{ "categories": { "Information Gathering": { "id": "WSTG-INFO", "tests": [ { "name": "Conduct Search Engine Discovery Reconnaissance for Information Leakage", "id": "WSTG-INFO-01", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage", "objectives": [ "Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization's site) or indirectly (via third-party services)." ] }, { "name": "Fingerprint Web Server", "id": "WSTG-INFO-02", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server", "objectives": [ "Determine the version and type of a running web server to enable further discovery of any known vulnerabilities." ] }, { "name": "Review Webserver Metafiles for Information Leakage", "id": "WSTG-INFO-03", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage", "objectives": [ "Identify hidden or obfuscated paths and functionality through the analysis of metadata files.", "Extract and map other information that could lead to a better understanding of the systems at hand." 
] }, { "name": "Attack Surface Identification", "id": "WSTG-INFO-04", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/04-Attack_Surface_Identification", "objectives": [ "Enumerate all web applications within scope.", "Identify DNS names, domains, and virtual hosts associated with the target.", "Discover additional domains and subdomains using passive and active DNS techniques.", "Analyze digital certificates and Certificate Transparency logs for additional hostnames." ] }, { "name": "Review Web Page Content for Information Leakage", "id": "WSTG-INFO-05", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Web_Page_Content_for_Information_Leakage", "objectives": [ "Review web page comments, metadata, and redirect bodies to find any information leakage.", "Gather JavaScript files and review the JS code to better understand the application and to find any information leakage.", "Identify if source map files or other frontend debug files exist." ] }, { "name": "Identify Application Entry Points", "id": "WSTG-INFO-06", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/06-Identify_Application_Entry_Points", "objectives": [ "Identify possible entry and injection points through request and response analysis." ] }, { "name": "Map Execution Paths Through Application", "id": "WSTG-INFO-07", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/07-Map_Execution_Paths_Through_Application", "objectives": [ "Map the target application and understand the principal workflows." 
] }, { "name": "Fingerprint Web Application Framework", "id": "WSTG-INFO-08", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework", "objectives": [ "Fingerprint the components used by the web applications." ] }, { "name": "Fingerprint Web Application", "id": "WSTG-INFO-09", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/09-Fingerprint_Web_Application", "objectives": [ "" ] }, { "name": "Map Application Architecture", "id": "WSTG-INFO-10", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/10-Map_Application_Architecture", "objectives": [ "Understand the architecture of the application and the technologies in use." ] } ] }, "Configuration and Deployment Management Testing": { "id": "WSTG-CONF", "tests": [ { "name": "Test Network Infrastructure Configuration", "id": "WSTG-CONF-01", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/01-Test_Network_Infrastructure_Configuration", "objectives": [ "Review the applications' configurations set across the network and validate that they are not vulnerable.", "Validate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials." 
] }, { "name": "Test Application Platform Configuration", "id": "WSTG-CONF-02", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration", "objectives": [ "Ensure that default and known files have been removed.", "Validate that no debugging code or extensions are left in the production environments.", "Review the logging mechanisms set in place for the application." ], "cre_ids": [ "843-841", "402-706" ] }, { "name": "Test File Extensions Handling for Sensitive Information", "id": "WSTG-CONF-03", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/03-Test_File_Extensions_Handling_for_Sensitive_Information", "objectives": [ "Enumerate sensitive file extensions that might contain raw data such as scripts or credentials", "Validate that no system framework bypasses exist for the rules that have been set" ], "cre_ids": [ "615-744" ] }, { "name": "Review Old Backup and Unreferenced Files for Sensitive Information", "id": "WSTG-CONF-04", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information", "objectives": [ "Find and analyse unreferenced files that might contain sensitive information." ], "cre_ids": [ "462-245" ] }, { "name": "Enumerate Infrastructure and Application Admin Interfaces", "id": "WSTG-CONF-05", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces", "objectives": [ "Identify hidden administrator interfaces and functionality." 
