Martian Defense NoteBook
WEB APP PENTESTING CHECKLIST


Last updated 5 months ago

This OWASP-based checklist was developed to include additional useful details and techniques for modern application assessments (always in progress).

Excel Version (in-depth) of Checklist is also available for download here:

WSTG Checklist.xlsx (154KB)

https://github.com/CristiVlad25/misc/tree/master

Scope configuration:

Nongreedy match: .*?website.com$

INFORMATION GATHERING

Open Source Reconnaissance - WSTG-INFO-01 (GHDB, Infohunter)
Fingerprinting Web Server - WSTG-INFO-02
Looking For Metafiles - WSTG-INFO-03
Enumerating Web Server’s Applications - WSTG-INFO-04
Review The Web Contents - WSTG-INFO-05
Identifying Application’s Entry Points - WSTG-INFO-06
Mapping Execution Paths - WSTG-INFO-07
Fingerprint Web Application Framework - WSTG-INFO-08, WSTG-INFO-09 (Merged)
Map Application Architecture - WSTG-INFO-10

CONFIGURATION & DEPLOYMENT MANAGEMENT TESTING

Test Network Configuration - WSTG-CONF-01
Test Application Configuration - WSTG-CONF-02
Test File Extension Handling - WSTG-CONF-03
Review Backup & Unreferenced Files - WSTG-CONF-04
Enumerate Infrastructure & Admin Interfaces - WSTG-CONF-05
Testing HTTP Methods - WSTG-CONF-06
Test HSTS - WSTG-CONF-07
Test RIA Cross Domain Policy - WSTG-CONF-08
Test File Permission - WSTG-CONF-09
Test For Subdomain Takeover - WSTG-CONF-10
Test Cloud Storage - WSTG-CONF-11
Testing for Content Security Policy - WSTG-CONF-12
Test Path Confusion - WSTG-CONF-13

IDENTITY MANAGEMENT TESTING

Test Role Definitions - WSTG-IDNT-01
Test User Registration Process - WSTG-IDNT-02
Test Account Provisioning Process - WSTG-IDNT-03
Testing For Account Enumeration - WSTG-IDNT-04
Test For Weak Username Policy - WSTG-IDNT-05

AUTHENTICATION TESTING

Test For Un-Encrypted Channel - WSTG-ATHN-01
Test For Default Credentials - WSTG-ATHN-02
Test For Weak Lockout Mechanism - WSTG-ATHN-03
Test For Bypassing Authentication Schema - WSTG-ATHN-04
Test For Vulnerable Remember Password - WSTG-ATHN-05
Test For Browser Cache Weakness - WSTG-ATHN-06
Test For Weak Password Policy - WSTG-ATHN-07
Testing For Weak Security Questions - WSTG-ATHN-08
Test For Weak Password Reset Function - WSTG-ATHN-09
Test For Weak Password Change Function - WSTG-ATHN-09
Test For Weak Authentication In Alternative Channel - WSTG-ATHN-10

AUTHORIZATION TESTING

Testing Directory Traversal File Include - WSTG-ATHZ-01
  Testing Traversal With Encoding
  Testing Traversal With Different OS Schemes
  Test Other Encoding Techniques
Test Authorization Schema Bypass - WSTG-ATHZ-02
Test For Privilege Escalation - WSTG-ATHZ-03
  Download Standalone Jython Jar file from https://www.jython.org/ and store
Test For Insecure Direct Object Reference - WSTG-ATHZ-04
Testing for OAuth Weaknesses - WSTG-ATHZ-05

SESSION MANAGEMENT TESTING

Test For Session Management Schema - WSTG-SESS-01
Test For Cookie Attributes - WSTG-SESS-02
Test For Session Fixation - WSTG-SESS-03
Test For Exposed Session Variables - WSTG-SESS-04
Test For Cross Site Request Forgery - WSTG-SESS-05
Test For Weak Logout Functionality - WSTG-SESS-06
Test For Session Timeout - WSTG-SESS-07
Test For Session Puzzling - WSTG-SESS-08
Test For Session Hijacking - WSTG-SESS-09
Testing JSON Web Tokens - WSTG-SESS-10
Test For Back Refresh Attack

INPUT VALIDATION TESTING

Test For Reflected Cross Site Scripting - WSTG-INPV-01
Test For Stored Cross Site Scripting - WSTG-INPV-02
Test For HTTP Parameter Pollution - WSTG-INPV-04
Test For SQL Injection - WSTG-INPV-05
Test For LDAP Injection - WSTG-INPV-06
Testing For XML Injection - WSTG-INPV-07
Test For Server Side Includes - WSTG-INPV-08
Test For XPATH Injection - WSTG-INPV-09
Test For IMAP SMTP Injection - WSTG-INPV-10
Test For Code Injection - WSTG-INPV-11
  Test For Local File Inclusion
  Test For Remote File Inclusion
Test for Command Injection - WSTG-INPV-12
Test For Format String Injection - WSTG-INPV-13
Testing for Incubated Vulnerability - WSTG-INPV-14
Testing for HTTP Splitting Smuggling - WSTG-INPV-15
Testing for HTTP Incoming Requests - WSTG-INPV-16
Test For Host Header Injection - WSTG-INPV-17
Test For Server Side Template Injection - WSTG-INPV-18
Test For Server Side Request Forgery - WSTG-INPV-19
  Use an online IP encoder to test using the various ways that IPv4 can be encoded
Testing for Mass Assignment - WSTG-INPV-20

ERROR HANDLING TESTING

Test For Improper Error Handling - WSTG-ERRH-01

WEAK CRYPTOGRAPHY TESTING

Test For Weak Transport Layer Security - WSTG-CRYP-01
Testing for Padding Oracle - WSTG-CRYP-02
Testing for Sensitive Information Sent via Unencrypted Channels - WSTG-CRYP-03
Testing for Weak Encryption - WSTG-CRYP-04

BUSINESS LOGIC TESTING

Test Business Logic Data Validation - WSTG-BUSL-01
Test Ability to Forge Requests - WSTG-BUSL-02
Test Integrity Checks - WSTG-BUSL-03
Test for Process Timing - WSTG-BUSL-04
Test Number of Times a Function Can Be Used Limits - WSTG-BUSL-05
Testing for the Circumvention of Work Flows - WSTG-BUSL-06
  • Start a transaction and proceed past points that trigger credits or points to a user's account. Then cancel or alter the transaction to test whether the points or credits are correctly adjusted.
  • On content management or bulletin board systems, enter valid initial text or values, then attempt to append, edit, or remove data so as to leave it in an invalid state, verifying that the system prevents saving incorrect information.
Test Defenses Against Application Misuse - WSTG-BUSL-07
Test Upload of Unexpected File Types - WSTG-BUSL-08
Test For Malicious File Upload - WSTG-BUSL-09
Test Payment Functionality - WSTG-BUSL-10

CLIENT SIDE TESTING

Test For DOM Based Cross Site Scripting - WSTG-CLNT-01
  Note the limitations of automated testing in detecting DOM-based XSS; manual testing is needed. This includes examining areas where parameters are referred to that could be exploited by an attacker, where code is dynamically written to the page, or where the DOM is modified or scripts are directly executed.
Testing for JavaScript Execution - WSTG-CLNT-02
Testing for HTML Injection - WSTG-CLNT-03
Test For URL Redirect - WSTG-CLNT-04
Testing for CSS Injection - WSTG-CLNT-05
Testing for Client-side Resource Manipulation - WSTG-CLNT-06
Test For Cross Origin Resource Sharing - WSTG-CLNT-07
Testing for Cross Site Flashing - WSTG-CLNT-08
Test For Clickjacking - WSTG-CLNT-09
  If using Burp Suite, consider using ClickBandit: https://portswigger.net/burp/documentation/desktop/tools/clickbandit
Testing WebSockets - WSTG-CLNT-10
Testing Web Messaging - WSTG-CLNT-11
Testing Browser Storage - WSTG-CLNT-12
Testing for Cross-Site Script Inclusion (XSSI) - WSTG-CLNT-13

OTHER COMMON ISSUES

Test For No-Rate Limiting
Test For EXIF Geodata
Test For Broken Link Hijack
Test For SPF
Test For Weak 2FA
Test For Weak OTP Implementation
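For the DOM-based XSS note under Client Side Testing, here is an added example (not from this checklist, the WSTG, or any tool) of a small source-to-sink review aid in JavaScript that flags lines where URL, referrer, window.name or storage data reaches an HTML, script or location sink, directly or through a variable. The sample page script, and the source and sink lists, are constructed for illustration and are deliberately incomplete; each hit is a lead for manual review, not a confirmed finding.

```javascript
// Added example: a review aid for manual DOM-XSS inspection. It flags lines of
// client-side JavaScript where an attacker-controlled source reaches a dangerous
// sink, directly or via a variable assigned from one. Lists are intentionally short.
const SOURCES = [
  /\blocation\.(hash|search|href)\b/, /\bdocument\.(URL|referrer|cookie)\b/,
  /\bwindow\.name\b/, /\b(local|session)Storage\.getItem\(/,
];
const SINKS = [
  { name: "innerHTML", re: /\.(inner|outer)HTML\s*=(?!=)/ },
  { name: "document.write", re: /\bdocument\.write(ln)?\s*\(/ },
  { name: "insertAdjacentHTML", re: /\.insertAdjacentHTML\s*\(/ },
  { name: "eval", re: /\b(eval|setTimeout|setInterval|Function)\s*\(/ },
  { name: "location", re: /\blocation(\.href)?\s*=(?!=)/ },
];
const usesWord = (text, word) => new RegExp("\\b" + word + "\\b").test(text);

function reviewDomSinks(source) {
  const tainted = new Set();   // variable names that carry source-derived data
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    const direct = SOURCES.some((re) => re.test(line));
    const viaVar = [...tainted].find((v) => usesWord(line, v));
    // Track `const x = <source or tainted var>` so later sink uses of x are caught.
    const decl = line.match(/\b(?:var|let|const)\s+(\w+)\s*=\s*(.+)/);
    if (decl && (direct || [...tainted].some((v) => usesWord(decl[2], v)))) {
      tainted.add(decl[1]);
    }
    for (const sink of SINKS) {
      if (sink.re.test(line) && (direct || viaVar)) {
        findings.push({ line: idx + 1, sink: sink.name, via: viaVar || "direct" });
      }
    }
  });
  return findings;
}

// Constructed sample page script (not taken from any real application).
const SAMPLE = `
const params = new URLSearchParams(location.search);
const name = params.get("name");
document.getElementById("greet").innerHTML = "Hello " + name;  // HTML sink
document.getElementById("safe").textContent = "Hello " + name; // safe: not flagged
const next = params.get("next");
if (next) location.href = next;                                // redirect sink
document.title = location.hash;                                // no sink here
`.trim();

console.log(reviewDomSinks(SAMPLE)); // lines 3 (innerHTML via name) and 6 (location via next)
```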