Web Application Testing Checklist

🔍 Reconnaissance

Information Gathering

  • Identify technology stack (Wappalyzer, WhatWeb)
  • Enumerate subdomains (Subfinder, Amass, crt.sh)
  • Directory bruteforcing (Gobuster, Feroxbuster)
  • Check robots.txt, sitemap.xml
  • Identify WAF (wafw00f)
  • Review JavaScript files for endpoints
  • Check for exposed .git, .svn, .env files
  • Analyze HTTP headers (security headers)

Application Mapping

  • Map all entry points (forms, APIs, file uploads)
  • Identify user roles and permissions
  • Document authentication mechanisms
  • List all API endpoints
  • Identify sensitive functionality

🔐 Authentication Testing

Login Mechanism

  • Test for username enumeration
  • Check password policy strength
  • Test account lockout mechanism
  • Assess brute-force protection
  • Test "Remember Me" functionality
  • Check for default credentials
  • Test password reset flow

Session Management

  • Analyze session token entropy
  • Test session fixation
  • Check session timeout
  • Test concurrent session handling
  • Verify secure cookie flags (HttpOnly, Secure, SameSite)
  • Test logout functionality
  • Test CSRF token validation
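For the header analysis item under Information Gathering and the cookie flags item in this list, a small checker that runs over raw response headers copied from a proxy. This is an added example, not part of the original checklist; the sample response is constructed and the expected-header and required-flag baselines are assumptions to adjust per engagement.

```python
# Added example: audit captured HTTP response headers for the security-header
# and cookie-flag checklist items. Header/flag baselines are assumptions.

# Constructed sample response, not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Server: nginx/1.25.3\r\n\r\n"
)

# Assumed hardening baseline; extend to match the target's policy.
EXPECTED_HEADERS = ["Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy"]
REQUIRED_COOKIE_FLAGS = ["Secure", "HttpOnly", "SameSite"]

def parse_response_headers(raw):
    """Split raw response text into (status_line, [(name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def missing_security_headers(headers):
    """Expected headers absent from the response (case-insensitive)."""
    present = {name.lower() for name, _ in headers}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]

def cookie_findings(headers):
    """Map each Set-Cookie name to the protective flags it is missing."""
    findings = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[cookie_name] = [f for f in REQUIRED_COOKIE_FLAGS
                                 if f.lower() not in attrs]
    return findings

def audit(raw):
    """Combine the checks; 'server_banner' is None when nothing is disclosed."""
    _, headers = parse_response_headers(raw)
    lowered = {n.lower(): v for n, v in headers}
    return {"missing_headers": missing_security_headers(headers),
            "cookies": cookie_findings(headers),
            "server_banner": lowered.get("server")}
```

Each cookie listed with missing flags and each missing header maps directly to a finding line in the report; a disclosed Server banner feeds the technology-stack item.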

Multi-Factor Authentication

  • Test MFA bypass techniques
  • Check for MFA code reuse
  • Test rate limiting on MFA
  • Verify MFA enforcement consistency

🔓 Authorization Testing

Access Control

  • Test horizontal privilege escalation
  • Test vertical privilege escalation
  • Test for insecure direct object references (IDOR)
  • Check API endpoint authorization
  • Test parameter manipulation
  • Verify role-based access controls

Business Logic

  • Test payment bypass
  • Check quantity manipulation
  • Test discount/coupon abuse
  • Verify workflow sequence
  • Test race conditions
  • Check for negative values

💉 Injection Testing

SQL Injection

  • Test all input parameters
  • Error-based SQLi
  • Union-based SQLi
  • Blind SQLi (Boolean, Time-based)
  • Out-of-band SQLi
  • Second-order SQLi
  • Test stored procedures

Cross-Site Scripting (XSS)

  • Reflected XSS
  • Stored XSS
  • DOM-based XSS
  • Test different contexts (HTML, JS, attribute)
  • Filter bypass techniques
  • Check CSP implementation

Other Injections

  • Command injection (OS)
  • LDAP injection
  • XML/XXE injection
  • Template injection (SSTI)
  • Header injection (CRLF)
  • Path traversal

📤 File Upload Testing

  • Test file type restrictions
  • Check file extension validation
  • Test MIME type validation
  • Upload malicious files (webshell)
  • Test filename manipulation
  • Check upload size limits
  • Test for path traversal in filename
  • Verify file content validation

🌐 API Security

REST API

  • Test authentication mechanisms
  • Check rate limiting
  • Test mass assignment
  • Verify input validation
  • Check for sensitive data exposure
  • Test HTTP methods (PUT, DELETE, PATCH)
  • Check for API versioning issues

GraphQL

  • Test introspection query
  • Check for batching attacks
  • Test query depth limits
  • Verify field-level authorization
  • Test for injection in queries

🔒 Cryptography

  • Check TLS/SSL configuration (testssl.sh)
  • Verify certificate validity
  • Test for weak ciphers
  • Check password storage (hashing)
  • Verify encryption at rest
  • Test JWT implementation
  • Check for hardcoded secrets

📊 Reporting Severity Guide

Severity   CVSS Score   Example
Critical   9.0 - 10.0   RCE, SQLi with admin access
High       7.0 - 8.9    Privilege escalation, Auth bypass
Medium     4.0 - 6.9    Stored XSS, CSRF
Low        0.1 - 3.9    Information disclosure
Info       0.0          Best practice recommendations

🛠️ Tools Reference

# Reconnaissance
subfinder -d target.com -o subs.txt
httpx -l subs.txt -o live.txt
nuclei -l live.txt -t cves/

# Web scanning
nikto -h https://target.com
sqlmap -u "https://target.com/page?id=1" --batch
ffuf -u https://target.com/FUZZ -w wordlist.txt

# Proxy
burpsuite / mitmproxy / OWASP ZAP

Last updated: 2024