MeasureThat.net
reduce vs flatmap recursive
(version: 0)
Comparing performance of:
reduce vs flatMap
Created:
2 years ago
by:
Guest
Tests:
reduce
const data = { "id": "QL1XLymWE3w2iZA3E2xuj", "title": "OWASP - Web Testing Checklist", "description": "This checklist is based on OWASP Testing Guide and it includes a \u201clow level\u201d penetration testing guide that describes techniques for testing most common web application security issues and security checks to make sure that all vulnerability types are covered.", "closedAt": null, "blocked": false, "items": [ { "type": "category", "title": "Information Gathering", "items": [ { "id": "60IhvL7GNb7ncIiAHggnKw", "type": "check", "title": "Conduct Search Engine Discovery Reconnaissance for Information Leakage", "description": "Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization's site) or indirectly (via third-party services).", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage", "ref": "WSTG-INFO-01", "status": "todo", "result": "not_applicable", "items": [ { "id": "4JdxRNU76DFKaSXnWFjhJY", "title": "WSTG-INFO-01_1", "status": "todo", "blocked": false, "checkId": "60IhvL7GNb7ncIiAHggnKw", "rank": 1, "result": { "value": "not_applicable", "pocAvailable": true, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "D8sbZ9ZyPV0XBMuFteGA3", "type": "check", "title": "Fingerprint Web Server", "description": "Determine the version and type of a running web server to enable further discovery of any known vulnerabilities.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/02-Fingerprint_Web_Server", "ref": "WSTG-INFO-02", "status": "in_progress", "result": "passed", "items": [ { "id": "7bQsKf09hYpLewyd9AJ2DU", "title": "WSTG-INFO-02_1", "status": "in_progress", "blocked": false, "checkId": "D8sbZ9ZyPV0XBMuFteGA3", 
"rank": 1, "result": { "value": "passed", "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5o88WI5Mi8i8LrNpeswgT1", "type": "check", "title": "Review Webserver Metafiles for Information Leakage", "description": "Identify hidden or obfuscated paths and functionality through the analysis of metadata files.\nExtract and map other information that could lead to a better understanding of the systems at hand.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/03-Review_Webserver_Metafiles_for_Information_Leakage", "ref": "WSTG-INFO-03", "status": "todo", "result": null, "items": [ { "id": "2kMilDrKI7e8J1e5I2Pns8", "title": "WSTG-INFO-03_1", "status": "todo", "blocked": false, "checkId": "5o88WI5Mi8i8LrNpeswgT1", "rank": 1, "result": { "value": null, "pocAvailable": true, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "n2ZEU007Pk6LVenGfVK6t", "type": "check", "title": "Enumerate Applications on Webserver", "description": "Enumerate the applications within the scope that exist on a web server.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/04-Enumerate_Applications_on_Webserver", "ref": "WSTG-INFO-04", "status": "in_progress", "result": "passed", "items": [ { "id": "7jEoKyq90H2gwd35uisI7I", "title": "WSTG-INFO-04_1", "status": "in_progress", "blocked": false, "checkId": "n2ZEU007Pk6LVenGfVK6t", "rank": 1, "result": { "value": "passed", "pocAvailable": false, "countReportsLinked": 1 }, "assignee": null } ] }, { "id": "6RZObp1xGpzu6r04QKf6xm", "type": "check", "title": "Review Web Page Content for Information Leakage", "description": "Review web page comments, metadata, and redirect bodies to find any information leakage.\nGather JavaScript files and review the JS code to better understand the application and to find any information 
leakage.\nIdentify if source map files or other frontend debug files exist.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/05-Review_Web_Page_Content_for_Information_Leakage", "ref": "WSTG-INFO-05", "status": "todo", "result": null, "items": [ { "id": "3QOYjEM9dhVgvAClWtmdd7", "title": "WSTG-INFO-05_1", "status": "todo", "blocked": false, "checkId": "6RZObp1xGpzu6r04QKf6xm", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6yI5X56LROrnR4WdlA2JoH", "type": "check", "title": "Identify Application Entry Points", "description": "Identify possible entry and injection points through request and response analysis.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/06-Identify_Application_Entry_Points", "ref": "WSTG-INFO-06", "status": "todo", "result": null, "items": [ { "id": "33rLMf2XGsZi5bQRnXmfxO", "title": "WSTG-INFO-06_1", "status": "todo", "blocked": false, "checkId": "6yI5X56LROrnR4WdlA2JoH", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5b7NEhm2YGqAdDNxKaRwwZ", "type": "check", "title": "Map Execution Paths Through Application", "description": "Map the target application and understand the principal workflows.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/07-Map_Execution_Paths_Through_Application", "ref": "WSTG-INFO-07", "status": "in_progress", "result": null, "items": [ { "id": "25OEzXB6IDLtQacQ2QYOG2", "title": "WSTG-INFO-07_1", "status": "in_progress", "blocked": false, "checkId": "5b7NEhm2YGqAdDNxKaRwwZ", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": 
