-
Notifications
You must be signed in to change notification settings - Fork 0
/
owstg.yaml
1254 lines (1254 loc) · 57.2 KB
/
owstg.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
- type: pentest
- category:
atomic_tests:
- description: Conduct Search Engine Discovery Reconnaissance for Information
Leakage
id: WSTG-INFO-01
objectives:
- Identify what sensitive design and configuration information of the application,
system, or organization is exposed directly (on the organization's site) or
indirectly (via third-party services).
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Fingerprint Web Server
id: WSTG-INFO-02
objectives:
- Determine the version and type of a running web server to enable further discovery
of any known vulnerabilities.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Review Webserver Metafiles for Information Leakage
id: WSTG-INFO-03
objectives:
- Identify hidden or obfuscated paths and functionality through the analysis
of metadata files.
- Extract and map other information that could lead to a better understanding
of the systems at hand.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Enumerate Applications on Webserver
id: WSTG-INFO-04
objectives:
- Enumerate the applications within the scope that exist on a web server.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Review Webpage Content for Information Leakage
id: WSTG-INFO-05
objectives:
- Review webpage comments, metadata, and redirect bodies to find any information
leakage.
- Gather JavaScript files and review the JS code to better understand the application
and to find any information leakage.
- Identify if source map files or other front-end debug files exist.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Identify Application Entry Points
id: WSTG-INFO-06
objectives:
- Identify possible entry and injection points through request and response
analysis.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/06-Identify_Application_Entry_Points
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Map Execution Paths Through Application
id: WSTG-INFO-07
objectives:
- Map the target application and understand the principal workflows.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/07-Map_Execution_Paths_Through_Application
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Fingerprint Web Application Framework
id: WSTG-INFO-08
objectives:
- Fingerprint the components being used by the web applications.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Fingerprint Web Application
id: WSTG-INFO-09
objectives:
- ''
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/09-Fingerprint_Web_Application
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Map Application Architecture
id: WSTG-INFO-10
objectives:
- Understand the architecture of the application and the technologies in use.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/10-Map_Application_Architecture
substeps:
- Your note 1
wasTested: false
hasConcern: false
id: WSTG-INFO
title: Information Gathering
- category:
atomic_tests:
- description: Test Network Infrastructure Configuration
id: WSTG-CONF-01
objectives:
- Review the applications' configurations set across the network and validate
that they are not vulnerable.
- Validate that used frameworks and systems are secure and not susceptible to
known vulnerabilities due to unmaintained software or default settings and
credentials.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/01-Test_Network_Infrastructure_Configuration
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test Application Platform Configuration
id: WSTG-CONF-02
objectives:
- Ensure that defaults and known files have been removed.
- Validate that no debugging code or extensions are left in the production environments.
- Review the logging mechanisms set in place for the application.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test File Extensions Handling for Sensitive Information
id: WSTG-CONF-03
objectives:
- Dirbust sensitive file extensions, or extensions that might contain raw data
(*e.g.* scripts, raw data, credentials, etc.).
- Validate that no system framework bypasses exist on the rules set.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/03-Test_File_Extensions_Handling_for_Sensitive_Information
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Review Old Backup and Unreferenced Files for Sensitive Information
id: WSTG-CONF-04
objectives:
- Find and analyse unreferenced files that might contain sensitive information.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Enumerate Infrastructure and Application Admin Interfaces
id: WSTG-CONF-05
objectives:
- Identify hidden administrator interfaces and functionality.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test HTTP Methods
id: WSTG-CONF-06
objectives:
- Enumerate supported HTTP methods.
- Test for access control bypass.
- Test HTTP method overriding techniques.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test HTTP Strict Transport Security
id: WSTG-CONF-07
objectives:
- Review the HSTS header and its validity.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test RIA Cross Domain Policy
id: WSTG-CONF-08
objectives:
- ''
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/08-Test_RIA_Cross_Domain_Policy
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test File Permission
id: WSTG-CONF-09
objectives:
- Review and identify any rogue file permissions.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test for Subdomain Takeover
id: WSTG-CONF-10
objectives:
- Enumerate all possible domains (previous and current).
