OWASP Web Security Testing Guide (WSTG) Checklist

This checklist is based on the OWASP Web Security Testing Guide and provides a comprehensive framework for testing web application security. Each test includes objectives to guide your testing approach.

Information Gathering

  • WSTG-INFO-01 - Conduct Search Engine Discovery Reconnaissance for Information Leakage
      ◦ Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization's site) or indirectly (via third-party services).

  • WSTG-INFO-02 - Fingerprint Web Server
      ◦ Determine the version and type of a running web server to enable further discovery of any known vulnerabilities.

  • WSTG-INFO-03 - Review Webserver Metafiles for Information Leakage
      ◦ Identify hidden or obfuscated paths and functionality through the analysis of metadata files.
      ◦ Extract and map other information that could lead to a better understanding of the systems at hand.

  • WSTG-INFO-04 - Enumerate Applications on Webserver
      ◦ Enumerate the applications within the scope that exist on a web server.

  • WSTG-INFO-05 - Review Web Page Content for Information Leakage
      ◦ Review web page comments, metadata, and redirect bodies to find any information leakage.
      ◦ Gather JavaScript files and review the JS code to better understand the application and to find any information leakage.
      ◦ Identify if source map files or other frontend debug files exist.

  • WSTG-INFO-06 - Identify Application Entry Points
      ◦ Identify possible entry and injection points through request and response analysis.

  • WSTG-INFO-07 - Map Execution Paths Through Application
      ◦ Map the target application and understand the principal workflows.

  • WSTG-INFO-08 - Fingerprint Web Application Framework
      ◦ Fingerprint the components used by the web applications.

  • WSTG-INFO-09 - Fingerprint Web Application

  • WSTG-INFO-10 - Map Application Architecture
      ◦ Understand the architecture of the application and the technologies in use.

Configuration and Deployment Management Testing

  • WSTG-CONF-01 - Test Network Infrastructure Configuration
      ◦ Review the applications' configurations set across the network and validate that they are not vulnerable.
      ◦ Validate that the frameworks and systems in use are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials.

  • WSTG-CONF-02 - Test Application Platform Configuration
      ◦ Ensure that default and known files have been removed.
      ◦ Validate that no debugging code or extensions are left in the production environments.
      ◦ Review the logging mechanisms set in place for the application.

  • WSTG-CONF-03 - Test File Extensions Handling for Sensitive Information
      ◦ Brute force sensitive file extensions that might contain raw data such as scripts, credentials, etc.
      ◦ Validate that no system framework bypasses exist for the rules that have been set.

  • WSTG-CONF-04 - Review Old Backup and Unreferenced Files for Sensitive Information
      ◦ Find and analyse unreferenced files that might contain sensitive information.

  • WSTG-CONF-05 - Enumerate Infrastructure and Application Admin Interfaces
      ◦ Identify hidden administrator interfaces and functionality.

  • WSTG-CONF-06 - Test HTTP Methods
      ◦ Enumerate supported HTTP methods.
      ◦ Test for access control bypass.
      ◦ Test HTTP method overriding techniques.

  • WSTG-CONF-07 - Test HTTP Strict Transport Security
      ◦ Review the HSTS header and its validity.

  • WSTG-CONF-08 - Test RIA Cross Domain Policy

  • WSTG-CONF-09 - Test File Permission
      ◦ Review and identify any rogue file permissions.

  • WSTG-CONF-10 - Test for Subdomain Takeover
      ◦ Enumerate all possible domains (previous and current).
      ◦ Identify any forgotten or misconfigured domains.

  • WSTG-CONF-11 - Test Cloud Storage
      ◦ Assess that the access control configuration for the storage services is properly in place.

  • WSTG-CONF-12 - Testing for Content Security Policy
      ◦ Review the Content-Security-Policy header or meta element to identify misconfigurations.

  • WSTG-CONF-13 - Test Path Confusion
      ◦ Make sure application paths are configured correctly.

  • WSTG-CONF-14 - Test Other HTTP Security Header Misconfigurations
      ◦ Identify improperly configured security headers.
      ◦ Assess the impact of misconfigured security headers.
      ◦ Validate the correct implementation of required security headers.