"36V7iywjArebMqqUdvH43b", "type": "check", "title": "Fingerprint Web Application Framework", "description": "Fingerprint the components used by the web applications.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/08-Fingerprint_Web_Application_Framework", "ref": "WSTG-INFO-08", "status": "todo", "result": null, "items": [ { "id": "5L0lCZ0ol11TMyrYkBk0Rg", "title": "WSTG-INFO-08_1", "status": "todo", "blocked": false, "checkId": "36V7iywjArebMqqUdvH43b", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3gxL1FKjQLNyRF0330t4NP", "type": "check", "title": "Fingerprint Web Application", "description": "This content has been merged into: Fingerprint Web Application Framework.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/09-Fingerprint_Web_Application", "ref": "WSTG-INFO-09", "status": "todo", "result": null, "items": [ { "id": "Vg7KS9CaG3Bu3YQxCvEiy", "title": "WSTG-INFO-09_1", "status": "todo", "blocked": false, "checkId": "3gxL1FKjQLNyRF0330t4NP", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5PfskJykrZOacFLTXRxGsN", "type": "check", "title": "Map Application Architecture", "description": "Understand the architecture of the application and the technologies in use.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/10-Map_Application_Architecture", "ref": "WSTG-INFO-10", "status": "todo", "result": null, "items": [ { "id": "3Ud2O7Sw2Jeido96jrHrcS", "title": "WSTG-INFO-10_1", "status": "todo", "blocked": false, "checkId": "5PfskJykrZOacFLTXRxGsN", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": 
null } ] } ] }, { "type": "category", "title": "Configuration and Deployment Management Testing", "items": [ { "id": "5GCIJ9e1sLsR2RgZ35z7bB", "type": "check", "title": "Test Network Infrastructure Configuration", "description": "Review the applications' configurations set across the network and validate that they are not vulnerable.\nValidate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/01-Test_Network_Infrastructure_Configuration", "ref": "WSTG-CONF-01", "status": "todo", "result": null, "items": [ { "id": "59UELnjAJ2ExVgK3GQ0yl8", "title": "WSTG-CONF-01_1", "status": "todo", "blocked": false, "checkId": "5GCIJ9e1sLsR2RgZ35z7bB", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "CDumZOXap3geS55l2enVJ", "type": "check", "title": "Test Application Platform Configuration", "description": "Ensure that default and known files have been removed.\nValidate that no debugging code or extensions are left in the production environments.\nReview the logging mechanisms set in place for the application.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/02-Test_Application_Platform_Configuration", "ref": "WSTG-CONF-02", "status": "todo", "result": null, "items": [ { "id": "efE7wJz63l6gxZ2UeqFe", "title": "WSTG-CONF-02_1", "status": "todo", "blocked": false, "checkId": "CDumZOXap3geS55l2enVJ", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3KYbvT3gszflgHGolJ7pgA", "type": "check", "title": "Test File Extensions Handling for Sensitive Information", 
"description": "Brute force sensitive file extensions that might contain raw data such as scripts, credentials, etc.\nValidate that no system framework bypasses exist for the rules that have been set", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/03-Test_File_Extensions_Handling_for_Sensitive_Information", "ref": "WSTG-CONF-03", "status": "todo", "result": null, "items": [ { "id": "7g7gR1u9qt5S4RxCkMl4Js", "title": "WSTG-CONF-03_1", "status": "todo", "blocked": false, "checkId": "3KYbvT3gszflgHGolJ7pgA", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3Wtw2lAqUobXJmdGwgI9L7", "type": "check", "title": "Review Old Backup and Unreferenced Files for Sensitive Information", "description": "Find and analyse unreferenced files that might contain sensitive information.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information", "ref": "WSTG-CONF-04", "status": "todo", "result": null, "items": [ { "id": "MCcUuYYbv9HOWcwuRgcSp", "title": "WSTG-CONF-04_1", "status": "todo", "blocked": false, "checkId": "3Wtw2lAqUobXJmdGwgI9L7", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5OiGRBdKAYA8mx1C0ujSbY", "type": "check", "title": "Enumerate Infrastructure and Application Admin Interfaces", "description": "Identify hidden administrator interfaces and functionality.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces", "ref": "WSTG-CONF-05", "status": "todo", "result": 
