Web application penetration testing checklist

A checklist I use when testing web applications for vulnerabilities. Originally compiled from InfoSec Write-ups and expanded with my own findings from bug bounty hunting.

Fingerprinting

  • Identify known vulnerabilities in web/app servers
  • Generate site structure map
  • Identify underlying web technology
  • Uncover HTTP services on non-standard ports
  • Brute force subdomains
  • Identify firewall (WAF)
  • Find sensitive keywords in HTML sources (admin, todo, redir, etc.)
  • Analyze JavaScript files for endpoints, keys, and secrets

Session Management

  • Identify session cookies and decode them (base64, hex, etc.)
  • Modify one character in the cookie token. Does the session persist?
  • Check token leakage via referrer header to third parties
  • Check cookie expiration time, domain scope, and flags (HttpOnly, Secure, SameSite)
  • Replay session cookie from a different IP. Does it still work?
  • Test concurrent login from different IPs
  • Check if user data is stored in cookie values
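As an added example (not part of the original checklist), a small Python auditor for the cookie-attribute items above: it parses Set-Cookie headers and reports missing flags, broad Domain scope, and long lifetimes. The sample headers are constructed for illustration and the 24-hour Max-Age limit is an assumed policy value.

```python
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers (not taken from any real application).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600",
    "tracker=xyz; Path=/; Domain=.example.com; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "csrftoken=tok; Path=/; Secure; SameSite=None",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, lowercased attribute map)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag-only attrs map to ""
    return name.strip(), value, attrs


def audit_cookie(header: str, max_age_limit: int = 86400) -> Tuple[str, List[str]]:
    """Return the cookie name and a list of findings for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")  # browsers reject this combination
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']} widens scope to subdomains")
    if "expires" in attrs:
        findings.append("persistent cookie (Expires set)")
    if "max-age" in attrs and int(attrs["max-age"]) > max_age_limit:
        findings.append("Max-Age exceeds limit")
    return name, findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit a list of Set-Cookie headers; returns {cookie name: findings}."""
    return dict(audit_cookie(h) for h in headers)


if __name__ == "__main__":
    for cookie, issues in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, "->", issues or "OK")
```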

Authentication

  • Test username enumeration on login and registration
  • Try SQL injection on login form
  • Access resources without authentication
  • Check if credentials are sent over HTTP
  • Test account lockout threshold
  • Test OAuth for open redirect
  • Check for weak password policy
  • Check duplicate registration with same email for account takeover

Password Reset

  • Check if reset link/code is unique and expires
  • Tamper with user identification parameters
  • Test if token is invalidated after use
  • Check if active sessions are destroyed on password change
  • Request two reset links. Does the older one still work?
  • Send repeated reset requests and compare the tokens for sequential or predictable values

XSS

  • Test what’s sanitized vs. what’s not
  • Try XSStrike for automated testing
  • Upload files with XSS in filename: "><img src=x onerror=alert(document.domain)>.txt
  • If <script> is blocked, try <h1>, <img>, <svg> tags
  • If quotes are filtered: /><img src=d onerror=confirm(/site/);>
  • Try URL encoding: %3cscript%3ealert(document.cookie)%3c/script%3e
  • Try base64 encoded payloads
  • Try polyglot payloads
  • Upload JavaScript via image files using gifsicle
  • Change request method from POST to GET

Business Logic

  • Tamper product IDs to buy high-value items at low prices
  • Tamper quantity/price values in purchase requests
  • Reuse gift vouchers with old values
  • Use parameter pollution to apply vouchers twice
  • View/manage other users’ booking details via IDOR
  • Modify refund amounts via parameter tampering

Error Handling

  • Access non-existent pages to check error information leakage
  • Add special characters ([], ]], [[) to cookie and parameter values
  • Use fuzzing to trigger unusual error codes
  • Check if stack traces or debug info are exposed