Checklist for Bug Bounty hunter based on OWASP pen-tester guide

This is a checklist for web pen-testing and bug bounty hunting. When you guys are hacking, you guys can use it as a reference….

4.12 Client Side Testing

4.12.1 OTG-CLIENT-001 Testing for DOM-based Cross-Site Scripting
4.12.2 OTG-CLIENT-002 Testing for JavaScript Execution
4.12.3 OTG-CLIENT-003 Testing for HTML Injection
4.12.4 OTG-CLIENT-004 Testing for Client-Side URL Redirect
4.12.5 OTG-CLIENT-005 Testing for CSS Injection
4.12.6 OTG-CLIENT-006 Testing for Client-Side Resource Manipulation
4.12.7 OTG-CLIENT-007 Test Cross-Origin Resource Sharing
4.12.8 OTG-CLIENT-008 Testing for Cross-Site Flashing
4.12.9 OTG-CLIENT-009 Testing for Clickjacking
4.12.10 OTG-CLIENT-010 Testing WebSockets
4.12.11 OTG-CLIENT-011 Test Web Messaging
4.12.12 OTG-CLIENT-012 Test Local Storage

4.11 Business Logic Testing

4.11.1 OTG-BUSLOGIC-001 Test Business Logic Data Validation
4.11.2 OTG-BUSLOGIC-002 Test Ability to Forge Requests
4.11.3 OTG-BUSLOGIC-003 Test Integrity Checks
4.11.4 OTG-BUSLOGIC-004 Test for Process Timing
4.11.5 OTG-BUSLOGIC-005 Test Number of Times a Function Can be Used Limits
4.11.6 OTG-BUSLOGIC-006 Testing for the Circumvention of Work Flows
4.11.7 OTG-BUSLOGIC-007 Test Defenses Against Application Mis-use
4.11.8 OTG-BUSLOGIC-008 Test Upload of Unexpected File Types
4.11.9 OTG-BUSLOGIC-009 Test Upload of Malicious Files

4.8 Data Validation Testing

4.8.1 OTG-INPVAL-001 Testing for Reflected Cross-Site Scripting
4.8.2 OTG-INPVAL-002 Testing for Stored Cross-Site Scripting
4.8.3 OTG-INPVAL-003 Testing for HTTP Verb Tampering
4.8.4 OTG-INPVAL-004 Testing for HTTP Parameter pollution
4.8.5 OTG-INPVAL-005 Testing for SQL Injection Oracle Testing MySQL Testing SQL Server Testing Testing PostgreSQL MS Access Testing Testing for NoSQL injection
4.8.6 OTG-INPVAL-006 Testing for LDAP Injection
4.8.7 OTG-INPVAL-007 Testing for ORM Injection
4.8.8 OTG-INPVAL-008 Testing for XML Injection
4.8.9 OTG-INPVAL-009 Testing for SSI Injection
4.8.10 OTG-INPVAL-010 Testing for XPath Injection
4.8.11 OTG-INPVAL-011 IMAP/SMTP Injection
4.8.12 OTG-INPVAL-012 Testing for Code Injection Testing for Local File Inclusion Testing for Remote File Inclusion
4.8.13 OTG-INPVAL-013 Testing for Command Injection
4.8.14 OTG-INPVAL-014 Testing for Buffer overflow Testing for Heap overflow Testing for Stack overflow Testing for Format string
4.8.15 OTG-INPVAL-015 Testing for incubated vulnerabilities
4.8.16 OTG-INPVAL-016 Testing for HTTP Splitting/Smuggling

4.9 Error Handling

4.9.1 OTG-ERR-001 Analysis of Error Codes
4.9.2 OTG-ERR-002 Analysis of Stack Traces

4.10 Cryptography

4.10.1 OTG-CRYPT-001 Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection
4.10.2 OTG-CRYPT-002 Testing for Padding Oracle
4.10.3 OTG-CRYPT-003 Testing for Sensitive information sent via unencrypted channels




An independent information security researcher and consultant.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How to use ProperSoft PDF2QBO and convert a PDF file to QBO (Web Connect) format

How C++ should not learn from Ada: Scoping of exception handlers

What’s new on SWAP.NET

Install ubuntu on windows using windows subsystem for Linux (WSL)

Running any Container on CloudRun

Planning a Proxmox Build

Introduction To GraphQL(REST alternative)

The new-look admin console of employee app

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Yasir Ansari

Yasir Ansari

An independent information security researcher and consultant.

More from Medium

HackTheBox Search Write-Up

Search Avatar


How Clubhouse user scraping and social graphs

TryHackMe Advent of Cyber 3 → DAY 1