This document provides a checklist of tests for web application penetration testing. It lists the name of each test, a brief description of the test case, and a column to record the test result. The tests cover various phases of testing including reconnaissance, registration feature testing, session management, authentication, post-login activities, forgot password testing, open redirection, SQL injection, cross-site scripting, CSRF, and SSO testing.

1. CHECKLIST
WEB
APPLICATION
PENETRATION TESTING

2. www.infosectrain.com
Test Name Test Case Result
Identify Web Server, Technologies,
and Database
Verify that the website is hosted on an HTTP server, front-end technologies,
and back-end with PostgreSQL database.
ASN (Autonomous System
Number) & IP Space Enumeration
and Service Enumeration
Ensure the enumeration tool’s accuracy in obtaining ASNs,
identifying IP addresses within a specified range, and detecting open ports and
services on a target IP address.
Google Dorking
Ensure that the Google Dorking technique effectively retrieves sensitive
information from public internet search engine results.
Directory Enumeration Ensure that the directory enumeration process accurately
identifies and lists directories and files within a specified web server directory.
Reverse Lookup
Ensure that the reverse lookup functionality accurately maps IP
addresses to domain names.
JS Files Analysis
Confirm that the JS files analysis function accurately identifies
vulnerabilities and security issues in JavaScript files.
Subdomain Enumeration and
Bruteforcing
Confirm that the subdomain enumeration and brute-forcing
functionality accurately discover subdomains associated with the
target domain
Port Scanning
Verify that the port scanning tool correctly identifies open ports on a target
IP address or network.
Reconnaissance Phase

3. Test Name Test Case Result
Duplicate Registration/Overwrite
Existing User
Verify that the registration process prevents duplicate registration
and overwriting of existing user accounts.
Weak Password Policy
Confirm that the registration process enforces a strong
password policy.
Reuse of Existing Usernames
Ensure that the registration process prevents the reuse of
the existing usernames.
Insufficient Email Verification Process Verify that the email verification process adequately verifies
user email addresses.
Weak Registration Implementation -
Allows Disposable Email Addresses
Confirm that the registration process does not allow registration with
disposable email addresses.
Weak Registration Implementation-
Over HTTP
Verify that the registration process is securely implemented and does
not allow registration over an unencrypted HTTP connection.
Overwrite Default Web Application Pages
Confirm that the registration process does not allow specially crafted
usernames that could potentially overwrite or manipulate default
web application pages.
www.infosectrain.com
Registration Feature Testing

4. Test Name Test Case Result
Decode Cookies Using Standard
Decoding Algorithms
Verify that cookies can be successfully decoded using standard
decoding algorithms.
Modify Cookie:Session Token Value Verify if the application correctly handles slight modifications to
session cookie token values.
Test Self-Registration with Similar
Usernames
Check if the application handles self-registration with usernames
containing small variations.
Check Session Cookies and Cookie
Expiration Date/Time
Verify that session cookies have appropriate expiration settings.
Identify Cookie Domain Scope Ensure that session cookies are scoped to the appropriate domain.
Check for HttpOnly Flag in Cookie Confirm that session cookies are marked with the HttpOnly flag.
Check for Secure Flag in Cookie
Ensure that session cookies are marked with the Secure flag if the
application is served over SSL.
www.infosectrain.com
Session Management Testing

5. Test Name Test Case Result
Username Enumeration Verify that the system does not allow username enumeration.
Bypass Authentication using
SQL Injections
Test for bypassing authentication using various SQL injections on the
username and password fields.
Lack of Password Confirmation
Confirm that the system enforces password confirmation when
changing email addresses and passwords and managing 2FA.
Access Violation without Authentication
Check if using resources without authentication is possible,
leading to access violations.
SSL Transmission of User Credentials Confirm that user credentials are transmitted over SSL.
OAuth Login Functionality
Check OAuth login functionality, including roles and potential
security vulnerabilities.
Two-Factor Authentication
Misconfiguration
Check the misconfiguration of two-factor authentication for response
manipulation, status codes, code leakage, reusability, brute-force
protection, integrity validation, and null values.
www.infosectrain.com
Authentication Testing

