-
Notifications
You must be signed in to change notification settings - Fork 0
/
WSTG.json
886 lines (886 loc) · 56.4 KB
/
WSTG.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
{
"categories": {
"Information Gathering": {
"id": "WSTG-INFO",
"tests": [{
"name": "Conduct Search Engine Discovery Reconnaissance for Information Leakage",
"id": "WSTG-INFO-01",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage",
"objectives": [
"Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization's site) or indirectly (via third-party services)."
]
}, {
"name": "Fingerprint Web Server",
"id": "WSTG-INFO-02",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server",
"objectives": [
"Determine the version and type of a running web server to enable further discovery of any known vulnerabilities."
]
}, {
"name": "Review Webserver Metafiles for Information Leakage",
"id": "WSTG-INFO-03",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage",
"objectives": [
"Identify hidden or obfuscated paths and functionality through the analysis of metadata files.",
"Extract and map other information that could lead to a better understanding of the systems at hand."
]
}, {
"name": "Enumerate Applications on Webserver",
"id": "WSTG-INFO-04",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver",
"objectives": [
"Enumerate the applications within the scope that exist on a web server."
]
}, {
"name": "Review Webpage Content for Information Leakage",
"id": "WSTG-INFO-05",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage",
"objectives": [
"Review webpage comments, metadata, and redirect bodies to find any information leakage.",
"Gather JavaScript files and review the JS code to better understand the application and to find any information leakage.",
"Identify if source map files or other front-end debug files exist."
]
}, {
"name": "Identify Application Entry Points",
"id": "WSTG-INFO-06",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/06-Identify_Application_Entry_Points",
"objectives": [
"Identify possible entry and injection points through request and response analysis."
]
}, {
"name": "Map Execution Paths Through Application",
"id": "WSTG-INFO-07",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/07-Map_Execution_Paths_Through_Application",
"objectives": [
"Map the target application and understand the principal workflows."
]
}, {
"name": "Fingerprint Web Application Framework",
"id": "WSTG-INFO-08",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework",
"objectives": [
"Fingerprint the components being used by the web applications."
]
}, {
"name": "Fingerprint Web Application",
"id": "WSTG-INFO-09",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/09-Fingerprint_Web_Application",
"objectives": [
""
]
}, {
"name": "Map Application Architecture",
"id": "WSTG-INFO-10",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/10-Map_Application_Architecture",
"objectives": [
"Understand the architecture of the application and the technologies in use."
]
}]
},
"Configuration and Deployment Management Testing": {
"id": "WSTG-CONF",
"tests": [{
"name": "Test Network Infrastructure Configuration",
"id": "WSTG-CONF-01",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/01-Test_Network_Infrastructure_Configuration",
"objectives": [
"Review the applications' configurations set across the network and validate that they are not vulnerable.",
"Validate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials."
]
}, {
"name": "Test Application Platform Configuration",
"id": "WSTG-CONF-02",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration",
"objectives": [
"Ensure that defaults and known files have been removed.",
"Validate that no debugging code or extensions are left in the production environments.",
"Review the logging mechanisms set in place for the application."
]
}, {
"name": "Test File Extensions Handling for Sensitive Information",
"id": "WSTG-CONF-03",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/03-Test_File_Extensions_Handling_for_Sensitive_Information",
"objectives": [
"Dirbust sensitive file extensions, or extensions that might contain raw data (*e.g.* scripts, raw data, credentials, etc.).",
"Validate that no system framework bypasses exist on the rules set."
]
}, {
"name": "Review Old Backup and Unreferenced Files for Sensitive Information",
"id": "WSTG-CONF-04",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information",
"objectives": [
"Find and analyse unreferenced files that might contain sensitive information."
]
}, {
"name": "Enumerate Infrastructure and Application Admin Interfaces",
"id": "WSTG-CONF-05",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces",
"objectives": [
"Identify hidden administrator interfaces and functionality."
]
}, {
"name": "Test HTTP Methods",
"id": "WSTG-CONF-06",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods",
"objectives": [
"Enumerate supported HTTP methods.",
"Test for access control bypass.",
"Test HTTP method overriding techniques."
]
}, {
"name": "Test HTTP Strict Transport Security",
"id": "WSTG-CONF-07",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security",
"objectives": [
"Review the HSTS header and its validity."
]
}, {
"name": "Test RIA Cross Domain Policy",
"id": "WSTG-CONF-08",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/08-Test_RIA_Cross_Domain_Policy",
"objectives": [
""
]
}, {
"name": "Test File Permission",
"id": "WSTG-CONF-09",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission",
"objectives": [
"Review and identify any rogue file permissions."
