Pentesting Web checklist
Supaya kamu ga pusing harus ngapain aja kalo mau pentest web ya.
Last updated
Was this helpful?
Supaya kamu ga pusing harus ngapain aja kalo mau pentest web ya.
Last updated
Was this helpful?
Identify web server, technologies and database ()
Web fuzzing ( and )
Find ()
Identify WAF (, )
/Github tools (, )
Get urls ( , , )
Check potential vulnerable urls ()
Automatic XSS finder ()
Broken link hijacking ()
Get all JS files (, )
JS hardcoded APIs and secrets ()
JS analysis (, , , )
Run automated scanner ()
Test CORS (, )
Check DMARC/SPF policies ()
Open ports with
to all ports
Check UDP ports ( or nmap)
Test ()
If got creds, try password for all the services discovered
(also my%00email@mail.com for account tko)
Check for password wordlist ( and )
Test 0auth login functionality for
Test response tampering in authentication
If , check common flaws
Try login with common
Bypass tokens
Create a list of features that are pertaining to a user account only and try
File : , No Size Limit, File extension, Filter Bypass, extension, RCE
Check profile picture URL and find email id/user info or
of all downloadable files (Geolocation, usernames)
HTTP in GET & POST (X Forwarded Host)
Path , LFI and RFI
in any request, change content-type to text/xml
Stored
injection with ' and '--+-
injection
HTTP Request
in previously discovered open ports
Try to discover hidden parameters (or )
Check for test credit card number allowed like 4111 1111 1111 1111 ( )
hosting misconfiguration ()
Test storage
Bypass with OCR tool ()