6. Test Name Test Case Result
Active Account User ID and
Tampering Attempt
Identify a parameter in the application that uses the active account
user ID and attempts tampering to change the details
of other accounts
Enumerate Features Specific to a User
Account and Conduct CSRF Testing
Create a list of features specific to a user account and test for
Cross-Site Request Forgery (CSRF) vulnerabilities.
Change Email and Confirm Server-Side
Validation
Ensure if changing the email address is validated on the server side
and whether the application sends email confirmation links to
new users.
Verify Account Deletion Option with Forgot
Password Feature
Verify the account deletion option and confirm it via the
forgot password feature.
Change Email, Account ID, and User ID
Parameters for Brute Force
Change the email, account ID, and user ID parameters and attempt
brute force attacks on other users’ passwords.
www.infosectrain.com
Post Login Testing

7. Test Name Test Case Result
Failure to Expire Sessions Upon
Logout and Password Reset
Ensure the session is invalidated on logout and password reset.
Check if Forgot Password Reset
Link/Code Uniqueness
Ensure the uniqueness of the password reset link/code.
Check Expiry of Password Reset Link
Verify if the reset link expires if not used within a specific time frame.
Find User Account Identification
Parameter and Attempt Tampering
Identify the user account identification parameter and attempt to tamper
with it to change another user’s password.
Check for Weak Password Policy Examine if password reset enforces a strong password policy.
Check if Active Session Gets
Destroyed upon Changing the
Password
Verify if the active session is destroyed when changing the password.
www.infosectrain.com
Forgot Password Testing

8. Test Name Test Case Result
Test Common Injection Parameters Examine common injection parameters for potential vulnerabilities.
Change URL Parameter Values
Examine if changing the URL parameter value redirects to
the specified URL.
Test Single Slash and URL Encoding Ensure using a single slash and URL encoding in URL parameters.
Use Whitelisted Domain or Keyword
Check if using a whitelisted domain or keyword in parameters
bypasses filters.
Use “//” to Bypass HTTP Blacklisted
Keyword
Check if using “//” in parameters bypasses HTTP blacklisted keywords.
Use Null Byte (%00) to Bypass
Blacklist Filter
Check if using a null byte (%00) in parameters bypasses
blacklist filters.
Use ° Symbol to Bypass Check if the “°” symbol in parameters bypasses security filters.
www.infosectrain.com
Open Redirection Testing

9. Test Name Test Case Result
Supply an Arbitrary Host Header Check the application’s handling of arbitrary host headers.
Check for Flawed Validation Verify if the application has flawed validation for Host headers.
Check Ambiguous Requests
Send ambiguous requests with various Host header manipulations to
observe the application’s behavior.
Inject Host Override Headers
Test the injection of host override headers to ensure that the
application accepts and processes these headers.
www.infosectrain.com
Host Header Injection

10. Test Name Test Case Result
Entry Point Detection Identify vulnerable entry points for SQL injection.
Use SQLmap to Identify Vulnerable
Parameters
Ensure that SQLmap identifies parameters vulnerable to SQL injection.
Run the SQL Injection Scanner on All
Requests
Check if the SQL injection scanner identifies and reports any
SQL injection vulnerabilities.
Bypassing Web Application Firewall
(WAF)
Ensure bypass techniques are effective against the WAF
(Web Application Firewall).
Time Delays Verify the effectiveness of time delays for each database system.
Conditional Delays
Evaluate the impact of conditional time delays for each
database system.
Use ° Symbol to Bypass Check if the “°” symbol in parameters bypasses security filters.
www.infosectrain.com
SQL Injection Testing

11. Test Name Test Case Result
Use HTML Tags if Script Tags Are Banned
Check if the HTML tags are executed as XSS.
Reflect Output Inside JavaScript Variable Check if the output is reflected inside a JavaScript variable and if an
alert payload can be used.
Upload JavaScript Using Image File Check if the JavaScript code is executed when the image is displayed.
Change Method From POST to GET
Check if the payload is executed using the modified method from
POST to GET can bypass filters.
Syntax Encoding Payload Check if the syntax-encoded payload is executed as XSS.
XSS Firewall Bypass
Verify whether the employed XSS firewall bypass techniques effectively
circumvent the XSS firewall.
www.infosectrain.com
Cross-Site Scripting Testing

