Complete Security Testing Checklist

All Security Tests

Custom Bugs

Security Testing Tools & Resources

Reconnaissance Tools

subfinder Amass httpx waybackurls Gau nmap ffuf dirsearch

Vulnerability Scanners

Burp Suite OWASP ZAP Nuclei sqlmap XSStrike Commix

Payload Resources

PayloadsAllTheThings SecLists FuzzDB Intruder payloads

Learning Resources

OWASP Testing Guide PortSwigger Web Security Academy HackTricks PayloadBox
, \">", "Use custom scripts or tools like IBRAHIMXSS, xss_vibes" ] } ], tools: ["Burp Suite", "Gau", "Waybackurls", "XSS Tools"], impact: "Allows script execution in victim's browser context" } ] }, { id: "idor", name: "IDOR & Authorization", description: "Testing for Insecure Direct Object Reference and authorization flaws", items: [ { id: 7, title: "IDOR via Parameter Manipulation", description: "IDOR by manipulating object references", category: "idor", severity: "P1", completed: false, methods: [ { name: "Method 1 - User ID Manipulation", steps: [ "Signup two times - 1 account A and 1 account B", "Check both cookie, token, userid what is similar in a request or response to authenticate", "Change that specific values with each other and check if other user data show", "Test: userid=123 to userid=124, account a cookie change with account b, authorization token replace with other token", "Decode token and change username, id etc.", "Test endpoints like: /user/api/invoice/123 to /user/api/invoice/124, /user/api/v1/123 to /user/api/v2/124", "If you got other user data than report as IDOR" ] } ], tools: ["Burp Suite", "JWT.io"], impact: "Unauthorized access to other users' data and resources" } ] }, { id: "business-logic", name: "Business Logic Flaws", description: "Testing for business logic vulnerabilities", items: [ { id: 8, title: "Coupon & Discount Abuse", description: "Testing for coupon and discount logic flaws", category: "business-logic", severity: "P2", completed: false, methods: [ { name: "Multiple Coupon Redemption", steps: [ "Get a coupon code intended for one-time use", "Apply the same code multiple times or on multiple accounts", "Observe if the discount applies again (logic flaw)" ] } ], tools: ["Burp Suite"], impact: "Financial loss through unauthorized discounts" } ] }, { id: "rce", name: "Remote Code Execution", description: "Testing for Remote Code Execution vulnerabilities", items: [ { id: 9, title: "Command Injection via Parameters", 
// NOTE(review): this listing was collapsed onto a few long lines by the page
// extractor; the formatting below restores one statement per line without
// changing any token. The head of the `securityChecklistData` array (and the
// `const` that declares it) sits above this view. The HTML markup that the
// original template literals presumably contained is not visible in this
// listing (only the `${...}` placeholders and bare text survived), so the
// element selectors used later (`.category-header`, `.checklist-items`,
// `.item-title`, `.category-badge`, ...) refer to markup that cannot be
// checked here — confirm against the original source.
description: "OS command injection through user input",
category: "rce",
severity: "P1",
completed: false,
methods: [
  {
    name: "Method 1 - GET Parameter Injection",
    steps: [
      "Intercept a GET request like: GET /ping?host=127.0.0.1 HTTP/1.1",
      "Send to Repeater and modify the host parameter with payloads: 127.0.0.1;ls, 127.0.0.1&&whoami, 127.0.0.1|uname -a",
      "Observe the response for command output like www-data, root, system info or directory listing",
      "If output appears → Vulnerable!"
    ]
  }
],
tools: ["Burp Suite"],
impact: "Full server compromise and arbitrary command execution"
} ] },
{
  id: "ssrf",
  name: "SSRF Vulnerabilities",
  description: "Testing for Server-Side Request Forgery",
  items: [
    {
      id: 10,
      title: "SSRF via URL Parameters",
      description: "SSRF through user-controlled URL parameters",
      category: "ssrf",
      severity: "P1",
      completed: false,
      methods: [
        {
          name: "SSRF Recon & Automation",
          steps: [
            "Use subfinder -d example.com -o out.txt",
            "cat out.txt | httpx >> livesub.txt",
            "cat livesub.txt | waybackurls | grep -Ev '\\.(png|jpg|gif|jpeg|swf|woff|svg)$' > allUrls.txt",
            "cat allUrls.txt | grep \"=\" | qsreplace http://burpcollaborator.net > ssrf.txt",
            "cat ssrf.txt | httpx -fr"
          ]
        }
      ],
      tools: ["subfinder", "httpx", "waybackurls", "qsreplace", "Burp Collaborator"],
      impact: "Internal network access and service enumeration"
    }
  ]
}
];

