
Pentesting Web checklist


Last updated 2 years ago


Recon phase

  • Large: a whole company with multiple domains

  • Medium: a single domain

  • Small: a single website

Large scope

  • Referenced tools and checks: amass, asnlookup, metabigor, bgp, acquisitions, viewdns

Medium scope

  • Referenced tools and checks: Enumerate subdomains, amass, subfinder, puredns, wordlist, gotator, ripgen, wordlist, httpx, Subdomain takeovers, nuclei-takeovers, cloud assets, cloudenum, Transfer zone, gowitness, webscreenshot, aquatone, githound, gitdorks_go, Port scan, ASN, Shodan, Google dorking, GitHub dorking

Small scope

  • Identify web server, technologies and database (httpx)
  • Web fuzzing / Directory enumeration (ffuf and wordlist)
  • Find leaked ids, emails (pwndb)
  • Identify WAF (whatwaf, wafw00f)
  • /Github tools (, )
  • Get urls (gau, waybackurls, gospider)
  • Check potential vulnerable urls (gf-patterns)
  • Automatic XSS finder (dalfox)
  • Broken link hijacking (blc)
  • Get all JS files (subjs, xnLinkFinder)
  • JS hardcoded APIs and secrets (nuclei-tokens)
  • JS analysis (subjs, JSA, xnLinkFinder, getjswords)
  • Run automated scanner (nuclei)
  • Test CORS (CORScanner, corsy)
  • Check DMARC/SPF policies (spoofcheck)

Network

  • Open ports with Shodan
  • to all ports
  • Check UDP ports (udp-proto-scanner or nmap)
  • Test SSL (testssl)
  • If got creds, try password spraying for all the services discovered

Preparation

User management

Registration

  • Insufficient email verification process (also my%00email@mail.com for account tko)
  • SQL Injections
  • Check for password wordlist (cewl and burp-goldenNuggets)

Authentication

  • Test OAuth login functionality for Open Redirection
  • Test response tampering in authentication
  • If SAML, check common flaws
  • JWT
  • Try login with common credentials
  • Bypass tokens (AntiCSRF)

Session

  • Create a list of features that are pertaining to a user account only and try Cross-site request forgery (CSRF)

Profile/Account details

  • File upload: eicar, No Size Limit, File extension, Filter Bypass, burp extension, RCE
  • Check profile picture URL and find email id/user info or EXIF Geolocation Data
  • Metadata of all downloadable files (Geolocation, usernames)
  • Reflected XSS

Forgot/reset password

  • HTTP header injection in GET & POST (X-Forwarded-Host)

Input handling

  • Path traversal, LFI and RFI
  • XXE in any request, change content-type to text/xml
  • Stored XSS
  • SQL injection with ' and '--+-
  • NoSQL injection
  • HTTP Request Smuggling
  • Open redirect
  • SSRF in previously discovered open ports
  • Try to discover hidden parameters (arjun or parameth)

Error handling

Application Logic

  • Check for test credit card number allowed like 4111 1111 1111 1111 (sample1, sample2)

Other checks

Infrastructure

  • Virtual hosting misconfiguration (VHostScan)
  • Test cloud storage

CAPTCHA

  • Bypass with OCR tool (easy one)

Security Headers