- Identify forgotten or misconfigured domains.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test Cloud Storage
id: WSTG-CONF-11
objectives:
- Assess that the access control configuration for the storage services is properly
in place.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/11-Test_Cloud_Storage
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Content Security Policy
id: WSTG-CONF-12
objectives:
- Review the Content-Security-Policy header or meta element to identify misconfigurations.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test Path Confusion
id: WSTG-CONF-13
objectives:
- Make sure application paths are configured correctly.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/13-Test_for_Path_Confusion
substeps:
- Your note 1
wasTested: false
hasConcern: false
id: WSTG-CONF
title: Configuration and Deployment Management Testing
- category:
atomic_tests:
- description: Test Role Definitions
id: WSTG-IDNT-01
objectives:
- Identify and document roles used by the application.
- Attempt to switch, change, or access another role.
- Review the granularity of the roles and the needs behind the permissions given.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test User Registration Process
id: WSTG-IDNT-02
objectives:
- Verify that the identity requirements for user registration are aligned with
business and security requirements.
- Validate the registration process.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/02-Test_User_Registration_Process
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test Account Provisioning Process
id: WSTG-IDNT-03
objectives:
- Verify which accounts may provision other accounts and of what type.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/03-Test_Account_Provisioning_Process
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Account Enumeration and Guessable User Account
id: WSTG-IDNT-04
objectives:
- Review processes that pertain to user identification (*e.g.* registration,
login, etc.).
- Enumerate users where possible through response analysis.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Weak or Unenforced Username Policy
id: WSTG-IDNT-05
objectives:
- Determine whether a consistent account name structure renders the application
vulnerable to account enumeration.
- Determine whether the application's error messages permit account enumeration.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/05-Testing_for_Weak_or_Unenforced_Username_Policy
substeps:
- Your note 1
wasTested: false
hasConcern: false
id: WSTG-IDNT
title: Identity Management Testing
- category:
atomic_tests:
- description: Testing for Credentials Transported over an Encrypted Channel
id: WSTG-ATHN-01
objectives:
- ''
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Default Credentials
id: WSTG-ATHN-02
objectives:
- Determine whether the application has any user accounts with default passwords.
- Review whether new user accounts are created with weak or predictable passwords.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Weak Lock Out Mechanism
id: WSTG-ATHN-03
objectives:
- Evaluate the account lockout mechanism's ability to mitigate brute force password
guessing.
- Evaluate the unlock mechanism's resistance to unauthorized account unlocking.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Bypassing Authentication Schema
id: WSTG-ATHN-04
objectives:
- Ensure that authentication is applied across all services that require it.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Vulnerable Remember Password
id: WSTG-ATHN-05
objectives:
- Validate that the generated session is managed securely and do not put the
user's credentials in danger.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/05-Testing_for_Vulnerable_Remember_Password
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Browser Cache Weaknesses
id: WSTG-ATHN-06
objectives:
- Review if the application stores sensitive information on the client-side.
- Review if access can occur without authorization.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Weak Password Policy
id: WSTG-ATHN-07
objectives:
- Determine the resistance of the application against brute force password guessing
using available password dictionaries by evaluating the length, complexity,
reuse, and aging requirements of passwords.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Weak Security Question Answer
id: WSTG-ATHN-08
objectives:
- Determine the complexity and how straight-forward the questions are.
- Assess possible user answers and brute force capabilities.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Weak Password Change or Reset Functionalities
id: WSTG-ATHN-09
objectives:
- Determine whether the password change and reset functionality allows accounts
to be compromised.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Weaker Authentication in Alternative Channel
id: WSTG-ATHN-10
objectives:
- Identify alternative authentication channels.
- Assess the security measures used and if any bypasses exists on the alternative
channels.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/10-Testing_for_Weaker_Authentication_in_Alternative_Channel
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing Multi-Factor Authentication (MFA)
id: WSTG-ATHN-11
objectives:
- Identify the type of MFA used by the application.
- Determine whether the MFA implementation is robust and secure.
- Attempt to bypass the MFA.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/11-Testing_Multi-Factor_Authentication
substeps:
- Your note 1
wasTested: false
hasConcern: false
id: WSTG-ATHN
title: Authentication Testing
- category:
atomic_tests:
- description: Testing Directory Traversal File Include
id: WSTG-ATHZ-01
objectives:
- Identify injection points that pertain to path traversal.
- Assess bypassing techniques and identify the extent of path traversal.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Bypassing Authorization Schema
id: WSTG-ATHZ-02
objectives:
- Assess if horizontal or vertical access is possible.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Privilege Escalation
id: WSTG-ATHZ-03
objectives:
- Identify injection points related to privilege manipulation.
- Fuzz or otherwise attempt to bypass security measures.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Insecure Direct Object References
id: WSTG-ATHZ-04
objectives:
- Identify points where object references may occur.
