Blog · C.11 · Free Resource

Web application pentest checklist: 156 test cases across 9 phases

The exact checklist used on every CyberFortify web application engagement. 156 test cases organised by phase from pre-engagement through reporting, mapped to OWASP WSTG v4.2, PCI DSS v4.0 Req 6.2.4, and ASVS. Interactive online version below - PDF available on request.

Pre-Engagement Authentication Authorization Injection API Security Business Logic OWASP WSTG PCI DSS
CHECKLIST: Pre-Engagement · Recon · Authentication · Authorization · Injection · Cryptography · API & GraphQL · Business Logic · Security Headers · OWASP WSTG · PCI DSS v4.0 · ASVS · 156 Test Cases CHECKLIST: Pre-Engagement · Recon · Authentication · Authorization · Injection · Cryptography · API & GraphQL · Business Logic · Security Headers · OWASP WSTG · PCI DSS v4.0 · ASVS · 156 Test Cases
// TL;DR

156 web application penetration testing checks across 9 phases: pre-engagement, recon, authentication, authorization, injection, cryptography, API/GraphQL, business logic, and security headers/reporting. Phases 1-5 are fully interactive below. Phases 6-9 (86 more items) are available in the PDF - request via email at the bottom. Progress is tracked locally in your browser.

156Individual test cases across 9 phases
WSTGMapped to OWASP WSTG v4.2 test IDs
PCIAligned to PCI DSS v4.0 Req 6.2.4
2026Updated for GraphQL, LLM endpoints, edge functions

0 / 156 completed

Use the interactive checklist below during your engagement. Check items as you complete them - progress is saved in your browser. Request the PDF via the form mid-page to get a printable, signable version suitable for client deliverables and QSA evidence packages.

