# Web and API pentest Checklist

> Made using The OWASP Testing guide (page 211) and the API Security Top 10 2023. You can refer to it (see resources below) for detailed explanations on how to test.
> Adapt it to your methodology and the context of your test.
> Download this file locally from [here](https://raw.githubusercontent.com/CSbyGB/pentips/main/checklists/web-and-api-pentest-checklist.md) so that you can check off everything you have done.
> If you need some practice for specific vulnerabilities to reproduce them in your context, I recommend [portswigger's web security Academy here](https://portswigger.net/web-security).
> For more explanations on specific topics, if OWASP is not enough you can also use [Portswigger here](https://portswigger.net/web-security/all-topics)

## Information Gathering

- [ ] Conduct Search Engine Discovery and Reconnaissance for Information Leakage
- [ ] Fingerprint Web Server
- [ ] Review Webserver Metafiles for Information Leakage
- [ ] Enumerate Applications on Webserver
- [ ] Review Webpage Comments and Metadata for Information Leakage
- [ ] Identify application entry points
- [ ] Map execution paths through application
- [ ] Fingerprint Web Application Framework
- [ ] Fingerprint Web Application
- [ ] Map Application Architecture

## Configuration and Deploy Management Testing

- [ ] Test Network/Infrastructure Configuration
- [ ] Test Application Platform Configuration
- [ ] Test File Extensions Handling for Sensitive Information
- [ ] Backup and Unreferenced Files for Sensitive Information
- [ ] Enumerate Infrastructure and Application Admin Interfaces
- [ ] Test HTTP Methods
- [ ] Test HTTP Strict Transport Security
- [ ] Test RIA cross domain policy

## Identity Management Testing

- [ ] Test Role Definitions
- [ ] Test User Registration Process
- [ ] Test Account Provisioning Process
- [ ] Testing for Account Enumeration and Guessable User Account
- [ ] Testing for Weak or unenforced username policy
- [ ] Test Permissions of Guest/Training Accounts
- [ ] Test Account Suspension/Resumption Process

## Authentication Testing

- [ ] Testing for Credentials Transported over an Encrypted Channel
- [ ] Testing for default credentials
- [ ] Testing for Weak lock out mechanism
- [ ] Testing for bypassing authentication schema
- [ ] Test remember password functionality
- [ ] Testing for Browser cache weakness
- [ ] Testing for Weak password policy
- [ ] Testing for Weak security question/answer
- [ ] Testing for weak password change or reset functionalities
- [ ] Testing for Weaker authentication in alternative channel

## Authorization Testing

- [ ] Testing Directory traversal/file include
- [ ] Testing for bypassing authorization schema
- [ ] Testing for Privilege Escalation
- [ ] Testing for Insecure Direct Object References

## Session Management Testing

- [ ] Testing for Bypassing Session Management Schema
- [ ] Testing for Cookies attributes
- [ ] Testing for Session Fixation
- [ ] Testing for Exposed Session Variables
- [ ] Testing for Cross Site Request Forgery
- [ ] Testing for logout functionality
- [ ] Test Session Timeout
- [ ] Testing for Session puzzling

## Input Validation Testing

- [ ] Testing for Reflected Cross Site Scripting
- [ ] Testing for Stored Cross Site Scripting
- [ ] Testing for HTTP Verb Tampering
- [ ] Testing for HTTP Parameter pollution
- [ ] Testing for SQL Injection
  - [ ] Oracle Testing
  - [ ] SQL Server Testing
  - [ ] Testing PostgreSQL
  - [ ] MS Access Testing
- [ ] Testing for NoSQL injection
- [ ] Testing for LDAP Injection
- [ ] Testing for ORM Injection
- [ ] Testing for XML Injection
- [ ] Testing for SSI Injection
- [ ] Testing for XPath Injection
- [ ] IMAP/SMTP Injection
- [ ] Testing for Code Injection
- [ ] Testing for Local File Inclusion
- [ ] Testing for Remote File Inclusion
- [ ] Testing for Command Injection
- [ ] Testing for Buffer overflow
- [ ] Testing for Heap overflow
- [ ] Testing for Stack overflow
- [ ] Testing for Format string
- [ ] Testing for incubated vulnerabilities
- [ ] Testing for HTTP Splitting/Smuggling

## Error Handling

- [ ] Analysis of Error Codes
- [ ] Analysis of Stack Traces

## Cryptography

- [ ] Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
- [ ] Testing for Padding Oracle
- [ ] Testing for Sensitive information sent via unencrypted channels

## Business Logic Testing

- [ ] Test Business Logic Data Validation
- [ ] Test Ability to Forge Requests
- [ ] Test Integrity Checks
- [ ] Test for Process Timing
- [ ] Test Number of Times a Function Can be Used Limits
- [ ] Testing for the Circumvention of Work Flows
- [ ] Test Defenses Against Application Mis-use
- [ ] Test Upload of Unexpected File Types
- [ ] Test Upload of Malicious Files

## Client Side Testing

- [ ] Testing for DOM based Cross Site Scripting
- [ ] Testing for JavaScript Execution
- [ ] Testing for HTML Injection
- [ ] Testing for Client Side URL Redirect
- [ ] Testing for CSS Injection
- [ ] Testing for Client Side Resource Manipulation
- [ ] Test Cross Origin Resource Sharing
- [ ] Testing for Cross Site Flashing
- [ ] Testing for Clickjacking
- [ ] Testing WebSockets
- [ ] Test Web Messaging
- [ ] Test Local Storage

## Specific API vulnerabilities to look for

- [ ] API1:2023 Broken Object Level Authorization
- [ ] API2:2023 Broken Authentication
- [ ] API3:2023 Broken Object Property Level Authorization
- [ ] API4:2023 Unrestricted Resource Consumption
- [ ] API5:2023 Broken Function Level Authorization
- [ ] API6:2023 Unrestricted Access to Sensitive Business Flows
- [ ] API7:2023 Server Side Request Forgery
- [ ] API8:2023 Security Misconfiguration
- [ ] API9:2023 Improper Inventory Management
- [ ] API10:2023 Unsafe Consumption of APIs

## Resources

- [OWASP Testing guide - online](https://owasp.org/www-project-web-security-testing-guide/v42/)
- [OWASP Testing guide - PDF](https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf)
- [API Security Top 10 2023](https://owasp.org/www-project-api-security/)
- [Must-have checklists I use in my pentesting assessments by cristivlad25](https://typefully.com/CristiVlad25/zIvaPqI)
- [The OWASP Web Application Penetration Check List](https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Web_Application_Penetration_Checklist_v1_1.pdf)
- [100 web vulnerabilities, categorized into various types - Wesley Thijs - part 1](https://www.linkedin.com/posts/wesley-thijs-8b384828a_100-web-vulnerabilities-categorized-into-activity-7120716719496519680-CtdJ?utm_source=share&utm_medium=member_desktop)
- [100 web vulnerabilities, categorized into various types - Wesley Thijs - part 2](https://www.linkedin.com/feed/update/urn:li:activity:7120716719496519680?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7120716719496519680%2C7120716739620794368%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287120716739620794368%2Curn%3Ali%3Aactivity%3A7120716719496519680%29)
- [List of API attacks - Wesley Thijs](https://gist.github.com/The-XSS-Rat/8b6d56df0f439f7f9abb90276d971400)