Skip to content

bhavesh-pardhi/Bughunters-Arsenal

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 

Repository files navigation

WEB APPLICATION PENTESTING CHECKLIST

MasterHead

🌟🌟 OWASP Based Checklist 🌟🌟

🧑‍💻⚡ 500+ Test Cases ⚡🧑‍💻


CONTENT



  • INFORMATION GATHERING

    • Open Source Reconnaissance
      • Perform Google Dorks search
      • Perform OSINT
    • Fingerprinting Web Server
      • Find the type of Web Server
      • Find the version details of the Web Server
    • Looking For Metafiles
      • View the Robots.txt file
      • View the Sitemap.xml file
      • View the Humans.txt file
      • View the Security.txt file
    • Enumerating Web Server’s Applications
      • Enumerating with Nmap
      • Enumerating with Netcat
      • Perform a DNS lookup
      • Perform a Reverse DNS lookup
    • Review The Web Contents
      • Inspect the page source for sensitive info
      • Try to find Sensitive Javascript codes
      • Try to find any keys
      • Make sure the autocomplete is disabled
    • Identifying Application’s Entry Points
      • Identify what the methods used are?
      • Identify where the methods used are?
      • Identify the Injection point
    • Mapping Execution Paths
      • Use Burp Suite
      • Use Dirsearch
      • Use Gobuster
    • Fingerprint Web Application Framework
      • Use the Wappalyzer browser extension
      • Use Whatweb
      • View URL extensions
      • View HTML source code
      • View the cookie parameter
      • View the HTTP headers
    • Map Application Architecture
      • Map the overall site structure

  • CONFIGURATION & DEPLOYMENT MANAGEMENT TESTING

    • Test Network Configuration

      • Check the network configuration
      • Check for default settings
      • Check for default credentials
    • Test Application Configuration

      • Ensure only required modules are used
      • Ensure unwanted modules are disabled
      • Ensure the server can handle DOS
      • Check how the application is handling 4xx & 5xx errors
      • Check for the privilege required to run
      • Check logs for sensitive info
    • Test File Extension Handling

      • Ensure the server won’t return sensitive extensions
      • Ensure the server won’t accept malicious extensions
      • Test for file upload vulnerabilities
    • Review Backup & Unreferenced Files

      • Ensure unreferenced files don’t contain any sensitive info
      • Ensure the namings of old and new backup files
      • Check the functionality of unreferenced pages
    • Enumerate Infrastructure & Admin Interfaces

      • Try to find the Infrastructure Interface
      • Try to find the Admin Interface
      • Identify the hidden admin functionalities
    • Testing HTTP Methods

      • Discover the supported methods
      • Ensure the PUT method is disabled
      • Ensure the OPTIONS method is disabled
      • Test access control bypass
      • Test for XST attacks
      • Test for HTTP method overriding
    • Test HSTS

      • Ensure HSTS is enabled
    • Test RIA Cross Domain Policy

      • Check for Adobe’s Cross Domain Policy
      • Ensure it has the least privilege
    • Test File Permission

      • Ensure the permissions for sensitive files
      • Test for directory enumeration
    • Test For Subdomain Takeover

      • Test DNS, A, and CNAME records for subdomain takeover
      • Test NS records for subdomain takeover
      • Test 404 response for subdomain takeover
    • Test Cloud Storage

      • Check the sensitive paths of AWS
      • Check the sensitive paths of Google Cloud
      • Check the sensitive paths of Azure

  • IDENTITY MANAGEMENT TESTING

    • Test Role Definitions
      • Test for forced browsing
      • Test for IDOR (Insecure Direct Object Reference)
      • Test for parameter tampering
      • Ensure low privilege users can’t able to access high privilege resources
    • Test User Registration Process
      • Ensure the same user or identity can’t register again and again
      • Ensure the registrations are verified
      • Ensure disposable email addresses are rejected
      • Check what proof is required for successful registration
    • Test Account Provisioning Process
      • Check the verification for the provisioning process
      • Check the verification for the de-provisioning process
      • Check the provisioning rights for an admin user to other users
      • Check whether a user is able to de-provision themself or not?
      • Check for the resources of a de-provisioned user
    • Testing For Account Enumeration
      • Check the response when a valid username and password entered
      • Check the response when a valid username and an invalid password entered
      • Check the response when an invalid username and password entered
      • Ensure the rate-limiting functionality is enabled in username and password fields
    • Test For Weak Username Policy
      • Check the response for both valid and invalid usernames
      • Check for username enumeration