] }, { "name": "Test HTTP Methods", "id": "WSTG-CONF-06", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods", "objectives": [ "Enumerate supported HTTP methods.", "Test for access control bypass.", "Test HTTP method overriding techniques." ], "cre_ids": [ "483-715" ] }, { "name": "Test HTTP Strict Transport Security", "id": "WSTG-CONF-07", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security", "objectives": [ "Review the HSTS header and its validity." ], "cre_ids": [ "036-147" ] }, { "name": "Test File Permission", "id": "WSTG-CONF-09", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission", "objectives": [ "Review and identify any rogue file permissions." ] }, { "name": "Test for Subdomain Takeover", "id": "WSTG-CONF-10", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover", "objectives": [ "Enumerate all possible domains (previous and current).", "Identify any forgotten or misconfigured domains." ], "cre_ids": [ "336-512" ] }, { "name": "Test Cloud Storage", "id": "WSTG-CONF-11", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/11-Test_Cloud_Storage", "objectives": [ "Assess that the access control configuration for the storage services is properly in place." 
] }, { "name": "Testing for Content Security Policy", "id": "WSTG-CONF-12", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy", "objectives": [ "Review the Content-Security-Policy header or meta element to identify misconfigurations." ] }, { "name": "Test Path Confusion", "id": "WSTG-CONF-13", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/13-Test_for_Path_Confusion", "objectives": [ "Make sure application paths are configured correctly." ] }, { "name": "Test Other HTTP Security Header Misconfigurations", "id": "WSTG-CONF-14", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations", "objectives": [ "Identify improperly configured security headers.", "Assess the impact of misconfigured security headers.", "Validate the correct implementation of required security headers." ] } ] }, "Identity Management Testing": { "id": "WSTG-IDNT", "tests": [ { "name": "Test Role Definitions", "id": "WSTG-IDNT-01", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions", "objectives": [ "Identify and document roles used by the application.", "Attempt to switch, change, or access another role.", "Review the granularity of the roles and the needs behind the permissions given." 
], "cre_ids": [ "817-808", "368-633" ] }, { "name": "Test User Registration Process", "id": "WSTG-IDNT-02", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/02-Test_User_Registration_Process", "objectives": [ "Verify that the identity requirements for user registration are aligned with business and security requirements.", "Validate the registration process." ] }, { "name": "Test Account Provisioning Process", "id": "WSTG-IDNT-03", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/03-Test_Account_Provisioning_Process", "objectives": [ "Verify which accounts may provision other accounts and of what type." ] }, { "name": "Testing for Account Enumeration and Guessable User Account", "id": "WSTG-IDNT-04", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account", "objectives": [ "Review processes that pertain to user identification (*e.g.* registration, login, etc.).", "Enumerate users where possible through response analysis." 
] }, { "name": "Testing for Weak or Unenforced Username Policy", "id": "WSTG-IDNT-05", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/05-Testing_for_Weak_or_Unenforced_Username_Policy", "objectives": [ "" ] } ] }, "Authentication Testing": { "id": "WSTG-ATHN", "tests": [ { "name": "Testing for Credentials Transported over an Encrypted Channel", "id": "WSTG-ATHN-01", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel", "objectives": [ "" ], "cre_ids": [ "270-634" ] }, { "name": "Testing for Default Credentials", "id": "WSTG-ATHN-02", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials", "objectives": [ "Determine whether the application has any user accounts with default passwords.", "Review whether new user accounts are created with weak or predictable passwords." ], "cre_ids": [ "235-658" ] }, { "name": "Testing for Weak Lock Out Mechanism", "id": "WSTG-ATHN-03", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism", "objectives": [ "Evaluate the account lockout mechanism's ability to mitigate brute force password guessing.", "Evaluate the unlock mechanism's resistance to unauthorized account unlocking." 