Identity Management Testing

  • WSTG-IDNT-01 - Test Role Definitions
      ◦ Identify and document roles used by the application.
      ◦ Attempt to switch, change, or access another role.
      ◦ Review the granularity of the roles and the needs behind the permissions given.

  • WSTG-IDNT-02 - Test User Registration Process
      ◦ Verify that the identity requirements for user registration are aligned with business and security requirements.
      ◦ Validate the registration process.

  • WSTG-IDNT-03 - Test Account Provisioning Process
      ◦ Verify which accounts may provision other accounts and of what type.

  • WSTG-IDNT-04 - Testing for Account Enumeration and Guessable User Account
      ◦ Review processes that pertain to user identification (e.g. registration, login, etc.).
      ◦ Enumerate users where possible through response analysis.

  • WSTG-IDNT-05 - Testing for Weak or Unenforced Username Policy
      ◦ Determine whether a consistent account name structure renders the application vulnerable to account enumeration.
      ◦ Determine whether the application's error messages permit account enumeration.

Authentication Testing

  • WSTG-ATHN-01 - Testing for Credentials Transported over an Encrypted Channel

  • WSTG-ATHN-02 - Testing for Default Credentials
      ◦ Determine whether the application has any user accounts with default passwords.
      ◦ Review whether new user accounts are created with weak or predictable passwords.

  • WSTG-ATHN-03 - Testing for Weak Lock Out Mechanism
      ◦ Evaluate the account lockout mechanism's ability to mitigate brute force password guessing.
      ◦ Evaluate the unlock mechanism's resistance to unauthorized account unlocking.

  • WSTG-ATHN-04 - Testing for Bypassing Authentication Schema
      ◦ Ensure that authentication is applied across all services that require it.

  • WSTG-ATHN-05 - Testing for Vulnerable Remember Password
      ◦ Validate that the generated session is managed securely and does not put the user's credentials in danger.

  • WSTG-ATHN-06 - Testing for Browser Cache Weaknesses
      ◦ Review if the application stores sensitive information on the client-side.
      ◦ Review if access can occur without authorization.

  • WSTG-ATHN-07 - Testing for Weak Authentication Methods
      ◦ Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords.

  • WSTG-ATHN-08 - Testing for Weak Security Question Answer
      ◦ Determine the complexity and how straightforward the questions are.
      ◦ Assess possible user answers and brute force capabilities.

  • WSTG-ATHN-09 - Testing for Weak Password Change or Reset Functionalities
      ◦ Determine whether the password change and reset functionality allows accounts to be compromised.

  • WSTG-ATHN-10 - Testing for Weaker Authentication in Alternative Channel
      ◦ Identify alternative authentication channels.
      ◦ Assess the security measures used and whether any bypasses exist on the alternative channels.

  • WSTG-ATHN-11 - Testing Multi-Factor Authentication (MFA)
      ◦ Identify the type of MFA used by the application.
      ◦ Determine whether the MFA implementation is robust and secure.
      ◦ Attempt to bypass the MFA.

Authorization Testing

  • WSTG-ATHZ-01 - Testing Directory Traversal File Include
      ◦ Identify injection points that pertain to path traversal.
      ◦ Assess bypassing techniques and identify the extent of path traversal.

  • WSTG-ATHZ-02 - Testing for Bypassing Authorization Schema
      ◦ Assess if unauthenticated, horizontal, or vertical access is possible.

  • WSTG-ATHZ-03 - Testing for Privilege Escalation
      ◦ Identify injection points related to privilege manipulation.
      ◦ Fuzz or otherwise attempt to bypass security measures.

  • WSTG-ATHZ-04 - Testing for Insecure Direct Object References
      ◦ Identify points where object references may occur.
      ◦ Assess the access control measures and if they're vulnerable to IDOR.

  • WSTG-ATHZ-05 - Testing for OAuth Weaknesses
      ◦ Determine if the OAuth2 implementation is vulnerable or using a deprecated or custom implementation.

Session Management Testing

  • WSTG-SESS-01 - Testing for Session Management Schema
      ◦ Gather session tokens, for the same user and for different users where possible.
      ◦ Analyze and ensure that enough randomness exists to stop session forging attacks.
      ◦ Modify cookies that are not signed and contain information that can be manipulated.

