# OWASP WSTG Report Reference

## Variables Reference

### General

| Variable | Description |
|---|---|
| {{Year}} | The current year |
| {{CreatedDate}} | |
### Organization

| Variable | Description |
|---|---|
| {{OrganizationName}} | The name of the organization. |
| {{OrganizationEmail}} | The email of the organization. |
| {{OrganizationPhone}} | The phone of the organization. |
| {{{OrganizationDescription}}} | The description of the organization. |
| {{OrganizationContactName}} | The contact of the organization. |
| {{OrganizationUrl}} | The URL of the organization. |
### Client

| Variable | Description |
|---|---|
| {{ClientName}} | The name of the client. |
| {{ClientEmail}} | The email of the client. |
| {{ClientPhone}} | The phone of the client. |
| {{{ClientDescription}}} | The description of the client. |
| {{ClientContactName}} | The contact of the client. |
| {{ClientUrl}} | The URL of the client. |
### Targets

| Variable | Description |
|---|---|
| {{TargetName}} | The name of the target. |
| {{TargetDescription}} | The description of the target. |
| {{TargetType}} | The type of the target. |
## Results

### Information Gathering

| Information Gathering | Objectives | Status | Notes |
|---|---|---|---|
| WSTG-INFO-01 | **Conduct Search Engine Discovery Reconnaissance for Information Leakage**<br>Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization’s website) or indirectly (via third-party services). | {{Info01Status}} | {{Info01Note}} |
| WSTG-INFO-02 | **Fingerprint Web Server**<br>Determine the version and type of a running web server to enable further discovery of any known vulnerabilities. | {{Info02Status}} | {{Info02Note}} |
| WSTG-INFO-03 | **Review Webserver Metafiles for Information Leakage**<br>Identify hidden or obfuscated paths and functionality through the analysis of metadata files. Extract and map other information that could lead to better understanding of the systems at hand. | {{Info03Status}} | {{Info03Note}} |
| WSTG-INFO-04 | **Enumerate Applications on Webserver**<br>Enumerate the applications within scope that exist on a web server. | {{Info04Status}} | {{Info04Note}} |
| WSTG-INFO-05 | **Review Webpage Content for Information Leakage**<br>Review webpage comments and metadata to find any information leakage. Gather JavaScript files and review the JS code to better understand the application and to find any information leakage. Identify if source map files or other front-end debug files exist. | {{Info05Status}} | {{Info05Note}} |
| WSTG-INFO-06 | **Identify Application Entry Points**<br>Identify possible entry and injection points through request and response analysis. | {{Info06Status}} | {{Info06Note}} |
| WSTG-INFO-07 | **Map Execution Paths Through Application**<br>Map the target application and understand the principal workflows. | {{Info07Status}} | {{Info07Note}} |
| WSTG-INFO-08 | **Fingerprint Web Application Framework**<br>Fingerprint the components being used by the web applications. | {{Info08Status}} | {{Info08Note}} |
| WSTG-INFO-09 | **Fingerprint Web Application**<br>Fingerprint the components being used by the web applications. | {{Info09Status}} | {{Info09Note}} |
| WSTG-INFO-10 | **Map Application Architecture**<br>Generate a map of the application at hand based on the research conducted. | {{Info10Status}} | {{Info10Note}} |
### Configuration and Deployment Management Testing

