Web Security Testing Guide Framework

Task 1

WSTG Overview

1. OWASP Web Security Testing Guide (WSTG)

The WSTG provides a comprehensive framework for testing web application security. Version 4.2 contains 91 test cases organized into 12 categories.

2. Testing Categories

WSTG-INFO: Information Gathering

ID	Test Name
WSTG-INFO-01	Conduct Search Engine Discovery Recon
WSTG-INFO-02	Fingerprint Web Server
WSTG-INFO-03	Review Webserver Metafiles for Info Leakage
WSTG-INFO-04	Enumerate Applications on Webserver
WSTG-INFO-05	Review Webpage Content for Info Leakage
WSTG-INFO-06	Identify Application Entry Points
WSTG-INFO-07	Map Execution Paths Through Application
WSTG-INFO-08	Fingerprint Web Application Framework
WSTG-INFO-09	Fingerprint Web Application
WSTG-INFO-10	Map Application Architecture

WSTG-CONF: Configuration and Deploy Management

ID	Test Name
WSTG-CONF-01	Test Network Infrastructure Configuration
WSTG-CONF-02	Test Application Platform Configuration
WSTG-CONF-03	Test File Extensions Handling
WSTG-CONF-04	Review Old Backup and Unreferenced Files
WSTG-CONF-05	Enumerate Infrastructure and Admin Interfaces
WSTG-CONF-06	Test HTTP Methods
WSTG-CONF-07	Test HTTP Strict Transport Security
WSTG-CONF-08	Test RIA Cross Domain Policy
WSTG-CONF-09	Test File Permission
WSTG-CONF-10	Test for Subdomain Takeover
WSTG-CONF-11	Test Cloud Storage

WSTG-IDNT: Identity Management

ID	Test Name
WSTG-IDNT-01	Test Role Definitions
WSTG-IDNT-02	Test User Registration Process
WSTG-IDNT-03	Test Account Provisioning Process
WSTG-IDNT-04	Test for Account Enumeration
WSTG-IDNT-05	Test for Weak or Unenforced Username Policy

WSTG-ATHN: Authentication Testing

ID	Test Name
WSTG-ATHN-01	Test for Credentials over Encrypted Channel
WSTG-ATHN-02	Test for Default Credentials
WSTG-ATHN-03	Test for Weak Lock Out Mechanism
WSTG-ATHN-04	Test for Bypassing Authentication Schema
WSTG-ATHN-05	Test for Vulnerable Remember Password
WSTG-ATHN-06	Test for Browser Cache Weaknesses
WSTG-ATHN-07	Test for Weak Password Policy
WSTG-ATHN-08	Test for Weak Security Question/Answer
WSTG-ATHN-09	Test for Weak Password Change/Reset
WSTG-ATHN-10	Test for Weaker Auth in Alt Channel

WSTG-ATHZ: Authorization Testing

ID	Test Name
WSTG-ATHZ-01	Test Directory Traversal/File Include
WSTG-ATHZ-02	Test for Bypassing Authorization Schema
WSTG-ATHZ-03	Test for Privilege Escalation
WSTG-ATHZ-04	Test for Insecure Direct Object References

WSTG-SESS: Session Management

ID	Test Name
WSTG-SESS-01	Test for Session Management Schema
WSTG-SESS-02	Test for Cookies Attributes
WSTG-SESS-03	Test for Session Fixation
WSTG-SESS-04	Test for Exposed Session Variables
WSTG-SESS-05	Test for CSRF
WSTG-SESS-06	Test for Logout Functionality
WSTG-SESS-07	Test Session Timeout
WSTG-SESS-08	Test for Session Puzzling
WSTG-SESS-09	Test for Session Hijacking

