Web Application Security Testing Guide
A practical, consultant-oriented checklist for testing modern web applications, grounded in the OWASP Top 10. Use it to scope engagements, structure your testing, and produce reports engineers can act on.
What web application security testing actually is
Web application security testing is the disciplined process of confirming that a web application enforces its intended trust boundaries under attack. It combines threat modeling, automated scanning, and manual testing against a stable target, with written authorization from the owner. Done well, it produces evidence — not opinions — that engineering can prioritize and fix.
The rest of this guide walks the six phases every engagement moves through, then drops into a category-by-category checklist mapped to the OWASP Top 10. It's the same structure RASS AppSec's Framework Packs use when running scans on your behalf.
The six phases of an engagement
Capture the target URLs, in-scope subdomains, out-of-scope paths, testing window, and written authorization from the asset owner. No packet leaves the tester until this is signed.
Enumerate subdomains, third-party integrations, JavaScript bundles, exposed API routes, and framework fingerprints. Build the attack surface map you'll drive testing from.
Run authenticated and unauthenticated scans, dependency scans, and secret scans. Use them to find volume; do not ship raw scanner output as findings.
Work the checklist below. Each category has concrete steps a consultant can execute without guessing what 'test for XSS' means.
Capture request/response pairs, screenshots, and reproduction steps for every finding. Map to CWE and OWASP category so the client's engineers can prioritize.
After remediation, replay the exact reproduction steps. A finding is not closed until the tester who found it re-verifies the fix.
OWASP Top 10 testing checklist
Every category below is a section of the checklist a consultant works through against a live target. The steps are what to actually do, not what the category means in the abstract.
Broken access control
- Enumerate every authenticated route, API endpoint, and object identifier surfaced to the browser.
- For each object, replay the request as a lower-privileged user and as an unauthenticated caller.
- Test horizontal escalation by swapping identifiers between two tenant accounts you control.
- Verify server-side enforcement — hidden UI is not access control.
Cryptographic failures
- Confirm TLS 1.2+ only, HSTS with a meaningful max-age, and no mixed content on any indexed page.
- Inspect cookies for Secure, HttpOnly, and SameSite attributes on session and auth tokens.
- Check that tokens, PII, and financial data are never logged, cached, or embedded in URLs.
- Validate password hashing (Argon2id / bcrypt with a modern work factor) and key rotation policy.
Injection
- Fuzz every input reflected into SQL, NoSQL, LDAP, OS commands, or template engines.
- Test time-based and boolean blind payloads on parameters that never appear in the response body.
- Confirm parameterized queries and ORM usage; grep the codebase for raw string concatenation.
- Escape or template-engine-encode any user data rendered into HTML, JS, or CSS contexts.
Insecure design
- Diagram trust boundaries and abuse cases before touching the running app.
- Identify features that assume good faith (rate-limit bypass, invite tokens, referral abuse, coupon reuse).
- Verify server-side business-rule enforcement (max spend, quotas, workflow state transitions).
- Flag missing controls in the report even when no exploitable finding was produced.
Security misconfiguration
- Check security headers: CSP, X-Frame-Options / frame-ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
- Look for exposed .env, .git, .DS_Store, backup files, admin panels, and default credentials.
- Confirm verbose errors, stack traces, and framework debug pages are disabled in production.
- Review CORS: explicit origins only, no wildcard with credentials.
Vulnerable & outdated components
- Run SCA against the lockfile; flag any dependency with a known critical or high CVE.
- Confirm the runtime (Node, Python, PHP) is on a supported major version.
- Check client-side libraries — outdated jQuery, moment.js, or legacy React are common findings.
- Track transitive dependencies, not just direct ones.
Identification & authentication failures
- Test username enumeration on login, registration, and password reset.
- Verify account lockout, MFA enforcement, and session rotation on privilege change.
- Confirm password reset tokens are single-use, short-lived, and cryptographically random.
- Attempt session fixation and check that logout invalidates the server session, not just the cookie.
Software & data integrity failures
- Verify CI/CD signs releases and pins dependency versions with integrity hashes.
- Check that update mechanisms and auto-updaters validate signatures.
- Look for insecure deserialization on cookies, tokens, and message queues.
- Confirm third-party scripts load with SRI where feasible.
Security logging & monitoring failures
- Confirm auth events, privilege changes, and admin actions are logged with actor, target, and timestamp.
- Verify logs are shipped off-host and tamper-evident.
- Test that failed logins, 4xx bursts, and impossible-travel patterns produce alerts.
- Check that PII and secrets are never written to logs.
Server-side request forgery (SSRF)
- Identify features that fetch user-supplied URLs (webhooks, image proxies, PDF renderers, OAuth callbacks).
- Test payloads against 169.254.169.254, localhost, and RFC1918 ranges.
- Verify a strict allowlist of destinations, DNS rebinding protection, and no credentials on outbound requests.
- Block redirects that cross scheme or move from a public to a private target.
Run this checklist on your projects
RASS AppSec Platform automates the scan-execution and evidence-collection phases and drafts client-ready reports with Hermes AI — all grounded in real scanner output, never invented findings.