LtR101: Web Application Testing Methodologies

LtR101: Web Application Testing Methodologies

I get loads of messages on various mediums each week asking about how to get into information security & bug hunting. Queries range from how to do things through to how to get into the industry and where to start.

I started this series for those people, learning and wanting to learn more about this industry, what is involved and along the way give some practical tips and tricks. This post serves as one of the more practical ones, giving a rough check-list on items to cover off in penetration testing, the list is geared more towards pentesters in mind however it can be applied to bug bounty hunting too.

As I've learned over the past few years each person is different and will develop their own methodology of testing applications, however most will follow a rough structure on finding and enumerating apps. I stumbled across several lists and methodologies in my time testing however this is my take.

When testing applications it is important to have some form of methodology or check-list in place. It's not essential however it can be VERY useful, it allows the tester to go through all avenues looking for vulnerabilities and enumerate more and more.

The list below is by no means a complete methodology it has been adapted from the Web application hacker's handbook & other publications. It does however serve as a rough guideline on things to analyse and look for.


  • Utilize port scanning
  • Map visible content
  • Discover hidden & default content
    • Utilize shodan for finding similar apps and endpoints
    • Utilize the waybackmachine for finding forgotten endpoints
  • Test for debug parameters & Dev parameters
  • Identify data entry points
  • Identify the technologies used
  • Map the attack surface and application

Access Control Testing

  • Authentication
  • Test password quality rules
  • Test for username enumeration
  • Test resilience to password guessing
  • Test password creation strength
  • Test any account recovery function
  • Test any "remember me" function
  • Test any impersonation function
  • Test username uniqueness
  • Check for unsafe distribution of credentials
  • Test for fail-open conditions
  • Test any multi-stage mechanisms
  • Session Management
    • Test tokens for meaning
  • Test tokens for predictability
  • Check for insecure transmission of tokens
  • Check for disclosure of tokens in logs
  • Check mapping of tokens to sessions
  • Check session termination
  • Check for session fixation
  • Check for cross-site request forgery
  • Check cookie scope
  • Access Controls
  • Understand the access control requirements
  • Test effectiveness of controls, using multiple accounts if possible
  • Test for insecure access control methods (request parameters, Referrer header, etc)

Input Validation and Handling

  • Fuzz all request parameters
  • Test for SQL injection
  • Identify all reflected data
  • Test for reflected XSS
  • Test for HTTP header injection
  • Test for arbitrary redirection
  • Test for stored attacks
  • Test for OS command injection
  • Test for path traversal
  • Test for JavaScript/HTML injection
  • Test for file inclusion - both local and remote
  • Test for SMTP injection
  • Test for SOAP injection
  • Test for LDAP injection
  • Test for XPath injection
  • Test for template injection
  • Test for XXE injection

Application/Business Logic

  • Identify the logic attack surface
  • Test transmission of data via the client
  • Test for reliance on client-side input validation
  • Test any thick-client components (Java, ActiveX, Flash)
  • Test multi-stage processes for logic flaws
  • Test handling of incomplete input
  • Test trust boundaries
  • Test transaction logic
  • Test for Indirect object references(IDOR)

Application Infrastructure

  • Test segregation in shared infrastructures/ virtual hosting environments
  • Test segregation between ASP-hosted applications
  • Test for web server vulnerabilities - this can be tied into port scanning and infrastructure assessments
  • Default credentials
  • Default content
  • Dangerous HTTP methods
  • Proxy functionality

Miscellaneous tests

  • Check for DOM-based attacks - open redirection, cross site scripting, client side validation.
  • Check for frame injection, frame busting(can still be an issue)
  • Check for local privacy vulnerabilities
  • Persistent cookies
  • Weak cookie options
  • Caching
  • Sensitive data in URL parameters
  • Follow up any information leakage
  • Check for weak SSL ciphers
  • HTTP Header analysis - look for lack of security headers such as:
    • Content Security Policy (CSP)
    • HTTP Strict Transport Security (HSTS)
    • X-XSS-Protection
    • X-Content-Type-Options
    • HTTP Public Key Pinning

Now as stated in the intro this list is by no means a conclusive one, however hopefully it will allow you to build a better picture of what needs to be tested, what can be tested and when to include it. Your own methodology is up to you, it is your responsibility to test and then act/report on what you've found. If you've got any questions or queries tweet me.

Did you enjoy this? Check out the other #ltr101 posts here or consider buying my book.