Skip to content
Jalwan
All articles
Methodology9 min read

The Web Application Penetration Testing Checklist for 2026

A structured checklist of what a thorough web application penetration test actually covers — from mapping the attack surface to verifying the fixes.

A good penetration test isn't a random poke at your application — it's a systematic walk through the entire attack surface. This checklist mirrors the methodology I follow on real engagements, grounded in the OWASP Web Security Testing Guide. Use it to understand what thorough testing looks like, or as a baseline for your own security reviews.

1. Reconnaissance and mapping

  • Enumerate all subdomains, endpoints, and entry points
  • Identify the tech stack, frameworks, and third-party services
  • Map every user role and the functionality each can reach
  • Review client-side code for hidden endpoints and secrets
  • Fingerprint the API surface (REST, GraphQL, websockets)

2. Configuration and deployment

  • Check for missing or misconfigured security headers
  • Test TLS configuration and certificate validity
  • Look for exposed admin interfaces, debug endpoints, and default files
  • Review error handling for information leakage
  • Verify CORS policy is appropriately restrictive

3. Authentication

  • Test for username enumeration on login, registration, and reset
  • Check password policy and brute-force / rate-limiting protections
  • Probe multi-factor authentication for bypasses
  • Examine the password reset flow for token leakage and reuse
  • Test 'remember me' and account lockout logic

4. Session management

  • Verify session tokens are random, rotated on login, and invalidated on logout
  • Check cookie flags (HttpOnly, Secure, SameSite)
  • Test for session fixation and concurrent-session handling
  • Inspect JWT handling: signature verification, algorithm confusion, expiry

5. Authorization and access control

This is where the most serious findings usually live. Test it exhaustively, across every role.

  • Test for IDOR by manipulating object identifiers across accounts
  • Attempt horizontal escalation (accessing peers' data)
  • Attempt vertical escalation (gaining admin capability)
  • Verify function-level authorization on every sensitive endpoint
  • Check for forced browsing to unlinked but unprotected resources

6. Input validation and injection

  • Test for SQL and NoSQL injection across all parameters
  • Probe for OS command and template injection
  • Test reflected, stored, and DOM-based XSS
  • Check for SSRF in any feature that fetches a URL
  • Test file upload handling for type, size, and path traversal

7. Business logic

Automated tools are blind here. This is manual work that requires understanding what your application is supposed to do.

  • Test multi-step workflows for steps that can be skipped or replayed
  • Look for race conditions in payments, coupons, and provisioning
  • Attempt price, quantity, and currency manipulation
  • Test limits and quotas for enforcement on the server
  • Abuse legitimate features in unintended combinations

8. API-specific tests

  • Test object- and function-level authorization on every endpoint
  • Check for excessive data exposure in responses
  • Test rate limiting and resource-consumption controls
  • For GraphQL: test introspection, query depth, and batching abuse
  • Verify mass-assignment protections on write operations

9. Reporting and verification

  • Manually verify every finding with a working proof of concept
  • Rate severity using CVSS and real business impact
  • Document clear reproduction steps and remediation guidance
  • Deliver an executive summary alongside technical detail
  • Retest after fixes and update the report with verification status
A checklist gives you coverage. Skill and curiosity give you the findings that matter. You need both.

This checklist is a solid foundation, but a real engagement adapts it to your specific application — the roles, workflows, and edge cases that make your product unique. If you'd like a thorough, manual assessment against this methodology and beyond, get in touch.

Written by , freelance web application penetration tester.

Book a security assessment →

Ready to find your vulnerabilities before attackers do?

Book a security assessment and get a clear, prioritized picture of your application's real risk. No obligation, no automated-scan fluff.