OWASP Web Security Testing Guide

Information Gathering

• Conduct Search Engine Discovery Reconnaissance for Information Leakage WSTG-INFO-01
• Fingerprint Web Server WSTG-INFO-02
• Review Webserver Metafiles for Information Leakage WSTG-INFO-03
• Enumerate Applications on Webserver WSTG-INFO-04
• Review Web Page Content for Information Leakage WSTG-INFO-05
• Identify Application Entry Points WSTG-INFO-06
• Map Execution Paths Through Application WSTG-INFO-07
• Fingerprint Web Application Framework WSTG-INFO-08
• Fingerprint Web Application WSTG-INFO-09
• Map Application Architecture WSTG-INFO-10

Configuration and Deployment Management Testing

• Test Network Infrastructure Configuration WSTG-CONF-01
• Test Application Platform Configuration WSTG-CONF-02
• Test File Extensions Handling for Sensitive Information WSTG-CONF-03
• Review Old Backup and Unreferenced Files for Sensitive Information WSTG-CONF-04
• Enumerate Infrastructure and Application Admin Interfaces WSTG-CONF-05
• Test HTTP Methods WSTG-CONF-06
• Test HTTP Strict Transport Security WSTG-CONF-07
• Test RIA Cross Domain Policy WSTG-CONF-08
• Test File Permission WSTG-CONF-09
• Test for Subdomain Takeover WSTG-CONF-10
• Test Cloud Storage WSTG-CONF-11
• Testing for Content Security Policy WSTG-CONF-12
• Test Path Confusion WSTG-CONF-13
• Test Other HTTP Security Header Misconfigurations WSTG-CONF-14

Identity Management Testing

• Test Role Definitions WSTG-IDNT-01
• Test User Registration Process WSTG-IDNT-02
• Test Account Provisioning Process WSTG-IDNT-03
• Testing for Account Enumeration and Guessable User Account WSTG-IDNT-04
• Testing for Weak or Unenforced Username Policy WSTG-IDNT-05

Authentication Testing

• Testing for Credentials Transported over an Encrypted Channel WSTG-ATHN-01
• Testing for Default Credentials WSTG-ATHN-02
• Testing for Weak Lock Out Mechanism WSTG-ATHN-03
• Testing for Bypassing Authentication Schema WSTG-ATHN-04
• Testing for Vulnerable Remember Password WSTG-ATHN-05
• Testing for Browser Cache Weaknesses WSTG-ATHN-06
• Testing for Weak Authentication Methods WSTG-ATHN-07
• Testing for Weak Security Question Answer WSTG-ATHN-08
• Testing for Weak Password Change or Reset Functionalities WSTG-ATHN-09
• Testing for Weaker Authentication in Alternative Channel WSTG-ATHN-10
• Testing Multi-Factor Authentication (MFA) WSTG-ATHN-11

Authorization Testing

• Testing Directory Traversal File Include WSTG-ATHZ-01
• Testing for Bypassing Authorization Schema WSTG-ATHZ-02
• Testing for Privilege Escalation WSTG-ATHZ-03
• Testing for Insecure Direct Object References WSTG-ATHZ-04
• Testing for OAuth Weaknesses WSTG-ATHZ-05

Session Management Testing

• Testing for Session Management Schema WSTG-SESS-01
• Testing for Cookies Attributes WSTG-SESS-02
• Testing for Session Fixation WSTG-SESS-03
• Testing for Exposed Session Variables WSTG-SESS-04
• Testing for Cross Site Request Forgery WSTG-SESS-05
• Testing for Logout Functionality WSTG-SESS-06
• Testing Session Timeout WSTG-SESS-07
• Testing for Session Puzzling WSTG-SESS-08
• Testing for Session Hijacking WSTG-SESS-09
• Testing JSON Web Tokens WSTG-SESS-10
• Testing for Concurrent Sessions WSTG-SESS-11

Input Validation Testing

• Testing for Reflected Cross-Site Scripting WSTG-INPV-01
• Testing for Stored Cross Site Scripting WSTG-INPV-02
• Testing for HTTP Verb Tampering WSTG-INPV-03
• Testing for HTTP Parameter Pollution WSTG-INPV-04
• Testing for SQLi WSTG-INPV-05
• Testing for LDAP Injection WSTG-INPV-06
• Testing for XML Injection WSTG-INPV-07
• Testing for SSI Injection WSTG-INPV-08
• Testing for XPath Injection WSTG-INPV-09
• Testing for IMAP SMTP Injection WSTG-INPV-10
• Testing for Code Injection WSTG-INPV-11
• Testing for Command Injection WSTG-INPV-12
• Testing for Buffer Overflow WSTG-INPV-13
• Testing for Format String Injection WSTG-INPV-13
• Testing for Incubated Vulnerability WSTG-INPV-14
• Testing for HTTP Splitting Smuggling WSTG-INPV-15
• Testing for HTTP Incoming Requests WSTG-INPV-16
• Testing for Host Header Injection WSTG-INPV-17
• Testing for Server-side Template Injection WSTG-INPV-18
• Testing for Server Side Request Forgery WSTG-INPV-19
• Testing for Mass Assignment WSTG-INPV-20

Testing for Error Handling

• Testing for Improper Error Handling WSTG-ERRH-01
• Testing for Stack Traces WSTG-ERRH-02

Testing for Weak Cryptography

• Testing for Weak Transport Layer Security WSTG-CRYP-01
• Testing for Padding Oracle WSTG-CRYP-02
• Testing for Sensitive Information Sent via Unencrypted Channels WSTG-CRYP-03
• Testing for Weak Encryption WSTG-CRYP-04

Business Logic Testing

• Test Business Logic Data Validation WSTG-BUSL-01
• Test Ability to Forge Requests WSTG-BUSL-02
• Test Integrity Checks WSTG-BUSL-03
• Test for Process Timing WSTG-BUSL-04
• Test Number of Times a Function Can Be Used Limits WSTG-BUSL-05
• Testing for the Circumvention of Work Flows WSTG-BUSL-06
• Test Defenses Against Application Misuse WSTG-BUSL-07
• Test Upload of Unexpected File Types WSTG-BUSL-08
• Test Upload of Malicious Files WSTG-BUSL-09
• Test Payment Functionality WSTG-BUSL-10

Client Side Testing

• Testing for DOM-Based Cross Site Scripting WSTG-CLNT-01
• Testing for JavaScript Execution WSTG-CLNT-02
• Testing for HTML Injection WSTG-CLNT-03
• Testing for Client-side URL Redirect WSTG-CLNT-04
• Testing for CSS Injection WSTG-CLNT-05
• Testing for Client-side Resource Manipulation WSTG-CLNT-06
• Testing Cross Origin Resource Sharing WSTG-CLNT-07
• Testing for Cross Site Flashing WSTG-CLNT-08
• Testing for Clickjacking WSTG-CLNT-09
• Testing WebSockets WSTG-CLNT-10
• Testing Web Messaging WSTG-CLNT-11
• Testing Browser Storage WSTG-CLNT-12
• Testing for Cross Site Script Inclusion WSTG-CLNT-13
• Testing for Reverse Tabnabbing WSTG-CLNT-14

API Testing

• API Reconnaissance WSTG-APIT-01
• Testing GraphQL WSTG-APIT-99