// Global variables
// currentFilter: category id selected via the filter buttons / advanced search ('all' = no filter).
// currentView: 'detailed' or 'compact'; only affects the container's class name.
let currentFilter = 'all';
let currentView = 'detailed';
// customBugs is restored from localStorage at load time and persisted on every
// save/delete/import below.
// NOTE(review): JSON.parse throws on a malformed stored value, and this runs at
// top level, so a corrupted 'customBugs' entry aborts the whole script before
// any listener is registered; a try/catch falling back to [] would be safer.
// NOTE(review): values stored here (and those loaded by importChecklist) are
// later interpolated into innerHTML unescaped — see renderCustomBugs /
// viewBugDetails — so any HTML inside them is interpreted as markup.
let customBugs = JSON.parse(localStorage.getItem('customBugs')) || [];

// Initialize the application once the DOM is ready.
document.addEventListener('DOMContentLoaded', function() {
  initializeApp();
});

/**
 * Wires up listeners and renders both tabs.
 * renderChecklist() already calls updateStatistics(), so the explicit call at
 * the end recomputes the counters a second time (harmless, just redundant).
 */
function initializeApp() {
  setupEventListeners();
  renderChecklist();
  renderCustomBugs();
  updateStatistics();
}

/**
 * Registers the static UI listeners: search box, category filter buttons,
 * view buttons, tab switching, and the "add bug" form submit.
 * Handlers use `function` (not arrows) where `this` must be the clicked element.
 */
function setupEventListeners() {
  // Search functionality: re-filter the rendered DOM on every keystroke.
  document.getElementById('searchInput').addEventListener('input', function(e) {
    filterChecklist(e.target.value);
  });
  // Filter buttons: the button's data-category becomes the active filter.
  // Note that this only hides/shows already-rendered DOM nodes; it does not re-render.
  document.querySelectorAll('.filter-btn').forEach(btn => {
    btn.addEventListener('click', function() {
      document.querySelectorAll('.filter-btn').forEach(b => b.classList.remove('active'));
      this.classList.add('active');
      currentFilter = this.dataset.category;
      filterChecklist(document.getElementById('searchInput').value);
    });
  });
  // View controls: toggles a 'compact' modifier class on the container.
  document.querySelectorAll('.view-btn').forEach(btn => {
    btn.addEventListener('click', function() {
      document.querySelectorAll('.view-btn').forEach(b => b.classList.remove('active'));
      this.classList.add('active');
      currentView = this.dataset.view;
      document.getElementById('checklistContainer').className = `checklist-container ${currentView === 'compact' ? 'compact' : ''}`;
    });
  });
  // Tabs: a tab with data-tab="X" activates the element with id "X-tab".
  document.querySelectorAll('.tab').forEach(tab => {
    tab.addEventListener('click', function() {
      document.querySelectorAll('.tab').forEach(t => t.classList.remove('active'));
      document.querySelectorAll('.tab-content').forEach(c => c.classList.remove('active'));
      this.classList.add('active');
      document.getElementById(`${this.dataset.tab}-tab`).classList.add('active');
    });
  });
  // Bug form submission: prevent the native submit and persist via saveCustomBug().
  document.getElementById('bugForm').addEventListener('submit', function(e) {
    e.preventDefault();
    saveCustomBug();
  });
}

/**
 * Rebuilds the checklist container from securityChecklistData.
 * Categories with no item matching currentFilter are skipped entirely.
 * Rendering goes through innerHTML (see createCategoryElement).
 */
function renderChecklist() {
  const container = document.getElementById('checklistContainer');
  container.innerHTML = '';
  securityChecklistData.forEach(category => {
    // Filter items based on current filter
    const filteredItems = category.items.filter(item => {
      if (currentFilter === 'all') return true;
      return item.category === currentFilter;
    });
    if (filteredItems.length === 0) return;
    const categoryElement = createCategoryElement(category, filteredItems);
    container.appendChild(categoryElement);
  });
  updateStatistics();
}

/**
 * Builds one collapsible category block.
 * @param {object} category - entry of securityChecklistData (uses .name)
 * @param {Array} items - the already-filtered items to render inside it
 * @returns {HTMLDivElement} the category element, expanded by default
 * NOTE(review): category.name and every item field are interpolated into
 * innerHTML without escaping; after importChecklist() these values come from a
 * user-supplied file, so they should be HTML-escaped (or set via textContent).
 */
function createCategoryElement(category, items) {
  const div = document.createElement('div');
  div.className = 'checklist-category';
  const completedCount = items.filter(item => item.completed).length;
  div.innerHTML = `

${category.name}

${completedCount}/${items.length}
${items.map(item => createChecklistItem(item)).join('')}
`;
  // Add toggle functionality: clicking the header collapses/expands the item list.
  // The selectors below expect markup that is not visible in this listing.
  const header = div.querySelector('.category-header');
  const itemsContainer = div.querySelector('.checklist-items');
  header.addEventListener('click', () => {
    itemsContainer.classList.toggle('expanded');
    const icon = header.querySelector('i.fa-chevron-down');
    icon.classList.toggle('collapsed');
  });
  // Expand by default
  itemsContainer.classList.add('expanded');
  return div;
}

/**
 * Returns the HTML string for a single checklist item (title, description,
 * severity/category badges, then the methods, tools and impact sections).
 * Values are not escaped — see the note on createCategoryElement.
 */
function createChecklistItem(item) {
  return `
${item.title}
${item.description}
${item.severity} ${item.category}
${renderMethods(item.methods)} ${renderTools(item.tools)} ${renderImpact(item.impact)}
`;
}

/**
 * Renders the methods list of an item. Only method.name is referenced by the
 * visible template; method.steps does not appear in this listing.
 */
function renderMethods(methods) {
  return methods.map(method => `

${method.name}

`).join('');
}

/**
 * Renders the "Tools Required" section; empty string when there are no tools,
 * which keeps the caller's template free of an empty section.
 */
function renderTools(tools) {
  if (!tools || tools.length === 0) return '';
  return `
Tools Required
${tools.map(tool => `${tool}`).join('')}
`;
}

/** Renders the "Impact" section, or nothing when impact is falsy. */
function renderImpact(impact) {
  if (!impact) return '';
  return `
Impact

${impact}

`;
}

/**
 * Marks an item complete/incomplete in the data model and mirrors it in the DOM.
 * Not called from this script; presumably invoked from markup (e.g. an inline
 * handler on the item's checkbox) — verify in the template.
 * @param {number} id - item id (matched with ===, so must be a number)
 * @param {boolean} completed
 */
function toggleComplete(id, completed) {
  securityChecklistData.forEach(category => {
    const item = category.items.find(i => i.id === id);
    if (item) {
      item.completed = completed;
    }
  });
  // Update UI
  const itemElement = document.querySelector(`.checklist-item[data-id="${id}"]`);
  if (itemElement) {
    itemElement.classList.toggle('completed', completed);
  }
  updateStatistics();
}

/**
 * Shows/hides already-rendered items by search term and currentFilter, then
 * updates the category title with the number of visible categories.
 * Works purely on the DOM; the data model is untouched.
 * @param {string} searchTerm - raw search text; '' matches everything
 */
function filterChecklist(searchTerm) {
  // `items` is never read; the per-category query below is what is used.
  const items = document.querySelectorAll('.checklist-item');
  const categories = document.querySelectorAll('.checklist-category');
  const lowerSearchTerm = searchTerm.toLowerCase();
  let visibleCategories = 0;
  categories.forEach(category => {
    const categoryItems = category.querySelectorAll('.checklist-item');
    let visibleItems = 0;
    categoryItems.forEach(item => {
      const title = item.querySelector('.item-title').textContent.toLowerCase();
      const description = item.querySelector('.item-description').textContent.toLowerCase();
      const content = item.textContent.toLowerCase();
      // `content` is the whole item's text, so the title/description checks are
      // subsumed by the last one; the term is matched as a single substring.
      const matchesSearch = !searchTerm || title.includes(lowerSearchTerm) || description.includes(lowerSearchTerm) || content.includes(lowerSearchTerm);
      const matchesCategory = currentFilter === 'all' || item.querySelector('.category-badge').textContent === currentFilter;
      if (matchesSearch && matchesCategory) {
        item.style.display = 'block';
        visibleItems++;
      } else {
        item.style.display = 'none';
      }
    });
    // Show/hide category based on visible items
    if (visibleItems > 0) {
      category.style.display = 'block';
      visibleCategories++;
    } else {
      category.style.display = 'none';
    }
  });
  // Update category title
  const categoryTitle = document.getElementById('categoryTitle');
  if (currentFilter === 'all') {
    categoryTitle.textContent = `All Security Tests (${visibleCategories} categories)`;
  } else {
    categoryTitle.textContent = `${currentFilter.charAt(0).toUpperCase() + currentFilter.slice(1)} Tests`;
  }
}

/**
 * Recomputes total/completed/pending counters over all checklist items plus
 * custom bugs (a custom bug counts as completed when status === 'completed')
 * and writes them to the stats widgets and the progress bar width.
 */
function updateStatistics() {
  let total = 0;
  let completed = 0;
  securityChecklistData.forEach(category => {
    category.items.forEach(item => {
      total++;
      if (item.completed) completed++;
    });
  });
  // Add custom bugs to statistics
  customBugs.forEach(bug => {
    total++;
    if (bug.status === 'completed') completed++;
  });
  const pending = total - completed;
  const percentage = total > 0 ? (completed / total) * 100 : 0;
  document.getElementById('totalTests').textContent = total;
  document.getElementById('completedTests').textContent = completed;
  document.getElementById('pendingTests').textContent = pending;
  document.getElementById('progressFill').style.width = `${percentage}%`;
}

/**
 * Collapses every category if all are currently expanded, otherwise expands
 * all of them, keeping the chevron icon state in sync.
 */
function toggleAllSections() {
  const items = document.querySelectorAll('.checklist-items');
  const allExpanded = Array.from(items).every(item => item.classList.contains('expanded'));
  items.forEach(item => {
    if (allExpanded) {
      item.classList.remove('expanded');
      item.parentElement.querySelector('.category-header i.fa-chevron-down').classList.add('collapsed');
    } else {
      item.classList.add('expanded');
      item.parentElement.querySelector('.category-header i.fa-chevron-down').classList.remove('collapsed');
    }
  });
}

/** Sets every checklist item to completed and re-renders. */
function markAllCompleted() {
  securityChecklistData.forEach(category => {
    category.items.forEach(item => {
      item.completed = true;
    });
  });
  renderChecklist();
  updateStatistics();
}

/** After confirmation, resets every checklist item to not completed and re-renders. */
function clearAllProgress() {
  if (confirm('Are you sure you want to clear all progress?')) {
    securityChecklistData.forEach(category => {
      category.items.forEach(item => {
        item.completed = false;
      });
    });
    renderChecklist();
    updateStatistics();
  }
}

/**
 * Fills the stats modal with overall and per-category completion figures
 * (checklist items only — custom bugs are not counted here, unlike
 * updateStatistics) and opens it.
 * `pending` is computed but not displayed.
 */
function showStatistics() {
  let total = 0;
  let completed = 0;
  const categoryStats = {};
  securityChecklistData.forEach(category => {
    let catTotal = 0;
    let catCompleted = 0;
    category.items.forEach(item => {
      total++;
      catTotal++;
      if (item.completed) {
        completed++;
        catCompleted++;
      }
    });
    // Keyed by display name, so two categories sharing a name would overwrite each other.
    categoryStats[category.name] = {
      total: catTotal,
      completed: catCompleted,
      percentage: catTotal > 0 ? (catCompleted / catTotal) * 100 : 0
    };
  });
  const pending = total - completed;
  const percentage = total > 0 ? (completed / total) * 100 : 0;
  const statsContent = document.getElementById('statsContent');
  statsContent.innerHTML = `
Overall Progress: ${completed}/${total} (${percentage.toFixed(1)}%)

Category Breakdown:

${Object.entries(categoryStats).map(([name, stats]) => `
${name}: ${stats.completed}/${stats.total} (${stats.percentage.toFixed(1)}%)
`).join('')} `;
  document.getElementById('statsModal').style.display = 'block';
}

/** Opens the "add bug" modal. */
function showAddBugModal() {
  document.getElementById('addBugModal').style.display = 'block';
}

/** Hides the modal with the given element id. */
function closeModal(modalId) {
  document.getElementById(modalId).style.display = 'none';
}

/**
 * Reads the bug form, appends a new bug to customBugs, persists the list to
 * localStorage, resets/closes the form and refreshes the custom-bugs tab.
 * `tools` is split on commas, trimmed, and empties dropped; `id` is Date.now().
 */
function saveCustomBug() {
  const bug = {
    id: Date.now(),
    title: document.getElementById('bugTitle').value,
    category: document.getElementById('bugCategory').value,
    severity: document.getElementById('bugSeverity').value,
    status: document.getElementById('bugStatus').value,
    description: document.getElementById('bugDescription').value,
    steps: document.getElementById('bugSteps').value,
    impact: document.getElementById('bugImpact').value,
    tools: document.getElementById('bugTools').value.split(',').map(tool => tool.trim()).filter(tool => tool),
    createdAt: new Date().toISOString()
  };
  customBugs.push(bug);
  localStorage.setItem('customBugs', JSON.stringify(customBugs));
  // Reset form
  document.getElementById('bugForm').reset();
  closeModal('addBugModal');
  // Refresh custom bugs display
  renderCustomBugs();
  updateStatistics();
  // Show success message
  alert('Bug saved successfully!');
}

/**
 * Renders the custom-bugs tab: an empty-state message when there are none,
 * otherwise one card per bug.
 * NOTE(review): bug fields are interpolated into innerHTML unescaped. They
 * originate from the form, localStorage, or an imported JSON file, so a crafted
 * import (or tampered storage) can inject markup/script into this page;
 * escape the values or build the cards with createElement/textContent.
 */
function renderCustomBugs() {
  const container = document.getElementById('customBugsContainer');
  if (customBugs.length === 0) {
    container.innerHTML = `

No Custom Bugs Yet

Add your first custom bug by clicking the "Add New Bug" button above.

`;
    return;
  }
  container.innerHTML = customBugs.map(bug => `
${bug.title}
${bug.description || 'No description provided'}
${bug.severity} ${bug.category} ${bug.status}
`).join('');
}

/**
 * Shows one custom bug's details, reusing the stats modal's content area.
 * Optional sections (description, impact, tools) are omitted when empty;
 * `steps` is always inserted. Same unescaped-innerHTML caveat as renderCustomBugs.
 * @param {number} bugId - matched with === against bug.id
 */
function viewBugDetails(bugId) {
  const bug = customBugs.find(b => b.id === bugId);
  if (!bug) return;
  const modal = document.getElementById('statsModal');
  const statsContent = document.getElementById('statsContent');
  statsContent.innerHTML = `

${bug.title}

${bug.severity} ${bug.category} ${bug.status}
${bug.description ? `
${bug.description}
` : ''}
${bug.steps}
${bug.impact ? `
${bug.impact}
` : ''} ${bug.tools && bug.tools.length > 0 ? `
${bug.tools.map(tool => `${tool}`).join('')}
` : ''}
${new Date(bug.createdAt).toLocaleString()}
`;
  modal.style.display = 'block';
}

/** After confirmation, removes the bug with the given id and persists the new list. */
function deleteBug(bugId) {
  if (confirm('Are you sure you want to delete this bug?')) {
    customBugs = customBugs.filter(bug => bug.id !== bugId);
    localStorage.setItem('customBugs', JSON.stringify(customBugs));
    renderCustomBugs();
    updateStatistics();
  }
}

/** Opens the advanced-search modal. */
function showAdvancedSearch() {
  document.getElementById('advancedSearchModal').style.display = 'block';
}

/**
 * Applies the advanced-search form: the category becomes currentFilter (and the
 * matching filter button is highlighted); severity, status and tools are joined
 * into one search string handed to filterChecklist().
 * Because filterChecklist matches the whole string as a single substring,
 * selecting more than one of severity/status/tools narrows to items whose text
 * contains them adjacently in that order, which will usually be none.
 */
function performAdvancedSearch() {
  const category = document.getElementById('searchCategory').value;
  const severity = document.getElementById('searchSeverity').value;
  const status = document.getElementById('searchStatus').value;
  const tools = document.getElementById('searchTools').value.toLowerCase();
  // Apply filters
  currentFilter = category || 'all';
  // Update filter buttons
  document.querySelectorAll('.filter-btn').forEach(btn => {
    btn.classList.toggle('active', btn.dataset.category === currentFilter);
  });
  // Close modal
  closeModal('advancedSearchModal');
  // Apply search
  let searchQuery = '';
  if (severity) searchQuery += ` ${severity}`;
  if (status) searchQuery += ` ${status}`;
  if (tools) searchQuery += ` ${tools}`;
  document.getElementById('searchInput').value = searchQuery.trim();
  filterChecklist(searchQuery.trim());
}

/**
 * Downloads the checklist data plus custom bugs as a pretty-printed JSON file
 * via a temporary object URL and anchor click.
 */
function exportChecklist() {
  const data = {
    checklist: securityChecklistData,
    customBugs: customBugs,
    exportedAt: new Date().toISOString()
  };
  const blob = new Blob([JSON.stringify(data, null, 2)], { type: 'application/json' });
  const url = URL.createObjectURL(blob);
  const a = document.createElement('a');
  a.href = url;
  a.download = 'security-checklist-export.json';
  document.body.appendChild(a);
  a.click();
  document.body.removeChild(a);
  URL.revokeObjectURL(url);
}

/**
 * Prompts for a JSON file and replaces the checklist data and/or custom bugs
 * with its contents, then re-renders.
 * NOTE(review): only JSON syntax is checked; the shape is not validated. Since
 * `securityChecklistData.length = 0` runs before the re-render inside the same
 * try, a file whose `checklist` is not an array of `{ items: [...] }` objects
 * leaves the in-memory checklist emptied (or partially filled) after the
 * catch fires, and `customBugs` is persisted to localStorage before any check.
 * Validate the structure (arrays, required string fields) before mutating
 * state, and escape the values when they are rendered (see renderCustomBugs).
 */
function importChecklist() {
  const input = document.createElement('input');
  input.type = 'file';
  input.accept = '.json';
  input.onchange = e => {
    const file = e.target.files[0];
    const reader = new FileReader();
    reader.onload = event => {
      try {
        const data = JSON.parse(event.target.result);
        if (data.checklist) {
          // Import checklist data (mutate in place so other references stay valid)
          securityChecklistData.length = 0;
          data.checklist.forEach(category => {
            securityChecklistData.push(category);
          });
        }
        if (data.customBugs) {
          // Import custom bugs
          customBugs = data.customBugs;
          localStorage.setItem('customBugs', JSON.stringify(customBugs));
        }
        renderChecklist();
        renderCustomBugs();
        updateStatistics();
        alert('Checklist imported successfully!');
      } catch (error) {
        // Any parse or render failure ends up here; the original error is discarded.
        alert('Error importing checklist: Invalid file format');
      }
    };
    reader.readAsText(file);
  };
  input.click();
}

// Initialize item content toggles (delegated, so dynamically rendered items work).
// If a .toggle-btn sits inside an .item-header (markup not visible here), both
// branches run for one click and the two toggles cancel each other out.
document.addEventListener('click', function(e) {
  if (e.target.closest('.item-header')) {
    const item = e.target.closest('.checklist-item');
    const content = item.querySelector('.item-content');
    const toggleBtn = item.querySelector('.toggle-btn');
    content.classList.toggle('expanded');
    toggleBtn.classList.toggle('rotated');
  }
  if (e.target.closest('.toggle-btn')) {
    const item = e.target.closest('.checklist-item');
    const content = item.querySelector('.item-content');
    const toggleBtn = item.querySelector('.toggle-btn');
    content.classList.toggle('expanded');
    toggleBtn.classList.toggle('rotated');
  }
});

// Close modals when clicking outside (on the modal backdrop itself).
// Assigning window.onclick replaces any handler set elsewhere on the page.
window.onclick = function(event) {
  const modals = document.querySelectorAll('.modal');
  modals.forEach(modal => {
    if (event.target === modal) {
      modal.style.display = 'none';
    }
  });
};