Web Pentesting Checklist
A raw checklist compiled from day-to-day test cases, Hackerone reports and unusual observations.

1. CVE

2. Session Fixation

  • same character length + arbitrary/repetitive sequence
  • expired cookie value
  • expired cookie value from another user role

3. XSS

  • Check in account login/signin ReturnUrl parameter. The payload may be reflected in another page after login[https://hackerone.com/reports/438240]
  • All functions
  • All parameters
  • POST to GET with URL Encoding
  • Double URL Encoding
  • UTF-16 Encoding
  • XSS in caption of image. It is executed when the image is rendered.

4. DOM XSS

5. CORS

  • OPTIONS Enabled? [Only required when we send extra headers]
  • Set Origin Header to null
  • To send cookies -> withCredentials=true

6. SAML

  • Message Expiration
  • Message Replay
  • Signature missing
  • Signature validated
  • Self-Signed Signature
  • XML Signature Wrapping
  • XML External Entity
  • Dupe Key Confusion

7. Unrestricted File Upload

  • Bypassing Client side protection
  • .txtD.exe [replace D(44) with 00 in Hex]
  • Null Byte Injection
  • Double Extensions [.txt.exe]
  • ZIP containing EICAR file
  • Use of semicolon after the forbidden extension and before the permitted extension example: file.asp;.jpg (Only in IIS 6 or prior - not sure, if it exists for more?)
  • Check if signature for file upload (so that it is not tampered) is being checked with its file name and not the content inside it.

8. Formula Injection

9. SSL/TLS

  • Test reneg upto 10-15 times only using openssl

10. Hidden HTML Elements

  • disabled="disabled"
  • ng-disabled="data.isViewOnly"

11. Anti-CSRF

  • Try to re-use one user Anti-CSRF Token on another user account
  • Try to use the already used token
  • Try to check whether token is getting validated or not
  • Try to check that the token validation is based on partial length check or full length check

12. json CSRF

  • Change Content-Type from application/json to text/plain
  • Flash CSRF using "spider" (compatibility: firefox 60.0, chrome(all) )

13. CSRF

  • _method=post in GET parameter to switch put request to post
  • Checking for any unique token in body of the request
  • Checking for any unique token in request headers
  • Checking Content-Type of the request header –> If the request of the body is application/json, we’ll check whether other content types are accepted or not like application/x-www-form-urlencoded and what not.
  • Checking for any referer checks [missing referrer header if allowed by application - ]

14. Dangerous Request Methods

  • TRACE

15. Session not invalidated

  • check if the session is invalidated by sending in-session request
  • Check using 2 concurrent browsers that if password has been reset for one account, then the same account logged in another browser should automatically logout. [Session Not Invalidated After Password Reset]

16. Time-of-check Time-of-use (TOCTOU) Race Condition

  • Race condition allows multiple execution of same request[2nd request results in failure but race condition allows it.]
  • Race condition allows to execute multiple requests for which checks when failed are being raced down eg. use bonus points more than once. [Burp Intruder]
  • Claim multiple tokens through intruder and block another user from acessing a token if there is a limited pool [https://hackerone.com/reports/488985]

17. Miscellaneous

18. Cache Poisoning

19. Violation of secure design principles

20. Improper Access Control - Generic

21. Improper Authentication

  • An error in our OAuth2 flow for central.uber.com allowed an attacker to leverage an open redirect that allowed for a full account takeover. When logging into central.uber.com, the state parameter for login.uber.com contained a redirect location instead of a CSRF token. As a result, an attacker could modify the state parameter to have a poisoned central.uber.com path which would redirect to a custom domain after login and allow them to steal an account OAuth access token.[https://hackerone.com/reports/206591]
  • If a user has an access token to an app, see if that can still be used after the user is removed. [https://hackerone.com/reports/700831]

22. Privilege Escalation

23. OTP Bypass

  • Changing the reply of OTP validation from server - "false" to "true" and the client(js) sends another subsequent request to server which is performed without remembering that the OTP was denied previously.