null, "items": [ { "id": "49wSaNlZ0mG0xUhG0mdIYS", "title": "WSTG-CONF-05_1", "status": "todo", "blocked": false, "checkId": "5OiGRBdKAYA8mx1C0ujSbY", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2RMYRFOab1o2YyAVcMiQww", "type": "check", "title": "Test HTTP Methods", "description": "Enumerate supported HTTP methods.\nTest for access control bypass.\nTest HTTP method overriding techniques.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/06-Test_HTTP_Methods", "ref": "WSTG-CONF-06", "status": "todo", "result": null, "items": [ { "id": "7lyHqDp8L6FA58Tr3eNn14", "title": "WSTG-CONF-06_1", "status": "todo", "blocked": false, "checkId": "2RMYRFOab1o2YyAVcMiQww", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6zUldnSr1l1wpRfARNivhC", "type": "check", "title": "Test HTTP Strict Transport Security", "description": "Review the HSTS header and its validity.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/07-Test_HTTP_Strict_Transport_Security", "ref": "WSTG-CONF-07", "status": "todo", "result": null, "items": [ { "id": "7Z91tdcfOB941bm3Iwk01T", "title": "WSTG-CONF-07_1", "status": "todo", "blocked": false, "checkId": "6zUldnSr1l1wpRfARNivhC", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "L9tbrygzgj5Mk9hH246Jd", "type": "check", "title": "Test RIA Cross Domain Policy", "description": "This content has been removed.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/08-Test_RIA_Cross_Domain_Policy", "ref": 
"WSTG-CONF-08", "status": "todo", "result": null, "items": [ { "id": "6ctaUBLDyfbxVasXTkPH78", "title": "WSTG-CONF-08_1", "status": "todo", "blocked": false, "checkId": "L9tbrygzgj5Mk9hH246Jd", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2XZJlyC2jeqdWwagfTkFzN", "type": "check", "title": "Test File Permission", "description": "Review and identify any rogue file permissions.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/09-Test_File_Permission", "ref": "WSTG-CONF-09", "status": "todo", "result": null, "items": [ { "id": "3s9kdE7UiZrj6sHfHoqIVr", "title": "WSTG-CONF-09_1", "status": "todo", "blocked": false, "checkId": "2XZJlyC2jeqdWwagfTkFzN", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1IjEfNbjOg443fqUSokpMh", "type": "check", "title": "Test for Subdomain Takeover", "description": "Enumerate all possible domains (previous and current).\nIdentify forgotten or misconfigured domains.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/10-Test_for_Subdomain_Takeover", "ref": "WSTG-CONF-10", "status": "todo", "result": null, "items": [ { "id": "32olG8CiL62AjAEtL8vZH", "title": "WSTG-CONF-10_1", "status": "todo", "blocked": false, "checkId": "1IjEfNbjOg443fqUSokpMh", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5NZCLypAPwxnu97Wop0iVs", "type": "check", "title": "Test Cloud Storage", "description": "Assess that the access control configuration for the storage services is properly in place.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/11-Test_Cloud_Storage", "ref": "WSTG-CONF-11", "status": "todo", "result": null, "items": [ { "id": "3KJeKynYf5jsvNc6v2viRD", "title": "WSTG-CONF-11_1", "status": "todo", "blocked": false, "checkId": "5NZCLypAPwxnu97Wop0iVs", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3aE9FmI43OqwtTFEfO4yID", "type": "check", "title": "Testing for Content Security Policy", "description": "Review the Content-Security-Policy header or meta element to identify misconfigurations.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/12-Test_for_Content_Security_Policy", "ref": "WSTG-CONF-12", "status": "todo", "result": null, "items": [ { "id": "110wDlUJvBSEqlUys4d0Uy", "title": "WSTG-CONF-12_1", "status": "todo", "blocked": false, "checkId": "3aE9FmI43OqwtTFEfO4yID", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "7Xjd3PHoQ6vQzLhdPZEI3k", "type": "check", "title": "Test Path Confusion", "description": "Make sure application paths are configured correctly.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/13-Test_for_Path_Confusion", "ref": "WSTG-CONF-13", "status": "todo", "result": null, "items": [ { "id": "3m612bu8eieOALBBlkPahO", "title": "WSTG-CONF-13_1", "status": "todo", "blocked": false, "checkId": "7Xjd3PHoQ6vQzLhdPZEI3k", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Identity Management Testing", "items": [ { "id": "drQ5Yu2Kan1wlnQ38qZsG", 
