Pre-engagement Pentest Checklist for Web Applications Assessments

01 Feb

The success of a penetration test relies 50% on the planning and the information obtained in advance, and the other 50% on the actual execution of the test. Many times the proposal documents do not contain all the information the security consultant or pentester needs.

As penetration testers we need to ensure that the requirements of the project are met and that there are no delays or surprises (outside of the actual test) that will impact the assessment and its results. This can happen in only 2 ways:

  1. Validation of the information in the proposal
  2. Establishment of a communication channel with the client to obtain further information around the pentest


Checklists are always helpful because they stop us from forgetting what information is needed. Below is a checklist focused on web application assessments. It can assist pentesters, especially those newest to the field, in ensuring that they have all the prerequisites to conduct the project efficiently and to prevent failures.

  • Determination of the type of pentest (Blackbox, Whitebox)
  • Key objectives behind this penetration test
  • Location address and contact (if it is an onsite job)
  • Validation that the Authorization Letter has been signed
  • URL of the web application that is in scope and validation that it is accessible
  • 2 sets of credentials (normal and admin or a privileged user) and validation that they are working
  • Determination of the environment (Production or UAT)
  • Number of static and dynamic pages
  • Testing Boundaries (DoS, Brute force attacks etc.)
  • Technologies (PHP, ASP, .NET, IIS, Apache, Operating system etc.)
  • Any VPN or port numbers that are needed, verified ahead of time
  • Any web services that the site may use.
  • Any pages that the client does not want to be tested.
  • Any pages that submit emails
  • IP address of the tester
  • Escalation contact
  • 3rd parties that need to be contacted in advance of the pentest
  • Web application firewalls and other IDS in place
  • Timeframe of the assessment (dates and hours)
  • Diagrams and any kind of documentation
  • Validation that a backup has been performed recently on the application
  • Other client requirements
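Several of the items above (authorization signed, scope URLs accessible, two privilege levels of credentials, VPN/port prerequisites reachable, excluded pages, testing window, backup confirmed) can be checked mechanically before the first request is sent. The script below is an added example and not part of the original post: it reads a small JSON engagement record of my own devising (the field names and the `example.test` hosts are hypothetical), reports what is missing, refuses to consider the engagement ready outside the agreed window, and tells you whether a given URL falls under the client's exclusion list. The network probe is injectable so the checks can be exercised without a live target.

```python
"""Pre-engagement readiness checks for a web application assessment.

Added example, not code from the original post. The engagement record
format below is hypothetical; adapt the field names to your own proposal
template.
"""
import json
import socket
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample engagement record (fictitious client, .test hosts).
SAMPLE_ENGAGEMENT = json.loads("""
{
  "authorization_signed": true,
  "test_type": "greybox",
  "environment": "UAT",
  "in_scope_urls": ["https://uat.example.test/", "https://uat.example.test/api/"],
  "excluded_paths": ["/contact", "/admin/reset-password"],
  "credentials": [{"role": "user", "username": "qa-user"},
                  {"role": "admin", "username": "qa-admin"}],
  "access_prerequisites": [{"host": "vpn.example.test", "port": 1194}],
  "window": {"start": "2015-02-09T09:00:00+00:00",
             "end": "2015-02-13T18:00:00+00:00"},
  "escalation_contact": "it-sec@example.test",
  "backup_confirmed": true
}
""")

# Checklist items that must be present (and truthy) before testing starts.
REQUIRED_FIELDS = ("authorization_signed", "in_scope_urls", "credentials",
                   "window", "escalation_contact", "backup_confirmed")


def missing_fields(engagement):
    """Return the required checklist fields that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not engagement.get(f)]


def in_window(engagement, now_iso):
    """True if the ISO-8601 timestamp lies inside the agreed testing window."""
    w = engagement["window"]
    now = datetime.fromisoformat(now_iso)
    return datetime.fromisoformat(w["start"]) <= now <= datetime.fromisoformat(w["end"])


def is_excluded(url, excluded_paths):
    """True if the URL's path is one of the client's excluded pages or below one."""
    path = urlparse(url).path or "/"
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in excluded_paths)


def host_reachable(hostname, port, timeout=5):
    """TCP connect check; failures (DNS, refused, timeout) simply report False."""
    try:
        sock = socket.create_connection((hostname, port), timeout=timeout)
    except OSError:
        return False
    sock.close()
    return True


def readiness_report(engagement, now_iso, reachable=host_reachable):
    """Run every check and return the findings as a dict."""
    targets = []
    for url in engagement.get("in_scope_urls", []):
        p = urlparse(url)
        targets.append((p.hostname, p.port or (443 if p.scheme == "https" else 80)))
    for pre in engagement.get("access_prerequisites", []):
        targets.append((pre["host"], pre["port"]))
    # Deduplicate before probing so each host:port is touched once.
    unreachable = sorted(t for t in set(targets) if not reachable(*t))
    roles = {c["role"] for c in engagement.get("credentials", [])}
    return {
        "missing": missing_fields(engagement),
        "in_window": bool(engagement.get("window")) and in_window(engagement, now_iso),
        "two_privilege_levels": len(roles) >= 2,
        "unreachable": unreachable,
    }


def ready(report):
    """The engagement is ready only when every check passed."""
    return (not report["missing"] and report["in_window"]
            and report["two_privilege_levels"] and not report["unreachable"])


if __name__ == "__main__":
    # Against the fictitious hosts every probe fails, so this prints not-ready.
    rep = readiness_report(SAMPLE_ENGAGEMENT, "2015-02-10T10:00:00+00:00")
    print(json.dumps(rep, indent=2), "ready:", ready(rep))
```

Run it once the VPN is up and the scope file is filled in; anything listed under `unreachable` or `missing` is a question for the client before the start date, not a finding. The `is_excluded` check is worth wiring into whatever crawler or proxy you use so that "do not test" pages such as contact forms are never hit by accident.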


If you think there is more information that needs to be gathered, please reply with a comment and I will update the list.


Posted by on February 1, 2015 in General Lab Notes



9 responses to “Pre-engagement Pentest Checklist for Web Applications Assessments”

  1. Ryan Beck

    February 2, 2015 at 5:03 pm

    Great list! Wanted to add a couple things that you would want to know before starting the test:

    1.) In addition to knowing the URL and verifying access to it, you would also want to know if any VPN or port numbers are needed and verify those ahead of time as well.

    2.) Any web services that the site may use.

    3.) Any pages that the client does not want to be tested.

    • netbiosX

      February 2, 2015 at 5:40 pm

      I have added those elements as well. Thank you Ryan for your contribution!

  2. Joseph Pierini

    February 3, 2015 at 1:23 am

    You should also add ‘Any pages that submit emails.’ How many times have you spammed a Client because of a lack of effective form field validation? All those “Contact Us” pages that send thousands of emails while testing for XSS, CSRF and SQLi.

    • netbiosX

      February 3, 2015 at 1:28 am

      That’s a good point Joseph! Thanks!

  3. bill clancy

    February 3, 2015 at 3:09 am

    Engagement letter to keep you out of jail.

  4. Saqib Raza

    February 3, 2015 at 4:52 am

    Information Added..!🙂

  5. Andres

    February 5, 2015 at 11:06 am

    Validate that no licenses of testing tools have expired, also check versions. Especially if not pentesting on a regular basis this can become an issue (though an internal only).
    Also make sure that there are no application deployments planned during the assessment – it might lead to inconsistent testing results.

  6. Rick Brechwald

    February 5, 2015 at 5:37 pm

    To expand a little bit on Andres’ comment: You want to know their standard maintenance schedule as well. The testing results could be unstable during maintenance windows.

  7. NickD

    February 9, 2015 at 1:30 pm

    I’d add some more, some of which I’ve learnt the hard way…

    * IP address/es of the target systems; their local resolution might not match your Internet based resolution.
    * Two accounts per level of access per tester – two accounts per level so if one gets locked out a tester can use the other one while waiting for the first to be re-enabled, two accounts per level so a single tester can test “horizontal” privilege escalation, “per level” so you don’t presume there’s just users and admins, “per tester” so each tester can test all interactions between their accounts without having to consult with colleagues.
    * Make it “any *services* which send emails”; WAFs that email on every alert can make your test “fun” for their admins.
    * WAF and IDS – are they part of the test? If not then disable them if pre-prod, whitelist the testers if prod, always test under “worst case scenario” as that ensures that the application is secure, AFAICT, even if the WAF fails open and the IDS can be bypassed.

    Handy list, nicely done🙂