24. Graphql Injection

25. IDOR (Insecure Direct Object Reference)

26. XXE

  • Blind XXE through URL Redirect [eg. abc.com?q=attacker_host/mal.xml]
  • Basic OOB
  • OOB using Parameter Entities eg. %

27. Password change does not require current password

  • Send a blank value in the parameter both from the UI and burp
  • Completely remove the parameter and its value

28. No Account Lockout Policy

  • Try to login using the different browser, ip to bypass account lockout.

29. Open URL Redirect

30. Information Disclosure

31. Open ID Connect (OIDC)

32. Oauth [2.0]

  • Reflected XSS in Error Page
  • Invalidating oauth2 bearer token hardcoded in the application makes a service unavailable. [https://hackerone.com/reports/210779]
  • "callback_url" can include path instead of complete URI. Use path which consists of open URL redirect within the application and the oauth token will land on attacker site [https://hackerone.com/reports/110293]
  • The request that responds with a JWT. Try changing the email value in the final request of Oauth process to get the JWT bound to that email id entered. [https://hackerone.com/reports/729960]

33. SSRF

  • Using an IPv6 vector ([::]) Reports - https://hackerone.com/reports/386292 https://hackerone.com/reports/381129. Some Slack features like "Integrations / Phabricator" and "Integration / Slash Commands" allow users to submit URL that will be accessed by the backend servers. A blacklist tries to forbid access to internal resources (loopback, 10.0.0.0/8, 192.168.0.0/24, ...). This blacklist can be bypassed using "[::]" as the hostname. Only services binding all the interfaces and supporting IPv6 can be reached using that vector. :: is the IPv6 "unspecified" address, equivalent to 0.0.0.0 - the [] is notation to separate the address from the port specifier.
  • User can change svg-files that browser send to server, and can insert own xlink:href object and : 1.Link to local image files, to fingerprint versions of libraries installed on server 2."Billion laughs" attack, possible DoS attack to converter server 3.Try to change protocol to ftp and connect to ftp-servers 4.Try to exploit vulnerabilities like "Imagetragic", or XXE

34. XSSI (Cross Site Script Inclusion)

35. HTTP Request Smuggling attack

  • CL.TE
  • TE.CL
  • TE.TE

36. XPath Injection (Normal/Blind)

  • Check in language parameter (eg. lang=en)
  • Currency Parameters (eg. p=aed, p=inr)

37. XSPA (Cross-Site Port Attack)

  • Confirm if the IP addresses are internal and not the ones obtained from webhooks of external hosts

38. Server-Side Template Injection

39. Directory Traversal

  • URL Encode the file name whose access has been forbidden.
  • X-HTTP-Method: PUT
  • X-HTTP-Method-Override:
  • X-Method-Override:

41. Apache multiviews attack

  • GET /index HTTP/1.1

42. Business Logic flaw

43. Application Misconfiguration

44. DoS (Denial of Service)

  • Stacking up heavy resources on a page such that the page takes long enough to load which results in reverse proxy (eg. cloudflare) to disconnect the HTTP session [https://hackerone.com/reports/125587]

45. RCE (Remote Code Execution)

46. reCaptcha

  • Disable javascript to check if reCaptcha can be bypassed
  • TOCTOU race condition
  • Posting reviews/voting

47. JWT (JSON Web Tokens)

  • set Signature : "None", remove signature but keep the ".". Format - "H.P."
  • {“alg”: “HS256”,“typ”: “JWT”}.{“uid”: “1234567890”,“sessionid”: “ALPHANUMERIC ID”}.SIGNATURE > {}.{“uid”: “1234567890”}
  • JWT secret key to sign for RS256 algo. is present in javascript
  • Key Confusion Attack [RS to HS]
  • JWK [CVE-2018-0114 Attack]

48. Cryptographic Issues

  • CAA rule applied? [dns.google.com RR type - 257]

49. CSS Escape sequences

  • Image URL's in profile/About me are replaced by internal image proxy URL's. Replace text with hexadecimal as parser doesn't support CSS escape sequences [https://hackerone.com/reports/745953]

50. Cross-Site Information leak

51. SSO

52. Github

  • Search for sensitive keys eg. Cloud API keys

53. Cross site web socket hijacking (CSWSH)

54. SMTP injection

55. Spring Boot Actuator

56. Cloudflare bypass

57. 2020 Top portswigger research