01
Pre-Engagement & Scoping 12 items
  • PRE-01 Confirm written authorisation (Rules of Engagement signed) Critical
  • PRE-02 Define scope: IP ranges, domains, excluded systems
  • PRE-03 Confirm test window and emergency contact list
  • PRE-04 Identify test environment type (prod / staging / dev) and data sensitivity
  • PRE-05 Request architecture diagram, tech stack, third-party integrations
  • PRE-06 Obtain test accounts: admin, standard user, unauthenticated baseline
  • PRE-07 Confirm WAF / IDS / rate-limiting in place - whitelist tester IPs if needed
  • PRE-08 Identify authentication mechanisms (JWT, session cookies, OAuth, SAML, API keys)
  • PRE-09 Collect OpenAPI/Swagger docs, GraphQL schema, Postman collections if available
  • PRE-10 Agree on reporting format, severity taxonomy, and false-positive process
  • PRE-11 Configure test tooling: proxy CA installed, Burp project created, nuclei updated
  • PRE-12 Set up out-of-band listener (Burp Collaborator / interactsh) for blind callbacks
02
Reconnaissance & Asset Discovery 14 items
  • REC-01 Passive subdomain enumeration: subfinder, amass, crt.sh
  • REC-02 Probe live subdomains: httpx with status, title, tech-detect
  • REC-03 Web crawl + JS link extraction: katana with js-crawl enabled
  • REC-04 Directory and file fuzzing: ffuf with raft-large-words + extension wordlists
  • REC-05 Identify server software, framework versions, and client-side libraries (retire.js)
  • REC-06 Check for exposed source maps (.js.map), build artifacts (.env, .git, .DS_Store)
  • REC-07 Search for secrets in JS bundles: truffleHog + manual regex review
  • REC-08 Check Wayback Machine / CommonCrawl for historical endpoints
  • REC-09 Identify backup/old files: .bak, .old, .copy, ~filename patterns
  • REC-10 Enumerate API endpoints: kiterunner with routes-large.kite
  • REC-11 Review robots.txt, sitemap.xml, security.txt, humans.txt
  • REC-12 Check CORS policy: enumerate allowed origins, wildcard, credentials flag
  • REC-13 Run nuclei with exposure and tech-detect templates
  • REC-14 Map all authentication entry points, password reset flows, OAuth providers
03
Authentication Testing 18 items
  • AUTH-01 Username enumeration via response time, message, or status code differences High
  • AUTH-02 Brute-force protection: rate limiting, lockout, CAPTCHA bypass attempts
  • AUTH-03 Password reset flow: token predictability, token reuse, host header injection
  • AUTH-04 JWT: alg:none, RS256→HS256 confusion, weak secret brute-force (hashcat)
  • AUTH-05 JWT: embedded JWK injection, kid path traversal, jku/x5u SSRF
  • AUTH-06 Session cookie attributes: Secure, HttpOnly, SameSite, Partitioned
  • AUTH-07 Session fixation: server-side session ID rotation after authentication
  • AUTH-08 Session token entropy: collect 50+ tokens, check for patterns or low entropy
  • AUTH-09 OAuth 2.0: state parameter CSRF, open redirect in redirect_uri
  • AUTH-10 OAuth 2.0: PKCE downgrade, token leakage via Referer/fragment
  • AUTH-11 SAML: XML signature wrapping, XXE in SAML request, NameID injection
  • AUTH-12 MFA bypass: code reuse, race condition on OTP validation, response manipulation
  • AUTH-13 Logout: session invalidated server-side, not just cookie deleted
  • AUTH-14 Account takeover via email change: confirmation bypass, token reuse after change
  • AUTH-15 Default or weak credentials on admin panels, backup interfaces (/admin, /.well-known)
  • AUTH-16 SSO cross-tenant token reuse: JWT audience validation, tenant claim enforcement
  • AUTH-17 API key exposure: in JS source, logs, error messages, response headers
  • AUTH-18 HTTP authentication: Basic over HTTP, Digest replay, NTLM in web context
04
Authorization & Access Control 16 items
  • AUTHZ-01 BOLA/IDOR: access other users' objects via sequential ID, UUID, compound key Critical
  • AUTHZ-02 Horizontal privilege escalation: user A reads/modifies user B's data
  • AUTHZ-03 Vertical privilege escalation: user role → admin via parameter or response manipulation
  • AUTHZ-04 Forced browsing: direct URL access to authenticated pages when unauthenticated
  • AUTHZ-05 HTTP method override: PUT→GET, POST with X-HTTP-Method-Override header
  • AUTHZ-06 Mass assignment: inject extra fields (role, isAdmin, tenantId) in POST/PUT requests
  • AUTHZ-07 GraphQL BOLA: direct object ID, nested resolver bypass, batching enumeration
  • AUTHZ-08 CSRF: missing token, token not validated server-side, SameSite=None without Secure
  • AUTHZ-09 Referrer-based access control: spoofable Referer header grants access
  • AUTHZ-10 Path traversal in file operations: /../ encoding variants, null byte, Unicode
  • AUTHZ-11 Multi-tenancy: tenant ID in JWT claim vs URL parameter - which takes precedence?
  • AUTHZ-12 Soft-delete bypass: accessing deleted objects via direct ID lookup
  • AUTHZ-13 Insecure direct object reference in file downloads: invoice, report, document IDs
  • AUTHZ-14 Feature flags and beta features: enumerate hidden features via JS source, API params
  • AUTHZ-15 Role check on export/bulk download endpoints (often forgotten in authz model)
  • AUTHZ-16 Subscription/tier bypass: access paid features from free account via API direct call
05
Injection & Input Validation 20 items
  • INJ-01 SQL injection: GET/POST params, headers (User-Agent, X-Forwarded-For), JSON body Critical
  • INJ-02 Blind SQL injection: time-based (SLEEP/WAITFOR), boolean-based, out-of-band
  • INJ-03 NoSQL injection: MongoDB operator injection ($where, $gt, $regex), array injection
  • INJ-04 Server-side template injection: Jinja2, Twig, Mako, FreeMarker, Velocity, ERB
  • INJ-05 Server-side request forgery: internal IP ranges, cloud IMDS (169.254.169.254)
  • INJ-06 Reflected XSS: all input parameters, headers, path components
  • INJ-07 Stored XSS: profile fields, comments, file names, imported data
  • INJ-08 DOM XSS: location.hash, postMessage, innerHTML sinks in JS code
  • INJ-09 Command injection: OS commands via ping, nslookup, file operations with user input
  • INJ-10 XML/XXE: external entity injection via XML upload, SOAP, SVG, docx/xlsx
  • INJ-11 LDAP injection: username/password fields in directory-backed auth
  • INJ-12 HTTP header injection: CRLF in redirect parameters, response splitting
  • INJ-13 Open redirect: in login return URL, OAuth redirect_uri, 3xx Location header
  • INJ-14 File upload: malicious extension bypass, MIME type mismatch, zip slip, SVG XSS
  • INJ-15 Deserialization: Java, PHP, Python pickle, .NET BinaryFormatter - ysoserial payloads
  • INJ-16 GraphQL injection: mutation input fields, directive abuse, alias-based injection
  • INJ-17 LLM prompt injection: system prompt bypass via user message, indirect via retrieved docs
  • INJ-18 CSV/formula injection in exports: =CMD(), @SUM(), +HYPERLINK() in downloaded files
  • INJ-19 HTML injection in email templates: user-controlled HTML in notification content
  • INJ-20 PDF generation injection: HTML/CSS in PDF-rendered fields (wkhtmltopdf SSRF)