"type": "check", "title": "Test Role Definitions", "description": "Identify and document roles used by the application.\nAttempt to switch, change, or access another role.\nReview the granularity of the roles and the needs behind the permissions given.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/03-Identity_Management_Testing\/01-Test_Role_Definitions", "ref": "WSTG-IDNT-01", "status": "todo", "result": null, "items": [ { "id": "52OOCa00CZbVNmoD10tvsW", "title": "WSTG-IDNT-01_1", "status": "todo", "blocked": false, "checkId": "drQ5Yu2Kan1wlnQ38qZsG", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4g4dnhqCgKfmaOj9cbSnSS", "type": "check", "title": "Test User Registration Process", "description": "Verify that the identity requirements for user registration are aligned with business and security requirements.\nValidate the registration process.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/03-Identity_Management_Testing\/02-Test_User_Registration_Process", "ref": "WSTG-IDNT-02", "status": "todo", "result": null, "items": [ { "id": "2mM66KPoiHm3mkmMAtNn7P", "title": "WSTG-IDNT-02_1", "status": "todo", "blocked": false, "checkId": "4g4dnhqCgKfmaOj9cbSnSS", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2IovKxTrS96tUJrzYnzGp2", "type": "check", "title": "Test Account Provisioning Process", "description": "Verify which accounts may provision other accounts and of what type.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/03-Identity_Management_Testing\/03-Test_Account_Provisioning_Process", "ref": "WSTG-IDNT-03", "status": "todo", "result": null, "items": [ { "id": "5ABN63Go0d9XXrNX8XFNJp", "title": "WSTG-IDNT-03_1", 
"status": "todo", "blocked": false, "checkId": "2IovKxTrS96tUJrzYnzGp2", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1uN0PaIOFyLjHWRrzoAnFy", "type": "check", "title": "Testing for Account Enumeration and Guessable User Account", "description": "Review processes that pertain to user identification (*e.g.* registration, login, etc.).\nEnumerate users where possible through response analysis.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/03-Identity_Management_Testing\/04-Testing_for_Account_Enumeration_and_Guessable_User_Account", "ref": "WSTG-IDNT-04", "status": "todo", "result": null, "items": [ { "id": "5Ec2gyQV6fnSXLXOBm6R9D", "title": "WSTG-IDNT-04_1", "status": "todo", "blocked": false, "checkId": "1uN0PaIOFyLjHWRrzoAnFy", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3X6uM3I2DEptyZOptB5EAI", "type": "check", "title": "Testing for Weak or Unenforced Username Policy", "description": "Determine whether a consistent account name structure renders the application vulnerable to account enumeration.\nDetermine whether the application's error messages permit account enumeration.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/03-Identity_Management_Testing\/05-Testing_for_Weak_or_Unenforced_Username_Policy", "ref": "WSTG-IDNT-05", "status": "todo", "result": null, "items": [ { "id": "3pLtPKyjeUvDZKaSakCYTB", "title": "WSTG-IDNT-05_1", "status": "todo", "blocked": false, "checkId": "3X6uM3I2DEptyZOptB5EAI", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Authentication Testing", "items": [ { "id": "3SQpNg4NHDDDKTk6YFNBef", "type": "check", "title": "Testing for Credentials Transported 
over an Encrypted Channel", "description": "This content has been merged into: Testing for Sensitive Information Sent via Unencrypted Channels.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel", "ref": "WSTG-ATHN-01", "status": "todo", "result": null, "items": [ { "id": "5yecoDeBWQirx6VW7D8rYT", "title": "WSTG-ATHN-01_1", "status": "todo", "blocked": false, "checkId": "3SQpNg4NHDDDKTk6YFNBef", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2JfMZ2f7B9Qf5OBVgAknhe", "type": "check", "title": "Testing for Default Credentials", "description": "Determine whether the application has any user accounts with default passwords.\nReview whether new user accounts are created with weak or predictable passwords.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/02-Testing_for_Default_Credentials", "ref": "WSTG-ATHN-02", "status": "todo", "result": null, "items": [ { "id": "3KKJ0yH06LgCbgdnRIxdmQ", "title": "WSTG-ATHN-02_1", "status": "todo", "blocked": false, "checkId": "2JfMZ2f7B9Qf5OBVgAknhe", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "lz428xqsQm9r8ZJfvvytI", "type": "check", "title": "Testing for Weak Lock Out Mechanism", "description": "Evaluate the account lockout mechanism's ability to mitigate brute force password guessing.\nEvaluate the unlock mechanism's resistance to unauthorized account unlocking.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/03-Testing_for_Weak_Lock_Out_Mechanism", "ref": "WSTG-ATHN-03", "status": "todo", "result": null, "items": [ { "id": 