]
}, {
"name": "Test for Subdomain Takeover",
"id": "WSTG-CONF-10",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover",
"objectives": [
"Enumerate all possible domains (previous and current).",
"Identify forgotten or misconfigured domains."
]
}, {
"name": "Test Cloud Storage",
"id": "WSTG-CONF-11",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/11-Test_Cloud_Storage",
"objectives": [
"Assess that the access control configuration for the storage services is properly in place."
]
}, {
"name": "Testing for Content Security Policy",
"id": "WSTG-CONF-12",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy",
"objectives": [
"Review the Content-Security-Policy header or meta element to identify misconfigurations."
]
}, {
"name": "Test Path Confusion",
"id": "WSTG-CONF-13",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/13-Test_for_Path_Confusion",
"objectives": [
"Make sure application paths are configured correctly."
]
}]
},
"Identity Management Testing": {
"id": "WSTG-IDNT",
"tests": [{
"name": "Test Role Definitions",
"id": "WSTG-IDNT-01",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions",
"objectives": [
"Identify and document roles used by the application.",
"Attempt to switch, change, or access another role.",
"Review the granularity of the roles and the needs behind the permissions given."
]
}, {
"name": "Test User Registration Process",
"id": "WSTG-IDNT-02",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/02-Test_User_Registration_Process",
"objectives": [
"Verify that the identity requirements for user registration are aligned with business and security requirements.",
"Validate the registration process."
]
}, {
"name": "Test Account Provisioning Process",
"id": "WSTG-IDNT-03",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/03-Test_Account_Provisioning_Process",
"objectives": [
"Verify which accounts may provision other accounts and of what type."
]
}, {
"name": "Testing for Account Enumeration and Guessable User Account",
"id": "WSTG-IDNT-04",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account",
"objectives": [
"Review processes that pertain to user identification (*e.g.* registration, login, etc.).",
"Enumerate users where possible through response analysis."
]
}, {
"name": "Testing for Weak or Unenforced Username Policy",
"id": "WSTG-IDNT-05",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/05-Testing_for_Weak_or_Unenforced_Username_Policy",
"objectives": [
"Determine whether a consistent account name structure renders the application vulnerable to account enumeration.",
"Determine whether the application's error messages permit account enumeration."
]
}]
},
"Authentication Testing": {
"id": "WSTG-ATHN",
"tests": [{
"name": "Testing for Credentials Transported over an Encrypted Channel",
"id": "WSTG-ATHN-01",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel",
"objectives": [
""
]
}, {
"name": "Testing for Default Credentials",
"id": "WSTG-ATHN-02",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials",
"objectives": [
"Determine whether the application has any user accounts with default passwords.",
"Review whether new user accounts are created with weak or predictable passwords."
]
}, {
"name": "Testing for Weak Lock Out Mechanism",
"id": "WSTG-ATHN-03",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism",
"objectives": [
"Evaluate the account lockout mechanism's ability to mitigate brute force password guessing.",
"Evaluate the unlock mechanism's resistance to unauthorized account unlocking."
]
}, {
"name": "Testing for Bypassing Authentication Schema",
"id": "WSTG-ATHN-04",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema",
"objectives": [
"Ensure that authentication is applied across all services that require it."
]
}, {
"name": "Testing for Vulnerable Remember Password",
"id": "WSTG-ATHN-05",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/05-Testing_for_Vulnerable_Remember_Password",
"objectives": [
"Validate that the generated session is managed securely and do not put the user's credentials in danger."
]
}, {
"name": "Testing for Browser Cache Weaknesses",
"id": "WSTG-ATHN-06",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses",
"objectives": [
"Review if the application stores sensitive information on the client-side.",
"Review if access can occur without authorization."
]
}, {
"name": "Testing for Weak Password Policy",
"id": "WSTG-ATHN-07",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy",
"objectives": [
"Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords."
]
}, {
"name": "Testing for Weak Security Question Answer",
"id": "WSTG-ATHN-08",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer",
"objectives": [
"Determine the complexity and how straight-forward the questions are.",
"Assess possible user answers and brute force capabilities."
]
}, {
"name": "Testing for Weak Password Change or Reset Functionalities",
"id": "WSTG-ATHN-09",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities",
"objectives": [
"Determine whether the password change and reset functionality allows accounts to be compromised."
