Web Application PenTest

Information Gathering/Information Leakage

  • Identify the product information with the latest version

  • Outdated components or known vulnerability (CVE) found in the identified product

  • Access to the default URL or admin page of the identified product

  • Any opening port other than 80 and 443

  • Any sensitive data found on the website


  • HTTPS is enabled and only TLS 1.2 or above is available

  • Correctness of the certification information

  • SSL Certificate strength, at least > 2048 bits

  • Weak Ciphers are supported


  • Only use the POST HTTP method to transfer the login data

  • Possible to change the valid session with another user id during the login process

  • Browser back to resend the login

  • Possible to identify user id from the application response/behaviour

  • Cached in session key or cookie with login information / sensitive data

  • Default / guessable login credentials used

  • Implemented effective logout mechanism, e.g. invalidate the session and login required

  • Implemented session timeout, e.g. max of 1 hour if no business requirement.

  • Implemented CAPTCHA or other brute force attack prevention mechanism

  • Implemented account locking mechanism

  • Does not allow multiple logins


  • Possible to obtain higher-level function access

  • Possible to obtain other user’s data

  • Is the site structure guessable and accessible

  • Vulnerable to Path Traversal attack

Password Management

  • What is the password policy

  • Allow change password

  • Implemented the maximal length of the password

  • Vulnerable to the reset password process

  • Session-Id stored in the cookie only

  • Vulnerable to the Session fixation or CSRF attack

  • Session-Id change after login

  • Session-Id guessable

  • The cookie session lifetime setting, expired when the browser is closed

  • Restricted the cookie access within the same domain, HTTP Only and secure flag enable

Broken Access Control

  • Higher Privilege functions should not be able to be executed by lower privilege

  • Server-side checking implementation or hidden URL or parameter driven

  • JS Functions via the developer console

  • Copy and Paste of URL


  • Input data are parsed or encoded for output

  • Implemented the server-side parsing mechanism

  • CSP enables correctly

  • Parameter bypass Character

    • // /\ \\ %00 @ ''

    • URL encoding

    • double encodings

  • Captcha Bypass

    • Change of HTTP request type

    • Modify or remove the captcha parameter

    • Parameter pollution

    • No timeout or session mechanism

    • Guessable

  • Open redirect bypass

    • JS open redirects

    • Hiddenlink open redirects

    • using // /\ %00 @ to bypass

    • Parameter pollution

  • JWT

    • Secret is leaked

    • The server never checks the secret

    • The secret is guessable or brute forceable

  • CSRF

    • Check the CSRF Token exists on the CRUD action

    • Server-side or client-side validation

    • Token length and guessable

    • Any parameter with token

    • Accepts empty parameter

    • Responds without CSRF token

    • The token is not session bound

  • Vulnerable to Injection of

o XSS (included: Reflected, Stored and DOM Based )

o SQL (included: Error, Union, Boolean, and time base)

o XPath


o Command


Web Service API

  • Guessable of the API service call

  • Authentication required

  • Authorization implemented

  • All input validate on the server-side

  • All input/output data format is defined with validation control

Others check

  • Clickjacking

  • Frame Tampering

  • Invalidated redirects and forwards

  • Secure HTTP Respond Header setting

  • Error handling

  • File upload control

Last updated