the OWASP Top 10 for guidance, but NetSPI recommends you choose categories that will help meet your goals.

Common categories that NetSPI recommends:
• Authentication Bypass
• Injection Issues
• Sensitive Data Exposure
• Application Functionality and Business Logic Checks
• 3rd Party Components Checks
• Session Management
• Weak Application Configuration Checks
• Weak Server Configuration Checks
• Weak Platform Configuration Checks

2. Create Test Baselines
No checklist will cover every scenario for all applications, but creating tests that cover the core technologies and processes used during most web application penetration tests will save you time and ensure that you and your organization are covering the most common vulnerabilities. Online resources to get you started:
• OWASP Testing Guide
• Web Application Hacker's Handbook Checklist

Project Specific Information
A checklist serves as a place to store required procedures for engagements. It can also be a valuable place to store information discovered before, during, and after a test. A dynamic checklist creates a single source of information related to the test. This information can also include:
• Connection Information

Trying to fit every verbose testing procedure into your checklist may not be plausible, but including links to relevant information can help you. NetSPI recommends limiting procedures to the most common scenarios and linking to the outliers. Including a small summary with resources and any troubleshooting that occurred during the first use can greatly increase the speed with which they can be used.

4. Choosing a Testing Checklist Platform
Choosing the right checklist solution can help free up more time for digging into vulnerabilities and issues not covered in your baseline checklist process. There are several checklist platforms available on the internet that can be leveraged to create and maintain a list of common tasks. NetSPI recommends using one that has the capability to tie the tests to the findings that will ultimately turn into the report or ticket for the business owner. This will help reduce redundant tasks and increase the speed at which your team can get results to the people who need them. For more information on our software platform, check out NetSPI Resolve™.

5. Track and Remediate
The whole point of testing for web application vulnerabilities is to fix them before someone else can take advantage of them. Having an established process for delivering identified vulnerabilities to the right people should be your first step at the end of your test.

Bug Bounty Hunters
channel – or work through a broker like HackerOne and Bugcrowd.
To learn more about NetSPI’s security testing and vulnerability assessment services,
visit www.netspi.com