], "cre_ids": [ "802-056" ] }, { "name": "Testing for Bypassing Authentication Schema", "id": "WSTG-ATHN-04", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema", "objectives": [ "Ensure that authentication is applied across all services that require it." ] }, { "name": "Testing for Vulnerable Remember Password", "id": "WSTG-ATHN-05", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/05-Testing_for_Vulnerable_Remember_Password", "objectives": [ "Validate that the generated session is managed securely and does not put the user's credentials at risk (e.g. by storing the password, or a reversible form of it, in the persistent cookie)." ] }, { "name": "Testing for Browser Cache Weaknesses", "id": "WSTG-ATHN-06", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses", "objectives": [ "Review if the application stores sensitive information on the client-side.", "Review if access can occur without authorization." ], "cre_ids": [ "473-758" ] }, { "name": "Testing for Weak Authentication Methods", "id": "WSTG-ATHN-07", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods", "objectives": [ "Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords."
], "cre_ids": [ "630-577", "487-305", "455-885", "327-505", "751-176" ] }, { "name": "Testing for Weak Security Question Answer", "id": "WSTG-ATHN-08", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer", "objectives": [ "Determine the complexity and how straightforward the questions are.", "Assess possible user answers and brute force capabilities." ], "cre_ids": [ "772-358" ] }, { "name": "Testing for Weak Password Change or Reset Functionalities", "id": "WSTG-ATHN-09", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities", "objectives": [ "Determine whether the password change and reset functionality allows accounts to be compromised." ], "cre_ids": [ "581-525" ] }, { "name": "Testing for Weaker Authentication in Alternative Channel", "id": "WSTG-ATHN-10", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/10-Testing_for_Weaker_Authentication_in_Alternative_Channel", "objectives": [ "Identify alternative authentication channels.", "Assess the security measures used and whether any bypasses exist on the alternative channels." ] }, { "name": "Testing Multi-Factor Authentication (MFA)", "id": "WSTG-ATHN-11", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/11-Testing_Multi-Factor_Authentication", "objectives": [ "Identify the type of MFA used by the application.", "Determine whether the MFA implementation is robust and secure.", "Attempt to bypass the MFA."
] } ] }, "Authorization Testing": { "id": "WSTG-ATHZ", "tests": [ { "name": "Testing Directory Traversal File Include", "id": "WSTG-ATHZ-01", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include", "objectives": [ "Identify injection points that pertain to path traversal.", "Assess bypassing techniques and identify the extent of path traversal." ], "cre_ids": [ "737-086", "742-056", "675-168" ] }, { "name": "Testing for Bypassing Authorization Schema", "id": "WSTG-ATHZ-02", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema", "objectives": [ "Assess if unauthenticated, horizontal, or vertical access is possible." ], "cre_ids": [ "152-725", "524-603", "650-560" ] }, { "name": "Testing for Privilege Escalation", "id": "WSTG-ATHZ-03", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation", "objectives": [ "Identify injection points related to privilege manipulation.", "Fuzz or otherwise attempt to bypass security measures." ], "cre_ids": [ "713-683" ] }, { "name": "Testing for Insecure Direct Object References", "id": "WSTG-ATHZ-04", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References", "objectives": [ "Identify points where object references may occur.", "Assess the access control measures and if they're vulnerable to IDOR." 
], "cre_ids": [ "304-667" ] }, { "name": "Testing for OAuth Weaknesses", "id": "WSTG-ATHZ-05", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses", "objectives": [ "Determine whether the OAuth2 implementation is vulnerable, or relies on a deprecated grant type (e.g. the implicit grant) or a custom, non-standard flow." ] } ] }, "Session Management Testing": { "id": "WSTG-SESS", "tests": [ { "name": "Testing for Session Management Schema", "id": "WSTG-SESS-01", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema", "objectives": [ "Gather session tokens, for the same user and for different users where possible.", "Analyze and ensure that enough randomness exists to stop session forging attacks.", "Modify cookies that are not signed and contain information that can be manipulated." ], "cre_ids": [ "582-541", "618-403", "551-054", "704-530", "727-043" ] }, { "name": "Testing for Cookies Attributes", "id": "WSTG-SESS-02", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes", "objectives": [ "Ensure that the proper security configuration is set for cookies (e.g. Secure, HttpOnly, SameSite, Domain/Path scope, and expiry)." ], "cre_ids": [ "232-034", "342-055", "688-081", "804-220", "705-182", "455-358" ] }, { "name": "Testing for Session Fixation", "id": "WSTG-SESS-03", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation", "objectives": [ "Analyze the authentication mechanism and its flow.", "Force a known session identifier before authentication, verify whether it is regenerated on login, and assess the impact."
