OWASP: Testing Guide Checklist
Each entry lists the test ID, test name and status, followed by its objectives; the Notes column is empty for every test.

Information Gathering

WSTG-INFO-01  Conduct Search Engine Discovery Reconnaissance for Information Leakage  [Not Started]
- Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization's site) or indirectly (via third-party services).

WSTG-INFO-02  Fingerprint Web Server  [Not Started]
- Determine the version and type of a running web server to enable further discovery of any known vulnerabilities.

WSTG-INFO-03  Review Webserver Metafiles for Information Leakage  [Not Started]
- Identify hidden or obfuscated paths and functionality through the analysis of metadata files.
- Extract and map other information that could lead to a better understanding of the systems at hand.

WSTG-INFO-04  Enumerate Applications on Webserver  [Not Started]
- Enumerate the applications within the scope that exist on a web server.

WSTG-INFO-05  Review Web Page Content for Information Leakage  [Not Started]
- Review web page comments, metadata, and redirect bodies to find any information leakage.
- Gather JavaScript files and review the JS code to better understand the application and to find any information leakage.
- Identify if source map files or other frontend debug files exist.

WSTG-INFO-06  Identify Application Entry Points  [Not Started]
- Identify possible entry and injection points through request and response analysis.

WSTG-INFO-07  Map Execution Paths Through Application  [Not Started]
- Map the target application and understand the principal workflows.

WSTG-INFO-08  Fingerprint Web Application Framework  [Not Started]
- Fingerprint the components used by the web applications.

WSTG-INFO-09  Fingerprint Web Application  [Not Started]
- Objectives: N/A

WSTG-INFO-10  Map Application Architecture  [Not Started]
- Understand the architecture of the application and the technologies in use.

Configuration and Deployment Management Testing

WSTG-CONF-01  Test Network Infrastructure Configuration  [Not Started]
- Review the applications' configurations set across the network and validate that they are not vulnerable.
- Validate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials.

WSTG-CONF-02  Test Application Platform Configuration  [Not Started]
- Ensure that default and known files have been removed.
- Validate that no debugging code or extensions are left in the production environments.
- Review the logging mechanisms set in place for the application.

WSTG-CONF-03  Test File Extensions Handling for Sensitive Information  [Not Started]
- Brute force sensitive file extensions that might contain raw data such as scripts, credentials, etc.
- Validate that no system framework bypasses exist for the rules that have been set.

WSTG-CONF-04  Review Old Backup and Unreferenced Files for Sensitive Information  [Not Started]
- Find and analyze unreferenced files that might contain sensitive information.

WSTG-CONF-05  Enumerate Infrastructure and Application Admin Interfaces  [Not Started]
- Identify hidden administrator interfaces and functionality.

WSTG-CONF-06  Test HTTP Methods  [Not Started]
- Enumerate supported HTTP methods.
- Test for access control bypass.
- Test HTTP method overriding techniques.

WSTG-CONF-07  Test HTTP Strict Transport Security  [Not Started]
- Review the HSTS header and its validity.

WSTG-CONF-08  Test RIA Cross Domain Policy  [Not Started]
- Objectives: N/A

WSTG-CONF-09  Test File Permission  [Not Started]
- Review and identify any rogue file permissions.

WSTG-CONF-10  Test for Subdomain Takeover  [Not Started]
- Enumerate all possible domains (previous and current).
- Identify any forgotten or misconfigured domains.

WSTG-CONF-11  Test Cloud Storage  [Not Started]
- Assess that the access control configuration for the storage services is properly in place.

WSTG-CONF-12  Testing for Content Security Policy  [Not Started]
- Review the Content-Security-Policy header or meta element to identify misconfigurations.

WSTG-CONF-13  Test Path Confusion  [Not Started]
- Make sure application paths are configured correctly.

Identity Management Testing

WSTG-IDNT-01  Test Role Definitions  [Not Started]
- Identify and document roles used by the application.
- Attempt to switch, change, or access another role.
- Review the granularity of the roles and the needs behind the permissions given.

WSTG-IDNT-02  Test User Registration Process  [Not Started]
- Verify that the identity requirements for user registration are aligned with business and security requirements.
- Validate the registration process.

WSTG-IDNT-03  Test Account Provisioning Process  [Not Started]
- Verify which accounts may provision other accounts and of what type.

WSTG-IDNT-04  Testing for Account Enumeration and Guessable User Account  [Not Started]
- Review processes that pertain to user identification (e.g. registration, login, etc.).
- Enumerate users where possible through response analysis.

WSTG-IDNT-05  Testing for Weak or Unenforced Username Policy  [Not Started]
- Determine whether a consistent account name structure renders the application vulnerable to account enumeration.
- Determine whether the application's error messages permit account enumeration.

Authentication Testing

WSTG-ATHN-01  Testing for Credentials Transported over an Encrypted Channel  [Not Started]
- Objectives: N/A

WSTG-ATHN-02  Testing for Default Credentials  [Not Started]
- Determine whether the application has any user accounts with default passwords.
- Review whether new user accounts are created with weak or predictable passwords.

WSTG-ATHN-03  Testing for Weak Lock Out Mechanism  [Not Started]
- Evaluate the account lockout mechanism's ability to mitigate brute force password guessing.
- Evaluate the unlock mechanism's resistance to unauthorized account unlocking.

WSTG-ATHN-04  Testing for Bypassing Authentication Schema  [Not Started]
- Ensure that authentication is applied across all services that require it.

WSTG-ATHN-05  Testing for Vulnerable Remember Password  [Not Started]
- Validate that the generated session is managed securely and does not put the user's credentials in danger.

WSTG-ATHN-06  Testing for Browser Cache Weaknesses  [Not Started]
- Review if the application stores sensitive information on the client-side.
- Review if access can occur without authorization.

WSTG-ATHN-07  Testing for Weak Authentication Methods  [Not Started]
- Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords.

WSTG-ATHN-08  Testing for Weak Security Question Answer  [Not Started]
- Determine the complexity and how straightforward the questions are.
- Assess possible user answers and brute force capabilities.

WSTG-ATHN-09  Testing for Weak Password Change or Reset Functionalities  [Not Started]
- Determine whether the password change and reset functionality allows accounts to be compromised.

WSTG-ATHN-10  Testing for Weaker Authentication in Alternative Channel  [Not Started]
- Identify alternative authentication channels.
- Assess the security measures used and if any bypasses exist on the alternative channels.

WSTG-ATHN-11  Testing Multi-Factor Authentication (MFA)  [Not Started]
- Identify the type of MFA used by the application.
- Determine whether the MFA implementation is robust and secure.
- Attempt to bypass the MFA.

Authorization Testing

WSTG-ATHZ-01  Testing Directory Traversal File Include  [Not Started]
- Identify injection points that pertain to path traversal.
- Assess bypassing techniques and identify the extent of path traversal.

WSTG-ATHZ-02  Testing for Bypassing Authorization Schema  [Not Started]
- Assess if horizontal or vertical access is possible.

WSTG-ATHZ-03  Testing for Privilege Escalation  [Not Started]
- Identify injection points related to privilege manipulation.
- Fuzz or otherwise attempt to bypass security measures.

WSTG-ATHZ-04  Testing for Insecure Direct Object References  [Not Started]
- Identify points where object references may occur.
- Assess the access control measures and if they're vulnerable to IDOR.

WSTG-ATHZ-05  Testing for OAuth Weaknesses  [Not Started]
- Determine if the OAuth2 implementation is vulnerable or using a deprecated or custom implementation.

Session Management Testing

WSTG-SESS-01  Testing for Session Management Schema  [Not Started]
- Gather session tokens, for the same user and for different users where possible.
- Analyze and ensure that enough randomness exists to stop session forging attacks.
- Modify cookies that are not signed and contain information that can be manipulated.

WSTG-SESS-02  Testing for Cookies Attributes  [Not Started]
- Ensure that the proper security configuration is set for cookies.

WSTG-SESS-03  Testing for Session Fixation  [Not Started]
- Analyze the authentication mechanism and its flow.
- Force cookies and assess the impact.

WSTG-SESS-04  Testing for Exposed Session Variables  [Not Started]
- Ensure that proper encryption is implemented.
- Review the caching configuration.
- Assess the channel and methods' security.

WSTG-SESS-05  Testing for Cross Site Request Forgery  [Not Started]
- Determine whether it is possible to initiate requests on a user's behalf that are not initiated by the user.

WSTG-SESS-06  Testing for Logout Functionality  [Not Started]
- Assess the logout UI.
- Analyze the session timeout and if the session is properly killed after logout.

WSTG-SESS-07  Testing Session Timeout  [Not Started]
- Validate that a hard session timeout exists.

WSTG-SESS-08  Testing for Session Puzzling  [Not Started]
- Identify all session variables.
- Break the logical flow of session generation.

WSTG-SESS-09  Testing for Session Hijacking  [Not Started]
- Identify vulnerable session cookies.
- Hijack vulnerable cookies and assess the risk level.

WSTG-SESS-10  Testing JSON Web Tokens  [Not Started]
- Determine whether the JWTs expose sensitive information.
- Determine whether the JWTs can be tampered with or modified.

WSTG-SESS-11  Testing for Concurrent Sessions  [Not Started]
- Evaluate the application's session management by assessing the handling of multiple active sessions for a single user account.

Input Validation Testing

WSTG-INPV-01  Testing for Reflected Cross Site Scripting  [Not Started]
- Identify variables that are reflected in responses.
- Assess the input they accept and the encoding that gets applied on return (if any).

WSTG-INPV-02  Testing for Stored Cross Site Scripting  [Not Started]
- Identify stored input that is reflected on the client-side.
- Assess the input they accept and the encoding that gets applied on return (if any).

WSTG-INPV-03  Testing for HTTP Verb Tampering  [Not Started]
- Objectives: N/A

WSTG-INPV-04  Testing for HTTP Parameter Pollution  [Not Started]
- Identify the backend and the parsing method used.
- Assess injection points and try bypassing input filters using HPP.

WSTG-INPV-05  Testing for SQL Injection  [Not Started]
- Identify SQL injection points.
- Assess the severity of the injection and the level of access that can be achieved through it.

WSTG-INPV-06  Testing for LDAP Injection  [Not Started]
- Identify LDAP injection points.
- Assess the severity of the injection.

WSTG-INPV-07  Testing for XML Injection  [Not Started]
- Identify XML injection points.
- Assess the types of exploits that can be attained and their severities.

WSTG-INPV-08  Testing for SSI Injection  [Not Started]
- Identify SSI injection points.
- Assess the severity of the injection.

WSTG-INPV-09  Testing for XPath Injection  [Not Started]
- Identify XPath injection points.

WSTG-INPV-10  Testing for IMAP SMTP Injection  [Not Started]
- Identify IMAP/SMTP injection points.
- Understand the data flow and deployment structure of the system.
- Assess the injection impacts.

WSTG-INPV-11  Testing for Code Injection  [Not Started]
- Identify injection points where you can inject code into the application.
- Assess the injection severity.

WSTG-INPV-12  Testing for Command Injection  [Not Started]
- Identify and assess the command injection points.

WSTG-INPV-13  Testing for Buffer Overflow  [Not Started]
- Objectives: N/A

WSTG-INPV-13  Testing for Format String Injection  [Not Started]
- Assess whether injecting format string conversion specifiers into user-controlled fields causes undesired behavior from the application.

WSTG-INPV-14  Testing for Incubated Vulnerability  [Not Started]
- Identify injections that are stored and require a recall step to the stored injection.
- Understand how a recall step could occur.
- Set listeners or activate the recall step if possible.

WSTG-INPV-15  Testing for HTTP Splitting Smuggling  [Not Started]
- Assess if the application is vulnerable to splitting, identifying what possible attacks are achievable.
- Assess if the chain of communication is vulnerable to smuggling, identifying what possible attacks are achievable.

WSTG-INPV-16  Testing for HTTP Incoming Requests  [Not Started]
- Monitor all incoming and outgoing HTTP requests to the web server to inspect any suspicious requests.
- Monitor HTTP traffic without changes to the end user's browser proxy or client-side application.

WSTG-INPV-17  Testing for Host Header Injection  [Not Started]
- Assess if the Host header is being parsed dynamically in the application.
- Bypass security controls that rely on the header.

WSTG-INPV-18  Testing for Server-side Template Injection  [Not Started]
- Detect template injection vulnerability points.
- Identify the templating engine.
- Build the exploit.

WSTG-INPV-19  Testing for Server-Side Request Forgery  [Not Started]
- Identify SSRF injection points.
- Test if the injection points are exploitable.
- Assess the severity of the vulnerability.

WSTG-INPV-20  Testing for Mass Assignment  [Not Started]
- Identify requests that modify objects.
- Assess if it is possible to modify fields never intended to be modified from outside.

Testing for Error Handling

WSTG-ERRH-01  Testing for Improper Error Handling  [Not Started]
- Identify existing error output.
- Analyze the different output returned.

WSTG-ERRH-02  Testing for Stack Traces  [Not Started]
- Objectives: N/A

Testing for Weak Cryptography

WSTG-CRYP-01  Testing for Weak Transport Layer Security  [Not Started]
- Validate the service configuration.
- Review the digital certificate's cryptographic strength and validity.
- Ensure that the TLS security is not bypassable and is properly implemented across the application.

WSTG-CRYP-02  Testing for Padding Oracle  [Not Started]
- Identify encrypted messages that rely on padding.
- Attempt to break the padding of the encrypted messages and analyze the returned error messages for further analysis.

WSTG-CRYP-03  Testing for Sensitive Information Sent via Unencrypted Channels  [Not Started]
- Identify sensitive information transmitted through the various channels.
- Assess the privacy and security of the channels used.

WSTG-CRYP-04  Testing for Weak Encryption  [Not Started]
- Provide a guideline for the identification of weak encryption or hashing uses and implementations.

Business Logic Testing

WSTG-BUSL-01  Test Business Logic Data Validation  [Not Started]
- Identify data injection points.
- Validate that all checks are occurring on the backend and can't be bypassed.
- Attempt to break the format of the expected data and analyze how the application is handling it.

WSTG-BUSL-02  Test Ability to Forge Requests  [Not Started]
- Review the project documentation looking for guessable, predictable, or hidden functionality of fields.
- Insert logically valid data in order to bypass normal business logic workflow.

WSTG-BUSL-03  Test Integrity Checks  [Not Started]
- Review the project documentation for components of the system that move, store, or handle data.
- Determine what type of data is logically acceptable by the component and what types the system should guard against.
- Determine who should be allowed to modify or read that data in each component.
- Attempt to insert, update, or delete data values used by each component that should not be allowed per the business logic workflow.

WSTG-BUSL-04  Test for Process Timing  [Not Started]
- Review the project documentation for system functionality that may be impacted by time.
- Develop and execute misuse cases.

WSTG-BUSL-05  Test Number of Times a Function Can Be Used Limits  [Not Started]
- Identify functions that must set limits to the times they can be called.
- Assess if there is a logical limit set on the functions and if it is properly validated.

WSTG-BUSL-06  Testing for the Circumvention of Work Flows  [Not Started]
- Review the project documentation for methods to skip or go through steps in the application process in a different order from the intended business logic flow.
- Develop a misuse case and try to circumvent every logic flow identified.

WSTG-BUSL-07  Test Defenses Against Application Misuse  [Not Started]
- Generate notes from all tests conducted against the system.
- Review which tests had a different functionality based on aggressive input.
- Understand the defenses in place and verify if they are enough to protect the system against bypassing techniques.

WSTG-BUSL-08  Test Upload of Unexpected File Types  [Not Started]
- Review the project documentation for file types that are rejected by the system.
- Verify that the unwelcome file types are rejected and handled safely.
- Verify that file batch uploads are secure and do not allow any bypass against the set security measures.

WSTG-BUSL-09  Test Upload of Malicious Files  [Not Started]
- Identify the file upload functionality.
- Review the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious.
- If documentation is not available then consider what would be appropriate based on the purpose of the application.
- Determine how the uploaded files are processed.
- Obtain or create a set of malicious files for testing.
- Try to upload the malicious files to the application and determine whether it is accepted and processed.

WSTG-BUSL-10  Test Payment Functionality  [Not Started]
- Determine whether the business logic for the e-commerce functionality is robust.
- Understand how the payment functionality works.
- Determine whether the payment functionality is secure.

Client-side Testing

WSTG-CLNT-01  Testing for DOM-Based Cross Site Scripting  [Not Started]
- Identify DOM sinks.
- Build payloads that pertain to every sink type.

WSTG-CLNT-02  Testing for JavaScript Execution  [Not Started]
- Identify sinks and possible JavaScript injection points.

WSTG-CLNT-03  Testing for HTML Injection  [Not Started]
- Identify HTML injection points and assess the severity of the injected content.

WSTG-CLNT-04  Testing for Client-side URL Redirect  [Not Started]
- Identify injection points that handle URLs or paths.
- Assess the locations that the system could redirect to.

WSTG-CLNT-05  Testing for CSS Injection  [Not Started]
- Identify CSS injection points.
- Assess the impact of the injection.

WSTG-CLNT-06  Testing for Client-side Resource Manipulation  [Not Started]
- Identify sinks with weak input validation.
- Assess the impact of the resource manipulation.

WSTG-CLNT-07  Testing Cross Origin Resource Sharing  [Not Started]
- Identify endpoints that implement CORS.
- Ensure that the CORS configuration is secure or harmless.

WSTG-CLNT-08  Testing for Cross Site Flashing  [Not Started]
- Decompile and analyze the application's code.
- Assess sink inputs and unsafe method usages.

WSTG-CLNT-09  Testing for Clickjacking  [Not Started]
- Assess application vulnerability to clickjacking attacks.

WSTG-CLNT-10  Testing WebSockets  [Not Started]
- Identify the usage of WebSockets.
- Assess its implementation by using the same tests on normal HTTP channels.

WSTG-CLNT-11  Testing Web Messaging  [Not Started]
- Assess the security of the message's origin.
- Validate that it's using safe methods and validating its input.

WSTG-CLNT-12  Testing Browser Storage  [Not Started]
- Determine whether the website is storing sensitive data in client-side storage.
- The code handling of the storage objects should be examined for possibilities of injection attacks, such as utilizing unvalidated input or vulnerable libraries.

WSTG-CLNT-13  Testing for Cross Site Script Inclusion  [Not Started]
- Locate sensitive data across the system.
- Assess the leakage of sensitive data through various techniques.

WSTG-CLNT-14  Testing for Reverse Tabnabbing  [Not Started]
- Objectives: N/A

API Testing

WSTG-APIT-01  API Reconnaissance  [Not Started]
- Find all API endpoints supported by the backend server code, documented or undocumented.
- Find all parameters for each endpoint supported by the backend server, documented or undocumented.
- Discover interesting data related to APIs in HTML and JavaScript sent to clients.

WSTG-APIT-99  Testing GraphQL  [Not Started]
- Assess that a secure and production-ready configuration is deployed.
- Validate all input fields against generic attacks.
- Ensure that proper access controls are applied.
OWASP: Summary Findings

Nº | OTG | Vulnerability Name | Affected Host/Path | Impact | Likelihood | Risk | Observation/Implication | Recommendation | Test Evidence
1 | WSTG-INFO-02 | Fingerprint Web Server | www.example.com/news.php (id,page) | High | Moderate | High | | | xxx-1
2 | WSTG-INFO-02 | Conduct Search Engine Discovery Reconnaissance for Information Leakage | www.example.com/news.php (id,page) | High | Moderate | High | | |
3 | WSTG-INFO-02 | Conduct Search Engine Discovery Reconnaissance for Information Leakage | www.example.com/news.php (id,page) | High | Moderate | High | | |
OWASP: Risk Assessment Calculator

Likelihood factors (selected option and its value)

Threat Agent Factors
- Skills required: Some technical skills [3] = 3
- Motive: Possible reward [4] = 4
- Opportunity: Full access or expensive resources required [0] = 0
- Population Size: System Administrators [2] = 2

Vulnerability Factors
- Ease of Discovery: Practically impossible [1] = 1
- Ease of Exploit: Easy [5] = 5
- Awareness: Hidden [4] = 4
- Intrusion Detection: Logged and reviewed [3] = 3

Likelihood score: 2.75

Impact factors (selected option and its value)

Technical Impact Factors
- Loss of confidentiality: Minimal non-sensitive data disclosed [2] = 2
- Loss of Integrity: All data totally corrupt [9] = 9
- Loss of Availability: Minimal secondary services interrupted [1] = 1
- Loss of Accountability: Not Applicable [0] = 0

Business Impact Factors
- Financial damage: Minor effect on annual profit [3] = 3
- Reputation damage: Loss of major accounts [4] = 4
- Non-Compliance: Clear violation [5] = 5
- Privacy violation: One individual [3] = 3

Impact score: 3.375

Overall Risk Severity: Low

Risk matrix (rows: likelihood, columns: impact). The selection marked on the sheet is the Low likelihood row and the Moderate impact column, giving Low:

Likelihood \ Impact | Low | Moderate | High
Low | Note | Low | Moderate
Moderate | Low | Moderate | High
High | Moderate | High | Critical

Factor options (value in brackets)

Threat agent factors
- Skills required: Not Applicable [0]; No technical skills [1]; Some technical skills [3]; Advanced computer user [5]; Network and programming skills [6]; Security penetration skills [9]
- Motive: Not Applicable [0]; Low or no reward [1]; Possible reward [4]; High reward [9]
- Opportunity: Full access or expensive resources required [0]; Special access or resources required [4]; Some access or resources required [7]; No access or resources required [9]
- Population Size: Not Applicable [0]; System Administrators [2]; Intranet Users [4]; Partners [5]; Authenticated users [6]; Anonymous Internet users [9]

Vulnerability factors
- Ease of Discovery: Not Applicable [0]; Practically impossible [1]; Difficult [3]; Easy [7]; Automated tools available [9]
- Ease of Exploit: Not Applicable [0]; Theoretical [1]; Difficult [3]; Easy [5]; Automated tools available [9]
- Awareness: Not Applicable [0]; Unknown [1]; Hidden [4]; Obvious [6]; Public knowledge [9]
- Intrusion Detection: Not Applicable [0]; Active detection in application [1]; Logged and reviewed [3]; Logged without review [8]; Not logged [9]

Technical impact factors
- Loss of confidentiality: Not Applicable [0]; Minimal non-sensitive data disclosed [2]; Extensive non-sensitive data disclosed [6]; Extensive critical data disclosed [7]; All data disclosed [9]
- Loss of Integrity: Not Applicable [0]; Minimal slightly corrupt data [1]; Minimal seriously corrupt data [3]; Extensive slightly corrupt data [5]; Extensive seriously corrupt data [7]; All data totally corrupt [9]
- Loss of Availability: Not Applicable [0]; Minimal secondary services interrupted [1]; Minimal primary services interrupted [5]; Extensive primary services interrupted [7]; All services completely lost [9]
- Loss of Accountability: Not Applicable [0]; Attack fully traceable to individual [1]; Attack possibly traceable to individual [7]; Attack completely anonymous [9]

Business impact factors
- Financial damage: Not Applicable [0]; Damage costs less than to fix the issue [1]; Minor effect on annual profit [3]; Significant effect on annual profit [7]; Bankruptcy [9]
- Reputation damage: Not Applicable [0]; Minimal damage [1]; Loss of major accounts [4]; Loss of goodwill [5]; Brand damage [9]
- Non-Compliance: Not Applicable [0]; Minor violation [2]; Clear violation [5]; High profile violation [7]
- Privacy violation: Not Applicable [0]; One individual [3]; Hundreds of people [5]; Thousands of people [7]; Millions of people [9]
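The scoring rule the calculator sheet applies, as an added example (not OWASP's or the checklist's own code): likelihood and impact are each the mean of their eight factor values, bucketed with the OWASP Risk Rating thresholds (below 3 Low, below 6 Moderate, otherwise High) and looked up in the likelihood/impact matrix above. The snake_case factor names are assumptions; fed the sheet's selections it reproduces 2.75, 3.375 and an overall severity of Low.

```python
"""OWASP-style risk rating as used by the calculator sheet (added example, not OWASP code)."""
from __future__ import annotations

# Factor names are assumptions (snake_case forms of the sheet's labels).
LIKELIHOOD_FACTORS = (
    "skills_required", "motive", "opportunity", "population_size",            # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",                          # technical
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",  # business
)

# Rows are likelihood levels, columns are impact levels, exactly as in the sheet's matrix.
RISK_MATRIX = {
    "Low":      {"Low": "Note",     "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "Critical"},
}


def level(score: float) -> str:
    """Bucket a 0-9 score with the OWASP Risk Rating thresholds: <3 Low, <6 Moderate, else High."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    if score < 3:
        return "Low"
    if score < 6:
        return "Moderate"
    return "High"


def factor_average(selected: dict[str, int], required: tuple[str, ...]) -> float:
    """Mean of the selected factor values; every factor must be present and an integer in 0..9."""
    missing = [name for name in required if name not in selected]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    for name in required:
        value = selected[name]
        if not isinstance(value, int) or not 0 <= value <= 9:
            raise ValueError(f"{name}={value!r} is not an integer in 0..9")
    return sum(selected[name] for name in required) / len(required)


def rate_risk(likelihood: dict[str, int], impact: dict[str, int]) -> dict[str, object]:
    """Compute both scores, bucket them, and read the overall severity from the matrix."""
    l_score = factor_average(likelihood, LIKELIHOOD_FACTORS)
    i_score = factor_average(impact, IMPACT_FACTORS)
    l_level, i_level = level(l_score), level(i_score)
    return {
        "likelihood_score": l_score, "likelihood": l_level,
        "impact_score": i_score, "impact": i_level,
        "overall": RISK_MATRIX[l_level][i_level],
    }


# The selections shown on the calculator sheet above.
SHEET_LIKELIHOOD = {
    "skills_required": 3, "motive": 4, "opportunity": 0, "population_size": 2,
    "ease_of_discovery": 1, "ease_of_exploit": 5, "awareness": 4, "intrusion_detection": 3,
}
SHEET_IMPACT = {
    "loss_of_confidentiality": 2, "loss_of_integrity": 9,
    "loss_of_availability": 1, "loss_of_accountability": 0,
    "financial_damage": 3, "reputation_damage": 4, "non_compliance": 5, "privacy_violation": 3,
}

if __name__ == "__main__":
    result = rate_risk(SHEET_LIKELIHOOD, SHEET_IMPACT)
    print(f"likelihood {result['likelihood_score']} ({result['likelihood']}), "
          f"impact {result['impact_score']} ({result['impact']}), overall {result['overall']}")
```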