156 web application penetration testing checks across 9 phases: pre-engagement, recon, authentication, authorization, injection, cryptography, API/GraphQL, business logic, and security headers/reporting. Phases 1-5 are fully interactive below. Phases 6-9 (86 more items) are available in the PDF - request via email at the bottom. Progress is tracked locally in your browser.
0 / 156 completed
Use the interactive checklist below during your engagement. Check items as you complete them - progress is saved in your browser. Request the PDF via the form mid-page to get a printable, signable version suitable for client deliverables and QSA evidence packages.
- PRE-01 Confirm written authorisation (Rules of Engagement signed) Critical
- PRE-02 Define scope: IP ranges, domains, excluded systems
- PRE-03 Confirm test window and emergency contact list
- PRE-04 Identify test environment type (prod / staging / dev) and data sensitivity
- PRE-05 Request architecture diagram, tech stack, third-party integrations
- PRE-06 Obtain test accounts: admin, standard user, unauthenticated baseline
- PRE-07 Confirm WAF / IDS / rate-limiting in place - whitelist tester IPs if needed
- PRE-08 Identify authentication mechanisms (JWT, session cookies, OAuth, SAML, API keys)
- PRE-09 Collect OpenAPI/Swagger docs, GraphQL schema, Postman collections if available
- PRE-10 Agree on reporting format, severity taxonomy, and false-positive process
- PRE-11 Configure test tooling: proxy CA installed, Burp project created, nuclei updated
- PRE-12 Set up out-of-band listener (Burp Collaborator / interactsh) for blind callbacks
- REC-01 Passive subdomain enumeration: subfinder, amass, crt.sh
- REC-02 Probe live subdomains: httpx with status, title, tech-detect
- REC-03 Web crawl + JS link extraction: katana with js-crawl enabled
- REC-04 Directory and file fuzzing: ffuf with raft-large-words + extension wordlists
- REC-05 Identify server software, framework versions, and client-side libraries (retire.js)
- REC-06 Check for exposed source maps (.js.map), build artifacts (.env, .git, .DS_Store)
- REC-07 Search for secrets in JS bundles: truffleHog + manual regex review
- REC-08 Check Wayback Machine / CommonCrawl for historical endpoints
- REC-09 Identify backup/old files: .bak, .old, .copy, ~filename patterns
- REC-10 Enumerate API endpoints: kiterunner with routes-large.kite
- REC-11 Review robots.txt, sitemap.xml, security.txt, humans.txt
- REC-12 Check CORS policy: enumerate allowed origins, wildcard, credentials flag
- REC-13 Run nuclei with exposure and tech-detect templates
- REC-14 Map all authentication entry points, password reset flows, OAuth providers
- AUTH-01 Username enumeration via response time, message, or status code differences High
- AUTH-02 Brute-force protection: rate limiting, lockout, CAPTCHA bypass attempts
- AUTH-03 Password reset flow: token predictability, token reuse, host header injection
- AUTH-04 JWT: alg:none, RS256→HS256 confusion, weak secret brute-force (hashcat)
- AUTH-05 JWT: embedded JWK injection, kid path traversal, jku/x5u SSRF
- AUTH-06 Session cookie attributes: Secure, HttpOnly, SameSite, Partitioned
- AUTH-07 Session fixation: server-side session ID rotation after authentication
- AUTH-08 Session token entropy: collect 50+ tokens, check for patterns or low entropy
- AUTH-09 OAuth 2.0: state parameter CSRF, open redirect in redirect_uri
- AUTH-10 OAuth 2.0: PKCE downgrade, token leakage via Referer/fragment
- AUTH-11 SAML: XML signature wrapping, XXE in SAML request, NameID injection
- AUTH-12 MFA bypass: code reuse, race condition on OTP validation, response manipulation
- AUTH-13 Logout: session invalidated server-side, not just cookie deleted
- AUTH-14 Account takeover via email change: confirmation bypass, token reuse after change
- AUTH-15 Default or weak credentials on admin panels, backup interfaces (/admin, /.well-known)
- AUTH-16 SSO cross-tenant token reuse: JWT audience validation, tenant claim enforcement
- AUTH-17 API key exposure: in JS source, logs, error messages, response headers
- AUTH-18 HTTP authentication: Basic over HTTP, Digest replay, NTLM in web context
- AUTHZ-01 BOLA/IDOR: access other users' objects via sequential ID, UUID, compound key Critical
- AUTHZ-02 Horizontal privilege escalation: user A reads/modifies user B's data
- AUTHZ-03 Vertical privilege escalation: user role → admin via parameter or response manipulation
- AUTHZ-04 Forced browsing: direct URL access to authenticated pages when unauthenticated
- AUTHZ-05 HTTP method override: PUT→GET, POST with X-HTTP-Method-Override header
- AUTHZ-06 Mass assignment: inject extra fields (role, isAdmin, tenantId) in POST/PUT requests
- AUTHZ-07 GraphQL BOLA: direct object ID, nested resolver bypass, batching enumeration
- AUTHZ-08 CSRF: missing token, token not validated server-side, SameSite=None without Secure
- AUTHZ-09 Referrer-based access control: spoofable Referer header grants access
- AUTHZ-10 Path traversal in file operations: /../ encoding variants, null byte, Unicode
- AUTHZ-11 Multi-tenancy: tenant ID in JWT claim vs URL parameter - which takes precedence?
