OWASP Top 10 Testing Checklist

Attempt to reach administrative endpoints by modifying URLs, parameters, or force browsing.

Modify user IDs, account numbers, or object references to access resources of other users.

Test Access-Control-Allow-Origin with malicious origins and check credential handling.

Use ../ sequences and path manipulation to access files outside intended directories.

Check that all CRUD operations enforce the same authorization rules on the same resource.

Check for HTTP endpoints, unencrypted API calls, and cleartext protocols handling sensitive data.

Use testssl.sh or SSLyze to check for TLS 1.0/1.1, weak ciphers, and certificate issues.

Confirm usage of bcrypt, Argon2, or scrypt with appropriate work factors.

Verify that tokens, session IDs, and credentials do not appear in URLs or server logs.

Check for hardcoded keys, weak key generation, and improper key storage.

Test GET/POST parameters, headers, cookies, and JSON/XML bodies for SQL injection.

Inject command separators (;, |, &&) in fields that may interact with the operating system.

Inject LDAP metacharacters into login forms and search features using directory services.

Inject template expressions like {{7*7}} or ${7*7} to detect server-side template injection.

Inject XPath expressions and XML entities into fields processed as XML.

Inject CRLF characters into parameters reflected in HTTP headers.

Identify flaws in multi-step processes, pricing logic, and approval workflows.

Test for default admin accounts, sample applications, and debug endpoints in production.

Check for CSP, X-Frame-Options, X-Content-Type-Options, HSTS, and Permissions-Policy.

Scan dependencies with Snyk, OWASP Dependency-Check, or npm audit for known CVEs.

Verify account lockout, rate limiting, and CAPTCHA protections on login endpoints.

Test MFA enrollment, code reuse, brute-force, and response manipulation attacks.

Send crafted serialized objects to identify remote code execution or injection opportunities.

Check for unsigned updates, dependency confusion, and supply chain attack vectors.

Check that failed logins, access violations, and input validation failures generate alerts.

Inject newlines and log format strings to manipulate log entries.

Inject internal URLs (169.254.169.254, localhost, internal hostnames) to access internal services.

Use alternative representations, open redirects, and DNS rebinding to bypass SSRF protections.