Web Application Assessment Check List

Here is an OWASP Web Application Security Testing Checklist based on this github repo. It is super minimal but it offers a checklist with no memory. Next versions might include features like exporting/importing into the checklist which might be useful for assessments that you want to keep.

Configuration Management

Check for commonly used application and administrative URLs
Check for old, backup and unreferenced files
Check HTTP methods supported and Cross Site Tracing (XST)
Test file extensions handling
Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
Test for policies (e.g. Flash, Silverlight, robots)
Test for non-production data in live environment, and vice-versa
Check for sensitive data in client-side code (e.g. API keys, credentials)

Secure Transmission

Check SSL Version, Algorithms, Key length
Check for Digital Certificate Validity (Duration, Signature and CN)
Check credentials only delivered over HTTPS
Check that the login form is delivered over HTTPS
Check session tokens only delivered over HTTPS
Check if HTTP Strict Transport Security (HSTS) in use

Authorization

Test for path traversal
Test for bypassing authorization schema
Test for vertical Access control problems (a.k.a. Privilege Escalation)
Test for horizontal Access control problems (between two users at the same privilege level)
Test for missing authorization

Denial of Service

Test for anti-automation
Test for account lockout
Test for HTTP protocol DoS
Test for SQL wildcard DoS

Business Logic

Test for feature misuse
Test for lack of non-repudiation
Test for trust relationships
Test for integrity of data
Test segregation of duties

Cryptography

Check if data which should be encrypted is not
Check for wrong algorithms usage depending on context
Check for weak algorithms usage
Check for proper use of salting
Check for randomness functions

Risky Functionality - File Uploads

Acceptable file types are whitelisted
File size limits, upload frequency and total file counts are defined and are enforced
File contents match the defined file type
All file uploads have Anti-Virus scanning in-place.
Unsafe filenames are sanitised
Uploaded files are not directly accessible within the web root
Uploaded files are not served on the same hostname/port
Files and other media are integrated with the authentication and authorisation schemas

HTML 5

Test Web Messaging
Test for Web Storage SQL injection
Check CORS implementation
Check Offline Web Application

An Owasp based checklist to help keep track penetration tests in web applications!

Information Gathering

Configuration Management

Secure Transmission

Authentication

Session Management