Web Application Pentest Checklist

OWASP Top 10: 2025 – Web Application Security
A01:2025 – Broken Access Control
A02:2025 – Security Misconfiguration
A03:2025 – Software Supply Chain Failures
A04:2025 – Cryptographic Failures
A05:2025 – Injection
A06:2025 – Insecure Design
A07:2025 – Authentication Failures
A08:2025 – Software or Data Integrity Failures
A09:2025 – Security Logging and Alerting Failures
A10:2025 – Mishandling of Exceptional Conditions
Recon
Run amass
Run subfinder
Run assetfinder
Run dnsgen
Run massdns
Use httprobe
Run aquatone
Shodan enumeration
Censys enumeration
Google dorking
GitHub secret hunting
Search API keys
Search AWS keys
Search OAuth secrets
Search CI/CD secrets
Search exposed .env files
Search private repo leaks
Surface Mapping
Nmap scan
Burp crawler
ffuf fuzzing
JS endpoint discovery
Hidden API endpoints
Hardcoded tokens in JS
GraphQL endpoint exposure
Hidden content discovery
robots.txt / sitemap.xml
Tech fingerprinting
Client-side review
DOM sinks
Unsafe eval()
Prototype pollution vectors
Authentication
Authentication bypass
Logic flaw bypass
Header manipulation
JWT tampering
Parameter pollution bypass
Account takeover (ATO)
Password reset abuse
Token reuse
Race condition
OAuth misbinding
User enumeration
Timing attack
Error message difference
Bruteforce bypass
Rate-limit bypass
IP rotation
Captcha bypass
Weak password policy
MFA bypass
OTP reuse
Backup code abuse
Password reset flaws
Token prediction
Token reuse
Host header poisoning
Default credentials
Session Management
Session fixation
Session timeout bypass
Token not regenerated
Missing HttpOnly/Secure flags
CSRF
No CSRF token
Token reuse
JSON CSRF
Clickjacking (sensitive)
Clickjacking (non-sensitive)
Authorization
Privilege escalation to admin
Horizontal access (IDOR)
Sequential IDOR
UUID brute force
GraphQL IDOR
Missing authorization check
Cross-tenant data exposure
Broken Object Level Authorization (BOLA)
Injection
Remote Code Execution (RCE)
Command injection
Deserialization
Template injection
File upload RCE
SQL Injection
Error-based
Union-based
Boolean-based
Time-based
OOB
Second-order
NoSQL Injection
$ne operator
Regex injection
Command Injection
Blind
OOB DNS exfiltration
XXE
Blind XXE
File read
SSRF via XXE
SSTI
Jinja2
Twig
Freemarker
Velocity
LDAP Injection
Reflected XSS
HTML context
Attribute context
JS context
Stored XSS
Admin panel
Public profile
Rich text editor
DOM XSS
location.hash
postMessage abuse
LFI
Path traversal
Log poisoning
RFI
API Security
Broken Function Level Authorization
Mass assignment
Excessive data exposure
Improper rate limiting
OAuth / JWT
OAuth redirect URI bypass
OAuth state parameter bypass
JWT alg=none attack
JWT weak secret brute force
JWT kid injection
Token replay attack
SSRF
Basic SSRF
SSRF to metadata service
Blind SSRF
Cache & Host Header
Cache poisoning
Cache deception
Host header injection
Password reset poisoning
File Handling
Unrestricted file upload
Web shell upload
Double extension bypass
File type bypass
SVG XSS
Polyglot file upload
EXIF data leakage
Business Logic
Workflow bypass
Payment abuse
Negative value manipulation
Currency tampering
Coupon abuse
Race condition
Cryptography
Weak encryption
Hardcoded secrets
Weak hashing algorithm
Improper randomness
Advanced Web Attacks
Open Redirect
OAuth redirect chaining
DOM-based redirect
URL parameter manipulation
HTTP Request Smuggling
CL.TE desync
TE.CL desync
TE.TE desync
HTTP Response Splitting
CORS Misconfiguration
Wildcard origin with credentials
Null origin abuse
Improper origin reflection
Subdomain Takeover
Dangling DNS record
S3 bucket takeover
Azure service takeover
GraphQL Security Issues
Introspection enabled in production
Batch query abuse
Excessive nested queries (DoS)
WebSocket Security
Authentication bypass
Message tampering
Origin validation missing
DOM Clobbering
Advanced Logic & Modern Attacks
Prototype Pollution
Server-Side Template Injection (Blind)
CSP Bypass
Service Worker abuse
Race condition (TOCTOU)
Web Cache Deception
HTTP Parameter Pollution (HPP)
Unicode normalization bypass
Business logic chain exploitation
Cloud & Infrastructure
Open S3 bucket
Exposed .git directory
Backup file exposure (.bak/.old)
Exposed admin panel
Cloud metadata exposure
Exposed Kubernetes dashboard
IAM misconfiguration
Terraform secret leakage
Email & DNS Security
SPF misconfiguration
DMARC misconfiguration
DKIM missing
Supply Chain Security
Dependency confusion
NPM package hijacking
Outdated JS library with known CVE
Misconfiguration
Missing security headers
Verbose error messages
Directory listing enabled
Outdated software version
Mixed content
Vulnerability Rating & Scoring
Bugcrowd VRT – Bugcrowd Vulnerability Rating Taxonomy

