- Explore the application manually and identify entry points.
- Perform automated crawling and hidden content discovery.
- Review `robots.txt`, `sitemap.xml`, backups, and temp files.
- Enumerate subdomains and related applications.
- Identify technologies, frameworks, and versions used.
- Collect server and application fingerprints.
- Inspect HTML, comments, and metadata for sensitive info.
- Identify all user roles and access levels.
- List all hostnames, ports, and third-party integrations.
- Discover and analyze API endpoints (REST, GraphQL, gRPC).
- Identify admin interfaces or exposed management panels.
- Check for old, backup, or unreferenced files.
- Verify restricted HTTP methods (e.g., `PUT` and `TRACE` disabled).
- Test for security headers (`CSP`, `HSTS`, `X-Frame-Options`, etc.).
- Validate HTTPS / TLS configuration and certificate chain.
- Confirm correct file permissions and environment variables.
- Ensure no production data in test systems (and vice versa).
- Test for exposed cloud storage or misconfigured CDN.
- Check for possible subdomain takeover or orphaned DNS entries.
- Review CI/CD pipelines for secrets or hardcoded credentials.
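The configuration items above (restricted methods, security headers, version banners) are usually checked by hand in a proxy; the following script, added here as an example and not part of the original checklist, turns those checks into a repeatable offline audit of one response's headers. The two header sets are constructed by hand to represent a weak and a hardened target, and `audit_response` is an assumed helper name, not a tool the checklist refers to.

```python
"""Offline audit of response hardening: version banners, allowed methods,
HSTS, CSP, framing, MIME sniffing and referrer policy.

Added example, not part of the original checklist. The header sets are
constructed; `audit_response` is an assumed name for this illustration.
"""
import re

# Constructed sample: what a poorly configured server might answer to OPTIONS /
SAMPLE_WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Allow": "GET, POST, PUT, DELETE, TRACE, OPTIONS",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
}

# Constructed sample: the same endpoint after hardening
SAMPLE_HARDENED = {
    "Allow": "GET, POST, OPTIONS",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

ONE_YEAR = 31536000


def parse_csp(csp):
    """Map each CSP directive name to its source-list string."""
    directives = {}
    for part in csp.split(";"):
        name, _, value = part.strip().partition(" ")
        if name:
            directives[name.lower()] = value.strip()
    return directives


def audit_response(headers):
    """Return a list of findings for one response's headers (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Version disclosure in banners
    for banner in ("server", "x-powered-by"):
        if banner in h and re.search(r"\d", h[banner]):
            findings.append(f"{banner} discloses a version: {h[banner]}")

    # Methods: TRACE/CONNECT have no place on an app server; PUT/DELETE need justification
    if "allow" in h:
        methods = {m.strip().upper() for m in h["allow"].split(",")}
        for m in sorted(methods & {"TRACE", "CONNECT"}):
            findings.append(f"{m} method enabled")
        for m in sorted(methods & {"PUT", "DELETE"}):
            findings.append(f"{m} method enabled: confirm it is intended and authenticated")

    # HSTS: present, at least one year, covering subdomains
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(f"HSTS max-age below one year: {hsts}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    # CSP: no wildcard default, no unsafe-inline/eval for scripts
    csp = h.get("content-security-policy")
    d = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("CSP missing")
    else:
        default = d.get("default-src", "")
        script = d.get("script-src", default)  # script-src falls back to default-src
        if "*" in default.split():
            findings.append("CSP default-src allows any origin")
        for bad in ("'unsafe-inline'", "'unsafe-eval'"):
            if bad in script:
                findings.append(f"CSP script-src permits {bad}")

    # Framing protection can come from either mechanism
    if "frame-ancestors" not in d and "x-frame-options" not in h:
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"[{label}]")
        for f in audit_response(sample) or ["no findings"]:
            print("  -", f)
```

In a real engagement the header dict comes from the `OPTIONS` and `GET` responses captured in the proxy; run the audit per endpoint, since CSP and caching headers often differ between the login page, the API and static assets.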
- Review registration and provisioning flows.
- Test for user enumeration (login, password reset, signup) via differing messages, status codes, or response times.
- Verify unique username policies and check for predictable account IDs.
- Validate de-provisioning and role removal processes.
- Confirm least-privilege principles are applied.
- Verify credentials are transmitted only over HTTPS.
- Test for default or weak passwords.
- Test for authentication bypass and forced browsing.
- Check brute-force protection and account lockout.
- Validate password policies (length, complexity, reuse).
- Test "Remember Me" token security.
- Review password reset/change flows.
- Verify CAPTCHA / rate limiting on login endpoints.
- Test MFA / 2FA enforcement.
- Ensure logout properly invalidates sessions/tokens.
- Test for session fixation and renewal upon login.
- Check autocomplete handling on credential fields (modern browsers ignore `autocomplete="off"` on password inputs, so treat it as defence in depth for one-time codes and sensitive non-password fields, not as a control).
- Verify sensitive data is not cached or stored locally.
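User enumeration is rarely a single obvious message; it is the sum of small differences between the "known user" and "unknown user" paths. The script below is an added example, not part of the original checklist, and shows the differential comparison a tester runs after collecting a few responses per username: status code, message body and median response time. All samples are constructed by hand (nothing touches the network); the "leaky" set models a server that only hashes the password when the user exists, the "fixed" set one that returns a single message and does a dummy hash for unknown users.

```python
"""Differential test for username enumeration on a login endpoint.

Added example, not from the original checklist. The response samples are
constructed; a real run collects (status, body, seconds) tuples from a few
repeated requests per username and passes them in unchanged.
"""
import statistics

# Constructed samples: three failed logins against a username that exists ...
LEAKY_KNOWN = [
    (200, "Incorrect password.", 0.412),
    (200, "Incorrect password.", 0.398),
    (200, "Incorrect password.", 0.431),
]
# ... and three against one that does not (no hash computed, so much faster).
LEAKY_UNKNOWN = [
    (200, "Invalid username or password.", 0.043),
    (200, "Invalid username or password.", 0.039),
    (200, "Invalid username or password.", 0.046),
]

# Same probes against a hardened endpoint: one status, one message, flat timing.
FIXED_KNOWN = [
    (401, "Invalid username or password.", 0.410),
    (401, "Invalid username or password.", 0.402),
    (401, "Invalid username or password.", 0.419),
]
FIXED_UNKNOWN = [
    (401, "Invalid username or password.", 0.405),
    (401, "Invalid username or password.", 0.413),
    (401, "Invalid username or password.", 0.399),
]


def enumeration_signals(known, unknown, timing_ratio=2.0):
    """Return the observable differences that let an attacker tell a valid
    username from an invalid one. An empty list means no oracle was found."""
    signals = []

    k_status = {s for s, _, _ in known}
    u_status = {s for s, _, _ in unknown}
    if k_status != u_status:
        signals.append(f"status differs: {sorted(k_status)} vs {sorted(u_status)}")

    k_bodies = {b.strip() for _, b, _ in known}
    u_bodies = {b.strip() for _, b, _ in unknown}
    if k_bodies.isdisjoint(u_bodies):
        signals.append(f"message differs: {next(iter(k_bodies))!r} vs {next(iter(u_bodies))!r}")

    # Medians resist the odd slow request; a ratio rather than an absolute
    # delta keeps the check meaningful on both fast and slow backends.
    k_t = statistics.median(t for _, _, t in known)
    u_t = statistics.median(t for _, _, t in unknown)
    slow, fast = max(k_t, u_t), min(k_t, u_t)
    if fast > 0 and slow / fast >= timing_ratio:
        signals.append(f"timing differs: {k_t:.3f}s (known) vs {u_t:.3f}s (unknown)")
    return signals


if __name__ == "__main__":
    print("leaky:", enumeration_signals(LEAKY_KNOWN, LEAKY_UNKNOWN))
    print("fixed:", enumeration_signals(FIXED_KNOWN, FIXED_UNKNOWN))
```

Run the same comparison on the password-reset and signup endpoints; the reset flow in particular tends to leak through "email sent" versus "no account" wording even when login has been fixed.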
- Test for path traversal and file access control.
- Test for insecure direct object references (IDOR).
- Check for privilege escalation (vertical and horizontal).
- Test for missing or broken access control.
- Validate access control consistency across APIs (the web UI and the API must enforce the same rules).
- Review OAuth / OIDC implementations (redirect URI validation, `state` and PKCE usage, token handling).
- Identify how sessions are handled (cookies, tokens, JWT).
- Verify cookie flags (`Secure`, `HttpOnly`, `SameSite`).
- Check session timeout and absolute expiration.
- Confirm session invalidation after logout or inactivity.
- Verify session IDs are regenerated on login and on privilege changes.
- Test session ID randomness and predictability.
- Validate HTTPS-only transmission of tokens.
- Test for CSRF and clickjacking protection.
- Review JWT signature verification, expiration, and claim integrity (including `alg=none` handling and weak HMAC secrets).
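The cookie-flag and JWT items above are covered by one added example (not part of the original checklist, standard library only): it decodes a token without trusting its signature, flags `alg=none`, missing or excessive expiry and absent issuer/audience claims, runs an offline dictionary attack against an HS256 signature, builds the unsigned token a tester submits to see whether the server still accepts it, and audits a `Set-Cookie` value for the three flags. The sample token is minted here with a deliberately weak secret so the attack succeeds; the helper names are assumed.

```python
"""JWT and session-cookie checks: decode without trusting the signature,
flag alg=none / missing expiry / long lifetimes, try weak HS256 secrets,
and audit Set-Cookie attributes.

Added example, not from the original checklist. The token is constructed
with a deliberately weak secret; helper names are assumed.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256(payload, secret):
    """Mint an HS256 token (used only to build the constructed sample)."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_unsigned(payload):
    """Build an alg=none token with an empty signature; a verifier that honours it is broken."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def inspect_jwt(token, now=None, max_lifetime=3600):
    """Decode header and claims without verification; return (header, claims, findings)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {}, {}, ["not a compact JWS: expected three segments"]
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    findings = []
    if str(header.get("alg", "")).lower() == "none" or parts[2] == "":
        findings.append("unsigned token (alg=none or empty signature)")
    if "exp" not in claims:
        findings.append("no exp claim: token never expires")
    elif claims["exp"] < now:
        findings.append("token expired")
    elif claims["exp"] - claims.get("iat", now) > max_lifetime:
        findings.append(f"lifetime exceeds {max_lifetime}s")
    for claim in ("iss", "aud"):
        if claim not in claims:
            findings.append(f"no {claim} claim")
    return header, claims, findings


def crack_hs256(token, candidates):
    """Offline dictionary attack on an HS256 signature; returns the secret or None."""
    header, body, sig = token.split(".")
    signing_input = f"{header}.{body}".encode()
    target = b64url_decode(sig)
    for secret in candidates:
        guess = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return secret
    return None


def audit_set_cookie(set_cookie):
    """Findings for one Set-Cookie header value, assuming it carries a session."""
    name, _, rest = set_cookie.partition("=")
    attrs = {}
    for attr in rest.split(";")[1:]:  # element 0 is the cookie value
        k, _, v = attr.strip().partition("=")
        attrs[k.lower()] = v
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: Secure flag missing")
    if "httponly" not in attrs:
        findings.append(f"{name}: HttpOnly flag missing")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict")
    return findings


# Constructed sample: an app signing with the secret "secret" and a 1h lifetime.
WEAK_SECRET = "secret"
CLAIMS = {"sub": "1001", "role": "user", "iat": 1700000000, "exp": 1700003600}
SAMPLE_TOKEN = make_hs256(CLAIMS, WEAK_SECRET)
WORDLIST = ["password", "123456", "changeme", "secret", "jwtsecret"]

if __name__ == "__main__":
    print(inspect_jwt(SAMPLE_TOKEN, now=1700000100)[2])
    print("secret:", crack_hs256(SAMPLE_TOKEN, WORDLIST))
    print(inspect_jwt(forge_unsigned({**CLAIMS, "role": "admin"}), now=1700000100)[2])
    print(audit_set_cookie("session=abc123; Path=/; HttpOnly"))
```

`crack_hs256` with a real wordlist is the same attack tools such as hashcat run far faster; if it succeeds, the tester can mint tokens for any subject and role. `forge_unsigned` produces the token to submit against the application; the finding is only confirmed if the server accepts it.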
- Test for Reflected, Stored, and DOM-based XSS.
- Test for SQL, NoSQL, and ORM injection.
- Test for XML / XXE and XPath injection.
- Test for command, code, and template injection (SSTI).
- Test for SSRF and HTTP request smuggling.
- Test for HTTP header and Host header injection.
- Test for open redirects.
- Test for LFI / RFI (file inclusion).
- Test for Expression Language injection and mass assignment.
- Compare client-side vs. server-side validation rules.
- Test for verbose error messages and stack traces.
- Validate that no sensitive data is leaked in errors or logs.
- Confirm security events are logged and monitored.
- Verify alerting for critical events (auth failures, privilege changes).
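SQL injection and verbose error handling are best understood side by side. The example below is added here and is not part of the original checklist: a string-built query (the deliberately vulnerable "before") next to its parameterized replacement, exercised with the three payloads a tester sends first: a lone quote (error-based detection, which is exactly what a verbose error page hands over), a tautology, and a UNION that reads the schema out of `sqlite_master`. The in-memory SQLite table and its rows are constructed for the demonstration.

```python
"""SQL injection: a string-built query beside its parameterized replacement,
with the error-based and UNION-based probes a tester would send.

Added example, not from the original checklist. The in-memory SQLite data
is constructed; `find_user_vulnerable` is the deliberately broken 'before'
and `find_user_safe` the fix.
"""
import sqlite3


def make_db():
    """Constructed sample data: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, username):
    # Deliberately vulnerable: attacker-controlled text becomes SQL syntax.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Fixed: the driver passes the value separately, so it can never become syntax.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def probe(finder, conn, username):
    """Run one payload and return ('ok', rows) or ('error', message).
    The message is what a verbose error page would leak to the tester."""
    try:
        return "ok", finder(conn, username)
    except sqlite3.OperationalError as e:
        return "error", str(e)


# Payloads: a lone quote (error-based detection), a tautology (filter bypass)
# and a UNION that pulls the table definitions out of sqlite_master.
PAYLOADS = {
    "quote": "'",
    "tautology": "' OR '1'='1",
    "union": "' UNION SELECT name, sql FROM sqlite_master--",
}

if __name__ == "__main__":
    conn = make_db()
    for label, p in PAYLOADS.items():
        print(f"{label:10} vulnerable:", probe(find_user_vulnerable, conn, p))
        print(f"{label:10} safe:      ", probe(find_user_safe, conn, p))
```

The same three probes transfer to other databases with small syntax changes (`information_schema.tables` in place of `sqlite_master`, `#` or `/* */` comments where `--` is not honoured); the detection logic is what matters, and a generic error page with the stack trace suppressed removes the error-based channel without removing the injection itself.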
- Verify encryption of sensitive data (in transit and at rest).
- Test for weak or deprecated algorithms (MD5, SHA-1, RC4).
- Check that password storage uses a salted, slow key-derivation function (Argon2, bcrypt, PBKDF2).
- Validate secure random number generation (a CSPRNG for tokens, session IDs, and reset codes).
- Detect hardcoded keys or secrets.
- Validate certificate chain and expiry.
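The password-storage and randomness items above are illustrated by one added example that is not part of the original checklist: an unsalted fast hash beside a salted, iterated derivation with constant-time verification, a predictable PRNG token beside a CSPRNG one, and a `needs_rehash` check for migrating legacy records at next login. It uses only the standard library, so PBKDF2-HMAC-SHA256 stands in for Argon2id or bcrypt, which need a third-party package and would be the first choice in production. The iteration count is taken from the OWASP Password Storage Cheat Sheet at the time of writing and is an assumption to re-check against current guidance.

```python
"""Password storage and token generation: an unsalted fast hash beside a
salted, iterated derivation with constant-time comparison, and a predictable
PRNG token beside a CSPRNG one.

Added example, not from the original checklist; standard library only.
Argon2id or bcrypt are preferred in production; PBKDF2 stands in here.
"""
import hashlib
import hmac
import os
import random
import secrets

# Assumption: OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
# at the time of writing; re-check current guidance before adopting.
PBKDF2_ITERATIONS = 600_000


def hash_password_weak(password):
    # Deliberately weak 'before': unsalted MD5 is identical for identical
    # passwords and cheap enough to brute-force at billions of guesses per second.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = os.urandom(16)  # per-record salt from the OS CSPRNG
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored, min_iterations=PBKDF2_ITERATIONS):
    """True for legacy records (old algorithm or too few iterations); rehash at next login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < min_iterations


def weak_token():
    # Deliberately weak: Mersenne Twister state is recoverable from 624 outputs,
    # after which every further token is predictable.
    return "%08x" % random.getrandbits(32)


def strong_token(nbytes=32):
    # secrets draws from the OS CSPRNG; 32 bytes gives 256 bits of entropy.
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
    print("legacy needs rehash:", needs_rehash(hash_password_weak("hunter2")))
    print("weak token:", weak_token(), "strong token:", strong_token())
```

When reviewing a codebase, grep for `random.` next to anything named token, nonce, code or session, and for `md5`/`sha1` near anything named password; both patterns are reliable indicators for the items above.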
- Test for logic bypasses and workflow manipulation.
- Test for race conditions and timing attacks.
- Validate business rule enforcement (limits, quotas).
- Test for missing non-repudiation controls.
- Verify separation of duties and privilege boundaries.
- Test for unsafe file uploads (type, size, path, scanning).
- Test for malicious file execution after upload.
- Test for DOM-based XSS and client-side injection.
- Test for HTML and CSS injection.
- Check CORS configuration (origin reflection, weak allowlist matching, credentials allowed for broad origins).
- Test for clickjacking via frames/iframes.
- Verify Web Messaging (`postMessage`) origins and targets.
- Test WebSockets for authentication and origin checks.
- Check browser storage (LocalStorage, IndexedDB) for secrets.
- Test for reverse tabnabbing and open redirects.
- Verify PWA / Service Worker caching security.
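CORS misconfiguration is the client-side item most often reported as "theoretical" when it is not; the example below, added here and not part of the original checklist, shows the two broken validation patterns a tester hunts for (reflecting the `Origin` header, and an unanchored suffix match) beside an exact allowlist, and a probe that lists which origins each policy would grant credentialed cross-site reads to. The allowlist and the probe origins are constructed for the illustration.

```python
"""CORS origin validation: two common broken patterns beside the fix, and a
probe that reports which origins each policy grants credentialed access.

Added example, not from the original checklist. The allowlist and the
attacker origins are constructed for the illustration.
"""
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_reflect(origin):
    # Broken pattern 1: echo whatever Origin arrives, with credentials.
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_suffix(origin):
    # Broken pattern 2: unanchored suffix check. It matches attackerexample.com
    # and an http:// copy of a legitimate host, both attacker-controllable.
    if origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_allowlist(origin):
    # Fix: exact match on scheme + host (+ port); Vary keeps cached answers apart.
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


# Constructed probe set: the origins a tester sends in the Origin header.
PROBE_ORIGINS = [
    "https://app.example.com",           # legitimate
    "https://attacker.example",          # unrelated site
    "https://attackerexample.com",       # suffix collision
    "https://example.com.attacker.net",  # prefix collision (defeats startswith checks)
    "http://app.example.com",            # scheme downgrade of a legitimate host
    "null",                              # sandboxed iframe or file:// page
]


def grants_credentialed_access(policy, origin):
    """True when a browser at `origin` could read authenticated responses."""
    h = policy(origin)
    # Browsers reject '*' combined with credentials, so only an exact echo counts.
    return (h.get("Access-Control-Allow-Origin") == origin
            and h.get("Access-Control-Allow-Credentials") == "true")


def probe(policy):
    """Origins from the probe set that the policy would let read cross-site."""
    return [o for o in PROBE_ORIGINS if grants_credentialed_access(policy, o)]


if __name__ == "__main__":
    for name, policy in (("reflect", cors_reflect), ("suffix", cors_suffix),
                         ("allowlist", cors_allowlist)):
        print(f"{name:10}", probe(policy))
```

Against a live target, send each probe origin in the `Origin` header of a request that returns user-specific data and compare the `Access-Control-Allow-Origin` / `Allow-Credentials` pair in the reply; an exact echo plus `true` for any origin outside the intended set is the finding.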
- Enumerate API endpoints and parameters.
- Test for Broken Object Level Authorization (BOLA).
- Check for excessive data exposure in responses.
- Test input validation and rate limiting.
- Test for mass assignment and schema injection.
- Validate authentication and authorization consistency.
- Test outdated API versions and unprotected endpoints.
- Test GraphQL queries and mutations for injection, over-fetching, and introspection exposure.
- Test for resource exhaustion (CPU, memory, I/O).
- Verify rate limiting and throttling mechanisms.
- Test for regex (ReDoS) or SQL wildcard DoS.
- Test oversized payload and file upload handling.
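Two of the GraphQL and DoS items above (over-fetching through deep nesting, and rate-limit bypass by batching many operations into one request with aliases) can be checked and enforced with the same small analyser. The code below is an added example, not part of the original checklist: a tokenizer that measures selection-set depth and alias count, and a gate that rejects queries over configurable limits. The queries are constructed and the limits are illustrative numbers, not a recommendation.

```python
"""GraphQL abuse limits: measure selection-set depth and alias count, then
reject queries over the limits. Deep nesting exhausts resolvers; aliases
batch hundreds of operations into one request and slip past per-request
rate limits (twenty login attempts in a single POST, for instance).

Added example, not from the original checklist. Queries are constructed;
the limits are illustrative.
"""
import re

# Tokens we care about: string literals, braces/parens/colon, names, anything else.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[{}():]|[A-Za-z_][A-Za-z0-9_]*|\S')


def analyse_query(query):
    """Return {'depth': max selection-set nesting, 'aliases': alias count}."""
    depth = max_depth = paren = aliases = 0
    tokens = TOKEN.findall(query)
    for i, tok in enumerate(tokens):
        if tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif paren:
            continue  # braces and colons inside arguments are input objects, not fields
        elif tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif tok == ":" and i and re.match(r"[A-Za-z_]", tokens[i - 1]):
            aliases += 1  # `name:` outside parentheses is a field alias
    return {"depth": max_depth, "aliases": aliases}


def enforce_limits(query, max_depth=6, max_aliases=10):
    """List of reasons to reject the query; empty means it may run."""
    stats = analyse_query(query)
    problems = []
    if stats["depth"] > max_depth:
        problems.append(f"depth {stats['depth']} exceeds {max_depth}")
    if stats["aliases"] > max_aliases:
        problems.append(f"{stats['aliases']} aliases exceed {max_aliases}")
    return problems


# Constructed queries: one normal, one nested nine levels, one alias batch.
NORMAL_QUERY = 'query ($id: ID!) { user(id: $id) { name posts(first: 5) { title } } }'
DEEP_QUERY = ("{ user { friends { friends { friends { friends { friends { friends "
              "{ friends { id } } } } } } } } }")
ALIAS_QUERY = "mutation { " + " ".join(
    f'a{i}: login(username: "admin", password: "guess{i}") {{ token }}'
    for i in range(20)) + " }"

if __name__ == "__main__":
    for name, q in (("normal", NORMAL_QUERY), ("deep", DEEP_QUERY), ("aliases", ALIAS_QUERY)):
        print(f"{name:8}", analyse_query(q), enforce_limits(q) or "accepted")
```

On the offensive side the same two constructed queries are the probes: if the deep query returns in seconds rather than being rejected, and the alias batch returns twenty independent login results without tripping the limiter, both items are findings. Production servers should use the query-cost or depth-limiting support of their GraphQL framework; this analyser only shows the shape of the check.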
- Document all findings with WSTG IDs, risk level, and PoC.
- Map findings to OWASP Top 10 categories.
- Provide clear remediation steps and references.
- Store test results securely and restrict access.