- Assess the access control measures and if they're vulnerable to IDOR.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for OAuth Weaknesses
id: WSTG-ATHZ-05
objectives:
- Determine if OAuth2 implementation is vulnerable or using a deprecated or
custom implementation.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses
substeps:
- Your note 1
wasTested: false
hasConcern: false
id: WSTG-ATHZ
title: Authorization Testing
- category:
atomic_tests:
- description: Testing for Session Management Schema
id: WSTG-SESS-01
objectives:
- Gather session tokens, for the same user and for different users where possible.
- Analyze and ensure that enough randomness exists to stop session forging attacks.
- Modify cookies that are not signed and contain information that can be manipulated.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Cookies Attributes
id: WSTG-SESS-02
objectives:
- Ensure that the proper security configuration is set for cookies.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Session Fixation
id: WSTG-SESS-03
objectives:
- Analyze the authentication mechanism and its flow.
- Force cookies and assess the impact.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Exposed Session Variables
id: WSTG-SESS-04
objectives:
- Ensure that proper encryption is implemented.
- Review the caching configuration.
- Assess the channel and methods' security.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Cross Site Request Forgery
id: WSTG-SESS-05
objectives:
- Determine whether it is possible to initiate requests on a user's behalf that
are not initiated by the user.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Logout Functionality
id: WSTG-SESS-06
objectives:
- Assess the logout UI.
- Analyze the session timeout and if the session is properly killed after logout.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing Session Timeout
id: WSTG-SESS-07
objectives:
- Validate that a hard session timeout exists.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/07-Testing_Session_Timeout
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Session Puzzling
id: WSTG-SESS-08
objectives:
- Identify all session variables.
- Break the logical flow of session generation.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/08-Testing_for_Session_Puzzling
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Session Hijacking
id: WSTG-SESS-09
objectives:
- Identify vulnerable session cookies.
- Hijack vulnerable cookies and assess the risk level.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/09-Testing_for_Session_Hijacking
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing JSON Web Tokens
id: WSTG-SESS-10
objectives:
- Determine whether the JWTs expose sensitive information.
- Determine whether the JWTs can be tampered with or modified.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens
substeps:
- Your note 1
wasTested: false
hasConcern: false
id: WSTG-SESS
title: Session Management Testing
- category:
atomic_tests:
- description: Testing for Reflected Cross Site Scripting
id: WSTG-INPV-01
objectives:
- Identify variables that are reflected in responses.
- Assess the input they accept and the encoding that gets applied on return
(if any).
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Stored Cross Site Scripting
id: WSTG-INPV-02
objectives:
- Identify stored input that is reflected on the client-side.
- Assess the input they accept and the encoding that gets applied on return
(if any).
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for HTTP Verb Tampering
id: WSTG-INPV-03
objectives:
- ''
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for HTTP Parameter Pollution
id: WSTG-INPV-04
objectives:
- Identify the backend and the parsing method used.
- Assess injection points and try bypassing input filters using HPP.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for SQL Injection
id: WSTG-INPV-05
objectives:
- Identify SQL injection points.
- Assess the severity of the injection and the level of access that can be achieved
through it.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for LDAP Injection
id: WSTG-INPV-06
objectives:
- Identify LDAP injection points.
- Assess the severity of the injection.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for XML Injection
id: WSTG-INPV-07
objectives:
- Identify XML injection points.
- Assess the types of exploits that can be attained and their severities.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for SSI Injection
id: WSTG-INPV-08
objectives:
- Identify SSI injection points.
- Assess the severity of the injection.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for XPath Injection
id: WSTG-INPV-09
objectives:
- Identify XPATH injection points.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for IMAP SMTP Injection
id: WSTG-INPV-10
objectives:
- Identify IMAP/SMTP injection points.
- Understand the data flow and deployment structure of the system.
- Assess the injection impacts.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Code Injection
id: WSTG-INPV-11
objectives:
- Identify injection points where you can inject code into the application.
- Assess the injection severity.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Command Injection
id: WSTG-INPV-12
objectives:
- Identify and assess the command injection points.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Buffer Overflow
id: WSTG-INPV-13
objectives:
- ''
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Buffer_Overflow
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Format String Injection
id: WSTG-INPV-13-bis
objectives:
- Assess whether injecting format string conversion specifiers into user-controlled
fields causes undesired behavior from the application.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Format_String_Injection
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Incubated Vulnerability
id: WSTG-INPV-14
objectives:
- Identify injections that are stored and require a recall step to the stored
injection.