12. Test Name Test Case Result
Validation of CSRF Token
Confirm whether the CSRF token validation rejects a GET request when
the validation process depends on the request method.
CSRF Token Presence Validation
Check if the application only accept requests with a valid
CSRF token.
The CSRF Token Is Independent of
the User Session
Check if the CSRF token is not associated with the user’s session and
ensure it validate the CSRF token even after the
user session has ended.
validate the CSRF token even after the
user session has ended.
Ensure that the application should validate the CSRF token when the
non-session cookie is included.
Verify Referer Header Presence
Ensure that application should only accept requests with
a valid Referer header.
www.infosectrain.com
CSRF Testing

13. Test Name Test Case Result
FUZZ on the Internal System After SSO
Redirect
Conduct fuzzing on an internal system following redirection to the SSO
system to identify vulnerabilities or misconfigurations
within the internal system.
Craft SAML Request and Server
Interaction
Craft a SAML request with a token and analyze how the server
processes the crafted SAML request.
Test for XML Signature Wrapping
Vulnerabilities
Check if the server is vulnerable to XML Signature Wrapping.
Inject XXE Payloads in SAML Response Check if the server processes the XXE payloads.
SSO for Takeover Assess the possibility of taking over the victim’s account.
SSRF Using Cookie Header URLs
Check if SSRF can be achieved by modifying the IP in the
Cookie header URLs.
www.infosectrain.com
SSO Vulnerabilities

14. Test Name Test Case Result
Change Content Type for XML Injection Verify if the server is vulnerable to XML Injection.
Blind XXE with Out-of-Band Interaction Identifies if the server is vulnerable to Blind XXE attacks.
Errors Parsing Origin Headers
Check if Cross-Origin Resource Sharing (CORS)-related errors
can be triggered.
Whitelisted Null Origin Value Check if the server whitelists null Origin values.
Bypassing Filters Check if filters can be bypassed.
Cloud Instances Check if SSRF vulnerabilities can access cloud instance data.
www.infosectrain.com
XML Injection Testing

15. Test Name Test Case Result
Null Byte (%00) Bypass Check if null bytes can bypass upload restrictions.
Content-Type Bypass Check if content type manipulation can bypass restrictions.
Magic Byte Bypass Identify if magic byte manipulation can bypass upload checks.
Client-Side Validation Bypass Check if client-side validation can circumvent upload restrictions.
Blacklisted Extension Bypass Check if the application effectively enforces extension restrictions.
Homographic Character Bypass Check if homographic characters can bypass filters.
www.infosectrain.com
File Upload Testing

16. Test Name Test Case Result
Missing Captcha Field Integrity Checks Verify if the application performs integrity checks on the Captcha field
and rejects incomplete submissions.
HTTP Verb Manipulation Check if changing HTTP verbs impacts Captcha validation.
Reusable Captcha Check if Captchas are single-use or can be reused.
Server-Side Validation for CAPTCHA Check if the server performs proper Captcha validation independently.
OCR Image Recognition Check if OCR tools can successfully recognize Captcha content.
Absolute Path Retrieval Check if Captcha images are accessible via absolute paths.
www.infosectrain.com
CAPTCHA Testing

17. Test Name Test Case Result
Brute-Forcing Secret Keys
Check if the application’s secret key is resistant to
brute-force attacks.
Creating a Fresh Token Using the “none”
Algorithm
Verify if the application accepts or rejects tokens signed with the
“none” algorithm.
Changing the Signing Algorithm
of the Token
Check how the application responds to changes in the
signing algorithm.
Signing the Asymmetrically-Signed Token
to Symmetric Algorithm Match
Check if the application allows signing transitions from asymmetric
to symmetric algorithms.
www.infosectrain.com
JWT Token testing