| Configuration and Deployment Management Testing | Objectives | Status | Notes |
|---|---|---|---|
| WSTG-CONF-01 | **Test Network Infrastructure Configuration**<br>Review the applications’ configurations set across the network and validate that they are not vulnerable. Validate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials. | {{Conf01Status}} | {{Conf01Note}} |
| WSTG-CONF-02 | **Test Application Platform Configuration**<br>Ensure that defaults and known files have been removed. Validate that no debugging code or extensions are left in the production environments. Review the logging mechanisms set in place for the application. | {{Conf02Status}} | {{Conf02Note}} |
| WSTG-CONF-03 | **Test File Extensions Handling for Sensitive Information**<br>Dirbust sensitive file extensions, or extensions that might contain raw data (e.g. scripts, raw data, credentials, etc.). Validate that no system framework bypasses exist on the rules set. | {{Conf03Status}} | {{Conf03Note}} |
| WSTG-CONF-04 | **Review Old Backup and Unreferenced Files for Sensitive Information**<br>Find and analyse unreferenced files that might contain sensitive information. | {{Conf04Status}} | {{Conf04Note}} |
| WSTG-CONF-05 | **Enumerate Infrastructure and Application Admin Interfaces**<br>Identify hidden administrator interfaces and functionality. | {{Conf05Status}} | {{Conf05Note}} |
| WSTG-CONF-06 | **Test HTTP Methods**<br>Enumerate supported HTTP methods. Test for access control bypass. Test XST vulnerabilities. Test HTTP method overriding techniques. | {{Conf06Status}} | {{Conf06Note}} |
| WSTG-CONF-07 | **Test HTTP Strict Transport Security**<br>Review the HSTS header and its validity. | {{Conf07Status}} | {{Conf07Note}} |
| WSTG-CONF-08 | **Test RIA Cross Domain Policy**<br>Review and validate the policy files. | {{Conf08Status}} | {{Conf08Note}} |
| WSTG-CONF-09 | **Test File Permission**<br>Review and identify any rogue file permissions. | {{Conf09Status}} | {{Conf09Note}} |
| WSTG-CONF-10 | **Test for Subdomain Takeover**<br>Enumerate all possible domains (previous and current). Identify forgotten or misconfigured domains. | {{Conf10Status}} | {{Conf10Note}} |
| WSTG-CONF-11 | **Test Cloud Storage**<br>Assess that the access control configuration for the storage services is properly in place. | {{Conf11Status}} | {{Conf11Note}} |
### Identity Management Testing

| Identity Management Testing | Objectives | Status | Notes |
|---|---|---|---|
| WSTG-IDNT-01 | **Test Role Definitions**<br>Identify and document roles used by the application. Attempt to switch, change, or access another role. Review the granularity of the roles and the needs behind the permissions given. | {{Idnt01Status}} | {{Idnt01Note}} |
| WSTG-IDNT-02 | **Test User Registration Process**<br>Verify that the identity requirements for user registration are aligned with business and security requirements. Validate the registration process. | {{Idnt02Status}} | {{Idnt02Note}} |
| WSTG-IDNT-03 | **Test Account Provisioning Process**<br>Verify which accounts may provision other accounts and of what type. | {{Idnt03Status}} | {{Idnt03Note}} |
| WSTG-IDNT-04 | **Testing for Account Enumeration and Guessable User Account**<br>Review processes that pertain to user identification (e.g. registration, login, etc.). Enumerate users where possible through response analysis. | {{Idnt04Status}} | {{Idnt04Note}} |
| WSTG-IDNT-05 | **Testing for Weak or Unenforced Username Policy**<br>Determine whether a consistent account name structure renders the application vulnerable to account enumeration. Determine whether the application's error messages permit account enumeration. | {{Idnt05Status}} | {{Idnt05Note}} |
### Authentication Testing