- Understand how a recall step could occur.
- Set listeners or activate the recall step if possible.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/14-Testing_for_Incubated_Vulnerability
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for HTTP Splitting Smuggling
id: WSTG-INPV-15
objectives:
- Assess if the application is vulnerable to splitting, identifying what possible
attacks are achievable.
- Assess if the chain of communication is vulnerable to smuggling, identifying
what possible attacks are achievable.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for HTTP Incoming Requests
id: WSTG-INPV-16
objectives:
- Monitor all incoming and outgoing HTTP requests to the Web Server to inspect
any suspicious requests.
- Monitor HTTP traffic without changes of end user Browser proxy or client-side
application.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/16-Testing_for_HTTP_Incoming_Requests
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Host Header Injection
id: WSTG-INPV-17
objectives:
- Assess if the Host header is being parsed dynamically in the application.
- Bypass security controls that rely on the header.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Server-side Template Injection
id: WSTG-INPV-18
objectives:
- Detect template injection vulnerability points.
- Identify the templating engine.
- Build the exploit.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server-side_Template_Injection
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Server-Side Request Forgery
id: WSTG-INPV-19
objectives:
- Identify SSRF injection points.
- Test if the injection points are exploitable.
- Asses the severity of the vulnerability.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Mass Assignment
id: WSTG-INPV-20
objectives:
- Identify requests that modify objects
- Assess if it is possible to modify fields never intended to be modified from
outside
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/20-Testing_for_Mass_Assignment
substeps:
- Your note 1
wasTested: false
hasConcern: false
id: WSTG-INPV
title: Input Validation Testing
- category:
atomic_tests:
- description: Testing for Improper Error Handling
id: WSTG-ERRH-01
objectives:
- Identify existing error output.
- Analyze the different output returned.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_For_Improper_Error_Handling
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Stack Traces
id: WSTG-ERRH-02
objectives:
- ''
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces
substeps:
- Your note 1
wasTested: false
hasConcern: false
id: WSTG-ERRH
title: Testing for Error Handling
- category:
atomic_tests:
- description: Testing for Weak Transport Layer Security
id: WSTG-CRYP-01
objectives:
- Validate the service configuration.
- Review the digital certificate's cryptographic strength and validity.
- Ensure that the TLS security is not bypassable and is properly implemented
across the application.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Padding Oracle
id: WSTG-CRYP-02
objectives:
- Identify encrypted messages that rely on padding.
- Attempt to break the padding of the encrypted messages and analyze the returned
error messages for further analysis.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/02-Testing_for_Padding_Oracle
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Sensitive Information Sent via Unencrypted Channels
id: WSTG-CRYP-03
objectives:
- Identify sensitive information transmitted through the various channels.
- Assess the privacy and security of the channels used.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Testing for Weak Encryption
id: WSTG-CRYP-04
objectives:
- Provide a guideline for the identification weak encryption or hashing uses
and implementations.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption
substeps:
- Your note 1
wasTested: false
hasConcern: false
id: WSTG-CRYP
title: Testing for Weak Cryptography
- category:
atomic_tests:
- description: Test Business Logic Data Validation
id: WSTG-BUSL-01
objectives:
- Identify data injection points.
- Validate that all checks are occurring on the backend and can't be bypassed.
- Attempt to break the format of the expected data and analyze how the application
is handling it.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/01-Test_Business_Logic_Data_Validation
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test Ability to Forge Requests
id: WSTG-BUSL-02
objectives:
- Review the project documentation looking for guessable, predictable, or hidden
functionality of fields.
- Insert logically valid data in order to bypass normal business logic workflow.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/02-Test_Ability_to_Forge_Requests
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test Integrity Checks
id: WSTG-BUSL-03
objectives:
- Review the project documentation for components of the system that move, store,
or handle data.
- Determine what type of data is logically acceptable by the component and what
types the system should guard against.
- Determine who should be allowed to modify or read that data in each component.
- Attempt to insert, update, or delete data values used by each component that
should not be allowed per the business logic workflow.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test for Process Timing
id: WSTG-BUSL-04
objectives:
- Review the project documentation for system functionality that may be impacted
by time.
- Develop and execute misuse cases.
observations: Your observation
reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/04-Test_for_Process_Timing
substeps:
- Your note 1
wasTested: false
hasConcern: false
- description: Test Number of Times a Function Can Be Used Limits