Web Application Security Testing Checklist

5 min readJan 18, 2023

Hello everyone, Welcome to my Blog!

Today I am going to share with you how I personally start security testing of any web application step by step to ensure that I do not miss any security vulnerability in web application. Although, if I forgot any vulnerability that should be listed here, please forgive me and let me know in the comment section, I will review it and definitely try to incorporate the same.

I will try to keep this list updated, however, it might take some time. In the meantime, please have a look at the web application security testing checklist and let us know in the comment section if I have missed any test cases or if I should add some specific test cases for any specific vulnerability.

Let’s Start…

Web Application Security Testing

I personally prefer to start with the Black-Box approach where I try to enumerate banners information, some basic or I can say network-level findings that can be found using any automated tool as well as manually such as:

Missing HTTP Security Header (using Burp)
Cacheable HTTP Responses (using Burp)
Web vendor/version disclosure (using Burp)
Track/Trace/Delete method enabled (using Burp)
Vulnerable components/Outdated framework (using RetireJS, Wappalyser)
Cookie not marked Secure/HttpOnly (using Burp)
SSL/TLSv1.0 (using TestSSL)
SSL/TLS supports weak ciphers (using TestSSL)
SSL weak hashing algorithm (using TestSSL)
Form/Field autocomplete ON (using Browser)
Hardcoded Sensitive information (using Browser)
Data replay attack (using Burp)
Misconfigured CORS (using Burp)
Host Header Injection (using Burp)
HTTP Verb Tampering (using Burp)
Open Redirection (using Burp)
Sensitive Data in Clear Text (using Burp)
Unencrypted Communication (using Browser)
Web application accessible via IP (using Browser)

Alright, Now I will proceed further step by step to have a look at every possible vulnerability. When I browse any application, the first thing I usually see in the application is a dashboard with all the information about the business and a login and register page. Hence let’s try to dig from the Homepage itself.

Login Page:

No Captcha Implemented
Username/Email enumeration via verbose failure messages
Mobile enumeration via verbose failure messages
Brute Force Possible/No account lockout policy
Remember me Functionality
No MFA
No, Forget Password Functionality
No Virtual Keyboard Supported
Password is not case sensitive while login

Registration Functionality:

Username enumeration via verbose failure messages
No confirmed password functionality
No mobile number verification process
No email verification process/No account verification process
Weak Security Question/Answer
No multi-factor authentication enables option
No term and condition checkbox during registration
Nonunique usernames/Predictable usernames
Lack of User Input Validation (Max Length not Implemented)

Password Functionality:

No password change functionality post login
No password history enforcement
Insufficient password complexity
Password Policy accepts any Special Characters
Unverified Password Change/No old password required for new password
Password change link reused/ does not expire
Old password link does not expire on new link generation
Password change token is tied with email id/username
Reset Password Email flooding
No minimum time interval between password changes
Wrong Redirection post password change
No logout button enabled on Dashboard
No Email on sensitive action

Authentication Bypass:

Forced Browsing
Parameter Modification
using response manipulation
using response replay attack
using OTP bypass/MFA bypass
leveraging OTP misconfiguration
Using session ID prediction
SQL Injection

Session Management:

Weak token generation/predictable token
Session fixation
Multiple Concurrent Sessions Allowed
No session invalidation after logout/SessionID can be used post logout
Session timeout not implemented
Improper Session Management on Password Change
Back Button Enabled

Authorization Flaw:

Authentication bypass via invalidation of credentials (Parameter modification)
Insecure access (without token/OTP/MFA)
Directory traversal
File inclusion
Privilege escalation
Insecure direct object reference (IDOR)
Forced browsing

Business logic flaw

Business constraint bypass
Business flow bypasses
Business control bypass

Sensitive data exposure

PCI data in clear text
Sensitive data submission in clear text
Password without hashing and salting
Clear text password in response
Clear text password stored in cookies
Sensitive data traveled via GET method
Cleat text storage of sensitive information in Database
Information disclosure
Internal IP disclosure

Injection:

SQL injection

Error based
Union-based
Boolean based
Time-based
Out-of-band
Second-order

Cross-site scripting (XSS)

Reflected
Stored
DOM
Blind

HTML injection
CSS injection
Link injection
Iframe injection
CSV/Formula injection
XML injection
XPath injection
LDAP injection
NoSQL Injection
Command injection
Server-side template injection
Host header injection

Other Vulnerabilities:

Cross-site request forgery
Server-side request forgery
File upload
XML external entity (XXE)
Insecure deserialization
HTTP Request smuggling/Desynchronization attack
HTTP Response splitting/CRLF injection
HTTP Parameter pollution
HTTP Verb tempering
Open redirection
Clickjacking
Misconfigured CORS
Misconfigured referer header
Data replay attack
Race condition
Web cache poisoning
Web cache deception

Cryptographic Failures:

Unencrypted HTTP communication
Self-signed Certificate
SSL/TLSv1.0
SSL/TLS supports weak ciphers
SSL weak hashing algorithm
TLS fallback is not supported

Other Security Misconfigurations:

OTP Flooding
HTTP basic authentication/HTML form-based authentication
No email/activity alert on sensitive action (account registration/change password)
Weak/default/predictable username
Weak/default/predictable password
HTTP security header missing
Cookie not marked Secure/HttpOnly
Cacheable HTTP response
Web vendor/version disclosure
Email spoofing
Vulnerable components/Outdated framework
Track/Trace/Delete method enabled
No privacy policy implemented
Robots.txt file exposure
Robots.txt file misconfigured
Admin module exposed publicly
No separate table for admin and normal user accounts
No super admin for multiple admin accounts
Database running with root privileges
Backup file found on the server
Hidden/Sensitive/Default files found
Upload module on public page
Server time misconfigured
Insufficient logging and monitoring

Server-side Vulnerabilities are as below:

SQLi
Authentication
Business logic Vulnerabilities
Access Control
Server-side Request Forgery
XXE Injection
Directory Traversal
Command Injection
Information Disclosure

Client-side Vulnerabilities are as below:

XSS
CSRF
CORS
Clickjacking
DOM Based Vulnerabilities
Web Sockets

URL-based vulnerabilities:

SQL Injection

Error based
Union based
Time-based

Reflected
DOM

XXE
File Inclusion

Directory Traversal
IDOR
Privilege Escalation

Horizontal
Vertical

OS Command Injection
SSRF
Parameter pollution
Response Splitting/CRLF

Form-based vulnerability

SQL Injection
XSS

Reflection
Stored
DOM
Blind

Other Injection

HTML
CSS
iFrame
Formula
Command
SSTI

XXE
CSRF
File Upload
Clickjacking

Header based vulnerability

Host header injection
Request Smuggling
Misconfigured CORS
Verb Tampering
Misconfigured referer header
Web cache Poisoning
Web cache deception
Data replay attack
Missing Security Header
Cookie Issues
Web Vendor/version disclosure
Cacheable response

Wrapping Up

Please note that this checklist is not assuring all the vulnerabilities present in the web application. Vulnerabilities may rely on business requirements and exposure. Hence, some vulnerabilities can be invalid as per the business requirements or as per the design.

Thank you