], "cre_ids": [ "002-630" ] }, { "name": "Testing for Exposed Session Variables", "id": "WSTG-SESS-04", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables", "objectives": [ "Ensure that proper encryption is implemented.", "Review the caching configuration.", "Assess the channel and methods' security." ], "cre_ids": [ "333-888", "402-133" ] }, { "name": "Testing for Cross Site Request Forgery", "id": "WSTG-SESS-05", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery", "objectives": [ "Determine whether it is possible to initiate requests on a user's behalf that are not initiated by the user." ], "cre_ids": [ "464-084", "060-472" ] }, { "name": "Testing for Logout Functionality", "id": "WSTG-SESS-06", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality", "objectives": [ "Assess the logout UI.", "Analyze the session timeout and whether the session is properly invalidated on the server after logout (not merely cleared client-side): a replayed pre-logout token must be rejected." ], "cre_ids": [ "673-736", "238-346", "457-165" ] }, { "name": "Testing Session Timeout", "id": "WSTG-SESS-07", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/07-Testing_Session_Timeout", "objectives": [ "Validate that a hard session timeout exists." ], "cre_ids": [ "065-782" ] }, { "name": "Testing for Session Puzzling", "id": "WSTG-SESS-08", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/08-Testing_for_Session_Puzzling", "objectives": [ "Identify all session variables.", "Break the logical flow of session generation."
] }, { "name": "Testing for Session Hijacking", "id": "WSTG-SESS-09", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/09-Testing_for_Session_Hijacking", "objectives": [ "Identify vulnerable session cookies.", "Hijack vulnerable cookies and assess the risk level." ] }, { "name": "Testing JSON Web Tokens", "id": "WSTG-SESS-10", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens", "objectives": [ "Determine whether the JWTs expose sensitive information.", "Determine whether the JWTs can be tampered with or modified." ] }, { "name": "Testing for Concurrent Sessions", "id": "WSTG-SESS-11", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/11-Testing_for_Concurrent_Sessions", "objectives": [ "Evaluate the application's session management by assessing the handling of multiple active sessions for a single user account." ] } ] }, "Input Validation Testing": { "id": "WSTG-INPV", "tests": [ { "name": "Testing for Reflected Cross Site Scripting", "id": "WSTG-INPV-01", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting", "objectives": [ "Identify variables that are reflected in responses.", "Assess the input they accept and the encoding that gets applied on return (if any)." 
], "cre_ids": [ "257-668", "065-388", "366-835" ] }, { "name": "Testing for Stored Cross Site Scripting", "id": "WSTG-INPV-02", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting", "objectives": [ "Identify stored input that is reflected on the client-side.", "Assess the input they accept and the encoding that gets applied on return (if any)." ], "cre_ids": [ "257-668", "065-388" ] }, { "name": "Testing for HTTP Verb Tampering", "id": "WSTG-INPV-03", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering", "objectives": [ "" ], "cre_ids": [ "532-878" ] }, { "name": "Testing for HTTP Parameter Pollution", "id": "WSTG-INPV-04", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution", "objectives": [ "Identify the backend and the parsing method used.", "Assess injection points and try bypassing input filters using HPP." ], "cre_ids": [ "743-237" ] }, { "name": "Testing for SQL Injection", "id": "WSTG-INPV-05", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection", "objectives": [ "Identify SQL injection points.", "Assess the severity of the injection and the level of access that can be achieved through it." ], "cre_ids": [ "064-808", "732-873" ] }, { "name": "Testing for LDAP Injection", "id": "WSTG-INPV-06", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection", "objectives": [ "Identify LDAP injection points.", "Assess the severity of the injection." 
