Phase 1: Reconnaissance & Information Gathering 🕵️♂️
1. Identify the target domain and IP addresses 🌐
2. Enumerate subdomains 🔍
3. Check for DNS records (A, MX, CNAME, TXT) 📋
4. Perform WHOIS lookup for domain registration details 📞
5. Identify technologies used (frameworks, libraries, CMS) 🛠️
6. Check SSL/TLS certificate details 🔒
7. Map the application architecture (frontend/backend/APIs) 🏗️
8. Identify entry points (login forms, APIs, file uploads) 🚪
9. Review robots.txt and sitemap.xml files 🤖
10. Look for exposed directories/files using directory brute-forcing 📂
11. Check for open ports and services 🚪
12. Identify third-party integrations (payment gateways, analytics) 🤝
13. Analyze HTTP headers for security configurations 📑
14. Check for error messages leaking sensitive information ❌
15. Review version control files (.git, .svn) 📁
16. Identify backup files or archives (.bak, .zip) 💾
17. Check for default credentials in documentation 📚
18. Identify any hardcoded secrets in client-side code 🔑
19. Analyze cookies for sensitive data 🍪
20. Map user roles and permissions 🧑💼
—
Phase 2: OWASP Top Ten Categories and Subcategories 🛡️
1. Broken Access Control 🔓
21. Test for unauthorized access to admin pages 🚫
22. Verify role-based access controls 🧑💻
23. Check for IDOR (Insecure Direct Object References) 🆔
24. Test for privilege escalation vulnerabilities ⬆️
25. Verify proper session management 🔑
26. Check for missing authorization checks on API endpoints 📡
27. Test for bypassing CAPTCHA mechanisms 🤖
28. Verify access to restricted files or resources 📂
29. Test for improper logout functionality 🚪
30. Check for insecure redirects or forwards ➡️
2. Cryptographic Failures 🔐
31. Check for weak encryption algorithms 🛠️
32. Verify secure storage of sensitive data 🔒
33. Test for plaintext transmission of sensitive data 📡
34. Check for improper certificate validation 🔐
35. Verify HTTPS usage across all pages 🌐
36. Test for weak password hashing mechanisms 🔑
37. Check for exposure of sensitive tokens or keys 🔑
38. Verify secure random number generation 🎲
39. Test for improper handling of cryptographic exceptions ❌
40. Check for insecure use of JWTs (JSON Web Tokens) 📜
3. Injection Flaws 💉
41. Test for SQL injection vulnerabilities 🗄️
42. Check for NoSQL injection vulnerabilities 📊
43. Verify input sanitization for OS commands ⌨️
44. Test for LDAP injection vulnerabilities 📋
45. Check for XSS (Cross-Site Scripting) vulnerabilities 🌐
46. Verify protection against template injection 📝
47. Test for command injection vulnerabilities 💻
48. Check for XPath injection vulnerabilities 📊
49. Verify protection against header injection 📑
50. Test for log injection vulnerabilities 📜
4. Insecure Design 🏗️
51. Review the application’s threat model 🛡️
52. Check for lack of security controls in design 🚫
53. Verify adherence to secure coding practices 🛠️
54. Test for improper error handling mechanisms ❌
55. Check for insecure default configurations ⚙️
56. Verify proper input validation throughout the app 📋
57. Test for insufficient logging and monitoring 📊
58. Check for insecure use of third-party components 🤝
59. Verify secure integration with external systems 🌐
60. Test for inadequate data validation flows 🔄
5. Security Misconfiguration ⚙️
61. Check for unnecessary features enabled 🚫
62. Verify proper configuration of security headers 📑
63. Test for default accounts/passwords 🧑💻
64. Check for verbose error messages ❌
65. Verify proper file permissions 📂
66. Test for insecure cloud storage configurations ☁️
67. Check for outdated software versions 🔄
68. Verify secure database configurations 🗄️
69. Test for improper CORS policies 🌐
70. Check for missing security patches 🛠️
6. Vulnerable Components 🧩
71. Identify outdated libraries/frameworks 🔄
72. Check for known vulnerabilities in dependencies 🔍
73. Verify dependency updates are applied regularly 🛠️
74. Test for insecure use of open-source components 🌟
75. Check for unused or redundant components 🚫
76. Verify secure integration of third-party APIs 🌐
77. Test for insecure plugin/module usage 🧩
78. Check for unpatched vulnerabilities in components 🛡️
79. Verify secure handling of component updates 🔄
80. Test for insecure use of custom-built components 🛠️
7. Identification and Authentication Failures 🔑
81. Check for weak password policies 🧑💻
82. Verify multi-factor authentication (MFA) implementation 🔒
83. Test for account enumeration vulnerabilities 🆔
84. Check for insecure password recovery mechanisms 🔄
85. Verify session timeout and invalidation 🔑
86. Test for brute-force attack protections 🛡️
87. Check for insecure storage of credentials 🔒
88. Verify secure handling of authentication tokens 📜
89. Test for improper use of remember-me functionality 🧠
90. Check for insecure OAuth implementations 🌐
8. Software and Data Integrity Failures 🔄
91. Verify integrity of downloaded files/updates 📥
92. Check for insecure deserialization vulnerabilities 🧩
93. Test for tampering of client-side data 🔄
94. Verify secure handling of serialized objects 📦
95. Check for improper validation of external inputs 📋
96. Test for insecure use of auto-update mechanisms 🔄
97. Verify secure handling of backups 💾
98. Check for improper validation of digital signatures 📜
99. Test for insecure handling of API responses 📡
100. Verify secure deployment pipelines 🛠️
9. Security Logging and Monitoring Failures 📊