| Authentication Testing | Objectives | Status | Notes |
|---|---|---|---|
| WSTG-ATHN-01 | **Testing for Credentials Transported over an Encrypted Channel**<br>Assess whether any use case of the web site or application causes the server or the client to exchange credentials without encryption. | {{Athn01Status}} | {{Athn01Note}} |
| WSTG-ATHN-02 | **Testing for Default Credentials**<br>Enumerate the applications for default credentials and validate if they still exist. Review and assess new user accounts and if they are created with any defaults or identifiable patterns. | {{Athn02Status}} | {{Athn02Note}} |
| WSTG-ATHN-03 | **Testing for Weak Lock Out Mechanism**<br>Evaluate the account lockout mechanism's ability to mitigate brute force password guessing. Evaluate the unlock mechanism's resistance to unauthorized account unlocking. | {{Athn03Status}} | {{Athn03Note}} |
| WSTG-ATHN-04 | **Testing for Bypassing Authentication Schema**<br>Ensure that authentication is applied across all services that require it. | {{Athn04Status}} | {{Athn04Note}} |
| WSTG-ATHN-05 | **Testing for Vulnerable Remember Password**<br>Validate that the generated session is managed securely and does not put the user's credentials in danger. | {{Athn05Status}} | {{Athn05Note}} |
| WSTG-ATHN-06 | **Testing for Browser Cache Weaknesses**<br>Review if the application stores sensitive information on the client side. Review if access can occur without authorization. | {{Athn06Status}} | {{Athn06Note}} |
| WSTG-ATHN-07 | **Testing for Weak Password Policy**<br>Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords. | {{Athn07Status}} | {{Athn07Note}} |
| WSTG-ATHN-08 | **Testing for Weak Security Question Answer**<br>Determine the complexity and how straightforward the questions are. Assess possible user answers and brute force capabilities. | {{Athn08Status}} | {{Athn08Note}} |
| WSTG-ATHN-09 | **Testing for Weak Password Change or Reset Functionalities**<br>Determine the resistance of the application to subversion of the account change process allowing someone to change the password of an account. Determine the resistance of the password reset functionality against guessing or bypassing. | {{Athn09Status}} | {{Athn09Note}} |
| WSTG-ATHN-10 | **Testing for Weaker Authentication in Alternative Channel**<br>Identify alternative authentication channels. Assess the security measures used and if any bypasses exist on the alternative channels. | {{Athn10Status}} | {{Athn10Note}} |
### Authorization Testing

| Authorization Testing | Objectives | Status | Notes |
|---|---|---|---|
| WSTG-ATHZ-01 | **Testing Directory Traversal File Include**<br>Identify injection points that pertain to path traversal. Assess bypassing techniques and identify the extent of path traversal. | {{Athz01Status}} | {{Athz01Note}} |
| WSTG-ATHZ-02 | **Testing for Bypassing Authorization Schema**<br>Assess if horizontal or vertical access is possible. | {{Athz02Status}} | {{Athz02Note}} |
| WSTG-ATHZ-03 | **Testing for Privilege Escalation**<br>Identify injection points related to privilege manipulation. Fuzz or otherwise attempt to bypass security measures. | {{Athz03Status}} | {{Athz03Note}} |
| WSTG-ATHZ-04 | **Testing for Insecure Direct Object References**<br>Identify points where object references may occur. Assess the access control measures and if they're vulnerable to IDOR. | {{Athz04Status}} | {{Athz04Note}} |
### Session Management Testing

| Session Management Testing | Objectives | Status | Notes |
|---|---|---|---|
| WSTG-SESS-01 | **Testing for Session Management Schema**<br>Gather session tokens, for the same user and for different users where possible. Analyze and ensure that enough randomness exists to stop session forging attacks. Modify cookies that are not signed and contain information that can be manipulated. | {{Sess01Status}} | {{Sess01Note}} |
| WSTG-SESS-02 | **Testing for Cookies Attributes**<br>Ensure that the proper security configuration is set for cookies. | {{Sess02Status}} | {{Sess02Note}} |
| WSTG-SESS-03 | **Testing for Session Fixation**<br>Analyze the authentication mechanism and its flow. Force cookies and assess the impact. | {{Sess03Status}} | {{Sess03Note}} |
| WSTG-SESS-04 | **Testing for Exposed Session Variables**<br>Ensure that proper encryption is implemented. Review the caching configuration. Assess the channel and methods' security. | {{Sess04Status}} | {{Sess04Note}} |
| WSTG-SESS-05 | **Testing for Cross Site Request Forgery**<br>Determine whether it is possible to initiate requests on a user's behalf that are not initiated by the user. | {{Sess05Status}} | {{Sess05Note}} |
| WSTG-SESS-06 | **Testing for Logout Functionality**<br>Assess the logout UI. Analyze the session timeout and if the session is properly killed after logout. | {{Sess06Status}} | {{Sess06Note}} |
| WSTG-SESS-07 | **Testing Session Timeout**<br>Validate that a hard session timeout exists. | {{Sess07Status}} | {{Sess07Note}} |
| WSTG-SESS-08 | **Testing for Session Puzzling**<br>Identify all session variables. Break the logical flow of session generation. | {{Sess08Status}} | {{Sess08Note}} |
| WSTG-SESS-09 | **Testing for Session Hijacking**<br>Identify vulnerable session cookies. Hijack vulnerable cookies and assess the risk level. | {{Sess09Status}} | {{Sess09Note}} |
### Data Validation Testing