"aBoTcnBPqwRTBUnULTZuT", "title": "WSTG-ATHN-03_1", "status": "todo", "blocked": false, "checkId": "lz428xqsQm9r8ZJfvvytI", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "333kZwu4PvfGkR6uX0JfHc", "type": "check", "title": "Testing for Bypassing Authentication Schema", "description": "Ensure that authentication is applied across all services that require it.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/04-Testing_for_Bypassing_Authentication_Schema", "ref": "WSTG-ATHN-04", "status": "todo", "result": null, "items": [ { "id": "1dGaCYnspuzlYe5U9NUGAE", "title": "WSTG-ATHN-04_1", "status": "todo", "blocked": false, "checkId": "333kZwu4PvfGkR6uX0JfHc", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "66dm3iYXMkGTCKhxistE4k", "type": "check", "title": "Testing for Vulnerable Remember Password", "description": "Validate that the generated session is managed securely and do not put the user's credentials in danger.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/05-Testing_for_Vulnerable_Remember_Password", "ref": "WSTG-ATHN-05", "status": "todo", "result": null, "items": [ { "id": "3y1fiPSnTqdO13YwaDmyat", "title": "WSTG-ATHN-05_1", "status": "todo", "blocked": false, "checkId": "66dm3iYXMkGTCKhxistE4k", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "20TXwBCgKd9si6D0O0mbCk", "type": "check", "title": "Testing for Browser Cache Weaknesses", "description": "Review if the application stores sensitive information on the client-side.\nReview if access can occur without authorization.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/06-Testing_for_Browser_Cache_Weaknesses", "ref": "WSTG-ATHN-06", "status": "todo", "result": null, "items": [ { "id": "4DpsNmQS8nT6HnK2igNNJw", "title": "WSTG-ATHN-06_1", "status": "todo", "blocked": false, "checkId": "20TXwBCgKd9si6D0O0mbCk", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1Ctpi50oi5AUhZCIlv42fT", "type": "check", "title": "Testing for Weak Password Policy", "description": "Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/07-Testing_for_Weak_Password_Policy", "ref": "WSTG-ATHN-07", "status": "todo", "result": null, "items": [ { "id": "6utwl28BbdQqp0wm2LODtg", "title": "WSTG-ATHN-07_1", "status": "todo", "blocked": false, "checkId": "1Ctpi50oi5AUhZCIlv42fT", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6j5phsyf40BfdQujCdbIay", "type": "check", "title": "Testing for Weak Security Question Answer", "description": "Determine the complexity and how straight-forward the questions are.\nAssess possible user answers and brute force capabilities.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/08-Testing_for_Weak_Security_Question_Answer", "ref": "WSTG-ATHN-08", "status": "todo", "result": null, "items": [ { "id": "1vMfl61N9jx2gUa8wYN7xa", "title": "WSTG-ATHN-08_1", "status": "todo", "blocked": false, "checkId": "6j5phsyf40BfdQujCdbIay", "rank": 1, "result": { "value": null, "pocAvailable": 
false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6Gqme1CnDnDy1juncAGb3c", "type": "check", "title": "Testing for Weak Password Change or Reset Functionalities", "description": "Determine whether the password change and reset functionality allows accounts to be compromised.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities", "ref": "WSTG-ATHN-09", "status": "todo", "result": null, "items": [ { "id": "43jw9ImRrU9Y8g7n3vRper", "title": "WSTG-ATHN-09_1", "status": "todo", "blocked": false, "checkId": "6Gqme1CnDnDy1juncAGb3c", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2hau77yI6r4en9TpLc5Hgw", "type": "check", "title": "Testing for Weaker Authentication in Alternative Channel", "description": "Identify alternative authentication channels.\nAssess the security measures used and if any bypasses exists on the alternative channels.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/10-Testing_for_Weaker_Authentication_in_Alternative_Channel", "ref": "WSTG-ATHN-10", "status": "todo", "result": null, "items": [ { "id": "yPRnmDBZRMSvhDj7rZFeu", "title": "WSTG-ATHN-10_1", "status": "todo", "blocked": false, "checkId": "2hau77yI6r4en9TpLc5Hgw", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3AO4O32KnVCccM8UzZ5f2G", "type": "check", "title": "Testing Multi-Factor Authentication (MFA)", "description": "Identify the type of MFA used by the application.\nDetermine whether the MFA implementation is robust and secure.\nAttempt to bypass the MFA.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/11-Testing_Multi-Factor_Authentication", "ref": "WSTG-ATHN-11", "status": "todo", "result": null, "items": [ { "id": "5v394QkdwnheWyXrPSXtjA", "title": "WSTG-ATHN-11_1", "status": "todo", "blocked": false, "checkId": "3AO4O32KnVCccM8UzZ5f2G", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Authorization Testing", "items": [ { "id": "2ZrtGtVD7dxEJbY2zkFnfB", "type": "check", "title": "Testing Directory Traversal File Include", "description": "Identify injection points that pertain to path traversal.\nAssess bypassing techniques and identify the extent of path traversal.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/05-Authorization_Testing\/01-Testing_Directory_Traversal_File_Include", "ref": "WSTG-ATHZ-01", "status": "todo", "result": null, "items": [ { "id": "73If6yNnANqO62SkunglKZ", "title": "WSTG-ATHZ-01_1", "status": "todo", "blocked": false, "checkId": "2ZrtGtVD7dxEJbY2zkFnfB", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3hUPPENIry3xkCsNPDMMHb", "type": "check", "title": "Testing for Bypassing Authorization Schema", "description": "Assess if horizontal or vertical access is possible.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/05-Authorization_Testing\/02-Testing_for_Bypassing_Authorization_Schema", "ref": "WSTG-ATHZ-02", "status": "todo", "result": null, "items": [ { "id": "7MEXLngrzXBdf3yRqG6Ik3", "title": "WSTG-ATHZ-02_1", "status": "todo", "blocked": false, "checkId": "3hUPPENIry3xkCsNPDMMHb", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": 
