# Web Application and API Pentest Checklist

> Made using the OWASP Testing Guide (page 211) and the API Security Top 10 2023. You can refer to them (see resources below) for detailed explanations on how to test.\
> Adapt it to your methodology and the context of your test.\
> Download this file locally from [here](https://raw.githubusercontent.com/CSbyGB/pentips/main/checklists/web-and-api-pentest-checklist.md) so you can check off everything you have done.\
> If you need some practice on specific vulnerabilities in order to reproduce them in your context, I recommend [PortSwigger's Web Security Academy here](https://portswigger.net/web-security).\
> For more explanations on specific topics, if OWASP is not enough you can also use [PortSwigger here](https://portswigger.net/web-security/all-topics)

## Information Gathering

* [ ] Conduct Search Engine Discovery and Reconnaissance for Information Leakage
* [ ] Fingerprint Web Server
* [ ] Review Webserver Metafiles for Information Leakage
* [ ] Enumerate Applications on Webserver
* [ ] Review Webpage Comments and Metadata for Information Leakage
* [ ] Identify application entry points
* [ ] Map execution paths through application
* [ ] Fingerprint Web Application Framework
* [ ] Fingerprint Web Application
* [ ] Map Application Architecture

## Configuration and Deployment Management Testing

* [ ] Test Network/Infrastructure Configuration
* [ ] Test Application Platform Configuration
* [ ] Test File Extensions Handling for Sensitive Information
* [ ] Review Backup and Unreferenced Files for Sensitive Information
* [ ] Enumerate Infrastructure and Application Admin Interfaces
* [ ] Test HTTP Methods
* [ ] Test HTTP Strict Transport Security
* [ ] Test RIA cross domain policy

## Identity Management Testing

* [ ] Test Role Definitions
* [ ] Test User Registration Process
* [ ] Test Account Provisioning Process
* [ ] Testing for Account Enumeration and Guessable User Account
* [ ] Testing for Weak or unenforced username policy
* [ ] Test Permissions of Guest/Training Accounts
* [ ] Test Account Suspension/Resumption Process

## Authentication Testing

* [ ] Testing for Credentials Transported over an Encrypted Channel
* [ ] Testing for default credentials
* [ ] Testing for Weak lock out mechanism
* [ ] Testing for bypassing authentication schema
* [ ] Test remember password functionality
* [ ] Testing for Browser cache weakness
* [ ] Testing for Weak password policy
* [ ] Testing for Weak security question/answer
* [ ] Testing for weak password change or reset functionalities
* [ ] Testing for Weaker authentication in alternative channel

## Authorization Testing

* [ ] Testing Directory traversal/file include
* [ ] Testing for bypassing authorization schema
* [ ] Testing for Privilege Escalation
* [ ] Testing for Insecure Direct Object References

## Session Management Testing

* [ ] Testing for Bypassing Session Management Schema
* [ ] Testing for Cookies attributes
* [ ] Testing for Session Fixation
* [ ] Testing for Exposed Session Variables
* [ ] Testing for Cross Site Request Forgery
* [ ] Testing for logout functionality
* [ ] Test Session Timeout
* [ ] Testing for Session puzzling

## Input Validation Testing

* [ ] Testing for Reflected Cross Site Scripting
* [ ] Testing for Stored Cross Site Scripting
* [ ] Testing for HTTP Verb Tampering
* [ ] Testing for HTTP Parameter pollution
* [ ] Testing for SQL Injection
* [ ] Oracle Testing
* [ ] SQL Server Testing
* [ ] Testing PostgreSQL
* [ ] MS Access Testing
* [ ] Testing for NoSQL injection
* [ ] Testing for LDAP Injection
* [ ] Testing for ORM Injection
* [ ] Testing for XML Injection
* [ ] Testing for SSI Injection
* [ ] Testing for XPath Injection
* [ ] IMAP/SMTP Injection
* [ ] Testing for Code Injection
* [ ] Testing for Local File Inclusion
* [ ] Testing for Remote File Inclusion
* [ ] Testing for Command Injection
* [ ] Testing for Buffer overflow
* [ ] Testing for Heap overflow
* [ ] Testing for Stack overflow
* [ ] Testing for Format string
* [ ] Testing for incubated vulnerabilities
* [ ] Testing for HTTP Splitting/Smuggling

## Error Handling

* [ ] Analysis of Error Codes
* [ ] Analysis of Stack Traces

## Cryptography

* [ ] Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
* [ ] Testing for Padding Oracle
* [ ] Testing for Sensitive information sent via unencrypted channels

## Business Logic Testing

* [ ] Test Business Logic Data Validation
* [ ] Test Ability to Forge Requests
* [ ] Test Integrity Checks
* [ ] Test for Process Timing
* [ ] Test Number of Times a Function Can be Used Limits
* [ ] Testing for the Circumvention of Work Flows
* [ ] Test Defenses Against Application Misuse
* [ ] Test Upload of Unexpected File Types
* [ ] Test Upload of Malicious Files

## Client Side Testing

* [ ] Testing for DOM based Cross Site Scripting
* [ ] Testing for JavaScript Execution
* [ ] Testing for HTML Injection
* [ ] Testing for Client Side URL Redirect
* [ ] Testing for CSS Injection
* [ ] Testing for Client Side Resource Manipulation
* [ ] Test Cross Origin Resource Sharing
* [ ] Testing for Cross Site Flashing
* [ ] Testing for Clickjacking
* [ ] Testing WebSockets
* [ ] Test Web Messaging
* [ ] Test Local Storage

## Specific API vulnerabilities to look for

* [ ] API1:2023 Broken Object Level Authorization
* [ ] API2:2023 Broken Authentication
* [ ] API3:2023 Broken Object Property Level Authorization
* [ ] API4:2023 Unrestricted Resource Consumption
* [ ] API5:2023 Broken Function Level Authorization
* [ ] API6:2023 Unrestricted Access to Sensitive Business Flows
* [ ] API7:2023 Server Side Request Forgery
* [ ] API8:2023 Security Misconfiguration
* [ ] API9:2023 Improper Inventory Management
* [ ] API10:2023 Unsafe Consumption of APIs

## Resources

* [OWASP Testing guide - online](https://owasp.org/www-project-web-security-testing-guide/v42/)
* [OWASP Testing guide - PDF](https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf)
* [API Security Top 10 2023](https://owasp.org/www-project-api-security/)
* [Must-have checklists I use in my pentesting assessments by cristivlad25](https://typefully.com/CristiVlad25/zIvaPqI)
* [The OWASP Web Application Penetration Check List](https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Web_Application_Penetration_Checklist_v1_1.pdf)
* [100 web vulnerabilities, categorized into various types - Wesley Thijs - part 1](https://www.linkedin.com/posts/wesley-thijs-8b384828a_100-web-vulnerabilities-categorized-into-activity-7120716719496519680-CtdJ?utm_source=share\&utm_medium=member_desktop)
* [100 web vulnerabilities, categorized into various types - Wesley Thijs - part 2](https://www.linkedin.com/feed/update/urn:li:activity:7120716719496519680?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7120716719496519680%2C7120716739620794368%29\&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287120716739620794368%2Curn%3Ali%3Aactivity%3A7120716719496519680%29)
* [List of API attacks - Wesley Thijs](https://gist.github.com/The-XSS-Rat/8b6d56df0f439f7f9abb90276d971400)