CVSS v3 Calculator – Calculate a CVSS score

Use VRT for bug bounty severity mapping and CVSS for enterprise reporting.
Enterprise SDLC & Security Architecture

🛠 Secure SDLC

Threat Modeling (STRIDE) – Identify spoofing, tampering, repudiation and information disclosure risks early.

Secure Coding Guidelines – Developers follow language-specific secure standards.

Code Review Enforcement – Mandatory peer review before merge.

SAST Integration – Static analysis in CI to catch vulnerabilities pre-deployment.

DAST Integration – Runtime scanning of staging environments.

Secrets Scanning – Detect exposed API keys & credentials in repos.

Dependency Scanning (SCA) – Monitor third-party library CVEs continuously.

CI/CD Security Gates – Block builds if critical issues are found.

🌐 Web / API / Mobile Practices

Input Validation Policy – Centralized validation & sanitization rules.

Centralized Authentication – Unified identity provider (OIDC / SSO).

Token Expiration Enforcement – Short-lived JWT & refresh strategy.

Certificate Pinning (Mobile) – Prevent MITM attacks.

CSP Enforcement – Reduce XSS impact surface.

Rate Limiting Strategy – Prevent brute force & abuse.

Secure Error Handling – No stack traces in production.

🛡 WAF & Edge Protection

Cloudflare / AWS WAF – Managed layer 7 filtering.

Managed & Custom Rule Sets – Block OWASP & business logic attacks.

Bot Mitigation – Prevent automation abuse.

DDoS Protection – Traffic scrubbing & edge distribution.

Geo Blocking – Restrict high-risk regions.

Virtual Patching – Temporary mitigation before code fix.

🌍 Network & Infrastructure

VPN Access Control – Restrict internal services exposure.

Zero Trust Architecture – Verify every access request.

Firewall Segmentation – Isolate production from internal networks.

IDS/IPS Monitoring – Detect intrusion attempts.

SIEM Logging – Centralized log correlation & alerting.

🏢 Active Directory Security

Least Privilege Model – Role-based access only.

GPO Hardening – Enforce secure domain policies.

Privileged Access Management – Just-in-time admin access.

Domain Controller Hardening – Protect AD core services.

Kerberos Protection – Prevent ticket abuse & relay attacks.

Audit Logging – Track authentication & privilege use.

☁ Cloud Security

IAM Least Privilege – Fine-grained cloud roles.

Security Group Audits – Restrict open ports.

S3 Bucket Policy Review – Prevent public exposure.

CloudTrail Logging – Track API activity.

Secrets Manager Usage – Store credentials securely.

🚀 DevSecOps

Branch Protection – Prevent direct production pushes.

PR Security Review – Mandatory approval before merge.

Container Scanning – Detect image vulnerabilities.

Kubernetes Security – RBAC & pod security policies.

IaC Scanning – Terraform / CloudFormation misconfig detection.