"13SHJl2QqUw207cIuh2uIR", "type": "check", "title": "Testing for Privilege Escalation", "description": "Identify injection points related to privilege manipulation.\nFuzz or otherwise attempt to bypass security measures.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/05-Authorization_Testing\/03-Testing_for_Privilege_Escalation", "ref": "WSTG-ATHZ-03", "status": "todo", "result": null, "items": [ { "id": "7d7uBT3dWt3WNlKhGb8goc", "title": "WSTG-ATHZ-03_1", "status": "todo", "blocked": false, "checkId": "13SHJl2QqUw207cIuh2uIR", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1rdeetyxDwEZc5JqHSv5hY", "type": "check", "title": "Testing for Insecure Direct Object References", "description": "Identify points where object references may occur.\nAssess the access control measures and if they're vulnerable to IDOR.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/05-Authorization_Testing\/04-Testing_for_Insecure_Direct_Object_References", "ref": "WSTG-ATHZ-04", "status": "todo", "result": null, "items": [ { "id": "5hW8Zh1iNDJ274ZZymLqL0", "title": "WSTG-ATHZ-04_1", "status": "todo", "blocked": false, "checkId": "1rdeetyxDwEZc5JqHSv5hY", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5Stq6WtkjScNFEk3NGPICO", "type": "check", "title": "Testing for OAuth Weaknesses", "description": "Determine if OAuth2 implementation is vulnerable or using a deprecated or custom implementation.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/05-Authorization_Testing\/05-Testing_for_OAuth_Weaknesses", "ref": "WSTG-ATHZ-05", "status": "todo", "result": null, "items": [ { "id": "2jaTfEXouCQqll1TYVZpSF", "title": "WSTG-ATHZ-05_1", "status": "todo", 
"blocked": false, "checkId": "5Stq6WtkjScNFEk3NGPICO", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Session Management Testing", "items": [ { "id": "3USg5n9656E2d5mTrFJ91E", "type": "check", "title": "Testing for Session Management Schema", "description": "Gather session tokens, for the same user and for different users where possible.\nAnalyze and ensure that enough randomness exists to stop session forging attacks.\nModify cookies that are not signed and contain information that can be manipulated.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/01-Testing_for_Session_Management_Schema", "ref": "WSTG-SESS-01", "status": "todo", "result": null, "items": [ { "id": "5melVaTekq1GZsQRslORsT", "title": "WSTG-SESS-01_1", "status": "todo", "blocked": false, "checkId": "3USg5n9656E2d5mTrFJ91E", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1VtvNUPt0MOi8mPi20ZopW", "type": "check", "title": "Testing for Cookies Attributes", "description": "Ensure that the proper security configuration is set for cookies.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/02-Testing_for_Cookies_Attributes", "ref": "WSTG-SESS-02", "status": "todo", "result": null, "items": [ { "id": "3LUqoO6uFPVNvSH2u0lQii", "title": "WSTG-SESS-02_1", "status": "todo", "blocked": false, "checkId": "1VtvNUPt0MOi8mPi20ZopW", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4GeEVgBKIQGQcfBTqSNXMD", "type": "check", "title": "Testing for Session Fixation", "description": "Analyze the authentication mechanism and its flow.\nForce cookies and assess the impact.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/03-Testing_for_Session_Fixation", "ref": "WSTG-SESS-03", "status": "todo", "result": null, "items": [ { "id": "POiEJ7C6BrobTng3gl2J4", "title": "WSTG-SESS-03_1", "status": "todo", "blocked": false, "checkId": "4GeEVgBKIQGQcfBTqSNXMD", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1Q9AOX6mkwxTcGKKllF5w5", "type": "check", "title": "Testing for Exposed Session Variables", "description": "Ensure that proper encryption is implemented.\nReview the caching configuration.\nAssess the channel and methods' security.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/04-Testing_for_Exposed_Session_Variables", "ref": "WSTG-SESS-04", "status": "todo", "result": null, "items": [ { "id": "2cikQe08L4mlp7dqVQ8EOB", "title": "WSTG-SESS-04_1", "status": "todo", "blocked": false, "checkId": "1Q9AOX6mkwxTcGKKllF5w5", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "79ZuBfRjKfb7VX8QAVgmok", "type": "check", "title": "Testing for Cross Site Request Forgery", "description": "Determine whether it is possible to initiate requests on a user's behalf that are not initiated by the user.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/05-Testing_for_Cross_Site_Request_Forgery", "ref": "WSTG-SESS-05", "status": "todo", "result": null, "items": [ { "id": "1CSlX5alKh4vSmz2HIbQ3P", "title": "WSTG-SESS-05_1", "status": "todo", "blocked": false, "checkId": "79ZuBfRjKfb7VX8QAVgmok", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "Ggbw68HqUrT9EAdEA284l", 