Get the complete PDF

Phases 6-9 include cryptography, API/GraphQL, business logic, and reporting checklists - 86 more test cases not shown above. The PDF includes WSTG mapping, severity ratings, tool recommendations, and evidence capture notes.

// 06-09 Remaining phases - overview

The sections below summarise the remaining checklist phases. Full test case details with WSTG IDs, tool commands, and evidence capture notes are in the PDF.

Phase 06 · 18 items

Cryptography & Transport

TLS version enforcement, cipher suite audit, HSTS preload, certificate pinning (mobile), weak key exchange (DHE <2048), token entropy analysis, custom crypto review, key storage in code/config, encryption-at-rest validation.

Phase 07 · 22 items

API & GraphQL Security

Rate limiting per endpoint, GraphQL introspection exposure, schema complexity limits, batching/aliasing attacks, REST versioning (old versions still live), API key rotation, webhook signature validation, async callback SSRF, Swagger/OAS exposure.

Phase 08 · 20 items

Business Logic

Race conditions on state-modifying operations, workflow skip (payment bypass), negative quantity/price manipulation, coupon/discount stacking, referral abuse, limit override (resource exhaustion), state machine bypass, time-of-check to time-of-use.

Phase 09 · 26 items

Security Headers & Reporting

CSP strength analysis, X-Frame-Options, Permissions-Policy, cache control for sensitive pages, error message verbosity, stack trace exposure, version disclosure, finding severity rating methodology, evidence capture standards, remediation guidance structure.

// Compliance Framework mapping

Every checklist item maps to one or more compliance test requirements. If your engagement is compliance-scoped, use the filter in the PDF to extract only the relevant test cases. See our compliance consulting service for engagements that require audit-ready deliverables.

FrameworkRelevant requirementCoverageNotes
PCI DSS v4.0Req 6.2.4 - Manual Code Review / Pen TestFullReq 11.4.1-11.4.5 pen test scope alignment
OWASP WSTG v4.2All test categories IDNT through CLNTFullEach item tagged with WSTG-XXXX-YY ID
ASVS v4.0Level 2 (standard) and Level 3 (high security)~85%Static analysis items excluded (code review separate)
SOC 2 CC6.xCC6.1-CC6.8 logical access controlsPartialAuth + authz phases map directly; injection phases contextual
ISO 27001:2022Annex A 8.8 (vuln mgmt), 8.29 (security testing)PartialChecklist produces evidence for technical testing controls

// Tools Referenced in this checklist

Each item references the specific tool or technique used to test it. The PDF includes tool commands, payload examples, and evidence capture instructions. For the full tooling guide, see our dedicated post.

Web Application Pentest Tools - 2026 Edition

Phase-by-phase guide to every tool referenced in this checklist: Burp Suite Pro, nuclei, ffuf, jwt_tool, sqlmap, GraphQL Voyager, and 20+ more with usage examples.

Read the tools guide →
CY

CyberFortify Research

Penetration Testing Practice

This checklist is maintained by the CyberFortify penetration testing team and updated after every major OWASP release and significant finding on client engagements.

Want this checklist run against your application?

CyberFortify's web application penetration testing service executes every item on this checklist manually - plus the business logic and environment-specific tests that no checklist can pre-enumerate.

Schedule scoping call → Web app pen testing →