], "cre_ids": [ "531-558" ] }, { "name": "Testing for XML Injection", "id": "WSTG-INPV-07", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection", "objectives": [ "Identify XML injection points.", "Assess the types of exploits that can be attained and their severities." ], "cre_ids": [ "611-051", "134-207", "764-507" ] }, { "name": "Testing for SSI Injection", "id": "WSTG-INPV-08", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection", "objectives": [ "Identify SSI injection points.", "Assess the severity of the injection." ] }, { "name": "Testing for XPath Injection", "id": "WSTG-INPV-09", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection", "objectives": [ "Identify XPATH injection points." ], "cre_ids": [ "134-207" ] }, { "name": "Testing for IMAP SMTP Injection", "id": "WSTG-INPV-10", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection", "objectives": [ "Identify IMAP/SMTP injection points.", "Understand the data flow and deployment structure of the system.", "Assess the injection impacts." ], "cre_ids": [ "881-434" ] }, { "name": "Testing for Code Injection", "id": "WSTG-INPV-11", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection", "objectives": [ "Identify injection points where you can inject code into the application.", "Assess the injection severity." 
], "cre_ids": [ "547-283", "657-084" ] }, { "name": "Testing for Command Injection", "id": "WSTG-INPV-12", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection", "objectives": [ "Identify and assess command injection points.", "Bypass filters on special characters and OS commands." ], "cre_ids": [ "683-722", "857-718" ] }, { "name": "Testing for Format String Injection", "id": "WSTG-INPV-13", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Format_String_Injection", "objectives": [ "Assess whether injecting format string conversion specifiers into user-controlled fields causes undesired behavior from the application." ], "cre_ids": [ "831-570" ] }, { "name": "Testing for Incubated Vulnerability", "id": "WSTG-INPV-14", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/14-Testing_for_Incubated_Vulnerability", "objectives": [ "Identify injections that are stored and require a recall step to the stored injection.", "Understand how a recall step could occur.", "Set listeners or activate the recall step if possible." ] }, { "name": "Testing for HTTP Response Splitting", "id": "WSTG-INPV-15", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Response_Splitting", "objectives": [ "Identify user-controlled input that is reflected into HTTP response headers.", "Assess whether CR (`\\r`) and LF (`\\n`) characters can be injected into response headers.", "Determine the potential impact of successful HTTP Response Splitting attacks, such as cache poisoning or client-side exploitation."
] }, { "name": "Testing for HTTP Request Smuggling", "id": "WSTG-INPV-16", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/16-Testing_for_HTTP_Request_Smuggling", "objectives": [ "Identify request boundary inconsistencies between frontend and backend components.", "Detect classic CL/TE desynchronization vulnerabilities.", "Evaluate protocol translation logic (HTTP/2 → HTTP/1.1).", "Assess H2C upgrade handling and downgrade safety.", "Confirm backend request queue poisoning, bearing in mind that a poisoned queue can affect other users' requests on a shared front end, so prefer an isolated test environment." ] }, { "name": "Testing for Host Header Injection", "id": "WSTG-INPV-17", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection", "objectives": [ "Assess if the Host header is being parsed dynamically in the application.", "Bypass security controls that rely on the header." ] }, { "name": "Testing for Server-side Template Injection", "id": "WSTG-INPV-18", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server-side_Template_Injection", "objectives": [ "Detect template injection vulnerability points.", "Identify the templating engine.", "Build the exploit." ], "cre_ids": [ "422-005" ] }, { "name": "Testing for Server-Side Request Forgery", "id": "WSTG-INPV-19", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery", "objectives": [ "Identify SSRF injection points.", "Test whether the injection points are exploitable.", "Assess the severity of the vulnerability."
] }, { "name": "Testing for Mass Assignment", "id": "WSTG-INPV-20", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/20-Testing_for_Mass_Assignment", "objectives": [ "Identify requests that modify objects", "Assess if it is possible to modify fields never intended to be modified from outside" ] }, { "name": "Testing for CSV Injection", "id": "WSTG-INPV-21", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/21-Testing_for_CSV_Injection", "objectives": [ "Identify CSV/spreadsheet export features that include untrusted input.", "Verify whether attacker-controlled values are interpreted as formulas when the export is opened in common spreadsheet applications.", "Check whether separator/quote injection can move a dangerous prefix to the start of a cell.", "Validate whether mitigations remain effective in Microsoft Excel after saving and re-opening the CSV.", "Assess practical impact based on who opens the export and how it is used." ] } ] }, "Testing for Error Handling": { "id": "WSTG-ERRH", "tests": [ { "name": "Testing for Improper Error Handling", "id": "WSTG-ERRH-01", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_For_Improper_Error_Handling", "objectives": [ "Identify existing error output.", "Analyze the different output returned." 
], "cre_ids": [ "166-151" ] }, { "name": "Testing for Stack Traces", "id": "WSTG-ERRH-02", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces", "objectives": [ "" ], "cre_ids": [ "513-183" ] } ] }, "Testing for Weak Cryptography": { "id": "WSTG-CRYP", "tests": [ { "name": "Testing for Weak Transport Layer Security", "id": "WSTG-CRYP-01", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security", "objectives": [ "Validate the service configuration.", "Review the digital certificate's cryptographic strength and validity.", "Ensure that the TLS security is not bypassable and is properly implemented across the application." ], "cre_ids": [ "248-646", "745-045", "767-701" ] }, { "name": "Testing for Padding Oracle", "id": "WSTG-CRYP-02", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/02-Testing_for_Padding_Oracle", "objectives": [ "Identify encrypted messages that rely on padding.", "Attempt to break the padding of the encrypted messages and analyze the returned error messages for further analysis." ], "cre_ids": [ "036-810" ] }, { "name": "Testing for Sensitive Information Sent via Unencrypted Channels", "id": "WSTG-CRYP-03", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels", "objectives": [ "Identify sensitive information transmitted through the various channels.", "Assess the privacy and security of the channels used." 
], "cre_ids": [ "186-540" ] }, { "name": "Testing for Weak Cryptographic Primitives", "id": "WSTG-CRYP-04", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Cryptographic_Primitives", "objectives": [ "Provide a guideline for the identification of weak encryption or hashing uses and implementations." ], "cre_ids": [ "170-772", "786-224", "742-431", "433-122", "674-425", "441-132", "267-468", "224-321", "482-866", "027-210", "664-571", "542-488", "483-883" ] } ] }, "Business Logic Testing": { "id": "WSTG-BUSL", "tests": [ { "name": "Test Business Logic Data Validation", "id": "WSTG-BUSL-01", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/01-Test_Business_Logic_Data_Validation", "objectives": [ "Identify data injection points.", "Validate that all checks are occurring on the backend and can't be bypassed.", "Attempt to break the format of the expected data and analyze how the application is handling it." ] }, { "name": "Test Ability to Forge Requests", "id": "WSTG-BUSL-02", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/02-Test_Ability_to_Forge_Requests", "objectives": [ "Review the project documentation looking for guessable, predictable, or hidden functionality of fields.", "Insert logically valid data in order to bypass normal business logic workflow." 
] }, { "name": "Test Integrity Checks", "id": "WSTG-BUSL-03", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks", "objectives": [ "Review the project documentation for components of the system that move, store, or handle data.", "Determine what type of data is logically acceptable by the component and what types the system should guard against.", "Determine who should be allowed to modify or read that data in each component.", "Attempt to insert, update, or delete data values used by each component that should not be allowed per the business logic workflow." ], "cre_ids": [ "048-612" ] }, { "name": "Test for Process Timing", "id": "WSTG-BUSL-04", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/04-Test_for_Process_Timing", "objectives": [ "Review the project documentation for system functionality that may be impacted by time.", "Develop and execute misuse cases." ] }, { "name": "Test Number of Times a Function Can Be Used Limits", "id": "WSTG-BUSL-05", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/05-Test_Number_of_Times_a_Function_Can_Be_Used_Limits", "objectives": [ "Identify functions that must set limits to the times they can be called.", "Assess if there is a logical limit set on the functions and if it is properly validated." 
] }, { "name": "Testing for the Circumvention of Work Flows", "id": "WSTG-BUSL-06", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/06-Testing_for_the_Circumvention_of_Work_Flows", "objectives": [ "Review the project documentation for methods to skip or go through steps in the application process in a different order from the intended business logic flow.", "Develop a misuse case and try to circumvent every logic flow identified." ] }, { "name": "Test Defenses Against Application Misuse", "id": "WSTG-BUSL-07", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/07-Test_Defenses_Against_Application_Misuse", "objectives": [ "Generate notes from all tests conducted against the system.", "Review which tests had a different functionality based on aggressive input.", "Understand the defenses in place and verify if they are enough to protect the system against bypassing techniques." ] }, { "name": "Test Upload of Unexpected File Types", "id": "WSTG-BUSL-08", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types", "objectives": [ "Review the project documentation for file types that are rejected by the system.", "Verify that the unwelcomed file types are rejected and handled safely.", "Verify that file batch uploads are secure and do not allow any bypass against the set security measures." 
], "cre_ids": [ "314-701" ] }, { "name": "Test Upload of Malicious Files", "id": "WSTG-BUSL-09", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files", "objectives": [ "Identify the file upload functionality.", "Review the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious.", "If documentation is not available then consider what would be appropriate based on the purpose of the application.", "Determine how the uploaded files are processed.", "Obtain or create a set of malicious files for testing.", "Try to upload the malicious files to the application and determine whether they are accepted and processed." ], "cre_ids": [ "814-322", "545-243", "307-111", "112-273", "660-052" ] }, { "name": "Test Payment Functionality", "id": "WSTG-BUSL-10", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/10-Test-Payment-Functionality", "objectives": [ "Determine whether the business logic for the e-commerce functionality is robust.", "Understand how the payment functionality works.", "Determine whether the payment functionality is secure." ] } ] }, "Client-side Testing": { "id": "WSTG-CLNT", "tests": [ { "name": "Testing for DOM-Based Cross Site Scripting", "id": "WSTG-CLNT-01", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting", "objectives": [ "Identify DOM sinks.", "Build payloads that pertain to every sink type." 
], "cre_ids": [ "257-668", "065-388", "607-671" ] }, { "name": "Testing for JavaScript Execution", "id": "WSTG-CLNT-02", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/02-Testing_for_JavaScript_Execution", "objectives": [ "Identify sinks and possible JavaScript injection points." ], "cre_ids": [ "387-848", "317-743" ] }, { "name": "Testing for HTML Injection", "id": "WSTG-CLNT-03", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection", "objectives": [ "Identify HTML injection points and assess the severity of the injected content." ], "cre_ids": [ "542-445" ] }, { "name": "Testing for Client-side URL Redirect", "id": "WSTG-CLNT-04", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect", "objectives": [ "Identify injection points that handle URLs or paths.", "Assess the locations that the system could redirect to." ], "cre_ids": [ "232-217" ] }, { "name": "Testing for CSS Injection", "id": "WSTG-CLNT-05", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/05-Testing_for_CSS_Injection", "objectives": [ "Identify CSS injection points.", "Assess the impact of the injection." ], "cre_ids": [ "646-462" ] }, { "name": "Testing for Client-side Resource Manipulation", "id": "WSTG-CLNT-06", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/06-Testing_for_Client-side_Resource_Manipulation", "objectives": [ "Identify sinks with weak input validation.", "Assess the impact of the resource manipulation." 
