
Web Application Pentesting Cheat Sheet

What to test across the web application attack surface, organised by area.

About

A methodology reference from recon and authentication through input validation, logic and APIs. It tells you what to test, not how to weaponise it.

Authorised testing only. This is a methodology reference, not a payload library. Test only systems you own or have explicit written permission to assess. Unauthorised testing is illegal.

Common tooling: Burp Suite, OWASP ZAP, nmap, ffuf or gobuster, nikto and the browser developer tools, used within an authorised scope.

Structured around the OWASP Web Security Testing Guide methodology. The checks are written in our own words.
