OWASP: Testing Guide v4.

2 Checklist
Testing Guide

1. Information Test Name

Gathering
WSTG-INFO-01 Conduct Search Engine Discovery Reconnaissance
WSTG-INFO-02 for Information
Fingerprint WebLeakage
Server
WSTG-INFO-03 Review Webserver Metafiles for Information Leakage
WSTG-INFO-04 Enumerate Applications on Webserver
WSTG-INFO-05 Review Webpage Content for Information Leakage
WSTG-INFO-06 Identify application entry points
WSTG-INFO-07 Map execution paths through application
WSTG-INFO-08 Fingerprint Web Application Framework
WSTG-INFO-09 Fingerprint Web Application
WSTG-INFO-10 Map Application Architecture

2. Configuration and Test Name

Deploy Management
WSTG-CONF-01 Test Network Infrastructure Configuration
Testing
WSTG-CONF-02 Test Application Platform Configuration
WSTG-CONF-03 Test File Extensions Handling for Sensitive
WSTG-CONF-04 Information
Review Old Backup and Unreferenced Files for
WSTG-CONF-05 Sensitive Information
Enumerate Infrastructure and Application Admin
WSTG-CONF-06 Interfaces
Test HTTP Methods
WSTG-CONF-07 Test HTTP Strict Transport Security
WSTG-CONF-08 Test RIA cross domain policy
WSTG-CONF-09 Test File Permission
WSTG-CONF-10 Test for Subdomain Takeover
WSTG-CONF-11 Test Cloud Storage

3. Identity Management Test Name

Testing
WSTG-IDNT-01 Test Role Definitions
WSTG-IDNT-02 Test User Registration Process
WSTG-IDNT-03 Test Account Provisioning Process
WSTG-IDNT-04 Testing for Account Enumeration and Guessable
WSTG-IDNT-05 User Account
Testing for Weak or unenforced username policy

4. Authentication Test Name

Testing
WSTG-ATHN-01 Testing for Credentials Transported over an
WSTG-ATHN-02 Encrypted
Testing for Channel
Default Credentials
WSTG-ATHN-03 Testing for Weak Lock Out Mechanism
WSTG-ATHN-04 Testing for Bypassing Authentication Schema
WSTG-ATHN-05 Testing for Vulnerable Remember Password
WSTG-ATHN-06 Testing for Browser Cache Weaknesses
WSTG-ATHN-07 Testing for Weak Password Policy
WSTG-ATHN-08 Testing for Weak Security Question Answer
WSTG-ATHN-09 Testing for Weak Password Change or Reset
WSTG-ATHN-10 Functionalities
Testing for Weaker Authentication in Alternative
Channel
5. Authorization Test Name
Testing
WSTG-ATHZ-01 Testing Directory Traversal File Include
WSTG-ATHZ-02 Testing for Bypassing Authorization Schema
WSTG-ATHZ-03 Testing for Privilege Escalation
WSTG-ATHZ-04 Testing for Insecure Direct Object References

6. Session Test Name

Management Testing
WSTG-SESS-01 Testing for Session Management Schema
WSTG-SESS-02 Testing for Cookies Attributes
WSTG-SESS-03 Testing for Session Fixation
WSTG-SESS-04 Testing for Exposed Session Variables
WSTG-SESS-05 Testing for Cross Site Request Forgery (CSRF)
WSTG-SESS-06 Testing for Logout Functionality
WSTG-SESS-07 Testing Session Timeout
WSTG-SESS-08 Testing for Session Puzzling (Session Variable
WSTG-SESS-09 Overloading)
Testing for Session Hijacking

7. Data Validation Test Name

Testing
WSTG-INPV-01 Testing for Reflected Cross Site Scripting
WSTG-INPV-02 Testing for Stored Cross Site Scripting
WSTG-INPV-03 Testing for HTTP Verb Tampering
WSTG-INPV-04 Testing for HTTP Parameter Pollution
WSTG-INPV-05 Testing for SQL Injection
WSTG-INPV-06 Testing for LDAP Injection
WSTG-INPV-07 Testing for XML Injection
WSTG-INPV-08 Testing for SSI Injection
WSTG-INPV-09 Testing for XPath Injection
WSTG-INPV-10 Testing for IMAP SMTP Injection
WSTG-INPV-11 Testing for Code Injection
WSTG-INPV-12 Testing for Command Injection
WSTG-INPV-13 Testing for Format String Injection
WSTG-INPV-14 Testing for Incubated Vulnerability
WSTG-INPV-15 Testing for HTTP Splitting Smuggling
WSTG-INPV-16 Testing for HTTP Incoming Requests
WSTG-INPV-17 Testing for Host Header Injection
WSTG-INPV-18 Testing for Server-side Template Injection
WSTG-INPV-19 Testing for Server-Side Request Forgery

8. Error Handling Test Name

WSTG-ERRH-01 Testing for Improper Error Handling
WSTG-ERRH-02 Testing for Stack Traces

9. Cryptography Test Name

WSTG-CRYP-01 Testing for Weak Transport Layer Security
WSTG-CRYP-02 Testing for Padding Oracle
WSTG-CRYP-03 Testing for Sensitive Information Sent via
WSTG-CRYP-04 Unencrypted Channels
Testing for Weak Encryption

10. Business logic Test Name

Testing
WSTG-BUSL-01 Test Bisuiness Logic data
WSTG-BUSL-02 Test Ability to Forge Requests
WSTG-BUSL-03 Test Integrity Checks
WSTG-BUSL-04 Test for Process Timing
WSTG-BUSL-05 Test Number of Times a Function Can be Used Limits
WSTG-BUSL-06 Testing for the Circumvention of Work Flows
WSTG-BUSL-07 Test Defences Against Application Mis-use
WSTG-BUSL-08 Test Upload of Unexpected File Types
WSTG-BUSL-09 Test Upload of Malicious Files

11. Client Side Testing Test Name

WSTG-CLNT-01 Testing for DOM-Based Cross Site Scripting
WSTG-CLNT-02 Testing for JavaScript Execution
WSTG-CLNT-03 Testing for HTML Injection
WSTG-CLNT-04 Testing for Client Side URL Redirect
WSTG-CLNT-05 Testing for CSS Injection
WSTG-CLNT-06 Testing for Client Side Resource Manipulation
WSTG-CLNT-07 Test Cross Origin Resource Sharing
WSTG-CLNT-08 Testing for Cross Site Flashing
WSTG-CLNT-09 Testing for Clickjacking
WSTG-CLNT-10 Testing WebSockets
WSTG-CLNT-11 Test Web Messaging
WSTG-CLNT-12 Testing Browser Storage
WSTG-CLNT-13 Testing for Cross Site Script Inclusion (XSSI)

12. API Testing Test Name

WSTG-APIT-01 Testing GraphQL

13. Additional Checks Test Name

ADD-01 Microsoft IIS
ADD-02 Potentially vulnerable JavaScript library in use
ADD-03 Missing/misconfigured security headers
ADD-04 CSV Injection
ADD-05 MFA tests
ADD-06 Possible tab nabbing

Not Started
Pass
Issues
N/A
Objectives
- Identify what sensitive design and configuration
-information Determineof thethe application,
version and typesystem, or organization
of a running web
isIdentify
-server exposed directly
to hidden
enable (on
further
or the organization's
discovery
obfuscated pathsof any website)
andknown or
functionality
indirectly
vulnerabilities.
-through Enumerate (viaanalysis
the third-party
the services).
of metadata
applications files.
within scope that exist on
-a Review web server.
webpage comments and metadata to find
-any information
Identify possible leakage.
entry and injection points through
-request Map the and response
target analysis.
application and understand the
-principal workflows.
Fingerprint the components being used by the web
applications.
Merged into Fingerprint Web Application Framework.
- Generate a map of the application at hand based on
the research conducted.
Objectives
- Review the applications' configurations set across the
-network Ensureandthatvalidate
defaultsthat andthey
known arefiles
not have
vulnerable.
been
removed.
- Dirbust sensitive file extensions, or extensions that
-might Find contain
and analyse raw data (*e.g.* scripts,
unreferenced raw might
files that data,
credentials,
-contain etc.).administrator
Identifysensitive
hidden information. interfaces and
functionality.
- Enumerate supported HTTP methods.
- Review the HSTS header and its validity.
- Review and validate the policy files.
- Review and identify any rogue file permissions.
- Enumerate all possible domains (previous and
current).
- Assess that the access control configuration for the
storage services is properly in place.
Objectives
- Identify and document roles used by the application.
- Verify that the identity requirements for user
-registrationVerify which areaccounts
aligned withmay business
provisionand othersecurity
accounts
requirements.
-and of what
Review type. that pertain to user identification
processes
-(*e.g.* registration,
Determine whetherlogin, etc.).
a consistent account name
structure renders the application vulnerable to account
enumeration.
Objectives
- Assess whether any use case of the web site or
application causes
Enumerate the server
the applications forordefault
the client to exchange
credentials and
credentials
-validate Evaluate without
if they
the encryption.
still exist.
account lockout mechanism's ability to
-mitigateEnsurebrute force password
that authentication is guessing.-
applied acrossEvaluate
all the
unlock
-services mechanism's
Validate that
thatrequire resistance
it.
the generated to unauthorized
session is managed
accountReviewunlocking.
-securely and
if thedoapplication
not put thestores
user'ssensitive
credentials in
information
danger.
-on the client the
Determine side.resistance of the application against
-brute force password
Determine the complexityguessingand using available
how straight-forward
password
-the questions
Determine dictionaries
theare. by evaluating
resistance the length,
of the application to
complexity,
-subversion reuse,
of and
the account
Identify alternative aging requirements
change
authentication process
channels. of
allowing
someone to change the password of an account.
Objectives
- Identify injection points that pertain to path traversal.
- Assess if horizontal or vertical access is possible.
- Identify injection points related to privilege
manipulation.
- Identify points where object references may occur.

Objectives
- Gather session tokens, for the same user and for
-different
Ensure users where
that the possible.
proper security configuration is set for
cookies.
- Analyse the authentication mechanism and its flow.
- Force cookies and assess the impact.
- Ensure that proper encryption is implemented.
- Determine whether it is possible to initiate requests
-on a user's
Assess thebehalf
logoutthat
UI. are not initiated by the user.
- Validate that a hard session timeout exists.
- Identify all session variables.
- Identify vulnerable session cookies.

Objectives
- Identify variables that are reflected in responses.
- Identify stored input that is reflected on the client-
side.
Merged into WSTG-CONF-06
- Identify the backend and the parsing method used.
- Identify SQL injection points.
- Identify LDAP injection points.
- Identify XML injection points.
- Identify SSI injection points.
- Identify XPATH injection points.
- Identify IMAP/SMTP injection points.
- Identify injection points where you can inject code
into
- Identifythe application.
and assess the command injection points.
- Assess whether injecting format string conversion
-specifiers into user-controlled
Identify injections fieldsand
that are stored causes undesired
require a recall
behaviour
-step if from
to the
Assess stored
the theinjection.
application.
application is vulnerable to splitting,
-identifying
Monitor allwhat possible
incoming andattacks
outgoingareHTTP
achievable.
requests to
-the Web Server
Assess if the Hostto inspect
headerany suspicious
is being parsedrequests.
-dynamically
Detect templatein theinjection
application.
vulnerability points.
- Identify SSRF injection points.

Objectives
- Identify existing error output.
Merged into WSTG-ERRH-01

Objectives
- Validate the service configuration.
- Identify encrypted messages that rely on padding.-
-Attempt Identifytosensitive
break the padding oftransmitted
information the encryptedthrough the
messages
-various aand
Providechannels. analyse
guideline forthe
thereturned error weak
identification messages
for
encryption further analysis.
or hashing uses and implementations.
Objectives
- Identify data injection points.
- Review the project documentation looking for
-guessable,
Review thepredictable, or hidden functionality
project documentation for componentsof fields.
of
-the system
Review thethat move,
project store, or handle
documentation for data.
system
-functionality that may
Identify functions thatbemustimpacted by time.
set limits to the times they
-can be called.
Review the project documentation for methods to skip
-orGenerate
go through steps
notes from in the application
all tests conductedprocess in a the
against
-different
Revieworder
system. from the
the project intended business
documentation for file logic
typesflow.
that
-are rejected
Identify the by
filethe system.
upload functionality.

