The Ultimate Web App Pen Testing Checklist [Updated]

web pentesting checklist

Websites and web applications are the primary target for malicious hackers.

The widespread use of web applications to offer critical services like banking, health care and intelligence services has made them a primary source of data breaches.

When testing web applications it is important to have a web app pentesting checklist to consistently check against. A web app pentest checklist will ensure that you thoroughly cover the entire scope of web app security testing. When performing web app pentesting, you’ll leverage highly specialized web pentesting tools to identify and mitigate website security vulnerabilities.

So in this article we are going to look at the ultimate web application pentesting checklist that you need in order perform an in depth website security test.

By following this web app pentest checklist, you’ll be able to provide your company with clear actionable remediation instructions to improve the overall security posture. Before we get started with the web app pentesting checklist, let me underscore the fact that there are hundreds of tests that could be done on a web application.

However, you cannot perform all these tests at once… In fact, something are not worth wasting your time on. You need to choose the most important web app tests.

Here are my quick 3 tips for choosing a test.

  1. Begin by defining the scope of your web app pentesting.
  2. The outline the business critical aspects of the application.
  3. From this select & prioritize the necessary tests to perform.

Let’s get started with the web app pentesting checklist.

Information Gathering

The first step in assessing the security posture of your web application is to start by collecting all the information you can about the web app.

It is the first in this web app pentesting checklist.

I would begin by performing a search engine discovery and reconnaissance. This is where you use advanced queries like “site:” to find indexes and associated content cached by search engines like Google for that particular domain.

If the web application doesn’t implement a proper robot.txt file, it is possible for the cached pages to contain sensitive information that was not intended for the public. You can then use a robot.txt file, meta tags and search engine tools to remove such information from the caches.

Web server fingerprinting is another very important information gathering technique in web app pentesting.

This is where you use pentesting tools to probe the web server for the operating system, server software and version. Some server software versions have known vulnerabilities which lets you know how to exploit them.

You can also use site crawlers to follow all the links on the website to come up with a site map of all the accessible urls. This will enable you identify the important areas of the application, so you can plan and prioritize your tests. I would start with the more important areas where users can modify database information and secure them through encoding and user verification.

You can also request some of this information directly from developers in writing or through interviews.

Configuration Management

Testing for the configuration management is the second step in this web app pentest checklist. Here you will seek to understand the deployed configuration of the server that is hosting the web application.

Why is this important?

Because some key server configuration errors can compromise the web app just as an unsecured web app could compromise the server. So proper management of the server configuration is very important in maintaining the security of the application.

It takes just one vulnerability to undermine the security of an entire infrastructure.

For example, ensure that there is no vulnerability that can enable a remote attacker expose the source code of the application. So proper configuration of single elements that form part of the application is key to ensuring you avoid such mistakes that might compromise the security of the entire infrastructure.

Knowing the server file extensions will enable an attacker understand the underlying server technology and launch the appropriate attack.

You can also use web scanners to identify known directories on the server.

It is not uncommon to find unreferenced files in the server directory that can be used to expose the system infrastructure or acquire credentials. This could be in the form of renamed old files, automatic or manual backup files in compressed format.

These files may grant access to inner working of the application or back doors and thus are a serious threat to a web application. HTTP offers a number of methods that can be used to perform certain actions on the server, like GET, POST, PUT, DELETE etc…

However, these methods can also used for malicious purposes if the server is not properly configured. So it important that the usage of methods that modify server info like POST & DELETE are limited to trusted users.


Authentication in a web application entails the process of establishing that a user is actually who they claim they are.

It is also a very important element in this web application penetration testing checklist. When performing user authentication, you should ensure that user credentials are transported over an encrypted channel so that they aren’t intercepted by hackers.

All login should be done via a login form to be filled and the data transmitted via POST method.

Often you’ll find a web application using a software or plugin that comes with default configurations at installation. If these default credentials at authentication and installation are not changed or properly configured, they can be used by malicious attackers to gain unauthorized access because the credentials are publicly known.

All authentication systems should also implement a strong lock out mechanism to prevent brute force password cracking attacks.

I would generally lockout a user after 3-5 failed login attempts for sometime before they can try again. But I would exercise caught here, not to deny an authorized user access in the process of blocking unauthorized access. Because of developer negligence, sometimes it’s possible to bypass the login page.

This way you can directly call and access an internal page that was supposed to be only accessible after login.

You should be able to identify this through you pentest as well. It is also at this stage of the web app pentest checklist that I would check for vulnerable “remember password” implementations. So, look for passwords being stored in a cookie and ensure they are not stored in plain text but hashed.


Authorization entails the process of allowing authenticated users access only to content that is permitted to them.

By understanding how the authorization process works, you’ll be able to test it and find ways to circumvent it. For example, many web applications use and manage files as part of their daily operations. So, ensure that a user cannot read or write files that they are not unauthorized to. 

