# Web Application Penetration Test

**Pre-Engagement Phase**

1. **Define Scope:**
   * Identify target application(s) and environment.
   * Establish testing boundaries and limitations.
   * Obtain necessary permissions and legal clearances.
2. **Information Gathering:**
   * **Passive Reconnaissance:**
     * Collect information without interacting with the target directly.
     * **Tools:** Google Dorking, Shodan, Censys.
     * **Key Items:** Domain information, IP addresses, DNS records, publicly exposed sensitive information.
     * **Sources:** [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/), [Blue Goat Cyber](https://bluegoatcyber.com/blog/comprehensive-guide-130-essential-checks-for-web-application-penetration-testing-with-tools/), [Cybrary](https://www.cybrary.it/blog/web-application-penetration-testing-checklist-detailed-cheat-sheet).
   * **Active Reconnaissance:**
     * Conduct WHOIS lookup.
     * Identify subdomains and enumerate directories.
     * **Tools:** WHOIS, Sublist3r, Dirb/Dirbuster, Nmap.
     * **Key Items:** Subdomains, open ports, services, directory structure.
     * **Sources:** [Blue Goat Cyber](https://bluegoatcyber.com/blog/comprehensive-guide-130-essential-checks-for-web-application-penetration-testing-with-tools/), [RSI Security](https://blog.rsisecurity.com/your-web-application-penetration-testing-checklist/).

**Testing Phase**

3. **Configuration and Deployment Management Testing:**
   * Verify secure configuration of servers, frameworks, and application components.
   * **Tools:** Nikto, Nessus.
   * **Key Items:** Default accounts, unnecessary services, outdated software, sensitive information in configuration files.
   * **Sources:** [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/), [Blue Goat Cyber](https://bluegoatcyber.com/blog/comprehensive-guide-130-essential-checks-for-web-application-penetration-testing-with-tools/), [Cybrary](https://www.cybrary.it/blog/web-application-penetration-testing-checklist-detailed-cheat-sheet).
4. **Authentication Testing:**
   * Test for weak passwords and default credentials.
   * Evaluate multi-factor authentication (MFA) implementation.
   * **Tools:** Hydra, Burp Suite Intruder, Medusa.
   * **Key Items:** Password policies, MFA implementation, brute force protection, session fixation vulnerabilities.
   * **Sources:** [Blue Goat Cyber](https://bluegoatcyber.com/blog/comprehensive-guide-130-essential-checks-for-web-application-penetration-testing-with-tools/), [RSI Security](https://blog.rsisecurity.com/your-web-application-penetration-testing-checklist/).
5. **Session Management Testing:**
   * Examine session tokens for predictability and entropy.
   * **Tools:** Burp Suite, OWASP ZAP.
   * **Key Items:** Session token security, session hijacking, session fixation, secure storage and transmission of session cookies, session timeout and logout functionality.
   * **Sources:** [Blue Goat Cyber](https://bluegoatcyber.com/blog/comprehensive-guide-130-essential-checks-for-web-application-penetration-testing-with-tools/), [RSI Security](https://blog.rsisecurity.com/your-web-application-penetration-testing-checklist/).
6. **Access Control Testing:**
   * Test for broken access controls and authorization issues.
   * **Tools:** Burp Suite, Postman, OWASP ZAP.
   * **Key Items:** Vertical and horizontal privilege escalation, server-side access control enforcement, IDOR vulnerabilities.
   * **Sources:** [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/), [Blue Goat Cyber](https://bluegoatcyber.com/blog/comprehensive-guide-130-essential-checks-for-web-application-penetration-testing-with-tools/), [Cybrary](https://www.cybrary.it/blog/web-application-penetration-testing-checklist-detailed-cheat-sheet).
7. **Input Validation Testing:**
   * Test for SQL Injection vulnerabilities using automated tools and manual techniques.
   * **Tools:** SQLmap, Burp Suite, OWASP ZAP.
   * **Key Items:** SQL Injection, Cross-Site Scripting (XSS), Command Injection, File Inclusion, input validation mechanisms.
   * **Sources:** [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/), [Blue Goat Cyber](https://bluegoatcyber.com/blog/comprehensive-guide-130-essential-checks-for-web-application-penetration-testing-with-tools/), [Cybrary](https://www.cybrary.it/blog/web-application-penetration-testing-checklist-detailed-cheat-sheet).
8. **Testing for Business Logic Vulnerabilities:**
   * Identify and exploit flaws in the application’s business logic.
   * **Tools:** Manual testing, custom scripts.
   * **Key Items:** Manipulation of business workflows, integrity of multi-step processes and transactions.
   * **Sources:** [Blue Goat Cyber](https://bluegoatcyber.com/blog/comprehensive-guide-130-essential-checks-for-web-application-penetration-testing-with-tools/), [Qualysec](https://qualysec.com/web-application-penetration-testing-guide/).
9. **Client-Side Testing:**
   * Test for Cross-Site Request Forgery (CSRF) vulnerabilities.
   * Evaluate the security of JavaScript and client-side code.
   * **Tools:** Burp Suite, OWASP ZAP, Browser Developer Tools.
   * **Key Items:** CSRF, JavaScript security, HTML5 and browser storage, Clickjacking and UI redressing attacks.
   * **Sources:** [RSI Security](https://blog.rsisecurity.com/your-web-application-penetration-testing-checklist/), [Cybrary](https://www.cybrary.it/blog/web-application-penetration-testing-checklist-detailed-cheat-sheet).
10. **API Testing:**
    * Identify and map out all API endpoints.
    * **Tools:** Postman, Burp Suite, OWASP ZAP.
    * **Key Items:** API authentication, input validation and output encoding, excessive data exposure, rate limiting.
    * **Sources:** [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/), [Blue Goat Cyber](https://bluegoatcyber.com/blog/comprehensive-guide-130-essential-checks-for-web-application-penetration-testing-with-tools/), [Cybrary](https://www.cybrary.it/blog/web-application-penetration-testing-checklist-detailed-cheat-sheet).
11. **Cryptography Testing:**
    * Verify the use of strong encryption algorithms and protocols.
    * **Tools:** SSL Labs, OpenSSL, TestSSL.sh.
    * **Key Items:** Encryption algorithms and protocols, SSL/TLS implementation, cryptographic storage, cryptographic keys and certificates.
    * **Sources:** [Blue Goat Cyber](https://bluegoatcyber.com/blog/comprehensive-guide-130-essential-checks-for-web-application-penetration-testing-with-tools/), [RSI Security](https://blog.rsisecurity.com/your-web-application-penetration-testing-checklist/).
12. **Denial of Service (DoS) Testing:**
    * Identify and test for potential DoS attack vectors.
    * **Tools:** LOIC, HOIC, Slowloris.
    * **Key Items:** Rate limiting and throttling, application’s ability to handle high loads.
    * **Sources:** [Cybrary](https://www.cybrary.it/blog/web-application-penetration-testing-checklist-detailed-cheat-sheet), [Qualysec](https://qualysec.com/web-application-penetration-testing-guide/).
13. **Testing for Error Handling:**
    * Check for information leakage through error messages.
    * **Tools:** Burp Suite, OWASP ZAP.
    * **Key Items:** Error message handling, response to unexpected inputs, exposure of stack traces and debug information.
    * **Sources:** [RSI Security](https://blog.rsisecurity.com/your-web-application-penetration-testing-checklist/), [Cybrary](https://www.cybrary.it/blog/web-application-penetration-testing-checklist-detailed-cheat-sheet).
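For the session management (item 5) and client-side (item 9) checks above, the following is an added example, not code from this page or its cited sources: a small audit of `Set-Cookie` headers as a proxy would capture them, flagging missing `Secure`, `HttpOnly` and `SameSite` attributes and giving a rough entropy estimate for the token value. The sample headers are constructed; the 64-bit threshold is an assumed minimum, not a figure from the page.

```python
import math
from collections import Counter

# Constructed sample Set-Cookie headers, as a proxy would capture them
SAMPLE_HEADERS = [
    "JSESSIONID=4F2A9C1E7B3D5A8C0E6F1B2D3C4A5E6F; Path=/; Secure; HttpOnly; SameSite=Lax",
    "sid=1001; Path=/",
    "remember=dXNlcjphZG1pbg==; Path=/; HttpOnly",
]

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flags become True
    return name.strip(), value, attrs

def shannon_entropy_bits(token):
    """Per-character Shannon entropy times length: a rough estimate from one
    sample only; a real assessment compares many tokens issued over time."""
    if not token:
        return 0.0
    n = len(token)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(token).values())
    return per_char * n

def audit_cookie(header, min_bits=64):
    """Return the attribute and entropy findings for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure (cookie is also sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly (readable from script, e.g. after XSS)")
    samesite = attrs.get("samesite")
    if samesite is None or str(samesite).lower() in ("true", "none"):
        findings.append("SameSite absent or None (no browser-side CSRF protection)")
    bits = shannon_entropy_bits(value)
    if bits < min_bits:
        findings.append(f"low entropy estimate: {bits:.1f} bits < {min_bits}")
    return {"cookie": name, "entropy_bits": round(bits, 1), "findings": findings}

def audit_all(headers=SAMPLE_HEADERS):
    return [audit_cookie(h) for h in headers]
```

Run `audit_all()` on headers exported from the proxy; a cookie with an empty findings list still needs the fixation and logout checks from item 5, which this static audit cannot cover.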
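For the input validation check (item 7), an added example that is not from this page or its cited sources: the deliberately vulnerable string-built query beside its parameterized replacement, run against a constructed in-memory SQLite table so the difference in returned rows is visible without a target application.

```python
import sqlite3

def build_db():
    """Constructed in-memory fixture standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the input is concatenated into the SQL text, so a
    quote character in it changes the structure of the query."""
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    """Hardened: a parameterized query; the driver binds the value separately,
    so the same input is only ever compared as data."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

def compare(username):
    """Run both variants on the same input and return the row counts each yields."""
    conn = build_db()
    return {"vulnerable": len(lookup_vulnerable(conn, username)),
            "safe": len(lookup_safe(conn, username))}

# The textbook tautology probe: on the vulnerable path it matches every row,
# on the parameterized path it matches none, which is the remediation evidence
# worth capturing in the report (item 14).
PROBE = "x' OR '1'='1"
```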

**Reporting Phase**

14. **Document Findings:**
    * Create detailed reports of vulnerabilities discovered.
    * **Tools:** Dradis, Faraday.
    * **Key Items:** Steps to reproduce, potential impact, remediation recommendations.
    * **Sources:** [Qualysec](https://qualysec.com/web-application-penetration-testing-guide/), [Cybrary](https://www.cybrary.it/blog/web-application-penetration-testing-checklist-detailed-cheat-sheet).
15. **Provide Executive Summary:**
    * Summarize key findings for non-technical stakeholders.
    * **Tools:** Custom templates.
    * **Key Items:** Overall security posture, strategic improvements, next steps.
    * **Sources:** [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/), [Blue Goat Cyber](https://bluegoatcyber.com/blog/comprehensive-guide-130-essential-checks-for-web-application-penetration-testing-with-tools/), [RSI Security](https://blog.rsisecurity.com/your-web-application-penetration-testing-checklist/).

**Post-Engagement Phase**

16. **Remediation Support:**
    * Offer guidance and support for fixing identified vulnerabilities.
    * **Tools:** Jira, Confluence.
    * **Key Items:** Verification of applied fixes, best practices for maintaining security.
    * **Sources:** [RSI Security](https://blog.rsisecurity.com/your-web-application-penetration-testing-checklist/), [Cybrary](https://www.cybrary.it/blog/web-application-penetration-testing-checklist-detailed-cheat-sheet).
17. **Review and Reflect:**
    * Conduct a post-engagement review with the team.
    * **Tools:** Team meetings, retrospective tools.
    * **Key Items:** Lessons learned, potential improvements, updates to methodologies and tools.
    * **Sources:** [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/), [Blue Goat Cyber](https://bluegoatcyber.com/blog/comprehensive-guide-130-essential-checks-for-web-application-penetration-testing-with-tools/), [Qualysec](https://qualysec.com/web-application-penetration-testing-guide/).

**References**

* [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
* [OWASP Top 10](https://owasp.org/www-project-top-ten/)
* [NIST SP 800-115 Technical Guide to Information Security Testing and Assessment](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf)