101. Check for insufficient logging of security events 📜
102. Verify proper alerting mechanisms for anomalies ⚠️
103. Test for logging of sensitive data 🔒
104. Check for centralized logging solutions 📊
105. Verify log retention policies 📅
106. Test for real-time monitoring capabilities 🕒
107. Check for correlation of logs across systems 🔄
108. Verify secure storage of logs 🔒
109. Test for detection of brute-force attacks 🛡️
110. Check for logging of failed login attempts 🔑
10. Server-Side Request Forgery (SSRF) 🌐
111. Test for SSRF vulnerabilities in APIs 📡
112. Check for improper validation of URLs 🌐
113. Verify protection against internal network access 🛡️
114. Test for SSRF via metadata endpoints ☁️
115. Check for improper handling of redirects ➡️
116. Verify secure parsing of user-supplied URLs 📑
117. Test for SSRF in image/file processing 🖼️
118. Check for SSRF in email sending functionality 📧
119. Verify secure handling of proxy configurations 🌐
120. Test for SSRF in third-party integrations 🤝
—
Phase 3: Advanced Vulnerabilities 🚀
1. Advanced Injection Techniques
121. Test for blind SQL injection vulnerabilities 🗄️
122. Check for second-order SQL injection vulnerabilities ⚡
123. Test for time-based blind SQL injection ⏳
124. Verify protection against union-based SQL injection 🛡️
125. Test for stacked queries in SQL injection 📜
126. Check for out-of-band SQL injection vulnerabilities 🌐
127. Test for advanced NoSQL injection techniques 📊
128. Verify protection against GraphQL query injection 📊
129. Test for server-side template injection (SSTI) 📝
130. Check for advanced XSS payloads (DOM-based, stored, reflected) 🌐
2. Advanced Authentication Attacks
131. Test for token replay attacks 🔑
132. Check for JWT none algorithm vulnerabilities 📜
133. Test for JWT signature verification bypass 🛡️
134. Verify protection against OAuth CSRF attacks 🌐
135. Test for session fixation vulnerabilities 🔑
136. Check for improper session regeneration after login 🔄
137. Test for insecure password reset mechanisms 🔄
138. Verify protection against credential stuffing attacks 🛡️
139. Test for insecure single sign-on (SSO) implementations 🌐
140. Check for improper handling of OAuth scopes 📑
3. Advanced Authorization Attacks
141. Test for horizontal privilege escalation ⬆️
142. Check for vertical privilege escalation 🧑💻
143. Test for bypassing access controls via API endpoints 📡
144. Verify protection against forced browsing attacks 📂
145. Test for bypassing CAPTCHA during critical workflows 🤖
146. Check for improper handling of user roles in APIs 📡
147. Test for bypassing two-factor authentication (2FA) 🔒
148. Verify protection against business logic flaws in authorization 🔄
149. Test for bypassing rate limits in sensitive operations ⏳
150. Check for improper handling of permissions in microservices 🌐
4. Advanced Business Logic Flaws
151. Test for improper price manipulation in e-commerce apps 💰
152. Check for bypassing payment steps 🛒
153. Verify secure handling of referral bonuses 🎁
154. Test for abuse of discount codes 🛍️
155. Check for improper inventory management 📦
156. Verify secure handling of workflows 🔄
157. Test for abuse of rate limits ⏳
158. Check for improper access to hidden features 🔍
159. Verify secure handling of cancellation flows 🚫
160. Test for abuse of free trials 🕒
5. Advanced Miscellaneous Vulnerabilities
161. Test for insecure WebSocket implementations 🌐
162. Check for improper handling of CORS preflight requests 📡
163. Verify protection against clickjacking attacks 🖱️
164. Test for insecure handling of HTTP headers 📑
165. Check for improper handling of JSONP callbacks 📜
166. Verify protection against host header injection attacks 🌐
167. Test for insecure use of WebAssembly (Wasm) 🛠️
168. Check for improper handling of CSP (Content Security Policy) 🛡️
169. Verify protection against XML External Entity (XXE) attacks 📊
170. Test for insecure handling of file uploads (e.g., RCE via uploads) 📂
—
Phase 4: Report Writing ✍️
171. Include an executive summary 📑
172. Provide a detailed methodology section 🛠️
173. List all identified vulnerabilities 🛡️
174. Include risk ratings for each issue ⚠️
175. Add screenshots for clarity 📷
176. Provide step-by-step reproduction steps 🔄
177. Include remediation recommendations 🛠️
178. Highlight critical findings first 🔥
179. Add references to OWASP guidelines 📚
180. Include a timeline of testing activities 📅
181. Provide a glossary of technical terms 📖
182. Include a disclaimer for limitations 🚫
183. Add contact information for follow-up 📞
184. Verify confidentiality of the report 🔒
185. Proofread for grammar and clarity ✍️
186. Format the report professionally 📄
187. Include a table of contents 📑
188. Add appendices for additional details 📋
189. Verify alignment with client requirements 🤝
190. Include a conclusion with next steps 🚀
—
Phase 5: Final Steps 🏁
191. Re-test after fixes are applied 🔄
192. Verify patch effectiveness 🛡️
193. Document lessons learned 📚
194. Update the threat model 🏗️
195. Conduct a post-mortem analysis 📊
196. Share findings with stakeholders 🤝
197. Provide training for developers 🛠️
198. Recommend periodic security audits 📅
199. Encourage a security-first mindset 🛡️
200. Celebrate successes 🎉
—
This checklist provides detailed steps for finding web application flaws in 2025. It is intended for those looking to start a career in bug bounty hunting or web application security. - Medium