Home
/Checklists
/OWASP Top 10 Testing Checklist

Web Application28 items

OWASP Top 10 Testing Checklist

A structured testing checklist aligned with the OWASP Top 10 2021 categories. Each phase covers specific vulnerability classes with concrete test cases that security testers can execute to verify application resilience against the most critical web application risks.

OWASP Top 10 2021OWASP WSTGASVS 4.0

Progress: 0 of 28 items

Test for vertical privilege escalation by accessing admin functions as a regular usercritical

Attempt to reach administrative endpoints by modifying URLs, parameters, or force browsing.

Test for horizontal privilege escalation by accessing other users' datacritical

Modify user IDs, account numbers, or object references to access resources of other users.

Verify that CORS configuration does not allow unauthorized originshigh

Test Access-Control-Allow-Origin with malicious origins and check credential handling.

Test directory traversal on file access and download featureshigh

Use ../ sequences and path manipulation to access files outside intended directories.

Verify that API endpoints enforce authorization consistentlycritical

Check that all CRUD operations enforce the same authorization rules on the same resource.

Identify sensitive data transmitted without encryptionhigh

Check for HTTP endpoints, unencrypted API calls, and cleartext protocols handling sensitive data.

Test for weak TLS configurations and cipher suitesmedium

Use testssl.sh or SSLyze to check for TLS 1.0/1.1, weak ciphers, and certificate issues.

Verify that passwords are stored using strong adaptive hashinghigh

Confirm usage of bcrypt, Argon2, or scrypt with appropriate work factors.

Check for sensitive data exposure in URLs and logsmedium

Verify that tokens, session IDs, and credentials do not appear in URLs or server logs.

Assess cryptographic key management practiceshigh

Check for hardcoded keys, weak key generation, and improper key storage.

Test for SQL injection in all user-controllable inputscritical

Test GET/POST parameters, headers, cookies, and JSON/XML bodies for SQL injection.

Test for OS command injection in system interaction featurescritical

Inject command separators (;, |, &&) in fields that may interact with the operating system.

Test for LDAP injection in directory-integrated applicationshigh

Inject LDAP metacharacters into login forms and search features using directory services.

Test for template injection (SSTI) in dynamic content renderingcritical

Inject template expressions like {{7*7}} or ${7*7} to detect server-side template injection.

Test for XPath and XML injection in XML-processing featureshigh

Inject XPath expressions and XML entities into fields processed as XML.

Test for header injection and HTTP response splittingmedium

Inject CRLF characters into parameters reflected in HTTP headers.

Test for insecure design in business logic and workflowshigh

Identify flaws in multi-step processes, pricing logic, and approval workflows.

Check for default credentials and unnecessary features enabledhigh

Test for default admin accounts, sample applications, and debug endpoints in production.

Verify security headers are present and correctly configuredmedium

Check for CSP, X-Frame-Options, X-Content-Type-Options, HSTS, and Permissions-Policy.

Identify components with known vulnerabilities using SCA toolshigh

Scan dependencies with Snyk, OWASP Dependency-Check, or npm audit for known CVEs.

Test authentication mechanisms for brute-force and credential stuffing resiliencehigh

Verify account lockout, rate limiting, and CAPTCHA protections on login endpoints.

Verify multi-factor authentication implementation and bypass resistancehigh

Test MFA enrollment, code reuse, brute-force, and response manipulation attacks.

Test for insecure deserialization in Java, PHP, and .NET applicationscritical

Send crafted serialized objects to identify remote code execution or injection opportunities.

Verify integrity of software update mechanisms and CI/CD pipelineshigh

Check for unsigned updates, dependency confusion, and supply chain attack vectors.

Verify that security events are properly logged and monitoredmedium

Check that failed logins, access violations, and input validation failures generate alerts.

Test for log injection and log forging vulnerabilitiesmedium

Inject newlines and log format strings to manipulate log entries.

Test for SSRF in URL parameters, webhooks, and file import featurescritical

Inject internal URLs (169.254.169.254, localhost, internal hostnames) to access internal services.

Test SSRF filter bypasses using URL encoding, redirects, and DNS rebindinghigh

Use alternative representations, open redirects, and DNS rebinding to bypass SSRF protections.

Related Vulnerabilities

Broken Access Control

critical

Injection

critical

Security Misconfiguration

medium

Server-Side Request Forgery

high

Industries Using This Checklist

Financial Services & Banking

Healthcare

Report Vulnerabilities Faster with Vulnsy

Stop rewriting the same findings. Use Vulnsy's reusable templates, collaborative workflows, and professional report generation to deliver pentest reports 10x faster.

Start Free Trial

Vulnsy

Modern penetration testing reporting platform. Built by pentesters, for pentesters.

Platform

Features
Pricing
FAQ

Resources

Vulnerability Knowledge Base
Pentest Checklists
Cybersecurity Glossary
Industries
Blog
Free Tools

Contact

luke@vulnsy.com

OWASP Top 10 Testing Checklist

A01 - Broken Access Control

A02 - Cryptographic Failures

A03 - Injection

A04-A07 - Design, Configuration & Component Flaws

A08-A10 - Integrity, Logging & SSRF

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy