Checklist for Penetration Testing Web Applications - Indian Cyber Security Solutions - ICSS

Introduction

Web application pentesting is a method of identifying, analysing and reporting vulnerabilities in a target web application, such as buffer overflows, input validation flaws, code execution, authentication bypass, SQL injection, CSRF and cross-site scripting. This checklist for penetration testing web applications sets out the main test areas in detail.

Web application penetration testing is one of the most effective methods for finding all classes of web application vulnerabilities, provided it follows a repeatable and rigorous process.

Checklist for Penetration Testing Web Applications

Web Application Penetration Testing Checklist:

Information Gathering:

  • Retrieve robots.txt with a tool such as GNU Wget and review the paths it lists; Disallow entries often point at admin, backup or staging directories.
  • Fingerprint the software version. Request invalid pages and examine the error responses: stack traces, database details and error codes frequently disclose the technology stack and its version.
  • Use DNS reverse queries, DNS zone transfers and web-based DNS searches as needed.
  • Use tools such as Nmap and Nessus for port and vulnerability scanning, and a directory enumeration tool to probe for hidden URLs.
  • Identify the application's entry points with an intercepting proxy such as Burp Proxy, OWASP ZAP, TamperIE, WebScarab or Tamper Data.
  • Perform TCP/ICMP and service fingerprinting with standard tools such as Nmap and Amap.
  • Test for recognised file types, extensions and directories by requesting common extensions such as .ASP, .EXE, .HTML and .PHP.
  • Review the source code of the pages reachable from the application's front end.
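The first and last-but-one items above (pull robots.txt, then guess file names by extension and backup suffix) are routinely combined. The following is an added example, not ICSS code: it parses a constructed robots.txt body and turns the Disallow entries into a probe list. The host name, directory names and file names are assumptions for illustration; in a real engagement the body comes from `wget -qO- https://target/robots.txt` and each candidate URL is requested and checked for a 200 or 403 rather than a 404.

```python
# Added example (not ICSS code): parse a fetched robots.txt and build the list
# of candidate URLs to probe for common extensions and backup copies.
from urllib.parse import urljoin

# Constructed robots.txt body standing in for a real fetch.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/   # legacy scripts
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml
"""

COMMON_EXTENSIONS = (".asp", ".aspx", ".php", ".html", ".exe")
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~", ".zip")


def parse_robots(text):
    """Return the Disallow, Allow and Sitemap entries of a robots.txt body."""
    out = {"disallow": [], "allow": [], "sitemaps": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        key, sep, value = line.partition(":")        # first colon only
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "disallow" and value:
            out["disallow"].append(value)
        elif key == "allow" and value:
            out["allow"].append(value)
        elif key == "sitemap" and value:
            out["sitemaps"].append(value)
    return out


def candidate_urls(base, directories, names=("index", "login", "config")):
    """Combine hidden directories with common page names, extensions and
    backup suffixes. Every URL returned is a guess to be requested."""
    urls = set()
    for directory in directories:
        prefix = directory.rstrip("/")
        for name in names:
            for ext in COMMON_EXTENSIONS:
                page = f"{prefix}/{name}{ext}"
                urls.add(urljoin(base, page))
                for suffix in BACKUP_SUFFIXES:       # index.php.bak, index.php~ ...
                    urls.add(urljoin(base, page + suffix))
    return sorted(urls)


def recon_from_robots(base, robots_text):
    """Parse robots.txt and return (parsed entries, probe list)."""
    parsed = parse_robots(robots_text)
    return parsed, candidate_urls(base, parsed["disallow"])


if __name__ == "__main__":
    parsed, probes = recon_from_robots("https://www.example.com", SAMPLE_ROBOTS)
    print("hidden directories:", parsed["disallow"])
    print(len(probes), "candidate URLs, e.g.", probes[0])
```

Feed the probe list to a fetcher that records status code and content length per URL; a 200 on a `.bak` or `~` file usually means source code is readable.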

Authentication Testing:

  • Determine whether a session can be reused after logout, and whether the application logs a user out after a period of inactivity.
  • Examine the browser cache for sensitive information that remains after logout.
  • Test the password reset flow, including guessing or cracking the security questions.
  • Check the HTML of the login page for a "Remember my password" mechanism and how it stores the credentials.
  • Verify that hardware authentication devices communicate with the authentication infrastructure directly and independently over a separate channel.
  • Check whether the CAPTCHA can be bypassed (for example, responses that can be replayed or validation that is skipped server-side).
  • Look for weak security questions or answers.
  • Test the login form for SQL injection: a successful injection can bypass authentication and expose customer data such as phone numbers, addresses and credit card details, with a corresponding loss of client trust.
  • A web application firewall can filter harmful SQL queries out of traffic, but it is a mitigation, not a fix for the underlying injection.

Authorization Testing:

  • Test role and privilege manipulation to gain access to resources reserved for other roles.
  • Check for path traversal by enumerating the input vectors and analysing the application's input validation routines.
  • Test for cookie and parameter tampering, using web spider tools to enumerate the parameters.
  • Perform HTTP request tampering and check whether you can gain unauthorised access to reserved resources.

Configuration Management Testing:

  • Review the server and application documentation, check directory and file enumeration, and examine both the infrastructure and application admin interfaces.
  • Examine the web server's banner and run a network scan.
  • Check for obsolete documentation and backup files, and for referenced files such as source code, passwords and installation locations.
  • Using Nmap and Nessus, identify the ports associated with SSL/TLS services. Use Netcat or Telnet to send an OPTIONS request and review the HTTP methods the server allows.
  • Test the HTTP methods with valid user credentials and check for cross-site tracing (XST).
  • Run an application configuration management test covering the source code, log files and default error pages.
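The banner review and the OPTIONS check above produce one raw response that is read by hand. As an added example (not ICSS code), the block below parses such a response, flags methods that matter to a tester (TRACE for XST, PUT and DELETE for file manipulation) and pulls product/version pairs out of the Server and X-Powered-By headers. The response text, host name and version numbers are constructed for the example.

```python
# Added example (not ICSS code): interpret the raw reply to a hand-sent OPTIONS
# request, e.g. `printf 'OPTIONS / HTTP/1.1\r\nHost: h\r\n\r\n' | nc h 80`.
import re

OPTIONS_REQUEST = "OPTIONS / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# Constructed response; a real one is pasted from the netcat/telnet session.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2021 00:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE,PUT\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Methods a checklist reviewer should not see enabled without a reason.
RISKY_METHODS = {
    "TRACE": "echoes the request: cross-site tracing (XST) can expose cookies",
    "TRACK": "Microsoft equivalent of TRACE",
    "PUT": "may allow uploading files under the web root",
    "DELETE": "may allow deleting resources",
    "CONNECT": "may turn the server into an open proxy",
}


def parse_headers(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers


def allowed_methods(headers):
    """Methods listed in the Allow header, normalised to upper case."""
    return [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]


def risky_methods(headers):
    """Subset of the allowed methods that deserve a finding, with the reason."""
    return {m: RISKY_METHODS[m] for m in allowed_methods(headers) if m in RISKY_METHODS}


def version_banners(headers):
    """Product/version pairs disclosed by Server and X-Powered-By."""
    found = []
    for name in ("server", "x-powered-by"):
        for product, version in re.findall(r"([A-Za-z][\w.-]*)/(\d[\w.]*)", headers.get(name, "")):
            found.append((product, version))
    return found


if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE_RESPONSE)
    print(status)
    print("allowed:", allowed_methods(hdrs))
    for method, why in risky_methods(hdrs).items():
        print(f"FINDING {method}: {why}")
    print("versions:", version_banners(hdrs))
```

Allow headers are sometimes wrong in both directions, so follow up by actually sending TRACE, PUT and DELETE and recording the status code each one returns.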

Session Management Testing:

  • Test for cross-site request forgery by examining the URLs in the restricted area.
  • Inspect the encryption and reuse of session tokens, proxy and caching behaviour, and GET and POST requests for exposed session variables.
  • Collect a sufficient number of cookie samples, analyse the generation algorithm and attempt to forge a valid cookie.
  • Test the cookie attributes (Secure, HttpOnly, SameSite, Domain, Path, Expires) using an intercepting proxy such as Burp Proxy, OWASP ZAP or Tamper Data.
  • Test for session fixation so that an attacker-supplied session ID cannot be used to hijack a user's session.
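Two of the items above (analyse a batch of cookie samples; check the cookie attributes) can be automated against the proxy history. The following is an added example, not ICSS code: it audits a Set-Cookie value for the attributes that protect a session token and applies two crude predictability checks to a batch of tokens. The header values and token samples are constructed; the entropy figure is a rough per-position estimate that needs many more than four samples to mean anything (Burp Sequencer does this properly).

```python
# Added example (not ICSS code): Set-Cookie attribute audit and session token
# predictability checks over samples copied from an intercepting proxy.
import math
from collections import Counter

# Constructed samples standing in for proxy history entries.
WEAK_HEADER = "JSESSIONID=00000007; Path=/"
STRONG_HEADER = "sid=9f3c1a7e4b8d02ee; Path=/; Secure; HttpOnly; SameSite=Lax"
SEQUENTIAL_TOKENS = ["00000007", "00000008", "00000009", "0000000a"]
RANDOM_TOKENS = ["9f3c1a7e", "4b8d02ee", "c71f5a09", "0e6d93b4"]


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (token sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (script-readable, XSS can steal it)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict (CSRF exposure)")
    if "expires" in attrs or "max-age" in attrs:
        findings.append(f"{name}: persistent cookie (survives browser close)")
    return findings


def looks_sequential(tokens, base=16):
    """True when consecutive samples differ by one constant non-zero step."""
    try:
        values = [int(t, base) for t in tokens]
    except ValueError:
        return False
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) == 1 and deltas != {0}


def positional_entropy_bits(tokens):
    """Sum over character positions of the Shannon entropy of that column.
    A counter scores near zero because only its last digits ever change."""
    total = 0.0
    for column in zip(*tokens):
        counts = Counter(column)
        n = len(column)
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total


if __name__ == "__main__":
    for header in (WEAK_HEADER, STRONG_HEADER):
        print(header, "->", audit_set_cookie(header) or "ok")
    for batch in (SEQUENTIAL_TOKENS, RANDOM_TOKENS):
        print(batch[0], "sequential:", looks_sequential(batch),
              "entropy bits:", round(positional_entropy_bits(batch), 2))
```

If `looks_sequential` is true, the forgery step in the checklist is trivial: take the last issued token, add the step, and replay it against an authenticated endpoint.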

Data Validation Testing: 

  • Check the source code for JavaScript coding errors.
  • Perform SQL injection testing, covering standard, UNION-query and blind SQL injection, using tools such as sqlninja, SQLDumper and SQL Power Injector.
  • Analyse the HTML and test for reflected and stored XSS using tools such as XSS Proxy, Backframe, Burp Proxy, OWASP ZAP and XSS Assistant.
  • Test for LDAP injection to expose sensitive information about users and hosts, and for IMAP/SMTP injection to reach the backend mail server.
  • Conduct XPath injection testing to gain access to confidential data, and XML injection testing to learn about the XML structure.
  • Run code injection tests to find input validation errors.
  • Run buffer overflow tests against stack and heap memory and the application's control flow.
  • Check for HTTP splitting, and for cookie and HTTP redirect information smuggling.
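The SQL injection item above lists the three classic probe styles (error-based, blind/boolean-based and UNION-based) without showing what they look like. As an added example, not ICSS code, the block below builds a deliberately vulnerable product search on an in-memory SQLite database, runs all three probes against it, and then runs the same probes against the parameterised fix. The schema, rows and hash value are constructed; the hash is a placeholder string, not a real credential.

```python
# Added example (not ICSS code): SQL injection probes against a vulnerable
# search and its parameterised fix, using an in-memory SQLite database.
import sqlite3


def build_db():
    """Constructed schema: a product table plus a users table to steal from."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def search_vulnerable(conn, term):
    # Vulnerable on purpose: the search term is concatenated into the SQL text.
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # Fix: a bound parameter can never change the statement's structure.
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Probes as a tester (or sqlninja and friends) would send them.
ERROR_PROBE = "'"                                         # unbalanced quote
TRUE_PROBE = "' OR 1=1--"                                 # always-true clause
FALSE_PROBE = "' AND 1=2--"                               # always-false clause
UNION_PROBE = "' UNION SELECT username, pw_hash FROM users--"  # two columns, like the original


def sqli_probe(conn, search):
    """Run error-based, boolean-based and UNION-based checks against `search`."""
    result = {"error_based": False, "boolean_based": False, "union_rows": []}
    try:
        search(conn, ERROR_PROBE)
    except sqlite3.Error:                 # DB error from a single quote = injectable
        result["error_based"] = True
    true_rows = search(conn, TRUE_PROBE)
    false_rows = search(conn, FALSE_PROBE)
    result["boolean_based"] = len(true_rows) != len(false_rows)
    baseline = set(search(conn, ""))      # what the search returns on its own
    result["union_rows"] = [r for r in search(conn, UNION_PROBE) if r not in baseline]
    return result


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", sqli_probe(db, search_vulnerable))
    print("fixed:     ", sqli_probe(db, search_safe))
```

The UNION probe only works because the injected SELECT returns the same number of columns as the original query; in a real test the column count is found first by appending `ORDER BY n` or `UNION SELECT NULL,NULL,...` with increasing n until the error disappears.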

Denial of Service Testing: 

  • Send a large number of database-related requests and watch for slowdowns or new error messages.
  • Analyse the source code by hand and supply inputs of varied lengths to the application.
  • Test for SQL wildcard attacks (LIKE patterns packed with wildcards that force expensive matching). Enterprise networks should also use a DDoS protection service to limit exposure to volumetric attacks.
  • Check whether the application limits the number of objects a user can select or create in one request.
  • Check whether user-supplied input is used as a loop counter and whether extreme values cause excessive processing. Estimate the cost of DDoS-related downtime to the organisation as well.
  • Use a script to submit an unusually long value to the server and check how the request is logged.

Why Choose Indian Cyber Security Solutions (ICSS) ?

Indian Cyber Security Solutions is one of the best institutes in India. ICSS offers CEHv11 courses in India as well as Kali Linux training, and has won many awards for its online and offline training. Its teaching method is unique and easily adopted by students and professionals alike. Because of the way ICSS trains its students it has received awards including Tech Brand of 2020 and Ten Most Trusted Cyber Security Certification Provider 2021, among others.

Among the many ethical hacking courses in India, Indian Cyber Security Solutions would be the right one to join. We have practical lab classes set up for students, and industry-grade trainers who conduct the classes and impart the right cyber security knowledge. Our efforts have been acknowledged by reputed institutions, including Top Ten Training Institutes in India in 2020 by Silicon India, and Ten Most Trusted Training & Cyber Security Certifications Provider, 2021 by The Knowledge Review.

As well as being an education institute, we are a cyber security service provider to corporate organisations, delivering VAPT, web penetration testing, network penetration testing and mobile application penetration testing to clients such as IRCTC, HDFC, Cambridge Technologies and many more. For this, Indian Cyber Security Solutions has been acknowledged among the 20 Tech Brands of 2021 by Business Connect India.

Our Cyber Security Services

Cyber security is extremely important for every organisation, and we understand that data theft avoided is better than data theft dealt with afterwards. We therefore also provide cyber security services to MNCs across India. Our team is experienced in providing web application, network and mobile application penetration testing to clients.

With this, we have been acknowledged among the top 20 most trusted cyber security brands for 2021 by The Global Hues. We stand by our commitment to providing the right cyber security training to students. We have provided services to clients such as Madhya Pradesh Gramin Bank, Odisha State Pollution Control Board, HDFC Life Insurance Corporation, Qatar Development Bank and many more.



OUR ADDRESS

KOLKATA

Globsyn Crystals Building, 5th Floor, Unit-4, Webel More, Kolkata – 700091

BANGALORE

Chirush Mansion, 3478J HAL 2nd Stage, 13th A Main Road, Indiranagar, Bangalore – 560008. Landmark: Behind New Horizon School

CANADA141E34

Indian Cyber Security Solutions Cyber Security Research & Analytics Center, Vine Avenue, Moncton NB, Canada, PO E1E 1J9

AUSTRALIA

Indian Cyber Security Solutions Australia (Research and Development Center), 11 Darling Street, Hughesdale, Melbourne VIC 3166

© 2021 Indian Cyber Security Solutions | Green Fellow IT Security Pvt. Ltd.