]
}, {
"name": "Testing for Weaker Authentication in Alternative Channel",
"id": "WSTG-ATHN-10",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/10-Testing_for_Weaker_Authentication_in_Alternative_Channel",
"objectives": [
"Identify alternative authentication channels.",
"Assess the security measures used and if any bypasses exists on the alternative channels."
]
}, {
"name": "Testing Multi-Factor Authentication (MFA)",
"id": "WSTG-ATHN-11",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/11-Testing_Multi-Factor_Authentication",
"objectives": [
"Identify the type of MFA used by the application.",
"Determine whether the MFA implementation is robust and secure.",
"Attempt to bypass the MFA."
]
}]
},
"Authorization Testing": {
"id": "WSTG-ATHZ",
"tests": [{
"name": "Testing Directory Traversal File Include",
"id": "WSTG-ATHZ-01",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include",
"objectives": [
"Identify injection points that pertain to path traversal.",
"Assess bypassing techniques and identify the extent of path traversal."
]
}, {
"name": "Testing for Bypassing Authorization Schema",
"id": "WSTG-ATHZ-02",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema",
"objectives": [
"Assess if horizontal or vertical access is possible."
]
}, {
"name": "Testing for Privilege Escalation",
"id": "WSTG-ATHZ-03",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation",
"objectives": [
"Identify injection points related to privilege manipulation.",
"Fuzz or otherwise attempt to bypass security measures."
]
}, {
"name": "Testing for Insecure Direct Object References",
"id": "WSTG-ATHZ-04",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References",
"objectives": [
"Identify points where object references may occur.",
"Assess the access control measures and if they're vulnerable to IDOR."
]
}, {
"name": "Testing for OAuth Weaknesses",
"id": "WSTG-ATHZ-05",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses",
"objectives": [
"Determine if OAuth2 implementation is vulnerable or using a deprecated or custom implementation."
]
}]
},
"Session Management Testing": {
"id": "WSTG-SESS",
"tests": [{
"name": "Testing for Session Management Schema",
"id": "WSTG-SESS-01",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema",
"objectives": [
"Gather session tokens, for the same user and for different users where possible.",
"Analyze and ensure that enough randomness exists to stop session forging attacks.",
"Modify cookies that are not signed and contain information that can be manipulated."
]
}, {
"name": "Testing for Cookies Attributes",
"id": "WSTG-SESS-02",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes",
"objectives": [
"Ensure that the proper security configuration is set for cookies."
]
}, {
"name": "Testing for Session Fixation",
"id": "WSTG-SESS-03",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation",
"objectives": [
"Analyze the authentication mechanism and its flow.",
"Force cookies and assess the impact."
]
}, {
"name": "Testing for Exposed Session Variables",
"id": "WSTG-SESS-04",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables",
"objectives": [
"Ensure that proper encryption is implemented.",
"Review the caching configuration.",
"Assess the channel and methods' security."
]
}, {
"name": "Testing for Cross Site Request Forgery",
"id": "WSTG-SESS-05",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery",
"objectives": [
"Determine whether it is possible to initiate requests on a user's behalf that are not initiated by the user."
]
}, {
"name": "Testing for Logout Functionality",
"id": "WSTG-SESS-06",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality",
"objectives": [
"Assess the logout UI.",
"Analyze the session timeout and if the session is properly killed after logout."
]
}, {
"name": "Testing Session Timeout",
"id": "WSTG-SESS-07",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/07-Testing_Session_Timeout",
"objectives": [
"Validate that a hard session timeout exists."
]
}, {
"name": "Testing for Session Puzzling",
"id": "WSTG-SESS-08",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/08-Testing_for_Session_Puzzling",
"objectives": [
"Identify all session variables.",
"Break the logical flow of session generation."
]
}, {
"name": "Testing for Session Hijacking",
"id": "WSTG-SESS-09",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/09-Testing_for_Session_Hijacking",
"objectives": [
"Identify vulnerable session cookies.",
"Hijack vulnerable cookies and assess the risk level."
]
}, {
"name": "Testing JSON Web Tokens",
"id": "WSTG-SESS-10",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens",
"objectives": [
"Determine whether the JWTs expose sensitive information.",
"Determine whether the JWTs can be tampered with or modified."
]
}]
},
"Input Validation Testing": {
"id": "WSTG-INPV",
"tests": [{
"name": "Testing for Reflected Cross Site Scripting",
"id": "WSTG-INPV-01",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting",
"objectives": [
"Identify variables that are reflected in responses.",
"Assess the input they accept and the encoding that gets applied on return (if any)."
