Web Application Security Checklist for Penetration Testers#

As a penetration tester, having a systematic approach to web application security testing is crucial. This checklist covers the essential areas to examine during a web application security assessment.

Pre-Assessment Phase#

Information Gathering#

  • Identify all subdomains and virtual hosts
  • Map the application architecture
  • Identify technologies used (frameworks, servers, databases)
  • Gather information from public sources (Google dorking, Shodan)
  • Review source code if available

Scope Definition#

  • Confirm testing boundaries
  • Identify critical business functions
  • Understand user roles and access levels
  • Document testing methodology and timeline

Authentication & Session Management#

Authentication Testing#

  • Test for default credentials
  • Verify password policy enforcement
  • Test account lockout mechanisms
  • Check for username enumeration
  • Test multi-factor authentication bypass
  • Verify secure password recovery process

Session Management#

  • Analyze session token generation
  • Test session fixation vulnerabilities
  • Verify session timeout implementation
  • Check for concurrent session handling
  • Test session token transmission security

Input Validation & Injection Attacks#

SQL Injection#

  • Test all input parameters for SQL injection
  • Check for blind SQL injection
  • Test stored procedures for injection
  • Verify parameterized queries usage
  • Test NoSQL injection if applicable

Cross-Site Scripting (XSS)#

  • Test for reflected XSS in all parameters
  • Check for stored XSS in user inputs
  • Test DOM-based XSS vulnerabilities
  • Verify Content Security Policy implementation
  • Test XSS filter bypass techniques

Other Injection Types#

  • Command injection testing
  • LDAP injection assessment
  • XML injection (XXE) testing
  • Template injection vulnerabilities
  • Server-Side Request Forgery (SSRF)

Authorization & Access Control#

Vertical Privilege Escalation#

  • Test access to administrative functions
  • Verify role-based access controls
  • Check for direct object references
  • Test API endpoint authorization

Horizontal Privilege Escalation#

  • Test access to other users’ data
  • Verify user isolation
  • Check for insecure direct object references
  • Test parameter manipulation

Business Logic Flaws#

Workflow Testing#

  • Test business process bypass
  • Verify transaction integrity
  • Check for race conditions
  • Test time-based attacks
  • Verify input validation in business context

Data Validation#

  • Test negative values and edge cases
  • Verify data type validation
  • Check for business rule enforcement
  • Test concurrent operations

File Upload & Management#

Upload Security#

  • Test file type validation
  • Check file size restrictions
  • Verify malicious file detection
  • Test path traversal in uploads
  • Check for executable file upload

File Access#

  • Test directory traversal vulnerabilities
  • Verify access controls on uploaded files
  • Check for information disclosure
  • Test file inclusion vulnerabilities

Configuration & Deployment#

Server Configuration#

  • Check for default pages and files
  • Test HTTP methods allowed
  • Verify security headers implementation
  • Check for information disclosure in errors
  • Test SSL/TLS configuration

Application Configuration#

  • Review debug information exposure
  • Check for backup files
  • Test administrative interfaces
  • Verify logging and monitoring

Client-Side Security#

Browser Security#

  • Test for clickjacking vulnerabilities
  • Verify CSRF protection mechanisms
  • Check for sensitive data in client-side code
  • Test HTML5 security features
  • Verify secure cookie attributes

API Security (if applicable)#

REST API Testing#

  • Test API authentication mechanisms
  • Verify rate limiting implementation
  • Check for mass assignment vulnerabilities
  • Test API versioning security
  • Verify input validation in API endpoints

Reporting Phase#

Documentation#

  • Document all vulnerabilities found
  • Provide clear reproduction steps
  • Assess business impact and risk
  • Recommend specific remediation steps
  • Include proof-of-concept code where appropriate

Risk Assessment#

  • Categorize vulnerabilities by severity
  • Consider business context in risk rating
  • Prioritize remediation efforts
  • Provide timeline for fixes

Tools Recommendation#

Essential Tools#

  • Burp Suite Professional: Comprehensive web application testing
  • OWASP ZAP: Free alternative to Burp Suite
  • Nmap: Network discovery and port scanning
  • Gobuster/Dirb: Directory and file enumeration
  • SQLMap: Automated SQL injection testing

Specialized Tools#

  • Nikto: Web server scanner
  • Wfuzz: Web application fuzzer
  • XSSer: Cross-site scripting detection
  • Commix: Command injection testing
  • SSLyze: SSL/TLS configuration analysis

Conclusion#

This checklist provides a comprehensive framework for web application security testing. Remember that each application is unique, and this checklist should be adapted based on the specific technologies and business logic involved.

Regular updates to your testing methodology and staying current with the latest attack vectors are essential for effective penetration testing.

Always ensure you have proper authorization before conducting any security testing.