  • AUTHENTICATION TESTING

    • Test For Un-Encrypted Channel
      • Check for the HTTP login page
      • Check for the HTTP register or sign-in page
      • Check for HTTP forgot password page
      • Check for HTTP change password
      • Check for resources on HTTP after logout
      • Test for forced browsing to HTTP pages
    • Test For Default Credentials
      • Test with default credentials
      • Test organization name as credentials
      • Test for response manipulation
      • Test for the default username and a blank password
      • Review the page source for credentials
    • Test For Weak Lockout Mechanism
      • Ensure the account has been locked after 3-5 incorrect attempts
      • Ensure the system accepts only the valid CAPTCHA
      • Ensure the system rejects the invalid CAPTCHA
      • Ensure CAPTCHA code regenerated after reloaded
      • Ensure CAPTCHA reloads after entering the wrong code
      • Ensure the user has a recovery option for a lockout account
    • Test For Bypassing Authentication Schema
      • Test forced browsing directly to the internal dashboard without login
      • Test for session ID prediction
      • Test for authentication parameter tampering
      • Test for SQL injection on the login page
      • Test to gain access with the help of session ID
      • Test multiple logins allowed or not?
    • Test For Vulnerable Remember Password
      • Ensure that the stored password is encrypted
      • Ensure that the stored password is on the server-side
    • Test For Browser Cache Weakness
      • Ensure proper cache-control is set on sensitive pages
      • Ensure no sensitive data is stored in the browser cache storage
    • Test For Weak Password Policy
      • Ensure the password policy is set to strong
      • Check for password reusability
      • Check the user is prevented to use his username as a password
      • Check for the usage of common weak passwords
      • Check the minimum password length to be set
      • Check the maximum password length to be set
    • Testing For Weak Security Questions
      • Check for the complexity of the questions
      • Check for brute-forcing
    • Test For Weak Password Reset Function
      • Check what information is required to reset the password
      • Check for password reset function with HTTP
      • Test the randomness of the password reset tokens
      • Test the uniqueness of the password reset tokens
      • Test for rate limiting on password reset tokens
      • Ensure the token must expire after being used
      • Ensure the token must expire after not being used for a long time
    • Test For Weak Password Change Function
      • Check if the old password asked to make a change
      • Check for the uniqueness of the forgotten password
      • Check for blank password change
      • Check for password change function with HTTP
      • Ensure the old password is not displayed after changed
      • Ensure the other sessions got destroyed after the password change
    • Test For Weak Authentication In Alternative Channel
      • Test authentication on the desktop browsers
      • Test authentication on the mobile browsers
      • Test authentication in a different country
      • Test authentication in a different language
      • Test authentication on desktop applications
      • Test authentication on mobile applications

  • AUTHORIZATION TESTING

    • Testing Directory Traversal File Include
      • Identify the injection point on the URL
      • Test for Local File Inclusion
      • Test for Remote File Inclusion
      • Test Traversal on the URL parameter
      • Test Traversal on the cookie parameter
    • Testing Traversal With Encoding
      • Test Traversal with Base64 encoding
      • Test Traversal with URL encoding
      • Test Traversal with ASCII encoding
      • Test Traversal with HTML encoding
      • Test Traversal with Hex encoding
      • Test Traversal with Binary encoding
      • Test Traversal with Octal encoding
      • Test Traversal with Gzip encoding
    • Testing Travesal With Different OS Schemes
      • Test Traversal with Unix schemes
      • Test Traversal with Windows schemes
      • Test Traversal with Mac schemes
    • Test Other Encoding Techniques
      • Test Traversal with Double encoding
      • Test Traversal with all characters encode
      • Test Traversal with only special characters encode
    • Test Authorization Schema Bypass
      • Test for Horizontal authorization schema bypass
      • Test for Vertical authorization schema bypass
      • Test override the target with custom headers
    • Test For Privilege Escalation
      • Identify the injection point
      • Test for bypassing the security measures
      • Test for forced browsing
      • Test for IDOR
      • Test for parameter tampering to high privileged user
    • Test For Insecure Direct Object Reference
      • Test to change the ID parameter
      • Test to add parameters at the endpoints
      • Test for HTTP parameter pollution
      • Test by adding an extension at the end
      • Test with outdated API versions
      • Test by wrapping the ID with an array
      • Test by wrapping the ID with a JSON object
      • Test for JSON parameter pollution
      • Test by changing the case
      • Test for path traversal
      • Test by changing words
      • Test by changing methods