18. Test Name Test Case Result
Intercepting and Modifying WebSocket
Messages
Check intercept WebSocket messages and modify the content.
WebSockets Man-in-the-Middle
(MITM) Attempts
Perform a Man-in-the-Middle attack on WebSocket communication.
Test Secret Header WebSocket
Check if the WebSocket implementation relies on secret headers
for authentication.
Content Stealing in Websockets Check if access to sensitive data is transmitted via WebSocket.
Token Authentication Testing in
Websockets
Evaluate if the token-based authentication is secure.
www.infosectrain.com
Websockets Testing

19. Test Name Test Case Result
Inconsistent Authorization Checks
Identify instances where authorization checks are not consistently
applied across different parts of the GraphQL schema.
Missing Validation of Custom Scalars
Identifies any custom scalar types that do not have adequate
validation for input values.
Failure to Appropriately Rate-Limit
Evaluate whether rate-limiting is adequately enforced to prevent
abuse or DoS attacks.
Introspection Query Enabled/Disabled
Determine if the server allows introspection queries that can reveal
schema details.
www.infosectrain.com
GraphQL Vulnerabilities Testing

20. Test Name Test Case Result
XSPA in WordPress Identify if there are any exposed services or ports that may be
susceptible to XSPA.
Bruteforce in wp-login.php
Check if the application effectively prevents or mitigates
brute-force login attempts.
Information Disclosure WordPress
Username
Enumerate usernames and confirm if the application reveals
valid usernames.
Backup File wp-config Exposed
Ensure that backup files or sensitive configuration files
are not accessible.
Log Files Exposed
Confirm if log files containing sensitive data are improperly exposed to
unauthorized users.
Denial of Service via load-styles.php Assess if the file can be abused to launch DoS attacks.
www.infosectrain.com
WordPress Common Vulnerabilities

21. Test Name Test Case Result
Cookie Bomb
Check if the application can handle an excessive number of
cookies effectively.
Pixel Flood (Using Image with Huge Pixels)
Assess the application for vulnerabilities related to
“Pixel Flood” attacks.
Frame Flood (Using GIF with Huge Frame) Check for the application for potential “Frame Flood” vulnerabilities.
ReDoS (Regex DoS)
Assess if the application is susceptible to ReDoS attacks due to
insecure regular expressions.
CPDoS (Cache Poisoned Denial
of Service)
Check if attackers can poison the application’s cache
to cause a DoS condition.
www.infosectrain.com
Denial of Service

22. Test Name Test Case Result
X Frame Options Header Testing
Ensure the application has X-Frame-Options set to DENY or
allow specific domains.
X-XSS-Protection Header Testing Verify the existence and settings of the X-XSS-Protection header.
HSTS Header Testing
Evaluate the presence and configuration of the HTTP Strict Transport
Security (HSTS) header.
CSP Header Testing
Check the presence and configuration of the Content Security
Policy (CSP) header.
Cache Control Header Testing
Check for the presence and correct configuration of Cache
Control headers.
www.infosectrain.com
Security Headers Testing

23. Test Name Test Case Result
Access Control Testing Verify the application’s access control by attempting to access
high-privileged resources with normal user privileges.
Forced Browsing Testing
Verify forced browsing attempts to access restricted or
unlinked resources.
Insecure Direct Object Reference
(IDOR) Testing
Check for IDOR vulnerabilities by attempting to access objects and
data outside of the authorized scope.
Parameter Tampering Testing
Assess the application’s vulnerability to parameter tampering
for privilege escalation.
www.infosectrain.com
Role Authorization Testing

24. Test Name Test Case Result
Time Delays Check if the application prevents time-based command injection.
Output Redirection Conduct blind OS command injection with out-of-band interactions.
www.infosectrain.com
Blind OS Command Injection Testing

25. Test Name Test Case Result
Cryptography Implementation Flaw
Check for implementation flaws, such as hard-coded encryption keys,
weak algorithms, or improper initialization vectors.
Encrypted Information Compromised
Verify if sensitive information, even when encrypted, can be
compromised due to data leaks, insecure key storage,
or weak encryption.
Weak Ciphers Used for Encryption
Identify encryption mechanisms in use and check
if weak ciphers are employed.
www.infosectrain.com
Broken Cryptography

26. Found this useful?
To Get More Insights Through our FREE
Course | Workshops | eBooks | White Paper
Checklists | Mock Tests
Press the Icon &
www.infosectrain.com