WSTG-INPV: Input Validation Testing

ID	Test Name
WSTG-INPV-01	Test for Reflected XSS
WSTG-INPV-02	Test for Stored XSS
WSTG-INPV-03	Test for HTTP Verb Tampering
WSTG-INPV-04	Test for HTTP Parameter Pollution
WSTG-INPV-05	Test for SQL Injection
WSTG-INPV-06	Test for LDAP Injection
WSTG-INPV-07	Test for XML Injection
WSTG-INPV-08	Test for SSI Injection
WSTG-INPV-09	Test for XPath Injection
WSTG-INPV-10	Test for IMAP/SMTP Injection
WSTG-INPV-11	Test for Code Injection
WSTG-INPV-12	Test for Command Injection
WSTG-INPV-13	Test for Format String Injection
WSTG-INPV-14	Test for Incubated Vulnerability
WSTG-INPV-15	Test for HTTP Splitting/Smuggling
WSTG-INPV-16	Test for HTTP Incoming Requests
WSTG-INPV-17	Test for Host Header Injection
WSTG-INPV-18	Test for SSTI
WSTG-INPV-19	Test for SSRF

WSTG-ERRH: Error Handling

ID	Test Name
WSTG-ERRH-01	Test for Improper Error Handling
WSTG-ERRH-02	Test for Stack Traces

WSTG-CRYP: Cryptography

ID	Test Name
WSTG-CRYP-01	Test for Weak Transport Layer Security
WSTG-CRYP-02	Test for Padding Oracle
WSTG-CRYP-03	Test for Sensitive Info Sent via Unencrypted
WSTG-CRYP-04	Test for Weak Encryption

WSTG-BUSL: Business Logic Testing

ID	Test Name
WSTG-BUSL-01	Test Business Logic Data Validation
WSTG-BUSL-02	Test Ability to Forge Requests
WSTG-BUSL-03	Test Integrity Checks
WSTG-BUSL-04	Test for Process Timing
WSTG-BUSL-05	Test Number of Times a Function Can Be Used
WSTG-BUSL-06	Test for Circumvention of Work Flows
WSTG-BUSL-07	Test Defenses Against Application Misuse
WSTG-BUSL-08	Test Upload of Unexpected File Types
WSTG-BUSL-09	Test Upload of Malicious Files

WSTG-CLNT: Client-Side Testing

ID	Test Name
WSTG-CLNT-01	Test for DOM-Based XSS
WSTG-CLNT-02	Test for JavaScript Execution
WSTG-CLNT-03	Test for HTML Injection
WSTG-CLNT-04	Test for Client-Side URL Redirect
WSTG-CLNT-05	Test for CSS Injection
WSTG-CLNT-06	Test for Client-Side Resource Manipulation
WSTG-CLNT-07	Test Cross Origin Resource Sharing
WSTG-CLNT-08	Test for Cross Site Flashing
WSTG-CLNT-09	Test for Clickjacking
WSTG-CLNT-10	Test WebSockets
WSTG-CLNT-11	Test Web Messaging
WSTG-CLNT-12	Test Browser Storage
WSTG-CLNT-13	Test for Cross Site Script Inclusion

3. Using WSTG as a Checklist

# Create a testing tracker spreadsheet:
# | WSTG ID | Test | Status | Notes | Evidence |
# |---------|------|--------|-------|----------|
# | INFO-01 | Search Engine Recon | Done | Found 3 subdomains | screenshot1.png |
# | INFO-02 | Fingerprint Server | Done | Nginx 1.18, PHP 7.4 | headers.txt |

# Work through each category systematically
# Mark status: Not Tested / In Progress / Pass / Fail / N/A
# Document evidence for every finding

4. Priority Order for Time-Limited Engagements

WSTG-ATHN: Authentication (high-impact findings)
WSTG-ATHZ: Authorization (IDOR, privilege escalation)
WSTG-INPV: Input Validation (injection attacks)
WSTG-SESS: Session Management (session attacks)
WSTG-BUSL: Business Logic (unique to each application)
WSTG-CONF: Configuration (quick wins)
WSTG-INFO: Information Gathering (foundation)
WSTG-CLNT: Client-Side (XSS, clickjacking)
WSTG-CRYP: Cryptography (SSL/TLS, hashing)
WSTG-ERRH: Error Handling (information disclosure)