OWASP Top 10 Pentest Checklist 2025

A practical, step-by-step penetration testing checklist covering all OWASP Top 10 categories. Tools, payloads, and methodology for each vulnerability class.


The OWASP Top 10 is the most widely referenced standard for web application security. But reading the documentation is different from knowing how to test for each category in a real engagement. This checklist gives you the tools, techniques, and decision points for each one.

How to use this checklist

Work through each category in order. Mark items as tested, confirmed-vulnerable, or confirmed-not-vulnerable. Your final report should reference which items from each category you tested and the outcome.

For every finding, document: reproduction steps, evidence (screenshot or response dump), CVSS score, and remediation recommendation.

A01 — Broken Access Control

The #1 vulnerability since 2021. Test for:

  • IDOR (Insecure Direct Object Reference) — change id=123 to id=124, swap UUIDs, iterate numeric IDs
  • Horizontal privilege escalation — access another user's resources with your own session
  • Vertical privilege escalation — access admin endpoints with a regular user token
  • Forced browsing — directly request /admin, /dashboard, /api/users
  • CORS misconfiguration — check Access-Control-Allow-Origin: * on authenticated endpoints

Key tool: Burp Suite Intruder for parameter fuzzing. Use ffuf for endpoint discovery: ffuf -u https://target/FUZZ -w /usr/share/wordlists/dirb/big.txt
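The IDOR and privilege-escalation items above all come down to one question: does the server check, per request, that the caller may touch the object or function being requested? The following is an added example (not from the page or from any tool it mentions) of the two checks a tester expects to find behind id=123 and /api/users; the USERS and INVOICES tables are constructed sample data.

```python
from typing import Dict, Optional

# Constructed sample data for the demonstration (not from the page).
USERS = {1: {"role": "admin"}, 7: {"role": "user"}, 8: {"role": "user"}}
INVOICES = {
    123: {"owner_id": 7, "total": 42.00},
    124: {"owner_id": 8, "total": 99.50},
}


def get_invoice(requester_id: int, invoice_id: int) -> Optional[Dict]:
    """Object-level check: a record is released only to its owner or to an admin.

    'No such record' and 'not your record' both return None, so iterating
    id=123, 124, ... does not reveal which ids exist (the horizontal case).
    """
    requester = USERS.get(requester_id)
    invoice = INVOICES.get(invoice_id)
    if requester is None or invoice is None:
        return None
    if invoice["owner_id"] != requester_id and requester["role"] != "admin":
        return None
    return invoice


def list_all_users(requester_id: int) -> Optional[Dict]:
    """Function-level check for an admin-only endpoint (the /api/users forced-browsing case).

    Deny by default: an unknown or non-admin session gets nothing, regardless of
    how the URL was reached (the vertical case).
    """
    requester = USERS.get(requester_id)
    if requester is None or requester["role"] != "admin":
        return None
    return USERS
```

When testing, drive both functions with a second account and with a regular-user session and record the full allowed/denied matrix; any cell where a non-owner, non-admin gets data back is the finding.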

A02 — Cryptographic Failures

Formerly "Sensitive Data Exposure". Check for:

  • HTTP instead of HTTPS on any page that handles credentials or PII
  • Weak TLS versions (TLS 1.0, 1.1) — use testssl.sh or nmap --script ssl-enum-ciphers
  • Passwords stored as MD5/SHA1 (check if you can dump hashes and crack with hashcat)
  • Sensitive data in localStorage, sessionStorage, or URL parameters
  • JWT using alg: none or weak HS256 with guessable secret

# Test JWT alg:none
python3 jwt_tool.py <token> -X a

# Crack JWT secret
hashcat -a 0 -m 16500 <jwt> /usr/share/wordlists/rockyou.txt
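The alg:none test only succeeds against a verifier that lets the token's own header choose the algorithm. This added example (Python, written for this page; it is not code from jwt_tool or from the page) puts that vulnerable verifier next to one that pins HS256, so you can see exactly what the finding means on the server side. SECRET and the claims are constructed values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads a long random value from configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _hs256(secret: bytes, header_b64: str, payload_b64: str) -> bytes:
    return hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()


def build_token(claims: dict, alg: str, secret: bytes) -> str:
    """Encode a JWT as HS256, or in the unsigned 'none' form the checklist item refers to."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "HS256":
        signature = _hs256(secret, header, payload)
    elif alg == "none":
        signature = b""
    else:
        raise ValueError("unsupported alg")
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_trusting_header(token: str, secret: bytes) -> Optional[dict]:
    """Vulnerable pattern: the token's header decides whether a signature is required."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))  # accepted with no signature at all
    if hmac.compare_digest(_hs256(secret, header_b64, payload_b64), _b64url_decode(sig_b64)):
        return json.loads(_b64url_decode(payload_b64))
    return None


def verify_pinned_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Hardened pattern: the server fixes the algorithm; any other header value is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(_hs256(secret, header_b64, payload_b64), _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))
```

The hashcat item in the same bullet has the same root cause in reverse: a pinned HS256 verifier is only as strong as its secret, so the remediation for a cracked JWT is a secret long enough that no wordlist attack applies, plus rotation.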

A03 — Injection

SQL Injection remains one of the most impactful vulnerabilities. Test all input fields, headers, and parameters.

  • Error-based SQLi — single quote ', double quote ", comment --
  • Time-based blind SQLi — '; SLEEP(5)-- (MySQL), '; WAITFOR DELAY '0:0:5'-- (MSSQL)
  • NoSQL injection — {"$gt": ""} in JSON parameters (MongoDB)
  • LDAP injection — *)(uid=*))(|(uid=* in login fields
  • OS command injection — ; id, | whoami, `id`

Key tool: sqlmap -u "https://target/page?id=1" --dbs --batch

A04 — Insecure Design

This requires manual testing and business logic analysis:

  • Can you apply a discount coupon multiple times?
  • Can you skip steps in a multi-step flow (e.g., go from step 1 to step 3 directly)?
  • Can you reset another user's password by manipulating the token or email parameter?
  • Are rate limits present on password reset, OTP, and login endpoints?

A05 — Security Misconfiguration

  • Default credentials — try admin:admin, admin:password, vendor defaults
  • Exposed admin panels — /phpmyadmin, /wp-admin, /.env, /config.json
  • Verbose error messages revealing stack traces, DB engine, file paths
  • Directory listing enabled
  • Missing security headers: X-Frame-Options, Content-Security-Policy, Strict-Transport-Security

# Check security headers
curl -sI https://target.com | grep -iE "x-frame-options|content-security-policy|strict-transport-security|x-content-type-options"
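The grep above tells you whether a header is present; for the report you also want to know whether its value is any good. This added example (Python, written for this page and not part of it) parses raw HEAD output and returns finding codes for absent or weak headers. The two sample responses are constructed, and the one-year HSTS threshold is an assumed policy taken from common preload guidance.

```python
import re
from typing import Dict, List

# Constructed sample responses in the shape `curl -I` prints; not captured from a real host.
RAW_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
RAW_HARDENED = (
    "HTTP/2 200\r\n"
    "strict-transport-security: max-age=63072000; includeSubDomains\r\n"
    "content-security-policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "x-content-type-options: nosniff\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # assumed policy: HSTS max-age below one year is reported as weak


def parse_head_output(raw: str) -> Dict[str, str]:
    """Turn a raw HEAD response into a lower-cased header map; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return finding codes for absent or weak security headers, in a fixed order."""
    findings: List[str] = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("hsts-short-max-age")
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("csp-missing")
    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive is acceptable.
    if "x-frame-options" not in headers and (csp is None or "frame-ancestors" not in csp):
        findings.append("frame-protection-missing")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")
    return findings
```

Feed it the output of the curl command for each page that handles credentials; a page served only over HTTP never gets an HSTS header at all, which ties this item back to the first bullet under A02.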

A06 — Vulnerable and Outdated Components

  • Fingerprint framework versions from HTTP headers, HTML comments, JS filenames
  • Check identified versions against CVE databases (NVD, Exploit-DB)
  • WordPress: wpscan --url https://target --api-token YOUR_TOKEN
  • npm/pip dependencies: npm audit, pip-audit

A07 — Identification and Authentication Failures

  • No account lockout after failed logins → brute force with hydra or Burp Intruder
  • Weak password policy (accepts "password123")
  • Session token not invalidated after logout
  • Session token in URL (visible in server logs, referrer headers)
  • Predictable session tokens — check entropy

A08 — Software and Data Integrity Failures

  • Insecure deserialization — send serialized payloads to Java/PHP/Python endpoints
  • CI/CD pipeline poisoning — check if build scripts pull from unverified sources
  • Auto-update mechanisms without signature verification

Tool: ysoserial for Java deserialization gadget chains. phpggc for PHP object injection.

A09 — Security Logging and Monitoring Failures

Verify whether the application detects and alerts on attacks:

  • Perform 10 failed logins — does the account lock or alert?
  • Access a resource you have no rights to — is it logged?
  • Are logs accessible to unauthenticated users? (check /logs, /var/log)

A10 — Server-Side Request Forgery (SSRF)

Test any endpoint that fetches a URL or resource on behalf of the user:

  • http://169.254.169.254/latest/meta-data/ — AWS metadata (critical)
  • http://localhost:22, http://127.0.0.1:6379 — internal service enumeration
  • DNS rebinding and blind SSRF using interactsh / Burp Collaborator
  • Protocol smuggling: file://, dict://, gopher://

# Quick SSRF test with interactsh
curl -X POST https://target/fetch \
  -H "Content-Type: application/json" \
  -d '{"url":"https://YOUR_INTERACTSH_ID.oast.fun"}'
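Every bullet in this category is a URL the fetch endpoint should have refused. The added example below (Python, written for this page; not from the page or from interactsh) is the validation a /fetch endpoint needs: an allow-list of schemes, rejection of link-local, loopback and private addresses, and a check on resolved addresses rather than only on the hostname string. The resolver is injectable so the block runs offline; SAMPLE_DNS and the URLs in the test are constructed.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumption: the application only ever needs to fetch public web resources.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers for the demonstration; the real resolver is _system_resolver.
SAMPLE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "internal.corp.test": ["10.0.0.5"],
    "example.com": ["93.184.216.34"],
}


def sample_resolver(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])


def _system_resolver(host: str) -> List[str]:
    """Every address the host resolves to (A and AAAA); all of them must pass."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_internal(ip: IPAddr) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str,
                       resolve: Callable[[str], Iterable[str]] = _system_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly public and http(s) is refused."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{scheme}' not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        candidates: List[IPAddr] = [ipaddress.ip_address(host)]  # literal IP
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, f"cannot resolve '{host}'"
    if not candidates:
        return False, f"'{host}' resolved to no addresses"
    for ip in candidates:
        if _is_internal(ip):
            return False, f"'{host}' maps to internal address {ip}"
    return True, "ok"
```

Two caveats for the rebinding bullet: the fetcher must connect to the address it validated rather than resolving the name a second time, and a redirect from the fetched resource must be re-validated with the same function before it is followed; otherwise this check is passed once and bypassed on the next lookup.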

Putting it all together

A thorough OWASP audit takes time to configure correctly. You need to adapt each test to the specific technology stack, input surfaces, and business logic of the target. That's where a well-crafted AI prompt pays off — instead of generic advice, you get tailored guidance for your exact target.

MyAudity generates a structured OWASP + PTES prompt from your target configuration. You fill in the URL, stack, and depth level, then paste the result into Claude, ChatGPT, or any AI. It covers all 22 vectors with specific tools and payloads for your context.