| Data Validation Testing | Objectives | Status | Notes |
|---|---|---|---|
| WSTG-INPV-01 | **Testing for Reflected Cross Site Scripting**<br>Identify variables that are reflected in responses. Assess the input they accept and the encoding that gets applied on return (if any). | {{Inpv01Status}} | {{Inpv01Note}} |
| WSTG-INPV-02 | **Testing for Stored Cross Site Scripting**<br>Identify stored input that is reflected on the client-side. Assess the input they accept and the encoding that gets applied on return (if any). | {{Inpv02Status}} | {{Inpv02Note}} |
| WSTG-INPV-03 | **Testing for HTTP Verb Tampering**<br>Enumerate supported HTTP methods. Test for access control bypass. Test XST vulnerabilities. Test HTTP method overriding techniques. | {{Inpv03Status}} | {{Inpv03Note}} |
| WSTG-INPV-04 | **Testing for HTTP Parameter Pollution**<br>Identify the backend and the parsing method used. Assess injection points and try bypassing input filters using HPP. | {{Inpv04Status}} | {{Inpv04Note}} |
| WSTG-INPV-05 | **Testing for SQL Injection**<br>Identify SQL injection points. Assess the severity of the injection and the level of access that can be achieved through it. | {{Inpv05Status}} | {{Inpv05Note}} |
| WSTG-INPV-06 | **Testing for LDAP Injection**<br>Identify LDAP injection points. Assess the severity of the injection. | {{Inpv06Status}} | {{Inpv06Note}} |
| WSTG-INPV-07 | **Testing for XML Injection**<br>Identify XML injection points. Assess the types of exploits that can be attained and their severities. | {{Inpv07Status}} | {{Inpv07Note}} |
| WSTG-INPV-08 | **Testing for SSI Injection**<br>Identify SSI injection points. Assess the severity of the injection. | {{Inpv08Status}} | {{Inpv08Note}} |
| WSTG-INPV-09 | **Testing for XPath Injection**<br>Identify XPATH injection points. | {{Inpv09Status}} | {{Inpv09Note}} |
| WSTG-INPV-10 | **Testing for IMAP SMTP Injection**<br>Identify IMAP/SMTP injection points. Understand the data flow and deployment structure of the system. Assess the injection impacts. | {{Inpv10Status}} | {{Inpv10Note}} |
| WSTG-INPV-11 | **Testing for Code Injection**<br>Identify injection points where you can inject code into the application. Assess the injection severity. | {{Inpv11Status}} | {{Inpv11Note}} |
| WSTG-INPV-12 | **Testing for Command Injection**<br>Identify and assess the command injection points. | {{Inpv12Status}} | {{Inpv12Note}} |
| WSTG-INPV-13 | **Testing for Format String Injection**<br>Assess whether injecting format string conversion specifiers into user-controlled fields causes undesired behaviour from the application. | {{Inpv13Status}} | {{Inpv13Note}} |
| WSTG-INPV-14 | **Testing for Incubated Vulnerability**<br>Identify injections that are stored and require a recall step to the stored injection. Understand how a recall step could occur. Set listeners or activate the recall step if possible. | {{Inpv14Status}} | {{Inpv14Note}} |
| WSTG-INPV-15 | **Testing for HTTP Splitting Smuggling**<br>Assess if the application is vulnerable to splitting, identifying what possible attacks are achievable. Assess if the chain of communication is vulnerable to smuggling, identifying what possible attacks are achievable. | {{Inpv15Status}} | {{Inpv15Note}} |
| WSTG-INPV-16 | **Testing for HTTP Incoming Requests**<br>Monitor all incoming and outgoing HTTP requests to the Web Server to inspect any suspicious requests. Monitor HTTP traffic without changes of end user Browser proxy or client-side application. | {{Inpv16Status}} | {{Inpv16Note}} |
| WSTG-INPV-17 | **Testing for Host Header Injection**<br>Assess if the Host header is being parsed dynamically in the application. Bypass security controls that rely on the header. | {{Inpv17Status}} | {{Inpv17Note}} |
| WSTG-INPV-18 | **Testing for Server-side Template Injection**<br>Detect template injection vulnerability points. Identify the templating engine. Build the exploit. | {{Inpv18Status}} | {{Inpv18Note}} |
| WSTG-INPV-19 | **Testing for Server-Side Request Forgery**<br>Identify SSRF injection points. Test if the injection points are exploitable. Assess the severity of the vulnerability. | {{Inpv19Status}} | {{Inpv19Note}} |
### Error Handling

