OWASP Web Application Penetration Checklist
Penetration testing will never be an exact science where a complete list of all possible issues that should be tested can be defined. Indeed penetration is only an appropriate technique to test the security of web applications under certain circumstances. For information about what these circumstances are, and to learn how to build a testing framework and which testing techniques you should consider, we recommend reading the OWASP Testing Framework Part One (http://www.owasp.org) .
Risk Management Guide for Information Technology Systems, NIST 800-30 1describes vulnerabilities in operational, technical and management categories. Penetration testing alone does not really help identify operational and management vulnerabilities.