# Web Security Testing Guide Checklist Contained in this folder is an Excel file which provides the following worksheets: * *Testing Checklist* - facilitates simple progress tracking against each of the "tests" outlined in the guide. * *Summary Findings* - facilitates creating a table of test outcomes and potential recommendations. * *Risk Assessment Calculator* - a dropdown driven sheet for calculating likelihood and impact scores, and a qualitative overall risk rating. * *References* - provides the lists/sets that the calculator is based upon. **Note:** The current (Excel) checklist is based on v4.2 of the OWASP Testing Guide, as content for v5 is still under development. ### Direct Link * [OWASP Testing Checklist (Excel)](https://raw.githubusercontent.com/OWASP/wstg/master/checklists/checklist.xlsx) * [OWASP Testing Checklist (Markdown)](https://raw.githubusercontent.com/OWASP/wstg/master/checklists/checklist.md) ### Excel File Hash SHA-256: 464dce37b4533a274a935d80018924f772d85c834d3e8b656b5e9b9be432072b ### Google Sheets Template The following instructions can be used to copy the Checklist spreadsheet template directly into a new Google sheet without having to save the doc locally first. 1. Go to this [Google Spreadsheet template](https://docs.google.com/spreadsheets/d/1csiYqA3DXhpz69K2JCLKN4H-kzkRFlFi/copy?copyCollaborators=false\©Comments=false\&title=WSTG+Checklist) 2. Click `Make a copy` button. This will create a new checklist in your logged in Google Drive. 3. You should now have a fully populated and functional Web Security Testing Guide Checklist in a Google sheet, with the four tabs as mentioned above. ## Testing Checklist The following is the list of items to test during the assessment: Note: The `Status` column can be set for values similar to "Pass", "Fail", "N/A". | Test ID | Test Name | Status | Notes | | ----------------- | -------------------------------------------------------------------------- | ------ | ----- | | **WSTG-INFO** | **Information Gathering** | | | | WSTG-INFO-01 | Conduct Search Engine Discovery and Reconnaissance for Information Leakage | | | | WSTG-INFO-02 | Fingerprint Web Server | | | | WSTG-INFO-03 | Review Webserver Metafiles for Information Leakage | | | | WSTG-INFO-04 | Enumerate Applications on Webserver | | | | WSTG-INFO-05 | Review Webpage Content for Information Leakage | | | | WSTG-INFO-06 | Identify Application Entry Points | | | | WSTG-INFO-07 | Map Execution Paths Through Application | | | | WSTG-INFO-08 | Fingerprint Web Application Framework | | | | WSTG-INFO-09 | Fingerprint Web Application | | | | WSTG-INFO-10 | Map Application Architecture | | | | **WSTG-CONF** | **Configuration and Deploy Management Testing** | | | | WSTG-CONF-01 | Test Network Infrastructure Configuration | | | | WSTG-CONF-02 | Test Application Platform Configuration | | | | WSTG-CONF-03 | Test File Extensions Handling for Sensitive Information | | | | WSTG-CONF-04 | Review Old Backup and Unreferenced Files for Sensitive Information | | | | WSTG-CONF-05 | Enumerate Infrastructure and Application Admin Interfaces | | | | WSTG-CONF-06 | Test HTTP Methods | | | | WSTG-CONF-07 | Test HTTP Strict Transport Security | | | | WSTG-CONF-08 | Test RIA Cross Domain Policy | | | | WSTG-CONF-09 | Test File Permission | | | | WSTG-CONF-10 | Test for Subdomain Takeover | | | | WSTG-CONF-11 | Test Cloud Storage | | | | WSTG-CONF-12 | Testing for Content Security Policy | | | | WSTG-CONF-13 | Test Path Confusion | | | | WSTG-CONF-14 | Test Other HTTP Security Header Misconfigurations | | | | **WSTG-IDNT** | **Identity Management Testing** | | | | WSTG-IDNT-01 | Test Role Definitions | | | | WSTG-IDNT-02 | Test User Registration Process | | | | WSTG-IDNT-03 | Test Account Provisioning Process | | | | WSTG-IDNT-04 | Testing for Account Enumeration and Guessable User Account | | | | WSTG-IDNT-05 | Testing for Weak or Unenforced Username Policy | | | | **WSTG-ATHN** | **Authentication Testing** | | | | WSTG-ATHN-01 | Testing for Credentials Transported over an Encrypted Channel | | | | WSTG-ATHN-02 | Testing for Default Credentials | | | | WSTG-ATHN-03 | Testing for Weak Lock Out Mechanism | | | | WSTG-ATHN-04 | Testing for Bypassing Authentication Schema | | | | WSTG-ATHN-05 | Testing for Vulnerable Remember Password | | | | WSTG-ATHN-06 | Testing for Browser Cache Weakness | | | | WSTG-ATHN-07 | Testing for Weak Password Policy | | | | WSTG-ATHN-08 | Testing for Weak Security Question Answer | | | | WSTG-ATHN-09 | Testing for Weak Password Change or Reset Functionalities | | | | WSTG-ATHN-10 | Testing for Weaker Authentication in Alternative Channel | | | | WSTG-ATHN-11 | Testing Multi-Factor Authentication (MFA) | | | | **WSTG-ATHZ** | **Authorization Testing** | | | | WSTG-ATHZ-01 | Testing Directory Traversal File Include | | | | WSTG-ATHZ-02 | Testing for Bypassing Authorization Schema | | | | WSTG-ATHZ-03 | Testing for Privilege Escalation | | | | WSTG-ATHZ-04 | Testing for Insecure Direct Object References | | | | WSTG-ATHZ-05 | Testing for OAuth Weaknesses | | | | **WSTG-SESS** | **Session Management Testing** | | | | WSTG-SESS-01 | Testing for Session Management Schema | | | | WSTG-SESS-02 | Testing for Cookies Attributes | | | | WSTG-SESS-03 | Testing for Session Fixation | | | | WSTG-SESS-04 | Testing for Exposed Session Variables | | | | WSTG-SESS-05 | Testing for Cross Site Request Forgery | | | | WSTG-SESS-06 | Testing for Logout Functionality | | | | WSTG-SESS-07 | Testing Session Timeout | | | | WSTG-SESS-08 | Testing for Session Puzzling | | | | WSTG-SESS-09 | Testing for Session Hijacking | | | | WSTG-SESS-10 | Testing JSON Web Tokens | | | | WSTG-SESS-11 | Testing for Concurrent Sessions | | | | **WSTG-INPV** | **Input Validation Testing** | | | | WSTG-INPV-01 | Testing for Reflected Cross Site Scripting | | | | WSTG-INPV-02 | Testing for Stored Cross Site Scripting | | | | WSTG-INPV-03 | Testing for HTTP Verb Tampering | | | | WSTG-INPV-04 | Testing for HTTP Parameter pollution | | | | WSTG-INPV-05 | Testing for SQL Injection | | | | WSTG-INPV-06 | Testing for LDAP Injection | | | | WSTG-INPV-07 | Testing for XML Injection | | | | WSTG-INPV-08 | Testing for SSI Injection | | | | WSTG-INPV-09 | Testing for XPath Injection | | | | WSTG-INPV-10 | Testing for IMAP SMTP Injection | | | | WSTG-INPV-11 | Testing for Code Injection | | | | WSTG-INPV-12 | Testing for Command Injection | | | | WSTG-INPV-13 | Testing for Format String Injection | | | | WSTG-INPV-14 | Testing for Incubated Vulnerabilities | | | | WSTG-INPV-15 | Testing for HTTP Splitting Smuggling | | | | WSTG-INPV-16 | Testing for HTTP Incoming Requests | | | | WSTG-INPV-17 | Testing for Host Header Injection | | | | WSTG-INPV-18 | Testing for Server-Side Template Injection | | | | WSTG-INPV-19 | Testing for Server-Side Request Forgery | | | | WSTG-INPV-20 | Testing for Mass Assignment | | | | **WSTG-ERRH** | **Error Handling** | | | | WSTG-ERRH-01 | Testing for Improper Error Handling | | | | WSTG-ERRH-02 | Testing for Stack Traces | | | | **WSTG-CRYP** | **Cryptography** | | | | WSTG-CRYP-01 | Testing for Weak Transport Layer Security | | | | WSTG-CRYP-02 | Testing for Padding Oracle | | | | WSTG-CRYP-03 | Testing for Sensitive Information Sent Via Unencrypted Channels | | | | WSTG-CRYP-04 | Testing for Weak Encryption | | | | **WSTG-BUSLOGIC** | **Business Logic Testing** | | | | WSTG-BUSL-01 | Test Business Logic Data Validation | | | | WSTG-BUSL-02 | Test Ability to Forge Requests | | | | WSTG-BUSL-03 | Test Integrity Checks | | | | WSTG-BUSL-04 | Test for Process Timing | | | | WSTG-BUSL-05 | Test Number of Times a Function Can Be Used Limits | | | | WSTG-BUSL-06 | Testing for the Circumvention of Work Flows | | | | WSTG-BUSL-07 | Test Defenses Against Application Misuse | | | | WSTG-BUSL-08 | Test Upload of Unexpected File Types | | | | WSTG-BUSL-09 | Test Upload of Malicious Files | | | | WSTG-BUSL-10 | Test Payment Functionality | | | | **WSTG-CLIENT** | **Client-side Testing** | | | | WSTG-CLNT-01 | Testing for DOM Based Cross Site Scripting | | | | WSTG-CLNT-02 | Testing for JavaScript Execution | | | | WSTG-CLNT-03 | Testing for HTML Injection | | | | WSTG-CLNT-04 | Testing for Client-Side URL Redirect | | | | WSTG-CLNT-05 | Testing for CSS Injection | | | | WSTG-CLNT-06 | Testing for Client-Side Resource Manipulation | | | | WSTG-CLNT-07 | Test Cross Origin Resource Sharing | | | | WSTG-CLNT-08 | Testing for Cross Site Flashing | | | | WSTG-CLNT-09 | Testing for Clickjacking | | | | WSTG-CLNT-10 | Testing WebSockets | | | | WSTG-CLNT-11 | Test Web Messaging | | | | WSTG-CLNT-12 | Test Browser Storage | | | | WSTG-CLNT-13 | Testing for Cross Site Script Inclusion | | | | WSTG-CLNT-14 | Testing for Reverse Tabnabbing | | | | **WSTG-APIT** | **API Testing** | | | | WSTG-APIT-01 | API Reconnaissance | | | | WSTG-APIT-02 | API Broken Object Level Authorization | | | | WSTG-APIT-99 | Testing GraphQL | | |