Web Application Penetration Testing Checklist

Use this Web Application Pen Testing Checklist to find vulnerabilities in authentication, APIs, input handling, and business logic. Test your app against real-world attack scenarios, save this test record for compliance and audit-readiness.

Download as free PDF

Library
IT & Data Center
Web Application Penetration Testing Checklist

Reconnaissance & Attack Surface Mapping

Authentication & Session Attacks

Authorization & Access Control Bypass

Injection, Input Handling & File Attacks

Business Logic & Workflow Abuse

Infrastructure, API & Exploitation Chaining

Is this sample what you are looking for?
Sign up to use & customise this template, or create your own custom checklist:

Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.

Easy inspection app for your digital checklists

Conduct inspections anytime, anywhere - even offline
Capture photos as proof of compliance or areas needing attention
Instantly generate and share detailed reports after the inspections
Assign & track follow-up tasks, view historical trends on a centralized dashboard

Web Application Penetration Testing Checklist

Use this Web Application Pen Testing Checklist to find vulnerabilities in authentication, APIs, input handling, and business logic. Test your app against real-world attack scenarios, save this test record for compliance and audit-readiness.

1. Can the application’s domains, subdomains, APIs, and admin panels be fully enumerated?

2. Can the technology stack and frameworks be identified from the outside?

3. Can hidden or undocumented endpoints be discovered?

4. Can development, staging, or internal environments be accessed?

5. Can sensitive files or configuration endpoints be found?

6. Can the application’s main business workflows be mapped from the outside?

1. Can authentication be bypassed under any circumstances?

2. Can multi-factor authentication be bypassed or abused?

3. Can weak or default credentials be used to log in?

4. Can the password reset or account recovery flow be abused?

5. Can user sessions be hijacked, fixed, or reused?

6. Do sessions remain valid after logout or password change?

1. Can a normal user access another user’s data by modifying IDs or parameters?

2. Can a normal user access admin or internal functionality?

3. Can privileges be escalated by manipulating requests or roles?

4. Are backend APIs enforcing authorization independently of the UI?

5. Can object-level permissions be bypassed through direct API calls?

6. Can internal or hidden features be accessed without proper rights?

1. Can SQL injection, NoSQL injection, or command injection be triggered?

2. Can reflected, stored, or DOM-based XSS be triggered?

3. Can file upload restrictions be bypassed to upload dangerous files?

4. Can path traversal be used to access unauthorized files?

5. Can CSRF protections be bypassed or are they missing?

6. Can template injection or deserialization attacks be triggered?

1. Can application workflows be abused to skip required steps?

2. Can business rules be bypassed to gain free credits, refunds, or approvals?

3. Can race conditions be exploited to duplicate or manipulate transactions?

4. Can pricing, quantities, or approval states be manipulated in requests?

5. Can limits or quotas be bypassed through request manipulation?

6. Can the same operation be abused repeatedly for unintended gain?

1. Can API endpoints be abused through mass assignment or object injection?

2. Can API rate limits be bypassed or abused?

3. Can secrets, tokens, or credentials be found in client-side code or responses?

4. Can misconfigured infrastructure or cloud services be accessed?

5. Can multiple low-severity issues be chained into a full account takeover or data breach?

6. Can attacks be performed without triggering meaningful alerts or logs?