]
}, {
"name": "Testing for Stored Cross Site Scripting",
"id": "WSTG-INPV-02",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting",
"objectives": [
"Identify stored input that is reflected on the client-side.",
"Assess the input they accept and the encoding that gets applied on return (if any)."
]
}, {
"name": "Testing for HTTP Verb Tampering",
"id": "WSTG-INPV-03",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering",
"objectives": [
""
]
}, {
"name": "Testing for HTTP Parameter Pollution",
"id": "WSTG-INPV-04",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution",
"objectives": [
"Identify the backend and the parsing method used.",
"Assess injection points and try bypassing input filters using HPP."
]
}, {
"name": "Testing for SQL Injection",
"id": "WSTG-INPV-05",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection",
"objectives": [
"Identify SQL injection points.",
"Assess the severity of the injection and the level of access that can be achieved through it."
]
}, {
"name": "Testing for LDAP Injection",
"id": "WSTG-INPV-06",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection",
"objectives": [
"Identify LDAP injection points.",
"Assess the severity of the injection."
]
}, {
"name": "Testing for XML Injection",
"id": "WSTG-INPV-07",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection",
"objectives": [
"Identify XML injection points.",
"Assess the types of exploits that can be attained and their severities."
]
}, {
"name": "Testing for SSI Injection",
"id": "WSTG-INPV-08",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection",
"objectives": [
"Identify SSI injection points.",
"Assess the severity of the injection."
]
}, {
"name": "Testing for XPath Injection",
"id": "WSTG-INPV-09",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection",
"objectives": [
"Identify XPATH injection points."
]
}, {
"name": "Testing for IMAP SMTP Injection",
"id": "WSTG-INPV-10",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection",
"objectives": [
"Identify IMAP/SMTP injection points.",
"Understand the data flow and deployment structure of the system.",
"Assess the injection impacts."
]
}, {
"name": "Testing for Code Injection",
"id": "WSTG-INPV-11",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection",
"objectives": [
"Identify injection points where you can inject code into the application.",
"Assess the injection severity."
]
}, {
"name": "Testing for Command Injection",
"id": "WSTG-INPV-12",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection",
"objectives": [
"Identify and assess the command injection points."
]
}, {
"name": "Testing for Buffer Overflow",
"id": "WSTG-INPV-13",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Buffer_Overflow",
"objectives": [
""
]
}, {
"name": "Testing for Format String Injection",
"id": "WSTG-INPV-13",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Format_String_Injection",
"objectives": [
"Assess whether injecting format string conversion specifiers into user-controlled fields causes undesired behavior from the application."
]
}, {
"name": "Testing for Incubated Vulnerability",
"id": "WSTG-INPV-14",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/14-Testing_for_Incubated_Vulnerability",
"objectives": [
"Identify injections that are stored and require a recall step to the stored injection.",
"Understand how a recall step could occur.",
"Set listeners or activate the recall step if possible."
]
}, {
"name": "Testing for HTTP Splitting Smuggling",
"id": "WSTG-INPV-15",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling",
"objectives": [
"Assess if the application is vulnerable to splitting, identifying what possible attacks are achievable.",
"Assess if the chain of communication is vulnerable to smuggling, identifying what possible attacks are achievable."
]
}, {
"name": "Testing for HTTP Incoming Requests",
"id": "WSTG-INPV-16",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/16-Testing_for_HTTP_Incoming_Requests",
"objectives": [
"Monitor all incoming and outgoing HTTP requests to the Web Server to inspect any suspicious requests.",
"Monitor HTTP traffic without changes of end user Browser proxy or client-side application."
]
}, {
"name": "Testing for Host Header Injection",
"id": "WSTG-INPV-17",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection",
"objectives": [
"Assess if the Host header is being parsed dynamically in the application.",
"Bypass security controls that rely on the header."
]
}, {
"name": "Testing for Server-side Template Injection",
"id": "WSTG-INPV-18",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server-side_Template_Injection",
"objectives": [
"Detect template injection vulnerability points.",
"Identify the templating engine.",
"Build the exploit."
]
}, {
"name": "Testing for Server-Side Request Forgery",
"id": "WSTG-INPV-19",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery",
"objectives": [
"Identify SSRF injection points.",
"Test if the injection points are exploitable.",
"Asses the severity of the vulnerability."
]
}, {
"name": "Testing for Mass Assignment",
"id": "WSTG-INPV-20",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/20-Testing_for_Mass_Assignment",
"objectives": [
"Identify requests that modify objects",
"Assess if it is possible to modify fields never intended to be modified from outside"
]
}]
},
"Testing for Error Handling": {
"id": "WSTG-ERRH",
"tests": [{
"name": "Testing for Improper Error Handling",
"id": "WSTG-ERRH-01",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_For_Improper_Error_Handling",
"objectives": [
"Identify existing error output.",
"Analyze the different output returned."
]
}, {
"name": "Testing for Stack Traces",
"id": "WSTG-ERRH-02",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces",
"objectives": [
""
]
}]
},
"Testing for Weak Cryptography": {
"id": "WSTG-CRYP",
"tests": [{
"name": "Testing for Weak Transport Layer Security",
"id": "WSTG-CRYP-01",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security",
"objectives": [
"Validate the service configuration.",
"Review the digital certificate's cryptographic strength and validity.",
"Ensure that the TLS security is not bypassable and is properly implemented across the application."
]
}, {
"name": "Testing for Padding Oracle",
"id": "WSTG-CRYP-02",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/02-Testing_for_Padding_Oracle",
"objectives": [
"Identify encrypted messages that rely on padding.",
"Attempt to break the padding of the encrypted messages and analyze the returned error messages for further analysis."
]
}, {
"name": "Testing for Sensitive Information Sent via Unencrypted Channels",
"id": "WSTG-CRYP-03",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels",
"objectives": [
"Identify sensitive information transmitted through the various channels.",
"Assess the privacy and security of the channels used."
]
}, {
"name": "Testing for Weak Encryption",
"id": "WSTG-CRYP-04",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption",
"objectives": [
"Provide a guideline for the identification weak encryption or hashing uses and implementations."
]
}]
},
"Business Logic Testing": {
"id": "WSTG-BUSL",
"tests": [{
"name": "Test Business Logic Data Validation",
"id": "WSTG-BUSL-01",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/01-Test_Business_Logic_Data_Validation",
"objectives": [
"Identify data injection points.",
"Validate that all checks are occurring on the backend and can't be bypassed.",
"Attempt to break the format of the expected data and analyze how the application is handling it."
]
}, {
"name": "Test Ability to Forge Requests",
"id": "WSTG-BUSL-02",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/02-Test_Ability_to_Forge_Requests",
"objectives": [
"Review the project documentation looking for guessable, predictable, or hidden functionality of fields.",
"Insert logically valid data in order to bypass normal business logic workflow."
]
}, {
"name": "Test Integrity Checks",
"id": "WSTG-BUSL-03",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks",
"objectives": [
"Review the project documentation for components of the system that move, store, or handle data.",
"Determine what type of data is logically acceptable by the component and what types the system should guard against.",
"Determine who should be allowed to modify or read that data in each component.",
"Attempt to insert, update, or delete data values used by each component that should not be allowed per the business logic workflow."
]
}, {
"name": "Test for Process Timing",
"id": "WSTG-BUSL-04",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/04-Test_for_Process_Timing",
"objectives": [
"Review the project documentation for system functionality that may be impacted by time.",
"Develop and execute misuse cases."
]
}, {
"name": "Test Number of Times a Function Can Be Used Limits",
"id": "WSTG-BUSL-05",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/05-Test_Number_of_Times_a_Function_Can_Be_Used_Limits",
"objectives": [
"Identify functions that must set limits to the times they can be called.",
"Assess if there is a logical limit set on the functions and if it is properly validated."
]
}, {
"name": "Testing for the Circumvention of Work Flows",
"id": "WSTG-BUSL-06",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/06-Testing_for_the_Circumvention_of_Work_Flows",
"objectives": [
"Review the project documentation for methods to skip or go through steps in the application process in a different order from the intended business logic flow.",
"Develop a misuse case and try to circumvent every logic flow identified."
]
}, {
"name": "Test Defenses Against Application Misuse",
"id": "WSTG-BUSL-07",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/07-Test_Defenses_Against_Application_Misuse",
"objectives": [
"Generate notes from all tests conducted against the system.",
"Review which tests had a different functionality based on aggressive input.",
"Understand the defenses in place and verify if they are enough to protect the system against bypassing techniques."
]
}, {
"name": "Test Upload of Unexpected File Types",
"id": "WSTG-BUSL-08",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types",
"objectives": [
"Review the project documentation for file types that are rejected by the system.",
"Verify that the unwelcomed file types are rejected and handled safely.",
"Verify that file batch uploads are secure and do not allow any bypass against the set security measures."
