Use this OWASP Top 10 checklist to prepare for a web application penetration test, brief your development team, or self-assess before engaging Forenzy. Each item maps to what our testers validate during an OWASP-aligned WAPT engagement.
- A01: Broken Access Control — Test horizontal/vertical privilege escalation, IDOR on object references, forced browsing to admin routes, and missing function-level authorization on APIs.
- A02: Cryptographic Failures — Verify TLS configuration, encryption at rest for sensitive data, secure key storage, and no secrets or PII in logs or error messages.
- A03: Injection — Cover SQL, NoSQL, OS command, LDAP, and server-side template injection across every input vector: forms, headers, file uploads, and API parameters.
- A04: Insecure Design — Review threat models, trust boundaries, rate limits, and business-logic flows that assume good intent (coupons, refunds, account recovery).
- A05: Security Misconfiguration — Remove default credentials, disable verbose errors in production, lock down cloud storage buckets, and harden server and framework defaults.
- A06: Vulnerable & Outdated Components — Maintain a software bill of materials (SBOM), patch known CVEs, and remove unused libraries from production builds.
- A07: Identification & Authentication Failures — Enforce strong password policy, secure session handling, MFA where required, and protection against credential stuffing and session fixation.
- A08: Software & Data Integrity Failures — Sign release artifacts, protect CI/CD pipelines, validate update mechanisms, and prevent unsigned plugin or package installation.
- A09: Security Logging & Monitoring Failures — Ensure auth failures, access-control violations, and input validation errors are logged, retained, and alerted on.
- A10: Server-Side Request Forgery (SSRF) — Block outbound requests to internal IPs, metadata endpoints, and cloud credential services from user-controlled URLs.
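As an added illustration of the A10 item (example code, not Forenzy's tooling), a defender-side check in Python that refuses user-supplied outbound URLs resolving to private, loopback, link-local or cloud metadata addresses. The `resolver` hook and the hostnames used for offline testing are assumptions.

```python
"""Defensive SSRF check for user-supplied URLs (OWASP A10).

Resolves the target host and rejects any address in a private, loopback,
link-local or otherwise non-public range, including cloud metadata
endpoints such as 169.254.169.254.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Ranges the application must never reach from a user-controlled URL.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def default_resolver(host):
    """Return every address (A and AAAA) the host resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_ip(ip):
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the v4 ranges apply.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return not addr.is_global or any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolver=default_resolver):
    """Return (allowed, reason). The caller should connect to the checked
    IP rather than re-resolving the hostname, to defeat DNS rebinding.
    `resolver` is an injectable hook (assumption) so tests run offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname  # brackets around IPv6 literals are stripped
    if not host:
        return False, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP address
    except ValueError:
        try:
            addrs = resolver(host)  # hostname: check every record it has
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    for ip in addrs:
        if is_blocked_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```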
Need a formal assessment? Book OWASP-aligned website penetration testing with Forenzy — manual testing, proof-of-concept exploits, and free retest included.