Practical Web Penetration Testing

by Gus Khawaja
June 2018
Intermediate to advanced
294 pages
7h 5m
English
Packt Publishing
Content preview from Practical Web Penetration Testing

Special pages checklist

You will encounter some specific pages during pen tests, and when you do, you'll have to use a checklist different from the one we used before. Take note that you will still need to use the common checklist too, after finishing this step:

  1. Login page (this includes the admin page):
    1. Test for default credentials (for example, username = admin and password = admin).
    2. Brute-force credentials using a dictionary file.
    3. Test for a lockout after a number of failed attempts, which can be abused to accomplish a DoS instead.
    4. Does it use CAPTCHA? CAPTCHA helps defend against automated attacks.
    5. Use SQL injection to bypass authentication.
    6. Do they use "remember me" passwords?
  2. Registration page:
    1. Do they allow weak passwords?
    2. If you register with ...
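
The lockout and CAPTCHA items on the login page list pull against each other: a hard account lock stops guessing but lets anyone lock the owner out. The following is an added example, not code from the book, of a throttle a tester would hope to find behind the login page; the class name, thresholds and sample addresses are assumptions made for illustration.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Slow down guessing per (account, source) pair without locking the account."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0,
                 captcha_after=10, window=3600.0, clock=time.monotonic):
        self.free_attempts = free_attempts  # failures per pair before any delay
        self.base_delay = base_delay        # seconds; doubles with each extra failure
        self.max_delay = max_delay          # upper bound on the delay
        self.captcha_after = captcha_after  # account-wide failures that trigger CAPTCHA
        self.window = window                # seconds an account-wide failure counts for
        self.clock = clock
        self.pair_failures = defaultdict(int)      # (user, ip) -> failures so far
        self.blocked_until = {}                    # (user, ip) -> time the delay ends
        self.account_failures = defaultdict(list)  # user -> failure timestamps

    def check(self, user, ip):
        """Call before verifying the password: 'blocked', 'captcha' or 'allow'."""
        now = self.clock()
        if now < self.blocked_until.get((user, ip), 0.0):
            return "blocked"
        recent = [t for t in self.account_failures.get(user, []) if now - t < self.window]
        return "captcha" if len(recent) >= self.captcha_after else "allow"

    def record_failure(self, user, ip):
        now, key = self.clock(), (user, ip)
        self.pair_failures[key] += 1
        self.account_failures[user].append(now)
        extra = self.pair_failures[key] - self.free_attempts
        if extra > 0:  # only this source is delayed, so the owner is not locked out
            delay = min(self.base_delay * 2 ** (extra - 1), self.max_delay)
            self.blocked_until[key] = now + delay

    def record_success(self, user, ip):
        self.pair_failures.pop((user, ip), None)
        self.blocked_until.pop((user, ip), None)

def simulate():
    """Constructed scenario: one source fails repeatedly, the owner uses another."""
    now = [0.0]  # fake clock so the run is deterministic
    throttle = LoginThrottle(clock=lambda: now[0])
    for _ in range(5):
        if throttle.check("alice", "203.0.113.5") == "allow":
            throttle.record_failure("alice", "203.0.113.5")
    return throttle.check("alice", "203.0.113.5"), throttle.check("alice", "198.51.100.7")
```

Failures spread across many sources never trip the per-pair delay, which is why the account-wide counter escalates to a CAPTCHA instead of a lock.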

ISBN: 9781788624039