Checklists
Web Application Security Testing Checklist
This checklist organizes web application security testing into the areas that most often matter, aligned to the OWASP Top 10 (2021). Use it as a coverage map rather than a rigid script.
The checklist
Access control
Test horizontal and vertical privilege escalation, IDOR, forced browsing, and CSRF on state-changing actions.
Authentication & sessions
Test login, MFA, password reset, session fixation, and token handling (including JWT validation).
Injection
Probe for SQL/NoSQL injection, command injection, SSTI, and cross-site scripting across all inputs and contexts.
Server-side flaws
Test for SSRF, XXE, path traversal, and insecure deserialization on file, URL, and data-handling features.
Security configuration
Check security headers, CORS, TLS/HSTS, error verbosity, and default or exposed admin interfaces.
Business logic
Test workflows for logic abuse: skipping steps, replay, negative values, and race conditions.
Data protection
Verify sensitive data handling, caching of private responses, and secure cookie attributes.
Logging & monitoring
Confirm that security-relevant events are logged and that failures are detectable.
Key takeaways
- Access control and business logic need the most human-like reasoning.
- Cover every injection context, not just the obvious inputs.
- Configuration and headers are quick wins with real impact.
FAQ
How often should web application security testing run?
As often as the application changes. Point-in-time testing misses everything shipped between engagements, which is why continuous or autonomous testing on every deploy is increasingly the standard.
Related
Impactr puts this into practice - autonomously testing your web apps and APIs the way an attacker would, and proving every finding with a reproducible exploit.
Join the waitlist