  • WSTG-SESS-02 - Testing for Cookies Attributes
      ◦ Ensure that the proper security configuration is set for cookies.

  • WSTG-SESS-03 - Testing for Session Fixation
      ◦ Analyze the authentication mechanism and its flow.
      ◦ Force cookies and assess the impact.

  • WSTG-SESS-04 - Testing for Exposed Session Variables
      ◦ Ensure that proper encryption is implemented.
      ◦ Review the caching configuration.
      ◦ Assess the channel and methods' security.

  • WSTG-SESS-05 - Testing for Cross Site Request Forgery
      ◦ Determine whether it is possible to initiate requests on a user's behalf that are not initiated by the user.

  • WSTG-SESS-06 - Testing for Logout Functionality
      ◦ Assess the logout UI.
      ◦ Analyze the session timeout and if the session is properly killed after logout.

  • WSTG-SESS-07 - Testing Session Timeout
      ◦ Validate that a hard session timeout exists.

  • WSTG-SESS-08 - Testing for Session Puzzling
      ◦ Identify all session variables.
      ◦ Break the logical flow of session generation.

  • WSTG-SESS-09 - Testing for Session Hijacking
      ◦ Identify vulnerable session cookies.
      ◦ Hijack vulnerable cookies and assess the risk level.

  • WSTG-SESS-10 - Testing JSON Web Tokens
      ◦ Determine whether the JWTs expose sensitive information.
      ◦ Determine whether the JWTs can be tampered with or modified.

  • WSTG-SESS-11 - Testing for Concurrent Sessions
      ◦ Evaluate the application's session management by assessing the handling of multiple active sessions for a single user account.

Input Validation Testing

  • WSTG-INPV-01 - Testing for Reflected Cross Site Scripting
      ◦ Identify variables that are reflected in responses.
      ◦ Assess the input they accept and the encoding that gets applied on return (if any).

  • WSTG-INPV-02 - Testing for Stored Cross Site Scripting
      ◦ Identify stored input that is reflected on the client-side.
      ◦ Assess the input they accept and the encoding that gets applied on return (if any).

  • WSTG-INPV-03 - Testing for HTTP Verb Tampering

  • WSTG-INPV-04 - Testing for HTTP Parameter Pollution
      ◦ Identify the backend and the parsing method used.
      ◦ Assess injection points and try bypassing input filters using HPP.

  • WSTG-INPV-05 - Testing for SQL Injection
      ◦ Identify SQL injection points.
      ◦ Assess the severity of the injection and the level of access that can be achieved through it.

  • WSTG-INPV-06 - Testing for LDAP Injection
      ◦ Identify LDAP injection points.
      ◦ Assess the severity of the injection.

  • WSTG-INPV-07 - Testing for XML Injection
      ◦ Identify XML injection points.
      ◦ Assess the types of exploits that can be attained and their severities.

  • WSTG-INPV-08 - Testing for SSI Injection
      ◦ Identify SSI injection points.
      ◦ Assess the severity of the injection.

  • WSTG-INPV-09 - Testing for XPath Injection
      ◦ Identify XPath injection points.

  • WSTG-INPV-10 - Testing for IMAP SMTP Injection
      ◦ Identify IMAP/SMTP injection points.
      ◦ Understand the data flow and deployment structure of the system.
      ◦ Assess the injection impacts.

  • WSTG-INPV-11 - Testing for Code Injection
      ◦ Identify injection points where you can inject code into the application.
      ◦ Assess the injection severity.

  • WSTG-INPV-12 - Testing for Command Injection
      ◦ Identify and assess the command injection points.

  • WSTG-INPV-13 - Testing for Buffer Overflow

  • WSTG-INPV-13 - Testing for Format String Injection
      ◦ Assess whether injecting format string conversion specifiers into user-controlled fields causes undesired behavior from the application.

  • WSTG-INPV-14 - Testing for Incubated Vulnerability
      ◦ Identify injections that are stored and require a recall step to the stored injection.
      ◦ Understand how a recall step could occur.
      ◦ Set listeners or activate the recall step if possible.

  • WSTG-INPV-15 - Testing for HTTP Splitting Smuggling
      ◦ Assess if the application is vulnerable to splitting, identifying what possible attacks are achievable.
      ◦ Assess if the chain of communication is vulnerable to smuggling, identifying what possible attacks are achievable.

  • WSTG-INPV-16 - Testing for HTTP Incoming Requests
      ◦ Monitor all incoming and outgoing HTTP requests to the web server to inspect any suspicious requests.
      ◦ Monitor HTTP traffic without changing the end user's browser proxy or client-side application.

  • WSTG-INPV-17 - Testing for Host Header Injection
      ◦ Assess if the Host header is being parsed dynamically in the application.
      ◦ Bypass security controls that rely on the header.

  • WSTG-INPV-18 - Testing for Server-side Template Injection
      ◦ Detect template injection vulnerability points.
      ◦ Identify the templating engine.
      ◦ Build the exploit.

  • WSTG-INPV-19 - Testing for Server-Side Request Forgery
      ◦ Identify SSRF injection points.
      ◦ Test if the injection points are exploitable.
      ◦ Assess the severity of the vulnerability.

  • WSTG-INPV-20 - Testing for Mass Assignment
      ◦ Identify requests that modify objects.
      ◦ Assess if it is possible to modify fields never intended to be modified from outside.

Testing for Error Handling

  • WSTG-ERRH-01 - Testing for Improper Error Handling
      ◦ Identify existing error output.
      ◦ Analyze the different output returned.

  • WSTG-ERRH-02 - Testing for Stack Traces

Testing for Weak Cryptography

  • WSTG-CRYP-01 - Testing for Weak Transport Layer Security
      ◦ Validate the service configuration.
      ◦ Review the digital certificate's cryptographic strength and validity.
      ◦ Ensure that the TLS security is not bypassable and is properly implemented across the application.

  • WSTG-CRYP-02 - Testing for Padding Oracle
      ◦ Identify encrypted messages that rely on padding.
      ◦ Attempt to break the padding of the encrypted messages and analyze the returned error messages for further analysis.

  • WSTG-CRYP-03 - Testing for Sensitive Information Sent via Unencrypted Channels
      ◦ Identify sensitive information transmitted through the various channels.
      ◦ Assess the privacy and security of the channels used.

  • WSTG-CRYP-04 - Testing for Weak Encryption
      ◦ Provide a guideline for the identification of weak encryption or hashing uses and implementations.

Business Logic Testing

  • WSTG-BUSL-01 - Test Business Logic Data Validation
      ◦ Identify data injection points.
      ◦ Validate that all checks are occurring on the backend and can't be bypassed.
      ◦ Attempt to break the format of the expected data and analyze how the application is handling it.

  • WSTG-BUSL-02 - Test Ability to Forge Requests
      ◦ Review the project documentation looking for guessable, predictable, or hidden functionality of fields.
      ◦ Insert logically valid data in order to bypass normal business logic workflow.

  • WSTG-BUSL-03 - Test Integrity Checks
      ◦ Review the project documentation for components of the system that move, store, or handle data.
      ◦ Determine what type of data is logically acceptable by the component and what types the system should guard against.
      ◦ Determine who should be allowed to modify or read that data in each component.
      ◦ Attempt to insert, update, or delete data values used by each component that should not be allowed per the business logic workflow.

  • WSTG-BUSL-04 - Test for Process Timing
      ◦ Review the project documentation for system functionality that may be impacted by time.
      ◦ Develop and execute misuse cases.

  • WSTG-BUSL-05 - Test Number of Times a Function Can Be Used Limits
      ◦ Identify functions that must set limits to the times they can be called.
      ◦ Assess if there is a logical limit set on the functions and if it is properly validated.

  • WSTG-BUSL-06 - Testing for the Circumvention of Work Flows
      ◦ Review the project documentation for methods to skip or go through steps in the application process in a different order from the intended business logic flow.
      ◦ Develop a misuse case and try to circumvent every logic flow identified.

  • WSTG-BUSL-07 - Test Defenses Against Application Misuse
      ◦ Generate notes from all tests conducted against the system.
      ◦ Review which tests had a different functionality based on aggressive input.
      ◦ Understand the defenses in place and verify if they are enough to protect the system against bypassing techniques.

  • WSTG-BUSL-08 - Test Upload of Unexpected File Types
      ◦ Review the project documentation for file types that are rejected by the system.
      ◦ Verify that the unwelcome file types are rejected and handled safely.
      ◦ Verify that file batch uploads are secure and do not allow any bypass against the set security measures.

  • WSTG-BUSL-09 - Test Upload of Malicious Files
      ◦ Identify the file upload functionality.
      ◦ Review the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious.
      ◦ If documentation is not available, then consider what would be appropriate based on the purpose of the application.
      ◦ Determine how the uploaded files are processed.
      ◦ Obtain or create a set of malicious files for testing.
      ◦ Try to upload the malicious files to the application and determine whether they are accepted and processed.

  • WSTG-BUSL-10 - Test Payment Functionality
      ◦ Determine whether the business logic for the e-commerce functionality is robust.
      ◦ Understand how the payment functionality works.
      ◦ Determine whether the payment functionality is secure.

Client-side Testing

  • WSTG-CLNT-01 - Testing for DOM-Based Cross Site Scripting
      ◦ Identify DOM sinks.
      ◦ Build payloads that pertain to every sink type.

  • WSTG-CLNT-02 - Testing for JavaScript Execution
      ◦ Identify sinks and possible JavaScript injection points.

  • WSTG-CLNT-03 - Testing for HTML Injection
      ◦ Identify HTML injection points and assess the severity of the injected content.

  • WSTG-CLNT-04 - Testing for Client-side URL Redirect
      ◦ Identify injection points that handle URLs or paths.
      ◦ Assess the locations that the system could redirect to.

  • WSTG-CLNT-05 - Testing for CSS Injection
      ◦ Identify CSS injection points.
      ◦ Assess the impact of the injection.

  • WSTG-CLNT-06 - Testing for Client-side Resource Manipulation
      ◦ Identify sinks with weak input validation.
      ◦ Assess the impact of the resource manipulation.

  • WSTG-CLNT-07 - Testing Cross Origin Resource Sharing
      ◦ Identify endpoints that implement CORS.
      ◦ Ensure that the CORS configuration is secure or harmless.

  • WSTG-CLNT-08 - Testing for Cross Site Flashing
      ◦ Decompile and analyze the application's code.
      ◦ Assess sink inputs and unsafe method usages.

  • WSTG-CLNT-09 - Testing for Clickjacking
      ◦ Assess application vulnerability to clickjacking attacks.

  • WSTG-CLNT-10 - Testing WebSockets
      ◦ Identify the usage of WebSockets.
      ◦ Assess its implementation by using the same tests as on normal HTTP channels.

  • WSTG-CLNT-11 - Testing Web Messaging
      ◦ Assess the security of the message's origin.
      ◦ Validate that it's using safe methods and validating its input.

  • WSTG-CLNT-12 - Testing Browser Storage
      ◦ Determine whether the website is storing sensitive data in client-side storage.
      ◦ Examine the code that handles the storage objects for possible injection attacks, such as use of unvalidated input or vulnerable libraries.

  • WSTG-CLNT-13 - Testing for Cross Site Script Inclusion
      ◦ Locate sensitive data across the system.
      ◦ Assess the leakage of sensitive data through various techniques.

  • WSTG-CLNT-14 - Testing for Reverse Tabnabbing

API Testing

  • WSTG-APIT-01 - API Reconnaissance
      ◦ Find all API endpoints supported by the backend server code, documented or undocumented.
      ◦ Find all parameters for each endpoint supported by the backend server, documented or undocumented.
      ◦ Discover interesting data related to APIs in HTML and JavaScript sent to clients.

  • WSTG-APIT-02 - API Broken Object Level Authorization
      ◦ Identify whether the API enforces proper object-level authorization checks, ensuring that users can only access and manipulate objects they are authorized to interact with.

  • WSTG-APIT-99 - Testing GraphQL
      ◦ Assess that a secure and production-ready configuration is deployed.
      ◦ Validate all input fields against generic attacks.
      ◦ Ensure that proper access controls are applied.