Penetration Testing Checklist

July 15, 2016 | Views: 50339

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Remember, penetration testing is not functional testing. In pentesting, your goal is to find security holes in the system. Below is a checklist with some generic tests to run, which are not necessarily applicable for all applications.


Penetration Testing Checklist:

1) Web Applications – Check if a web application is able to identify spam attacks on contact forms used in the website.
2) Proxy Servers – Check if network traffic is monitored by proxy appliances. Proxy servers make it difficult for hackers to get internal details of the network, thus protecting the system from external attacks.
3) Spam Email Filters – Verify if incoming and outgoing email traffic is filtered and unsolicited emails are blocked. Many email clients come with built-in spam filters, which need to be configured per your needs. These configuration rules can be applied on email headers, subjects or bodies.
4) Firewalls – Make sure an entire network or computers are protected with a firewall. A firewall can be a software or hardware to block unauthorized access to systems. Firewalls can prevent sending data outside the network without your permission.
5) Exploits – Try to exploit all servers, desktop systems, printers and network devices.
6) Verification – Verify that all usernames and passwords are encrypted and transferred over secured connections like HTTPs.
7) Cookies – Verify information stored in website cookies. It should not be in readable format.
8 ) Vulnerabilities – Review previously found vulnerabilities to check if the fix is working.

9) Open Ports – Ensure there are no ports on a network.
11) Telephones – Check all telephone devices.
12) WiFi – Test WiFi network security.
13) HTTP Methods – Review HTTP methods. PUT and Delete methods should not be enabled on web server.
14) Passwords – Password should be at least 8 character long containing at least one number and one special character.
15) Usernames – Usernames should not be like “admin” or “administrator”.
16) Application Login Pages – Application logins pages should be locked upon few unsuccessful login attempts.
17) Error Messages – Error messages should be generic and not mention specific error details like “Invalid username” or “Invalid password”.
19) Special Characters – Verify if special characters, HTML tags and scripts are handled properly as an input value.
20) Internal System Details – Internal system details should not be revealed in any of the error or alert messages.
21) Custom Error Messages – Custom error messages should be displayed to end-users in case of web page crash.
22) Registry Entries – Review the use of registry entries. Sensitive information should not be kept in registry.
23) Scanning Files – All files must be scanned before uploading to server.
24) Sensitive Data – Sensitive data should not be passed in URL’s while communicating with different internal modules of the web application.
25) No Hard-Coded Usernames or Passwords – There should not be any hard-coded username or password in the system.
26) Input Fields – Check all input fields with long input strings – with and without spaces.
27) Password Functionality – Ensure reset password functionality is secure.
28) SQL Injection – Verify application for SQL Injection.
29) XSS – Verify application for Cross Site Scripting.
31) Input Validations – Important input validations should be done at server side instead of JavaScript checks at client side.
32) System Resources – Critical resources in the system should be available to authorized persons and services only.
33) Access Permissions – All access logs should be maintained with proper access permissions.
34) Ending Sessions – Check that user sessions end upon log off.
35) Directory Browsing – Verify that directory browsing is disabled on the server.
36) Up-to-Date Versions – Verify that all applications and database versions are up to date.
37) URL Manipulation – Review URL manipulation to make sure a web application is not showing any unwanted information.
38) Buffer Overflow – Check memory leak and buffer overflow.
39) Trojan Attacks – Verify if incoming network traffic is scanned to find Trojan attacks.
40) Brute Force Attacks – Check if systems are safe from Brute Force Attacks – use a trial and error method to find sensitive information like passwords.
41) DoS – Ensure the system or network is secured from DoS (denial-of-service) attacks.Attackers can target networks or a single computer with continuous requests. Resources on target systems get overloaded, resulting in denial of service for legit requests.


This is a basic checklist to get started with pentesting. There are hundreds of advanced penetration methods, which can be done either manually or with the help of automation tools.


Ali Tabish


Image by @infosectdk

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?

  2. That’s a detailed Checklist and precise to the point. Good one 🙂

Page 9 of 9« First...«56789
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?