In web pentesting there is a lot to test. Below is the mandatory list of checks I never skip. The goal? A reverse shell!

Note: This checklist was created with the help of the OWASP Testing Guide and other resources found on the Internet.

Recon/Enumeration

  • Discover information using Google, Bing, Shodan, GitHub, Twitter, and LinkedIn
  • Check whether robots.txt, crossdomain.xml, clientaccesspolicy.xml, phpinfo.php and sitemap.xml exist
  • Identify Web Application Firewall
  • Brute force subdomains
  • DNS Reverse Lookup
  • Brute force files and directories
  • Analyze SSL/TLS configuration
  • Crawl entire site
  • Find emails, employee names, phone numbers, etc.
  • Wayback Machine history
  • Nmap scan of all ports (including UDP) with banner grabbing
  • Identify input points (parameters, headers, cookies, file uploads)
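
The well-known files above are worth more than a yes/no check: robots.txt Disallow lines and sitemap.xml entries are a free, target-specific wordlist for the file and directory brute force. The script below is an added example for this checklist, not tooling from the original post; the robots.txt and sitemap.xml contents are constructed samples and example.com is a placeholder host.

```python
"""Harvest candidate paths from robots.txt and sitemap.xml and merge them
with the well-known files from the checklist into a brute-force wordlist.
Added example; the sample files below are constructed, not fetched."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Well-known files from the checklist, probed at the web root.
WELL_KNOWN_FILES = [
    "robots.txt", "crossdomain.xml", "clientaccesspolicy.xml",
    "phpinfo.php", "sitemap.xml",
]

# Constructed sample robots.txt: Disallow lines routinely leak admin/backup paths.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql.bak
Allow: /public/
Disallow: /api/v1/internal
Sitemap: https://example.com/sitemap.xml
"""

# Constructed sample sitemap.xml.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/login</loc></url>
  <url><loc>https://example.com/blog/2019/hello-world</loc></url>
</urlset>
"""


def paths_from_robots(text):
    """Return every path named in an Allow/Disallow directive (except '/')."""
    paths = []
    for line in text.splitlines():
        m = re.match(r"^\s*(?:Dis)?Allow:\s*(\S+)", line, re.IGNORECASE)
        if m and m.group(1) != "/":
            paths.append(m.group(1))
    return paths


def paths_from_sitemap(xml_text):
    """Return the URL paths listed in the sitemap's <loc> elements."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(xml_text)
    return [urlparse(loc.text.strip()).path
            for loc in root.findall(".//sm:loc", ns) if loc.text]


def expand_prefixes(paths):
    """/a/b/c also yields /a/ and /a/b/ so every parent directory is probed."""
    out = set()
    for p in paths:
        parts = [s for s in p.split("/") if s]
        for i in range(1, len(parts) + 1):
            candidate = "/" + "/".join(parts[:i])
            is_dir = i < len(parts) or p.endswith("/")
            out.add(candidate + "/" if is_dir else candidate)
    return out


def build_wordlist(base_url, robots_text, sitemap_text):
    """Merge well-known files, robots paths and sitemap paths into full URLs."""
    paths = {"/" + f for f in WELL_KNOWN_FILES}
    harvested = paths_from_robots(robots_text) + paths_from_sitemap(sitemap_text)
    paths |= expand_prefixes(harvested)
    paths.discard("/")
    return sorted(urljoin(base_url, p) for p in paths)


if __name__ == "__main__":
    for url in build_wordlist("https://example.com/", SAMPLE_ROBOTS, SAMPLE_SITEMAP):
        print(url)
```

Feed the printed URLs to whatever requester you use for the brute force; the parent-directory expansion is what turns one leaked `/backup/db.sql.bak` into a `/backup/` listing check as well.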

Error Handling

  • Request non-existent pages to see how the 404 handler and error pages behave (stack traces, framework and version disclosure)
  • Try different HTTP methods such as TRACE, OPTIONS and DEBUG, plus an invalid one such as NONE
  • Send the same parameter more than once with different values (e.g. test1=1&test1=2) to test HTTP parameter pollution
  • Add [], [[ and ]] to parameter names and values (e.g. ?id[]=hello, ?id=[hello]) to provoke type errors where a string is expected
  • Fuzz header values and parameters with Burp Suite Intruder
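
The error-handling probes above are mechanical, so they are worth generating rather than typing. The script below is an added example, not from the original post: it builds the non-existent page, unusual methods, duplicated parameters and bracketed parameters for one endpoint as (method, url) pairs. Nothing is sent on the wire; the URL is a placeholder and the pairs are meant to be handed to Burp Intruder or a requests loop.

```python
"""Generate the error-handling probes from the checklist for one endpoint.
Added example; the endpoint is a placeholder and no request is made."""
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# NONE is deliberately not a real HTTP method: the point is the 405/400 handler.
METHODS = ["TRACE", "OPTIONS", "DEBUG", "NONE"]


def _with_query(url, pairs):
    """Rebuild url with the given (name, value) query pairs, keeping [] raw."""
    s = urlsplit(url)
    return urlunsplit((s.scheme, s.netloc, s.path, urlencode(pairs, safe="[]"), s.fragment))


def fake_page_probe(url):
    """A random file name in the same directory: forces the 404 handler."""
    s = urlsplit(url)
    directory = s.path.rsplit("/", 1)[0] + "/"
    fake = directory + secrets.token_hex(8) + ".aspx"  # constructed, cannot exist
    return ("GET", urlunsplit((s.scheme, s.netloc, fake, "", "")))


def method_probes(url):
    """The same URL with each unusual or invalid method."""
    return [(m, url) for m in METHODS]


def hpp_probes(url):
    """Each parameter repeated with a second value (test1=1&test1=2).

    Backends disagree on duplicates: PHP keeps the last value, ASP.NET joins
    them with a comma, Flask's request.args.get() and Java's getParameter()
    return the first. That disagreement is what HPP exploits against WAFs
    and validation layers that parse differently from the application."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    probes = []
    for i, (name, value) in enumerate(pairs):
        dup = pairs[:i + 1] + [(name, value + "2")] + pairs[i + 1:]
        probes.append(("GET", _with_query(url, dup)))
    return probes


def bracket_probes(url):
    """Array-style names and bracketed values: id[]=hello, id=[hello], id[[=hello, id]]=hello."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    probes = []
    for i, (name, value) in enumerate(pairs):
        mutations = ((name + "[]", value), (name, "[" + value + "]"),
                     (name + "[[", value), (name + "]]", value))
        for new_name, new_value in mutations:
            mutated = pairs[:i] + [(new_name, new_value)] + pairs[i + 1:]
            probes.append(("GET", _with_query(url, mutated)))
    return probes


def all_probes(url):
    """Every probe for the endpoint, in checklist order."""
    return [fake_page_probe(url)] + method_probes(url) + hpp_probes(url) + bracket_probes(url)


if __name__ == "__main__":
    for method, probe_url in all_probes("https://example.com/app/search.php?q=hello&page=1"):
        print(method, probe_url)
```

Diff the status code, body length and any stack trace between the original response and each probe; a PHP "Array to string conversion" warning or an ASP.NET yellow screen on the bracket probes is exactly the disclosure the section is after.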

Preparation

  • Study site structure
  • List all possible test URLs

User Management

During Registration

  • Check for duplicate registration
  • Test for Username uniqueness
  • Weak Password policy
  • Email Verification Process
  • Check whether disposable email addresses are accepted for registration
  • Input special characters such as ' or * in registration fields, and try a password consisting only of spaces
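
Duplicate registration and username uniqueness are usually tested by re-registering the same name; the interesting failures come from variants that a naive uniqueness check treats as new but the application, database collation or mail provider later treats as the same account. The script below is an added example, not from the original post, and it goes beyond the checklist's wording by including Unicode normalisation and mail-provider aliasing; the disposable-domain set is a constructed stub, not a real feed.

```python
"""Variants of a username or email to register alongside the original, to
find uniqueness checks that disagree with how the account is used later.
Added example; DISPOSABLE_DOMAINS is a constructed stub."""
import unicodedata

# Constructed stub; a real test uses a maintained disposable-domain list.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}


def fullwidth(s):
    """Map printable ASCII to its fullwidth form (NFKC folds it back)."""
    return "".join(chr(ord(c) + 0xFEE0) if "!" <= c <= "~" else c for c in s)


def username_variants(name):
    """Case, whitespace and Unicode look-alikes of a username."""
    variants = {
        name.upper(), name.capitalize(), name.swapcase(),
        " " + name, name + " ", name + "\t",
        name + "\u200b",              # zero-width space, often stripped on use
        name.replace("i", "\u0131"),  # dotless i, visually identical in many fonts
        fullwidth(name),
    }
    variants.discard(name)
    return sorted(variants)


def nfkc_collides(a, b):
    """True if both names become identical after the normalisation a backend
    typically applies (NFKC, case folding, trimming)."""
    def norm(s):
        return unicodedata.normalize("NFKC", s).casefold().strip()
    return norm(a) == norm(b)


def email_variants(addr):
    """Addresses the mail provider delivers to the same inbox."""
    local, domain = addr.rsplit("@", 1)
    out = {local.upper() + "@" + domain, local + "@" + domain.upper(),
           local + "+test@" + domain}          # plus-addressing (most providers)
    if domain.lower() in ("gmail.com", "googlemail.com"):
        out.add(local.replace(".", "") + "@" + domain)   # Gmail ignores dots
        other = "googlemail.com" if domain.lower() == "gmail.com" else "gmail.com"
        out.add(local + "@" + other)
    out.discard(addr)
    return sorted(out)


def is_disposable(addr):
    """Domain check against the (stub) disposable-provider list."""
    return addr.rsplit("@", 1)[1].lower() in DISPOSABLE_DOMAINS


if __name__ == "__main__":
    for v in username_variants("admin"):
        print(repr(v), "collides:", nfkc_collides("admin", v))
    print(email_variants("john.doe@gmail.com"))
```

Register each variant against an account you own. If the variant is accepted, then log in, reset the password or receive mail as the original, that is an account takeover path; if it is accepted and stays distinct, the "taken" response for the original has just told you which names exist.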

After Registration

  • After registration, brute force files and directories again, now with an authenticated session
  • Find parameters that identify users (IDs, emails) and tamper with them to reach other users' information (IDOR)
  • Analyze the email/password change flow and the password reset confirmation link (token predictability, expiry, reuse)
  • Attempt to change other users' passwords/emails
  • Check for file upload and other input validation vulnerabilities
  • Check the metadata of downloadable files (author names, software versions, internal paths)

Authentication

  • Username Enumeration
  • Lockout Policy
  • Default Password
  • Password Brute Forcing
  • Test Remember Me
  • OAuth
  • 2FA Testing
  • Browser cache weakness (e.g. Cache-Control max-age/no-store, Pragma, Expires headers missing on sensitive pages)
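
Username enumeration is decided by diffing the login response for a known-valid account against one for a name that certainly does not exist, with a wrong password in both cases; the tell can be the message, the status code, the body length, a cookie that is only set for real users, or the time a password hash comparison adds. The code below is an added example, not from the original post. The responses are constructed samples standing in for what an HTTP client returns; only the comparison is the point, and the timing check assumes you have already taken the median of several samples per username.

```python
"""Detect username enumeration by diffing responses for a valid and an
invalid username. Added example; the responses below are constructed."""
import difflib
from dataclasses import dataclass


@dataclass
class Resp:
    status: int
    body: str
    elapsed: float          # seconds, median over several samples
    set_cookie: bool = False


# Constructed: failed logins with a wrong password for each username.
VALID_USER = Resp(200, "<p class='err'>Incorrect password.</p>", 0.42)
INVALID_USER = Resp(200, "<p class='err'>Unknown user.</p>", 0.05)
# Constructed: a hardened target answers both the same way.
UNIFORM_A = Resp(200, "<p class='err'>Invalid username or password.</p>", 0.40)
UNIFORM_B = Resp(200, "<p class='err'>Invalid username or password.</p>", 0.39)


def enumeration_signals(valid, invalid, timing_threshold=0.2, similarity=0.98):
    """Return the observable differences that separate the two responses."""
    signals = []
    if valid.status != invalid.status:
        signals.append(f"status {valid.status} vs {invalid.status}")
    if len(valid.body) != len(invalid.body):
        signals.append(f"length {len(valid.body)} vs {len(invalid.body)}")
    ratio = difflib.SequenceMatcher(None, valid.body, invalid.body).ratio()
    if ratio < similarity:
        signals.append(f"body similarity {ratio:.2f}")
    if valid.set_cookie != invalid.set_cookie:
        signals.append("Set-Cookie on only one response")
    # A real account triggers the (slow) hash comparison; a missing one often
    # short-circuits before it, so the gap survives the median.
    if abs(valid.elapsed - invalid.elapsed) > timing_threshold:
        signals.append(f"timing {valid.elapsed:.2f}s vs {invalid.elapsed:.2f}s")
    return signals


def is_enumerable(valid, invalid):
    """True if any signal lets an attacker tell valid from invalid names."""
    return bool(enumeration_signals(valid, invalid))


if __name__ == "__main__":
    print("leaky target:", enumeration_signals(VALID_USER, INVALID_USER))
    print("uniform target:", enumeration_signals(UNIFORM_A, UNIFORM_B))
```

Run the same diff on the registration ("email already taken") and password reset ("no account with that address") responses; those two are leakier than the login form far more often.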

Input Validation

  • XSS(Reflected/DOM/Stored)
  • SQL Injection
  • HTTP Header Injection / Host header attacks (e.g. X-Forwarded-Host)
  • Open Redirect (arbitrary redirection)
  • Command Injection
  • Code Injection
  • LFI/RFI
  • Path Traversal
  • SOAP Injection
  • LDAP Injection
  • XPath Injection
  • XXE
  • Insecure Deserialization
  • Insecure File Upload
  • ClickJacking
  • XSSI (Cross-Site Script Inclusion)
  • HTML Injection
  • CSS Injection
  • JavaScript Execution
  • Server-Side Template Injection
  • Browser Storage (sensitive data in localStorage/sessionStorage)
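
For the reflected XSS, HTML injection and JavaScript execution items, the first question is not which payload to use but where the input lands and whether it was encoded; a canary with the four characters an XSS needs answers both in one request per parameter. The code below is an added example, not from the original post: it classifies each reflection of the canary as HTML body, tag attribute or script block, and reports whether the special characters came back raw. The response body is a constructed sample.

```python
"""Classify where an injected canary is reflected in a response and whether
the characters after it survived unencoded. Added example; SAMPLE_BODY is
constructed to show one reflection of each kind."""
import html
import re
import secrets

SPECIALS = "'\"<>"   # the characters every XSS context needs at least one of


def make_canary():
    """Random, unlikely-to-occur token to inject in each parameter."""
    return "zq" + secrets.token_hex(4) + "zq"


def probe_value(canary):
    """The value to send: canary followed by the special characters."""
    return canary + SPECIALS


def reflection_contexts(body, canary):
    """Return [(context, raw)] for every occurrence of the canary.

    context is 'script' (inside an open <script> block), 'attribute'
    (inside an unclosed tag) or 'html' (text content); raw is True when
    the four special characters follow the canary unencoded."""
    results = []
    for m in re.finditer(re.escape(canary), body):
        before = body[:m.start()]
        after = body[m.end():m.end() + len(SPECIALS)]
        opens = len(re.findall(r"<script\b", before, re.I))
        closes = len(re.findall(r"</script\s*>", before, re.I))
        if opens > closes:
            ctx = "script"
        elif before.rfind("<") > before.rfind(">"):
            ctx = "attribute"
        else:
            ctx = "html"
        results.append((ctx, after == SPECIALS))
    return results


# Constructed sample: a fixed canary reflected raw in HTML text, encoded in
# an attribute, and raw inside a JavaScript string.
CANARY = "zqdeadbeefzq"
SAMPLE_BODY = (
    "<html><body>"
    "<p>Results for: " + probe_value(CANARY) + "</p>"
    "<input type='text' value='" + CANARY + html.escape(SPECIALS) + "'>"
    "<script>var q = \"" + probe_value(CANARY) + "\";</script>"
    "</body></html>"
)

if __name__ == "__main__":
    for ctx, raw in reflection_contexts(SAMPLE_BODY, CANARY):
        print(ctx, "raw" if raw else "encoded")
```

A raw reflection in the html context is an HTML injection already and an XSS with a tag payload; a raw reflection in a script string is JavaScript execution with a simple string breakout; an encoded attribute reflection still merits a second look for event-handler attributes and for javascript: URLs where only quotes, not the scheme, were neutralised.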

Application Logic

To be completed!