OWASP Testing Checklist
com/company/hackingarticles

Each entry gives the WSTG test ID and name, the objective of the test, suggested tools, and the OWASP Top 10 category and CWE IDs recorded in the checklist. NA means the checklist records no mapping for that test.

Information Gathering

WSTG-INFO-01 Conduct Search Engine Discovery Reconnaissance for Information Leakage
  Objective: Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization's website) or indirectly (via third-party services).
  Tools: Google, Bing, Shodan, Common Crawl
  OWASP Top 10: NA
  CWE: NA

WSTG-INFO-02 Fingerprint Web Server
  Objective: Determine the version and type of the running web server to enable further discovery of any known vulnerabilities.
  Tools: Netcraft, Nikto2, Nmap, Zenmap
  OWASP Top 10: A5
  CWE: CWE-756

WSTG-INFO-03 Review Webserver Metafiles for Information Leakage
  Objective: Identify hidden or obfuscated paths and functionality through the analysis of metadata files.
  Tools: Browser, curl
  OWASP Top 10: A1
  CWE: CWE-200, CWE-540

WSTG-INFO-08 Fingerprint Web Application Framework
  Objective: Fingerprint the components being used by the web application.
  Tools: WhatWeb, Wappalyzer

WSTG-INFO-09 Fingerprint Web Application
  Objective: Identify the web application and its version to determine known vulnerabilities and the appropriate exploits.
  Tools: WhatWeb, BlindElephant, Wappalyzer, CMSmap
  OWASP Top 10: A6
  CWE: CWE-1352

WSTG-INFO-10 Map Application Architecture
  Objective: Understand the architecture of the application and the technologies in use.
  Tools: Browser, curl, wget
  OWASP Top 10: NA
  CWE: NA

Authentication Testing

WSTG-ATHN-01 Testing for Credentials Transported over an Encrypted Channel
  Objective: Check whether the referrer is HTTP or HTTPS. Check whether data is sent over HTTP or over HTTPS.
  Tools: Burp Proxy, ZAP

WSTG-ATHN-02 Testing for Default Credentials
  Objective: Determine whether the application has any user accounts with default passwords.
  Tools: Burp Intruder, THC Hydra, Nikto 2
  OWASP Top 10: A7
  CWE: CWE-1391, CWE-1392

WSTG-ATHN-03 Testing for Weak Lock Out Mechanism
  Objective: Evaluate the account lockout mechanism's ability to mitigate brute force password guessing.
  Tools: Browser
  OWASP Top 10: A7
  CWE: CWE-307

WSTG-ATHN-04 Testing for Bypassing Authentication Schema
  Objective: Ensure that authentication is applied across all services that require it.
  Tools: WebGoat, OWASP Zed Attack Proxy
  OWASP Top 10: A7
  CWE: CWE-287, CWE-288

WSTG-ATHN-07 Testing for Weak Password Policy
  Objective: Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords.
  Tools: Burp Proxy, ZAP, Hydra
  OWASP Top 10: A7
  CWE: CWE-521

WSTG-ATHN-08 Testing for Weak Security Question Answer
  Objective: Determine the complexity and how straightforward the questions are. Assess possible user answers and brute force capabilities.
  Tools: Browser
  OWASP Top 10: A7
  CWE: CWE-640

WSTG-ATHN-09 Testing for Weak Password Change or Reset Functionalities
  Objective: Determine whether the password change and reset functionality allows accounts to be compromised.
  Tools: Browser, Burp Proxy, ZAP
  OWASP Top 10: A7
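As an added example, not code from the checklist or from any of the tools it lists, the two passive information-gathering steps above done in the Python standard library: fingerprinting a web server from the headers of a captured response (WSTG-INFO-02) and pulling candidate hidden paths out of a robots.txt metafile (WSTG-INFO-03). The response, the robots.txt body and the host example.test are constructed sample input, and the table of platform-revealing cookie names is an assumption about common framework defaults.

```python
"""Added example (WSTG-INFO-02 / WSTG-INFO-03): passive fingerprinting from a captured
HTTP response and candidate-path extraction from robots.txt. All input is constructed."""
import re
from urllib.parse import urljoin

# Constructed sample: a raw HTTP/1.1 response as an intercepting proxy would show it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample robots.txt: Disallow entries are the leads the test is after.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/
Sitemap: https://example.test/sitemap.xml
"""

# Assumed default session-cookie names that identify the application platform.
COOKIE_FINGERPRINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "CFID": "ColdFusion",
}


def parse_headers(raw: str):
    """Split a raw response into (status line, dict of lower-cased header name -> list of values)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def fingerprint(raw: str) -> dict:
    """Collect what the response gives away: server product and version, runtime, platform."""
    _, headers = parse_headers(raw)
    result = {}
    if "server" in headers:
        banner = headers["server"][0]
        result["server"] = banner
        match = re.search(r"([A-Za-z-]+)/(\d+(?:\.\d+)*)", banner)
        if match:
            result["server_product"], result["server_version"] = match.group(1), match.group(2)
    if "x-powered-by" in headers:
        result["powered_by"] = headers["x-powered-by"][0]
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        if name in COOKIE_FINGERPRINTS:
            result["platform_from_cookie"] = COOKIE_FINGERPRINTS[name]
    return result


def robots_paths(robots_txt: str, base: str = "https://example.test/"):
    """Return (absolute URLs of Disallow entries, Sitemap URLs) from a robots.txt body."""
    disallowed, sitemaps = [], []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "disallow" and value:
            disallowed.append(urljoin(base, value))
        elif key.lower() == "sitemap":
            sitemaps.append(value)
    return disallowed, sitemaps


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
    print(robots_paths(SAMPLE_ROBOTS))
```

The Disallow list is only a starting point: each path still has to be requested (and the sitemap fetched) to confirm it exists, and a version string in a banner is a claim to be checked against a second source before a known-vulnerability search is trusted.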
Session Management Testing

WSTG-SESS-01 Testing for Session Management Schema
  Objective: Gather session tokens, for the same user and for different users where possible. Analyze them and ensure that enough randomness exists to stop session forging attacks.
  Tools: OWASP Zed Attack Proxy Project (ZAP), which features a session token analysis mechanism; Burp Sequencer; YEHG's JHijack
  OWASP Top 10: A2
  CWE: CWE-315, CWE-330, CWE-539, CWE-694

WSTG-SESS-02 Testing for Cookies Attributes
  Objective: Ensure that the proper security configuration is set for cookies.
  Tools: OWASP Zed Attack Proxy Project; intercepting web proxy (Burp Suite, Tamper Data for Firefox Quantum); browser plug-ins ("FireSheep" for Firefox, "EditThisCookie" for Chrome, "Cookiebro - Cookie Manager" for Firefox)
  OWASP Top 10: A5
  CWE: CWE-16, CWE-523, CWE-614, CWE-1004, CWE-1275

WSTG-SESS-03 Testing for Session Fixation
  Objective: Analyze the authentication mechanism and its flow. Force cookies and assess the impact.
  Tools: OWASP ZAP, Burp Proxy
  OWASP Top 10: A7
  CWE: CWE-384

WSTG-SESS-04 Testing for Exposed Session Variables
  Objective: Ensure that proper encryption is implemented. Review the caching configuration. Assess the security of the channel and methods.
  Tools: OWASP ZAP, Burp Proxy
  OWASP Top 10: A7
  CWE: CWE-598

WSTG-SESS-05 Testing for Cross Site Request Forgery
  Objective: Determine whether it is possible to initiate requests on a user's behalf that are not initiated by the user.
  Tools: OWASP ZAP, CSRF Tester, Pinata-csrf-tool
  OWASP Top 10: A1
  CWE: CWE-352

WST-SESS-06 Testing for Logout Functionality
  Objective: Assess the logout UI. Analyze the session timeout and whether the session is properly killed after logout.
  Tools: Burp Suite - Repeater
  OWASP Top 10: A7
  CWE: CWE-613

WSTG-SESS-07 Testing Session Timeout
  Objective: Validate that a hard session timeout exists; after the timeout has passed, all session tokens should be destroyed or be unusable.
  Tools: ZAP
  OWASP Top 10: A7
  CWE: CWE-613

WSTG-SESS-08 Testing for Session Puzzling
  Objective: Identify all session variables. Break the logical flow of session generation.
  Tools: Burp Proxy, ZAP
  OWASP Top 10: A7
  CWE: CWE-841

WSTG-SESS-09 Testing for Session Hijacking
  Objective: Identify vulnerable session cookies. Hijack vulnerable cookies and assess the risk level.
  Tools: JHijack, ZAP, Burp Proxy
  OWASP Top 10: A2

WSTG-SESS-10 Testing JSON Web Tokens
  Objective: Determine whether the JWTs expose sensitive information. Determine whether the JWTs can be tampered with or modified.
  Tools: John the Ripper, jwt2john, jwt-cracker, JSON Web Tokens Burp Extension, ZAP JWT Add-on
  OWASP Top 10: A4, A7
  CWE: CWE-345, CWE-757, CWE-798

Configuration and Deployment Management Testing

WSTG-CONF-01 Test Network Infrastructure Configuration
  Objective: Review the applications' configurations set across the network and validate that they are not vulnerable.
  Tools: Nessus
  OWASP Top 10: A1, A5, A6
  CWE: CWE-284, CWE-1349, CWE-1352

WSTG-CONF-02 Test Application Platform Configuration
  Objective: Ensure that defaults and known files have been removed. Validate that no debugging code or extensions are left in the production environments.
  Tools: Browser, Nikto2
  OWASP Top 10: A5, A9
  CWE: CWE-13, CWE-117, CWE-200, CWE-201, CWE-223, CWE-489, CWE-532, CWE-548, CWE-651, CWE-778

WSTG-CONF-03 Test File Extensions Handling for Sensitive Information
  Objective: Dirbust sensitive file extensions, or extensions that might contain raw data (e.g. scripts, raw data, credentials, etc.).
  Tools: wget, curl, search the web for "web mirroring tools"
  OWASP Top 10: A1
  CWE: CWE-200, CWE-425, CWE-552

WSTG-CONF-04 Review Old Backup and Unreferenced Files for Sensitive Information
  Objective: Find and analyse unreferenced files that might contain sensitive information.
  Tools: Nessus, Nikto2, wget, Wget for Windows, Sam Spade

WSTG-CONF-08 Test RIA Cross Domain Policy
  Objective: Analyse the permissions allowed by the policy files (crossdomain.xml/clientaccesspolicy.xml) and allow-access-from.
  Tools: ZAP, Nikto2
  OWASP Top 10: A5
  CWE: CWE-942

WSTG-CONF-09 Test File Permission
  Objective: Review and identify any rogue file permissions.
  Tools: Windows AccessEnum, Windows AccessChk, Linux namei
  OWASP Top 10: A1, A5
  CWE: CWE-552, CWE-732

WSTG-CONF-10 Test for Subdomain Takeover
  Objective: Enumerate all possible domains (previous and current). Identify forgotten or misconfigured domains.
  Tools: dig, recon-ng, theHarvester, Sublist3r, dnsrecon
  OWASP Top 10: NA
  CWE: CWE-673

WSTG-CONF-11 Test Cloud Storage
  Objective: Assess that the access control configuration for the storage services is properly in place.
  Tools: AWS CLI
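Added example for WSTG-SESS-10 above, written for this page and not taken from the checklist or from any of the JWT tools it lists: a minimal HS256 JWT inspector in the Python standard library. It decodes a token without verifying it, reports the weaknesses the test looks for (unsigned alg=none tokens, missing or past exp, sensitive claims readable in the payload), forges an alg=none token with an elevated role the way a tester would, and shows a verifier that pins the algorithm and rejects the forgery. The secret, the claims and the timestamps are constructed.

```python
"""Added example (WSTG-SESS-10): inspect, tamper with and verify HS256 JSON Web Tokens
using only the standard library. Secret, claims and timestamps are constructed."""
import base64
import hashlib
import hmac
import json

SAMPLE_SECRET = b"constructed-demo-secret"   # assumed server-side HMAC key
FIXED_NOW = 1_700_000_000                    # fixed "current time" so results do not drift
FAR_FUTURE = 4_102_444_800                   # 2100-01-01, a token that has not expired
SENSITIVE_CLAIMS = {"password", "ssn", "email", "secret", "credit_card"}


def b64url_encode(data: bytes) -> str:
    """JWT segments are unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256(payload: dict, secret: bytes) -> str:
    """Issue a correctly signed token (stands in for the application under test)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str):
    """First step of the test: read header and payload without checking the signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)), sig_b64


def audit(token: str, now: float = FIXED_NOW) -> list:
    """Findings the checklist item asks for: information exposure and tamperability."""
    header, payload, sig_b64 = decode_unverified(token)
    findings = []
    if str(header.get("alg", "")).lower() == "none" or not sig_b64:
        findings.append("unsigned token (alg=none): anyone can mint one")
    if "exp" not in payload:
        findings.append("no exp claim: token never expires")
    elif payload["exp"] < now:
        findings.append("token already expired")
    leaked = sorted(SENSITIVE_CLAIMS & set(payload))
    if leaked:
        findings.append("sensitive claims readable in payload: " + ", ".join(leaked))
    return findings


def forge_alg_none(token: str, **changes) -> str:
    """Tamper step: keep the claims, edit some, switch alg to none, drop the signature."""
    _, payload, _ = decode_unverified(token)
    payload.update(changes)
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def verify_hs256(token: str, secret: bytes, now: float = FIXED_NOW) -> bool:
    """Hardened verifier: pin the algorithm, recompute the MAC, compare in constant time, enforce exp."""
    header, payload, sig_b64 = decode_unverified(token)
    if header.get("alg") != "HS256":
        return False
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False
    return isinstance(payload.get("exp"), (int, float)) and payload["exp"] > now


# Constructed token as the application might issue it: a role plus an e-mail address in the payload.
SAMPLE_TOKEN = make_hs256(
    {"sub": "alice", "role": "user", "email": "alice@example.test", "exp": FAR_FUTURE},
    SAMPLE_SECRET,
)

if __name__ == "__main__":
    forged = forge_alg_none(SAMPLE_TOKEN, role="admin")
    print("issued token findings :", audit(SAMPLE_TOKEN))
    print("forged token findings :", audit(forged))
    print("verifier accepts forged?", verify_hs256(forged, SAMPLE_SECRET))
    print("verifier accepts issued?", verify_hs256(SAMPLE_TOKEN, SAMPLE_SECRET))
```

The forged token is what you submit to the real endpoint: if the application accepts it, its verifier takes the algorithm from the token's own header instead of pinning it. A token that fails the forgery is still worth handing to jwt2john or jwt-cracker, since a guessable HMAC secret (CWE-798) lets an attacker sign whatever claims they like.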
Authorization Testing

WSTG-ATHZ-01 Testing Directory Traversal File Include
  Objective: Identify injection points that pertain to path traversal. Assess bypassing techniques and identify the extent of path traversal.
  Tools: DotDotPwn, Path Traversal Fuzz Strings, OWASP ZAP, Burp Suite, encoding/decoding tools, string searcher ("grep"), DirBuster
  OWASP Top 10: A1
  CWE: CWE-22, CWE-23, CWE-35, CWE-829

WSTG-ATHZ-02 Testing for Bypassing Authorization Schema
  Objective: Assess if horizontal or vertical access is possible.
  Tools: ZAP add-on: Access Control Testing; Burp extension: AuthMatrix; Burp extension: Autorize; PortSwigger Burp Suite
  OWASP Top 10: A1
  CWE: CWE-285, CWE-732, CWE-862, CWE-863

WSTG-ATHZ-03 Testing for Privilege Escalation
  Objective: Identify injection points related to privilege manipulation. Fuzz or otherwise attempt to bypass security measures.
  Tools: OWASP Zed Attack Proxy (ZAP)
  OWASP Top 10: A1
  CWE: CWE-269

WSTG-ATHZ-04 Testing for Insecure Direct Object References
  Objective: Identify points where object references may occur. Assess the access control measures and whether they are vulnerable to IDOR.
  Tools: Burp Proxy (Autorize), ZAP
  OWASP Top 10: A1
  CWE: CWE-639

WSTG-ATHZ-05 Testing for OAuth Weaknesses
  Objective: Determine if the OAuth2 implementation is vulnerable or uses a deprecated or custom implementation.
  Tools: Burp Suite, OWASP ZAP, EsPReSSO
  OWASP Top 10: A1
  CWE: CWE-290, CWE-345, CWE-798
  Sub-tests (WSTG-ATHZ-NA):
    Testing for OAuth Client Weaknesses. Objective: Identify weaknesses in the OAuth client. Tools: Burp Suite, EsPReSSO, OWASP ZAP. OWASP Top 10: A1. CWE: NA
    Testing for OAuth Authorization Server Weaknesses. Objective: Identify weaknesses in the Authorization Server. Tools: Burp Suite, EsPReSSO, OWASP ZAP. OWASP Top 10: A1. CWE: NA

Identity Management Testing

WSTG-IDNT-01 Test Role Definitions
  Objective: Identify and document the roles used by the application. Attempt to switch, change, or access another role.
  Tools: Burp's Autorize extension, ZAP's Access Control Testing add-on
  OWASP Top 10: A4
  CWE: CWE-266, CWE-269

WSTG-IDNT-02 Test User Registration Process
  Objective: Verify that the identity requirements for user registration are aligned with business and security requirements. Validate the registration process.
  Tools: HTTP proxy tools
  OWASP Top 10: A4
  CWE: CWE-419

WSTG-IDNT-03 Test Account Provisioning Process
  Objective: Verify which accounts may provision other accounts, and of what type.
  Tools: Burp Proxy, ZAP, HTTP proxy tools
  OWASP Top 10: A4
  CWE: CWE-269, CWE-280

WSTG-IDNT-04 Testing for Account Enumeration and Guessable User Account
  Objective: Review processes that pertain to user identification (e.g. registration, login, etc.). Enumerate users where possible through response analysis.
  Tools: OWASP Zed Attack Proxy (ZAP), curl, PERL
  OWASP Top 10: A7
  CWE: CWE-204

WSTG-IDNT-05 Testing for Weak or Unenforced Username Policy
  Objective: Determine whether a consistent account name structure renders the application vulnerable to account enumeration.
  Tools: Browser, Burp Proxy, ZAP
  OWASP Top 10: A7
  CWE: CWE-204

Input Validation Testing

WSTG-INPV-03 Testing for HTTP Verb Tampering
  Objective: Craft custom HTTP requests to test whether the other methods bypass URL authentication and authorization.
  Tools: netcat
  OWASP Top 10: NA
  CWE: NA

WSTG-INPV-04 Testing for HTTP Parameter Pollution
  Objective: Identify the backend and the parsing method used. Assess injection points and try bypassing input filters using HPP.
  Tools: OWASP ZAP passive/active scanner
  OWASP Top 10: A3
  CWE: CWE-235

WSTG-INPV-05 Testing for SQL Injection
  Objective: Identify SQL injection points. Assess the severity of the injection and the level of access that can be achieved through it.
  Tools: Fuzzdb; sqlbftools; sqlmap, automatic SQL injection tool (Bernardo Damele A. G.); MySqloit, MySQL injection takeover tool (Muhaimin Dzulfakar); Multiple DBMS SQL Injection tool (Francois Larouche); Reversing.org - sqlbftools
  OWASP Top 10: A3
  CWE: CWE-89
  Database-specific sub-tests and tools:
    Testing for Oracle: Orascan, NGS SQuirreL
    Testing for MySQL: sqlmap, MySqloit
    Testing for SQL Server: sqlmap
    Testing PostgreSQL: SQLMap
    Testing for MS Access: SQLMap
    Testing for NoSQL Injection: NoSQLMap
    Testing for ORM Injection: SQLMap
    Testing for Client-side: SQLMap

WSTG-INPV-06 Testing for LDAP Injection
  Objective: Identify LDAP injection points. Assess the severity of the injection.
  Tools: Softerra LDAP Browser
  OWASP Top 10: A3

WSTG-INPV-07 Testing for XML Injection
  Objective: Identify XML injection points. Assess the types of exploits that can be attained and their severities.
  Tools: XML Injection Fuzz Strings (from the wfuzz tool)
  OWASP Top 10: A5
  CWE: CWE-91, CWE-611, CWE-652

WSTG-INPV-08 Testing for SSI Injection
  Objective: Identify SSI injection points. Assess the severity of the injection.
  Tools: Web proxy (Burp Suite), OWASP ZAP, string searcher (grep)
  OWASP Top 10: A3
  CWE: CWE-97

WSTG-INPV-09 Testing for XPath Injection
  Objective: Identify XPath injection points.
  OWASP Top 10: A3
  CWE: CWE-91, CWE-643

WSTG-INPV-10 Testing for IMAP SMTP Injection
  Objective: Identify IMAP/SMTP injection points. Understand the data flow and deployment structure of the system. Assess the injection impacts.
  OWASP Top 10: A3

WSTG-INPV-13 Testing for Format String Injection
  Objective: Assess whether injecting format string conversion specifiers into user-controlled fields causes undesired behavior from the application.
  OWASP Top 10: A3
  CWE: CWE-134

WSTG-INPV-14 Testing for Incubated Vulnerability
  Objective: Identify injections that are stored and require a recall step to the stored injection.
  Tools: XSS-proxy, OWASP Zed Attack Proxy (ZAP), Burp Suite, Metasploit
  OWASP Top 10: A3
  CWE: CWE-79, CWE-434, CWE-1236

WSTG-INPV-15 Testing for HTTP Splitting Smuggling
  Objective: Assess if the application is vulnerable to splitting, identifying what possible attacks are achievable.
  Tools: netcat
  OWASP Top 10: A3
  CWE: CWE-93, CWE-113, CWE-444

WSTG-INPV-16 Testing for HTTP Incoming Requests
  Objective: Monitor all incoming and outgoing HTTP requests to the web server to inspect any suspicious requests.
  Tools: Fiddler, TCPProxy, Charles Web Debugging Proxy, WireShark, PowerEdit-Pcap, Ostinato
  OWASP Top 10: NA
  CWE: NA

WSTG-INPV-17 Testing for Host Header Injection
  Objective: Assess if the Host header is being parsed dynamically in the application. Bypass security controls that rely on the header.
  OWASP Top 10: A4
  CWE: CWE-74, CWE-116

WSTG-INPV-18 Testing for Server-side Template Injection
  Objective: Detect template injection vulnerability points. Identify the templating engine.
  Tools: Tplmap, Backslash Powered Scanner Burp Suite extension, template expression test strings/payloads list
  OWASP Top 10: A3
  CWE: CWE-1336

WSTG-INPV-19 Testing for Server-Side Request Forgery
  Objective: Identify SSRF injection points. Test if the injection points are exploitable.
  Tools: Burp Proxy, ZAP
  OWASP Top 10: A10
  CWE: CWE-918

WSTG-INPV-20 Testing for Mass Assignment
  Objective: Identify requests that modify objects. Assess if it is possible to modify fields never intended to be modified from outside.
  Tools: Burp Proxy, ZAP
  OWASP Top 10: A4
  CWE: CWE-915

Entry whose title is cut off at the top of this page: CWE: CWE-77, CWE-78

Error Handling

WSTG-ERRH-01 Testing for Improper Error Handling
  Objective: Identify existing error output. Analyze the different output returned.
  OWASP Top 10: A5
  CWE: CWE-209, CWE-210, CWE-431, CWE-497

Cryptography

WSTG-CRYP-02 Testing for Padding Oracle
  Objective: Identify encrypted messages that rely on padding. Attempt to break the padding of the encrypted messages and analyze the returned error messages for further analysis.
  OWASP Top 10: A2
  CWE: CWE-261

Business Logic Testing

Testing for the Circumvention of Work Flows
  (entry cut off at the end of this page)