For web pentesting there is a lot to test. Below is the mandatory list of checks I never skip. The goal? Reverse shell.
Note: This checklist was created with the help of the OWASP Testing Guide and other resources found on the Internet.
Recon/Enumeration
- Discover information using Google, Bing, Shodan, GitHub, Twitter, and LinkedIn
- Check if robots.txt, crossdomain.xml, clientaccesspolicy.xml, phpinfo.php, sitemap.xml exist
- Identify Web Application Firewall
- Brute force subdomains
- DNS reverse lookup
- Brute force files and directories
- Analyze SSL
- Crawl entire site
- Find emails, employees, phone numbers, etc.
- Wayback history
- Nmap scan of all ports (including UDP) and banner grabbing
- Identify input points
Error Handling
- Request fake pages
- Try different HTTP methods such as TRACE, OPTIONS, DEBUG, NONE
- Request the same parameter multiple times with different values (e.g. test1=1&test1=2)
- Add [], [[, ]] in parameters (e.g. ?id[]=hello, ?id=[hello])
- Fuzz various header values and parameters with Burp Suite Intruder
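The duplicate-parameter and bracket inputs above are tested because servers and frameworks disagree on how to parse them (first value, last value, or an array). The following is an added example, not part of the original checklist: a strict query-string validator, built on the standard library only, that rejects exactly those ambiguous shapes instead of guessing.

```python
from urllib.parse import parse_qsl


def check_query(query, allowed):
    """Validate a raw query string against a schema of expected scalars.

    `allowed` maps parameter name -> expected type (str or int).
    Returns (params, findings): `params` holds the accepted, typed values;
    `findings` lists why inputs were rejected (empty list means it passed).
    """
    findings = []
    params = {}
    # keep_blank_values so "id=" still counts as a supplied key
    for key, value in parse_qsl(query, keep_blank_values=True):
        # Bracketed keys (id[], id[0]) ask for array coercion the schema never declared
        if "[" in key or "]" in key:
            findings.append(f"bracketed key rejected: {key}")
            continue
        if key not in allowed:
            findings.append(f"unexpected parameter: {key}")
            continue
        # Duplicate keys are ambiguous (first/last/list depending on framework): refuse
        if key in params:
            findings.append(f"duplicate parameter: {key}")
            continue
        expected = allowed[key]
        if expected is int:
            # isdecimal() rejects signs, whitespace and superscript digits
            if not value.isdecimal():
                findings.append(f"non-integer value for {key}: {value!r}")
                continue
            params[key] = int(value)
        else:
            # A bracketed value like "[hello]" is a type-confusion probe, not a string
            if "[" in value or "]" in value:
                findings.append(f"bracketed value for {key}: {value!r}")
                continue
            params[key] = value
    return params, findings


if __name__ == "__main__":
    # Constructed sample inputs taken from the checklist items above
    for q in ("test1=1&test1=2", "id[]=hello", "id=[hello]", "id=42"):
        print(q, "->", check_query(q, {"test1": int, "id": int if q == "id=42" else str}))
```

Any finding should be logged and the request rejected as a whole; the accepted value of a duplicated key is never passed on, because whichever choice is made will differ from some other component in the stack.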
Preparation
- Study site structure
- List all possible test URLs
User Management
During Registration
- Check for duplicate registration
- Test for Username uniqueness
- Weak Password policy
- Email Verification Process
- Check if disposable email addresses are allowed for registration
- Input vague characters such as ' or * in registration fields, and all spaces for passwords
After Registration
- After registration, brute force files and folders
- Find parameters and tamper with them to get other users' information
- Analyze email/password change or password reset confirmation links
- Attempt to change another user's password/email
- Check for file upload and other input validation vulnerabilities
- Check metadata of downloadable files
Authentication
- Username Enumeration
- Lockout Policy
- Default Password
- Password Brute Forcing
- Test Remember Me
- OAuth
- 2FA testing
- Browser cache weakness (e.g. Pragma, Expires, Max-age)
Input Validation
- XSS (Reflected/DOM/Stored)
- SQL Injection
- HTTP Header Injection (X-Forwarded-Host)
- Arbitrary Redirection
- Command Injection
- Code Injection
- LFI/RFI
- Path Traversal
- SOAP Injection
- LDAP Injection
- XPath Injection
- XXE
- De-serialization
- Insecure File Upload
- ClickJacking
- XSS Inclusion
- HTML Injection
- CSS Injection
- Javascript Execution
- Server-Side Template Injection
- Browser Storage
Application Logic
To be completed!