Web App Pen Testing Checklist: Your Detailed Guide

The annual cost of cybercrime damage is growing every year. In 2023, the US saw a 22% spike in cybercrime losses, reaching a staggering $12.5 billion. Business email compromise, investment scams, ransomware, and tech support frauds were the top culprits. Globally, cybercrime is projected to jump to $23.84 trillion by 2027.

While preventing every attack is virtually impossible, beefing up your security is absolutely achievable. How? Penetration testing for web applications, often called “web app pen testing,” is a proactive move to find weaknesses in your app before hackers break in.

QAwerk penetration testing “Do’s & Don’ts”: our web penetration testing checklist is grounded in practical experience, and each section adds the shortcuts and warnings our engineers rely on. With over nine years in cybersecurity, QAwerk has performed penetration testing for over 1,000 apps with a 98% success score.

This checklist is a detailed guide on how to thoroughly examine web applications for vulnerabilities, phase by phase, with Do’s and Don’ts for each.

Web App Pen Testing Workflow

Penetration testing isn’t an exact science, and it would be impractical to define an exhaustive list of all potential vulnerabilities. To conduct web application pen testing thoroughly and consistently, businesses typically rely on checklists. These checklists help ensure complete security coverage. The following checklist can be used in-house or as an RFP (Request for Proposal) template when outsourcing. Let’s dive into the key steps of web app pen testing.

Information Gathering

The first step in a web app pentest is information gathering, the groundwork for everything that follows. It involves systematically collecting data about the target: its structure, technology stack, workflows and business logic, in order to identify potential attack vectors. This phase sets the stage for all subsequent testing, ensuring a focused and informed approach to finding vulnerabilities.

Passive Reconnaissance:

  • Identify the IP address and ASN (autonomous system number)
  • Identify subdomains and alternate domains using DNS records and third-party search engines (certificate transparency logs, passive DNS) with the help of enumeration tools
  • Use OSINT methodology to analyze publicly available information (like social media, forums, code storage systems, and shared API collections) for insights on the target

Active Reconnaissance:

  • Use automated and semi-automated tools to discover sensitive files, parameters, and the web technologies in use
  • Identify business logic of the application
  • Map the application’s attack surface (URLs, parameters, APIs)
Do’s:
  • Do start with passive techniques that never touch the target system, and move to active probing only within the agreed scope
  • Do use different security testing tools like Burp Suite, OWASP ZAP, or Nikto to scan and analyze the attack surface
  • Do maintain an organized repository of gathered information for easy reference and analysis
Don’ts:
  • Don’t overlook robots.txt files, sitemap.xml, or other easily accessible files that might reveal sensitive information
  • Don’t overlook the importance of non-technical data such as company policies and employee information
  • Don’t ignore the legal and ethical boundaries of information gathering
  • Don’t use intrusive tools or techniques that could trigger alarms or cause disruptions without prior consent
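A first attack-surface map can be built from exactly the low-hanging sources listed above: robots.txt Disallow entries, sitemap.xml, and the URLs seen in the proxy history while browsing. The script below is an added example written for this article, not QAwerk’s tooling; the host shop.example.test and all three inputs are constructed, and in a real engagement they would come from the fetched files and the Burp/ZAP history export.

```python
"""Build a first attack-surface map (path -> query parameter names) from
robots.txt, sitemap.xml and proxy history. Added example; inputs are constructed."""
from collections import defaultdict
from urllib.parse import urlparse, parse_qs
import xml.etree.ElementTree as ET

# Constructed stand-in for https://shop.example.test/robots.txt
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql.bak
Disallow: /api/internal/
Allow: /api/public/
Sitemap: https://shop.example.test/sitemap.xml
"""

# Constructed stand-in for https://shop.example.test/sitemap.xml
SITEMAP_XML = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://shop.example.test/</loc></url>
  <url><loc>https://shop.example.test/products?category=shoes&amp;sort=price</loc></url>
  <url><loc>https://shop.example.test/account/orders?id=1001</loc></url>
</urlset>
"""

# Constructed: URLs observed in the intercepting proxy while using the app
PROXY_HISTORY = [
    "https://shop.example.test/products?category=bags&page=2",
    "https://shop.example.test/api/v1/users/42/orders?status=open",
    "https://shop.example.test/search?q=test&debug=1",
]


def robots_paths(text):
    """Return (rule, path) pairs for Allow/Disallow lines; Disallow is the interesting one."""
    found = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("disallow", "allow") and value.strip():
            found.append((key.strip().lower(), value.strip()))
    return found


def sitemap_urls(xml_text):
    """Extract <loc> URLs from a sitemap document."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.findall("sm:url/sm:loc", ns) if loc.text]


def build_surface(urls):
    """Map each path to the union of query parameter names seen on it."""
    surface = defaultdict(set)
    for url in urls:
        parsed = urlparse(url)
        params = parse_qs(parsed.query, keep_blank_values=True)
        surface[parsed.path or "/"].update(params.keys())
    return dict(surface)


def attack_surface(robots_txt, sitemap_xml, history):
    """Combine all sources; robots Disallow paths are added even without parameters."""
    surface = build_surface(sitemap_urls(sitemap_xml) + history)
    for rule, path in robots_paths(robots_txt):
        if rule == "disallow":
            surface.setdefault(path, set())  # hidden paths are exactly what we want to probe
    return surface


if __name__ == "__main__":
    for path, params in sorted(attack_surface(ROBOTS_TXT, SITEMAP_XML, PROXY_HISTORY).items()):
        print(f"{path:32} params={sorted(params) or '-'}")
```

Every path in the output becomes a target for the later phases: paths that appear only in robots.txt go to configuration testing, every parameter name goes to the data validation fuzzing list, and identifiers such as `id` and the `/users/42/` segment go straight to the authorization tests.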

“Information gathering is like getting to know your opponent before a big game. It’s about spotting the weak areas, understanding the playing field, and making sure we’re one step ahead. Each of these steps helps us see what a potential attacker might see, but use it to strengthen our defense.”

Denys, QA engineer at QAwerk

Configuration & Deployment Management Testing

Security misconfiguration is a major cause of data breaches, ranking fifth in the OWASP Top 10 list of web vulnerabilities. Configuration and deployment testing ensures that system settings and practices don’t leave your app vulnerable.

In early 2024, Microsoft revealed a breach where hackers exploited a legacy non-production test tenant account without multi-factor authentication (MFA) to access emails from senior staff and cybersecurity teams. This incident is a great reminder that test and legacy accounts should either be decommissioned when no longer in use or should be maintained with the same security standards as production accounts.

At QAwerk, we do the following:

  • Check for default credentials on login interfaces
  • Validate security configurations in the web server, application server, and database
  • Identify risky services, directories, and files that may expose sensitive information
  • Assess network communications and their configuration for weaknesses (weak cipher suites, outdated TLS versions, certificate issues)
  • Check third-party components and libraries for known vulnerabilities
Do’s:
  • Do enumerate directories and files, review documentation, and examine infrastructure and application login interfaces
  • Do examine the metadata provided by the server during interaction to uncover potential version-related vulnerabilities
  • Do use tools such as Nmap (with scripts like ssl-enum-ciphers) and Nessus to identify ports running SSL/TLS services and evaluate their configuration
Don’ts:
  • Don’t neglect to identify and assess remnants of old documentation, backup files, or outdated references
  • Don’t forget to examine the responses from the OPTIONS HTTP method using tools like Burp Suite or ZAP to unveil potential misconfigurations, as well as unexpected or unsecured endpoints
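The two Do’s above (server metadata, OPTIONS responses) can be turned into a repeatable check over captured response headers. The script below is an added example for this article, not QAwerk’s tooling; both header sets are constructed, the first imitating a loosely configured Apache/PHP host answering OPTIONS /, the second the same host after hardening. The 180-day HSTS threshold is an assumption chosen for the example, not a requirement the page states.

```python
"""Audit HTTP response headers for configuration weaknesses.
Added example; the WEAK and HARDENED header sets are constructed."""
import re

RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}
VERSION_RE = re.compile(r"/\d+\.\d+")  # e.g. "Apache/2.4.41", "PHP/7.4.3"
MIN_HSTS_AGE = 180 * 24 * 3600          # assumed policy threshold for this example

REQUIRED = {
    "strict-transport-security": "HSTS missing: TLS stripping on first visit remains possible",
    "content-security-policy": "Content-Security-Policy missing: no mitigation for injected script",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
}


def audit_response(headers):
    """Return a list of findings for one response's headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 1. Version disclosure in server metadata
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        if name in h and VERSION_RE.search(h[name]):
            findings.append(f"version disclosure in {name}: {h[name]}")

    # 2. Dangerous methods advertised in the Allow header of an OPTIONS response
    if "allow" in h:
        allowed = {m.strip().upper() for m in h["allow"].split(",")}
        risky = sorted(allowed & RISKY_METHODS)
        if risky:
            findings.append(f"OPTIONS advertises risky methods: {', '.join(risky)}")

    # 3. Missing hardening headers
    for name, message in REQUIRED.items():
        if name not in h:
            findings.append(message)
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options and no CSP frame-ancestors: clickjacking possible")

    # 4. HSTS present but too short-lived
    if "strict-transport-security" in h:
        m = re.search(r"max-age=(\d+)", h["strict-transport-security"])
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below 180 days")
    return findings


# Constructed: OPTIONS / response from a loosely configured host
WEAK = {
    "Server": "Apache/2.4.41 (Unix) PHP/7.4.3",
    "X-Powered-By": "PHP/7.4.3",
    "Allow": "GET, HEAD, POST, OPTIONS, TRACE, PUT",
    "Content-Type": "text/html",
}

# Constructed: the same host after hardening
HARDENED = {
    "Server": "Apache",
    "Allow": "GET, HEAD, POST, OPTIONS",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(headers) or "no findings")
```

In practice the function is run over every distinct response captured in the proxy (not only the home page), since hardening headers are often applied per virtual host or per framework route and a single forgotten backend path can undo them.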

Authentication Testing

Authentication testing is a big part of web application pen testing. It ensures that users are who they claim to be. Key areas include login processes, password policies, session management, and MFA. Authentication testing helps stop hackers from account takeover. Here are the main steps:

  • Test for weak password policies and assess password storage mechanisms
  • Attempt brute force and credential stuffing attacks
  • Check for the implementation of MFA
  • Validate session management and identify session fixation or hijacking vulnerabilities
  • Investigate brute force protection and account lockout mechanisms
Do’s:
  • Do check if it’s possible to “reuse” the session after logging out
  • Do check whether any sensitive information remains stored in the browser cache after logout
  • Do review the complexity and uniqueness of security questions
  • Do investigate for possible SQL injection points within the authentication process
  • Do use fuzzing tools (Burp Intruder, ffuf and similar) with default and weak-password lists to test credentials, within the agreed scope
Don’ts:
  • Don’t assume that MFA is unbreakable. Test for potential bypass methods, such as exploiting fallback authentication methods or flaws in MFA implementation
  • Don’t perform brute force attacks without explicit permission from the organization, as these can lead to account lockouts and service disruption
  • Don’t neglect to test whether sessions are properly invalidated after logout or inactivity
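“Investigate brute force protection and account lockout mechanisms” is best done by probing how the lockout is keyed, not just whether it exists. The script below is an added example for this article, not QAwerk’s code. The target is a constructed in-memory login service whose lockout counter is keyed on the client IP taken from the X-Forwarded-For header; that design is an assumption made for the example (it is a common misconfiguration behind reverse proxies), not a flaw the page attributes to any real product. The wordlist and the account are constructed too.

```python
"""Probe brute-force protection: does rotating X-Forwarded-For bypass the lockout?
Added example; the MockLogin target and its flaw are constructed for illustration."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # kept low so the example runs quickly


class MockLogin:
    """Constructed target: locks a client out after MAX_FAILS failed attempts.
    Passwords are stored as salted PBKDF2 hashes; the flaw is in _client_id, not storage."""
    MAX_FAILS = 5

    def __init__(self, users):
        self._users = {}
        for username, password in users.items():
            salt = os.urandom(16)
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            self._users[username] = (salt, digest)
        self.failures = {}

    def _client_id(self, headers, peer_ip):
        # Assumed flaw: trusts the client-supplied header over the socket peer address,
        # so an attacker chooses which counter each attempt lands in.
        return headers.get("X-Forwarded-For", peer_ip)

    def login(self, username, password, headers=None, peer_ip="203.0.113.10"):
        cid = self._client_id(headers or {}, peer_ip)
        if self.failures.get(cid, 0) >= self.MAX_FAILS:
            return 429  # locked out
        record = self._users.get(username)
        if record is not None:
            salt, stored = record
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(stored, candidate):
                return 200
        self.failures[cid] = self.failures.get(cid, 0) + 1
        return 401


def probe_lockout(target, username, wordlist, spoof_header=False):
    """Try each guess in order; optionally send a fresh X-Forwarded-For per attempt.
    Returns (list of status codes, cracked password or None)."""
    statuses, cracked = [], None
    for i, guess in enumerate(wordlist):
        headers = {"X-Forwarded-For": f"10.0.{i // 256}.{i % 256}"} if spoof_header else {}
        status = target.login(username, guess, headers)
        statuses.append(status)
        if status == 200:
            cracked = guess
            break
    return statuses, cracked


# Constructed wordlist; the real password sits past the lockout threshold on purpose
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1",
            "admin123", "Summer2024!", "s3cret!"]


def run():
    """Run the probe once honestly and once with header spoofing against a fresh target each time."""
    honest = probe_lockout(MockLogin({"alice": "Summer2024!"}), "alice", WORDLIST)
    spoofed = probe_lockout(MockLogin({"alice": "Summer2024!"}), "alice", WORDLIST, spoof_header=True)
    return honest, spoofed


if __name__ == "__main__":
    honest, spoofed = run()
    print("honest :", honest[0], "cracked:", honest[1])
    print("spoofed:", spoofed[0], "cracked:", spoofed[1])
```

The honest run shows the lockout working (429 after five failures, password never reached); the spoofed run reaches the correct password because every attempt starts a new counter. The fix is to key lockout on the username (or username plus verified source IP) and to take the source address from the proxy-provided header only when the request actually arrived from that proxy.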

“Authentication testing is a delicate balance between security and accessibility. At QAwerk, we focus on ensuring that while the system remains impenetrable to unauthorized users, the legitimate user experience remains smooth and uninterrupted.”

Yaroslav, QA automation engineer at QAwerk

Authorization Testing

Authorization testing verifies that authenticated users have the correct level of access to resources based on their roles. While authentication proves who you are, authorization decides what you can do in the app. For a comprehensive authorization testing process, make sure to:

  • Verify role-based access control (RBAC) and check for privilege escalation
  • Test for horizontal and vertical privilege escalation vulnerabilities
  • Test for proper segregation of duties and least privilege principles
  • Attempt unauthorized access to sensitive resources and privileged functions
Do’s:
  • Do verify that the app’s logging mechanisms are robust and can provide insights into potential authorization breaches
  • Do test for path traversal by creating paths that attempt to access files or directories outside of the intended scope
  • Do examine URLs for parameters that could potentially be manipulated
  • Do analyze HTTP headers and all forms for potential input points
  • Do replay requests captured in a privileged role using an unauthenticated or low-privileged session
Don’ts:
  • Don’t assume that internal systems are less prone to authorization issues
  • Don’t assume that just because an app has RBAC or other access controls in place, they are correctly configured
  • Don’t neglect to test authorization controls from the perspective of low-privilege accounts
  • Don’t forget to test indirect access paths, such as through APIs, file uploads, or less-secured parts of the app
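The replay approach from the Do’s above scales well once it is scripted: capture each request as the legitimate user, resend it under every other account, and flag any success the access model does not allow. The script below is an added example for this article, not QAwerk’s tooling. The `api` function is a constructed in-memory target with two deliberate flaws (ownership checked only on GET, admin role checked only on GET); the accounts, invoices and captured requests are constructed as well.

```python
"""Replay captured requests under every account and flag unexpected successes.
Added example; the api() target and its two flaws are constructed for illustration."""
import re

# Constructed data: two customers and one administrator
INVOICES = {"1001": "alice", "1002": "bob"}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
INVOICE_RE = re.compile(r"/api/invoices/(\d+)")


def api(session_user, method, path):
    """Constructed target. Returns an HTTP-like status code."""
    if session_user not in ROLES:
        return 401
    m = INVOICE_RE.fullmatch(path)
    if m:
        inv = m.group(1)
        if inv not in INVOICES:
            return 404
        # Flaw 1 (horizontal): ownership is only enforced for GET, so PUT/DELETE on
        # someone else's invoice goes through.
        if method == "GET" and INVOICES[inv] != session_user and ROLES[session_user] != "admin":
            return 403
        return 200
    if path == "/api/admin/users":
        # Flaw 2 (vertical): the role check only guards GET; other methods fall through.
        if method == "GET" and ROLES[session_user] != "admin":
            return 403
        return 200
    return 404


# Constructed: requests captured in the proxy while using the app as each legitimate user
CAPTURED = [
    ("alice", "GET", "/api/invoices/1001"),
    ("alice", "PUT", "/api/invoices/1001"),
    ("carol", "GET", "/api/admin/users"),
    ("carol", "DELETE", "/api/admin/users"),
]


def allowed(actor, path):
    """Access model (the oracle): admins may do anything, users only touch their own invoices."""
    if ROLES[actor] == "admin":
        return True
    m = INVOICE_RE.fullmatch(path)
    return bool(m) and INVOICES.get(m.group(1)) == actor


def find_escalations(target, captured, accounts):
    """Resend every captured request as every other account; report successes the model forbids."""
    findings = []
    for owner, method, path in captured:
        for actor in accounts:
            if actor == owner:
                continue
            status = target(actor, method, path)
            if status < 400 and not allowed(actor, path):
                kind = "vertical" if ROLES[actor] != ROLES[owner] else "horizontal"
                findings.append((kind, actor, method, path, status))
    return findings


if __name__ == "__main__":
    for finding in find_escalations(api, CAPTURED, list(ROLES)):
        print(finding)
```

The harness only finds what was captured, which is why the Do’s insist on exercising every function in every role first; a method that was never recorded (here, DELETE on an invoice) is never replayed. Extending the capture with each method the API accepts, not just the ones the UI sends, closes that gap.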

Session Management Testing

Session management testing is all about making sure that user sessions in a web application are secure from start to finish. The session management mechanism creates and manages unique session identifiers that track the user’s authenticated state across requests for the whole interaction with the web application. Here is how to perform session management testing:

  • Assess the security of session cookies (HttpOnly, Secure flags)
  • Test for session fixation, session hijacking, and session replay vulnerabilities
  • Ensure proper session expiration and invalidation after logout or inactivity
  • Verify the uniqueness and randomness of session identifiers
Do’s:
  • Do check if session identifiers are leaked or transmitted via insecure communication channels or GET methods (GET requests can expose tokens in URLs)
  • Do collect a sufficient number of session identifier samples and analyze how they are generated for predictability, so that forgery and hijacking can be ruled out
  • Do experiment with modifying session attributes (try changing the domain, path, or expiration date) to see how the application responds
  • Do check that the session token does not embed any personally identifiable information (PII) or other sensitive data
Don’ts:
  • Don’t forget to test session timeout mechanisms in cases where “remember me” functionality is implemented
  • Don’t neglect to test session management across various devices and browsers to ensure consistent behavior and security
  • Don’t forget to check if the session is fully cleared from the browser after logout
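Two of the checks above (cookie attributes, and randomness of the identifier judged from a sample) are mechanical enough to script. The code below is an added example for this article, not QAwerk’s tooling. The Set-Cookie headers are constructed; the two token samples are generated in the script itself, one from a cryptographically secure generator and one sequential, so the analysis can be compared on known input. The per-position Shannon estimate is a crude upper bound on what an attacker must guess, good enough to separate a counter from a random token, not a substitute for a proper statistical test.

```python
"""Session cookie attribute audit and session-ID predictability check.
Added example; cookie headers are constructed and token samples are generated locally."""
import math
import secrets
from collections import Counter

# Constructed Set-Cookie values
WEAK_COOKIE = "JSESSIONID=1A2B3C4D; Path=/"
GOOD_COOKIE = "sid=0f9c3e1a7b2d4c6e8a0b1c2d3e4f5a6b; Path=/; HttpOnly; Secure; SameSite=Lax"


def audit_set_cookie(header):
    """Parse one Set-Cookie header value and return the list of weaknesses found."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or True
    issues = []
    if "httponly" not in attrs:
        issues.append(f"{name}: missing HttpOnly, readable by injected script")
    if "secure" not in attrs:
        issues.append(f"{name}: missing Secure, may be sent over plain HTTP")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        issues.append(f"{name}: SameSite not Lax/Strict, sent on cross-site requests")
    return issues


def entropy_bits(tokens):
    """Sum over token positions of the Shannon entropy of the symbol seen at that position."""
    n = len(tokens)
    total = 0.0
    for pos in range(len(tokens[0])):
        counts = Counter(t[pos] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def is_sequential(tokens):
    """True when the samples, read as hex integers, increase by one small constant step."""
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) == 1 and 0 < next(iter(deltas)) < 1000


def analyze(tokens):
    """Summarise a sample of session identifiers collected from repeated logins."""
    return {"samples": len(tokens),
            "entropy_bits": round(entropy_bits(tokens), 1),
            "sequential": is_sequential(tokens)}


def random_sample(n=256):
    """What a sound generator produces: 128-bit tokens from the OS CSPRNG."""
    return [secrets.token_hex(16) for _ in range(n)]


def sequential_sample(n=256, base=0x5F3A1000):
    """What a counter-based generator produces, padded to the same 32 hex digits."""
    return [f"{base + i:032x}" for i in range(n)]


if __name__ == "__main__":
    print(audit_set_cookie(WEAK_COOKIE))
    print(audit_set_cookie(GOOD_COOKIE) or "no cookie issues")
    print("random    :", analyze(random_sample()))
    print("sequential:", analyze(sequential_sample()))
```

With 256 samples the random set scores close to the full 128 bits while the sequential set scores around 8 bits and is flagged as a counter. On a real target the samples come from repeated logins through the proxy; Burp’s Sequencer performs the same kind of analysis with more rigorous tests.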

Data Validation Testing

Data validation testing finds weaknesses in how the app handles data. This stage involves comprehensive checks for common security flaws, including various types of code injections and overflow errors. The goal is to make sure the application stays unyielding against data manipulation and tampering attacks. Here’s a testing checklist for web application data validation:

  • Review the app’s JavaScript code for common coding errors
  • Test the app’s parameters against SQL injections
  • Examine the HTML code for potential cross-site scripting (XSS) vulnerabilities, such as reflected XSS, stored XSS, or DOM-based XSS
  • Test for LDAP injection vulnerabilities on inputs that reach a directory service, which can expose information about users and hosts
  • Test for IMAP/SMTP injection vulnerabilities on the email web forms to gain unauthorized access to the backend mail server
  • Test for XPATH injection vulnerabilities to access confidential information stored in XML documents
  • Test for XML injection vulnerabilities to learn about the XML structure and potentially exploit vulnerabilities
  • Test for code injection vulnerabilities by injecting malicious code into input fields
  • Test for template injections that could lead to code execution on the backend side
  • Test for HTTP response splitting and HTTP request smuggling vulnerabilities that could manipulate cookies or redirects
Do’s:
  • Do test all input points for SQLi: every user input field, HTTP header, and URL parameter
  • Do analyze cache headers and test for web cache poisoning and HTTP request smuggling
  • Do investigate potential injection points in the application and use fuzzing methods to discover:
    • SQL injections
    • XSS
    • XPath
    • XXE (XML external entity) injection
    • Template injections
  • Do attempt to bypass defense mechanisms such as WAF rules by manipulating HTTP headers and payload encoding
Don’ts:
  • Don’t underestimate the creativity of attackers in exploiting data validation flaws
  • Don’t overlook less obvious injection points or data processing areas
  • Don’t let any input pass untested: every field, header, and parameter should be checked for filtering and validation
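The fuzzing approach above is easiest to see on SQL injection with a differential test: one payload that should raise a database error, a TRUE/FALSE pair whose results should be identical if input is handled as data, and a UNION payload that reads a second table. The script below is an added example for this article, not QAwerk’s tooling. The SQLite-backed product search exists in a deliberately vulnerable form (string concatenation) and a fixed form (bound parameters), and the same harness runs against both; the tables and rows are constructed.

```python
"""Differential SQL injection test against a vulnerable and a fixed search function.
Added example; the SQLite schema, rows and both search implementations are constructed."""
import sqlite3


def make_db():
    """Constructed in-memory database: a product table and a second table worth stealing."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "boots", 120.0), (2, "bag", 80.0), (3, "belt", 30.0)])
    db.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', '$2b$12$placeholder')")
    return db


def search_vulnerable(db, term):
    # Deliberately vulnerable: the user's term is pasted into the SQL text.
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in db.execute(sql).fetchall()]


def search_fixed(db, term):
    # Fixed: the pattern travels as a bound parameter, never as SQL syntax.
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in db.execute(sql, (f"%{term}%",)).fetchall()]


def fuzz(search, db):
    """Run error-, boolean- and UNION-based probes; return (technique, evidence) findings."""
    findings = []
    base = search(db, "boots")

    # 1. Error-based: a lone quote breaks the statement if it lands in the SQL text.
    try:
        search(db, "'")
    except sqlite3.Error as exc:
        findings.append(("error-based", f"database error surfaced: {exc}"))

    # 2. Boolean-based: a TRUE condition must keep the baseline, a FALSE one must change it.
    #    The '--' comments out the trailing %' that the template appends.
    true_result = search(db, "boots%' AND '1'='1'--")
    false_result = search(db, "boots%' AND '1'='2'--")
    if true_result == base and false_result != base:
        findings.append(("boolean-based", "injected TRUE/FALSE conditions change the result set"))

    # 3. UNION-based: pull rows from another table into the product listing.
    leaked = search(db, "zzz%' UNION SELECT username FROM users--")
    if "admin" in leaked:
        findings.append(("union-based", f"read another table: {leaked}"))
    return findings


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", fuzz(search_vulnerable, db))
    print("fixed     :", fuzz(search_fixed, db) or "no findings")
```

The harness reports all three techniques against the concatenated query and none against the parameterised one, which is the evidence a report needs: the same payloads, the same baseline, and a before/after result. On a live target the `search` callable is replaced by an HTTP request and the comparison is made on response bodies or lengths instead of row lists.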

“I’ve seen too many apps with weak input validation that could have been easily hacked. Data validation is indeed the bedrock of web app security. Improper input validation can lead to attacks like XSS, SQL injection, and buffer overflows, so it shouldn’t be taken lightly.”

Oleh, QA engineer at QAwerk

Denial of Service Testing

Denial of service (DoS) testing evaluates an app’s resilience to attacks that aim to shut it down. These attacks can overwhelm the app with excessive requests, exploit vulnerabilities to crash it, or consume all its resources to the point where real users can’t properly use it. In 2023, retail, shipping, and PR websites saw a surge in distributed denial of service (DDoS) attacks around the holiday shopping season.

The goal of DoS testing is to identify and mitigate points of vulnerability that could lead to service disruption, ensuring the application is stable and functional under extreme conditions. Here’s how it’s done:

  • Decide which systems, services, and resources you’ll target, and set limits for how much stress you’ll put on them
  • Simulate various types of DoS attacks, such as volumetric attacks (flooding with traffic) and application-layer attacks (Slowloris)
  • Set up alerts to detect when the system reaches critical thresholds or becomes unresponsive, allowing for a quick response to prevent lasting damage
  • Document the outcomes of the DoS tests, including the types of attacks used, their impact on the system, and any problems found
Do’s:
  • Do obtain explicit written permission from stakeholders before conducting DoS testing
  • Do coordinate with network administrators and security teams to minimize disruption during testing
  • Do use tools like hping3 or HOIC to generate different types of traffic and assess the system’s response
  • Do use Burp Suite, ZAP, or Apache JMeter to identify forms and parameters that trigger expensive operations, then fuzz them with a high volume of repeated requests to simulate an application-layer DoS
Don’ts:
  • Don’t conduct DoS tests on live production systems unless absolutely necessary and only after thorough planning and risk assessment
  • Don’t push the system beyond the predefined limits, as it can cause irreparable damage
  • Don’t forget to consider the legal and compliance implications of DoS testing, especially if testing involves external or third-party services

QAwerk’s Expertise in Web App Penetration Testing

At QAwerk, we approach penetration testing with a hacker’s mindset, identifying subtle yet crucial vulnerabilities in your software and IT infrastructure. Our experienced penetration testers leverage automated tools and manual techniques to uncover hidden vulnerabilities.

We simulate real-world attacks, identifying weaknesses in authentication, authorization, input validation, session management, and more. Our goal is to provide a comprehensive assessment of your web application’s security posture.

Our Key Services:

  • Vulnerability Scanning: We rely on multiple open-source and commercial pentesting tools to automate routine tasks and get accurate insights about your web app security.
  • Penetration Testing: Our experts simulate common cyberattacks to assess the real-world impact of vulnerabilities and provide actionable advice.
  • Load Testing: Load testing can help you prepare for DDoS attacks. It’s a performance test that shows you problems like slowness or crashes when lots of people use your app. This lets you find the breaking point and see how your system handles heavy traffic. See how we helped an indie game developer identify their breaking point and significantly improve server performance.
  • Compliance Testing: We’ll help ensure your web application adheres to industry standards and regulations, such as PCI DSS, HIPAA, and GDPR.
  • Code Security Audits: We conduct thorough security audits to identify issues before they become a major headache. Our code security audit is well structured and divided into Architecture Review, Database Review, Code Quality, Test Coverage, and Security Review.

Our services align with key cybersecurity regulations, ensuring compliance and enhancing your overall security posture. Contact us today for a free consultation and learn how our web application penetration testing service can benefit your business.

Final Wrap Up

As web apps become more complex and critical to businesses, the risks of security breaches are rising rapidly. Investing in regular pen testing helps companies find and fix security problems, protecting their valuable assets and keeping customers happy. Our pen testing checklist is a valuable step towards fortifying your apps against such threats.

At QAwerk, we help businesses stay ahead of cybersecurity threats. Don’t wait for a data breach to happen. If you have any questions or need further guidance, we’re here to help. Let’s talk about how to improve your web app security!

See a sample of our security code review of a US-based e-commerce platform

This report highlights the exploits we found categorized by severity along with recommendations on how to fix them.