- AUTHZ-12 Soft-delete bypass: accessing deleted objects via direct ID lookup
- AUTHZ-13 Insecure direct object reference in file downloads: invoice, report, document IDs
- AUTHZ-14 Feature flags and beta features: enumerate hidden features via JS source, API params
- AUTHZ-15 Role check on export/bulk download endpoints (often forgotten in authz model)
- AUTHZ-16 Subscription/tier bypass: access paid features from free account via API direct call
- INJ-01 SQL injection: GET/POST params, headers (User-Agent, X-Forwarded-For), JSON body Critical
- INJ-02 Blind SQL injection: time-based (SLEEP/WAITFOR), boolean-based, out-of-band
- INJ-03 NoSQL injection: MongoDB operator injection ($where, $gt, $regex), array injection
- INJ-04 Server-side template injection: Jinja2, Twig, Mako, FreeMarker, Velocity, ERB
- INJ-05 Server-side request forgery: internal IP ranges, cloud IMDS (169.254.169.254)
- INJ-06 Reflected XSS: all input parameters, headers, path components
- INJ-07 Stored XSS: profile fields, comments, file names, imported data
- INJ-08 DOM XSS: location.hash, postMessage, innerHTML sinks in JS code
- INJ-09 Command injection: OS commands via ping, nslookup, file operations with user input
- INJ-10 XML/XXE: external entity injection via XML upload, SOAP, SVG, docx/xlsx
- INJ-11 LDAP injection: username/password fields in directory-backed auth
- INJ-12 HTTP header injection: CRLF in redirect parameters, response splitting
- INJ-13 Open redirect: in login return URL, OAuth redirect_uri, 3xx Location header
- INJ-14 File upload: malicious extension bypass, MIME type mismatch, zip slip, SVG XSS
- INJ-15 Deserialization: Java, PHP, Python pickle, .NET BinaryFormatter - ysoserial payloads
- INJ-16 GraphQL injection: mutation input fields, directive abuse, alias-based injection
- INJ-17 LLM prompt injection: system prompt bypass via user message, indirect via retrieved docs
- INJ-18 CSV/formula injection in exports: =CMD(), @SUM(), +HYPERLINK() in downloaded files
- INJ-19 HTML injection in email templates: user-controlled HTML in notification content
- INJ-20 PDF generation injection: HTML/CSS in PDF-rendered fields (wkhtmltopdf SSRF)
Get the complete PDF
Phases 6-9 include cryptography, API/GraphQL, business logic, and reporting checklists - 86 more test cases not shown above. The PDF includes WSTG mapping, severity ratings, tool recommendations, and evidence capture notes.
// 06-09 Remaining phases - overview
The sections below summarise the remaining checklist phases. Full test case details with WSTG IDs, tool commands, and evidence capture notes are in the PDF.
Cryptography & Transport
TLS version enforcement, cipher suite audit, HSTS preload, certificate pinning (mobile), weak key exchange (DHE <2048), token entropy analysis, custom crypto review, key storage in code/config, encryption-at-rest validation.
API & GraphQL Security
Rate limiting per endpoint, GraphQL introspection exposure, schema complexity limits, batching/aliasing attacks, REST versioning (old versions still live), API key rotation, webhook signature validation, async callback SSRF, Swagger/OAS exposure.
Business Logic
Race conditions on state-modifying operations, workflow skip (payment bypass), negative quantity/price manipulation, coupon/discount stacking, referral abuse, limit override (resource exhaustion), state machine bypass, time-of-check to time-of-use.
Security Headers & Reporting
CSP strength analysis, X-Frame-Options, Permissions-Policy, cache control for sensitive pages, error message verbosity, stack trace exposure, version disclosure, finding severity rating methodology, evidence capture standards, remediation guidance structure.
// Compliance Framework mapping
Every checklist item maps to one or more compliance test requirements. If your engagement is compliance-scoped, use the filter in the PDF to extract only the relevant test cases. See our compliance consulting service for engagements that require audit-ready deliverables.
| Framework | Relevant requirement | Coverage | Notes |
|---|---|---|---|
| PCI DSS v4.0 | Req 6.2.4 - Manual Code Review / Pen Test | Full | Req 11.4.1-11.4.5 pen test scope alignment |
| OWASP WSTG v4.2 | All test categories IDNT through CLNT | Full | Each item tagged with WSTG-XXXX-YY ID |
| ASVS v4.0 | Level 2 (standard) and Level 3 (high security) | ~85% | Static analysis items excluded (code review separate) |
| SOC 2 CC6.x | CC6.1-CC6.8 logical access controls | Partial | Auth + authz phases map directly; injection phases contextual |
| ISO 27001:2022 | Annex A 8.8 (vuln mgmt), 8.29 (security testing) | Partial | Checklist produces evidence for technical testing controls |
// Tools Referenced in this checklist
Each item references the specific tool or technique used to test it. The PDF includes tool commands, payload examples, and evidence capture instructions. For the full tooling guide, see our dedicated post.
Web Application Pentest Tools - 2026 Edition
Phase-by-phase guide to every tool referenced in this checklist: Burp Suite Pro, nuclei, ffuf, jwt_tool, sqlmap, GraphQL Voyager, and 20+ more with usage examples.
Read the tools guide →