Web sites are windows that open your organization to the outside world. By their nature, they have to be always "open". You can restrict access to a service with a password or an IP address allow-list, or you can close the service to everything outside your organisation. But in general you do not apply these restrictions to a public web application, because you want it to be reachable by everyone.
When an application can be reached by everyone, your potential threat is the whole world: anyone on the Internet can probe it at any time. As a result, web application security is one of the most important subjects in cyber security.
With this article we start a series of blog posts about checklists for web application pentests. Please remember that these are the basic controls, not all of them. Technology and attack methodologies change day by day, and so do checklists.
We strongly recommend that you build a checklist from our posts before the penetration test (pentest) starts. Note each finding next to the related bullet and attach the screenshots that show it. This will be very helpful when you prepare the pentest report.
The checklists covered in this series are as follows:
Let’s start with learning the application:
The next "checklists for web applications" post will cover information gathering and configuration management. Keep following us.