Security Testing Checklist

120+ manual security checks performed during every assessment

Reconnaissance & Info Gathering

Passive Reconnaissance

  • WHOIS lookup and domain information
  • DNS record enumeration (A, AAAA, MX, TXT, NS)
  • Reverse DNS lookup
  • Certificate transparency log analysis
  • Search engine dorking (Google, Bing, Shodan)
  • GitHub/GitLab public repository analysis
  • Pastebin and code dump searches
  • Social media footprinting
  • Wayback Machine historical analysis
  • Public breach database checks

Active Reconnaissance

  • Subdomain enumeration (brute force & permutation)
  • Port scanning (TCP/UDP)
  • Service version detection
  • Operating system fingerprinting
  • SSL/TLS certificate analysis
  • Technology stack identification
  • Web server identification
  • Framework and CMS detection
  • JavaScript library enumeration
  • Third-party service identification

Web Application Security

Authentication & Session Management

  • Username enumeration testing
  • Weak password policy analysis
  • Brute force protection testing
  • Multi-factor authentication bypass attempts
  • Password reset flow security
  • Session token randomness analysis
  • Session fixation testing
  • Session timeout validation
  • Logout functionality verification
  • Concurrent session handling
  • Cookie security flags (HttpOnly, Secure, SameSite)
  • OAuth/SAML implementation testing

Authorization & Access Control

  • Horizontal privilege escalation
  • Vertical privilege escalation
  • IDOR (Insecure Direct Object Reference)
  • Path traversal vulnerabilities
  • Forced browsing attempts
  • API endpoint authorization
  • Role-based access control bypass
  • Function-level access control
  • Missing authorization checks
  • JWT token manipulation

Input Validation

  • SQL injection (all contexts)
  • NoSQL injection testing
  • Cross-Site Scripting (Reflected, Stored, DOM)
  • XML External Entity (XXE) injection
  • LDAP injection
  • Command injection (OS)
  • Template injection (SSTI)
  • Expression language injection
  • File upload security
  • File inclusion (LFI/RFI)
  • CRLF injection
  • Header injection

Business Logic

  • Workflow bypass testing
  • Race condition exploitation
  • Price/quantity manipulation
  • Coupon/discount abuse
  • Referral system abuse
  • Account takeover scenarios
  • Multi-step process manipulation
  • State transition flaws
  • Time-of-check to time-of-use (TOCTOU)
  • Business constraint bypass

API Security Testing

REST API Testing

  • Endpoint discovery and enumeration
  • HTTP method tampering
  • Parameter pollution
  • Mass assignment vulnerabilities
  • Excessive data exposure
  • Rate limiting bypass
  • API versioning security
  • CORS misconfiguration
  • API key exposure
  • JWT security testing

GraphQL Testing

  • Introspection query testing
  • Query depth/complexity limits
  • Batching attack testing
  • Field suggestion enumeration
  • Mutation authorization
  • Subscription security
  • Alias-based attacks
  • Directive abuse

Client-Side Security

Browser Security

  • Cross-Site Request Forgery (CSRF)
  • Clickjacking protection
  • Content Security Policy analysis
  • HTTPS enforcement
  • Secure cookie configuration
  • Subresource Integrity (SRI)
  • Open redirect vulnerabilities
  • postMessage security
  • WebSocket security
  • LocalStorage/SessionStorage secrets

JavaScript Security

  • Prototype pollution
  • DOM clobbering
  • Client-side validation bypass
  • Sensitive data in JavaScript
  • Source map exposure
  • Debug code in production
  • Third-party library vulnerabilities

Mobile Application Security

Static Analysis

  • Hardcoded credentials/secrets
  • Insecure data storage
  • Weak cryptography usage
  • Code obfuscation analysis
  • Permission over-requesting
  • Backup flag configuration
  • Debug mode detection
  • Certificate pinning implementation

Dynamic Analysis

  • Network traffic interception
  • API endpoint abuse
  • SSL/TLS pinning bypass
  • Root/Jailbreak detection bypass
  • Screen caching analysis
  • Clipboard data exposure
  • Deep link exploitation
  • Runtime manipulation (Frida)

Cloud & Infrastructure

Server Configuration

  • Default credentials testing
  • Unnecessary services detection
  • Security headers analysis
  • SSL/TLS configuration
  • Information disclosure in errors
  • Directory listing exposure
  • Backup file discovery
  • Admin interface exposure

Cloud Misconfigurations

  • S3 bucket public access
  • Overly permissive IAM roles
  • Security group misconfigurations
  • Unencrypted data storage
  • Logging and monitoring gaps
  • Exposed management interfaces
  • Secrets in environment variables
  • Container security issues

Advanced Attack Vectors

Server-Side Attacks

  • Server-Side Request Forgery (SSRF)
  • XML bomb (Billion Laughs)
  • Deserialization vulnerabilities
  • Remote code execution
  • Server-side template injection
  • Cache poisoning
  • HTTP request smuggling
  • Host header injection

Specialized Testing

  • Web cache deception
  • HTTP parameter pollution
  • Unicode normalization abuse
  • Time-based blind attacks
  • DNS rebinding
  • WebRTC IP leakage
  • Timing attack analysis