"type": "check", "title": "Testing for Logout Functionality", "description": "Assess the logout UI.\nAnalyze the session timeout and if the session is properly killed after logout.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/06-Testing_for_Logout_Functionality", "ref": "WSTG-SESS-06", "status": "todo", "result": null, "items": [ { "id": "7XQPZMnrsmehQAIswIY4dv", "title": "WSTG-SESS-06_1", "status": "todo", "blocked": false, "checkId": "Ggbw68HqUrT9EAdEA284l", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "38wIktSbw3QoazLE1lNfib", "type": "check", "title": "Testing Session Timeout", "description": "Validate that a hard session timeout exists.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/07-Testing_Session_Timeout", "ref": "WSTG-SESS-07", "status": "todo", "result": null, "items": [ { "id": "3D1zn77YcSBRFtVDsyj3KG", "title": "WSTG-SESS-07_1", "status": "todo", "blocked": false, "checkId": "38wIktSbw3QoazLE1lNfib", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5HxYWIBXUleHrrBQNsLGhq", "type": "check", "title": "Testing for Session Puzzling", "description": "Identify all session variables.\nBreak the logical flow of session generation.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/08-Testing_for_Session_Puzzling", "ref": "WSTG-SESS-08", "status": "todo", "result": null, "items": [ { "id": "6BqovplxNGMyUg7PIK8UxK", "title": "WSTG-SESS-08_1", "status": "todo", "blocked": false, "checkId": "5HxYWIBXUleHrrBQNsLGhq", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, 
{ "id": "70njqXpOUgRXvvxr2wnIbF", "type": "check", "title": "Testing for Session Hijacking", "description": "Identify vulnerable session cookies.\nHijack vulnerable cookies and assess the risk level.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/09-Testing_for_Session_Hijacking", "ref": "WSTG-SESS-09", "status": "todo", "result": null, "items": [ { "id": "7ERiQi9RI3BElkE5B3c5xQ", "title": "WSTG-SESS-09_1", "status": "todo", "blocked": false, "checkId": "70njqXpOUgRXvvxr2wnIbF", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4FtrkH1XAIA2o1eUe2D7Ko", "type": "check", "title": "Testing JSON Web Tokens", "description": "Determine whether the JWTs expose sensitive information.\nDetermine whether the JWTs can be tampered with or modified.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/10-Testing_JSON_Web_Tokens", "ref": "WSTG-SESS-10", "status": "todo", "result": null, "items": [ { "id": "44GavL2SWyflmMbdE3HX1C", "title": "WSTG-SESS-10_1", "status": "todo", "blocked": false, "checkId": "4FtrkH1XAIA2o1eUe2D7Ko", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Input Validation Testing", "items": [ { "id": "FTGLng58bkdoL44WhDxix", "type": "check", "title": "Testing for Reflected Cross Site Scripting", "description": "Identify variables that are reflected in responses.\nAssess the input they accept and the encoding that gets applied on return (if any).", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/01-Testing_for_Reflected_Cross_Site_Scripting", "ref": "WSTG-INPV-01", "status": "todo", "result": null, "items": 
[ { "id": "5y3reJgVfrNBnZ3HXgalz9", "title": "WSTG-INPV-01_1", "status": "todo", "blocked": false, "checkId": "FTGLng58bkdoL44WhDxix", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6utWjKa2eNPyxg6L4s2T2G", "type": "check", "title": "Testing for Stored Cross Site Scripting", "description": "Identify stored input that is reflected on the client-side.\nAssess the input they accept and the encoding that gets applied on return (if any).", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/02-Testing_for_Stored_Cross_Site_Scripting", "ref": "WSTG-INPV-02", "status": "todo", "result": null, "items": [ { "id": "4PgWi8tCI8qA1b1ZeIDwEY", "title": "WSTG-INPV-02_1", "status": "todo", "blocked": false, "checkId": "6utWjKa2eNPyxg6L4s2T2G", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "67v9wdqIadk608UbYED7Zw", "type": "check", "title": "Testing for HTTP Verb Tampering", "description": "This content has been merged into: Test HTTP Methods", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/03-Testing_for_HTTP_Verb_Tampering", "ref": "WSTG-INPV-03", "status": "todo", "result": null, "items": [ { "id": "2gzE4JIwEygl4bfmwMdECZ", "title": "WSTG-INPV-03_1", "status": "todo", "blocked": false, "checkId": "67v9wdqIadk608UbYED7Zw", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6Dr2byCJgr2zwlxG1qhcNl", "type": "check", "title": "Testing for HTTP Parameter Pollution", "description": "Identify the backend and the parsing method used.