Web Application28 items

Web Application Pentest Checklist

A structured penetration testing checklist for web applications covering all critical attack surfaces. This checklist guides testers through reconnaissance, vulnerability discovery, exploitation, and reporting phases aligned with OWASP and PTES methodologies.

OWASP Top 10OWASP WSTGPTESNIST SP 800-115

Progress: 0 of 28 items

Define scope of target URLs, subdomains, and IP rangesinfo

Document all in-scope and out-of-scope assets including third-party integrations.

Obtain signed authorization and rules of engagementinfo

Ensure legal authorization covers all testing activities including automated scanning.

References

PTES Pre-engagement Interactions

Identify testing environment (production, staging, or dev)

Confirm whether testing will be conducted against production or a mirrored environment.

Establish emergency contacts and communication channels

Document escalation procedures in case of service disruption or critical findings.

Review application architecture and technology stack documentation

Gather information about frameworks, languages, and infrastructure in use.

Enumerate subdomains using passive and active techniquesinfo

Use tools like Subfinder, Amass, and certificate transparency logs.

Commands

subfinder -d target.com -silent

amass enum -passive -d target.com

curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r ".[].name_value" | sort -u

References

Perform directory and file brute-forcingmedium

Use Gobuster, Feroxbuster, or ffuf to discover hidden endpoints, backup files, and admin panels.

Commands

gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -t 50

ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -mc 200,204,301,302,403

feroxbuster -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt

References

Identify web server, framework, and CMS versionslow

Fingerprint technologies using Wappalyzer, WhatWeb, or response header analysis.

Commands

whatweb -a 3 https://target.com

curl -sI https://target.com

References

OWASP WSTG - Fingerprint Web Server

Review robots.txt, sitemap.xml, and security.txt

Check for exposed paths, disallowed directories, and security contact information.

Commands

curl -s https://target.com/robots.txt

curl -s https://target.com/sitemap.xml

curl -s https://target.com/.well-known/security.txt

References

OWASP WSTG - Review Webserver Metafiles

Crawl the application and map all endpoints

Use Burp Suite Spider or ZAP to build a comprehensive site map.

References

OWASP WSTG - Map Application Architecture

Identify API endpoints and JavaScript-exposed routesmedium

Analyze JavaScript bundles and network traffic for undocumented API calls.

Commands

katana -u https://target.com -jc -d 5

gau target.com | grep -E "\.js$"

References

OWASP WSTG - Map Execution Paths Through Application

Test for SQL injection across all input parameterscritical

Use both manual payloads and automated tools like sqlmap on GET, POST, and cookie parameters.

Commands

sqlmap -u "https://target.com/page?id=1" --batch --risk=3 --level=5

sqlmap -r request.txt --batch --dbs

Evidence to capture

sqlmap output confirming the vulnerable parameter, DBMS version, and a screenshot of extracted database contents (or a benign proof such as `SELECT @@version`).

References

Cheat sheet · /cheat-sheets/sql-injection

Test for Cross-Site Scripting (reflected, stored, and DOM-based)high

Inject XSS payloads into form fields, URL parameters, headers, and dynamic content areas.

Evidence to capture

screenshot of the affected URL with the rendered XSS payload (e.g. an alert() box) and the raw HTTP request/response showing reflected input.

References

Cheat sheet · /cheat-sheets/xss

Assess authentication mechanisms for weaknesseshigh

Test for brute-force protections, credential stuffing resilience, default credentials, and password policy enforcement.

Commands

hydra -L users.txt -P passwords.txt https-post-form "/login:username=^USER^&password=^PASS^:F=invalid"

References

Test session management for fixation, hijacking, and expiration issueshigh

Verify session tokens are regenerated after login, cookies have Secure and HttpOnly flags, and sessions expire appropriately.

References

Check for insecure direct object references (IDOR)high

Attempt to access other users' resources by manipulating object identifiers in URLs and API calls.

Evidence to capture

paired Burp requests from two different user accounts showing User A successfully reading or modifying User B's resource (with redacted PII as appropriate).

References

Test for Server-Side Request Forgery (SSRF)critical

Probe URL parameters, file imports, and webhook configurations for internal network access.

Evidence to capture

raw response showing internal-only content (e.g. AWS metadata at 169.254.169.254 or an internal admin page) returned through the vulnerable parameter.

References

Cheat sheet · /cheat-sheets/ssrf

Verify CSRF protections on state-changing operationsmedium

Confirm anti-CSRF tokens are present and validated on all forms and AJAX requests.

References

Attempt privilege escalation between user rolescritical

Test horizontal and vertical privilege escalation by accessing endpoints belonging to higher-privileged roles.

Evidence to capture

side-by-side request/response pairs from a low-privilege account showing successful access to admin functionality, plus the resulting state change.

References

Test file upload functionality for remote code executioncritical

Upload web shells, polyglot files, and bypass extension/MIME type restrictions.

Evidence to capture

uploaded webshell URL plus screenshot/HTTP response demonstrating command execution (e.g. `id` output) on the application server.

References

Cheat sheet · /cheat-sheets/command-injection

Exploit identified injection vulnerabilities to assess impacthigh

Chain discovered vulnerabilities to demonstrate real-world impact such as data exfiltration.

Test for business logic flaws in transaction and workflow processeshigh

Bypass pricing logic, manipulate multi-step workflows, and test race conditions.

References

Verify security headers and Content Security Policy effectivenessmedium

Check for missing X-Frame-Options, HSTS, CSP, and other security headers.

Commands

curl -sI https://target.com

testssl.sh --headers https://target.com

References

Document all findings with proof-of-concept evidence

Include screenshots, HTTP request/response pairs, and reproduction steps.

Classify findings using CVSS scoring and business impact

Assign severity ratings based on exploitability, impact, and affected asset criticality.

Provide actionable remediation guidance for each finding

Include specific code fixes, configuration changes, and reference documentation.

Prepare executive summary for non-technical stakeholders

Summarize overall risk posture, critical findings, and prioritized remediation roadmap.

Clean up all testing artifacts and temporary accounts

Remove uploaded files, test data, and any accounts created during the engagement.

Related Vulnerabilities

Broken Access Control

critical

Injection

critical

Security Misconfiguration

medium

Server-Side Request Forgery

high

Industries Using This Checklist

Financial Services & Banking

Healthcare

Web Application Pentest Checklist

Pre-Engagement

Reconnaissance

Vulnerability Assessment

Exploitation & Testing

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy