
VAPT Checklist: Web + API Testing That Finds Real Risk

Most testing fails because it stops at “scanner findings”. This checklist is designed to catch what attackers actually exploit: weak auth flows, broken access control, and abuse paths.

Updated: Feb 24, 2026 • Author: Cyber Spear Team • Category: VAPT

1) Authentication & Session Security

  • Brute-force controls
    Rate limits, lockout policies, and MFA enforcement.
  • Token rotation
    Rotate tokens on login, privilege change, and password reset.
  • Password reset abuse
    Verify OTP/email flows cannot be bypassed or enumerated.

2) Authorization (Broken Access Control)

  • IDOR checks
    Change IDs and validate server-side ownership checks exist.
  • Role boundary tests
    Ensure non-admin users cannot access admin routes.
  • Tenant isolation
    Validate cross-tenant access is blocked in multi-tenant apps.

3) API Abuse & Business Logic

  • Mass assignment
    Ensure payload fields can’t modify restricted properties.
  • Replay / race conditions
    Double spend, duplicate orders, and promo abuse scenarios.
  • Improper object state
    Access drafts, cancel paid flows, or reuse one-time actions.
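As an added example (not part of the original post) tying sections 2 and 3 together: a minimal Python profile-update handler with the IDOR and mass-assignment failures the checklist describes, beside a hardened version with a server-side ownership check and a field allowlist. The user records, field names and the Forbidden exception are constructed for illustration.

```python
from copy import deepcopy

# Constructed sample store; "role" and "balance" are server-controlled and
# must never be writable through the profile-update endpoint.
_SEED = {
    1: {"id": 1, "email": "alice@example.test", "display_name": "Alice", "role": "user", "balance": 0},
    2: {"id": 2, "email": "bob@example.test", "display_name": "Bob", "role": "user", "balance": 0},
}
# Allowlist of fields a user may change on their own profile.
UPDATABLE_FIELDS = frozenset({"email", "display_name"})

class Forbidden(Exception):
    """Raised when the caller does not own the target record."""

def update_profile_vulnerable(users, caller_id, target_id, payload):
    """Two checklist failures in one handler:
    - IDOR: no server-side check that caller_id owns target_id.
    - Mass assignment: every key in the body is bound to the record,
      so {"role": "admin"} or {"balance": 1000} is accepted as-is."""
    user = users[target_id]
    user.update(payload)
    return user

def update_profile_hardened(users, caller_id, target_id, payload):
    """Ownership check first, then bind only allowlisted fields. Unknown
    fields are rejected rather than silently dropped, so the attempt is
    visible to the tester and in server logs."""
    if caller_id != target_id:
        raise Forbidden("caller does not own this profile")
    unexpected = set(payload) - UPDATABLE_FIELDS
    if unexpected:
        raise ValueError(f"fields not updatable: {sorted(unexpected)}")
    user = users[target_id]
    user.update({k: payload[k] for k in UPDATABLE_FIELDS if k in payload})
    return user

def attempt(handler, caller_id, target_id, payload):
    """Run a handler on a fresh copy of the store; return (status, record)
    without raising so vulnerable and hardened behaviour compare side by side."""
    users = deepcopy(_SEED)
    try:
        handler(users, caller_id, target_id, payload)
        return ("ok", users[target_id])
    except (Forbidden, ValueError) as exc:
        return (type(exc).__name__, users[target_id])

if __name__ == "__main__":
    print(attempt(update_profile_vulnerable, 2, 1, {"role": "admin"}))
    print(attempt(update_profile_hardened, 2, 1, {"role": "admin"}))
```

During a test, the retest step for these findings is the same two calls: the cross-user write must come back Forbidden and the restricted field must be rejected, not quietly ignored.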

4) Remediation & Retesting

Good VAPT ends with closure: fixes verified, regressions prevented, and guardrails added.

NEXT STEP
Want us to run this checklist on your app?

We’ll deliver proof-based findings, priority fixes, and retesting support.
