Web server pentesting is performed under three significant categories: identity, analysis, and reporting vulnerabilities such as authentication weaknesses, configuration errors, and protocol relationship vulnerabilities.

 1.  “Conduct a series of methodical and repeatable tests ” is the best way to test the webserver to work through all of the different application vulnerabilities.

2. “Collecting as Much Information” about an organization, Ranging from the operating environment, is the main area to concentrate on in the initial stage of web server pentesting.

3. Performed web server authentication testing, using social engineering techniques to collect information about human resources, contact details, and other social-related information.

4. When gathering information about the target, use Whois database query tools to get details such as domain name, IP address, administrative details, autonomous system number, DNS, etc.

5. To gather information such as server name, server type, operating systems, an application running on the server, etc, use fingerprint scanning tools such as Netcraft, HTTPrecon, and ID Serve.

6. Create a Website to gather Specific information  from web pages, such as email addresses

7.  Enumerate web server Directories to extract important information about web functionalities, login forms, etc.

8.  Perform a directory traversal attack to access restricted directories and execute the command outside the Web server root directories.

9. Perform vulnerability scanning to identify the weaknesses in the network, use vulnerability scanning tools such as HPWebinspect and Nessus, and determine if the system can be exploited.

10. Perform a cache poisoning attack to force the web server’s cache to flush its actual cache content and send a specifically crafted request, which will be stored in the cache.

11. Performing an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.

12. Bruteforce SSH, FTP, and other services login credentials to gain unauthorized access.

13. Perform session hijacking to capture valid session cookies and IDs, use tools such as Burb suite and Firesheep, hijack to automate session hijacking.

14. Performing an MITM attack to access sensitive information by intercepting the communications between the end-users and web servers.

15. Use tools such as  Webalizer and AWStats to examine the web server logs.

Table of Contents

Essential Checklist Suggested by Microsoft
Files and Directori
Auditing and Logging
Server Certificates

Essential Checklist Suggested by Microsoft

Microsoft provides various checklists and best practices for different aspects of its products and services. Here are some essential checklists and guidelines suggested by Microsoft for Web Server Penetration Testing Checklist:


  • Unnecessary Windows services are disabled.
  • Services are running with least-privileged accounts.
  • FTP, SMTP, and NNTP services are disabled if they are not required.
  • Telnet service is disabled.


  • WebDAV is disabled if not used by the application OR it is secured if it is required.
  • TCP/IP stack is hardened
  • NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445).


  • Unused accounts are removed from the server.
  • The guest account is disabled.
  • IUSR_MACHINE account is disabled if the application does not use it.
  • A custom least-privileged anonymous account is created if your applications require anonymous access.
  • The anonymous account cannot write access to Web content directories and cannot execute command-line tools.
  • Strong account and password policies are enforced for the server.
  • Remote logins are restricted. (The “Access, this computer from the network” user, right is removed from the Everyone group.)
  • Accounts are not shared among administrators.
  • Null sessions (anonymous logins) are disabled.
  • Approval is required for account delegation.
  • Users and administrators do not share accounts.
  • No more than two accounts exist in the Administrators group.
  • Administrators are required to log on locally OR the remote administration solution is secure.

Files and Directories

  • Files and directories are contained on NTFS volumes
  • Web site content is located on a non-system NTFS volume.
  • Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides.
  • The Everyone group is restricted (no access to \WINNT\system32 or Web directories).
  • Web site root directory has denied writing ACE for anonymous Internet accounts.
  • Content directories have denied writing ACE for anonymous Internet accounts.
  • The remote administration application is removed
  • Resource kit tools, utilities, and SDKs are removed.
  • Sample applications are removed


  • All unnecessary shares are removed (including default administration shares).
  • Access to required shares is restricted (the Everyone group does not have access).
  • Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).


  • Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used)
  • Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure.


  • Remote registry access is restricted.
  • SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).

Auditing and Logging

  •  Failed login attempts are audited.
  •  IIS log files are relocated and secured.
  • Log files are configured with an appropriate size depending on the application security requirement.
  • Log files are regularly archived and analyzed.
  • Access to the Metabase.bin file is audited.
  • IIS is configured for W3C Extended log file format auditing.

Server Certificates

  • Ensure certificate date ranges are valid.
  • Only use certificates for their intended purpose (For example, the server certificate is not used for e-mail).
  •  Ensure the certificate’s public key is valid, all the way to a trusted root authority.
  • Confirm that the certificate has not been revoked.


1. What are the 5 significant types of penetration testing?

These are the five main types of penetration testing:

Network penetration testing looks for weak spots in servers, routers, and firewalls that are part of a network’s core.Web Application Penetration Testing: This type of testing looks for security holes in websites and web apps.Wireless Penetration Testing checks the safety of Wi-Fi and Bluetooth networks, among others.Penetration testing uses social engineering techniques, like phishing and fraud, to get into a system without permission.Physical penetration testing involves trying to get past physical security measures like cameras and access controls in order to check how safe a building is generally.

2. What is penetration testing of web servers?

Web server penetration testing entails systematically testing a server and its software for vulnerabilities and flaws.

The main goal is to detect and assess security risks that hackers potentially exploit. To test the web server for SQL injection, XSS, and remote code execution, penetration testers replicate these attacks.

Such testing helps organizations prevent security vulnerabilities and protect their web server and data.

3. Why API penetration testing?

API penetration testing is essential because APIs are essential to current software applications and systems. Why it’s crucial: Data leaks, authentication issues, and illegal access can compromise APIs.

Testing finds and addresses these hazards.Data Exposure: Attackers target APIs because they handle sensitive data. Testing assures data transmission and security.Integration with third-party APIs increases the attack surface in many applications. T

Testing ensures these integrations provide no vulnerabilities.

Regulations and compliance obligations often need detailed security assessments, which API testing helps achieve.Business Continuity: API breaches can cause considerable financial and reputational damage, hence API security is crucial.

Also, Read   Penetration testing Android Application checklist


  1. Good one Balaji……Comprehensive checklist! Pentesting also depends on the creativity of the pentester. This post should be upgraded to a pdf resource for download…it will go a long way to help Itsecurity guys.

    • Hi Charles.. It’s really glad to hear.. Thanks for your valuable feedback and Time… Our Moto is very simple .. Let’s share some good things to community with help of our little skills ..I don’t have any objection if any one use this source to anywhere….

  2. Awesome read . Can i get some help in doing this entire process like if you have a virtual lab on which this can be done. would like to learn the lifecycle.

  3. … [Trackback]

    […] Find More on|Find More|Read More Informations here|Here you will find 73959 additional Informations|Infos on that Topic: gbhackers.com/web-server-penetration-testing-checklist/ […]

  4. … [Trackback]

    […] Find More here|Find More|Read More Informations here|There you will find 76378 additional Informations|Informations on that Topic: gbhackers.com/web-server-penetration-testing-checklist/ […]

  5. … [Trackback]

    […] Read More on|Read More|Read More Informations here|There you can find 49668 more Informations|Infos to that Topic: gbhackers.com/web-server-penetration-testing-checklist/ […]


Please enter your comment!
Please enter your name here