Objectives
- Identify DOM sinks.
Merged into Testing for DOM-Based Cross Site
Scripting.
- Identify HTML injection points and assess the
-severity
Identifyofinjection
the injected
pointscontent.
that handle URLs or paths.
- Identify CSS injection points.
- Identify sinks with weak input validation.
- Identify endpoints that implement CORS.
- Decompile and analyse the application's code.
- Understand security measures in place.
- Identify the usage of WebSockets.
- Assess the security of the message's origin.
- Determine whether the website is storing sensitive
-data in client-side
Locate storage.
sensitive data across the system.

Objectives
- Assess that a secure and production-ready
configuration is deployed.
Objectives
Microsoft IIS Tilde Short Name Disclosure
- Ensure only up-to-date JavaScript libraries are in use.
- Strict-Transport-Security
CSV Injection, also known as Formula Injection, occurs
when websites
Additional embedforuntrusted
test cases input
multi-factor inside CSV files.
authentication.
Reverse tab nabbing is an attack where a page linked
from the target page is able to rewrite that page, for
example to replace it with a phishing site. As the user
was originally on the correct page they are less likely
Approach Status
N/A N/A
- Check Server, ETag headers in response Issues
- Check <META> tags Pass
N/A N/A
- Check webpage comments and JavaScript codes for sensitive Pass
information:
- Set up and start a tool to capture traffic. Look for sensitive data Pass
-inmap
the captured
the targettraffic.
application using automatic spidering Pass
Find the type of web application framework/CMS from Pass
N/A N/A
N/A N/A

Approach Status
N/A N/A
- Check webpage comments for debugging code Pass
- Forced Browsing- find important file information - check for: (asa,Pass
inc, .config, sql, zip, tar, pdf, txt, etc) - refer to https://file
Inference from the Naming Scheme Used for Published Content Pass
- Directory & file enumeration, comments & links in source Pass
Identify HTTP allowed methods on web server with OPTIONS Pass
Check server response using: Issues
Testing for RIA Policy Files Weakness N/A
N/A N/A
N/A N/A
2.11 Test Cloud Storage N/A

Approach Status
- Identify all the in-scope application roles: Issues
- check if the same identity register multiple times N/A
- determine which roles are able to provision users and what Issues
sort of accounts
Check for genericthey can
login provision
error statement: Issues
- check the structure of account names. N/A

Approach Status
- Verify that all credential exchange occurred using HTTPS (and Issues
not HTTP):
Test for default credentials of common applications Pass
Check lockout mechanism Issues
Direct access protected page using address bar Issues
Check: N/A
Check browser history issue by clicking "back" button after Pass
loggingfor
Check out.
password complexity requirements Pass
Test the pre-generated questions. N/A
- Check if users can change or reset passwords for accounts N/A
that
N/A does not belong to them. N/A

Approach Status
- check for unusual file extensions Pass
Horizontal access: "lateral movement attacks" Pass
Change some param groupid=2 to groupid=1 Pass
Force changing parameter value (?username=LIM001 -> Pass
username=LIM003)
Approach Status
-Check for predictable session tokens Pass
-Check for secure attribute N/A
-Check that cookie is being renewed after a successful Pass
authentication
-Encryption & Reuse of session token vulnerabilities Pass
-Check if session management relies only on client-side Pass
-Check and ensure for visibility of log out function Issues
-Check if session timeout is set Pass
N/A Pass
-Check for sites without HSTS adoption Issues

Approach Status
-Detect Input Vectors(determine all user-defined variables) Pass
-Input forms Pass
N/A N/A
-Server-Side HPP Pass
-Detection Techniques: Issues
-Search Filters: N/A
-Insert XML metacharacters N/A
-Inject SSI directives as user input to test for SSI exploit Pass
-Check if application properly filter user input N/A
-Identifying Vulnerable Parameters: N/A
-Black-Box Testing Pass
-Append pipe symbol to end of filename Pass
-Use static analysis tool to find format string vulnerabilities in N/A
code or for
-Check binaries
allowed content type uploaded on web application Pass
and resultant
-Black-Box URL for uploaded file
Testing: Pass
N/A N/A
-Check for invalid input injected via host header Pass
-Check text or code context for SSTI vulnerabilities Pass
-Check for local and remote file inclusion Pass

Approach Status
-Check for errors Issues
N/A N/A

Approach Status
-Server Configuration: N/A
-Black-Box Testing: N/A
-Check that information is transmitted over HTTPS instead of Issues
HTTP
-Initialization Vector needs to be random and unpredictable Pass
when using AES128 or AES256
Approach Status
-Check for data entry point or hand off points between systems Issues
or software
-Check for guessable values Issues
-Look for hidden fields with proxy to capture HTTP traffic Issues
N/A N/A
-Look for functions or features in the application or software that Issues
shouldfor
-Look notmethods
be executed more
that skip orthan
go toa steps
singleintime
the or specific times
application Issues
during note
process
-Take business logic order
in aofdifferent
measures workflow
thatfrom
maythe intended
indicate the business work
application has in- Issues
flow self-defence:
built
-Study the application requirements and look out for files that Pass
are notshells:
-Web approved by application Pass

Approach Status
Insert data into JavaScript. E.g. (var data = "<escaped data from the N/Aserver>";)Followed by executing JavaScript. The mes
N/A N/A
Identify HTML code injecting points. Inject HTML codes Pass
Identify if there are client side redirections. If there are no form N/A
of encoding
Identify applied,
possible CSSit injection
is an implication that CSS
points, craft attackers
codescould
and Pass
redirect
Look outvictims
inject. to malicious
for weak site. E.g.
input validations (http://www.victim.site/?
thoroughly, client side scripts Pass
#www.malicious.site)
-that
Usehandles associated
Burp active scan URLs should also be investigated for Pass
potential
N/A issues. N/A
- Use Burp active scan Pass
- Identify applications that are using WebSockets. N/A
Analyse the codes and look out for insecure methods, where N/A
data is being
Browser evaluated
-> F12 via eval()
-> Application or inserted into the DOM via
-> Storage Issues
the innerHTML
Using property,
authenticated user which maydetermine
sessions, create DOM-based XSS
which endpoints N/A
vulnerabilities.
are responsible for sending sensitive data, what parameters are
necessary,
Approach and all relevant dynamically and statically produced Status
JavaScript answers.
Burp Extension: GraphQL Raider N/A

Approach Status
Burp Extension: IIS Tilde Enumeration Scanner N/A
Burp Extension: Active Scan++ Pass
Burp Extension: Active Scan++Reference: https://owasp.org/www-project-secure-headers/
Issues
Testing strings: N/A
# Check if the OTP length is too short, e.g. 4 digits only N/A
Look for the 'target="_blank"' within anchor tag in the HTTP Not Started
response.
Notes <Tester name> Finding ID
N/A N/A
The web apps display nginx version in http W02
header
- No hidden file / Directory was found and/or
accesible
N/A from unauth access N/A
No Harcoded Issue Was Found is Clientside
code

N/A N/A
N/A N/A

Notes Finding ID
N/A N/A
no sensitive data on comments
No sensitive file disclosed
no special directory found
no vuln detected using nmap & nessus

STS is not implemented

N/A N/A
N/A N/A

Notes Finding ID
user role is not checked in session, because of
that tester
Cannot can assign the role as long as tester
Register
know user
Each the navigation
cannot domenu.
self approve, but a security
flaw made itEnumeration
Username possible W03

Notes Finding ID
Using HTTP W01
No Default Credential
Bypass with change response body W06
Some URL especially data access using get, W05
can be accessed without any credentials
no cache store when logout
password policy is paramterized and met the
standard owasp
No Question Answer in web apps
No Password Reset Feature in web Application
N/A N/A

Notes Finding ID
All Parameters arent vulnerable to path
traversal. Checked
Bypassing by Burpsuite
Authorization SchemaIntruder with
are vulnerable
-Windows
EscalationLFI Payload
session validation
is not fromimplemented
is not
possible JHADIX validation
- parameter properly.
is implemented with session verification

Notes Finding ID
Web application cannot sign in on different Not reportable
browser at the
session use same
local time
storage
session identifier using bearer token
session randomized

token value can be reuse after logout

session timeout is implemented
session randomized N/A
session transmitted in url in load system