  • SESSION MANAGEMENT TESTING

    • Test For Session Management Schema
      • Ensure all Set-Cookie directives are secure
      • Ensure no cookie operation takes place over an unencrypted channel
      • Ensure the cookie can’t be forced over an unencrypted channel
      • Ensure the HTTPOnly flag is enabled
      • Check if any cookies are persistent
      • Check for session cookies and cookie expiration date/time
      • Check for session fixation
      • Check for concurrent login
      • Check for session after logout
      • Check for session after closing the browser
      • Try decoding cookies (Base64, Hex, URL, etc)
    • Test For Cookie Attributes
      • Ensure the cookie must be set with the secure attribute
      • Ensure the cookie must be set with the path attribute
      • Ensure the cookie must have the HTTPOnly flag
    • Test For Session Fixation
      • Ensure new cookies have been issued upon a successful authentication
      • Test manipulating the cookies
    • Test For Exposed Session Variables
      • Test for encryption
      • Test for GET and POST vulnerabilities
      • Test if GET request incorporating the session ID used
      • Test by interchanging POST with GET method
    • Test For Back Refresh Attack
      • Test after password change
      • Test after logout
    • Test For Cross Site Request Forgery
      • Check if the token is validated on the server-side or not
      • Check if the token is validated for full or partial length
      • Check by comparing the CSRF tokens for multiple dummy accounts
      • Check CSRF by interchanging POST with GET method
      • Check CSRF by removing the CSRF token parameter
      • Check CSRF by removing the CSRF token and using a blank parameter
      • Check CSRF by using unused tokens
      • Check CSRF by replacing the CSRF token with its own values
      • Check CSRF by changing the content type to form-multipart
      • Check CSRF by changing or deleting some characters of the CSRF token
      • Check CSRF by changing the referrer to Referrer
      • Check CSRF by changing the host values
      • Check CSRF alongside clickjacking
    • Test For Logout Functionality
      • Check the log out function on different pages
      • Check for the visibility of the logout button
      • Ensure after logout the session was ended
      • Ensure after logout we can’t able to access the dashboard by pressing the back button
      • Ensure proper session timeout has been set
    • Test For Session Timeout
      • Ensure there is a session timeout exists
      • Ensure after the timeout, all of the tokens are destroyed
    • Test For Session Puzzling
      • Identify all the session variables
      • Try to break the logical flow of the session generation
    • Test For Session Hijacking
      • Test session hijacking on target that doesn’t has HSTS enabled
      • Test by login with the help of captured cookies

