salah23222/pentest-checklist
# Web Application Penetration Testing Checklist
A **stack-agnostic**, framework-independent penetration testing checklist for assessing the security of **any** web application — regardless of the language (PHP, Node.js, Python, Java, Go, Ruby, .NET, …), framework, or hosting stack.
Built on industry-standard methodologies: **OWASP WSTG v4.2**, **OWASP ASVS L2**, **OWASP API Security Top 10**, **PTES**, and **NIST SP 800-115**.
## Legal & Ethical Notice
This checklist is intended **only** for authorized security testing — your own systems, or systems you have **explicit written permission** to test. Unauthorized access to computer systems is illegal in most jurisdictions. Always obtain a signed Authorization Letter / Rules of Engagement and an NDA before starting.
## Table of Contents
0. [Pre-Engagement & Scope](#0-pre-engagement--scope)
1. [Information Gathering (WSTG-INFO)](#1-information-gathering-wstg-info)
2. [Configuration & Deployment (WSTG-CONF)](#2-configuration--deployment-wstg-conf)
3. [Identity Management (WSTG-IDNT)](#3-identity-management-wstg-idnt)
4. [Authentication (WSTG-ATHN)](#4-authentication-wstg-athn)
5. [Authorization (WSTG-ATHZ)](#5-authorization-wstg-athz)
6. [Session Management (WSTG-SESS)](#6-session-management-wstg-sess)
7. [Input Validation (WSTG-INPV)](#7-input-validation-wstg-inpv)
8. [Error Handling (WSTG-ERRH)](#8-error-handling-wstg-errh)
9. [Cryptography (WSTG-CRYP)](#9-cryptography-wstg-cryp)
10. [Business Logic (WSTG-BUSL)](#10-business-logic-wstg-busl)
11. [Client-Side (WSTG-CLNT)](#11-client-side-wstg-clnt)
12. [File Upload](#12-file-upload)
13. [API Security](#13-api-security)
14. [Reporting & Retest](#14-reporting--retest)
15. [Reference Tools](#15-reference-tools)
## 0. Pre-Engagement & Scope
- [ ] **Define scope:** domains/IP ranges, modules/features, environments (production vs. staging).
- [ ] **Test type:** Black-box, **Grey-box** (recommended — accounts at multiple privilege levels: viewer, regular user, admin), or White-box.
- [ ] **Rules of Engagement:** testing windows, DoS avoidance, backup before start, emergency contact channel.
- [ ] **Inclusions/exclusions:** install/setup scripts, backup tools, third-party integrations — in or out of scope?
- [ ] **Authorization:** signed Authorization Letter + NDA on file.
## 1. Information Gathering (WSTG-INFO)
- [ ] Fingerprint the server and tech stack (language/runtime, web server, database versions) via headers and error pages.
- [ ] Inspect `robots.txt`, `sitemap.xml`, `manifest`, service workers (`sw.js`), and other PWA files.
- [ ] Enumerate paths and files (dirbuster/feroxbuster/ffuf) — use a normal browser User-Agent to bypass UA-based blocking.
- [ ] Hunt for exposed sensitive files: `.env*`, `.git/`, `*.bak`, `*.sql`, `*.config`, `composer.*`, `package.json`, `*.yml`, dependency lockfiles.
- [ ] Analyze client-side JavaScript (sources, comments, hardcoded keys, hidden endpoints).
- [ ] Search engines + Wayback Machine + public leaks (GitHub, Pastebin, gists) for secrets.
- [ ] Attempt direct access to sensitive server-side files (bootstrap, config, security core, install SQL).
## 2. Configuration & Deployment (WSTG-CONF)
- [ ] Check security headers (CSP, HSTS, X-Frame-Options/frame-ancestors, X-Content-Type-Options, Referrer-Policy, COOP/COEP/CORP).
- [ ] Analyze CSP for bypasses (nonce reuse, `unsafe-inline`/`unsafe-eval`, overly broad allowlisted domains, JSONP gadgets).
- [ ] Test HTTP methods (OPTIONS/PUT/DELETE/TRACE/TRACK) and HTTP verb tampering.
- [ ] Review cookie attributes (HttpOnly, Secure, SameSite, Domain/Path).
- [ ] **Web-server config:** verify that file-access restrictions actually hold in production. Rules written for one server (e.g. `.htaccess` on Apache) are **silently ignored** on others (e.g. nginx) — escalate any gap to critical.
- [ ] Test TLS/SSL (protocol versions, cipher suites, certificate validity, HSTS preload).
- [ ] Look for verbose error messages / stack traces / version disclosure.
- [ ] Find exposed admin or management interfaces (`/admin/*`, DB admin panels, install/setup endpoints).
- [ ] Test setup/install kill-switches and IP allowlists — are they actually enforced in production?
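A small script for the header and cookie items above, added here as an example and not part of the checklist repo. It takes a list of `(name, value)` header pairs from a captured response (the sample at the bottom is constructed) and returns the gaps a tester would note; the 180-day HSTS floor is an assumed threshold.

```python
import re

# Added example, not from the pentest-checklist repo: checks a captured response's
# security headers and Set-Cookie attributes (checklist section 2).
# Input: list of (name, value) pairs; the sample at the bottom is constructed.

REQUIRED = {  # header -> finding text when absent
    "strict-transport-security": "HSTS missing",
    "x-content-type-options": "X-Content-Type-Options missing",
    "referrer-policy": "Referrer-Policy missing",
}
MIN_HSTS_AGE = 15552000  # 180 days, an assumed lower bound for max-age

def audit_headers(headers):
    """Return a list of finding strings for the given (name, value) header pairs."""
    findings, lower, cookies = [], {}, []
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            cookies.append(value)
        else:
            lower[key] = value
    findings += [msg for key, msg in REQUIRED.items() if key not in lower]
    m = re.search(r"max-age=(\d+)", lower.get("strict-transport-security", ""))
    if m and int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age below 180 days")
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        findings += [f"CSP allows {bad}" for bad in ("'unsafe-inline'", "'unsafe-eval'") if bad in csp]
        if "frame-ancestors" not in csp and "x-frame-options" not in lower:
            findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")
    for cookie in cookies:
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        findings += [f"cookie {cname} lacks {attr}" for attr in ("httponly", "secure", "samesite") if attr not in attrs]
    return findings

SAMPLE = [  # constructed response: weak CSP, short HSTS, session cookie missing flags
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Strict-Transport-Security", "max-age=3600"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print("-", finding)
```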
## 3. Identity Management (WSTG-IDNT)
- [ ] User enumeration via login / password-reset / registration responses (do replies differ for valid vs. invalid users?).
- [ ] Account registration policy — who can create accounts, and through which endpoints?
- [ ] Test privileged user-creation endpoints — can an unauthorized actor create an account or assign a role? Is the role allowlist enforced?
- [ ] Enumerate roles and permissions and map them to accounts.
## 4. Authentication (WSTG-ATHN)
- [ ] Brute force against login — verify lockout (e.g. N attempts) and per-IP rate limiting.
- [ ] Lockout bypass: account rotation, header spoofing (`X-Forwarded-For` must **not** affect the trusted client IP — server should use the real socket address).
- [ ] Credential stuffing and weak-password acceptance.
- [ ] Password hash strength (bcrypt/argon2 with appropriate cost) and timing attacks on login.
- [ ] "Remember me" logic, session expiry, and complete logout (server-side invalidation).
- [ ] **MFA:** TOTP bypass, code reuse, brute force on the code, bypass via an alternate flow, and the fail-open vs. fail-closed behavior when the MFA store/table is unavailable.
- [ ] **Password change/reset:** token strength, invalidation of other sessions, no token leakage in URLs/referrers/logs.
- [ ] **Setup/install password gates:** brute force, bypass, session fixation after unlock.
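The lockout-bypass item above hinges on how the server derives the client address. The following is an added example, not code from the checklist repo, of the behaviour a tester should expect to see: `X-Forwarded-For` is honoured only when the TCP peer is a trusted proxy, and a per-address failure counter keyed on that result cannot be reset by rewriting the header. `TRUSTED_PROXIES` and `MAX_ATTEMPTS` are assumed values.

```python
import ipaddress
from collections import defaultdict

# Added example, not from the pentest-checklist repo: resolve the client address
# the way section 4 requires, so X-Forwarded-For spoofing cannot defeat lockout.
# TRUSTED_PROXIES and MAX_ATTEMPTS are assumed values for the example.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed reverse-proxy range
MAX_ATTEMPTS = 5

def client_ip(socket_addr, xff_header=None):
    """Address to rate-limit on.
    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and
    even then we walk it from the right, skipping further trusted hops, because
    everything left of the first untrusted hop is client-controlled."""
    peer = ipaddress.ip_address(socket_addr)
    if not any(peer in net for net in TRUSTED_PROXIES) or not xff_header:
        return str(peer)
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return str(peer)  # malformed header: fall back to the socket address
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return str(peer)  # every hop was a proxy; nothing better to trust

class LoginLimiter:
    """Per-address failed-login counter (a shared store in real deployments)."""
    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, socket_addr, xff_header, password_ok):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        ip = client_ip(socket_addr, xff_header)
        if self.failures[ip] >= MAX_ATTEMPTS:
            return "locked"  # checked before the password, so a correct guess is not confirmed
        if password_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "failed"
```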
## 5. Authorization (WSTG-ATHZ)
- [ ] **Horizontal IDOR:** access another user's/tenant's records by changing an `id` on every endpoint (reports, dashboards, finance, records).
- [ ] **Vertical privilege escalation:** can a low-privilege user reach admin functions via direct links?
- [ ] **Tenant/department scoping:** attempt to switch context (e.g. a `?dept=` / `?org=` parameter) with an unauthorized account — must fail.
- [ ] **Flat access models:** where any authenticated user can write operational data — verify per-action role checks exist server-side.
- [ ] Forced browsing to every admin endpoint without privilege.
- [ ] Mass assignment / parameter tampering (`role`, `department_id`, `is_admin`, `owner_id` fields).
- [ ] Authorization-check bypass via case differences or normalization quirks in permission keys.
## 6. Session Management (WSTG-SESS)
- [ ] Session ID randomness, length, and entropy.
- [ ] Session ID regeneration after login (session fixation).
- [ ] **Single active session:** if enforced, verify the other device is actually evicted (token-hash binding).
- [ ] Idle timeout and absolute maximum session lifetime.
- [ ] **CSRF:** attempt forgery on every state-changing POST/PUT/DELETE — test token-guard bypasses and any endpoints that skip CSRF protection.
- [ ] Cookie fixation/theft (XSS → session) and IP binding.
## 7. Input Validation (WSTG-INPV)
- [ ] **SQL / NoSQL Injection** (manual + sqlmap) on every parameter — especially `ORDER BY` / dynamic column names, search, and filters.
- [ ] **XSS** — reflected, stored, and DOM-based. Focus on rich-text fields, internationalized input, and AJAX responses written via `innerHTML`/`.html()`.
- [ ] **Command Injection** — verify dangerous exec functions are disabled/avoided.
- [ ] **LFI/RFI** and dynamic include/require logic.
- [ ] **Path Traversal** on upload/download endpoints.
- [ ] **SSRF** on any URL fetch / import / webhook feature.
- [ ] **XXE** on any XML processing.
- [ ] **Insecure Deserialization** on user-controlled input.
- [ ] **CSV/Formula Injection** in exports (Excel/CSV/Sheets).
- [ ] **Open Redirect** on redirect/return-URL parameters.
- [ ] **Host Header Injection** and HTTP Request Smuggling.
- [ ] **Template Injection (SSTI)** in any server-rendered templating.
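For the `ORDER BY` / dynamic column-name case in the SQL injection item, this added example (not code from the checklist repo) shows the hardened form a tester should be looking for: identifiers cannot be bound as placeholders, so client sort keys are mapped through an allowlist while values stay parameterized. The `products` table and its rows are constructed.

```python
import sqlite3

# Added example, not from the pentest-checklist repo: the "dynamic ORDER BY /
# column name" case from section 7. Column names cannot be bound as placeholders,
# so the hardened form maps client sort keys through an allowlist and binds the
# values. The products table and rows are constructed for the example.
SORTABLE = {"name": "name", "price": "price", "created": "created_at"}  # client key -> column

def build_query(sort_key, direction, max_price):
    """Return (sql, params); raise ValueError for anything not on the allowlist.
    The pattern the checklist hunts for is f"... ORDER BY {sort_key} {direction}"
    with the raw request values; here only allowlisted identifiers reach the SQL."""
    column = SORTABLE.get(sort_key)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort_key!r}")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError("direction must be asc or desc")
    sql = f"SELECT name FROM products WHERE price <= ? ORDER BY {column} {direction.upper()}"
    return sql, (float(max_price),)

def is_rejected(sort_key, direction, max_price="1"):
    """True when build_query refuses the input (handy for tests and fuzzing)."""
    try:
        build_query(sort_key, direction, max_price)
        return False
    except ValueError:
        return True

def product_names(sort_key, direction, max_price):
    """Run the allowlisted query against an in-memory table and return the names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(name TEXT, price REAL, created_at TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("widget", 9.5, "2024-01-02"), ("gadget", 25.0, "2024-03-01"), ("gizmo", 12.0, "2023-12-30"),
    ])
    sql, params = build_query(sort_key, direction, max_price)
    return [row[0] for row in conn.execute(sql, params)]
```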
## 8. Error Handling (WSTG-ERRH)
- [ ] Information disclosure via errors (file paths, queries, versions, request IDs, internal hostnames).
- [ ] Fail-open vs. fail-closed behavior when components fail (DB, rate-limit store, MFA store, cache).
## 9. Cryptography (WSTG-CRYP)
- [ ] Encryption of sensitive data at rest and key strength.
- [ ] Application secret/key — strength, rotation, and blast radius if leaked (often exposed in `.env` backups).
- [ ] Sensitive data sent over HTTP (must be HTTPS) + cookie `Secure` flag.
- [ ] Token randomness (CSRF, session, reset, MFA recovery) — must use a CSPRNG (`random_bytes`/`crypto`), never weak `rand()`.
## 10. Business Logic (WSTG-BUSL)
- [ ] **Approval/financial workflows:** skip approval steps, self-approval, value tampering after approval, race conditions.
- [ ] Bypass of budget/quantity/date limits.
- [ ] Request replay and concurrency handling (TOCTOU).
- [ ] Workflow-order bypass via direct access or out-of-sequence requests.
## 11. Client-Side (WSTG-CLNT)
- [ ] DOM XSS, `postMessage` abuse, sensitive data in `localStorage`/`sessionStorage`.
- [ ] CORS misconfiguration, clickjacking (`frame-ancestors`), tabnabbing (`target=_blank` without `rel=noopener`).
- [ ] Outdated JS libraries with known CVEs (retire.js).
## 12. File Upload
- [ ] Extension/MIME allowlist bypass (double extension, magic bytes, null byte).
- [ ] Upload an executable file and try to reach it — does the server execute it in the upload directory?
- [ ] Path traversal in filenames, zip-slip, zip bomb, size limits.
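Server-side handling that closes the three upload items above, added here as an example rather than code from the checklist repo: path separators and null bytes are rejected, only the final extension is allowlisted and checked against the file's magic bytes, script extensions are refused anywhere in the name, and the stored name is generated by the server. `ALLOWED`, `SCRIPT_EXTS` and `MAX_BYTES` are example values.

```python
import secrets

# Added example, not from the pentest-checklist repo: server-side checks for the
# section 12 items. Path separators and null bytes are rejected, the final
# extension is allowlisted, server-side script extensions are refused anywhere
# in the name, magic bytes must agree with the extension, and the stored name is
# generated so the client-supplied name never reaches the filesystem.
# ALLOWED, SCRIPT_EXTS and MAX_BYTES are example values.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "pdf": b"%PDF-"}
SCRIPT_EXTS = {"php", "phtml", "phar", "jsp", "asp", "aspx", "cgi", "sh", "exe"}
MAX_BYTES = 5 * 1024 * 1024

def validate_upload(filename, data):
    """Return the server-chosen stored filename, or raise ValueError with the reason."""
    if "\x00" in filename:
        raise ValueError("null byte in filename")
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        raise ValueError("path component in filename")
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED:
        raise ValueError("extension not allowed")
    if any(p in SCRIPT_EXTS for p in parts[:-1]):
        raise ValueError("double extension")  # e.g. shell.php.png
    ext = parts[-1]
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # The stored name is random and carries only the validated extension; the
    # upload directory itself must still be served without script execution.
    return f"{secrets.token_hex(16)}.{ext}"

def rejection_reason(filename, data):
    """None when the upload is accepted, otherwise the ValueError message."""
    try:
        validate_upload(filename, data)
        return None
    except ValueError as exc:
        return str(exc)
```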
## 13. API Security
- [ ] Authn/authz on every endpoint — do `/api/*` and AJAX endpoints actually return 401/403?
- [ ] BOLA/BFLA (OWASP API Top 10), excessive data exposure, rate limiting.
- [ ] Content-Type enforcement, JSON injection, mass assignment.
- [ ] GraphQL-specific: introspection exposure, batching/aliasing abuse, depth/complexity limits.
## 14. Reporting & Retest
- [ ] Report with CVSS v3.1 scoring + reproduction steps + evidence (PoC).
- [ ] Severity classification + business impact + remediation guidance.
- [ ] **Retest** after fixes to confirm closure.
- [ ] Map findings to OWASP ASVS L2 (and any applicable compliance framework) for assurance.
## 15. Reference Tools
Burp Suite · OWASP ZAP · sqlmap · ffuf / feroxbuster · nuclei · nikto · testssl.sh · retire.js · nmap · Semgrep / CodeQL (SAST) · custom scripts.
## License
Released under the [MIT License](LICENSE). Use freely with attribution.
*Based on OWASP WSTG v4.2, OWASP ASVS L2, OWASP API Security Top 10, PTES, and NIST SP 800-115.*