]
}, {
"name": "Test Upload of Malicious Files",
"id": "WSTG-BUSL-09",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files",
"objectives": [
"Identify the file upload functionality.",
"Review the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious.",
"If documentation is not available then consider what would be appropriate based on the purpose of the application.",
"Determine how the uploaded files are processed.",
"Obtain or create a set of malicious files for testing.",
"Try to upload the malicious files to the application and determine whether it is accepted and processed."
]
}, {
"name": "Test Payment Functionality",
"id": "WSTG-BUSL-10",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/10-Test-Payment-Functionality",
"objectives": [
"Determine whether the business logic for the e-commerce functionality is robust.",
"Understand how the payment functionality works.",
"Determine whether the payment functionality is secure."
]
}]
},
"Client-side Testing": {
"id": "WSTG-CLNT",
"tests": [{
"name": "Testing for DOM-Based Cross Site Scripting",
"id": "WSTG-CLNT-01",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting",
"objectives": [
"Identify DOM sinks.",
"Build payloads that pertain to every sink type."
]
}, {
"name": "Testing for JavaScript Execution",
"id": "WSTG-CLNT-02",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/02-Testing_for_JavaScript_Execution",
"objectives": [
"Identify sinks and possible JavaScript injection points."
]
}, {
"name": "Testing for HTML Injection",
"id": "WSTG-CLNT-03",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection",
"objectives": [
"Identify HTML injection points and assess the severity of the injected content."
]
}, {
"name": "Testing for Client-side URL Redirect",
"id": "WSTG-CLNT-04",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect",
"objectives": [
"Identify injection points that handle URLs or paths.",
"Assess the locations that the system could redirect to."
]
}, {
"name": "Testing for CSS Injection",
"id": "WSTG-CLNT-05",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/05-Testing_for_CSS_Injection",
"objectives": [
"Identify CSS injection points.",
"Assess the impact of the injection."
]
}, {
"name": "Testing for Client-side Resource Manipulation",
"id": "WSTG-CLNT-06",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/06-Testing_for_Client-side_Resource_Manipulation",
"objectives": [
"Identify sinks with weak input validation.",
"Assess the impact of the resource manipulation."
]
}, {
"name": "Testing Cross Origin Resource Sharing",
"id": "WSTG-CLNT-07",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing",
"objectives": [
"Identify endpoints that implement CORS.",
"Ensure that the CORS configuration is secure or harmless."
]
}, {
"name": "Testing for Cross Site Flashing",
"id": "WSTG-CLNT-08",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/08-Testing_for_Cross_Site_Flashing",
"objectives": [
"Decompile and analyze the application's code.",
"Assess sinks inputs and unsafe method usages."
]
}, {
"name": "Testing for Clickjacking",
"id": "WSTG-CLNT-09",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking",
"objectives": [
"Understand security measures in place.",
"Assess how strict the security measures are and if they are bypassable."
]
}, {
"name": "Testing WebSockets",
"id": "WSTG-CLNT-10",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets",
"objectives": [
"Identify the usage of WebSockets.",
"Assess its implementation by using the same tests on normal HTTP channels."
]
}, {
"name": "Testing Web Messaging",
"id": "WSTG-CLNT-11",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/11-Testing_Web_Messaging",
"objectives": [
"Assess the security of the message's origin.",
"Validate that it's using safe methods and validating its input."
]
}, {
"name": "Testing Browser Storage",
"id": "WSTG-CLNT-12",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/12-Testing_Browser_Storage",
"objectives": [
"Determine whether the website is storing sensitive data in client-side storage.",
"The code handling of the storage objects should be examined for possibilities of injection attacks, such as utilizing unvalidated input or vulnerable libraries."
]
}, {
"name": "Testing for Cross Site Script Inclusion",
"id": "WSTG-CLNT-13",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/13-Testing_for_Cross_Site_Script_Inclusion",
"objectives": [
"Locate sensitive data across the system.",
"Assess the leakage of sensitive data through various techniques."
]
}, {
"name": "Testing for Reverse Tabnabbing",
"id": "WSTG-CLNT-14",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/14-Testing_for_Reverse_Tabnabbing",
"objectives": [
""
]
}]
},
"API Testing": {
"id": "WSTG-APIT",
"tests": [{
"name": "Testing GraphQL",
"id": "WSTG-APIT-01",
"reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL",
"objectives": [
"Assess that a secure and production-ready configuration is deployed.",
"Validate all input fields against generic attacks.",
"Ensure that proper access controls are applied."
]
}]
}
}
}