For every user role that you are going to test, here are three things to keep in mind:

  1. Can a user access the resource even if they are not authenticated?
  2. Can an authorized user still access the resource even after logout?
  3. Can a user access functions or resources pertaining to another user level?

During authorization tests, you should also check if the user is able to modify their user level/role in a way to could lead to a privilege escalation attack. Privilege escalation attack leads to the application performing actions with more privileges than were intended by the developer or sysadmin.

A proper authorization mechanism should ensure that a user:

  1. Cannot perform actions belonging to a higher privileged level
  2. Cannot perform actions belonging to another user 

The next item in this web application penetration checklist is session management.

Session Management

HTTP is a stateless protocol.

However, one of the core components of a web application is its mechanism of maintaining state for every user that interacts with it. This is what we call session management. Most web application environments have some kind of built-in session handling routines.

Through session management, web applications can avoid authenticating a user for each page they visit.

However, this can also be exploited by an attacker to gain access to an account without providing the appropriate login credentials. So when testing, ensure that cookies and sessions tokens are created in a secure and unpredictable way.

Whenever a cookie contains sensitive information or is a session token it should always be transmitted using an encrypted tunnel. Also, if the cookie is set to expire sometime in the future, ensure that it doesn’t contain any sensitive information as a hacker with access to this cookie can still keep submitting it.

A web pentester should also be able to prevent session hijacking.

This is by ensuring that every time a web application authenticates a users, it first invalidates the existing session id. By doing this a hacker cannot force a previously known sessions id on that user.

Apart from this, as a web pentester, you should ensure that not only does a web app allow a user to manually log out, it is also able to logout a user after a predefined time of inactivity. This way it neither possible to reuse that session ID, nor does any sensitive information persist in the browser cache.

Input Validation

One of the most common causes of security vulnerabilities in web applications is the inability to properly validate user data input.

It is through user input that you can exploit common vulnerabilities like XSS, SQL injection, file system attacks, buffer overflows etc…

That’s why input validation is a must have in your web application pentest checklist. You should never trust any data input from an external entity, user or client or whatever name you wanna call them.

So your web application should be able to test all forms of possible input so that you sufficiently validate input data before usage. Here is a more detailed guide on how to perform each kind of input validation in a web application.

I would never deploy an application before I ensure all input data is properly validated, especially uploaded files. By using some web development frameworks, like Django for example, you’ll find these input data validation functionality in-built out of the box.

Lastly, let’s look at error handling as the last item in this web app pentest checklist.

Error Handling

If you really want to secure a web application, you should always ensure there’s no information leakage… and a descriptive, detailed error message gives an attacker insight into the inner workings of your app.

As a web pentester, ensure that an application always fails safely under all circumstances and that no sensitive information is displayed to the user. When implementing error handling, I prefer a centralised error handling strategy.

This is because it’s easier to maintain and will enable you to catch most error types before they explode on the front end.

Even thought robust languages like Java and C# have checked exception handling at compile time, they can still lead to information leak because not all error types are checked.

Error messages are very important for development and debugging purposes though.

So if your application is still in development mode, it is okay to display full error messages on the screen. But after you deploy to production, only show generic error messages on the front end while logging the full message on a file on the server.

Common errors like NullPointerException in Java should always be type checked first. When in production mode, never show an error message on the front end which may contain a stack trace, line number where the error occurred, class name or method name.

Also don’t put sensitive information, people’s names or internal contact information in the error messages. These are the 7 things that I think are most important in a web application penetration testing checklist.


Web applications are very easy targets for malicious hackers.

It is therefore imperative that web developers frequently carry out penetration testing to ensure their web applications maintain a clear bill of health security wise. The main objective of web application penetration testing is to strengthen its security vulnerabilities. This way you prevent the same from being exploited by a malicious individual.

As you can see through this web security data breach, securing your web application cannot be taking lightly anymore. 

In this web application penetration testing checklist, I hope you’ve seen all the elements a thorough web app pentest should contain. By following this web pentest checklist you’ll be able to carry out a thorough and effective pentest.

Even professional software developers sometimes have a hard time understanding which application parameters have to be thoroughly checked before launch. So you should always look to keep your pentesting skills up to date by learning from the best through these online penetration testing courses.

Through these courses, you’ll learn in details how to perform a proper web application pentest.

You’ll also discover the best tools, both free and paid, that will always get you the best pentesting results. Did you find this web application pentesting checklist useful in launching your web app security test? Please share your experience with web security testing best practices in the comments below.

Lerma Gray

Lerma is our expert in online education with over a decade of experience. Specializing in e-learning and e-courses. She has reviewed several online training courses and enjoys reviewing e-learning platforms for individuals and organizations.

Related Post

Helping you Learn...
Online Courseing is a comprehensive platform dedicated to providing insightful and unbiased reviews of various online courses offered by platforms like Udemy, Coursera, and others. Our goal is to assist learners in making informed decisions about their educational pursuits.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram