Comprehensive Black Box Testing Checklist
Verify whether the app can be reached directly by IP address and whether such access bypasses domain-based restrictions.
Check that sensitive inputs (passwords, payment fields) have autocomplete/autofill disabled.
Test how the system handles empty credentials and whether error messages leak info.
Check how 404/500 pages behave and whether they disclose internal paths or stack traces.
Test account lockouts, rate-limiting, CAPTCHAs and login throttling mechanisms.
Verify X-Frame-Options or CSP frame-ancestors to prevent framing attacks.
Check if user-controlled data can be used to spoof UI, messages or links to trick users.
Ensure Secure, HttpOnly, SameSite attributes are set appropriately for session cookies.
Check Access-Control-Allow-Origin, credentials handling and reflected-origin vulnerabilities.
Test CRLF in headers and input to inject headers or manipulate responses.
Verify Content-Security-Policy exists and prevents unsafe-inline, eval and untrusted origins.
Check admin panels/services for default or well-known credentials.
Look for exposed directories or files via index listings or predictable paths.
Attempt path traversal to read unintended local files (e.g., ../../etc/passwd).
Use wordlists to discover hidden endpoints, admin paths, backup files and dev utilities.
Test whether the Host header can poison generated links or password-reset emails, or cause web cache poisoning.
Verify Strict-Transport-Security header exists and is correctly configured.
Check for dangerous allowed methods (PUT, DELETE, TRACE, OPTIONS) and method tampering.
Ensure headers like X-Content-Type-Options, X-XSS-Protection, Referrer-Policy are present and sane.
Test server-side validation for injection, large payloads, invalid formats and type confusion.
Probe LDAP-backed endpoints for injection via filters or attribute manipulation.
Attempt to retrieve local files through path parameters or file includes.
Perform port/service discovery to identify reachable services and versions for attack-surface mapping.
Test redirect parameters to see if arbitrary external redirects are allowed.
Check inputs that reach system calls for shell metacharacter injection or command chaining.
Tamper with responses and cached content to observe inconsistent or insecure behavior.
Scan JavaScript libraries for known vulnerable versions and insecure dependencies.
Test whether remote URLs can be included and executed by the application.
Search Shodan for public-facing assets and exposed services related to the target.
Use SOC Radar or similar to identify leaked credentials, breaches, or exposed assets.
Search public repos for credentials, API keys or leaked config (when in-scope).
Test query parameters, headers and cookies for SQLi and injection-based data exfiltration.
Run SSL tests (cipher suites, protocol versions, cert validity, downgrade risk, weak ciphers).
Attempt to force the server to make internal network requests, reach metadata endpoints or access local services (SSRF).
Test registration, password reset and login error messages for user enumeration vectors.
Look for version strings in headers, HTML comments, JavaScript or error pages.
Trigger errors to reveal stack traces, debug info or software versions in error responses.
Inventory and check third-party components and frameworks for known CVEs.
Enumerate frameworks, servers and libs to tailor attacks to identified tech stack.
Check for weak password hashing, poor key lengths, or outdated crypto algorithms.
Test reflected, stored and DOM XSS vectors and check output encoding.
Probe for blind, time-based or second-order SQL injection scenarios.
Test for broken authorization, insecure object references and horizontal/vertical privilege bypasses.
Enumerate internal services and metadata endpoints, and attempt port scanning, through SSRF vectors.
Confirm fixes, re-test previously found issues, and ensure no regressions or new leaks were introduced.
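Several items on the list (framing protection, session-cookie attributes, CORS, CSP, HSTS, X-Content-Type-Options) are checks on a single response's headers. The script below, added here as a worked example rather than code from the original checklist, audits a response header set against those checks and reports each gap as a (check, detail) pair. Both header sets are constructed for illustration, not captured from any real target; `WEAK_HEADERS` shows the failing case and `HARDENED_HEADERS` the same response with the findings addressed. The one-year HSTS threshold and the "session-like" cookie-name heuristic are assumptions of the example.

```python
ONE_YEAR = 31536000  # seconds; common minimum for HSTS max-age (example's assumption)

# Constructed sample responses as (name, value) pairs; Set-Cookie may repeat.
WEAK_HEADERS = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example"),
    ("Access-Control-Allow-Origin", "https://untrusted.example"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("X-Frame-Options", "ALLOWALL"),
]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def _params(value):
    """Split 'k=v; flag' style header values into {key_lower: value}."""
    out = {}
    for piece in value.split(";"):
        key, _, val = piece.partition("=")
        out[key.strip().lower()] = val.strip()
    return out


def _csp_directives(csp):
    """Parse a CSP value into {directive: [source, ...]}, lowercased."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers, request_origin=None):
    """Return (check, detail) findings; request_origin is the request's Origin header."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    first = lambda name: by_name.get(name, [None])[0]
    findings = []

    # HSTS: present, at least a year, covering subdomains
    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append(("hsts", "Strict-Transport-Security missing"))
    else:
        params = _params(hsts)
        max_age_text = params.get("max-age", "0")
        max_age = int(max_age_text) if max_age_text.isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(("hsts", f"max-age {max_age} is shorter than one year ({ONE_YEAR})"))
        if "includesubdomains" not in params:
            findings.append(("hsts", "includeSubDomains not set"))

    # CSP: present, script sources free of unsafe-inline, unsafe-eval and wildcards
    csp = first("content-security-policy")
    csp_frames = False
    if csp is None:
        findings.append(("csp", "Content-Security-Policy missing"))
    else:
        directives = _csp_directives(csp)
        scripts = directives.get("script-src", directives.get("default-src", []))
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if bad in scripts:
                findings.append(("csp", f"script sources allow {bad}"))
        csp_frames = "frame-ancestors" in directives

    # Framing: a restrictive X-Frame-Options or CSP frame-ancestors, else clickjackable
    xfo = (first("x-frame-options") or "").strip().upper()
    if not csp_frames and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("framing", "no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors"))

    # CORS: wildcard or reflected origin together with credentials
    acao = first("access-control-allow-origin")
    credentials = (first("access-control-allow-credentials") or "").strip().lower() == "true"
    if credentials and acao == "*":
        findings.append(("cors", "wildcard Access-Control-Allow-Origin with credentials allowed"))
    elif credentials and acao and acao == request_origin:
        findings.append(("cors", "Access-Control-Allow-Origin reflects the request Origin with credentials allowed"))

    # Cookies: session-like cookies need Secure, HttpOnly and SameSite=Lax/Strict
    for set_cookie in by_name.get("set-cookie", []):
        name = set_cookie.split(";", 1)[0].split("=", 1)[0].strip()
        if not any(hint in name.lower() for hint in ("sess", "token", "auth")):
            continue
        attrs = _params(set_cookie)
        for label in ("Secure", "HttpOnly"):
            if label.lower() not in attrs:
                findings.append(("cookie", f"{name} lacks {label}"))
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(("cookie", f"{name} lacks SameSite=Lax/Strict"))

    # MIME sniffing
    if (first("x-content-type-options") or "").strip().lower() != "nosniff":
        findings.append(("sniff", "X-Content-Type-Options: nosniff missing"))
    return findings


def audit_weak_sample():
    """Run the audit over the constructed weak response with a reflected Origin."""
    return audit_headers(WEAK_HEADERS, request_origin="https://untrusted.example")
```

To use it against a live response, pass the raw header list from your HTTP client (most expose headers as a list of pairs or a multi-dict) together with the Origin value you sent, so the reflected-origin check has something to compare against; the hardened set produces no findings and serves as the target state when re-testing.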
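Two of the input checks above, path traversal through path parameters or file includes and open redirects through redirect parameters, are best understood next to the server-side validation that closes them. The functions below are an added example and not code from the original checklist: `safe_join` resolves a user-supplied path under a fixed root and rejects anything that escapes it (including the percent-encoded `../` form), and `is_safe_redirect` accepts only same-site relative paths or https URLs on an allow-listed host. `UPLOAD_ROOT` and `ALLOWED_REDIRECT_HOSTS` are hypothetical values chosen for the example.

```python
import os
from urllib.parse import unquote, urlsplit

# Hypothetical document root and redirect allow-list for this example.
UPLOAD_ROOT = "/srv/app/uploads"
ALLOWED_REDIRECT_HOSTS = {"app.example"}


def safe_join(base_dir, user_path):
    """Resolve a user-supplied path under base_dir.

    Returns the absolute path, or None when the result would escape base_dir
    (for example via ../ segments or their percent-encoded form)."""
    base = os.path.abspath(base_dir)
    # Decode once: frameworks normally hand over a decoded path, but a raw
    # %2e%2e must not slip past the check. Double-encoded input decodes to a
    # literal "%2e%2e" filename, which stays inside base_dir.
    decoded = unquote(user_path)
    # Drop leading separators so an absolute input is treated as relative.
    candidate = os.path.abspath(os.path.join(base, decoded.lstrip("/\\")))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    # On a live tree also compare os.path.realpath(candidate), so a symlink
    # placed inside base_dir cannot point outside it.
    return candidate


def is_safe_redirect(target, allowed_hosts, scheme="https"):
    """Accept only same-site relative paths or URLs on an allow-listed host."""
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash. "//host" and "/\host"
        # are protocol-relative forms that browsers resolve to another site.
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    # Absolute target: require the expected scheme and an allow-listed host;
    # hostname (not netloc) is compared so "https://app.example@evil" fails.
    return parts.scheme == scheme and parts.hostname in allowed_hosts


def demo():
    """Show both validators on a few constructed inputs."""
    return {
        "file": [safe_join(UPLOAD_ROOT, p) for p in ("reports/2024.pdf", "../../etc/passwd")],
        "redirect": [is_safe_redirect(t, ALLOWED_REDIRECT_HOSTS) for t in ("/account", "//untrusted.example/")],
    }
```

The host comparison deliberately uses `hostname` rather than string prefix matching, since `https://app.example.untrusted.example/` and `https://app.example@untrusted.example/` are both common ways a prefix check is fooled; the path check compares against `base + os.sep` for the same reason, so a sibling directory whose name merely starts with the root name is not accepted.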