Home
/Checklists
/Web Application Pentest Checklist

Web Application28 items

Web Application Pentest Checklist

A structured penetration testing checklist for web applications covering all critical attack surfaces. This checklist guides testers through reconnaissance, vulnerability discovery, exploitation, and reporting phases aligned with OWASP and PTES methodologies.

OWASP Top 10OWASP WSTGPTESNIST SP 800-115

Progress: 0 of 28 items

Define scope of target URLs, subdomains, and IP rangesinfo

Document all in-scope and out-of-scope assets including third-party integrations.

Obtain signed authorization and rules of engagementinfo

Ensure legal authorization covers all testing activities including automated scanning.

Identify testing environment (production, staging, or dev)

Confirm whether testing will be conducted against production or a mirrored environment.

Establish emergency contacts and communication channels

Document escalation procedures in case of service disruption or critical findings.

Review application architecture and technology stack documentation

Gather information about frameworks, languages, and infrastructure in use.

Enumerate subdomains using passive and active techniquesinfo

Use tools like Subfinder, Amass, and certificate transparency logs.

Perform directory and file brute-forcingmedium

Use Gobuster, Feroxbuster, or ffuf to discover hidden endpoints, backup files, and admin panels.

Identify web server, framework, and CMS versionslow

Fingerprint technologies using Wappalyzer, WhatWeb, or response header analysis.

Review robots.txt, sitemap.xml, and security.txt

Check for exposed paths, disallowed directories, and security contact information.

Crawl the application and map all endpoints

Use Burp Suite Spider or ZAP to build a comprehensive site map.

Identify API endpoints and JavaScript-exposed routesmedium

Analyze JavaScript bundles and network traffic for undocumented API calls.

Test for SQL injection across all input parameterscritical

Use both manual payloads and automated tools like sqlmap on GET, POST, and cookie parameters.

Test for Cross-Site Scripting (reflected, stored, and DOM-based)high

Inject XSS payloads into form fields, URL parameters, headers, and dynamic content areas.

Assess authentication mechanisms for weaknesseshigh

Test for brute-force protections, credential stuffing resilience, default credentials, and password policy enforcement.

Test session management for fixation, hijacking, and expiration issueshigh

Verify session tokens are regenerated after login, cookies have Secure and HttpOnly flags, and sessions expire appropriately.

Check for insecure direct object references (IDOR)high

Attempt to access other users' resources by manipulating object identifiers in URLs and API calls.

Test for Server-Side Request Forgery (SSRF)critical

Probe URL parameters, file imports, and webhook configurations for internal network access.

Verify CSRF protections on state-changing operationsmedium

Confirm anti-CSRF tokens are present and validated on all forms and AJAX requests.

Attempt privilege escalation between user rolescritical

Test horizontal and vertical privilege escalation by accessing endpoints belonging to higher-privileged roles.

Test file upload functionality for remote code executioncritical

Upload web shells, polyglot files, and bypass extension/MIME type restrictions.

Exploit identified injection vulnerabilities to assess impacthigh

Chain discovered vulnerabilities to demonstrate real-world impact such as data exfiltration.

Test for business logic flaws in transaction and workflow processeshigh

Bypass pricing logic, manipulate multi-step workflows, and test race conditions.

Verify security headers and Content Security Policy effectivenessmedium

Check for missing X-Frame-Options, HSTS, CSP, and other security headers.

Document all findings with proof-of-concept evidence

Include screenshots, HTTP request/response pairs, and reproduction steps.

Classify findings using CVSS scoring and business impact

Assign severity ratings based on exploitability, impact, and affected asset criticality.

Provide actionable remediation guidance for each finding

Include specific code fixes, configuration changes, and reference documentation.

Prepare executive summary for non-technical stakeholders

Summarize overall risk posture, critical findings, and prioritized remediation roadmap.

Clean up all testing artifacts and temporary accounts

Remove uploaded files, test data, and any accounts created during the engagement.

Related Vulnerabilities

Broken Access Control

critical

Injection

critical

Security Misconfiguration

medium

Server-Side Request Forgery

high

Industries Using This Checklist

Financial Services & Banking

Healthcare

Report Vulnerabilities Faster with Vulnsy

Stop rewriting the same findings. Use Vulnsy's reusable templates, collaborative workflows, and professional report generation to deliver pentest reports 10x faster.

Start Free Trial

Vulnsy

Modern penetration testing reporting platform. Built by pentesters, for pentesters.

Platform

Features
Pricing
FAQ

Resources

Vulnerability Knowledge Base
Pentest Checklists
Cybersecurity Glossary
Industries
Blog
Free Tools

Contact

luke@vulnsy.com

Web Application Pentest Checklist

Pre-Engagement

Reconnaissance

Vulnerability Assessment

Exploitation & Testing

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy