
OWASP Testing Guide Checklist

Information Gathering
Test Name | Objectives | Status | Notes | Tools Used
WSTG-INFO-01 | - Identify | Not Started | TBD | TBD
WSTG-INFO-02 | - Determine | Not Started | TBD | TBD
WSTG-INFO-03 | - Identify hidden or obfuscated paths and functionality through the analysis of metadata files. - Extract and map other information that could lead to a better understanding of the systems | Not Started | TBD | TBD
WSTG-INFO-04 | - Enumerate | Not Started | TBD | TBD
WSTG-INFO-05 | - Gather JavaScript files and review the JS code to better understand the application and to fi - Identify if source map files or other frontend debug files exist. | Not Started | TBD | TBD
WSTG-INFO-06 | - Identify | Not Started | TBD | TBD
WSTG-INFO-07 | - Map the t | Not Started | TBD | TBD
WSTG-INFO-08 | - Fingerpri | Not Started | TBD | TBD
WSTG-INFO-09 | | Not Started | TBD | TBD
WSTG-INFO-10 | - Understan | Not Started | TBD | TBD
Configuration and Deployment Management Testing
Test Name | Objectives | Status | Notes | Tools Used
WSTG-CONF-01 | - Review the applications' configurations set across the network and validate that they are no - Validate that used frameworks and systems are secure and not susceptible to known vulner | Not Started | TBD | TBD
WSTG-CONF-02 | - Validate that no debugging code or extensions are left in the production environments. - Review the logging mechanisms set in place for the application. | Not Started | TBD | TBD
WSTG-CONF-03 | - Brute force sensitive file extensions that might contain raw data such as scripts, credentials - Validate that no system framework bypasses exist for the rules that have been set | Not Started | TBD | TBD
WSTG-CONF-04 | - Find and | Not Started | TBD | TBD
WSTG-CONF-05 | - Identify | Not Started | TBD | TBD
WSTG-CONF-06 | - Test for access control bypass. - Test HTTP method overriding techniques. | Not Started | TBD | TBD
WSTG-CONF-07 | - Review th | Not Started | TBD | TBD
WSTG-CONF-08 | | Not Started | TBD | TBD
WSTG-CONF-09 | - Review an | Not Started | TBD | TBD
WSTG-CONF-10 | - Enumerate all possible domains (previous and current). - Identify any forgotten or misconfigured domains. | Not Started | TBD | TBD
WSTG-CONF-11 | - Assess th | Not Started | TBD | TBD
WSTG-CONF-12 | - Review th | Not Started | TBD | TBD
WSTG-CONF-13 | - Make sure | Not Started | TBD | TBD
Identity Management Testing
Test Name | Objectives | Status | Notes | Tools Used
WSTG-IDNT-01 | - Attempt to switch, change, or access another role. - Review the granularity of the roles and the needs behind the permissions given. | Not Started | TBD | TBD
WSTG-IDNT-02 | - Verify that the identity requirements for user registration are aligned with business and sec - Validate the registration process. | Not Started | TBD | TBD
WSTG-IDNT-03 | - Verify wh | Not Started | TBD | TBD
WSTG-IDNT-04 | - Review processes that pertain to user identification (e.g. registration, login, etc.). - Enumerate users where possible through response analysis. | Not Started | TBD | TBD
WSTG-IDNT-05 | - Determine whether a consistent account name structure renders the application vulnerable - Determine whether the application's error messages permit account enumeration. | Not Started | TBD | TBD
Authentication Testing
Test Name | Objectives | Status | Notes | Tools Used
WSTG-ATHN-01 | | Not Started | TBD | TBD
WSTG-ATHN-02 | - Determine whether the application has any user accounts with default passwords. - Review whether new user accounts are created with weak or predictable passwords. | Not Started | TBD | TBD
WSTG-ATHN-03 | - Evaluate the account lockout mechanism's ability to mitigate brute force password guessing. - Evaluate the unlock mechanism's resistance to unauthorized account unlocking. | Not Started | TBD | TBD
WSTG-ATHN-04 | - Ensure th | Not Started | TBD | TBD
WSTG-ATHN-05 | - Validate | Not Started | TBD | TBD
WSTG-ATHN-06 | - Review if the application stores sensitive information on the client-side. - Review if access can occur without authorization. | Not Started | TBD | TBD
WSTG-ATHN-07 | - Determine | Not Started | TBD | TBD
WSTG-ATHN-08 | - Determine the complexity and how straight-forward the questions are. - Assess possible user answers and brute force capabilities. | Not Started | TBD | TBD
WSTG-ATHN-09 | - Determin | Not Started | TBD | TBD
WSTG-ATHN-10 | - Identify alternative authentication channels. - Assess the security measures used and if any bypasses exist on the alternative channels. | Not Started | TBD | TBD
WSTG-ATHN-11 | - Determine whether the MFA implementation is robust and secure. - Attempt to bypass the MFA. | Not Started | TBD | TBD
Authorization Testing
Test Name | Objectives | Status | Notes | Tools Used
WSTG-ATHZ-01 | - Identify injection points that pertain to path traversal. - Assess bypassing techniques and identify the extent of path traversal. | Not Started | TBD | TBD
WSTG-ATHZ-02 | - Assess if | Not Started | TBD | TBD
WSTG-ATHZ-03 | - Identify injection points related to privilege manipulation. - Fuzz or otherwise attempt to bypass security measures. | Not Started | TBD | TBD
WSTG-ATHZ-04 | - Identify points where object references may occur. - Assess the access control measures and if they're vulnerable to IDOR. | Not Started | TBD | TBD
WSTG-ATHZ-05 | - Determin | Not Started | TBD | TBD
Session Management Testing
Test Name | Objectives | Status | Notes | Tools Used
WSTG-SESS-01 | - Analyze and ensure that enough randomness exists to stop session forging attacks. - Modify cookies that are not signed and contain information that can be manipulated. | Not Started | TBD | TBD
WSTG-SESS-02 | - Ensure th | Not Started | TBD | TBD
WSTG-SESS-03 | - Analyze the authentication mechanism and its flow. - Force cookies and assess the impact. | Not Started | TBD | TBD
WSTG-SESS-04 | - Review the caching configuration. - Assess the channel and methods' security. | Not Started | TBD | TBD
WSTG-SESS-05 | - Determine | Not Started | TBD | TBD
WSTG-SESS-06 | - Assess the logout UI. - Analyze the session timeout and if the session is properly killed after logout. | Not Started | TBD | TBD
WSTG-SESS-07 | - Validate | Not Started | TBD | TBD
WSTG-SESS-08 | - Identify all session variables. - Break the logical flow of session generation. | Not Started | TBD | TBD
WSTG-SESS-09 | - Identify vulnerable session cookies. - Hijack vulnerable cookies and assess the risk level. | Not Started | TBD | TBD
WSTG-SESS-10 | - Determine whether the JWTs expose sensitive information. - Determine whether the JWTs can be tampered with or modified. | Not Started | TBD | TBD
WSTG-SESS-11 | - Evaluate | Not Started | TBD | TBD
Input Validation Testing
Test Name | Objectives | Status | Notes | Tools Used
WSTG-INPV-01 | - Identify variables that are reflected in responses. - Assess the input they accept and the encoding that gets applied on return (if any). | Not Started | TBD | TBD
WSTG-INPV-02 | - Identify stored input that is reflected on the client-side. - Assess the input they accept and the encoding that gets applied on return (if any). | Not Started | TBD | TBD
WSTG-INPV-03 | | Not Started | TBD | TBD
WSTG-INPV-04 | - Identify the backend and the parsing method used. - Assess injection points and try bypassing input filters using HPP. | Not Started | TBD | TBD
WSTG-INPV-05 | - Identify SQL injection points. - Assess the severity of the injection and the level of access that can be achieved through it. | Not Started | TBD | TBD
WSTG-INPV-06 | - Identify LDAP injection points. - Assess the severity of the injection. | Not Started | TBD | TBD
WSTG-INPV-07 | - Identify XML injection points. - Assess the types of exploits that can be attained and their severities. | Not Started | TBD | TBD
WSTG-INPV-08 | - Identify SSI injection points. - Assess the severity of the injection. | Not Started | TBD | TBD
WSTG-INPV-09 | - Identify | Not Started | TBD | TBD
WSTG-INPV-10 | - Understand the data flow and deployment structure of the system. - Assess the injection impacts. | Not Started | TBD | TBD
WSTG-INPV-11 | - Identify injection points where you can inject code into the application. - Assess the injection severity. | Not Started | TBD | TBD
WSTG-INPV-12 | - Identify | Not Started | TBD | TBD
WSTG-INPV-13 | | Not Started | TBD | TBD
WSTG-INPV-13 | - Assess wh | Not Started | TBD | TBD
WSTG-INPV-14 | - Understand how a recall step could occur. - Set listeners or activate the recall step if possible. | Not Started | TBD | TBD
WSTG-INPV-15 | - Assess if the application is vulnerable to splitting, identifying what possible attacks are achie - Assess if the chain of communication is vulnerable to smuggling, identifying what possible a | Not Started | TBD | TBD
WSTG-INPV-16 | - Monitor all incoming and outgoing HTTP requests to the Web Server to inspect any suspicio - Monitor HTTP traffic without changes of end user Browser proxy or client-side application. | Not Started | TBD | TBD
WSTG-INPV-17 | - Assess if the Host header is being parsed dynamically in the application. - Bypass security controls that rely on the header. | Not Started | TBD | TBD
WSTG-INPV-18 | - Identify the templating engine. - Build the exploit. | Not Started | TBD | TBD
WSTG-INPV-19 | - Test if the injection points are exploitable. - Assess the severity of the vulnerability. | Not Started | TBD | TBD
WSTG-INPV-20 | - Identify requests that modify objects - Assess if it is possible to modify fields never intended to be modified from outside | Not Started | TBD | TBD
Testing for Error Handling
Test Name | Objectives | Status | Notes | Tools Used
WSTG-ERRH-01 | - Identify existing error output. - Analyze the different output returned. | Not Started | TBD | TBD
WSTG-ERRH-02 | | Not Started | TBD | TBD
Testing for Weak Cryptography
Test Name | Objectives | Status | Notes | Tools Used
WSTG-CRYP-01 | - Review the digital certificate's cryptographic strength and validity. - Ensure that the TLS security is not bypassable and is properly implemented across the appli | Not Started | TBD | TBD
WSTG-CRYP-02 | - Identify encrypted messages that rely on padding. - Attempt to break the padding of the encrypted messages and analyze the returned error m | Not Started | TBD | TBD
WSTG-CRYP-03 | - Identify sensitive information transmitted through the various channels. - Assess the privacy and security of the channels used. | Not Started | TBD | TBD
WSTG-CRYP-04 | - Provide a | Not Started | TBD | TBD
Business Logic Testing
Test Name | Objectives | Status | Notes | Tools Used
WSTG-BUSL-01 | - Validate that all checks are occurring on the backend and can't be bypassed. - Attempt to break the format of the expected data and analyze how the application is handl | Not Started | TBD | TBD
WSTG-BUSL-02 | - Review the project documentation looking for guessable, predictable, or hidden functionali - Insert logically valid data in order to bypass normal business logic workflow. | Not Started | TBD | TBD
WSTG-BUSL-03 | - Determine who should be allowed to modify or read that data in each component. - Attempt to insert, update, or delete data values used by each component that should not b | Not Started | TBD | TBD
WSTG-BUSL-04 | - Review the project documentation for system functionality that may be impacted by time. - Develop and execute misuse cases. | Not Started | TBD | TBD
WSTG-BUSL-05 | - Identify functions that must set limits to the times they can be called. - Assess if there is a logical limit set on the functions and if it is properly validated. | Not Started | TBD | TBD
WSTG-BUSL-06 | - Review the project documentation for methods to skip or go through steps in the applicatio - Develop a misuse case and try to circumvent every logic flow identified. | Not Started | TBD | TBD
WSTG-BUSL-07 | - Review which tests had a different functionality based on aggressive input. - Understand the defenses in place and verify if they are enough to protect the system agains | Not Started | TBD | TBD
WSTG-BUSL-08 | - Verify that the unwelcomed file types are rejected and handled safely. - Verify that file batch uploads are secure and do not allow any bypass against the set securit | Not Started | TBD | TBD
WSTG-BUSL-09 | - Obtain or create a set of malicious files for testing. - Try to upload the malicious files to the application and determine whether it is accepted an | Not Started | TBD | TBD
WSTG-BUSL-10 | - Understand how the payment functionality works. - Determine whether the payment functionality is secure. | Not Started | TBD | TBD
Client-side Testing
Test Name | Objectives | Status | Notes | Tools Used
WSTG-CLNT-01 | - Identify DOM sinks. - Build payloads that pertain to every sink type. | Not Started | TBD | TBD
WSTG-CLNT-02 | - Identify | Not Started | TBD | TBD
WSTG-CLNT-03 | - Identify | Not Started | TBD | TBD
WSTG-CLNT-04 | - Identify injection points that handle URLs or paths. - Assess the locations that the system could redirect to. | Not Started | TBD | TBD
WSTG-CLNT-05 | - Identify CSS injection points. - Assess the impact of the injection. | Not Started | TBD | TBD
WSTG-CLNT-06 | - Identify sinks with weak input validation. - Assess the impact of the resource manipulation. | Not Started | TBD | TBD
WSTG-CLNT-07 | - Identify endpoints that implement CORS. - Ensure that the CORS configuration is secure or harmless. | Not Started | TBD | TBD
WSTG-CLNT-08 | - Decompile and analyze the application's code. - Assess sinks inputs and unsafe method usages. | Not Started | TBD | TBD
WSTG-CLNT-09 | - Assess app | Not Started | TBD | TBD
WSTG-CLNT-10 | - Identify the usage of WebSockets. - Assess its implementation by using the same tests on normal HTTP channels. | Not Started | TBD | TBD
WSTG-CLNT-11 | - Assess the security of the message's origin. - Validate that it's using safe methods and validating its input. | Not Started | TBD | TBD
WSTG-CLNT-12 | - Determine whether the website is storing sensitive data in client-side storage. - The code handling of the storage objects should be examined for possibilities of injection att | Not Started | TBD | TBD
WSTG-CLNT-13 | - Locate sensitive data across the system. - Assess the leakage of sensitive data through various techniques. | Not Started | TBD | TBD
WSTG-CLNT-14 | | Not Started | TBD | TBD
API Testing
Test Name | Objectives | Status | Notes | Tools Used
WSTG-APIT-01 | - Find all parameters for each endpoint supported by the backend server, documented or un - Discover interesting data related to APIs in HTML and JavaScript sent to clients. | Not Started | TBD | TBD
WSTG-APIT-99 | - Validate all input fields against generic attacks. - Ensure that proper access controls are applied. | Not Started | TBD | TBD
OWASP Summary Findings

Nº | OTG | Vulnerability | Affected Host | Impact | Likelihood | Risk | Observation | Recommendation
1 | WSTG-INFO-02 | | www.examp | High | Moderate | High | |
2 | WSTG-INFO | Conduct Se | www.examp | High | Moderate | High | |
3 | WSTG-INFO | Conduct Se | www.examp | High | Moderate | High | |

Test Evidence
xxx-1
OWASP Risk Assessment Calculator

Likelihood factors

Threat Agent Factors
Skills required: Some technical skills [3]
Motive: Possible reward [4]
Opportunity: Full access or expensive resources required [0]
Population Size: System Administrators [2]

Vulnerability Factors
Ease of Discovery: Practically impossible [1]
Ease of Exploit: Easy [5]
Awareness: Hidden [4]
Intrusion Detection: Logged and reviewed [3]

Impact factors

Technical Impact Factors
Loss of confidentiality: Minimal non-sensitive data disclosed [2]
Loss of Integrity: All data totally corrupt [9]
Loss of Availability: Minimal secondary services interrupted [1]
Loss of Accountability: Not Applicable [0]

Business Impact Factors
Financial damage: Minor effect on annual profit [3]
Reputation damage: Loss of major accounts [4]
Non-Compliance: Clear violation [5]
Privacy violation: One individual [3]

Likelihood score:
Impact score:
Overall Risk Severity:


Factor options (score in brackets)

Skills required: Not Applicable [0]; No technical [1]; Some technical skills [3]; Advanced c [5]; Network an [6]; Security pe [9]
Motive: Not Applicable [0]; Low or no [1]; Possible reward [4]; High rewar [9]
Opportunity: Full access or expensive resources required [0]; Special acc [4]; Some access [7]; No access o [9]
Population Size: Not Applicable [0]; System Administrators [2]; Intranet Us [4]; Partners [5]; Authenticat [6]; Anonymous [9]
Ease of Discovery: Not Applicable [0]; Practically impossible [1]; Difficult [3]; Easy [7]; Automated t [9]
Ease of Exploit: Not Applicable [0]; Theoretical [1]; Difficult [3]; Easy [5]; Automated t [9]
Awareness: Not Applicable [0]; Unknown [1]; Hidden [4]; Obvious [6]; Public kno [9]
Intrusion Detection: Not Applicable [0]; Active dete [1]; Logged and reviewed [3]; Logged wit [8]; Not logged [9]

Loss of confidentiality: Not Applicable [0]; Minimal non-sensitive data disclosed [2]; Extensive n [6]; Extensive c [7]; All data di [9]
Loss of Integrity: Not Applicable [0]; Minimal sli [1]; Minimal ser [3]; Extensive s [5]; Extensive s [7]; All data totally corrupt [9]
Loss of Availability: Not Applicable [0]; Minimal secondary services interrupted [1]; Minimal pri [5]; Extensive p [7]; All service [9]
Loss of Accountability: Not Applicable [0]; Attack fully [1]; Attack poss [7]; Attack com [9]
Financial damage: Not Applicable [0]; Damage cost [1]; Minor effect on annual profit [3]; Significant [7]; Bankruptcy [9]
Reputation damage: Not Applicable [0]; Minimal da [1]; Loss of major accounts [4]; Loss of goo [5]; Brand dama [9]
Non-Compliance: Not Applicable [0]; Minor viola [2]; Clear violation [5]; High profile [7]
Privacy violation: Not Applicable [0]; One individual [3]; Hundreds o [5]; Thousands [7]; Millions of [9]
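The calculator sheet leaves its three result cells (Likelihood score, Impact score, Overall Risk Severity) empty because the spreadsheet formulas did not survive export. The Python below is an added worked example, not part of the original checklist: it applies the published OWASP Risk Rating Methodology to the factor values selected on the sheet. The dictionary keys and function names are mine, and it assumes the sheet's hidden formulas follow the methodology's rules (likelihood is the mean of the eight likelihood factors; impact is the mean of the business factors when they have been assessed, otherwise of the technical factors; a 0-9 mean is LOW below 3, MEDIUM below 6, else HIGH; overall severity comes from the likelihood x impact matrix).

```python
"""Worked OWASP risk rating for the factor values selected on the calculator sheet.

Added example (assumption: the sheet's formulas follow the published OWASP Risk
Rating Methodology). Factor names and helpers are the author's own.
"""
from statistics import mean

# Likelihood factors as selected on the sheet (the bracketed numbers are the scores).
LIKELIHOOD_FACTORS = {
    "skills_required": 3,       # Some technical skills [3]
    "motive": 4,                # Possible reward [4]
    "opportunity": 0,           # Full access or expensive resources required [0]
    "population_size": 2,       # System Administrators [2]
    "ease_of_discovery": 1,     # Practically impossible [1]
    "ease_of_exploit": 5,       # Easy [5]
    "awareness": 4,             # Hidden [4]
    "intrusion_detection": 3,   # Logged and reviewed [3]
}
TECHNICAL_IMPACT = {
    "loss_of_confidentiality": 2,   # Minimal non-sensitive data disclosed [2]
    "loss_of_integrity": 9,         # All data totally corrupt [9]
    "loss_of_availability": 1,      # Minimal secondary services interrupted [1]
    "loss_of_accountability": 0,    # Not Applicable [0]
}
BUSINESS_IMPACT = {
    "financial_damage": 3,      # Minor effect on annual profit [3]
    "reputation_damage": 4,     # Loss of major accounts [4]
    "non_compliance": 5,        # Clear violation [5]
    "privacy_violation": 3,     # One individual [3]
}

# Overall severity matrix: outer key is the impact level, inner key the likelihood level.
SEVERITY_MATRIX = {
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
}


def level(score):
    """Bucket a 0-9 average into the methodology's three levels."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors):
    """Mean of one factor group; every option on the sheet scores 0-9."""
    if any(not 0 <= v <= 9 for v in factors.values()):
        raise ValueError("every factor must score between 0 and 9")
    return mean(factors.values())


def impact_score(technical=TECHNICAL_IMPACT, business=BUSINESS_IMPACT):
    """Business impact takes precedence once it has been assessed (any non-zero
    factor); otherwise fall back to technical impact."""
    chosen = business if business and any(business.values()) else technical
    return average(chosen)


def rate(likelihood=LIKELIHOOD_FACTORS, technical=TECHNICAL_IMPACT, business=BUSINESS_IMPACT):
    """Return the three values the sheet leaves blank, plus their levels."""
    l_score = average(likelihood)
    i_score = impact_score(technical, business)
    l_level, i_level = level(l_score), level(i_score)
    return {
        "likelihood_score": l_score,
        "impact_score": i_score,
        "likelihood": l_level,
        "impact": i_level,
        "overall_severity": SEVERITY_MATRIX[i_level][l_level],
    }


if __name__ == "__main__":
    for key, value in rate().items():
        print(f"{key}: {value}")
```

For the values selected on the sheet this yields a likelihood of 2.75 (Low) and a business impact of 3.75 (Medium), so the overall severity is Low. Note what averaging does to Loss of Integrity: the single [9] (All data totally corrupt) is diluted by three low factors to a technical average of 3.0, still Medium. When one factor is catastrophic, record it explicitly in the Observation column of the summary sheet rather than relying on the averaged score alone.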
