Web Application Security Testing Cheat Sheet

Saltar a: navegación, buscar


This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.


This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the OWASP Testing Guide. It will be updated as the Testing Guide v4 is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

The Checklist

Information Gathering

Configuration Management

Secure Transmission


Session Management


Data Validation

Denial of Service

Business Logic


Risky Functionality - File Uploads

Risky Functionality - Card Payment

Web Service Testing


Error Handling

Other Formats

  • DradisPro template format on github
  • Asana template on Templana (thanks to Bastien Siebman)

Authors and contributors

Simon Bennetts
Rory McCune
Colin Watson
Simone Onofri
Amro AlOlaqi

All above are authors of the Testing Guide v3

Ryan Dewhurst
Frank Catucci

Related articles

Other Cheatsheets

OWASP Cheat Sheets Project Homepage

Developer Cheat Sheets (Builder)

Assessment Cheat Sheets (Breaker)

Mobile Cheat Sheets

OpSec Cheat Sheets (Defender)

Draft Cheat Sheets