IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Guides
  3. Web Application Security Testing Checklist

Checklists

Web Application Security Testing Checklist

This checklist organizes web application security testing into the areas that most often matter, aligned to the OWASP Top 10 (2021). Use it as a coverage map rather than a rigid script.

The checklist

  1. Access control

    Test horizontal and vertical privilege escalation, IDOR, forced browsing, and CSRF on state-changing actions.

  2. Authentication & sessions

    Test login, MFA, password reset, session fixation, and token handling (including JWT validation).

  3. Injection

    Probe for SQL/NoSQL injection, command injection, SSTI, and cross-site scripting across all inputs and contexts.

  4. Server-side flaws

    Test for SSRF, XXE, path traversal, and insecure deserialization on file, URL, and data-handling features.

  5. Security configuration

    Check security headers, CORS, TLS/HSTS, error verbosity, and default or exposed admin interfaces.

  6. Business logic

    Test workflows for logic abuse: skipping steps, replay, negative values, and race conditions.

  7. Data protection

    Verify sensitive data handling, caching of private responses, and secure cookie attributes.

  8. Logging & monitoring

    Confirm that security-relevant events are logged and that failures are detectable.

Key takeaways

  • Access control and business logic need the most human-like reasoning.
  • Cover every injection context, not just the obvious inputs.
  • Configuration and headers are quick wins with real impact.

FAQ

How often should web application security testing run?

As often as the application changes. Point-in-time testing misses everything shipped between engagements, which is why continuous or autonomous testing on every deploy is increasingly the standard.

Related

OWASP Top 10 explainedSecurity headers referenceVulnerability knowledge graph

Impactr puts this into practice - autonomously testing your web apps and APIs the way an attacker would, and proving every finding with a reproducible exploit.

Join the waitlist
← All guides
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub