OWASP: Spurtcommerce Security

Identity
Management Test Name
Testing

WSTG-IDNT-01 Test Role Definitions

WSTG-IDNT-02 Test User Registration Process

WSTG-IDNT-03 Test Account Provisioning Process

Testing for Account Enumeration and Guessable

WSTG-IDNT-04
User Account

WSTG-IDNT-05 Testing for Weak or unenforced username policy

Authentication
Test Name
Testing

Testing for Credentials Transported over an

WSTG-ATHN-01
Encrypted Channel

WSTG-ATHN-02 Testing for Default Credentials

WSTG-ATHN-03 Testing for Weak Lock Out Mechanism

WSTG-ATHN-04 Testing for Bypassing Authentication Schema

WSTG-ATHN-05 Testing for Vulnerable Remember Password

WSTG-ATHN-06 Testing for Browser Cache Weaknesses

WSTG-ATHN-07 Testing for Weak Password Policy

Testing for Weak Password Change or Reset

WSTG-ATHN-09
Functionalities

Authorization
Test Name
Testing

WSTG-ATHZ-02 Testing for Bypassing Authorization Schema

WSTG-ATHZ-03 Testing for Privilege Escalation

WSTG-ATHZ-04 Testing for Insecure Direct Object References

Session
Management Test Name
Testing

WSTG-SESS-01 Testing for Session Management Schema

WSTG-SESS-06 Testing for Logout Functionality

Data Validation
Test Name
Testing

WSTG-INPV-04 Testing for HTTP Parameter Pollution

WSTG-INPV-05 Testing for SQL Injection

WSTG-INPV-08 Testing for SSI Injection

WSTG-INPV-10 Testing for IMAP SMTP Injection

WSTG-INPV-11 Testing for Code Injection

WSTG-INPV-12 Testing for Command Injection

WSTG-INPV-13 Testing for Format String Injection

WSTG-INPV-18 Testing for Server-side Template Injection

Cryptography Test Name

WSTG-CRYP-01 Testing for Weak Transport Layer Security

Testing for Sensitive Information Sent via

WSTG-CRYP-03
Unencrypted Channels

WSTG-CRYP-04 Testing for Weak Encryption

Business logic
Test Name
Testing

WSTG-BUSL-01 Test Business Logic Data Validation

WSTG-BUSL-02 Test Ability to Forge Requests

WSTG-BUSL-03 Test Integrity Checks

WSTG-BUSL-06 Testing for the Circumvention of Work Flows

WSTG-BUSL-08 Test Upload of Unexpected File Types

WSTG-BUSL-09 Test Upload of Malicious Files

Client Side Testing Test Name

WSTG-CLNT-04 Testing for Client Side URL Redirect

WSTG-CLNT-05 Testing for CSS Injection

WSTG-CLNT-09 Testing for Clickjacking

WSTG-CLNT-12 Testing Browser Storage

WSTG-CLNT-13 Testing for Cross Site Script Inclusion

API Testing Test Name

WSTG-APIT-01 Testing GraphQL

: Spurtcommerce Security Testing Guide

Objectives

- Identify and document roles used by the application.

- Attempt to switch, change, or access another role.
- Review the granularity of the roles and the needs behind the permissions
given.
- Verify that the identity requirements for user registration are aligned with
business and security requirements.
- Validate the registration process.

- Verify which accounts may provision other accounts and of what type.

- Review processes that pertain to user identification (*e.g.* registration, login,

etc.).
- Enumerate users where possible through response analysis.

- Determine whether a consistent account name structure renders the

application vulnerable to account enumeration.
- Determine whether the application's error messages permit account
enumeration.

Objectives

- Assess whether any use case of the web site or application causes the
server or the client to exchange credentials without encryption.

- Enumerate the applications for default credentials and validate if they still
exist.
- Review and assess new user accounts and if they are created with any
defaults or identifiable patterns.
- Evaluate the account lockout mechanism's ability to mitigate brute force
password guessing.- Evaluate the unlock mechanism's resistance to
unauthorized account unlocking.