  • INPUT VALIDATION TESTING

    • Test For Reflected Cross Site Scripting
      • Ensure these characters are filtered <>’’&””
      • Test with a character escape sequence
      • Test by replacing < and > with HTML entities < and >
      • Test payload with both lower and upper case
      • Test to break firewall regex by new line /r/n
      • Test with double encoding
      • Test with recursive filters
      • Test injecting anchor tags without whitespace
      • Test by replacing whitespace with bullets
      • Test by changing HTTP methods
    • Test For Stored Cross Site Scripting
      • Identify stored input parameters that will reflect on the client-side
      • Look for input parameters on the profile page
      • Look for input parameters on the shopping cart page
      • Look for input parameters on the file upload page
      • Look for input parameters on the settings page
      • Look for input parameters on the forum, comment page
      • Test uploading a file with XSS payload as its file name
      • Test with HTML tags
    • Test For HTTP Parameter Pollution
      • Identify the backend server and parsing method used
      • Try to access the injection point
      • Try to bypass the input filters using HTTP Parameter Pollution
    • Test For SQL Injection
      • Test SQL Injection on authentication forms
      • Test SQL Injection on the search bar
      • Test SQL Injection on editable characteristics
      • Try to find SQL keywords or entry point detections
      • Try to inject SQL queries
      • Use tools like SQLmap or Hackbar
      • Use Google dorks to find the SQL keywords
      • Try GET based SQL Injection
      • Try POST based SQL Injection
      • Try COOKIE based SQL Injection
      • Try HEADER based SQL Injection
      • Try SQL Injection with null bytes before the SQL query
      • Try SQL Injection with URL encoding
      • Try SQL Injection with both lower and upper cases
      • Try SQL Injection with SQL Tamper scripts
      • Try SQL Injection with SQL Time delay payloads
      • Try SQL Injection with SQL Conditional delays
      • Try SQL Injection with Boolean based SQL
      • Try SQL Injection with Time based SQL
    • Test For LDAP Injection
      • Use LDAP search filters
      • Try LDAP Injection for access control bypass
    • Testing For XML Injection
      • Check if the application is using XML for processing
      • Identify the XML Injection point by XML metacharacter
      • Construct XSS payload on top of XML
    • Test For Server Side Includes
      • Use Google dorks to find the SSI
      • Construct RCE on top of SSI
      • Construct other injections on top of SSI
      • Test Injecting SSI on login pages, header fields, referrer, etc
    • Test For XPATH Injection
      • Identify XPATH Injection point
      • Test for XPATH Injection
    • Test For IMAP SMTP Injection
      • Identify IMAP SMTP Injection point
      • Understand the data flow
      • Understand the deployment structure of the system
      • Assess the injection impact
    • Test For Local File Inclusion
      • Look for LFI keywords
      • Try to change the local path
      • Use the LFI payload list
      • Test LFI by adding a null byte at the end
    • Test For Remote File Inclusion
      • Look for RFI keywords
      • Try to change the remote path
      • Use the RFI payload list
    • Test For Command Injection
      • Identify the Injection points
      • Look for Command Injection keywords
      • Test Command Injection using different delimiters
      • Test Command Injection with payload list
      • Test Command Injection with different OS commands
    • Test For Format String Injection
      • Identify the Injection points
      • Use different format parameters as payloads
      • Assess the injection impact
    • Test For Host Header Injection
      • Test for HHI by changing the real Host parameter
      • Test for HHI by adding X-Forwarded Host parameter
      • Test for HHI by swapping the real Host and X-Forwarded Host parameter
      • Test for HHI by adding two Host parameters
      • Test for HHI by adding the target values in front of the original values
      • Test for HHI by adding the target with a slash after the original values
      • Test for HHI with other injections on the Host parameter
      • Test for HHI by password reset poisoning
    • Test For Server Side Request Forgery
      • Look for SSRF keywords
      • Search for SSRF keywords only under the request header and body
      • Identify the Injection points
      • Test if the Injection points are exploitable
      • Assess the injection impact
    • Test For Server Side Template Injection
      • Identify the Template injection vulnerability points
      • Identify the Templating engine
      • Use the tplmap to exploit

  • ERROR HANDLING TESTING

    • Test For Improper Error Handling
      • Identify the error output
      • Analyze the different outputs returned
      • Look for common error handling flaws
      • Test error handling by modifying the URL parameter
      • Test error handling by uploading unrecognized file formats
      • Test error handling by entering unrecognized inputs
      • Test error handling by making all possible errors

  • WEAK CRYPTOGRAPHY TESTING

    • Test For Weak Transport Layer Security
      • Test for DROWN weakness on SSLv2 protocol
      • Test for POODLE weakness on SSLv3 protocol
      • Test for BEAST weakness on TLSv1.0 protocol
      • Test for FREAK weakness on export cipher suites
      • Test for Null ciphers
      • Test for NOMORE weakness on RC4
      • Test for LUCKY 13 weakness on CBC mode ciphers
      • Test for CRIME weakness on TLS compression
      • Test for LOGJAM on DHE keys
      • Ensure the digital certificates should have at least 2048 bits of key length
      • Ensure the digital certificates should have at least SHA-256 signature algorithm
      • Ensure the digital certificates should not use MDF and SHA-1
      • Ensure the validity of the digital certificate
      • Ensure the minimum key length requirements
      • Look for weak cipher suites

