Web Application Penetration Checklist

Dhanesh Dodia - HeyDanny
5 min readMar 29


Testing Methodology or Approach


This checklist is a high level checklist that contains a high level guide what approach we shall follow while testing a web application. This checklist is a generic checklist and does not totally cover all test cases that might apply on web apps.

Fingerprinting Application:

· Identify known vulnerabilities in web/app servers.

· Generate Site Structure.

· Identify underlying web technology.

· Uncover HTTP services running on ports other than ports 80 and 443.

· Brute fore subdomains with online tools and GitHub scripts.

· Identify firewall

· Find sensitive keywords in HTML sources such as admin, HTTP, todo, redir, etc.

· Perform JavaScript recon (analyze JS)

Network Testing:

· Test for Ping (ICMP echo packets).

· Test for zone transfer.

· Find all services running using NMAP.

· Perform Nessus scan.

· Test all common UDP ports and related issues.

Session Management Testing:

· Identify actual session cookies out of bulk cookies.

· Decode cookies using standard algorithms such as base64, hex, etc.

· Modify 1 character in cookie token and resubmit, check whether the session still exists.

· Token leakage via referrer header — Untrusted 3rd party.

· Check session cookie expiration time.

· Identify cookie domain scope.

· Check flags HTTP Only, Secure flag, and same site.

· Check before and after session cookie values.

· Reply to the session cookie from a different public IP address and check if the app maintains.

· Check concurrent login through different IPs.

· Check if any user pertaining information is stored in cookie value or not.

Registration Feature Testing:

· Check for duplicate registration with the same email id for account takeover.

· Check for a weak password policy.

· Check for a stored username as a part of the welcome message post-authentication and tr.

· Check for the insufficient email verification process.

· Weak registration implementation — Allows disposable email addresses.

Login Feature Testing:

· Check username enumeration.

· Bypass login panel with common login SQL injection payloads using Burpsuite intruder.

· Try accessing resources without authentication.

· Check if user creds are sent over HTTP.

· Check if user creds can forcefully be submitted over HTTP while HTTPS both.

· Check account lockout threshold value.

· Create a custom password wordlist and try brute force.

· Test 0auth functionality.

· Test 0auth functionality for open redirect.

Error Codes Testing:

· Try accessing custom pages after the root directory such as ‘yourname.php’, ‘your name.php’

· Add multiple parameters in the same post get requests using different values and generate.

· Add [],]], and [[ in cookie values and parameter value to create errors.

· Try to generate an unusual error code by giving input as /-yourname/%s at the end of word.

· Use the fuzzing technique to create errors and determine any information leakage.

Post Login My Account Testing:

· Try CSRF on various features that are pertaining to a single user account.

· Post login change email id and update with any existing email id. Check if it’s getting.

· Test for file upload. Test no AV detection, No size limit, Extension Bypass.

· Open the profile picture in the new tab and check the URL. Find email is/user id info. EXIF

· Check the account deletion option if the application provides it and confirm that via forgot password.

· Change email id, account id, and user id parameter and try to brute-force other users’ ID.

· Check whether the application re-authenticates for performing a sensitive operation for PO (Purchase Order).

Forget Password Testing:

· Failure to invalidate session on logout and password reset.

· Check if forget the password reset link/code uniqueness.

· Check if the reset link does get expire or not if it’s not used by the user for a certain amount.

· Find user account identification parameter and tamper id or parameter value or change.

· Check for a weak password policy.

· Weak password reset implementation Token is not invalidated after use.

· If the reset link has another parameter such as date and time, then change date and time.

· Check if security questions are asked? Lockout — How many guesses are allowed?

· Add only spaces in a new password and confirmed password. Then hit Enter and see.

· Does it display the old password on the same page after completion of forgetting the password.

· Ask for two passwords reset links and use the older ones from the user’s email.

· Check if the active session gets destroyed upon changing the password or not?

· Weak password reset implementation Password reset token sent over HTTP.

· Send continuous forget password requests so that it may send sequential tokens.

Contact Us Form Testing:

· Is CAPTCHA implemented on the contact us form in order to restrict email flooding attacks.

· Does it allow uploading files on the server?

Product Purchase Testing:

· Buy now — Tamper product ID to purchase other high valued products at a low price.

· Buy now — Tamper product data in order to increase the number of products with a small value.

· Gift/Voucher — Tamper gift/voucher count in the request (ifto increase/decrease.

· Gift/Voucher — Tamper gift/voucher value to increase/decrease the value of the voucher.

· Gift/Voucher — Reuse gift/voucher by using old gift values in parameter tampering.

· Gift/Voucher — Check the uniqueness of the gift/voucher parameter and try guessing other voucher values.

· Gift/Voucher — Use parameter pollution technique to add some vouchers twice by adding 2 times in parameter.

Flight/Hotel/Railway Booking Testing:

· Booking details — View and Manage other users’ booking details.

· Booking details — Check reservation status for other users/on behalf of other users.

· Ticket/Vouchers — View other users’ vouchers/e-tickets from the PRINT option.

· Ticket/Vouchers — Check if sensitive data is passed in the GET request.

· Ticket/Voucher — If an e-ticket/voucher is sent by email then check for email flooding.

· Refund — View other users’ refund status if refund tracking is allowed then gain other users’ refund tracking status.

· Cancellation — Gain higher cancellation amount with parameter modifying for amount.

· Booking — Do 1st person booking and add 5 more other persons in the same prize.

· Booking — Hotel — Book normal room — Select Delux room in the same prize.

Cross-Site Scripting Testing:

· Test what’s being sanitized and what’s not.

· Try XSS using XSS strike tool by Somdev Sangwan.

· Upload file using “><img src=x onerror=alert(document.domain)>.txt.

· Try all variations of IMG SRC onerror payloads.

· If script tags are banned, use <h1> and other HTML tags.

· If the output is reflected back inside the javascript as a value of any variable just use alert.

· If “ are filtered then use this payload /><img src=d onerror=confirm(/site/);>

· Upload a javascript using Image file — Use gifsicle tool.

· Unusual way to execute your JS payload is to change method from POST to GET.

· Tag attribute value 1. Input landed — <input type=”text” name=”state” value=”INPUT

· Syntax Encoding payload %3cscript%3ealert(document.cookie)%3c/script%3e.

· ASP.NET IE9 Filter evasion — HTML entities — <%tag style=”test:expression(alert(‘

· ASP.NET IE9 Filter Evasion — HTML entities — <&tag style=’test:expression(alert(123))

· Try base64 payload.

· If the logout button just performs the redirection, then use old classic XSS payload.

· Try Polyglot payload.