Active Testing

The document outlines methodologies for active and passive testing of web applications, detailing 12 categories of active tests including information gathering, authentication, and input validation. It also describes passive testing techniques such as traffic analysis and vulnerability scanning. The OWASP Web Security Testing Guide (WSTG) serves as a comprehensive resource for testing web application security, providing practical methodologies and best practices to enhance security and identify vulnerabilities.

Uploaded by

gunjan37973
Active Testing

During active testing, a tester uses the methodologies described in the following sections.

The set of active tests has been split into 12 categories:

• Information gathering: This category involves collecting information about the target application and its environment, such as domain names, IP addresses, technologies, versions, or vulnerabilities. This helps to identify the attack surface and potential entry points for the testing.

• Configuration and deployment management: This category involves testing the configuration and deployment settings of the application and its components, such as servers, databases, or web services. This helps to identify any misconfigurations, insecure defaults, or outdated software that could compromise the security of the application.

• Identity management: This category involves testing the identity management functionality of the application, such as user registration, account management, password policy, or profile management. This helps to identify any weaknesses or flaws in the identity management process that could lead to unauthorized access or impersonation.

• Authentication: This category involves testing the authentication functionality of the application, such as login, logout, password recovery, or multi-factor authentication. This helps to identify any weaknesses or flaws in the authentication mechanism that could allow bypassing or compromising the authentication process.

• Authorization: This category involves testing the authorization functionality of the application, such as role-based access control, privilege escalation, or horizontal and vertical access control. This helps to identify any weaknesses or flaws in the authorization mechanism that could allow unauthorized access to, or manipulation of, data or functionality.

• Session management: This category involves testing the session management functionality of the application, such as session creation, maintenance, and termination, and its resistance to hijacking. This helps to identify any weaknesses or flaws in the session management mechanism that could allow stealing or manipulating the session tokens or cookies.

• Input validation: This category involves testing the input validation functionality of the application, such as data sanitization, encoding, or filtering. This helps to identify any weaknesses or flaws in the input validation mechanism that could allow injecting or executing malicious or unexpected inputs, such as SQL injection, XSS, or command injection.

• Error handling: This category involves testing the error handling functionality of the application, such as error messages, logs, or debug information. This helps to identify any weaknesses or flaws in the error handling mechanism that could reveal sensitive or useful information to attackers, such as stack traces, database queries, or system information.

• Cryptography: This category involves testing the cryptography functionality of the application, such as encryption, decryption, hashing, or digital signatures. This helps to identify any weaknesses or flaws in the cryptography mechanism that could allow breaking or compromising the confidentiality, integrity, or authenticity of the data or communication.

• Business logic: This category involves testing the business logic functionality of the application, such as workflows, transactions, or calculations. This helps to identify any weaknesses or flaws in the business logic that could allow bypassing or abusing the intended functionality or behavior of the application.

• Client-side: This category involves testing the client-side functionality of the application, such as JavaScript, HTML, CSS, or browser extensions. This helps to identify any weaknesses or flaws in the client-side mechanism that could allow modifying or compromising the user interface or experience of the application.

• API testing: This category involves testing the API functionality of the application, such as REST, SOAP, or GraphQL. This helps to identify any weaknesses or flaws in the API mechanism that could allow unauthorized access to, or manipulation of, the data or functionality exposed by the API.
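Added example (not from the original document) for the input validation category above: the same login check written with string concatenation, which a classic tautology probe bypasses, beside the parameterised form that an input validation test expects to find. The user table, its rows and the probe string are constructed sample data; passwords are stored in clear only to keep the sample short.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with one sample user (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' case: user input is spliced into the SQL text, so it is
    parsed as SQL rather than treated as data."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """The fixed case: bound parameters keep the input out of the SQL grammar."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both forms with a valid password and with the tautology probe;
    the hardened form must reject the probe."""
    conn = make_db()
    probe = "' OR '1'='1"          # constructed probe string
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_probe": login_vulnerable(conn, "alice", probe),   # True: bypass
        "hard_valid": login_hardened(conn, "alice", "correct-horse"),
        "hard_probe": login_hardened(conn, "alice", probe),     # False: rejected
    }
```

The difference is visible in the query text alone: with concatenation the probe turns the WHERE clause into `... AND password = '' OR '1'='1'`, which is always true.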

Passive Testing

During passive testing, a tester uses the methodologies described in the following sections:

Information Gathering and Reconnaissance:

• Gathering information about the target application through open-source intelligence (OSINT) techniques, such as searching for publicly available data, domain enumeration, and DNS analysis.

• Conducting reconnaissance to identify the technology stack, server information, and potential entry points.

Traffic Analysis and Monitoring:

• Capturing and analyzing network traffic using tools like Wireshark or tcpdump to understand communication patterns, identify potential vulnerabilities, and gather information without actively interacting with the application.

• Monitoring network logs, server logs, and error messages for any valuable insights.

Passive Vulnerability Scanning:

• Leveraging automated vulnerability scanning tools like Nikto or OpenVAS to passively scan the target application for known vulnerabilities.

• Analyzing the scan results to identify security weaknesses and potential attack vectors.

Application Mapping and Footprinting:

• Mapping the target application’s architecture, components, and endpoints through techniques like spidering, directory enumeration, and analyzing response headers.

• Footprinting to gather information about the application’s infrastructure, including IP ranges, subdomains, and publicly accessible resources.

Passive Information Disclosure:

• Identifying instances where sensitive information is inadvertently disclosed by the application, such as in HTTP response headers, error messages, or directory listings.

• Analyzing the impact of information disclosure and providing recommendations for mitigation.
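Added example (not part of the original document) for the traffic analysis and passive information disclosure items above: a small Python reviewer that reads an already captured HTTP response, without sending anything, and reports version-disclosing headers, missing hardening headers, and session cookies that lack the Secure, HttpOnly or SameSite attributes. The captured response, the header lists and the cookie names are constructed sample data.

```python
# Constructed sample response, as a tester might lift it from a tcpdump or
# Wireshark capture (not a real capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers whose values commonly leak product and version information
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
# Hardening headers a reviewer expects on an HTML response
REQUIRED_HEADERS = {"strict-transport-security", "content-security-policy",
                    "x-content-type-options"}
COOKIE_FLAGS = ("secure", "httponly", "samesite")


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP response; names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def review_response(raw):
    """List the findings a passive review of one response would record."""
    findings = []
    headers = parse_headers(raw)
    for name, value in headers:
        # A bare product name is low value; a version string is what gets reported
        if name in DISCLOSURE_HEADERS and any(c.isdigit() for c in value):
            findings.append(f"version disclosure: {name}: {value}")
        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
            missing = [f for f in COOKIE_FLAGS if f not in attrs]
            if missing:
                findings.append(f"cookie {cookie} missing {', '.join(missing)}")
    present = {n for n, _ in headers}
    for req in sorted(REQUIRED_HEADERS - present):
        findings.append(f"missing security header: {req}")
    return findings
```

On the sample response this reports the Apache and PHP versions, the unprotected PHPSESSID cookie, and three absent hardening headers, while the correctly flagged theme cookie produces nothing.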

The Web Security Testing Guide (WSTG) is a comprehensive resource that provides guidance on testing the security of web applications. It covers various categories of testing scenarios, methods, tools, and resources. Here are some examples for each category:

Information Gathering:

• Scenario: Identify subdomains of the target application.
• Method: Use DNS enumeration techniques like brute-forcing or querying DNS servers.
• Tool: Sublist3r, dnsenum, or Knockpy.
• Resource: OWASP Amass, a tool for gathering information about the target application.

Configuration and Deployment Management Testing:

• Scenario: Test for default credentials on web servers or administration panels.
• Method: Use common default username and password combinations.
• Tool: Burp Suite, Hydra, or Metasploit.
• Resource: Default Password List by OpenWall.

Identity Management Testing:

• Scenario: Test for insecure or weak authentication mechanisms.
• Method: Try common password guessing techniques like brute-forcing or dictionary attacks.
• Tool: Burp Suite, Hydra, or OWASP ZAP.
• Resource: The SecLists project, a collection of various wordlists for password cracking.

Authentication Testing:

• Scenario: Test for vulnerabilities in the authentication process.
• Method: Attempt to bypass authentication mechanisms or test for weak password policies.
• Tool: Burp Suite, OWASP ZAP, or sqlmap.
• Resource: OWASP Authentication Cheat Sheet.

Authorization Testing:

• Scenario: Test for flaws in the authorization mechanisms.
• Method: Attempt to access resources or perform actions that should be restricted.
• Tool: Burp Suite, OWASP ZAP, or sqlmap.
• Resource: OWASP Authorization Cheat Sheet.

Session Management Testing:

• Scenario: Test for vulnerabilities related to session management.
• Method: Check for session fixation, session hijacking, or session timeout issues.
• Tool: Burp Suite, OWASP ZAP, or Wireshark.
• Resource: OWASP Session Management Cheat Sheet.

Input Validation Testing:

• Scenario: Test for insecure or insufficient input validation.
• Method: Submit malicious input to test for vulnerabilities like SQL injection or Cross-Site Scripting (XSS).
• Tool: Burp Suite, OWASP ZAP, or sqlmap.
• Resource: OWASP Input Validation Cheat Sheet.

Testing for Error Handling:

• Scenario: Test for improper error handling that may leak sensitive information.
• Method: Submit intentionally malformed input to trigger error conditions.
• Tool: Burp Suite, OWASP ZAP, or curl.
• Resource: OWASP Error Handling Cheat Sheet.

Conclusion

The OWASP Web Security Testing Guide (WSTG) is an invaluable resource that provides practical methodologies and best practices for enhancing web application security. By following the guidance outlined in the WSTG, organizations can identify vulnerabilities, improve their security posture, and protect sensitive data. The WSTG emphasizes documentation, ongoing learning, and proactive security practices, enabling a more secure web environment.