] }, { "name": "Testing Cross Origin Resource Sharing", "id": "WSTG-CLNT-07", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing", "objectives": [ "Identify endpoints that implement CORS.", "Ensure that the CORS configuration is secure or harmless." ], "cre_ids": [ "316-272" ] }, { "name": "Testing for Cross Site Flashing", "id": "WSTG-CLNT-08", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/08-Testing_for_Cross_Site_Flashing", "objectives": [ "Decompile and analyze the application's code.", "Assess sink inputs and unsafe method usages." ] }, { "name": "Testing for Clickjacking", "id": "WSTG-CLNT-09", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking", "objectives": [ "Assess application vulnerability to clickjacking attacks." ], "cre_ids": [ "480-071" ] }, { "name": "Testing WebSockets", "id": "WSTG-CLNT-10", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets", "objectives": [ "Identify the usage of WebSockets.", "Assess its implementation by applying the same tests used on normal HTTP channels." ] }, { "name": "Testing Web Messaging", "id": "WSTG-CLNT-11", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/11-Testing_Web_Messaging", "objectives": [ "Assess the security of the message's origin.", "Validate that it's using safe methods and validating its input." 
] }, { "name": "Testing Browser Storage", "id": "WSTG-CLNT-12", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/12-Testing_Browser_Storage", "objectives": [ "Determine whether the site is storing sensitive data in client-side storage.", "Examine the code that handles the storage objects for injection possibilities, such as the use of unvalidated input or vulnerable libraries." ], "cre_ids": [ "046-257", "617-524", "455-358" ] }, { "name": "Testing for Cross Site Script Inclusion", "id": "WSTG-CLNT-13", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/13-Testing_for_Cross_Site_Script_Inclusion", "objectives": [ "Locate sensitive data across the system.", "Assess the leakage of sensitive data through various techniques." ] }, { "name": "Testing for Reverse Tabnabbing", "id": "WSTG-CLNT-14", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/14-Testing_for_Reverse_Tabnabbing", "objectives": [ "" ] }, { "name": "Testing for Client-side Template Injection", "id": "WSTG-CLNT-15", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/15-Testing_for_Client-Side_Template_Injection", "objectives": [ "Identify the client-side framework and its version used by the application.", "Detect injection points where user input is reflected into the DOM and processed by the template engine.", "Assess if the injection allows for arbitrary JavaScript execution (XSS) via the template syntax." 
] } ] }, "API Testing": { "id": "WSTG-APIT", "tests": [ { "name": "API Reconnaissance", "id": "WSTG-APIT-01", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/12-API_Testing/01-API_Reconnaissance", "objectives": [ "Find all API endpoints supported by the backend server code, documented or undocumented.", "Find all parameters for each endpoint supported by the backend server, documented or undocumented.", "Discover interesting data related to APIs in HTML and JavaScript sent to clients." ] }, { "name": "API Broken Object Level Authorization", "id": "WSTG-APIT-02", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization", "objectives": [ "The objective of this test is to identify whether the API enforces proper **object-level authorization** checks, ensuring that users can only access and manipulate objects they are authorized to interact with." ] }, { "name": "Testing for Excessive Data Exposure", "id": "WSTG-APIT-03", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/12-API_Testing/03-Testing_for_Excessive_Data_Exposure", "objectives": [ "Identify API responses that contain more data than what the client application displays or requires.", "Detect sensitive fields returned in API responses such as password hashes, authentication tokens, internal object IDs, PII, or infrastructure details.", "Determine whether the API relies on client-side filtering rather than server-side field selection to control data exposure." 
] }, { "name": "API Broken Function Level Authorization", "id": "WSTG-APIT-03", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/12-API_Testing/04-API_Broken_Function_Level_Authorization", "objectives": [ "The goal of this test is to determine if the API enforces **role or privilege-based access control** to restrict users from accessing or executing functions they are not authorized to use. This ensures that function-level security boundaries are properly enforced." ] }, { "name": "Testing GraphQL", "id": "WSTG-APIT-99", "reference": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/12-API_Testing/99-Testing_GraphQL", "objectives": [ "Assess that a secure and production-ready configuration is deployed.", "Validate all input fields against generic attacks.", "Ensure that proper access controls are applied." ] } ] } } }