Notes Finding ID
Sanitization/Encoding of input across application is implemented on both client and server side within applicatio
Sanitization/Encoding of input across application is implemented on both client and server side within applicatio
N/A
Additional checks performed on chatbot functionality, stripping of unsafe characters are performed.
website takechecks
Additional last parameter to append.
performed on chatbot functionality, stripping of unsafe characters are performed.
SQLi found on pkinfo, and getqueryparam result W04
data leak Used for auth
NO LDAP
No XML Used for Request
Not Vulnerable to SSI
Application is use json as request and response

command payload is not executed

command payload is not executed

no possble incubated found

server not vuln to http smuggling
N/A N/A
Not vulnerbale to Host Header Injection
No Templated Rendered and executed
Not Vulnerable to SSRF And Blind SSRF

Notes Finding ID
Default forbidden page W08
N/A N/A

Notes Finding ID
web app not using HTTPS
test on cookies, cookie value is not compatible
with
usingpadding,
HTTP tool used: padbuster. W01
password encyption saved in db found to be
bycrypt
Notes Finding ID
follow up on bac vulnerabilites W07,W09
follow up on bac vulnerabilites W07,W09
follow up on bac vulnerabilites W07,W09
N/A N/A
follow up on bypass lockout W06
follow up on bypass lockout, and bac, and W05,W07,W09
forcebrowse
follow up on bac impersonate user
Failed to Upload unexpexcted file (php,js)
Failed to Upload Injected xlsx

Notes Finding ID

N/A N/A
html code is not executed

clnt 03
not reflected in response
not reflected in response
N/A N/A
X-Frame-Options: DENY for this website

sensitive data is found. password and another

user value

Notes Finding ID
Not Using GraphQL

Notes Finding ID
webserver is using nginx

Missing STS & CSP

authentication not using MFA

Finding Description References (evidence/outputs)
N/A N/A

N/A N/A

N/A N/A
N/A N/A

Finding Description References (evidence/outputs)

N/A N/A

N/A N/A
N/A N/A

Finding Description References (evidence/outputs)

Finding Description References

N/A N/A

Finding Description References (evidence/outputs)

Finding Description References (evidence/outputs)

 N/A N/A

Notes References (evidence/outputs)

plemented on both client and server side within application functions.
plemented on both client and server side within application functions.
tripping of unsafe characters are performed. N/A
tripping of unsafe characters are performed.

N/A N/A

Notes References (evidence/outputs)

N/A N/A

Notes References (evidence/outputs)

Notes References (evidence/outputs)

N/A N/A

Notes References (evidence/outputs)

N/A N/A

N/A N/A
Notes References (evidence/outputs)

Notes References (evidence/outputs)

Follow Up Review Comments Follow Up References
N/A N/A

N/A N/A

N/A N/A
N/A N/A

Follow Up Review Comments Follow Up References

N/A N/A

N/A N/A
N/A N/A

Follow Up Review Comments Follow Up References

Follow Up Review Comments Follow Up References

N/A N/A

Follow Up Review Comments Follow Up References

Follow Up Review Comments Follow Up References

N/A N/A

Follow Up Review Comments Follow Up References

N/A N/A

N/A N/A

Follow Up Review Comments Follow Up References

N/A N/A

Follow Up Review Comments Follow Up References

Follow Up Review Comments Follow Up References

N/A N/A

Follow Up Review Comments Follow Up References

N/A N/A

N/A N/A
Follow Up Review Comments Follow Up References

Follow Up Review Comments Follow Up References

Recommended Burp Extensions
# Extensions
1 Active Scan++
2 Additional Scanner Checks
3 J2EEScan
4 Java Deserialization Scanner
5 Log4Shell Scanner
6 SSL Scanner
7 CSRF Scanner
8 Param Miner
9 DOM Invader
10 IIS Tilde Enumeration Scanner
11 Retire.js
12 Autorize
13 Detect Dynamic JS
14 Upload Scanner
15 Autowasp
16 Backslash Powered Scanner
17 403 Bypasser
18
19
20
Version Changes
1.1 Initial release
1.2 Added Testing Approach
1.3 Added References column
Updated section 11. Client Side Testing
1.4
Corrected
Added gobuster
finding command
and follow up review columns
1.5
Updated SSI, XPATH, SST injection
1.6 Additional test cases from Shantanu