
Security Testing Checklist for Web Application

I have created a security testing checklist for web applications, divided into components such as registration, password, security question and security answer, and others. For any discussion you might want to start on security testing, I recommend registering at http://bangalorehackers.com/. I also thought I would do a bit of marketing for http://softwaretestingnews.com/, which is a one-stop shop for your software testing news.


Generic

  • All web pages that carry confidential data, such as a password or the secret answer to a security question, should be submitted via HTTPS (SSL).
  • Password and security-answer fields need to be masked with input type = password.
  • Form validation must be enforced on the server side. Use “Firebug” and “TamperData” to test this (for example, tamper with the minimum password length, or submit only a new password without the old one >> remove the old-password element from the form in Firebug on the client side and then submit <<).
  • Check for SQL injection on any page in your application that accepts user-supplied information to access a database.
    • A login form, signup form or “forgot password” form is a good start.
    • A dynamic page that uses URL variables such as ID (product information pages are good for this).
  • Check for XSS by searching the application for a page that takes user input and outputs it directly to a web page. Common examples: forums, comments, wikis, reviews. Also check for CSRF.
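As an added example (not code from the original post), here is the “before” and “after” of the SQL injection and XSS checks above in Python: a query built by string concatenation beside its parameterised form, and output encoding for user-supplied text. The SQLite table and the “admin” row are constructed for the example, and the probe string is the textbook single-quote tautology used to show why the two queries behave differently.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users (username, password_hash) VALUES ('admin', 'hash-of-admin-pw')")
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': user input is spliced into the SQL text and so can change the query's meaning."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The 'after': a parameterised query. The driver passes the input as a value, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_comment(body: str) -> str:
    """Encode user-supplied text before placing it in HTML so it is displayed, not interpreted."""
    return '<p class="comment">' + html.escape(body, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(conn, probe))   # the WHERE clause is widened to every row
    print("safe:  ", find_user_safe(conn, probe))     # looked up as a literal username, no match
    print(render_comment("<script>alert(1)</script>"))
```

The safe version is what the page under test should be doing; the test for the checklist item is that the application behaves like `find_user_safe`, i.e. the probe returns nothing and the comment is rendered as text.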


Password

  • The rules for setting a password should be the same across all modules: registration form, change password and forgot password. If the rules differ, an attacker can exploit the weaker one by brute force. Example: the registration form does not enforce a minimum password length of 8 characters, but changing the password from the user profile does (or vice versa). Because the registration form accepts passwords shorter than 8 characters, brute-forcing those accounts becomes easy.
  • Enforce passwords made up of letters + numbers + special characters, to protect the account to a greater extent against brute-force attacks.
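One way to make the rule set identical across registration, change password and forgot password, and to keep the old-password check on the server as the Generic section asks, is a single policy object that every flow calls. This is an added example, not the author's code; `PasswordPolicy`, `AccountService` and the in-memory user table are constructed for it, and the PBKDF2 work factor is a value chosen for the example.

```python
import hashlib
import hmac
import os
import re

_ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


class PasswordPolicy:
    """Single source of truth for password rules; every flow calls the same validate()."""

    def __init__(self, min_length: int = 8):
        self.min_length = min_length

    def validate(self, password: str) -> list[str]:
        """Return the list of rule violations; an empty list means the password is acceptable."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not re.search(r"[A-Za-z]", password):
            problems.append("no letters")
        if not re.search(r"[0-9]", password):
            problems.append("no digits")
        if not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no special characters")
        return problems


POLICY = PasswordPolicy(min_length=8)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


class AccountService:
    """Constructed in-memory user store standing in for the application's database."""

    def __init__(self):
        self._users = {}  # username -> (salt, password hash)

    def _store(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def _check(self, username: str, password: str) -> bool:
        salt, stored = self._users[username]
        return hmac.compare_digest(stored, _hash(password, salt))

    # Flow 1: registration form
    def register(self, username: str, password: str) -> list[str]:
        problems = POLICY.validate(password)
        if not problems:
            self._store(username, password)
        return problems

    # Flow 2: change password. The old password is required and verified here, on the
    # server, so deleting the old-password field from the HTML form cannot bypass it.
    def change_password(self, username: str, old_password, new_password: str) -> list[str]:
        if old_password is None or not self._check(username, old_password):
            return ["old password missing or incorrect"]
        problems = POLICY.validate(new_password)
        if not problems:
            self._store(username, new_password)
        return problems

    # Flow 3: forgot password (called only after the reset token has been verified)
    def reset_password(self, username: str, new_password: str) -> list[str]:
        problems = POLICY.validate(new_password)
        if not problems:
            self._store(username, new_password)
        return problems

    def login(self, username: str, password: str) -> bool:
        return username in self._users and self._check(username, password)
```

Because all three flows share `POLICY`, a test that a weak password is rejected by registration is automatically a test that it is rejected by the other two; the checklist's "rules differ" finding cannot arise.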


Forgot your password

  • There needs to be a restriction on the number of forgot-password requests sent per day or per “X” hours, or a captcha, so that automated requests cannot be sent (to automate the requests you could use the “ReloadEvery” add-on on http://example.com/user/forgot-password/).
  • The URL has to expire after one use, once it has been used to set a new password.
  • The token associated with the URL should not be guessable, nor should it follow any pattern that could be easily cracked.
  • If the URL is not used within “X” hours it has to expire (example: once the URL is generated, if it is not used it has to expire after “72 hours”).
  • When a new token is generated, the old ones should expire even if they have not been used.
  • Example.com should not reset the password automatically and send it by e-mail. There has to be a URL that the end-user uses to set a new password of his / her choice.
  • While the secret answer is typed in Forgot Password it needs to be masked (the secret answer is part of authentication just like a password; shoulder surfing or browser auto-complete could compromise the end-user's account here).
  • Once the password is set, you might either take the end-user to a logged-in state or ask him / her to log in now via a hyperlink (personally, I would recommend taking the user to the login page and requesting him / her to log in with the new password).
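The token requirements above (unguessable, single use, expiry, older tokens superseded, a cap on requests) as an added Python example, not code from the original post. `PasswordResetService` and its in-memory tables are constructed for the example; the 72 hours is the post's own figure, while the limit of 3 requests per day stands in for the post's “X” and is an assumption.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 72 * 3600   # the checklist's 72-hour expiry
MAX_REQUESTS_PER_DAY = 3        # constructed rate limit for the example


@dataclass
class ResetRecord:
    token_hash: str    # only the hash is stored, so a database leak does not yield usable links
    issued_at: float
    used: bool = False


class PasswordResetService:
    """Constructed in-memory stand-in for the application's reset-token table."""

    def __init__(self):
        self._records = {}    # username -> ResetRecord (one live token per user)
        self._requests = {}   # username -> timestamps of recent requests

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str, now: float) -> Optional[str]:
        """Issue a new token (to be placed in the e-mailed URL), or None if the user is rate-limited.
        Issuing a new token replaces any earlier one, so old links stop working unused."""
        recent = [t for t in self._requests.get(username, []) if now - t < 86400]
        if len(recent) >= MAX_REQUESTS_PER_DAY:
            return None
        recent.append(now)
        self._requests[username] = recent
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: no pattern, not guessable
        self._records[username] = ResetRecord(self._hash(token), now)
        return token

    def redeem(self, username: str, token: str, now: float) -> bool:
        """Accept the token once, only if it is unexpired and still the current token for this user."""
        rec = self._records.get(username)
        if rec is None or rec.used:
            return False
        if now - rec.issued_at > TOKEN_TTL_SECONDS:
            return False
        if not secrets.compare_digest(rec.token_hash, self._hash(token)):
            return False
        rec.used = True
        return True
```

`redeem` returns True exactly once per issued token; after that the application lets the user pick a new password (it never e-mails one) and should send them to the login page, as the last item above recommends.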


Registration Form

  • There needs to be a CAPTCHA so that spam bots do not register and post illicit content in discussion forums, which is frustrating for your genuine end-users.
  • Tamper with the mandatory fields by trying to register without them; this tests server-side validation (Mozilla Firefox add-on: Tamper Data). Example: can anyone bypass acceptance of the terms and conditions and proceed with registration? This applies to all forms, and the test idea is not repeated for the other forms.


Change Password

  • Once the password is changed successfully, the user should no longer be able to log in with the old password, only with the new (changed) one.
  • Log in with the credentials in Mozilla Firefox | Log in with the same credentials in Google Chrome | Now change the account's password in Google Chrome | Then, in Firefox, refresh or navigate to a page that only logged-in end-users may reach | Result: the end-user in Mozilla Firefox has to be logged out, as that session was established under the old password.


Security Questions & Secret answer

  • Frame security questions so that the answers are not obvious or easily known (What's your pet's name? >> Is that really secret? Yet we see such questions in famous web applications). It would be good to give the user the option of a custom security question.
  • Secret / security answers should be stored in the database as hashes, not plain text.
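Storing security answers as salted hashes, as an added example that is not the post's code. Because answers are typed by people, the input is normalised (case, whitespace, Unicode form) before hashing so that “Fluffy ” and “fluffy” verify against the same record; the PBKDF2 parameters and the `iterations$salt$hash` storage format are choices made for this example.

```python
import hashlib
import hmac
import os
import unicodedata

_ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def normalize_answer(answer: str) -> str:
    """Canonical form of an answer: NFKC, case-folded, single spaces. Only this form is hashed."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes = None, iterations: int = _ITERATIONS) -> str:
    """Return 'iterations$salt_hex$hash_hex'. A per-record salt means two users with the
    same answer (or the same answer across two questions) never share a stored hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)
```

A review of the database should find only strings of this shape in the answer column; seeing the answer text itself is the finding the checklist item is looking for.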


Session Management

  • A user who has been idle for some time should be automatically logged out by expiring his session. (Example: the user has gone to the rest room or out for a snack without logging out. Now anyone can walk up to his system, find the account open and exploit it.)
  • No confidential details such as the password should be saved in the cookie.
  • Check what information the cookie carries and try to tamper with it using the Mozilla add-on Tamper Data.
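The change-password scenario (the Firefox session is logged out when the password is changed in Chrome) and the session items above can be met by one server-side design: the cookie holds only a random identifier, each session records the password “generation” it was opened under, and a password change bumps the generation so every other session fails its next check. This is an added example, not code from the original post; `User`, `Session`, `SessionStore` and the 15-minute idle limit are constructed for it.

```python
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60   # constructed idle limit for the example


@dataclass
class User:
    username: str
    password_generation: int = 0   # incremented on every password change


@dataclass
class Session:
    username: str
    password_generation: int       # generation in force when the session was opened
    last_seen: float


class SessionStore:
    """Constructed server-side session table standing in for the application's store."""

    def __init__(self):
        self._sessions = {}   # opaque cookie value -> Session

    def login(self, user: User, now: float) -> str:
        # The cookie carries only this random identifier: no password, no user data to tamper with.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user.username, user.password_generation, now)
        return sid

    def authenticate(self, sid: str, users: dict, now: float) -> bool:
        """True if the cookie names a live session; otherwise the session is dropped (browser logged out)."""
        sess = self._sessions.get(sid)
        if sess is None:
            return False
        user = users.get(sess.username)
        if user is None or user.password_generation != sess.password_generation:
            del self._sessions[sid]   # password was changed elsewhere, e.g. in another browser
            return False
        if now - sess.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]   # idle for too long
            return False
        sess.last_seen = now
        return True

    def rotate_after_password_change(self, sid: str, user: User, now: float) -> str:
        """Called once the new password is stored: invalidate every other session for this user
        and re-issue the calling browser's own session under the new generation."""
        user.password_generation += 1
        self._sessions.pop(sid, None)
        return self.login(user, now)
```

In the checklist's walk-through, Chrome's request goes through `rotate_after_password_change`, and Firefox's next request to a logged-in-only page hits the generation mismatch in `authenticate` and is logged out.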


Captcha

  • Captcha characters should not be displayed in a cyclic (repeating) sequence.
  • It should not be possible to download all the captcha images at once with an add-on like “DownThemAll”.
  • Use http://free-ocr.com/ to see whether the captcha can be deciphered.
  • Every refresh of the web page should display a new captcha.
  • Do not expose the absolute path name of the captcha image being displayed, because it is then easy to write assertions that identify the URL and enter the corresponding characters to pass the captcha.
  • I personally insist on using Google reCAPTCHA for your web application because it has not been cracked to date. There are many third-party captcha services out there, but I do not recommend those.
  • Question-and-answer type captchas in textual format are good, but not good enough.


This is a good checklist, but it could be made much better if you want to. I stop here because I could go on and on generating test ideas. You are free to use this checklist for your project in your organization and share it with your colleagues, giving credit to me. To share this document, here is the PDF document which you can download.


SanthoshTuppad

Software Tester, Product Innovator, Security Enthusiast at Test Insane Software Testing Services
I have been a software tester for over 5 years. I am a hands-on tester and I've been winning bug battles & testing competitions across the world. I am a testing enthusiast, who conducts free workshops on security testing across India (Covered locations: Bengaluru, Pune, Hyderabad & Chennai. Invite him to come to your location), and monthly meets for testers in Bengaluru. I am also an avid testing blogger.

My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.

14 Comments

  1. Abhijit Mishra wrote:

    Nice one Santosh, going to implement the same in my project. Thanks for this important info.

    Thursday, March 29, 2012 at 3:30 am | Permalink
  2. Thanks Abhijit and glad that you would be implementing the same in your project. Also, try expanding the list and adding to the comments and including in your project too.

    Thursday, March 29, 2012 at 5:43 am | Permalink
  3. Eugenia Yakhnin wrote:

    I test Website applications and I use the Checklist as a checklist for my project.
    Very effective idea; hope you will generate more test ideas, as promised.

    Thursday, March 29, 2012 at 3:15 pm | Permalink
  4. Hi Eugenia, Firstly I did not make any promise as such :D Glad to know that you would be using this checklist for your project. While I generate more test ideas, it is only for my testing activity. I want other testers to generate test ideas which could be expansion of it. I want to see other testers also doing the same and doing better testing. However, the generic ones I would share with the readers on my blog like I did for this blog post.

    — Santhosh Tuppad

    Friday, March 30, 2012 at 12:40 am | Permalink
  5. srinivasskc wrote:

    Security Questions:

    Should security questions be the same for every user who registers / logs in?

    Thursday, January 17, 2013 at 12:30 pm | Permalink
  6. srinivasskc wrote:

    captcha could be deciphered.

    How to do this?

    Thursday, January 17, 2013 at 12:36 pm | Permalink
  7. Please look into http://tuppad.com/blog/2012/06/26/captcha-testing-dedicated-to-andy-glover/

    And also you might want to look into https://www.owasp.org/index.php/Testing_for_Captcha_%28OWASP-AT-008%29

    Thanks!

    Thursday, January 17, 2013 at 3:26 pm | Permalink
  8. Depends on the context. There is no one answer. If you could help me in understanding the context, I could help.

    Thursday, January 17, 2013 at 3:27 pm | Permalink
  9. Varsha Tomar wrote:

    Very nice Santosh. Thanks for sharing the information.

    I need one help, I have just started SAP testing… Could you please help in this via sharing some documents and websites regarding SAP testing.

    Regards,
    Varsha

    Monday, February 4, 2013 at 6:52 pm | Permalink
  10. Varsha, I am sorry. I haven’t worked on it before (I hope you are referring to SAP of SAP Labs). If you are on Twitter, you might want to tweet @santhoshst and I will re-tweet it. You might get some help from people in terms of credible information. Thanks!

    Wednesday, February 6, 2013 at 5:17 pm | Permalink
  11. Jacob wrote:

    Thank you for including the security measures of web applications. Is the security question the same for different users?

    Tuesday, January 7, 2014 at 6:36 pm | Permalink
  12. @JACOB, Security question needs to be a drop down feature which has several options. However, a custom text field to set their own security question is recommended by me. I hope that has answered your question? If not, feel free to reply.

    Friday, January 10, 2014 at 4:21 pm | Permalink
  13. sudhakar nerusu wrote:

    Thanks for sharing the information, and
    I want more about security testing concepts
    in a detailed manner.
    Please give me information.

    Saturday, January 25, 2014 at 4:40 pm | Permalink
  14. sudhakar nerusu wrote:

    Now I am a manual tester
    but I want to become a security tester.

    Saturday, January 25, 2014 at 4:43 pm | Permalink
