```
OWASP-Checklist
├── 00 - Main Index.md
├── 01 - Information Gathering
│   ├── README.md.md
│   ├── resources
│   │   └── OWASP_Resources.md
│   └── techniques
│       └── OWASP_Techniques.md
├── 02 - Configuration Testing
│   ├── README.md.md
│   ├── resources
│   │   └── OWASP_Resources.md
│   └── techniques
│       └── OWASP_Techniques.md
├── 03 - Identity Management
│   ├── README.md.md
│   ├── resources
│   │   └── OWASP_Resources.md
│   └── techniques
│       └── OWASP_Techniques.md
├── 04 - Authentication
│   ├── README.md.md
│   ├── resources
│   │   └── OWASP_Resources.md
│   └── techniques
│       └── OWASP_Techniques.md
├── 05 - Authorization
│   ├── README.md.md
│   ├── resources
│   │   └── OWASP_Resources.md
│   └── techniques
│       └── OWASP_Techniques.md
├── 06 - Session Management
│   ├── REAMDE.md.md
│   ├── resources
│   │   └── OWASP_Resources.md
│   └── techniques
│       └── OWASP_Techniques.md
├── 07 - Input Validation
│   ├── README.md.md
│   ├── resources
│   │   └── OWASP_Resources.md
│   └── techniques
│       └── OWASP_Techniques.md
├── 08 - Error Handling
│   ├── README.md.md
│   ├── resources
│   │   └── OWASP_Resources.md
│   └── techniques
│       └── OWASP_Techniques.md
├── 09 - Cryptography
│   ├── README.md.md
│   ├── resources
│   │   └── OWASP_Resources.md
│   └── techniques
│       └── OWASP_Techniques.md
├── 10 - Business Logic
│   ├── README.md.md
│   ├── resources
│   │   └── OWASP_Resources.md
│   └── techniques
│       └── OWASP_Techniques.md
├── 11 - Client-side
│   ├── README.md.md
│   ├── resources
│   │   └── OWASP_Resources.md
│   └── techniques
│       └── OWASP_Techniques.md
├── API Testing
│   ├── API Documentation Testing
│   │   ├── resources
│   │   │   └── OWASP_Resources.md
│   │   └── techniques
│   │       └── OWASP_Techniques.md
│   ├── README.md.md
│   ├── resources
│   │   └── OWASP_Resources.md
│   └── techniques
│       └── OWASP_Techniques.md
└── README.md
```

--------------------------------------------------------------------------------
/OWASP-Checklist/00 - Main Index.md:
--------------------------------------------------------------------------------
# Web Application Security Testing Guide

## Overview
This comprehensive web application security testing guide provides structured methodologies, checklists, and resources for conducting thorough security assessments. Based on OWASP guidelines and industry best practices.

## Quick Links
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/)
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/)

## Testing Categories
1. [[01 - Information Gathering/README|Information Gathering]]
   - Reconnaissance and mapping of target applications
   - Technology stack identification
   - Information leakage detection

2. [[02 - Configuration Testing/README|Configuration Testing]]
   - Server configuration analysis
   - Platform configuration review
   - Security header assessment

3. [[03 - Identity Management/README|Identity Management]]
   - User registration processes
   - Account provisioning
   - Identity handling verification

4. [[04 - Authentication/README|Authentication]]
   - Authentication mechanism testing
   - Credential management
   - Multi-factor authentication review

5. [[05 - Authorization/README|Authorization]]
   - Access control testing
   - Privilege escalation checks
   - Role-based access control verification

6. [[06 - Session Management/README|Session Management]]
   - Session handling
   - Token security
   - Session lifecycle testing

7. [[07 - Input Validation/README|Input Validation]]
   - Injection testing
   - Input sanitization verification
   - Cross-site scripting assessment

8. [[08 - Error Handling/README|Error Handling]]
   - Error message testing
   - Exception handling review
   - Debug information exposure

9. [[09 - Cryptography/README|Cryptography]]
   - Encryption implementation review
   - Key management assessment
   - Cryptographic protocol testing

10. [[10 - Business Logic/README|Business Logic]]
    - Workflow bypass testing
    - Business rule testing
    - Logic flaw identification

11. [[11 - Client-side/README|Client-side]]
    - Frontend security testing
    - DOM-based vulnerability assessment
    - Client-side control bypass

12. [[12 - API Testing/README|API Testing]]
    - API security testing
    - Endpoint security verification
    - API logic testing

## How to Use This Guide
1. Start with Information Gathering for your target
2. Follow each category systematically
3. Use the checklists provided in each section
4. Document findings and evidence
5. Track progress using provided templates

## Progress Tracking
- [ ] Information Gathering
- [ ] Configuration Testing
- [ ] Identity Management
- [ ] Authentication
- [ ] Authorization
- [ ] Session Management
- [ ] Input Validation
- [ ] Error Handling
- [ ] Cryptography
- [ ] Business Logic
- [ ] Client-side
- [ ] API Testing

## Project Status
- Categories Started: 0/12
- Categories Completed: 0/12

## Last Updated
Date: [Current Date]

## Contributing
Guidelines for contributing to this testing guide:
1. Follow the established format
2. Provide practical examples
3. Include verification steps
4. Reference industry standards

--------------------------------------------------------------------------------
/OWASP-Checklist/01 - Information Gathering/README.md.md:
--------------------------------------------------------------------------------
# Information Gathering

## Overview
Information gathering is the critical first phase of security testing that involves collecting comprehensive intelligence about the target web application, its infrastructure, and associated assets.
5 | 6 | ## Objectives 7 | - Map the application's attack surface 8 | - Identify technology stack and components 9 | - Discover potential information leaks 10 | - Document application entry points 11 | - Understand application architecture 12 | 13 | ## Key Testing Areas 14 | 15 | ### 1. Search Engine Discovery 16 | - [ ] Google Dorking 17 | - [ ] Code Repository Analysis 18 | - [ ] Historical Data Analysis 19 | - [ ] Document Metadata Collection 20 | 21 | ### 2. Fingerprinting 22 | - [ ] Web Server Identification 23 | - [ ] Technology Stack Analysis 24 | - [ ] Framework Detection 25 | - [ ] Third-party Component Analysis 26 | 27 | ### 3. Application Mapping 28 | - [ ] Directory Enumeration 29 | - [ ] Endpoint Discovery 30 | - [ ] Parameter Analysis 31 | - [ ] API Endpoint Mapping 32 | 33 | ### 4. Information Leakage 34 | - [ ] Source Code Analysis 35 | - [ ] Error Message Analysis 36 | - [ ] Comment Review 37 | - [ ] Metadata Extraction 38 | 39 | ## Common Tools 40 | - Recon: 41 | - Google Dorks 42 | - Shodan 43 | - Wayback Machine 44 | - Scanning: 45 | - Nmap 46 | - Nikto 47 | - Wappalyzer 48 | - Enumeration: 49 | - Gobuster 50 | - DirBuster 51 | - Burp Suite 52 | 53 | ## Additional Resources 54 | - 📁 [Testing Techniques](./techniques/) 55 | - 📁 [Tools and Scripts](./resources/) 56 | - 🔗 [OWASP Information Gathering Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/) 57 | 58 | ## Progress Tracking 59 | - [ ] Search Engine Discovery Complete 60 | - [ ] Fingerprinting Complete 61 | - [ ] Application Mapping Complete 62 | - [ ] Information Leakage Assessment Complete 63 | 64 | ## Notes 65 | - Document all findings thoroughly 66 | - Keep track of scope boundaries 67 | - Note any discovered assets for later testing 68 | - Record all identified technologies and versions -------------------------------------------------------------------------------- /OWASP-Checklist/01 - Information 
Gathering/resources/OWASP_Resources.md: -------------------------------------------------------------------------------- 1 | # OWASP Information Gathering Resources 2 | 3 | Reference: OWASP Testing Guide v4.2 4 | 5 | ## Official Tools 6 | 7 | ### Web Server Fingerprinting 8 | - [Netcraft](https://www.netcraft.com/) 9 | - [WhatWeb](https://github.com/urbanadventurer/WhatWeb) 10 | - [Nmap](https://nmap.org/) 11 | - [httprint](http://net-square.com/httprint.html) 12 | - [HTTPRecon](https://w3dt.net/tools/httprecon) 13 | 14 | ### Search Engine Discovery 15 | - [Google Dorks](https://www.exploit-db.com/google-hacking-database) 16 | - [TheHarvester](https://github.com/laramies/theHarvester) 17 | - [Shodan](https://www.shodan.io/) 18 | - [Recon-ng](https://github.com/lanmaster53/recon-ng) 19 | 20 | ### Framework Fingerprinting 21 | - [WAFP](https://github.com/EnableSecurity/wafw00f) 22 | - [BlindElephant](http://blindelephant.sourceforge.net/) 23 | - [Wappalyzer](https://www.wappalyzer.com/) 24 | 25 | ### Website Mirroring 26 | - [HTTrack](https://www.httrack.com/) 27 | - [Wget](https://www.gnu.org/software/wget/) 28 | - [Cyotek WebCopy](https://www.cyotek.com/cyotek-webcopy) 29 | 30 | ## Official Documentation 31 | - [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) 32 | - [OWASP Information Gathering Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/) -------------------------------------------------------------------------------- /OWASP-Checklist/01 - Information Gathering/techniques/OWASP_Techniques.md: -------------------------------------------------------------------------------- 1 | # OWASP Information Gathering Techniques 2 | 3 | Reference: OWASP Testing Guide v4.2 4 | 5 | ## OTG-INFO-001: Conduct Search Engine Discovery and Reconnaissance 6 | [Official 
Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance) 7 | 8 | ## OTG-INFO-002: Fingerprint Web Server 9 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server) 10 | 11 | ## OTG-INFO-003: Review Webserver Metafiles for Information Leakage 12 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage) 13 | 14 | ## OTG-INFO-004: Enumerate Applications on Webserver 15 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver) 16 | 17 | ## OTG-INFO-005: Review Webpage Content for Information Leakage 18 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage) 19 | 20 | ## OTG-INFO-006: Identify Application Entry Points 21 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/06-Identify_Application_Entry_Points) 22 | 23 | ## OTG-INFO-007: Map Execution Paths Through Application 24 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/07-Map_Execution_Paths_Through_Application) 25 | 26 | ## OTG-INFO-008: Fingerprint Web Application Framework 27 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework) 28 | 29 | ## OTG-INFO-009: Fingerprint Web 
Application 30 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/09-Fingerprint_Web_Application) 31 | 32 | ## OTG-INFO-010: Map Application Architecture 33 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/10-Map_Application_Architecture) -------------------------------------------------------------------------------- /OWASP-Checklist/02 - Configuration Testing/README.md.md: -------------------------------------------------------------------------------- 1 | # Configuration Testing 2 | 3 | ## Overview 4 | Configuration testing focuses on analyzing the security of application infrastructure, frameworks, and dependencies. This phase evaluates security controls, server configurations, and platform settings that could lead to vulnerabilities. 5 | 6 | ## Objectives 7 | - Identify misconfigurations in web servers and platforms 8 | - Assess security header implementations 9 | - Review file handling configurations 10 | - Evaluate platform and framework security settings 11 | - Check deployment configuration security 12 | 13 | ## Key Testing Areas 14 | 15 | ### 1. Network Configuration 16 | - [ ] Port Scanning 17 | - [ ] Network Service Identification 18 | - [ ] SSL/TLS Configuration 19 | - [ ] DNS Configuration 20 | - [ ] Load Balancer Configuration 21 | 22 | ### 2. Platform Configuration 23 | - [ ] Web Server Settings 24 | - Apache 25 | - Nginx 26 | - IIS 27 | - [ ] Application Server Configuration 28 | - [ ] Database Server Settings 29 | - [ ] Container Configuration 30 | 31 | ### 3. Security Headers 32 | - [ ] HTTP Security Headers 33 | - Content-Security-Policy 34 | - X-Frame-Options 35 | - X-Content-Type-Options 36 | - Strict-Transport-Security 37 | - X-XSS-Protection 38 | - [ ] Cookie Security Attributes 39 | - [ ] CORS Configuration 40 | 41 | ### 4. 
File Handling 42 | - [ ] File Permission Analysis 43 | - [ ] Backup File Detection 44 | - [ ] Directory Indexing 45 | - [ ] File Extension Handling 46 | - [ ] Upload Directory Security 47 | 48 | ### 5. Infrastructure Security 49 | - [ ] Cloud Service Configuration 50 | - [ ] Container Security Settings 51 | - [ ] Kubernetes Configuration 52 | - [ ] Serverless Function Configuration 53 | 54 | ## Common Tools 55 | - Configuration Analysis: 56 | - Nmap 57 | - Nikto 58 | - SSL Labs Server Test 59 | - SecurityHeaders.com 60 | - Infrastructure Testing: 61 | - AWS Security Scanner 62 | - Azure Security Center 63 | - kubectl-audit 64 | - Docker Bench Security 65 | 66 | ## Additional Resources 67 | - 📁 [Testing Techniques](./techniques/) 68 | - 📁 [Configuration Templates](./resources/) 69 | - 🔗 [OWASP Configuration Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/) 70 | 71 | ## Common Misconfigurations 72 | 1. Default Credentials 73 | 2. Unnecessary Open Ports 74 | 3. Weak SSL/TLS Settings 75 | 4. Missing Security Headers 76 | 5. Excessive Directory Permissions 77 | 6. Exposed Version Information 78 | 7. Debug Mode Enabled 79 | 8. Insecure Cloud Storage Settings 80 | 81 | ## Testing Methodology 82 | 1. Identify Infrastructure Components 83 | 2. Analyze Default Settings 84 | 3. Review Security Controls 85 | 4. Check for Known Vulnerabilities 86 | 5. Validate Security Headers 87 | 6. Test File Handling 88 | 7. 
Assess Cloud Configuration 89 | 90 | ## Progress Tracking 91 | - [ ] Network Configuration Review 92 | - [ ] Platform Configuration Testing 93 | - [ ] Security Headers Analysis 94 | - [ ] File Handling Assessment 95 | - [ ] Infrastructure Security Review 96 | 97 | ## Notes 98 | - Document all configuration findings 99 | - Include version numbers and specific settings 100 | - Note deviations from security best practices 101 | - Maintain evidence of testing 102 | - Consider compliance requirements -------------------------------------------------------------------------------- /OWASP-Checklist/02 - Configuration Testing/resources/OWASP_Resources.md: -------------------------------------------------------------------------------- 1 | # OWASP Configuration Testing Resources 2 | 3 | Reference: OWASP Testing Guide v4.2 4 | 5 | ## Official Tools 6 | 7 | ### Infrastructure Testing 8 | - [Nmap](https://nmap.org/) 9 | - [Wireshark](https://www.wireshark.org/) 10 | - [tcpdump](https://www.tcpdump.org/) 11 | - [Hping](http://www.hping.org/) 12 | 13 | ### Platform Configuration 14 | - [Nikto](https://cirt.net/Nikto2) 15 | - [SSLyze](https://github.com/nabla-c0d3/sslyze) 16 | - [TestSSL](https://testssl.sh/) 17 | - [OpenVAS](https://www.openvas.org/) 18 | 19 | ### File Analysis 20 | - [FOCA](https://github.com/ElevenPaths/FOCA) 21 | - [DirBuster](https://tools.kali.org/web-applications/dirbuster) 22 | - [Gobuster](https://github.com/OJ/gobuster) 23 | 24 | ### Admin Interface Testing 25 | - [Burp Suite](https://portswigger.net/burp) 26 | - [OWASP ZAP](https://www.zaproxy.org/) 27 | - [AdminFinder](https://github.com/maaaaz/webscreenshot) 28 | 29 | ### HTTP Security Testing 30 | - [OWASP HTTPNINJA](https://www.owasp.org/index.php/HTTPninja) 31 | - [curl](https://curl.haxx.se/) 32 | - [HTTP Testing Tools](https://www.owasp.org/index.php/Category:OWASP_HTTP_Security_Headers_Project) 33 | 34 | ### Cloud Configuration 35 | - [AWS CLI](https://aws.amazon.com/cli/) 36 | - [Azure 
CLI](https://docs.microsoft.com/en-us/cli/azure/) 37 | - [GCloud CLI](https://cloud.google.com/sdk/gcloud) 38 | - [CloudSploit](https://cloudsploit.com/) 39 | - [Scout Suite](https://github.com/nccgroup/ScoutSuite) 40 | 41 | ## Official Documentation 42 | - [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) 43 | - [OWASP Configuration Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/) 44 | - [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/) 45 | - [OWASP Cloud Security Project](https://owasp.org/www-project-cloud-security/) -------------------------------------------------------------------------------- /OWASP-Checklist/02 - Configuration Testing/techniques/OWASP_Techniques.md: -------------------------------------------------------------------------------- 1 | # OWASP Configuration Testing Techniques 2 | 3 | Reference: OWASP Testing Guide v4.2 4 | 5 | ## OTG-CONFIG-001: Test Network Infrastructure Configuration 6 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/01-Test_Network_Infrastructure_Configuration) 7 | 8 | ## OTG-CONFIG-002: Test Application Platform Configuration 9 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration) 10 | 11 | ## OTG-CONFIG-003: Test File Extensions Handling for Sensitive Information 12 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/03-Test_File_Extensions_Handling_for_Sensitive_Information) 13 | 14 | ## OTG-CONFIG-004: Review Old Backup and Unreferenced Files for Sensitive 
Information 15 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information) 16 | 17 | ## OTG-CONFIG-005: Enumerate Infrastructure and Application Admin Interfaces 18 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces) 19 | 20 | ## OTG-CONFIG-006: Test HTTP Methods 21 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods) 22 | 23 | ## OTG-CONFIG-007: Test HTTP Strict Transport Security 24 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security) 25 | 26 | ## OTG-CONFIG-008: Test RIA Cross Domain Policy 27 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/08-Test_RIA_Cross_Domain_Policy) 28 | 29 | ## OTG-CONFIG-009: Test File Permission 30 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission) 31 | 32 | ## OTG-CONFIG-010: Test for Subdomain Takeover 33 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover) 34 | 35 | ## OTG-CONFIG-011: Test Cloud Storage 36 | [Official 
Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/11-Test_Cloud_Storage) -------------------------------------------------------------------------------- /OWASP-Checklist/03 - Identity Management/README.md.md: -------------------------------------------------------------------------------- 1 | # Identity Management Testing 2 | 3 | ## Overview 4 | Identity Management testing focuses on evaluating how the application handles user identity throughout its lifecycle, including registration, account management, and provisioning processes. This phase ensures proper implementation of identity-related security controls. 5 | 6 | ## Objectives 7 | - Evaluate user registration security 8 | - Test account provisioning processes 9 | - Assess identity verification mechanisms 10 | - Review profile management security 11 | - Verify role management implementation 12 | 13 | ## Key Testing Areas 14 | 15 | ### 1. User Registration 16 | - [ ] Registration Process Security 17 | - Input validation 18 | - Information disclosure 19 | - Account enumeration 20 | - Predictable usernames 21 | - [ ] Identity Verification 22 | - Email verification 23 | - Phone verification 24 | - Document verification 25 | - [ ] Registration Restrictions 26 | - Rate limiting 27 | - IP-based controls 28 | - Domain restrictions 29 | 30 | ### 2. Account Provisioning 31 | - [ ] Role Assignment 32 | - Default permissions 33 | - Role hierarchy 34 | - Privilege assignment 35 | - [ ] Account Creation Process 36 | - Automated provisioning 37 | - Manual provisioning 38 | - Integration with external systems 39 | - [ ] Account Attributes 40 | - Required fields 41 | - Optional fields 42 | - Sensitive data handling 43 | 44 | ### 3. 
Profile Management 45 | - [ ] Profile Update Security 46 | - Data validation 47 | - Access controls 48 | - Change verification 49 | - [ ] Profile Data Protection 50 | - Data encryption 51 | - Privacy controls 52 | - Data minimization 53 | - [ ] Profile Recovery Process 54 | - Password recovery 55 | - Account recovery 56 | - Multi-factor recovery 57 | 58 | ### 4. Identity Correlation 59 | - [ ] User Uniqueness 60 | - Duplicate detection 61 | - Identity merging 62 | - Cross-reference checking 63 | - [ ] Identity Federation 64 | - SSO implementation 65 | - Identity provider integration 66 | - Token handling 67 | 68 | ## Common Test Scenarios 69 | 1. Multiple Account Creation 70 | 2. Account Takeover Attempts 71 | 3. Identity Verification Bypass 72 | 4. Privilege Escalation via Registration 73 | 5. Profile Update Exploitation 74 | 6. Registration Data Manipulation 75 | 7. Recovery Process Abuse 76 | 8. Federation Token Manipulation 77 | 78 | ## Tools and Resources 79 | - Account Testing: 80 | - Burp Suite 81 | - OWASP ZAP 82 | - Custom Scripts 83 | - Identity Verification: 84 | - Email verification tools 85 | - SMS verification testing 86 | - Document verification testing 87 | - Automation Tools: 88 | - Selenium 89 | - Puppeteer 90 | - Registration bots 91 | 92 | ## Additional Resources 93 | - 📁 [Testing Techniques](./techniques/) 94 | - 📁 [Test Scripts](./resources/) 95 | - 🔗 [OWASP Identity Management Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/) 96 | 97 | ## Common Vulnerabilities 98 | 1. Weak Registration Controls 99 | 2. Insufficient Identity Verification 100 | 3. Predictable Account Numbers 101 | 4. Insecure Direct Object References 102 | 5. Missing Account Enumeration Protection 103 | 6. Weak Profile Recovery Process 104 | 7. Inadequate Role Management 105 | 8. Poor Federation Implementation 106 | 107 | ## Testing Methodology 108 | 1. 
Map Registration Flows 109 | 2. Identify Identity Touchpoints 110 | 3. Test Verification Methods 111 | 4. Analyze Profile Management 112 | 5. Assess Role Assignment 113 | 6. Verify Federation Security 114 | 7. Test Recovery Procedures 115 | 116 | ## Progress Tracking 117 | - [ ] User Registration Testing 118 | - [ ] Account Provisioning Review 119 | - [ ] Profile Management Testing 120 | - [ ] Identity Correlation Assessment 121 | - [ ] Federation Security Review 122 | 123 | ## Documentation Requirements 124 | - Test case details 125 | - Vulnerability findings 126 | - Configuration issues 127 | - Implementation gaps 128 | - Remediation recommendations 129 | 130 | ## Notes 131 | - Document all test cases 132 | - Track registration attempts 133 | - Monitor verification bypasses 134 | - Record identity correlations 135 | - Note security control effectiveness -------------------------------------------------------------------------------- /OWASP-Checklist/03 - Identity Management/resources/OWASP_Resources.md: -------------------------------------------------------------------------------- 1 | # OWASP Identity Management Testing Resources 2 | 3 | Reference: OWASP Testing Guide v4.2 4 | 5 | ## Official Tools 6 | 7 | ### User Enumeration Testing 8 | - [Burp Suite](https://portswigger.net/burp) 9 | - [OWASP ZAP](https://www.zaproxy.org/) 10 | - [Username-Anarchy](https://github.com/7hab/Username-Anarchy) 11 | - [UsernameGenerator](https://github.com/21y4d/UsernameGenerator) 12 | 13 | ### Identity Management Testing 14 | - [OWASP Identity Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Identity_Management_Cheat_Sheet.html) 15 | - [OWASP Testing Guide Tools](https://owasp.org/www-project-web-security-testing-guide/latest/6-Appendix/A-Testing_Tools) 16 | 17 | ### Registration Process Testing 18 | - [Maltego](https://www.maltego.com/) 19 | - [theHarvester](https://github.com/laramies/theHarvester) 20 | - 
[Recon-ng](https://github.com/lanmaster53/recon-ng) 21 | 22 | ### Identity Attack Tools 23 | - [John the Ripper](https://www.openwall.com/john/) 24 | - [Hydra](https://github.com/vanhauser-thc/thc-hydra) 25 | 26 | ## Official Documentation 27 | - [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) 28 | - [OWASP Identity Management Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/) 29 | - [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html) 30 | - [OWASP User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html) -------------------------------------------------------------------------------- /OWASP-Checklist/03 - Identity Management/techniques/OWASP_Techniques.md: -------------------------------------------------------------------------------- 1 | # OWASP Identity Management Testing Techniques 2 | 3 | Reference: OWASP Testing Guide v4.2 4 | 5 | ## OTG-IDENT-001: Test Role Definitions 6 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions) 7 | 8 | ## OTG-IDENT-002: Test User Registration Process 9 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/02-Test_User_Registration_Process) 10 | 11 | ## OTG-IDENT-003: Test Account Provisioning Process 12 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/03-Test_Account_Provisioning_Process) 13 | 14 | ## OTG-IDENT-004: Testing for Account Enumeration and Guessable User Account 15 | [Official 
Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account)

## OTG-IDENT-005: Testing for Weak or Unenforced Username Policy
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/05-Testing_for_Weak_or_Unenforced_Username_Policy)
--------------------------------------------------------------------------------
/OWASP-Checklist/04 - Authentication/README.md.md:
--------------------------------------------------------------------------------
# Authentication Testing

## Overview
Authentication testing focuses on evaluating how the application verifies user identity. This includes assessing all authentication mechanisms, credential management, and authentication workflows to ensure they are secure against various attack vectors.

## Objectives
- Evaluate authentication mechanisms
- Test password policies and management
- Assess multi-factor authentication
- Review session handling
- Verify authentication bypasses
- Test credential recovery processes

## Key Testing Areas

### 1. Password Authentication
- [ ] Password Policy
  - Complexity requirements
  - Length requirements
  - History requirements
  - Common password prevention
- [ ] Password Storage
  - Hashing algorithms
  - Salt implementation
  - Key stretching
- [ ] Login Process
  - Brute force protection
  - Rate limiting
  - Account lockout
  - Error messages

### 2. Multi-Factor Authentication (MFA)
- [ ] MFA Implementation
  - Setup process
  - Recovery process
  - Bypass methods
- [ ] MFA Methods
  - TOTP/HOTP
  - SMS/Email codes
  - Biometric
  - Hardware tokens
- [ ] MFA Security
  - Token validation
  - Replay protection
  - Backup codes

### 3. Authentication Flows
- [ ] Standard Login
  - Remember me functionality
  - Stay logged in features
  - Concurrent sessions
- [ ] Social Login
  - OAuth implementation
  - OpenID Connect
  - Token handling
- [ ] API Authentication
  - API keys
  - JWT implementation
  - OAuth 2.0

### 4. Password Recovery
- [ ] Reset Process
  - Token security
  - Expiration time
  - Rate limiting
- [ ] Recovery Methods
  - Email recovery
  - SMS recovery
  - Security questions
- [ ] Account Recovery
  - Identity verification
  - Audit logging
  - Notification systems

## Common Attack Vectors
1. Brute Force Attacks
2. Credential Stuffing
3. Password Spraying
4. MFA Bypass
5. Session Fixation
6. Token Theft
7. Reset Token Manipulation
8. Social Engineering

## Tools and Resources
- Authentication Testing:
  - Burp Suite (Intruder)
  - Hydra
  - JohnTheRipper
- MFA Testing:
  - 2FA Bypass Scripts
  - Token Generators
  - MFA Test Suite
- Session Analysis:
  - JWT Tool
  - Cookie Manager
  - Session Analyzers

## Additional Resources
- 📁 [Testing Techniques](./techniques/)
- 📁 [Attack Scripts](./resources/)
- 🔗 [OWASP Authentication Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/)

## Common Vulnerabilities
1. Weak Password Requirements
2. Insufficient Brute Force Protection
3. Insecure Password Storage
4. Weak Session Management
5. Vulnerable Reset Processes
6. MFA Implementation Flaws
7. Token Exposure
8. Authentication Bypass Flaws

## Testing Methodology
1. Map Authentication Mechanisms
2. Test Password Policies
3. Evaluate MFA Security
4. Assess Session Management
5. Test Recovery Processes
6. Check Bypass Methods
7. Verify Token Security

## Test Cases

### Password Security
- [ ] Test minimum length
- [ ] Test complexity requirements
- [ ] Test password history
- [ ] Test common passwords
- [ ] Test Unicode characters
- [ ] Test truncation issues

### MFA Security
- [ ] Test bypass methods
- [ ] Test token replay
- [ ] Test race conditions
- [ ] Test backup codes
- [ ] Test recovery process

### Session Management
- [ ] Test session timeouts
- [ ] Test concurrent sessions
- [ ] Test session invalidation
- [ ] Test remember me function

### Recovery Process
- [ ] Test token security
- [ ] Test rate limiting
- [ ] Test enumeration
- [ ] Test notification systems

## Progress Tracking
- [ ] Password Authentication Testing
- [ ] MFA Implementation Review
- [ ] Authentication Flows Testing
- [ ] Password Recovery Assessment
- [ ] Session Management Testing

## Documentation Requirements
- Test scenarios
- Attack attempts
- Successful bypasses
- Configuration issues
- Evidence collection
- Remediation steps

## Notes
- Document all test cases
- Record bypass attempts
- Track authentication failures
- Note security exceptions
- Monitor rate limiting
- Verify audit logging
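Added example (not from this checklist or any tool it links): a password-storage routine that satisfies the Password Storage items above, with a per-password random salt, a configurable key-stretching work factor, and constant-time verification. The record format and function names are my own; the 600,000-iteration default for PBKDF2-HMAC-SHA256 follows the OWASP Password Storage Cheat Sheet linked in the resources file.

```python
import base64
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (OWASP Password Storage Cheat Sheet
# figure). Treat it as the minimum your policy accepts today, not a ceiling.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64).

    A fresh random salt per password defeats precomputed tables and makes
    identical passwords produce different records; the iteration count is
    the key-stretching parameter the checklist asks you to verify.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DERIVED_KEY_BYTES)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def _parse(record: str):
    # base64 never contains "$", so the record splits into exactly four fields.
    algo, iterations, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record: " + algo)
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time, so a wrong guess leaks no timing information."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record was produced with a weaker work factor than
    current policy; rehash it on the user's next successful login."""
    iterations, _, _ = _parse(record)
    return iterations < minimum_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(verify_password("Tr0ub4dor&3", rec))
    print(needs_rehash(hash_password("legacy", iterations=1_000)))
```

When reviewing an application against the Password Storage items, the same three properties are what to look for in its code or database: a salt that differs per record, a work factor that is stored with the hash so it can be raised later, and a comparison that does not short-circuit on the first differing byte.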
--------------------------------------------------------------------------------
/OWASP-Checklist/04 - Authentication/resources/OWASP_Resources.md:
--------------------------------------------------------------------------------
# OWASP Authentication Testing Resources

Reference: OWASP Testing Guide v4.2

## Official Tools

### SSL/TLS Testing
- [SSLyze](https://github.com/nabla-c0d3/sslyze)
- [TestSSL](https://testssl.sh/)
- [OWASP O-Saft](https://owasp.org/www-project-o-saft/)
- [Qualys SSL Labs](https://www.ssllabs.com/ssltest/)

### Default Credential Testing
- [Default Credentials Cheat Sheet](https://github.com/ihebski/DefaultCreds-cheat-sheet)
- [Seclists Default Passwords](https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials)
- [Changeme](https://github.com/ztgrace/changeme)

### Password Testing
- [John the Ripper](https://www.openwall.com/john/)
- [hashcat](https://hashcat.net/)
- [CeWL](https://github.com/digininja/CeWL)
- [OWASP WebGoat](https://owasp.org/www-project-webgoat/)

### Authentication Bypass Testing
- [Burp Suite](https://portswigger.net/burp)
- [OWASP ZAP](https://www.zaproxy.org/)
- [Hydra](https://github.com/vanhauser-thc/thc-hydra)
- [Patator](https://github.com/lanjelot/patator)

### Browser Security Testing
- [OWASP CSRFTester](https://owasp.org/www-project-csrftester/)
- [Browser Exploitation Framework (BeEF)](https://beefproject.com/)

## Official Documentation
- [OWASP Authentication Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/)
- [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html)
- [OWASP Forgot Password Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html)
- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
- [OWASP Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)
--------------------------------------------------------------------------------
/OWASP-Checklist/04 - Authentication/techniques/OWASP_Techniques.md:
--------------------------------------------------------------------------------
# OWASP Authentication Testing Techniques

Reference: OWASP Testing Guide v4.2

## OTG-AUTHN-001: Testing for Credentials Transported over an Encrypted Channel
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel)

## OTG-AUTHN-002: Testing for Default Credentials
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials)

## OTG-AUTHN-003: Testing for Weak Lock Out Mechanism
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism)

## OTG-AUTHN-004: Testing for Bypassing Authentication Schema
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema)

## OTG-AUTHN-005: Testing for Vulnerable Remember Password
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/05-Testing_for_Vulnerable_Remember_Password)

## OTG-AUTHN-006: Testing for Browser Cache Weaknesses
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses)

## OTG-AUTHN-007: Testing for Weak Password Policy
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy)

## OTG-AUTHN-008: Testing for Weak Security Question Answer
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer)

## OTG-AUTHN-009: Testing for Weak Password Change or Reset Functionalities
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities)

## OTG-AUTHN-010: Testing for Weaker Authentication in Alternative Channel
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/10-Testing_for_Weaker_Authentication_in_Alternative_Channel)
--------------------------------------------------------------------------------
/OWASP-Checklist/05 - Authorization/README.md.md:
--------------------------------------------------------------------------------
# Authorization Testing

## Overview
Authorization testing focuses on evaluating how the application controls access to resources and functionalities. This phase ensures that users can only access the resources they are explicitly permitted to and verifies that privilege boundaries are properly enforced.
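As an added illustration of the overview above (example code, not part of the checklist or any project it references): a minimal authorization layer with a role permission matrix for the vertical check and an ownership check for the horizontal one, shown beside the unchecked lookup that produces an insecure direct object reference. Roles, resource types, invoice records and function names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed role permission matrix: role -> set of (action, resource type).
# This is the vertical dimension: which functions a role may call at all.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "user":    {("read", "invoice"), ("update", "invoice")},
    "support": {("read", "invoice")},
    "admin":   {("read", "invoice"), ("update", "invoice"),
                ("delete", "invoice"), ("manage", "users")},
}

# Resource types that carry an owner and must be checked per object.
OWNER_SCOPED: Set[str] = {"invoice"}

# Roles explicitly allowed to cross ownership boundaries (e.g. a support desk).
CROSS_TENANT_ROLES: Set[str] = {"admin", "support"}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str


@dataclass(frozen=True)
class Resource:
    kind: str
    resource_id: str
    owner_id: Optional[str] = None


def is_authorized(principal: Principal, action: str, resource: Resource) -> bool:
    """Deny by default; both checks must pass.

    1. Vertical: the role must grant this action on this resource type.
    2. Horizontal: an owner-scoped object is reachable only by its owner,
       unless the role is explicitly allowed across tenants.
    """
    allowed = ROLE_PERMISSIONS.get(principal.role, set())
    if (action, resource.kind) not in allowed:
        return False
    if resource.kind in OWNER_SCOPED and principal.role not in CROSS_TENANT_ROLES:
        return resource.owner_id == principal.user_id
    return True


# Constructed data store for the example.
INVOICES: Dict[str, Resource] = {
    "inv-1001": Resource("invoice", "inv-1001", owner_id="alice"),
    "inv-1002": Resource("invoice", "inv-1002", owner_id="bob"),
}

# Denied requests are recorded so authorization failures can be monitored.
DENIED_LOG: List[str] = []


def get_invoice_unchecked(invoice_id: str) -> Optional[Resource]:
    """The insecure direct object reference: the record is keyed only by the
    identifier in the request, so any authenticated caller who supplies
    another user's id receives that user's invoice."""
    return INVOICES.get(invoice_id)


def get_invoice(principal: Principal, invoice_id: str) -> Optional[Resource]:
    """Hardened lookup: the object-level check runs on every access."""
    resource = INVOICES.get(invoice_id)
    if resource is None or not is_authorized(principal, "read", resource):
        DENIED_LOG.append(
            f"deny read {invoice_id} by {principal.user_id} ({principal.role})")
        # Missing and forbidden return the same result so the endpoint does
        # not become an oracle for which identifiers exist.
        return None
    return resource


if __name__ == "__main__":
    alice, bob = Principal("alice", "user"), Principal("bob", "user")
    print(get_invoice(alice, "inv-1001"))   # alice's own invoice
    print(get_invoice(bob, "inv-1001"))     # None: horizontal escalation blocked
    print(DENIED_LOG)
```

The two checks map directly onto the test cases that follow: the role matrix is what "Role permission matrix" and "Function access verification" exercise, the ownership test is what IDOR and horizontal escalation probes exercise, and the denial log is what "Monitor authorization failures" expects to find.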

## Objectives
- Evaluate access control mechanisms
- Test role-based access control (RBAC)
- Assess horizontal and vertical privilege escalation
- Review object-level authorization
- Verify API authorization controls

## Key Testing Areas

### 1. Access Control Models
- [ ] Role-Based Access Control (RBAC)
  - Role definitions
  - Permission assignments
  - Role hierarchy
  - Inheritance patterns
- [ ] Attribute-Based Access Control (ABAC)
  - Attribute validation
  - Policy enforcement
  - Context awareness
- [ ] Discretionary Access Control (DAC)
  - Resource ownership
  - Permission delegation
  - Access rights management

### 2. Privilege Escalation Testing
- [ ] Vertical Privilege Escalation
  - Role manipulation
  - Function level access
  - Administrative functions
- [ ] Horizontal Privilege Escalation
  - User impersonation
  - Resource access
  - Data exposure
- [ ] Parameter Manipulation
  - ID tampering
  - Token manipulation
  - Cookie modification

### 3. Business Logic Testing
- [ ] Workflow Bypass
  - Step skipping
  - State manipulation
  - Process circumvention
- [ ] Resource Access
  - Direct object references
  - File access
  - API endpoints
- [ ] Data Segregation
  - Multi-tenancy
  - Data isolation
  - Cross-account access

### 4. API Authorization
- [ ] Endpoint Security
  - REST endpoints
  - GraphQL resolvers
  - WebSocket connections
- [ ] Token Validation
  - JWT validation
  - Scope verification
  - Claims checking
- [ ] Rate Limiting
  - Request quotas
  - User limits
  - API key restrictions

## Common Attack Scenarios
1. Forced Browsing
2. Parameter Tampering
3. Token Manipulation
4. IDOR Exploitation
5. Role Manipulation
6. Session Hijacking
7. API Scope Abuse
8. Workflow Bypasses

## Tools and Resources
- Authorization Testing:
  - Burp Suite Professional
  - OWASP ZAP
  - Autorize (Burp Extension)
- API Testing:
  - Postman
  - SoapUI
  - JMeter
- Custom Tools:
  - Role enumeration scripts
  - Permission mappers
  - Access control testers

## Additional Resources
- 📁 [Testing Techniques](./techniques/)
- 📁 [Test Scripts](./resources/)
- 🔗 [OWASP Authorization Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/)

## Common Vulnerabilities
1. Missing Function Level Access Control
2. Insecure Direct Object References
3. Broken Role Configuration
4. Insufficient Session Validation
5. Weak API Authorization
6. Missing Business Logic Checks
7. Inadequate Permission Checks
8. Broken Access Control Models

## Testing Methodology
1. Map Access Control Model
2. Identify Role Hierarchy
3. Test Permission Boundaries
4. Verify Resource Access
5. Check API Authorization
6. Test Business Logic
7. Assess Data Isolation

## Test Cases

### Access Control Testing
- [ ] Role permission matrix
- [ ] Function access verification
- [ ] Resource accessibility
- [ ] Administrative functions
- [ ] User management controls

### Privilege Escalation
- [ ] Role switching attempts
- [ ] Parameter manipulation
- [ ] Token modification
- [ ] Session handling
- [ ] Forced browsing tests

### Business Logic
- [ ] Workflow sequence
- [ ] State validation
- [ ] Process integrity
- [ ] Data access controls
- [ ] Multi-step processes

### API Security
- [ ] Endpoint authorization
- [ ] Token validation
- [ ] Scope verification
- [ ] Rate limit testing
- [ ] Error handling

## Progress Tracking
- [ ] Access Control Model Review
- [ ] Privilege Escalation Testing
- [ ] Business Logic Assessment
- [ ] API Authorization Testing
- [ ] Data Isolation Verification

## Documentation Requirements
- Access control matrix
- Role definitions
- Permission sets
- Test scenarios
- Vulnerability findings
- Reproduction steps
- Impact assessment

## Notes
- Document permission changes
- Track access attempts
- Record bypass methods
- Monitor authorization failures
- Verify audit logs
- Test negative scenarios
- Check boundary conditions
--------------------------------------------------------------------------------
/OWASP-Checklist/05 - Authorization/resources/OWASP_Resources.md:
--------------------------------------------------------------------------------
# OWASP Authorization Testing Resources

Reference: OWASP Testing Guide v4.2

## Official Tools

### Directory Traversal Testing
- [DotDotPwn](https://github.com/wireghoul/dotdotpwn)
- [FuzzDB Path Traversal Patterns](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/path-traversal)
- [OWASP ZAP](https://www.zaproxy.org/)
- [Burp Suite](https://portswigger.net/burp)

### Authorization Testing
- [Autorize (Burp Extension)](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
- [AuthMatrix (Burp Extension)](https://github.com/SecurityInnovation/AuthMatrix)
- [AuthZ (Burp Extension)](https://github.com/PortSwigger/authz)

### Privilege Escalation Testing
- [OWASP ZAP](https://www.zaproxy.org/)
- [Burp Suite](https://portswigger.net/burp)
- [Caido](https://caido.io/)
- [AuthForce](https://github.com/zt2/authforce)

### IDOR Testing
- [Burp Suite Autorize Extension](https://github.com/Quitten/Autorize)
- [OWASP ZAP](https://www.zaproxy.org/)
- [Astra](https://github.com/flipkart-incubator/Astra)

## Official Documentation
- [OWASP Authorization Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/)
- [OWASP Authorization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html)
- [OWASP Access Control Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html)
- [OWASP IDOR Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html)
--------------------------------------------------------------------------------
/OWASP-Checklist/05 - Authorization/techniques/OWASP_Techniques.md:
--------------------------------------------------------------------------------
# OWASP Authorization Testing Techniques

Reference: OWASP Testing Guide v4.2

## OTG-AUTHZ-001: Testing Directory Traversal File Include
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include)

## OTG-AUTHZ-002: Testing for Bypassing Authorization Schema
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema)

## OTG-AUTHZ-003: Testing for Privilege Escalation
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation)

## OTG-AUTHZ-004: Testing for Insecure Direct Object References
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References)
--------------------------------------------------------------------------------
/OWASP-Checklist/06 - Session Management/REAMDE.md.md:
--------------------------------------------------------------------------------
# Session Management Testing

## Overview
Session management testing focuses on evaluating how the application handles user sessions throughout their lifecycle. This includes session creation, maintenance, and termination, ensuring that session tokens are properly protected and managed.

## Objectives
- Evaluate session token generation
- Test session lifecycle management
- Assess session security controls
- Review session termination procedures
- Verify session binding mechanisms

## Key Testing Areas

### 1. Session Token Analysis
- [ ] Token Generation
  - Randomness
  - Entropy analysis
  - Predictability testing
  - Length verification
- [ ] Token Properties
  - Cookie attributes
  - Security flags
  - Domain scope
  - Path restrictions
- [ ] Token Transport
  - SSL/TLS usage
  - Header analysis
  - Cookie security

### 2. Session Lifecycle
- [ ] Session Creation
  - Initial generation
  - Post-authentication handling
  - Context preservation
- [ ] Session Maintenance
  - Timeout mechanisms
  - Renewal process
  - Concurrent sessions
- [ ] Session Termination
  - Logout procedures
  - Timeout handling
  - Browser closure handling

### 3. Session Security Controls
- [ ] Token Protection
  - HttpOnly flag
  - Secure flag
  - SameSite attribute
  - Domain restrictions
- [ ] Session Binding
  - IP binding
  - Device fingerprinting
  - Browser fingerprinting
- [ ] Session Storage
  - Client-side storage
  - Server-side management
  - Cache controls

### 4. Session Attack Scenarios
- [ ] Session Fixation
  - Pre-authentication tokens
  - Token regeneration
  - Session adoption
- [ ] Session Hijacking
  - Token interception
  - XSS exploitation
  - Network sniffing
- [ ] Session Puzzling
  - Session confusion
  - Race conditions
  - Concurrent access

## Common Tools
- Session Analysis:
  - Burp Suite
  - OWASP ZAP
  - Cookie Manager+
- Token Testing:
  - JWT Decoder
  - Session Timeout Tester
  - Cookie Security Analyzer
- Network Analysis:
  - Wireshark
  - Fiddler
  - mitmproxy

## Additional Resources
- 📁 [Testing Techniques](./techniques/)
- 📁 [Analysis Scripts](./resources/)
- 🔗 [OWASP Session Management Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/)

## Common Vulnerabilities
1. Weak Session Token Generation
2. Missing Security Flags
3. Insufficient Session Expiration
4. Vulnerable Session Handling
5. Insecure Session Storage
6. Poor Logout Implementation
7. Missing Session Binding
8. Concurrent Session Weaknesses

## Testing Methodology

### 1. Token Analysis
- [ ] Examine token format
- [ ] Analyze generation pattern
- [ ] Test randomness
- [ ] Verify length and complexity
- [ ] Check for information disclosure

### 2. Security Controls
- [ ] Verify cookie flags
- [ ] Test transport security
- [ ] Check domain restrictions
- [ ] Validate path settings
- [ ] Test SameSite behavior

### 3. Session Lifecycle
- [ ] Test session creation
- [ ] Verify timeout mechanisms
- [ ] Check renewal process
- [ ] Test termination procedures
- [ ] Analyze concurrent sessions

### 4. Attack Vectors
- [ ] Attempt session fixation
- [ ] Test session hijacking
- [ ] Check token reuse
- [ ] Test session puzzling
- [ ] Verify race conditions

## Test Cases

### Token Security
- [ ] Generation entropy
- [ ] Predictability analysis
- [ ] Transport security
- [ ] Storage security
- [ ] Flag implementation

### Session Management
- [ ] Timeout functionality
- [ ] Logout effectiveness
- [ ] Concurrent session handling
- [ ] Session regeneration
- [ ] Browser closure handling

### Attack Prevention
- [ ] Fixation protection
- [ ] Hijacking resistance
- [ ] XSS impact
- [ ] CSRF protection
- [ ] Replay prevention

## Progress Tracking
- [ ] Token Analysis Complete
- [ ] Security Controls Verified
- [ ] Lifecycle Testing Done
- [ ] Attack Scenarios Tested
- [ ] Documentation Updated

## Documentation Requirements
- Test methodology
- Tool configurations
- Test results
- Token analysis
- Security findings
- Remediation steps

## Best Practices
1. Use secure session IDs
2. Implement proper timeout
3. Secure token transport
4. Enable security flags
5. Bind sessions securely
6. Handle termination properly
7. Protect against fixation
8. Monitor session activity

## Notes
- Document all findings
- Record token patterns
- Track session behaviors
- Note security exceptions
- Monitor timeout patterns
- Verify cleanup procedures
--------------------------------------------------------------------------------
/OWASP-Checklist/06 - Session Management/resources/OWASP_Resources.md:
--------------------------------------------------------------------------------
# OWASP Session Management Testing Resources

Reference: OWASP Testing Guide v4.2

## Official Tools

### Session Analysis
- [Burp Suite](https://portswigger.net/burp)
- [OWASP ZAP](https://www.zaproxy.org/)
- [Cookie Editor](https://cookie-editor.cgagnier.ca/)
- [EditThisCookie](http://www.editthiscookie.com/)

### Cookie Testing
- [Cookie Manager+](https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/)
- [Tamper Data](https://addons.mozilla.org/en-US/firefox/addon/tamper-data-for-ff-quantum/)
- [Cookie Cadger](https://cookiecadger.com/)

### CSRF Testing
- [OWASP CSRFTester](https://owasp.org/www-project-csrftester/)
- [CSRF Protector](https://owasp.org/www-project-csrfprotector/)
- [Burp Suite (CSRF Scanner)](https://portswigger.net/burp)
- [XSRFProbe](https://github.com/0xInfection/XSRFProbe)

### Session Management
- [Session Manager](https://chrome.google.com/webstore/detail/session-manager/mghenlmbmjcpehccoangkdpagbcbkdpc)
- [SessionBox](https://chrome.google.com/webstore/detail/sessionbox-multi-login-to/megbklhjamjbcafknkgmokldgolkdfig)
- [Cookie Quick Manager](https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/)

## Official Documentation
- [OWASP Session Management Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/)
- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
- [OWASP Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)
- [OWASP Cookie Security Guide](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20171130_Cookie_Security_Myths_Misconceptions_David_Johansson.pdf)
--------------------------------------------------------------------------------
/OWASP-Checklist/06 - Session Management/techniques/OWASP_Techniques.md:
--------------------------------------------------------------------------------
# OWASP Session Management Testing Techniques

Reference: OWASP Testing Guide v4.2

## OTG-SESS-001: Testing for Session Management Schema
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema)

## OTG-SESS-002: Testing for Cookies Attributes
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes)

## OTG-SESS-003: Testing for Session Fixation
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation)

## OTG-SESS-004: Testing for Exposed Session Variables
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables)

## OTG-SESS-005: Testing for Cross Site Request Forgery
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery)

## OTG-SESS-006: Testing for Logout Functionality
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality)

## OTG-SESS-007: Testing Session Timeout
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/07-Testing_Session_Timeout)

## OTG-SESS-008: Testing for Session Puzzling
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/08-Testing_for_Session_Puzzling)
--------------------------------------------------------------------------------
/OWASP-Checklist/07 - Input Validation/README.md.md:
--------------------------------------------------------------------------------
# Input Validation Testing

## Overview
Input validation testing focuses on evaluating how the application validates, filters, sanitizes, and processes user input. This phase ensures that applications properly handle all forms of input to prevent injection attacks and data manipulation.

## Objectives
- Evaluate input validation mechanisms
- Test injection vulnerabilities
- Assess sanitization methods
- Review encoding/decoding processes
- Verify input processing logic

## Key Testing Areas

### 1. Injection Testing
- [ ] SQL Injection
  - Classic SQL injection
  - Blind SQL injection
  - Time-based SQL injection
  - ORM injection
- [ ] Command Injection
  - OS command injection
  - Shell injection
  - Parameter injection
- [ ] Other Injection Types
  - LDAP injection
  - XML injection
  - NoSQL injection
  - Template injection

### 2. Cross-Site Scripting (XSS)
- [ ] Reflected XSS
  - URL parameters
  - Form fields
  - HTTP headers
- [ ] Stored XSS
  - User input storage
  - File uploads
  - User profiles
- [ ] DOM-based XSS
  - Client-side scripts
  - DOM manipulation
  - Event handlers

### 3. Input Validation Mechanisms
- [ ] Client-side Validation
  - JavaScript validation
  - HTML5 constraints
  - Form validation
- [ ] Server-side Validation
  - Type checking
  - Format validation
  - Range checking
- [ ] Sanitization Methods
  - Input cleaning
  - HTML sanitization
  - SQL sanitization

### 4. Special Input Handling
- [ ] File Uploads
  - File type validation
  - Content verification
  - Size restrictions
- [ ] Character Encoding
  - UTF-8 handling
  - Special characters
  - Unicode validation
- [ ] Data Formatting
  - Date formats
  - Numeric formats
  - Currency handling

## Common Tools
- Web Scanners:
  - Burp Suite
  - OWASP ZAP
  - Acunetix
- Injection Testing:
  - SQLmap
  - NoSQLMap
  - XSSer
- Custom Tools:
  - Input fuzzer
  - Encoding testers
  - Validation bypass tools

## Additional Resources
- 📁 [Testing Techniques](./techniques/)
- 📁 [Payload Lists](./resources/)
- 🔗 [OWASP Input Validation Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/)

## Common Vulnerabilities
1. Insufficient Input Validation
2. SQL Injection
3. Cross-Site Scripting
4. Command Injection
5. Improper Encoding
6. Unsafe File Uploads
7. Format String Vulnerabilities
8. Buffer Overflows

## Testing Methodology

### 1. Input Field Analysis
- [ ] Identify input vectors
- [ ] Determine input types
- [ ] Map validation rules
- [ ] Test size limits
- [ ] Check type restrictions

### 2. Injection Testing
- [ ] Test SQL injection
- [ ] Verify XSS vectors
- [ ] Check command injection
- [ ] Test LDAP injection
- [ ] Assess NoSQL injection

### 3. Validation Bypass
- [ ] Test client-side bypass
- [ ] Check server-side validation
- [ ] Test encoding bypasses
- [ ] Verify filter evasion
- [ ] Test boundary conditions

### 4. File Upload Testing
- [ ] Test file types
- [ ] Check size limits
- [ ] Verify content handling
- [ ] Test name validation
- [ ] Check storage security

## Test Cases

### Input Validation
- [ ] Length limits
- [ ] Character types
- [ ] Format requirements
- [ ] Range checking
- [ ] Type validation

### Injection Prevention
- [ ] SQL escaping
- [ ] HTML encoding
- [ ] Command sanitization
- [ ] XML validation
- [ ] JSON parsing

### Upload Security
- [ ] MIME type checking
- [ ] Extension validation
- [ ] Content verification
- [ ] Size validation
- [ ] Storage security

## Progress Tracking
- [ ] Input Field Analysis Complete
- [ ] Injection Testing Done
- [ ] Validation Bypass Checked
- [ ] File Upload Testing Complete
- [ ] Documentation Updated

## Documentation Requirements
- Test scenarios
- Injection payloads
- Bypass methods
- Tool configurations
- Findings evidence
- Remediation steps

## Best Practices
1. Validate all inputs
2. Use positive validation
3. Implement proper encoding
4. Apply multiple validation layers
5. Sanitize outputs
6. Restrict file uploads
7. Use prepared statements
8. Implement CSRF protection

## Notes
- Document validation patterns
- Record bypass attempts
- Track injection success
- Note sanitization methods
- Monitor error handling
- Verify processing logic
--------------------------------------------------------------------------------
/OWASP-Checklist/07 - Input Validation/resources/OWASP_Resources.md:
--------------------------------------------------------------------------------
# OWASP Input Validation Testing Resources

Reference: OWASP Testing Guide v4.2

## Official Tools

### XSS Testing
- [XSSer](https://xsser.03c8.net/)
- [BeEF (Browser Exploitation Framework)](https://beefproject.com/)
- [XSStrike](https://github.com/s0md3v/XSStrike)
- [XSS Hunter](https://xsshunter.com/)

### SQL Injection
- [SQLmap](https://sqlmap.org/)
- [jSQL Injection](https://github.com/ron190/jsql-injection)
- [NoSQLMap](https://github.com/codingo/NoSQLMap)
- [Havij](https://github.com/owasp/havij)

### Command Injection
- [Commix](https://github.com/commixproject/commix)
- [WebSploit](https://github.com/websploit/websploit)

### HTTP Parameter Testing
- [OWASP ZAP](https://www.zaproxy.org/)
- [Burp Suite](https://portswigger.net/burp)
- [Param Miner (Burp Extension)](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943)

### XML Testing
- [XXE Injection Payload List](https://github.com/payloadbox/xxe-injection-payload-list)
- [OWASP XML Injection Testing Guide](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)

### Code Analysis
- [SonarQube](https://www.sonarqube.org/)
- [PMD](https://pmd.github.io/)
- [FindBugs](http://findbugs.sourceforge.net/)

## Official Documentation
- [OWASP Input Validation Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/)
- [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
- [OWASP Command Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)
--------------------------------------------------------------------------------
/OWASP-Checklist/07 - Input Validation/techniques/OWASP_Techniques.md:
--------------------------------------------------------------------------------
# OWASP Input Validation Testing Techniques

Reference: OWASP Testing Guide v4.2

## OTG-INPVAL-001: Testing for Reflected Cross Site Scripting
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting)

## OTG-INPVAL-002: Testing for Stored Cross Site Scripting
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting)

## OTG-INPVAL-003: Testing for HTTP Verb Tampering
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering)

## OTG-INPVAL-004: Testing for HTTP Parameter Pollution
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution)

## OTG-INPVAL-005: Testing for SQL Injection
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection)

## OTG-INPVAL-006: Testing for LDAP Injection
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection)

## OTG-INPVAL-007: Testing for XML Injection
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection)

## OTG-INPVAL-008: Testing for SSI Injection
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection)

## OTG-INPVAL-009: Testing for XPath Injection
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection)

## OTG-INPVAL-010: Testing for IMAP SMTP Injection
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection)

## OTG-INPVAL-011: Testing for Code Injection
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection)

## OTG-INPVAL-012: Testing for Command Injection
[Official 
Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection) 40 | 41 | ## OTG-INPVAL-013: Testing for Format String Injection 42 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Format_String_Injection) 43 | 44 | ## OTG-INPVAL-014: Testing for Incubated Vulnerability 45 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/14-Testing_for_Incubated_Vulnerability) 46 | 47 | ## OTG-INPVAL-015: Testing for HTTP Splitting Smuggling 48 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling) 49 | 50 | ## OTG-INPVAL-016: Testing for HTTP Incoming Requests 51 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/16-Testing_for_HTTP_Incoming_Requests) 52 | 53 | ## OTG-INPVAL-017: Testing for Host Header Injection 54 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection) -------------------------------------------------------------------------------- /OWASP-Checklist/08 - Error Handling/README.md.md: -------------------------------------------------------------------------------- 1 | # Error Handling Testing 2 | 3 | ## Overview 4 | Error handling testing focuses on evaluating how the application handles, processes, and displays errors and exceptions. This phase ensures that applications manage errors securely without exposing sensitive information while maintaining appropriate functionality. 
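The overview above states what secure error handling has to achieve. The following is an added example, not code from the OWASP-Checklist repository, written in standard-library Python to show that behaviour end to end: a handler that returns a generic message plus a correlation id while the exception and stack trace go only to the server-side log, a log-injection guard for user-influenced values, and a small detector a tester can run over captured responses to flag the stack traces, system paths, database errors and version strings this checklist asks you to look for. Every name in it (`handle_error`, `find_disclosures`, `SETTINGS`, `NotFound`) and the sample verbose response are constructed for illustration.

```python
"""Added example (not code from the OWASP-Checklist repository): a minimal
secure error handler plus a detector for verbose error disclosure.
All names and the sample response below are constructed; stdlib only."""
import logging
import re
import traceback
import uuid

log = logging.getLogger("app.errors")

# Constructed application settings. The checklist's "Debug Modes" items
# boil down to verifying that this is off in production.
SETTINGS = {"DEBUG": False}


class NotFound(Exception):
    """An expected, client-caused error that is safe to name in a response."""


def sanitize_for_log(value, limit=200):
    """Neutralise log injection: escape CR/LF and other control characters in
    user-influenced text and bound its length before it reaches the log."""
    cleaned = "".join(ch if ch.isprintable() else repr(ch)[1:-1] for ch in str(value))
    return cleaned[:limit]


def handle_error(exc):
    """Map a caught exception to (status, body) without leaking internals.

    Expected client errors get a short, specific message; anything else is a
    generic 500. Exception type, message and stack trace go only to the
    server-side log, keyed by a correlation id that is also returned to the
    client so support can find the entry. Trace data reaches the response
    only when DEBUG is explicitly on.
    """
    correlation_id = str(uuid.uuid4())
    if isinstance(exc, NotFound):
        status, message = 404, "Resource not found"
        log.info("not found [%s]: %s", correlation_id, sanitize_for_log(exc))
    else:
        status, message = 500, "An internal error occurred"
        trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        log.error("unhandled error [%s]: %r\n%s", correlation_id, exc, trace)
    body = {"error": message, "correlation_id": correlation_id}
    if SETTINGS["DEBUG"]:
        body["trace"] = traceback.format_exception(type(exc), exc, exc.__traceback__)
    return status, body


def simulate_request(exc):
    """Raise and catch exc the way a framework's error middleware would."""
    try:
        raise exc
    except Exception as caught:
        return handle_error(caught)


# What a tester greps captured responses for: stack traces, file-system paths,
# database error text and server/framework version strings. Deliberately
# broad; tune the patterns to the target stack.
DISCLOSURE_PATTERNS = {
    "stack_trace": re.compile(
        r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)|Stack trace:", re.I),
    "system_path": re.compile(r"[A-Za-z]:\\[^\s\"']+|/(?:var|usr|home|opt|etc)/[^\s\"']+"),
    "database_error": re.compile(
        r"SQLSTATE|ORA-\d{5}|syntax error at or near|You have an error in your SQL syntax"
        r"|psycopg2\.|pymysql\.|sqlite3\.OperationalError", re.I),
    "version_info": re.compile(
        r"\b(?:Apache|nginx|PHP|Tomcat|Django|Express|IIS)/\d+(?:\.\d+)+", re.I),
}


def find_disclosures(body):
    """Return the sorted disclosure categories present in a response body."""
    return sorted(name for name, pat in DISCLOSURE_PATTERNS.items() if pat.search(body))


# Constructed example of a verbose error page, the kind the "Error Information
# Disclosure" items in this checklist are meant to catch.
VERBOSE_RESPONSE = """<h1>Server Error</h1>
Traceback (most recent call last):
  File "/var/www/app/views.py", line 42, in get_user
    cur.execute("SELECT * FROM users WHERE id = " + uid)
sqlite3.OperationalError: near "OR": syntax error
<hr>Server: nginx/1.18.0 Django/3.2.4"""


if __name__ == "__main__":
    print("verbose page leaks:", find_disclosures(VERBOSE_RESPONSE))
    status, body = simulate_request(RuntimeError("connect failed for dbuser at /opt/app/db.py"))
    print(status, body, "leaks:", find_disclosures(str(body)))
```

Run it as a script to see the verbose page flagged in four categories while the handler's own 500 response is clean. The correlation id is the design point: it is what lets you return nothing useful to an attacker and still give operators a direct handle on the full log entry.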

## Objectives
- Evaluate error handling mechanisms
- Test error message disclosure
- Assess exception handling
- Review logging practices
- Verify debug information exposure

## Key Testing Areas

### 1. Error Message Analysis
- [ ] Client-Side Errors
  - JavaScript errors
  - AJAX error handling
  - Form validation errors
  - UI error messages
- [ ] Server-Side Errors
  - HTTP status codes
  - Application errors
  - Database errors
  - System errors
- [ ] Error Information Disclosure
  - Stack traces
  - System paths
  - Database details
  - Version information

### 2. Exception Handling
- [ ] Application Exceptions
  - Runtime exceptions
  - Logic exceptions
  - Resource exceptions
  - Timeout handling
- [ ] Framework Exceptions
  - Default handlers
  - Custom handlers
  - Global exception handling
- [ ] Third-party Exceptions
  - API errors
  - Service integration errors
  - External system failures

### 3. Error Logging
- [ ] Log Implementation
  - Log levels
  - Log format
  - Log storage
  - Log rotation
- [ ] Log Content
  - Error details
  - User context
  - System state
  - Timestamps
- [ ] Log Security
  - Access controls
  - Sensitive data
  - Log injection
  - Log integrity

### 4. Debug Information
- [ ] Debug Modes
  - Development flags
  - Debug parameters
  - Diagnostic information
- [ ] Configuration Information
  - Server details
  - Framework versions
  - Component versions
- [ ] Environmental Data
  - System paths
  - Internal IPs
  - User accounts
  - Directory structure

## Common Tools
- Error Analysis:
  - Burp Suite
  - OWASP ZAP
  - Fiddler
- Log Analysis:
  - Log parsers
  - Log analyzers
  - SIEM tools
- Debug Tools:
  - Browser DevTools
  - Debugging proxies
  - Error trackers

## Additional Resources
- 📁 [Testing Techniques](./techniques/)
- 📁 [Error Patterns](./resources/)
- 🔗 [OWASP Error Handling Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/)

## Common Vulnerabilities
1. Information Disclosure
2. Verbose Error Messages
3. Unhandled Exceptions
4. Insecure Error Logging
5. Debug Information Exposure
6. Stack Trace Disclosure
7. Sensitive Data in Logs
8. Missing Error Handling

## Testing Methodology

### 1. Error Generation
- [ ] Force application errors
- [ ] Trigger exceptions
- [ ] Create boundary conditions
- [ ] Test timeout scenarios
- [ ] Generate system errors

### 2. Error Analysis
- [ ] Review error messages
- [ ] Analyze stack traces
- [ ] Check information disclosure
- [ ] Evaluate error handling
- [ ] Test error recovery

### 3. Log Review
- [ ] Examine log content
- [ ] Check log security
- [ ] Test log rotation
- [ ] Verify log access
- [ ] Review log format

### 4. Debug Testing
- [ ] Test debug modes
- [ ] Check debug parameters
- [ ] Review debug output
- [ ] Verify configuration info
- [ ] Test diagnostic features

## Test Cases

### Error Messages
- [ ] HTTP error codes
- [ ] Application errors
- [ ] Validation errors
- [ ] System errors
- [ ] Integration errors

### Exception Handling
- [ ] Null pointer exceptions
- [ ] Resource exceptions
- [ ] Logic exceptions
- [ ] Database exceptions
- [ ] API exceptions

### Logging Security
- [ ] Log access control
- [ ] Log content security
- [ ] Log storage security
- [ ] Log transmission
- [ ] Log retention

## Progress Tracking
- [ ] Error Analysis Complete
- [ ] Exception Testing Done
- [ ] Log Review Completed
- [ ] Debug Testing Finished
- [ ] Documentation Updated

## Documentation Requirements
- Error scenarios
- Test cases
- Error messages
- Log samples
- Findings report
- Remediation steps

## Best Practices
1. Use generic error messages
2. Implement proper logging
3. Secure debug information
4. Handle all exceptions
5. Validate error recovery
6. Protect log files
7. Monitor error patterns
8. Regular log review

## Notes
- Document error patterns
- Track information disclosure
- Record exception handling
- Monitor log security
- Verify error recovery
- Check debug exposure

--------------------------------------------------------------------------------
/OWASP-Checklist/08 - Error Handling/resources/OWASP_Resources.md:
--------------------------------------------------------------------------------
# OWASP Error Handling Testing Resources

Reference: OWASP Testing Guide v4.2

## Official Tools

### Error Detection and Analysis
- [Burp Suite](https://portswigger.net/burp)
- [OWASP ZAP](https://www.zaproxy.org/)
- [Acunetix](https://www.acunetix.com/)
- [Netsparker](https://www.netsparker.com/)

### Stack Trace Analysis
- [Stack Trace Analyzer](https://github.com/zendframework/zend-problem-details)
- [Error Stack Parser](https://www.npmjs.com/package/error-stack-parser)
- [PHP Stack Trace](https://github.com/php-errors/exception-handler)

### Fuzzing Tools
- [Wfuzz](https://github.com/xmendez/wfuzz)
- [FFuF](https://github.com/ffuf/ffuf)
- [Burp Intruder](https://portswigger.net/burp/documentation/desktop/tools/intruder)
- [Peach Fuzzer](https://www.peach.tech/)

### Debug Mode Detection
- [ThreadFix](https://github.com/denimgroup/threadfix)
- [Debug Mode Detection Scripts](https://github.com/wireghoul/dotdotpwn)
- [Debug Mode Scanner](https://github.com/ethicalhack3r/wordpress_plugin_security_testing_cheat_sheet)

## Official Documentation
- [OWASP Error Handling Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/)
- [OWASP Error Handling Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html)
- [OWASP Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)

## Best Practices
1. Error Handling Strategies
   - Custom error pages
   - Generic error messages
   - Proper exception handling
   - Logging mechanisms

2. Security Considerations
   - Avoid information disclosure
   - Implement proper logging
   - Sanitize error outputs
   - Use appropriate error codes

3. Testing Methodologies
   - Black box testing
   - White box testing
   - Grey box testing
   - Automated scanning

4. Common Issues to Test
   - Stack trace exposure
   - Verbose error messages
   - Debug information leakage
   - Exception handling gaps

5. Remediation Guidelines
   - Implement custom error pages
   - Use proper exception handling
   - Configure appropriate logging levels
   - Implement security headers

--------------------------------------------------------------------------------
/OWASP-Checklist/08 - Error Handling/techniques/OWASP_Techniques.md:
--------------------------------------------------------------------------------
# OWASP Error Handling Testing Techniques

Reference: OWASP Testing Guide v4.2

## OTG-ERR-001: Testing for Error Code
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_for_Error_Code)

## OTG-ERR-002: Testing for Stack Traces
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces)

## OTG-ERR-003: Testing for Error Handling
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/03-Testing_for_Error_Handling)

## OTG-ERR-004: Testing for Improper Error Handling
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/04-Testing_for_Improper_Error_Handling)

--------------------------------------------------------------------------------
/OWASP-Checklist/09 - Cryptography/README.md.md:
--------------------------------------------------------------------------------
# Cryptography Testing

## Overview
Cryptography testing focuses on evaluating the implementation and usage of cryptographic functions within the application. This phase ensures that cryptographic operations are properly implemented and that secure algorithms and protocols are used to protect sensitive data.

## Objectives
- Evaluate cryptographic implementations
- Test encryption/decryption processes
- Assess key management
- Review cryptographic protocols
- Verify random number generation
- Test hash functions

## Key Testing Areas

### 1. Encryption Implementation
- [ ] Data at Rest
  - Database encryption
  - File system encryption
  - Configuration encryption
  - Stored credentials
- [ ] Data in Transit
  - TLS implementation
  - Protocol security
  - Certificate validation
  - Perfect forward secrecy
- [ ] Data in Use
  - Memory protection
  - Key storage
  - Secure processing
  - Cache security

### 2. Key Management
- [ ] Key Generation
  - Random number generation
  - Key strength
  - Key derivation
  - Seed management
- [ ] Key Storage
  - Secure storage
  - Access controls
  - Key protection
  - Hardware security modules
- [ ] Key Lifecycle
  - Key rotation
  - Key revocation
  - Key backup
  - Key destruction

### 3. Cryptographic Algorithms
- [ ] Symmetric Encryption
  - AES implementation
  - Mode of operation
  - IV handling
  - Padding schemes
- [ ] Asymmetric Encryption
  - RSA implementation
  - ECC usage
  - Key pairs
  - Digital signatures
- [ ] Hash Functions
  - Hash algorithms
  - Salt implementation
  - HMAC usage
  - Password hashing

### 4. Protocol Implementation
- [ ] SSL/TLS
  - Version checking
  - Cipher suites
  - Certificate validation
  - Protocol downgrade
- [ ] Custom Protocols
  - Protocol analysis
  - Security verification
  - Implementation review
  - Known vulnerabilities

## Common Tools
- Crypto Analysis:
  - SSL Labs
  - OpenSSL
  - KeyWhiz
  - Crypto Analyzer
- Protocol Testing:
  - TLS-Attacker
  - SSLyze
  - TestSSL.sh
- Key Management:
  - Key analyzers
  - HSM tools
  - Key generators

## Additional Resources
- 📁 [Testing Techniques](./techniques/)
- 📁 [Crypto Standards](./resources/)
- 🔗 [OWASP Cryptography Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/)

## Common Vulnerabilities
1. Weak Algorithms
2. Poor Key Management
3. Insecure Random Numbers
4. Weak Protocol Versions
5. Improper Certificate Validation
6. Insufficient Key Length
7. Predictable IVs
8. Weak Hash Functions

## Testing Methodology

### 1. Algorithm Analysis
- [ ] Identify algorithms
- [ ] Check configurations
- [ ] Verify key lengths
- [ ] Test implementations
- [ ] Review protocols

### 2. Key Management Testing
- [ ] Test key generation
- [ ] Check key storage
- [ ] Verify key rotation
- [ ] Test key backup
- [ ] Review access controls

### 3. Protocol Testing
- [ ] Test SSL/TLS
- [ ] Check cipher suites
- [ ] Verify certificates
- [ ] Test protocol security
- [ ] Review custom protocols

### 4. Implementation Review
- [ ] Check encryption usage
- [ ] Test random numbers
- [ ] Verify hash functions
- [ ] Review key handling
- [ ] Test crypto operations

## Test Cases

### Encryption Testing
- [ ] Algorithm strength
- [ ] Key management
- [ ] IV generation
- [ ] Padding implementation
- [ ] Mode of operation

### Protocol Security
- [ ] TLS versions
- [ ] Cipher selection
- [ ] Certificate validation
- [ ] Protocol downgrade
- [ ] Forward secrecy

### Key Handling
- [ ] Key generation
- [ ] Key storage
- [ ] Key rotation
- [ ] Access controls
- [ ] Secure deletion

## Progress Tracking
- [ ] Algorithm Analysis Complete
- [ ] Key Management Tested
- [ ] Protocol Testing Done
- [ ] Implementation Reviewed
- [ ] Documentation Updated

## Documentation Requirements
- Algorithm details
- Key management procedures
- Protocol configurations
- Test results
- Security findings
- Remediation steps

## Best Practices
1. Use strong algorithms
2. Implement proper key management
3. Secure random number generation
4. Use current protocol versions
5. Validate certificates properly
6. Implement proper padding
7. Use sufficient key lengths
8. Apply strong hash functions

## Notes
- Document crypto implementations
- Track algorithm usage
- Record key management
- Monitor protocol versions
- Verify random numbers
- Check hash functions

--------------------------------------------------------------------------------
/OWASP-Checklist/09 - Cryptography/resources/OWASP_Resources.md:
--------------------------------------------------------------------------------
# OWASP Cryptography Testing Resources

Reference: OWASP Testing Guide v4.2

## Official Tools

### SSL/TLS Testing
- [SSLyze](https://github.com/nabla-c0d3/sslyze)
- [TestSSL.sh](https://testssl.sh/)
- [SSL Labs Server Test](https://www.ssllabs.com/ssltest/)
- [OpenSSL](https://www.openssl.org/)

### Cryptographic Analysis
- [CrypTool](https://www.cryptool.org/)
- [HashCat](https://hashcat.net/)
- [John the Ripper](https://www.openwall.com/john/)
- [Cryptographic Attack Tools](https://github.com/CrypTools)

### Padding Oracle Testing
- [PadBuster](https://github.com/GDSSecurity/PadBuster)
- [Padding Oracle Attacker](https://github.com/KishanBagaria/padding-oracle-attacker)
- [POET - Padding Oracle Exploitation Tool](https://github.com/liamg/poet)

### Network Traffic Analysis
- [Wireshark](https://www.wireshark.org/)
- [tcpdump](https://www.tcpdump.org/)
- [Burp Suite](https://portswigger.net/burp)
- [OWASP ZAP](https://www.zaproxy.org/)

## Official Documentation
- [OWASP Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)
- [OWASP Transport Layer Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html)
- [OWASP Key Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html)

## Best Practices

### SSL/TLS Configuration
1. Protocol Versions
   - Disable SSL 2.0, 3.0
   - Enable TLS 1.2, 1.3
   - Disable older TLS versions

2. Cipher Suites
   - Use strong cipher suites
   - Disable weak ciphers
   - Implement proper cipher order

### Cryptographic Implementation
1. Algorithm Selection
   - Use standard algorithms
   - Avoid custom implementations
   - Follow NIST recommendations

2. Key Management
   - Proper key generation
   - Secure key storage
   - Regular key rotation
   - Key backup procedures

### Common Testing Scenarios
1. Transport Layer Security
   - Certificate validation
   - Protocol verification
   - Cipher suite testing
   - Perfect forward secrecy

2. Data Protection
   - Encryption at rest
   - Encryption in transit
   - Key storage security
   - Random number generation

3. Common Vulnerabilities
   - Weak algorithms
   - Poor key management
   - Insufficient entropy
   - Padding oracle attacks

--------------------------------------------------------------------------------
/OWASP-Checklist/09 - Cryptography/techniques/OWASP_Techniques.md:
--------------------------------------------------------------------------------
# OWASP Cryptography Testing Techniques

Reference: OWASP Testing Guide v4.2

## OTG-CRYPST-001: Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection)

## OTG-CRYPST-002: Testing for Padding Oracle
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/02-Testing_for_Padding_Oracle)

## OTG-CRYPST-003: Testing for Sensitive Information Sent via Unencrypted Channels
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels)

## OTG-CRYPST-004: Testing for Weak Encryption
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)

--------------------------------------------------------------------------------
/OWASP-Checklist/10 - Business Logic/README.md.md:
--------------------------------------------------------------------------------
# Business Logic Testing

## Overview
Business logic testing focuses on evaluating the application's business rules, workflows, and processes to identify logical flaws that could be exploited. This phase ensures that business processes are implemented securely and cannot be manipulated or bypassed.

## Objectives
- Evaluate business process flows
- Test transaction logic
- Assess workflow sequences
- Review access controls
- Verify business rules
- Test data validation logic

## Key Testing Areas

### 1. Process Flow Testing
- [ ] Workflow Sequences
  - Step ordering
  - Process dependencies
  - State transitions
  - Completion checks
- [ ] Transaction Logic
  - Order processing
  - Payment flows
  - Account management
  - Service provisioning
- [ ] Access Controls
  - Role permissions
  - Process restrictions
  - Time constraints
  - Geographic limitations

### 2. Business Rules
- [ ] Validation Rules
  - Data constraints
  - Business constraints
  - Regulatory requirements
  - Policy enforcement
- [ ] Calculations
  - Price calculations
  - Discount rules
  - Tax computations
  - Currency handling
- [ ] Limits and Restrictions
  - Transaction limits
  - Usage quotas
  - Time restrictions
  - Resource allocation

### 3. Data Manipulation
- [ ] Input Processing
  - Data validation
  - Format verification
  - Range checking
  - Relationship validation
- [ ] Output Processing
  - Data presentation
  - Calculation results
  - Report generation
  - Export handling
- [ ] State Management
  - Session handling
  - Process state
  - Data consistency
  - Transaction integrity

### 4. Integration Points
- [ ] External Systems
  - API integration
  - Third-party services
  - Payment processors
  - External validation
- [ ] Internal Systems
  - Database interaction
  - Service communication
  - Module integration
  - Cache management

## Common Attack Scenarios
1. Process Bypass
2. Parameter Manipulation
3. Resource Abuse
4. Time Manipulation
5. Logic Circumvention
6. State Manipulation
7. Validation Bypass
8. Privilege Escalation

## Tools and Resources
- Process Analysis:
  - Flow mappers
  - State analyzers
  - Process trackers
- Logic Testing:
  - Automated test suites
  - Custom scripts
  - Test harnesses
- Monitoring Tools:
  - Transaction monitors
  - State trackers
  - Process loggers

## Additional Resources
- 📁 [Testing Techniques](./techniques/)
- 📁 [Test Scenarios](./resources/)
- 🔗 [OWASP Business Logic Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/)

## Common Vulnerabilities
1. Inadequate Process Validation
2. Missing State Checks
3. Insufficient Access Controls
4. Broken Business Rules
5. Logic Flaws
6. Race Conditions
7. Data Integrity Issues
8. Transaction Problems

## Testing Methodology

### 1. Process Analysis
- [ ] Map workflows
- [ ] Identify dependencies
- [ ] Document states
- [ ] Review transitions
- [ ] Analyze constraints

### 2. Logic Testing
- [ ] Test business rules
- [ ] Verify calculations
- [ ] Check limitations
- [ ] Test dependencies
- [ ] Validate outcomes

### 3. Data Flow Testing
- [ ] Test input handling
- [ ] Verify processing
- [ ] Check output
- [ ] Validate states
- [ ] Test consistency

### 4. Integration Testing
- [ ] Test external systems
- [ ] Verify internal flows
- [ ] Check dependencies
- [ ] Test error handling
- [ ] Validate responses

## Test Cases

### Process Validation
- [ ] Workflow sequence
- [ ] State transitions
- [ ] Process completion
- [ ] Error handling
- [ ] Recovery procedures

### Business Rules
- [ ] Rule implementation
- [ ] Calculation accuracy
- [ ] Limit enforcement
- [ ] Policy compliance
- [ ] Constraint validation

### Data Handling
- [ ] Input validation
- [ ] Process verification
- [ ] Output validation
- [ ] State management
- [ ] Data integrity

## Progress Tracking
- [ ] Process Analysis Complete
- [ ] Logic Testing Done
- [ ] Data Flow Verified
- [ ] Integration Tested
- [ ] Documentation Updated

## Documentation Requirements
- Process flows
- Business rules
- Test scenarios
- Logic flaws
- Findings report
- Remediation steps

## Best Practices
1. Document business rules
2. Validate process flows
3. Implement proper controls
4. Check state transitions
5. Verify calculations
6. Test error handling
7. Monitor transactions
8. Maintain audit logs

## Notes
- Document process flows
- Track state changes
- Record logic issues
- Monitor transactions
- Verify business rules
- Check integration points

--------------------------------------------------------------------------------
/OWASP-Checklist/10 - Business Logic/resources/OWASP_Resources.md:
--------------------------------------------------------------------------------
# OWASP Business Logic Testing Resources

Reference: OWASP Testing Guide v4.2

## Official Tools

### Web Application Testing
- [Burp Suite](https://portswigger.net/burp)
- [OWASP ZAP](https://www.zaproxy.org/)
- [Postman](https://www.postman.com/)
- [SoapUI](https://www.soapui.org/)

### Request Forgery Testing
- [CSRF Tester](https://owasp.org/www-project-csrftester/)
- [XSRFProbe](https://github.com/0xInfection/XSRFProbe)
- [RequestBin](https://requestbin.com/)

### File Upload Testing
- [FUZZ Database](https://github.com/fuzzdb-project/fuzzdb)
- [SecLists](https://github.com/danielmiessler/SecLists)
- [FileUploadScanner (Burp Extension)](https://github.com/modzero/mod0BurpUploadScanner)

### Workflow Testing
- [Selenium](https://www.selenium.dev/)
- [Puppeteer](https://pptr.dev/)
- [JMeter](https://jmeter.apache.org/)
- [Process Flow Test Cases](https://github.com/OWASP/ASVS)

## Official Documentation
- [OWASP Business Logic Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Business_Logic_Security_Cheat_Sheet.html)
- [OWASP File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html)
- [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)

## Best Practices

### Business Logic Testing Strategies
1. Process Flow Testing
   - Identify critical workflows
   - Map business processes
   - Test sequence dependencies
   - Verify state transitions

2. Data Validation
   - Business rule validation
   - Data consistency checks
   - Boundary value analysis
   - Cross-field validations

3. Access Control Testing
   - Role-based access control
   - Process-level permissions
   - Workflow enforcement
   - Time-based access

4. Common Attack Scenarios
   - Parameter manipulation
   - Session state tampering
   - Race conditions
   - Logic bypasses

### Security Controls
1. Input Validation
   - Business rule validation
   - Data type checking
   - Range checking
   - Format validation

2. Process Controls
   - Workflow enforcement
   - State management
   - Transaction limits
   - Rate limiting

3. Output Validation
   - Data consistency
   - Business rule compliance
   - Process completion verification
   - Audit logging

--------------------------------------------------------------------------------
/OWASP-Checklist/10 - Business Logic/techniques/OWASP_Techniques.md:
--------------------------------------------------------------------------------
# OWASP Business Logic Testing Techniques

Reference: OWASP Testing Guide v4.2

## OTG-BUSLOGIC-001: Test Business Logic Data Validation
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/01-Test_Business_Logic_Data_Validation)

## OTG-BUSLOGIC-002: Test Ability to Forge Requests
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/02-Test_Ability_to_Forge_Requests)

## OTG-BUSLOGIC-003: Test Integrity Checks
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks)

## OTG-BUSLOGIC-004: Test for Process Timing
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/04-Test_for_Process_Timing)

## OTG-BUSLOGIC-005: Test Number of Times a Function Can Be Used Limits
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/05-Test_Number_of_Times_a_Function_Can_Be_Used_Limits)

## OTG-BUSLOGIC-006: Testing for the Circumvention of Work Flows
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/06-Testing_for_the_Circumvention_of_Work_Flows)

## OTG-BUSLOGIC-007: Test Defenses Against Application Misuse
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/07-Test_Defenses_Against_Application_Misuse)

## OTG-BUSLOGIC-008: Test Upload of Unexpected File Types
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types)

## OTG-BUSLOGIC-009: Test Upload of Malicious Files
[Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files)

--------------------------------------------------------------------------------
/OWASP-Checklist/11 - Client-side/README.md.md:
--------------------------------------------------------------------------------
# Client-Side Testing

## Overview
Client-side testing focuses on evaluating security controls and vulnerabilities in browser-based code, including JavaScript, HTML5 features, and client-side storage mechanisms. This phase ensures that client-side components are secure and cannot be manipulated to compromise security.

## Objectives
- Evaluate JavaScript security
- Test client-side validation
- Assess DOM-based vulnerabilities
- Review HTML5 security features
- Verify client-side storage
- Test browser security controls

## Key Testing Areas

### 1. JavaScript Security
- [ ] Code Analysis
  - JavaScript obfuscation
  - Source code review
  - Library vulnerabilities
  - Framework security
- [ ] DOM Manipulation
  - DOM-based XSS
  - DOM manipulation
  - Event handling
  - Content injection
- [ ] AJAX Security
  - Request validation
  - Response handling
  - Cross-origin requests
  - JSON parsing

### 2. Client-Side Storage
- [ ] Web Storage
  - LocalStorage
  - SessionStorage
  - Storage limits
  - Data persistence
- [ ] Cookies
  - Cookie attributes
  - Security flags
  - Cookie handling
  - Session cookies
- [ ] Client Databases
  - IndexedDB
  - Web SQL
  - Cache storage
  - Storage quotas

### 3. HTML5 Features
- [ ] Security Controls
  - Content Security Policy
  - Cross-Origin Resource Sharing
  - Iframe security
  - WebSocket security
- [ ] API Security
  - Geolocation
  - Web Workers
  - File API
  - Canvas security
- [ ] Communication
  - PostMessage
  - WebRTC
  - EventSource
  - Server-Sent Events

### 4. 
Browser Controls 68 | - [ ] Security Headers 69 | - X-Frame-Options 70 | - X-XSS-Protection 71 | - HSTS 72 | - Referrer Policy 73 | - [ ] Browser Features 74 | - SameSite cookies 75 | - Secure contexts 76 | - Mixed content 77 | - Permission API 78 | - [ ] Security Mechanisms 79 | - Origin validation 80 | - Sandbox restrictions 81 | - Content isolation 82 | - Resource integrity 83 | 84 | ## Common Tools 85 | - Code Analysis: 86 | - Chrome DevTools 87 | - Firefox Developer Tools 88 | - Source code analyzers 89 | - JavaScript deobfuscators 90 | - Security Testing: 91 | - OWASP ZAP 92 | - Burp Suite 93 | - RetireJS 94 | - Browser plugins 95 | - Storage Analysis: 96 | - Storage viewers 97 | - Cookie managers 98 | - Cache analyzers 99 | 100 | ## Additional Resources 101 | - 📁 [Testing Techniques](./techniques/) 102 | - 📁 [Security Controls](./resources/) 103 | - 🔗 [OWASP Client-Side Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/) 104 | 105 | ## Common Vulnerabilities 106 | 1. DOM-Based XSS 107 | 2. Client-Side Validation Bypass 108 | 3. Insecure Storage 109 | 4. JavaScript Injection 110 | 5. Cross-Origin Issues 111 | 6. Sensitive Data Exposure 112 | 7. Weak Access Controls 113 | 8. Browser Security Misconfigurations 114 | 115 | ## Testing Methodology 116 | 117 | ### 1. Code Review 118 | - [ ] Analyze JavaScript 119 | - [ ] Review libraries 120 | - [ ] Check frameworks 121 | - [ ] Assess obfuscation 122 | - [ ] Validate security controls 123 | 124 | ### 2. Storage Testing 125 | - [ ] Test web storage 126 | - [ ] Verify cookies 127 | - [ ] Check databases 128 | - [ ] Assess caching 129 | - [ ] Review persistence 130 | 131 | ### 3. Security Controls 132 | - [ ] Test CSP 133 | - [ ] Verify CORS 134 | - [ ] Check headers 135 | - [ ] Test origins 136 | - [ ] Validate isolation 137 | 138 | ### 4. 
Feature Testing 139 | - [ ] Test HTML5 features 140 | - [ ] Verify APIs 141 | - [ ] Check communication 142 | - [ ] Test permissions 143 | - [ ] Validate controls 144 | 145 | ## Test Cases 146 | 147 | ### JavaScript Security 148 | - [ ] Code integrity 149 | - [ ] DOM manipulation 150 | - [ ] Event handling 151 | - [ ] AJAX security 152 | - [ ] Library security 153 | 154 | ### Storage Security 155 | - [ ] Storage mechanisms 156 | - [ ] Data protection 157 | - [ ] Access controls 158 | - [ ] Persistence 159 | - [ ] Quota management 160 | 161 | ### Security Headers 162 | - [ ] Header implementation 163 | - [ ] Policy enforcement 164 | - [ ] Browser controls 165 | - [ ] Security features 166 | - [ ] Content security 167 | 168 | ## Progress Tracking 169 | - [ ] Code Review Complete 170 | - [ ] Storage Testing Done 171 | - [ ] Controls Verified 172 | - [ ] Features Tested 173 | - [ ] Documentation Updated 174 | 175 | ## Documentation Requirements 176 | - Test scenarios 177 | - Code analysis 178 | - Security findings 179 | - Control validation 180 | - Remediation steps 181 | - Best practices 182 | 183 | ## Best Practices 184 | 1. Validate client-side input 185 | 2. Implement CSP 186 | 3. Secure storage usage 187 | 4. Control DOM manipulation 188 | 5. Protect sensitive data 189 | 6. Use security headers 190 | 7. Implement CORS properly 191 | 8. 
Monitor client-side activity 192 | 193 | ## Notes 194 | - Document code patterns 195 | - Track vulnerabilities 196 | - Record security controls 197 | - Monitor storage usage 198 | - Verify browser features 199 | - Check security headers -------------------------------------------------------------------------------- /OWASP-Checklist/11 - Client-side/resources/OWASP_Resources.md: -------------------------------------------------------------------------------- 1 | # OWASP Client-side Testing Resources 2 | 3 | Reference: OWASP Testing Guide v4.2 4 | 5 | ## Official Tools 6 | 7 | ### DOM XSS Testing 8 | - [DOMXSSScanner](https://github.com/yaph/domxssscanner) 9 | - [XSS Hunter](https://xsshunter.com/) 10 | - [DOM Invader (Burp Extension)](https://portswigger.net/burp/documentation/desktop/tools/dom-invader) 11 | - [DOM Snitch](https://github.com/google/dom-snitch) 12 | 13 | ### JavaScript Analysis 14 | - [JSHint](https://jshint.com/) 15 | - [ESLint](https://eslint.org/) 16 | - [RetireJS](https://retirejs.github.io/retire.js/) 17 | - [JSParser](https://github.com/nahamsec/JSParser) 18 | 19 | ### Browser Developer Tools 20 | - [Chrome DevTools](https://developers.google.com/web/tools/chrome-devtools) 21 | - [Firefox Developer Tools](https://developer.mozilla.org/en-US/docs/Tools) 22 | - [Safari Web Inspector](https://developer.apple.com/safari/tools/) 23 | - [Microsoft Edge DevTools](https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide-chromium/) 24 | 25 | ### CORS Testing 26 | - [CORS Tester](https://github.com/RUB-NDS/CORStest) 27 | - [CORScanner](https://github.com/chenjj/CORScanner) 28 | - [Corsy](https://github.com/s0md3v/Corsy) 29 | 30 | ### WebSocket Testing 31 | - [WebSocket King](https://websocketking.com/) 32 | - [Burp Suite WebSocket Testing](https://portswigger.net/burp/documentation/desktop/tools/proxy/websockets) 33 | - [OWASP ZAP WebSocket Add-on](https://www.zaproxy.org/docs/desktop/addons/websockets/) 34 | 35 | ## Official Documentation 36 | - 
[OWASP DOM-based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html) 37 | - [OWASP HTML5 Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html) 38 | - [OWASP CORS Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/CORS_Security_Cheat_Sheet.html) 39 | - [OWASP Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html) 40 | 41 | ## Best Practices 42 | 43 | ### Client-side Security Controls 44 | 1. Input Validation 45 | - Client-side validation 46 | - Output encoding 47 | - Content Security Policy 48 | - Frame protection 49 | 50 | 2. JavaScript Security 51 | - Secure coding practices 52 | - Library management 53 | - Third-party script control 54 | - Event handling 55 | 56 | 3. Storage Security 57 | - Local Storage 58 | - Session Storage 59 | - Cookies 60 | - IndexedDB 61 | 62 | 4. Communication Security 63 | - CORS configuration 64 | - WebSocket security 65 | - Postmessage validation 66 | - HTTPS usage 67 | 68 | ### Testing Methodologies 69 | 1. Static Analysis 70 | - Code review 71 | - Security headers 72 | - JavaScript analysis 73 | - CSS analysis 74 | 75 | 2. Dynamic Analysis 76 | - Runtime testing 77 | - DOM manipulation 78 | - Event triggering 79 | - State management 80 | 81 | 3. 
Security Headers 82 | - Content Security Policy 83 | - X-Frame-Options 84 | - X-XSS-Protection 85 | - HSTS -------------------------------------------------------------------------------- /OWASP-Checklist/11 - Client-side/techniques/OWASP_Techniques.md: -------------------------------------------------------------------------------- 1 | # OWASP Client-side Testing Techniques 2 | 3 | Reference: OWASP Testing Guide v4.2 4 | 5 | ## OTG-CLIENT-001: Testing for DOM-based Cross Site Scripting 6 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting) 7 | 8 | ## OTG-CLIENT-002: Testing for JavaScript Execution 9 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/02-Testing_for_JavaScript_Execution) 10 | 11 | ## OTG-CLIENT-003: Testing for HTML Injection 12 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/03-Testing_for_HTML_Injection) 13 | 14 | ## OTG-CLIENT-004: Testing for Client-side URL Redirect 15 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect) 16 | 17 | ## OTG-CLIENT-005: Testing for CSS Injection 18 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/05-Testing_for_CSS_Injection) 19 | 20 | ## OTG-CLIENT-006: Testing for Client-side Resource Manipulation 21 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/06-Testing_for_Client_Side_Resource_Manipulation) 22 | 23 | ## OTG-CLIENT-007: Testing Cross Origin Resource Sharing 24 | [Official 
Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/07-Testing_Cross_Origin_Resource_Sharing) 25 | 26 | ## OTG-CLIENT-008: Testing for Cross Site Flashing 27 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/08-Testing_for_Cross_Site_Flashing) 28 | 29 | ## OTG-CLIENT-009: Testing for Clickjacking 30 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking) 31 | 32 | ## OTG-CLIENT-010: Testing WebSockets 33 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/10-Testing_WebSockets) 34 | 35 | ## OTG-CLIENT-011: Testing Web Messaging 36 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/11-Testing_Web_Messaging) 37 | 38 | ## OTG-CLIENT-012: Testing Browser Storage 39 | [Official Guide](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage) -------------------------------------------------------------------------------- /OWASP-Checklist/API Testing/API Documentation Testing/resources/OWASP_Resources.md: -------------------------------------------------------------------------------- 1 | # OWASP API Documentation Testing Resources 2 | 3 | Reference: OWASP Testing Guide v4.2 & API Documentation Best Practices 4 | 5 | ## Official Tools 6 | 7 | ### Documentation Generation 8 | - [Swagger UI](https://swagger.io/tools/swagger-ui/) 9 | - [ReDoc](https://github.com/Redocly/redoc) 10 | - [API Blueprint](https://apiblueprint.org/) 11 | - [Postman Documentation](https://learning.postman.com/docs/publishing-your-api/documenting-your-api/) 
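As an added example (not part of this checklist or of any OWASP tool), the following Python script performs the core of the spec-versus-implementation check that documentation-testing tools automate: it matches captured requests to the operations in an OpenAPI document and reports operations that declare no security requirement, endpoints that answer but are absent from the spec, status codes the spec does not list, and response fields the documented schema never mentions. The spec fragment, the `/users/{id}` and `/internal/debug/config` paths and the captured responses are constructed for the example; a real run would load the published spec and a proxy export instead.

```python
"""Spec-versus-traffic conformance check for an OpenAPI 3 document.

Added example; not code from this checklist or from any OWASP project. The
spec fragment and the proxy capture below are constructed inline. A real run
would load the published spec (JSON or YAML) and a proxy export instead.
"""
import re

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed OpenAPI fragment standing in for the API's published spec.
# No global `security`, so each operation must declare its own requirement.
SPEC = {
    "openapi": "3.0.3",
    "security": [],
    "paths": {
        "/users/{id}": {
            "get": {
                "security": [{"bearerAuth": []}],
                "responses": {
                    "200": {"content": {"application/json": {"schema": {
                        "type": "object",
                        "properties": {"id": {"type": "integer"},
                                       "name": {"type": "string"}},
                    }}}},
                    "404": {"description": "not found"},
                },
            },
            # Documented, but declares no security requirement at all.
            "delete": {"responses": {"204": {"description": "deleted"}}},
        },
    },
}

# Constructed proxy capture: (method, path, status, decoded JSON body or None).
OBSERVED = [
    ("GET", "/users/42", 200, {"id": 42, "name": "alice", "password_hash": "$2b$12$..."}),
    ("GET", "/users/43", 403, None),
    ("DELETE", "/users/42", 204, None),
    ("GET", "/internal/debug/config", 200, {"db_url": "postgres://..."}),
]


def template_to_regex(template):
    """Turn an OpenAPI path template such as /users/{id} into an anchored regex."""
    parts = []
    for segment in template.strip("/").split("/"):
        is_param = segment.startswith("{") and segment.endswith("}")
        parts.append(r"[^/]+" if is_param else re.escape(segment))
    return re.compile("^/" + "/".join(parts) + "$")


def find_operation(spec, method, path):
    """Return (template, operation) for an observed request, or (None, None)."""
    for template, ops in spec["paths"].items():
        if method.lower() in ops and template_to_regex(template).match(path):
            return template, ops[method.lower()]
    return None, None


def undocumented_auth(spec):
    """Operations with no security requirement of their own and none inherited."""
    findings = []
    for template, ops in spec["paths"].items():
        for method, op in ops.items():
            if method in HTTP_METHODS and not op.get("security", spec.get("security")):
                findings.append((method.upper(), template))
    return findings


def check_traffic(spec, observed):
    """Compare captured requests and responses against the spec; return findings."""
    findings = []
    for method, path, status, body in observed:
        template, op = find_operation(spec, method, path)
        if op is None:
            # Reachable but not documented: an inventory gap, not a documentation typo.
            findings.append(("shadow-endpoint", f"{method} {path}"))
            continue
        response = op.get("responses", {}).get(str(status))
        if response is None:
            findings.append(("undocumented-status", f"{method} {template} -> {status}"))
            continue
        schema = response.get("content", {}).get("application/json", {}).get("schema")
        if schema and isinstance(body, dict):
            extra = sorted(set(body) - set(schema.get("properties", {})))
            if extra:
                # Fields the API returns but the documented schema never mentions.
                findings.append(("undocumented-field", f"{method} {template}: {extra}"))
    return findings


if __name__ == "__main__":
    for method, template in undocumented_auth(SPEC):
        print("no-security-requirement", method, template)
    for kind, detail in check_traffic(SPEC, OBSERVED):
        print(kind, detail)
```

Each finding class maps to a security question rather than a style one: an operation without a security requirement is either unauthenticated or undocumented, a shadow endpoint is an inventory gap of the kind the API Security Top 10 calls Improper Assets Management, and a response field absent from the schema (here `password_hash`) is data the API leaks without anyone having reviewed it. Spectral lints the spec itself and Dredd checks an implementation against it; the script above combines the two angles on a proxy capture.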
### Documentation Testing
- [Dredd](https://dredd.org/en/latest/)
- [Spectral](https://stoplight.io/open-source/spectral)
- [OpenAPI Validator](https://github.com/swagger-api/validator-badge)
- [JSON Schema Validator](https://www.jsonschemavalidator.net/)

### API Specification Tools
- [OpenAPI Initiative](https://www.openapis.org/)
- [RAML](https://raml.org/)
- [API Blueprint](https://apiblueprint.org/)
- [JSON Schema](https://json-schema.org/)

### Documentation Platforms
- [ReadTheDocs](https://readthedocs.org/)
- [GitBook](https://www.gitbook.com/)
- [Docusaurus](https://docusaurus.io/)
- [MkDocs](https://www.mkdocs.org/)

## Best Practices

### Documentation Standards
1. API Description
   - Overview and purpose
   - Base URL information
   - Authentication methods
   - Rate limiting policies
   - Versioning strategy

2. Endpoint Documentation
   - HTTP methods
   - URL parameters
   - Request headers
   - Request body schema
   - Response formats
   - Status codes
   - Error messages

3. Security Documentation
   - Authentication flows
   - Authorization levels
   - API key management
   - Security headers
   - Data protection
   - Privacy considerations

4. Implementation Guides
   - Getting started
   - Code examples
   - SDK documentation
   - Integration tutorials
   - Troubleshooting guides

### Testing Methodology

1. Documentation Review
   - Completeness check
   - Accuracy verification
   - Consistency review
   - Update frequency
   - Version control

2. Technical Validation
   - API specification validation
   - Schema validation
   - Example verification
   - Link checking
   - Tool compatibility

3. User Experience Testing
   - Readability
   - Navigation
   - Search functionality
   - Mobile responsiveness
   - Accessibility

4. Security Documentation Testing
   - Security controls documentation
   - Authentication documentation
   - Authorization documentation
   - Error handling documentation
   - Security headers documentation

### Maintenance Guidelines

1. Version Control
   - Documentation versioning
   - Change tracking
   - Revision history
   - Deprecation notices
   - Archive management

2. Quality Assurance
   - Technical review process
   - Peer review workflow
   - Feedback integration
   - Update procedures
   - Validation checks

3. Publishing Process
   - Documentation building
   - Automated generation
   - Distribution channels
   - Access control
   - Backup procedures

4. Monitoring and Feedback
   - Usage analytics
   - User feedback
   - Error reporting
   - Documentation issues
   - Improvement tracking
--------------------------------------------------------------------------------
/OWASP-Checklist/API Testing/API Documentation Testing/techniques/OWASP_Techniques.md:
--------------------------------------------------------------------------------
# OWASP API Documentation Testing Techniques

Reference: OWASP Testing Guide v4.2 & API Security Best Practices. API documentation testing is not a WSTG v4.2 chapter; the DOC-TEST identifiers below are this checklist's own.

## DOC-TEST-001: Testing API Documentation Completeness
- Endpoint documentation
- Parameter descriptions
- Response schemas
- Error codes and messages
- Authentication requirements
- Rate limiting details

The security-relevant gap is the one between the documentation and the deployment: endpoints seen in traffic but absent from the spec, retired versions that still answer, and debug routes are findings under Improper Assets Management (API-SEC-009), not documentation defects.

## DOC-TEST-002: Testing API Specification Conformance
- OpenAPI/Swagger compliance
- REST architectural constraints
- JSON Schema validation
- Content-type consistency
- HTTP method usage

## DOC-TEST-003: Testing API Version Management
- Version numbering scheme
- Backwards compatibility
- Deprecation notices
- Migration guides
- Breaking changes documentation

## DOC-TEST-004: Testing API Security Documentation
- Authentication methods
- Authorization levels
- Security headers
- CORS policies
- Data protection measures

## DOC-TEST-005: Testing API Examples and Use Cases
- Request examples
- Response examples
- Error scenarios
- Implementation samples
- Integration guides
--------------------------------------------------------------------------------
/OWASP-Checklist/API Testing/README.md.md:
--------------------------------------------------------------------------------
# API Security Testing

## Overview
API security testing evaluates the security of application programming interfaces, including RESTful services, GraphQL endpoints, SOAP web services and other API implementations. Its goal is to confirm that APIs enforce authentication and authorization on every operation and object, validate what they accept, limit what they return, and cannot be abused to gain unauthorized access or manipulate data.

## Objectives
- Evaluate API authentication
- Test authorization mechanisms
- Assess data validation
- Review rate limiting
- Verify API security controls
- Test API documentation

## Key Testing Areas

### 1. Authentication & Authorization
- [ ] Authentication Methods
  - API keys
  - OAuth flows
  - JWT tokens
  - Basic auth
- [ ] Authorization Controls
  - Role-based access
  - Scope validation
  - Permission checks (per object as well as per function: swap object ids between two test identities)
  - Token validation
- [ ] Token Management
  - Token generation
  - Token storage
  - Token renewal
  - Token revocation

### 2. Data Validation
- [ ] Input Validation
  - Parameter validation
  - Data type checking
  - Format validation
  - Size restrictions
- [ ] Output Validation
  - Response format
  - Data filtering
  - Error handling
  - Status codes
- [ ] Content Validation
  - Content-Type
  - Accept headers
  - Schema validation
  - Data integrity

### 3. API Security Controls
- [ ] Rate Limiting
  - Request quotas
  - Throttling
  - Burst handling
  - Response headers
- [ ] Security Headers
  - CORS headers
  - Content security
  - Cache control
  - Transport security
- [ ] Error Handling
  - Error responses
  - Status codes
  - Error details
  - Debug information

### 4. API Implementation
- [ ] REST Security
  - HTTP methods
  - Resource protection
  - Idempotency
  - State handling
- [ ] GraphQL Security
  - Query depth
  - Field suggestions
  - Introspection
  - Batching attacks
- [ ] SOAP Security
  - XML security
  - WS-Security
  - WSDL security
  - XML validation

## Common Tools
- API Testing:
  - Postman
  - SoapUI
  - Insomnia
  - Swagger Inspector
- Security Testing:
  - OWASP ZAP
  - Burp Suite
  - API Security Tools
  - Custom scripts
- Documentation:
  - Swagger UI
  - OpenAPI tools
  - API documentation generators

## Additional Resources
- 📁 [Testing Techniques](./techniques/)
- 📁 [API Standards](./resources/)
- 🔗 [OWASP API Security Guide](https://owasp.org/www-project-api-security/)

## Common Vulnerabilities
1. Broken Authentication
2. Improper Authorization
3. Excessive Data Exposure
4. Lack of Rate Limiting
5. Security Misconfiguration
6. Input Validation Issues
7. Insufficient Logging
8. Mass Assignment

## Testing Methodology

### 1. Authentication Testing
- [ ] Test auth methods
- [ ] Verify token handling
- [ ] Check session management
- [ ] Test credential security
- [ ] Validate auth flows

### 2. Authorization Testing
- [ ] Test access controls
- [ ] Verify permissions
- [ ] Check role enforcement
- [ ] Test resource access
- [ ] Validate scopes

### 3. Data Validation
- [ ] Test input handling
- [ ] Verify output format
- [ ] Check content types
- [ ] Test error responses
- [ ] Validate schemas

### 4. Security Controls
- [ ] Test rate limiting
- [ ] Verify headers
- [ ] Check encryption
- [ ] Test error handling
- [ ] Validate logging

## Test Cases

### Authentication
- [ ] Auth mechanisms
- [ ] Token security
- [ ] Session handling
- [ ] Credential protection
- [ ] Auth bypasses

### Authorization
- [ ] Access controls
- [ ] Role validation
- [ ] Resource protection
- [ ] Scope checking
- [ ] Permission enforcement

### Data Security
- [ ] Input validation
- [ ] Output handling
- [ ] Content security
- [ ] Data protection
- [ ] Error handling

## Progress Tracking
- [ ] Authentication Testing Complete
- [ ] Authorization Testing Done
- [ ] Data Validation Verified
- [ ] Security Controls Tested
- [ ] Documentation Updated

## Documentation Requirements
- API specifications
- Security controls
- Test scenarios
- Vulnerability findings
- Remediation steps
- Best practices

## Best Practices
1. Implement strong authentication
2. Use proper authorization
3. Validate all input
4. Implement rate limiting
5. Use security headers
6. Handle errors properly
7. Enable proper logging
8. Document security controls

## Notes
- Document API endpoints
- Track security controls
- Record vulnerabilities
- Monitor rate limits
- Verify documentation
- Check implementations
--------------------------------------------------------------------------------
/OWASP-Checklist/API Testing/resources/OWASP_Resources.md:
--------------------------------------------------------------------------------
# OWASP API Testing Resources

Reference: OWASP Testing Guide v4.2 & OWASP API Security Top 10

## Official Tools

### API Testing Platforms
- [Postman](https://www.postman.com/)
- [SoapUI](https://www.soapui.org/)
- [Insomnia](https://insomnia.rest/)
- [Hoppscotch](https://hoppscotch.io/)

### Security Testing Tools
- [OWASP ZAP](https://www.zaproxy.org/)
- [Burp Suite](https://portswigger.net/burp)
- [Acunetix](https://www.acunetix.com/)
- [APISec](https://www.apisec.ai/)

### API Documentation Tools
- [Swagger/OpenAPI](https://swagger.io/)
- [API Blueprint](https://apiblueprint.org/)
- [RAML](https://raml.org/)
- [Stoplight](https://stoplight.io/)

### Performance Testing
- [Apache JMeter](https://jmeter.apache.org/)
- [K6](https://k6.io/)
- [Artillery](https://artillery.io/)
- [Gatling](https://gatling.io/)

## Official Documentation
- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/)
- [OWASP REST Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html)
- [OWASP Microservices Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Microservices_Security_Cheat_Sheet.html)
- [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html)

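As an added example (not code from this checklist or from OWASP), the following Python script shows the two-identity probe that finds the Broken Object Level Authorization and Mass Assignment items listed under Common Vulnerabilities above, run against a deliberately vulnerable API and against the same API with the server-side fix. The API is an in-process stand-in so the script runs offline; the users, tokens and the `/users/{id}` resource are constructed. Against a real target the probes stay the same and only the `api` callable changes to an HTTP client wrapper.

```python
"""Two-identity probes for BOLA and mass assignment against a toy API.

Added example; not code from this checklist or from OWASP. The in-process API
below is constructed to stand in for a real target: replace the `api` callable
with an HTTP client wrapper and keep the probes unchanged. Tokens, user ids and
the /users/{id} resource are illustrative.
"""
import copy

# Constructed data store and bearer tokens for two ordinary (non-admin) users.
USERS = {
    1: {"id": 1, "email": "alice@example.test", "role": "user", "balance": 120},
    2: {"id": 2, "email": "bob@example.test", "role": "user", "balance": 55},
}
TOKENS = {"tok-alice": 1, "tok-bob": 2}
CLIENT_WRITABLE = {"email"}  # the only field a user may change on their own record


def vulnerable_api(db, method, path, token, body=None):
    """Authenticates, then trusts the URL id and binds the whole JSON body."""
    uid = TOKENS.get(token)
    if uid is None:
        return 401, {"error": "unauthenticated"}
    target = int(path.rsplit("/", 1)[1])
    if target not in db:
        return 404, {"error": "not found"}
    if method == "GET":
        return 200, db[target]              # BOLA: never checks that target == uid
    if method == "PATCH":
        db[target].update(body or {})        # mass assignment: every field is writable
        return 200, db[target]
    return 405, {"error": "method not allowed"}


def hardened_api(db, method, path, token, body=None):
    """Same API with an ownership check and an allow-list of writable fields."""
    uid = TOKENS.get(token)
    if uid is None:
        return 401, {"error": "unauthenticated"}
    target = int(path.rsplit("/", 1)[1])
    if target != uid:                        # object-level authorization first, so a
        return 403, {"error": "forbidden"}   # non-owner cannot tell 403 from 404
    if target not in db:
        return 404, {"error": "not found"}
    if method == "GET":
        return 200, db[target]
    if method == "PATCH":
        rejected = set(body or {}) - CLIENT_WRITABLE
        if rejected:                         # reject loudly; silently dropping hides abuse
            return 400, {"error": "read-only fields", "fields": sorted(rejected)}
        db[target].update(body or {})
        return 200, db[target]
    return 405, {"error": "method not allowed"}


def probe(api):
    """Run the two probes a tester would script; return the list of findings."""
    db = copy.deepcopy(USERS)               # fresh copy so probes do not interfere
    findings = []
    # API1 (BOLA): alice's token, bob's object id. A 200 here is the finding.
    status, _ = api(db, "GET", "/users/2", "tok-alice")
    if status == 200:
        findings.append("BOLA: /users/2 readable with alice's token")
    # API6 (mass assignment): alice PATCHes herself with fields the UI never sends.
    api(db, "PATCH", "/users/1", "tok-alice",
        {"email": "a@example.test", "role": "admin", "balance": 10**6})
    if db[1]["role"] != "user" or db[1]["balance"] != USERS[1]["balance"]:
        findings.append("mass assignment: role/balance changed via PATCH /users/1")
    return findings


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_api))
    print("hardened:  ", probe(hardened_api))
```

Two design points carry over to real services. The hardened handler checks ownership before existence, so a non-owner receives 403 for every id and cannot use a 403/404 difference to enumerate valid ids. It also rejects unexpected fields with a 400 instead of silently ignoring them, which both defeats mass assignment and leaves a log entry for the attempt; the probe checks the stored record rather than the response because a 200 with the field quietly dropped is acceptable, while a 200 with the field applied is the finding.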
## Best Practices

### API Security Controls
1. Authentication & Authorization
   - OAuth 2.0/OpenID Connect
   - JWT handling
   - API keys management
   - Role-based access control

2. Input Validation
   - Schema validation
   - Content validation
   - Size limits
   - Format checking

3. Rate Limiting
   - Request quotas
   - Concurrent requests
   - Resource consumption
   - DDoS protection

4. Data Protection
   - Encryption in transit
   - Sensitive data handling
   - Response filtering
   - Error handling

### Testing Methodologies
1. Documentation Testing
   - API specification review
   - Schema validation
   - Security requirements
   - Compliance checks

2. Authentication Testing
   - Token handling
   - Session management
   - Authorization flows
   - Access control

3. Functional Testing
   - Endpoint testing
   - Business logic
   - Error handling
   - Response validation

4. Security Testing
   - Injection attacks
   - Authentication bypass
   - Authorization flaws
   - Common vulnerabilities

### Monitoring and Logging
1. API Monitoring
   - Performance metrics
   - Error rates
   - Usage patterns
   - Security events

2. Logging Requirements
   - Access logs
   - Error logs
   - Security events
   - Audit trails

3. Incident Response
   - Alert mechanisms
   - Response procedures
   - Investigation tools
   - Remediation plans
--------------------------------------------------------------------------------
/OWASP-Checklist/API Testing/techniques/OWASP_Techniques.md:
--------------------------------------------------------------------------------
# OWASP API Testing Techniques

Reference: OWASP Testing Guide v4.2 & OWASP API Security Top 10. The API-SEC-nnn identifiers are this checklist's own; the names and links follow the 2019 edition of the API Security Top 10. The 2023 edition renames and merges several categories (Excessive Data Exposure and Mass Assignment became Broken Object Property Level Authorization, Lack of Resources & Rate Limiting became Unrestricted Resource Consumption, Improper Assets Management became Improper Inventory Management), so map findings to the edition the engagement reports against.

## API-SEC-001: Testing for Broken Object Level Authorization
[Official Guide](https://owasp.org/www-project-api-security/docs/2019/en/latest/OWASP-API-Security-Top-10.html#api1-broken-object-level-authorization)

## API-SEC-002: Testing for Broken Authentication
[Official Guide](https://owasp.org/www-project-api-security/docs/2019/en/latest/OWASP-API-Security-Top-10.html#api2-broken-authentication)

## API-SEC-003: Testing for Excessive Data Exposure
[Official Guide](https://owasp.org/www-project-api-security/docs/2019/en/latest/OWASP-API-Security-Top-10.html#api3-excessive-data-exposure)

## API-SEC-004: Testing for Lack of Resources & Rate Limiting
[Official Guide](https://owasp.org/www-project-api-security/docs/2019/en/latest/OWASP-API-Security-Top-10.html#api4-lack-of-resources-rate-limiting)

## API-SEC-005: Testing for Broken Function Level Authorization
[Official Guide](https://owasp.org/www-project-api-security/docs/2019/en/latest/OWASP-API-Security-Top-10.html#api5-broken-function-level-authorization)

## API-SEC-006: Testing for Mass Assignment
[Official Guide](https://owasp.org/www-project-api-security/docs/2019/en/latest/OWASP-API-Security-Top-10.html#api6-mass-assignment)

## API-SEC-007: Testing for Security Misconfiguration
[Official Guide](https://owasp.org/www-project-api-security/docs/2019/en/latest/OWASP-API-Security-Top-10.html#api7-security-misconfiguration)

## API-SEC-008: Testing for Injection
[Official Guide](https://owasp.org/www-project-api-security/docs/2019/en/latest/OWASP-API-Security-Top-10.html#api8-injection)

## API-SEC-009: Testing for Improper Assets Management
[Official Guide](https://owasp.org/www-project-api-security/docs/2019/en/latest/OWASP-API-Security-Top-10.html#api9-improper-assets-management)

## API-SEC-010: Testing for Insufficient Logging & Monitoring
[Official Guide](https://owasp.org/www-project-api-security/docs/2019/en/latest/OWASP-API-Security-Top-10.html#api10-insufficient-logging-monitoring)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OWASP-Testing-Guide
A checklist for systematically going through the OWASP Testing Guide v4.2


# OWASP Testing Guide Documentation

## Overview
This repository contains documentation based on the OWASP (Open Worldwide Application Security Project, formerly Open Web Application Security Project) Testing Guide v4.2. It covers business logic testing, client-side testing, API testing and API documentation testing.

## Contents

Sections 10 and 11 follow the WSTG v4.2 chapters of the same number. Sections 12 and 13 extend it: the API Testing chapter is organised around the OWASP API Security Top 10 (2019) rather than the single WSTG-APIT-01 (Testing GraphQL) test that WSTG v4.2 contains, and API Documentation Testing is this checklist's own addition.

### 1. Business Logic Testing (Section 10)
- Business Logic Data Validation
- Request Forgery Testing
- Integrity Checks
- Process Timing
- Function Limits
- Workflow Testing
- Application Misuse Testing
- File Upload Testing

### 2. Client-side Testing (Section 11)
- DOM-based XSS Testing
- JavaScript Execution
- HTML Injection
- Client-side URL Redirect
- CSS Injection
- Resource Manipulation
- Cross Origin Resource Sharing
- Cross Site Flashing
- Clickjacking
- WebSockets
- Web Messaging
- Browser Storage

### 3. API Testing (Section 12)
- Object Level Authorization
- Authentication Testing
- Data Exposure
- Resource & Rate Limiting
- Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Injection Testing
- Assets Management
- Logging & Monitoring

### 4. API Documentation Testing (Section 13)
- Documentation Completeness
- Specification Conformance
- Version Management
- Security Documentation
- Examples and Use Cases

## Resources
Each section includes:
- Detailed testing techniques
- Recommended tools
- Best practices
- Official documentation references
- Testing methodologies

## Purpose
This documentation is a guide for security professionals, developers and QA engineers involved in web application security testing. It follows OWASP's widely recognised security testing standards and best practices.

## References
- OWASP Testing Guide v4.2
- OWASP API Security Top 10
- OWASP Security Testing Best Practices

## Contributing
Feel free to contribute to this documentation by submitting pull requests or opening issues for any improvements or corrections.
--------------------------------------------------------------------------------