| Error Handling | Objectives | Status | Notes |
|---|---|---|---|
| WSTG-ERRH-01 | **Testing for Improper Error Handling**<br>Identify existing error output. Analyze the different output returned. | {{Errh01Status}} | {{Errh01Note}} |
| WSTG-ERRH-02 | **Testing for Stack Traces**<br>Identify existing error output. Analyze the different output returned. | {{Errh02Status}} | {{Errh02Note}} |
### Cryptography Testing

| Cryptography | Objectives | Status | Notes |
|---|---|---|---|
| WSTG-CRYP-01 | **Testing for Weak Transport Layer Security**<br>Validate the service configuration. Review the digital certificate's cryptographic strength and validity. Ensure that the TLS security is not bypassable and is properly implemented across the application. | {{Cryp01Status}} | {{Cryp01Note}} |
| WSTG-CRYP-02 | **Testing for Padding Oracle**<br>Identify encrypted messages that rely on padding. Attempt to break the padding of the encrypted messages and analyze the returned error messages for further analysis. | {{Cryp02Status}} | {{Cryp02Note}} |
| WSTG-CRYP-03 | **Testing for Sensitive Information Sent via Unencrypted Channels**<br>Identify sensitive information transmitted through the various channels. Assess the privacy and security of the channels used. | {{Cryp03Status}} | {{Cryp03Note}} |
| WSTG-CRYP-04 | **Testing for Weak Encryption**<br>Provide a guideline for the identification of weak encryption or hashing uses and implementations. | {{Cryp04Status}} | {{Cryp04Note}} |
### Business Logic Testing

| Business Logic Testing | Objectives | Status | Notes |
|---|---|---|---|
| WSTG-BUSL-01 | **Test Business Logic Data Validation**<br>Identify data injection points. Validate that all checks are occurring on the back end and can't be bypassed. Attempt to break the format of the expected data and analyze how the application is handling it. | {{Busl01Status}} | {{Busl01Note}} |
| WSTG-BUSL-02 | **Test Ability to Forge Requests**<br>Review the project documentation looking for guessable, predictable, or hidden functionality of fields. Insert logically valid data in order to bypass normal business logic workflow. | {{Busl02Status}} | {{Busl02Note}} |
| WSTG-BUSL-03 | **Test Integrity Checks**<br>Review the project documentation for components of the system that move, store, or handle data. Determine what type of data is logically acceptable by the component and what types the system should guard against. Determine who should be allowed to modify or read that data in each component. Attempt to insert, update, or delete data values used by each component that should not be allowed per the business logic workflow. | {{Busl03Status}} | {{Busl03Note}} |
| WSTG-BUSL-04 | **Test for Process Timing**<br>Review the project documentation for system functionality that may be impacted by time. Develop and execute misuse cases. | {{Busl04Status}} | {{Busl04Note}} |
| WSTG-BUSL-05 | **Test Number of Times a Function Can Be Used Limits**<br>Identify functions that must set limits to the times they can be called. Assess if there is a logical limit set on the functions and if it is properly validated. | {{Busl05Status}} | {{Busl05Note}} |
| WSTG-BUSL-06 | **Testing for the Circumvention of Work Flows**<br>Review the project documentation for methods to skip or go through steps in the application process in a different order from the intended business logic flow. Develop a misuse case and try to circumvent every logic flow identified. | {{Busl06Status}} | {{Busl06Note}} |
| WSTG-BUSL-07 | **Test Defenses Against Application Misuse**<br>Generate notes from all tests conducted against the system. Review which tests had a different functionality based on aggressive input. Understand the defenses in place and verify if they are enough to protect the system against bypassing techniques. | {{Busl07Status}} | {{Busl07Note}} |
| WSTG-BUSL-08 | **Test Upload of Unexpected File Types**<br>Review the project documentation for file types that are rejected by the system. Verify that the unwelcome file types are rejected and handled safely. Verify that file batch uploads are secure and do not allow any bypass against the set security measures. | {{Busl08Status}} | {{Busl08Note}} |
| WSTG-BUSL-09 | **Test Upload of Malicious Files**<br>Identify the file upload functionality. Review the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious. Determine how the uploaded files are processed. Obtain or create a set of malicious files for testing. Try to upload the malicious files to the application and determine whether they are accepted and processed. | {{Busl09Status}} | {{Busl09Note}} |
### Client Side Testing

