Web Penetration Testing Checklist For Bug Hunters
Web Penetration Testing Checklist for Bug Hunters by GOVERDHAN

WEB APPLICATION PENETRATION TESTING CHECKLISTS FOR BEGINNERS

GOVERDHAN PANDEY

Title: Web Penetration Testing Checklist for Bug Hunters

Introduction:
- Web penetration testing is vital for identifying vulnerabilities in web
applications.

Purpose:
- Provide a detailed checklist for bug hunters to conduct effective web
penetration testing.

Importance of a Checklist:
- Ensures comprehensive coverage across different areas of web
application security.
- Maintains consistency in testing methodologies and approaches.

Structure of the Checklist:


- Categorized checklist covering various aspects of web application
security.
- Specific testing techniques and considerations included for each
category.

Target Audience:
- Bug hunters, security researchers, and penetration testers benefit from
the checklist.

Disclaimer:
- The checklist is a general guide and may not cover all possible
vulnerabilities or testing scenarios.
- Adherence to ethical hacking practices and obtaining proper
authorization is crucial.


1. Information Gathering:

- Enumerate subdomains using tools like Sublist3r or DNSdumpster.
- Gather DNS information to identify potential targets and their IP addresses.
- Perform a WHOIS lookup to gather information about the domain owner and registrar.
- Conduct domain research to uncover publicly available information about the target.
- Search for online footprints, such as social media profiles or leaked data, to gather additional intelligence.

2. Configuration and Deployment Management:

- Check for default credentials on administrative interfaces (e.g., admin/admin, root/root).
- Test for weak passwords by using password cracking tools (e.g., John the Ripper, Hashcat).
- Verify secure configuration of web servers (e.g., Apache, Nginx) and frameworks (e.g., Django, Ruby on Rails).
- Review server and application logs for potential information leaks or error messages that reveal sensitive information.

3. Authentication and Session Management:

- Test for weak or guessable passwords by using password cracking tools or password spraying attacks.
- Check for vulnerabilities in the password reset process, such as predictable tokens or insecure email notifications.

- Test for session fixation, session hijacking, and session timeout vulnerabilities.
- Verify the implementation of proper authentication controls, such as account lockouts, password complexity requirements, and CAPTCHA for preventing automated attacks.
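The session fixation and timeout items above can be checked against a concrete reference: the server-side session store below (an added example, not code from this checklist) issues a fresh session ID on login, discards the pre-login ID, and enforces an idle timeout. The 15-minute timeout and the in-memory store are assumptions for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session expires (assumed policy)


class SessionStore:
    """Minimal server-side session store illustrating two checklist items:
    rotating the session ID on login (defeats fixation) and idle timeout."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the timeout can be tested offline
        self._sessions = {}  # session_id -> {"user": str | None, "last_seen": float}

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, username):
        """Authenticate and return a *new* session ID; the pre-login ID is dropped,
        so an ID planted in the victim's browser before login is worthless."""
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid

    def user_for(self, sid):
        """Resolve a session ID to its user, enforcing the idle timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: remove so it cannot be revived
            return None
        entry["last_seen"] = now
        return entry["user"]


def check_session_fixation(store):
    """True when login rotates the ID and the pre-login ID no longer resolves."""
    pre = store.create()
    post = store.login(pre, "alice")
    return pre != post and store.user_for(pre) is None and store.user_for(post) == "alice"
```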

4. Authorization and Access Control:

- Test for insecure direct object references (IDOR) by manipulating parameters or object identifiers.
- Verify that user roles and permissions are properly enforced, limiting access to appropriate functionality and data.
- Check for privilege escalation vulnerabilities by attempting to escalate privileges or access data beyond the assigned role.
- Review access control mechanisms for horizontal and vertical privilege escalation possibilities.

5. Input Validation and Output Encoding:

- Test for SQL injection vulnerabilities by injecting SQL queries into input fields and parameters.
- Check for command injection and OS command injection vulnerabilities by injecting malicious commands into input fields.
- Verify that input validation and output encoding techniques are implemented to prevent XSS and other code injection attacks.
- Test for file inclusion and path traversal vulnerabilities by manipulating file input parameters.

6. Cross-Site Scripting (XSS):

- Test for reflected XSS vulnerabilities by injecting payloads into input fields and query parameters and checking if the payload is rendered in the response.

- Test for stored XSS vulnerabilities by injecting payloads into user-generated content and verifying if the payload is persisted and executed.
- Check that proper output encoding and input sanitization techniques are implemented to prevent XSS attacks.
- Test for DOM-based XSS vulnerabilities by manipulating client-side scripts and identifying if the payload is executed within the DOM.

7. Cross-Site Request Forgery (CSRF):

- Test for CSRF vulnerabilities by crafting malicious requests that force user interactions (e.g., changing settings, making financial transactions).
- Verify the effectiveness of CSRF protection mechanisms, such as anti-CSRF tokens, by attempting to bypass or tamper with them.
- Check if sensitive actions can be performed without appropriate CSRF protection, potentially leading to unauthorized actions being executed on behalf of the victim user.

8. Security Headers:

- Check for the presence and correct configuration of security headers like Content Security Policy (CSP), X-Frame-Options, X-XSS-Protection, HTTP Strict Transport Security (HSTS), etc.
- Verify that these headers are properly set and provide the desired security protections, such as preventing XSS, clickjacking, or protocol downgrade attacks.
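The header checks above, turned into an offline audit function (an added example, not code from this checklist): it takes a dict of response headers, as captured from a proxy or `curl -I`, and reports weak or missing values rather than mere presence. The one-year HSTS threshold and the X-Content-Type-Options check are assumptions going slightly beyond the list.

```python
import re

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def audit_security_headers(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        # directive name -> full directive text, e.g. "script-src" -> "script-src 'self'"
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        script = directives.get("script-src") or directives.get("default-src")
        if script is None:
            findings.append("CSP: no script-src or default-src, scripts are unrestricted")
        elif "'unsafe-inline'" in script or "*" in script.split():
            findings.append("CSP: script-src permits inline or wildcard sources")

    # CSP frame-ancestors supersedes X-Frame-Options when present
    if "frame-ancestors" not in (csp or ""):
        if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
            findings.append("clickjacking: no X-Frame-Options or frame-ancestors")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection is a legacy header ignored by current browsers; rely on CSP")
    return findings
```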

9. File and Resource Management:

- Test for arbitrary file upload vulnerabilities by attempting to upload malicious files with various extensions.

- Check for insecure direct object references (IDOR) to sensitive files or resources by manipulating URLs or parameters.
- Verify that file uploads are properly validated and restricted to intended file types.
- Review file and resource permissions to ensure unauthorized access is prevented.
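A reference for the "properly validated" item above (an added example, not code from this checklist): upload validation that allow-lists extensions, checks the file's magic bytes instead of trusting the client's name or Content-Type, rejects path components and double extensions, caps the size, and stores the file under a server-chosen name. The allowed types and the 5 MiB limit are assumed policy.

```python
import os
import secrets

# Allow-list: extension -> magic bytes a genuine file of that type starts with (assumed policy)
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
MAX_SIZE = 5 * 1024 * 1024  # 5 MiB, assumed limit


def validate_upload(filename, content):
    """Return (ok, reason). The client-supplied name and type are treated as untrusted."""
    base = os.path.basename(filename.replace("\\", "/"))  # strip any path component
    if base != filename or base.startswith("."):
        return False, "path component or hidden file name rejected"
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowed"
    if "." in root:
        return False, "double extension rejected"  # e.g. page.php.png
    if len(content) > MAX_SIZE:
        return False, "file too large"
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match the declared type"
    return True, "accepted"


def stored_name(ext):
    """Server-chosen random name; the client's file name never reaches the disk."""
    return secrets.token_hex(16) + ext
```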

10. Business Logic:

- Identify logical flaws in the application's workflows and processes, such as insufficient validation of critical operations or missing authorization checks.
- Test for vulnerabilities related to business logic abuse and bypass, such as bypassing payment mechanisms or manipulating business rules.
- Verify that access controls and authorization mechanisms are enforced for critical functions and sensitive data.

11. Error Handling and Information Leakage:

- Test for error-based vulnerabilities and information disclosure by intentionally triggering errors and reviewing the responses.
- Verify that error messages do not reveal sensitive information, such as stack traces, database details, or internal server paths.
- Check for potential information leakage through verbose error messages, debug endpoints, or hidden comments in the application's HTML source code.
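Reviewing responses for the leak types listed above can be automated; the scanner below (an added example, not code from this checklist) runs a set of patterns for stack traces, database errors, internal paths, debug markers and sensitive HTML comments over a response body, and separately flags version-bearing Server and X-Powered-By headers. The sample responses are constructed for the example.

```python
import re

# Patterns for the leak classes a reviewer looks for in error responses
LEAK_PATTERNS = {
    "java_stack_trace": re.compile(r"^\s+at [\w$.]+\([\w.]+:\d+\)", re.M),
    "python_traceback": re.compile(r"Traceback \(most recent call last\)"),
    "php_error": re.compile(r"(Warning|Fatal error|Notice): .* in .*\.php on line \d+"),
    "sql_error": re.compile(
        r"(You have an error in your SQL syntax|ORA-\d{5}|SQLSTATE\[|pg_query\(\)|Unclosed quotation mark)",
        re.I),
    "internal_path": re.compile(r"(/var/www/|/home/\w+/|/opt/\w+/|[A-Z]:\\(?:inetpub|Users|wwwroot)\\)"),
    "debug_marker": re.compile(r"(DEBUG\s*=\s*True|Django Version:|X-Debug-Token|Whoops!)", re.I),
    "html_comment_secret": re.compile(r"<!--.*?(password|todo|fixme|api[_-]?key|internal).*?-->", re.I | re.S),
}


def scan_response(body, headers=None):
    """Return the set of leak categories found in a response body (plus optional headers)."""
    text = body
    if headers:
        text += "\n" + "\n".join(f"{k}: {v}" for k, v in headers.items())
    return {name for name, rx in LEAK_PATTERNS.items() if rx.search(text)}


def server_header_versions(headers):
    """Flag Server / X-Powered-By style headers that disclose a software version."""
    hits = []
    for name in ("Server", "X-Powered-By", "X-AspNet-Version"):
        value = headers.get(name)
        if value and re.search(r"\d+\.\d+", value):
            hits.append(f"{name}: {value}")
    return hits


# Constructed sample responses, not captured from any real site
SAMPLE_500 = """<html><body><h1>Internal Server Error</h1><pre>
Traceback (most recent call last):
  File "/var/www/shop/app/views.py", line 42, in checkout
    total = cart.total()
AttributeError: 'NoneType' object has no attribute 'total'
</pre><!-- TODO: remove debug output before launch --></body></html>"""

SAMPLE_OK = "<html><body><h1>Checkout</h1><p>Thanks for your order.</p></body></html>"
```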

12. SSL/TLS and Cryptography:

- Verify that SSL/TLS is properly implemented and configured, ensuring the use of secure protocols and strong cipher suites.
- Check for SSL/TLS vulnerabilities, such as weak cipher suites, expired or self-signed certificates, or protocol downgrade attacks.

- Review encryption algorithms and key management practices for the protection of sensitive data.
- Test for secure storage and handling of cryptographic keys and credentials.

13. API Testing (if applicable):

- Test for vulnerabilities in API endpoints, such as injection attacks (SQL, command, or XML), authentication bypass, or excessive data exposure.
- Verify the proper implementation of authentication and authorization mechanisms for API interactions, such as OAuth, API keys, or JWT tokens.
- Review rate limiting and access controls for API resources to prevent abuse and unauthorized access.

Note: This detailed checklist provides a comprehensive breakdown of various testing areas. However, it is essential to adapt the testing approach based on the specific application, technologies, and potential attack vectors.

Remember to always conduct penetration testing ethically and with proper authorization. Obtain permission from the website owner before performing any security assessments or penetration tests.

Follow:

https://www.linkedin.com/in/goverdhankumar
https://github.com/wh04m1i
https://linktr.ee/g0v3rdh4n
