Web Application and API Pentest Checklist

Made using The OWASP Testing guide (page 211) and the API Security Top 10 2023. You can refer to it (see resources below) for detailed explainations on how to test. Adapt it to your methodology and the context of your test. Download this file locally from here this way you can check everything you have done. If you need some practice for specific vulnerabilities to reproduce them in your context, I recommend portswigger's web security Academy here. For more explainations on specific topics, if OWASP is not enough you can also use Portswigger here

Information Gathering

Configuration and Deploy Management Testing

Identity Management Testing

Authentication Testing

Authorization Testing

Session Management Testing

Input Validation Testing

Error Handling


Business Logic Testing

Client Side Testing

Specific API vulnerabilities to look for


Last updated