A practical checklist for authentication, sessions, access control, injection, business logic, and configuration testing of web applications.
299 checks · progress and notes saved in your browser
Map the target: fingerprint technologies, discover content and assets, and surface exposed configuration before active testing.
Verify how the application proves identity: credentials, MFA, tokens (JWT), federation (OAuth/OIDC/SAML), session lifecycle, and recovery flows.
Access-control testing: IDOR, privilege escalation, RBAC, multi-tenant isolation, mass assignment, and forced browsing.
Untrusted input reaching interpreters, parsers, and renderers across SQL, NoSQL, OS commands, templates, XML, LDAP, browsers, and serialization layers.
Browser-enforced controls and cross-origin behaviour: CORS, CSP, security headers, cookies, clickjacking, WebSockets, and caching.
Abuse of legitimate functionality: workflow bypass, price/quantity manipulation, race conditions, rate limiting, coupon abuse, and client-side trust.
Assess transport security, error handling, file upload, default artifacts, secrets exposure, takeover risk, and server configuration.