- Ensure that authentication is applied across all services that require it.
- Validate that the generated session is managed securely and do not put the
user's credentials in danger.

- Review if the application stores sensitive information on the client side.

- Review if access can occur without authorization.

- Determine the resistance of the application against brute force password

guessing using available password dictionaries by evaluating the length,
complexity, reuse, and aging requirements of passwords.

- Determine the resistance of the application to subversion of the account

change process allowing someone to change the password of an account.
- Determine the resistance of the passwords reset functionality against
guessing or bypassing.

Objectives

- Assess if horizontal or vertical access is possible.

- Identify injection points related to privilege manipulation.

- Fuzz or otherwise attempt to bypass security measures.

- Identify points where object references may occur.

- Assess the access control measures and if they're vulnerable to IDOR.

Objectives

- Gather session tokens, for the same user and for different users where
possible.
- Analyze and ensure that enough randomness exists to stop session forging
attacks.
- Modify cookies that are not signed and contain information that can be
manipulated.
- Assess the logout UI.
- Analyze the session timeout and if the session is properly killed after logout.

Objectives

- Identify the backend and the parsing method used.

- Assess injection points and try bypassing input filters using HPP.

- Identify SQL injection points.

- Assess the severity of the injection and the level of access that can be
achieved through it.

- Identify SSI injection points.

- Assess the severity of the injection.

- Identify IMAP/SMTP injection points.

- Understand the data flow and deployment structure of the system.
- Assess the injection impacts.

- Identify injection points where you can inject code into the application.
- Assess the injection severity.

- Identify and assess the command injection points.

- Assess whether injecting format string conversion specifiers into user-

controlled fields causes undesired behaviour from the application.

- Detect template injection vulnerability points.

- Identify the templating engine.
- Build the exploit.

Objectives
- Validate the service configuration.
- Review the digital certificate's cryptographic strength and validity.
- Ensure that the TLS security is not bypassable and is properly implemented
across the application.

- Identify sensitive information transmitted through the various channels.

- Assess the privacy and security of the channels used.

- Provide a guideline for the identification weak encryption or hashing uses

and implementations.

Objectives

- Identify data injection points.

- Validate that all checks are occurring on the back end and can't be
bypassed.
- Attempt to break the format of the expected data and analyze how the
application is handling it.
- Review the project documentation looking for guessable, predictable, or
hidden functionality of fields.
- Insert logically valid data in order to bypass normal business logic workflow.

- Review the project documentation for components of the system that move,
store, or handle data.
- Determine what type of data is logically acceptable by the component and
what types the system should guard against.
- Determine who should be allowed to modify or read that data in each
component.
- Attempt to insert, update, or delete data values used by each component
that should not be allowed per the business logic workflow.

- Review the project documentation for methods to skip or go through steps in

the application process in a different order from the intended business logic
flow.
- Develop a misuse case and try to circumvent every logic flow identified.

- Review the project documentation for file types that are rejected by the
system.
- Verify that the unwelcomed file types are rejected and handled safely.
- Verify that file batch uploads are secure and do not allow any bypass against
the set security measures.
- Identify the file upload functionality.
- Review the project documentation to identify what file types are considered
acceptable, and what types would be considered dangerous or malicious.
- Determine how the uploaded files are processed.
- Obtain or create a set of malicious files for testing.
- Try to upload the malicious files to the application and determine whether it
is accepted and processed.

Objectives

- Identify injection points that handle URLs or paths.

- Assess the locations that the system could redirect to.

- Identify CSS injection points.

- Assess the impact of the injection.

- Understand security measures in place.

- Assess how strict the security measures are and if they are bypassable.

- Determine whether the website is storing sensitive data in client-side

storage.
- The code handling of the storage objects should be examined for
possibilities of injection attacks, such as utilizing unvalidated input or
vulnerable libraries.
- Locate sensitive data across the system.
- Assess the leakage of sensitive data through various techniques.

Objectives

- Assess that a secure and production-ready configuration is deployed.

- Validate all input fields against generic attacks.
- Ensure that proper access controls are applied.
implemented

implemented
implemented

implemented
implemented

implemented
implemented
implemented

implemented