| Client Side Testing | Objectives | Status | Notes |
|---|---|---|---|
| WSTG-CLNT-01 | **Testing for DOM-Based Cross Site Scripting**<br>Identify DOM sinks. Build payloads that pertain to every sink type. | {{Clnt01Status}} | {{Clnt01Note}} |
| WSTG-CLNT-02 | **Testing for JavaScript Execution**<br>Identify sinks and possible JavaScript injection points. | {{Clnt02Status}} | {{Clnt02Note}} |
| WSTG-CLNT-03 | **Testing for HTML Injection**<br>Identify HTML injection points and assess the severity of the injected content. | {{Clnt03Status}} | {{Clnt03Note}} |
| WSTG-CLNT-04 | **Testing for Client Side URL Redirect**<br>Identify injection points that handle URLs or paths. Assess the locations that the system could redirect to. | {{Clnt04Status}} | {{Clnt04Note}} |
| WSTG-CLNT-05 | **Testing for CSS Injection**<br>Identify CSS injection points. Assess the impact of the injection. | {{Clnt05Status}} | {{Clnt05Note}} |
| WSTG-CLNT-06 | **Testing for Client Side Resource Manipulation**<br>Identify sinks with weak input validation. Assess the impact of the resource manipulation. | {{Clnt06Status}} | {{Clnt06Note}} |
| WSTG-CLNT-07 | **Test Cross Origin Resource Sharing**<br>Identify endpoints that implement CORS. Ensure that the CORS configuration is secure or harmless. | {{Clnt07Status}} | {{Clnt07Note}} |
| WSTG-CLNT-08 | **Testing for Cross Site Flashing**<br>Decompile and analyze the application's code. Assess sink inputs and unsafe method usages. | {{Clnt08Status}} | {{Clnt08Note}} |
| WSTG-CLNT-09 | **Testing for Clickjacking**<br>Understand security measures in place. Assess how strict the security measures are and if they are bypassable. | {{Clnt09Status}} | {{Clnt09Note}} |
| WSTG-CLNT-10 | **Testing WebSockets**<br>Identify the usage of WebSockets. Assess its implementation by using the same tests on normal HTTP channels. | {{Clnt10Status}} | {{Clnt10Note}} |
| WSTG-CLNT-11 | **Test Web Messaging**<br>Assess the security of the message's origin. Validate that it's using safe methods and validating its input. | {{Clnt11Status}} | {{Clnt11Note}} |
| WSTG-CLNT-12 | **Testing Browser Storage**<br>Determine whether the website is storing sensitive data in client-side storage. The code handling of the storage objects should be examined for possibilities of injection attacks, such as utilizing unvalidated input or vulnerable libraries. | {{Clnt12Status}} | {{Clnt12Note}} |
| WSTG-CLNT-13 | **Testing for Cross Site Script Inclusion**<br>Locate sensitive data across the system. Assess the leakage of sensitive data through various techniques. | {{Clnt13Status}} | {{Clnt13Note}} |
### API Testing

| API Testing | Objectives | Status | Notes |
|---|---|---|---|
| WSTG-APIT-01 | **Testing GraphQL**<br>Assess that a secure and production-ready configuration is deployed. Validate all input fields against generic attacks. Ensure that proper access controls are applied. | {{Apit01Status}} | {{Apit01Note}} |