  • BUSINESS LOGIC TESTING

    • Test For Business Logic
      • Identify the logic of how the application works
      • Identify the functionality of all the buttons
      • Test by changing the numerical values into high or negative values
      • Test by changing the quantity
      • Test by modifying the payments
      • Test for parameter tampering
    • Test For Malicious File Upload
      • Test malicious file upload by uploading malicious files
      • Test malicious file upload by putting your IP address on the file name
      • Test malicious file upload by right to left override
      • Test malicious file upload by encoded file name
      • Test malicious file upload by XSS payload on the file name
      • Test malicious file upload by RCE payload on the file name
      • Test malicious file upload by LFI payload on the file name
      • Test malicious file upload by RFI payload on the file name
      • Test malicious file upload by SQL payload on the file name
      • Test malicious file upload by other injections on the file name
      • Test malicious file upload by Inserting the payload inside of an image by the bmp.pl tool
      • Test malicious file upload by uploading large files (leads to DOS)

  • CLIENT SIDE TESTING

    • Test For DOM Based Cross Site Scripting
      • Try to identify DOM sinks
      • Build payloads to that DOM sink type
    • Test For URL Redirect
      • Look for URL redirect parameters
      • Test for URL redirection on domain parameters
      • Test for URL redirection by using a payload list
      • Test for URL redirection by using a whitelisted word at the end
      • Test for URL redirection by creating a new subdomain with the same as the target
      • Test for URL redirection by XSS
      • Test for URL redirection by profile URL flaw
    • Test For Cross Origin Resource Sharing
      • Look for “Access-Control-Allow-Origin” on the response
      • Use the CORS HTML exploit code for further exploitation
    • Test For Clickjacking
      • Ensure “X-Frame-Options” headers are enabled
      • Exploit with iframe HTML code for POC

  • OTHER COMMON ISSUES

    • Test For No-Rate Limiting
      • Ensure rate limiting is enabled
      • Try to bypass rate limiting by changing the case of the endpoints
      • Try to bypass rate limiting by adding / at the end of the URL
      • Try to bypass rate limiting by adding HTTP headers
      • Try to bypass rate limiting by adding HTTP headers twice
      • Try to bypass rate limiting by adding Origin headers
      • Try to bypass rate limiting by IP rotation
      • Try to bypass rate limiting by using null bytes at the end
      • Try to bypass rate limiting by using race conditions
    • Test For Weak 2FA
      • Try to bypass 2FA by using poor session management
      • Try to bypass 2FA via the OAuth mechanism
      • Try to bypass 2FA via brute-forcing
      • Try to bypass 2FA via response manipulation
      • Try to bypass 2FA by using activation links to login
      • Try to bypass 2FA by using status code manipulation
      • Try to bypass 2FA by changing the email or password
      • Try to bypass 2FA by using a null or empty entry
      • Try to bypass 2FA by changing the boolean into false
      • Try to bypass 2FA by removing the 2FA parameter on the request
    • Test For Weak OTP Implementation
      • Try to bypass OTP by entering the old OTP
      • Try to bypass OTP by brute-forcing
      • Try to bypass OTP by using a null or empty entry
      • Try to bypass OTP by response manipulation
      • Try to bypass OTP by status code manipulation
    • Test For EXIF Geodata
      • Ensure the website is striping the geodata
      • Test with EXIF checker
    • Test For Broken Link Hijack
      • Ensure there is no broken links are there
      • Test broken links by using the blc tool
    • Test For SPF
      • Ensure the website is having SPF record
      • Test SPF by nslookup command



CONNECT WITH ME :

Twitter LinkedIn GitHub Snapchat Instagram HackerOne

SUPPORT :

Buy Me a Coffee