Web Pentesting Checklist

Jan 12, 2021 2 min read


For web pentesting there is a lot to test. Below is the list of checks I never skip. The goal? A reverse shell!

Note: This checklist was created with the help of the OWASP Testing Guide and other resources found on the Internet.

Recon/Enumeration

  • Discover information using Google, Bing, Shodan, GitHub, Twitter, and LinkedIn
  • Check whether robots.txt, crossdomain.xml, clientaccesspolicy.xml, phpinfo.php and sitemap.xml exist
  • Identify the Web Application Firewall
  • Brute-force subdomains
  • Reverse DNS lookup
  • Brute-force files and directories
  • Analyze the SSL/TLS configuration
  • Crawl the entire site
  • Find emails, employee names, phone numbers, etc.
  • Wayback Machine history
  • Nmap scan of all ports (including UDP) with banner grabbing
  • Identify input points
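Two of the files above deserve more than an existence check, so here is an added example (my code, not part of the original checklist) that parses them: robots.txt gives you the paths the owner did not want indexed, which are the first entries on the directory brute-force list, and crossdomain.xml tells you whether any origin is allowed to read responses with the victim's cookies. The two sample files and the host example.com are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed sample files for a hypothetical target; not fetched from any real host.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql
Disallow: /api/v1/internal
Allow: /public/
Sitemap: https://example.com/sitemap.xml
"""

CROSSDOMAIN_XML = """\
<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.example.com" secure="false" />
</cross-domain-policy>
"""


def robots_paths(text):
    """Pull Disallow/Allow paths and Sitemap URLs out of robots.txt.
    The disallowed paths are the interesting ones: they are exactly what the
    owner did not want indexed, so they go first on the brute-force list."""
    paths, sitemaps = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)(disallow|allow|sitemap)\s*:\s*(\S+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "sitemap":
            sitemaps.append(value)
        elif value != "/":                             # "Disallow: /" says nothing useful
            paths.append(value)
    return paths, sitemaps


def crossdomain_findings(text):
    """Flag over-permissive entries in a Flash/Silverlight crossdomain.xml."""
    findings = []
    for node in ET.fromstring(text).iter("allow-access-from"):
        domain = node.get("domain", "")
        if domain == "*":
            findings.append("wildcard domain='*': any site can read responses with the victim's cookies")
        elif domain.startswith("*."):
            findings.append(f"subdomain wildcard {domain}: one weak subdomain exposes the whole origin")
        if node.get("secure", "true").lower() == "false":
            findings.append(f"secure='false' on {domain}: policy is also honoured over plain HTTP")
    return findings


def bruteforce_seeds(base_url, text):
    """Turn robots.txt paths into absolute URLs to feed the directory brute-forcer."""
    paths, _ = robots_paths(text)
    return [urljoin(base_url, p) for p in paths]


if __name__ == "__main__":
    for url in bruteforce_seeds("https://example.com/", ROBOTS_TXT):
        print("seed:", url)
    for finding in crossdomain_findings(CROSSDOMAIN_XML):
        print("crossdomain.xml:", finding)
```

The same idea applies to clientaccesspolicy.xml (Silverlight), which uses `<domain uri="*"/>` instead of `allow-access-from`.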

Error Handling

  • Request pages that do not exist
  • Try different HTTP methods such as TRACE, OPTIONS and DEBUG, plus an invalid one such as NONE
  • Send the same parameter several times with different values (e.g. test1=1&test1=2) to test for HTTP parameter pollution
  • Add [], [[ and ]] to parameters (e.g. ?id[]=hello, ?id=[hello])
  • Fuzz header values and parameters with Burp Suite Intruder
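The checks above are really one procedure: build a set of odd requests, send them, and diff each response against a normal one. As an added example (not code from the original post), this builds the probe list for a URL and classifies a response against the baseline; the target URL and the two responses are constructed, and sending the requests is left to whatever HTTP client you use.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def request_variants(url):
    """Build the probe requests as (label, method, url): a non-existent page,
    unusual and invalid methods, duplicated parameters and array-style parameters."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)

    def with_query(pairs):
        return urlunsplit(parts._replace(query=urlencode(pairs)))

    fake = parts.path.rsplit("/", 1)[0] + "/doesnotexist.aspx"   # wrong extension as well, to reach the error handler
    variants = [("fake page", "GET", urlunsplit(parts._replace(path=fake, query="")))]
    for method in ("OPTIONS", "TRACE", "DEBUG", "NONE"):          # NONE is not a real method: exercises the unknown-method path
        variants.append((f"method {method}", method, url))
    for name, value in params:
        # HTTP parameter pollution: which copy the backend uses (first, last, both) depends on the framework
        variants.append((f"duplicate {name}", "GET", with_query(params + [(name, value + "2")])))
        # array-style names reach many backends as a list instead of a string and often crash the handler
        variants.append((f"array {name}[]", "GET", with_query([(f"{n}[]" if n == name else n, v) for n, v in params])))
        variants.append((f"bracketed {name}", "GET", with_query([(n, f"[{v}]" if n == name else v) for n, v in params])))
    return variants


# Patterns seen in verbose error pages; each one leaks stack, path or database details.
ERROR_PATTERNS = [
    r"Traceback \(most recent call last\)",
    r"<b>(Warning|Fatal error)</b>:.*on line \d+",
    r"SQLSTATE\[\w+\]",
    r"ORA-\d{5}",
    r"\bat [\w.$]+\(\w+\.java:\d+\)",
    r"Microsoft OLE DB Provider",
]


def classify(baseline, probe):
    """Compare a probe response ({'status', 'body'}) with the baseline.
    Returns the anomalies worth a closer look; an empty list means nothing stood out."""
    notes = []
    if probe["status"] != baseline["status"]:
        notes.append(f"status {baseline['status']} -> {probe['status']}")
    for pattern in ERROR_PATTERNS:
        if re.search(pattern, probe["body"]):
            notes.append("verbose error matching " + pattern)
            break
    if abs(len(probe["body"]) - len(baseline["body"])) > 0.2 * max(len(baseline["body"]), 1):
        notes.append("response size changed by more than 20%")
    return notes


# Constructed responses standing in for what the client would receive.
BASELINE = {"status": 200, "body": "<html><body><h1>Product 1</h1><p>In stock</p></body></html>"}
PROBE = {"status": 500, "body": "<b>Warning</b>:  mysqli_real_escape_string() expects parameter 2 to be string, "
                                "array given in /var/www/html/product.php on line 42"}

if __name__ == "__main__":
    for label, method, target in request_variants("https://example.com/product.php?id=1"):
        print(f"{label:16} {method:8} {target}")
    print(classify(BASELINE, PROBE))
```

The PROBE response is what the `?id[]=1` variant typically provokes on a PHP backend that expected a string; the leaked path and function name are what you are after.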

Preparation

  • Study site structure
  • List all possible test URLs

User Management

During Registration

  • Check for duplicate registration
  • Test username uniqueness
  • Weak password policy
  • Email verification process
  • Check whether disposable email addresses are accepted for registration
  • Enter unusual characters such as ' or * in registration fields, and all spaces as the password

After Registration

  • Brute-force files and folders again while logged in
  • Find parameters and tamper with them to get other users' information
  • Analyze the email/password change and password reset confirmation links
  • Attempt to change another user's password or email
  • Check file upload and other input validation vulnerabilities
  • Check the metadata of downloadable files
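When analyzing a password reset link, the question is whether the token could be guessed or built for another user. Here is an added example (my code, not part of the original checklist) of the checks I run on captured tokens: does it decode to something containing the user id, username or a timestamp, is it too short, and does a series of tokens from consecutive requests share a prefix. The tokens, the victim details and the host are all constructed for the demonstration.

```python
import base64
import binascii
import re
from os.path import commonprefix


def decode_layers(token):
    """Try the encodings a reset token commonly hides behind; keep decodes that are printable text."""
    decoders = (
        ("hex", bytes.fromhex),
        ("base64", lambda t: base64.urlsafe_b64decode(t + "=" * (-len(t) % 4))),
    )
    found = []
    for name, decode in decoders:
        try:
            raw = decode(token)
        except (ValueError, binascii.Error):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found.append((name, raw.decode("ascii")))
    return found


def analyse_token(token, known):
    """`known` holds what an attacker already knows about the victim (user id, username, email).
    Returns the weaknesses found; an empty list means nothing obvious."""
    issues = []
    if len(token) < 16:
        issues.append("short token: small enough to brute-force")
    for enc, plain in decode_layers(token):
        for k in known:
            if k in plain:
                issues.append(f"{enc}-decodes to {plain!r}, which contains the known value {k!r}")
        if re.search(r"\b1[5-7]\d{8}\b", plain):          # 10-digit Unix timestamp, roughly 2017..2025
            issues.append(f"{enc}-decodes to {plain!r}, which embeds a Unix timestamp")
    return issues


def series_issues(tokens):
    """Tokens captured from several consecutive reset requests for the same account:
    a long shared prefix points to a counter or clock rather than a CSPRNG."""
    prefix = commonprefix(tokens)
    if len(prefix) >= len(tokens[0]) // 2:
        return [f"tokens share the prefix {prefix!r}: likely counter or time based"]
    return []


# Constructed test data: a weak token built from user id and time, a strong-looking hex token,
# and a series that increments.
KNOWN = ["user42", "alice@example.com"]
WEAK = base64.urlsafe_b64encode(b"user42:1610409600").decode().rstrip("=")
STRONG = "9f86d081884c7d659a2feaa0c55ad015"
SERIES = ["7c2e1b9a000184", "7c2e1b9a000185", "7c2e1b9a000186"]

if __name__ == "__main__":
    for name, token in (("weak", WEAK), ("strong", STRONG)):
        print(name, token, analyse_token(token, KNOWN))
    print(series_issues(SERIES))
```

If the token survives these checks, the remaining questions are procedural: does it expire, is it invalidated after one use, and does the reset form accept a different user id alongside a valid token.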

Authentication

  • Username enumeration
  • Lockout policy
  • Default passwords
  • Password brute forcing
  • Test "Remember me"
  • OAuth
  • 2FA testing
  • Browser cache weaknesses (e.g. Pragma, Expires, max-age)
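The browser cache check is easy to get wrong by eye, because `no-cache` and `private` look safe but do not stop the browser from writing the page to disk. As an added example (not the original post's code), this function evaluates the response headers of a page that shows sensitive data and lists every cache weakness; the two header sets are constructed, one weak and one hardened.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def cache_weaknesses(headers, now=None):
    """Inspect the response headers of a page that shows sensitive data (account page,
    password-change form). Returns a list of weaknesses; empty means the page is not cacheable."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = [d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()]
    findings = []

    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: no-cache/private alone still let the browser keep a disk copy")
    if "public" in cc:
        findings.append("Cache-Control: public lets shared proxies keep the response")
    for directive in cc:
        if directive.startswith(("max-age=", "s-maxage=")):
            try:
                seconds = int(directive.split("=", 1)[1])
            except ValueError:
                seconds = 0
            if seconds > 0:
                findings.append(f"{directive} allows reuse for {seconds}s")
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches ignore Cache-Control)")

    expires = h.get("expires")
    if expires is None:
        findings.append("Expires header missing")
    else:
        try:
            exp = parsedate_to_datetime(expires)   # '0', '-1' and garbage mean 'already stale', which is fine
        except (TypeError, ValueError):
            exp = None
        if exp is not None:
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp > now:
                findings.append(f"Expires is in the future ({expires})")
    return findings


# Constructed header sets: what a weak account page sends, and the hardened equivalent.
WEAK = {"Cache-Control": "private, max-age=600", "Expires": "Wed, 21 Oct 2037 07:28:00 GMT", "Content-Type": "text/html"}
HARDENED = {"Cache-Control": "no-store, no-cache, must-revalidate", "Pragma": "no-cache", "Expires": "0"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, cache_weaknesses(hdrs) or ["ok"])
```

Confirm a finding the practical way too: log in, open the sensitive page, log out, then press Back; if the page renders without a request to the server, the cache kept it.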

Input Validation

  • XSS (Reflected/DOM/Stored)
  • SQL Injection
  • HTTP Header Injection (e.g. X-Forwarded-Host)
  • Arbitrary Redirection (open redirect)
  • Command Injection
  • Code Injection
  • LFI/RFI
  • Path Traversal
  • SOAP Injection
  • LDAP Injection
  • XPath Injection
  • XXE
  • Insecure Deserialization
  • Insecure File Upload
  • Clickjacking
  • Cross-Site Script Inclusion (XSSI)
  • HTML Injection
  • CSS Injection
  • JavaScript Execution
  • Server-Side Template Injection
  • Browser Storage (sensitive data in localStorage, sessionStorage or IndexedDB)
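For reflected XSS, the first thing I want from a probe is not "did alert fire" but where the input lands and which special characters survive, because that decides the payload shape. As an added example (my code, not from the original checklist), this locates every reflection of a canary in a response body, names its HTML context and reports which of `<>"'` came back unencoded; the canary `zq9kx` and the response body are constructed.

```python
import re

CANARY = "zq9kx"          # assumed unique marker; the probe value sent is CANARY followed by <>"'
SPECIALS = '<>"\''
ENCODED = {"<": ("&lt;",), ">": ("&gt;",), '"': ("&quot;", "&#34;", "&#x22;"), "'": ("&#39;", "&#x27;", "&apos;")}


def _survivors(after):
    """Walk the echoed probe characters: each came back literal (alive), entity-encoded, or not at all."""
    alive, pos = set(), 0
    for ch in SPECIALS:
        if after.startswith(ch, pos):
            alive.add(ch)
            pos += 1
            continue
        enc = next((e for e in ENCODED[ch] if after.startswith(e, pos)), None)
        if enc:
            pos += len(enc)              # stripped or backslash-escaped characters are simply skipped
    return alive


def _context(body, i):
    """Name the HTML context at offset i: comment, script string/code, tag attribute, or text."""
    before = body[:i]
    if before.rfind("<!--") > before.rfind("-->"):
        return "html comment", ""
    lower = before.lower()
    script_open = lower.rfind("<script")
    if script_open > lower.rfind("</script"):
        code = before[before.find(">", script_open) + 1:]
        quote, escaped = None, False     # JS string state; ignores comments and regex literals
        for ch in code:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif quote:
                quote = None if ch == quote else quote
            elif ch in "\"'`":
                quote = ch
        return ("js string", f"{quote}-quoted") if quote else ("js code", "")
    if before.rfind("<") > before.rfind(">"):
        tag = before[before.rfind("<"):]
        quote = None
        for ch in tag:                   # attribute-value quote state inside the open tag
            if quote:
                quote = None if ch == quote else quote
            elif ch in "\"'":
                quote = ch
        if quote:
            m = re.search(r"([\w:-]+)\s*=\s*['\"][^'\"]*$", tag)
            return "attribute value", f"{m.group(1) if m else '?'}, {quote}-quoted"
        m = re.search(r"([\w:-]+)=([^\s\"'=]*)$", tag)
        if m:
            return "attribute value", f"{m.group(1)}, unquoted"
        return "attribute name", ""
    return "html text", ""


PAYLOAD_HINTS = {
    "html text": "tag injection such as <img src=x onerror=alert(1)> needs < and > intact",
    "attribute value": "close the quote, then add an event handler, e.g. \" autofocus onfocus=alert(1) x=\"",
    "attribute name": "add a handler attribute directly: onmouseover=alert(1)",
    "js string": "break the string with ';alert(1)// (or </script> if < and > survive)",
    "js code": "already executing as code: use an expression payload",
    "html comment": "close the comment with --> and then inject a tag",
}


def reflections(body, canary=CANARY):
    """Every reflection of the canary with its context, detail and surviving special characters."""
    results = []
    for m in re.finditer(re.escape(canary), body):
        context, detail = _context(body, m.start())
        results.append({"offset": m.start(), "context": context, "detail": detail,
                        "survivors": _survivors(body[m.end():]), "hint": PAYLOAD_HINTS[context]})
    return results


# Constructed response to the probe: four reflections with different encoding behaviour.
BODY = """<html><head><title>Search</title></head>
<body>
<input type="text" name="q" value="zq9kx&lt;&gt;&quot;&#39;">
<div id="result">zq9kx&lt;&gt;"'</div>
<script>var q = 'zq9kx<>"\\''; track(q);</script>
<!-- debug: zq9kx<>"' -->
</body></html>"""

if __name__ == "__main__":
    for r in reflections(BODY):
        print(f"@{r['offset']:4} {r['context']:16} {r['detail']:14} survivors={''.join(sorted(r['survivors']))!r}  {r['hint']}")
```

Reading the output for the sample: the attribute is fully encoded (dead end), the text node keeps quotes but not angle brackets (no tag injection), the JavaScript string keeps `<>"` but escapes `'` (so `</script>` is the way out), and the comment keeps everything.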

Application Logic

To be completed!

Written by
Jobyer Ahmed
Founder and Cybersecurity Professional
Jobyer Ahmed is the founder and cybersecurity professional at Bytium LLC. He works across offensive and defensive security, including penetration testing, red-team operations, and vulnerability management, with a focus on practical and audit-ready security improvements.