\nAssess injection points and try bypassing input filters using HPP.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/04-Testing_for_HTTP_Parameter_Pollution", "ref": "WSTG-INPV-04", "status": "todo", "result": null, "items": [ { "id": "6zV6VWfLeKSCsxiAG1Ig61", "title": "WSTG-INPV-04_1", "status": "todo", "blocked": false, "checkId": "6Dr2byCJgr2zwlxG1qhcNl", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "7eYOngQ5wY7uit0ZdIh0Ci", "type": "check", "title": "Testing for SQL Injection", "description": "Identify SQL injection points.\nAssess the severity of the injection and the level of access that can be achieved through it.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/05-Testing_for_SQL_Injection", "ref": "WSTG-INPV-05", "status": "todo", "result": null, "items": [ { "id": "4ZkYEG6A6omxGWtKPAAyD6", "title": "WSTG-INPV-05_1", "status": "todo", "blocked": false, "checkId": "7eYOngQ5wY7uit0ZdIh0Ci", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1mkEaTA9jNwNCdQokzsLwQ", "type": "check", "title": "Testing for LDAP Injection", "description": "Identify LDAP injection points.\nAssess the severity of the injection.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/06-Testing_for_LDAP_Injection", "ref": "WSTG-INPV-06", "status": "todo", "result": null, "items": [ { "id": "3WuTb1BIreNesm1jCIV1NK", "title": "WSTG-INPV-06_1", "status": "todo", "blocked": false, "checkId": "1mkEaTA9jNwNCdQokzsLwQ", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5fmDVrUJy6Nf0TAZ8CRzxl", "type": "check", "title": "Testing for XML Injection", "description": "Identify XML 
injection points.\nAssess the types of exploits that can be attained and their severities.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/07-Testing_for_XML_Injection", "ref": "WSTG-INPV-07", "status": "todo", "result": null, "items": [ { "id": "6EjmentnnVloLM5MUDVdQp", "title": "WSTG-INPV-07_1", "status": "todo", "blocked": false, "checkId": "5fmDVrUJy6Nf0TAZ8CRzxl", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3i6GgiTQ5Ph8sWcwuz02G5", "type": "check", "title": "Testing for SSI Injection", "description": "Identify SSI injection points.\nAssess the severity of the injection.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/08-Testing_for_SSI_Injection", "ref": "WSTG-INPV-08", "status": "todo", "result": null, "items": [ { "id": "2hhzhLJ0mNyc7PnO2hPKyb", "title": "WSTG-INPV-08_1", "status": "todo", "blocked": false, "checkId": "3i6GgiTQ5Ph8sWcwuz02G5", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2r3FnbUlzALUXAkClK1BNj", "type": "check", "title": "Testing for XPath Injection", "description": "Identify XPATH injection points.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/09-Testing_for_XPath_Injection", "ref": "WSTG-INPV-09", "status": "todo", "result": null, "items": [ { "id": "5HyNNrDN6POw6aBQyQQGA9", "title": "WSTG-INPV-09_1", "status": "todo", "blocked": false, "checkId": "2r3FnbUlzALUXAkClK1BNj", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3mTvYVb2La0UviXa9UMMY3", "type": "check", "title": "Testing for IMAP SMTP Injection", "description": "Identify 
IMAP\/SMTP injection points.\nUnderstand the data flow and deployment structure of the system.\nAssess the injection impacts.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/10-Testing_for_IMAP_SMTP_Injection", "ref": "WSTG-INPV-10", "status": "todo", "result": null, "items": [ { "id": "5wsx4k6AIAKkSJN20oXUw1", "title": "WSTG-INPV-10_1", "status": "todo", "blocked": false, "checkId": "3mTvYVb2La0UviXa9UMMY3", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "13ibWn9vtJY1uNIMkjXPqU", "type": "check", "title": "Testing for Code Injection", "description": "Identify injection points where you can inject code into the application.\nAssess the injection severity.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/11-Testing_for_Code_Injection", "ref": "WSTG-INPV-11", "status": "todo", "result": null, "items": [ { "id": "1WOUTNfKRw9pRl1rseEnzc", "title": "WSTG-INPV-11_1", "status": "todo", "blocked": false, "checkId": "13ibWn9vtJY1uNIMkjXPqU", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1kYBvTjU9srpCMMlppcF1Y", "type": "check", "title": "Testing for Command Injection", "description": "Identify and assess the command injection points.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/12-Testing_for_Command_Injection", "ref": "WSTG-INPV-12", "status": "todo", "result": null, "items": [ { "id": "4WJiSGtKx4nmhLTgHvSFGd", "title": "WSTG-INPV-12_1", "status": "todo", "blocked": false, "checkId": "1kYBvTjU9srpCMMlppcF1Y", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": 
"YZd93XyXpgpBPYe9INw54", "type": "check", "title": "Testing for Buffer Overflow", "description": "This content has been removed.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/13-Testing_for_Buffer_Overflow", "ref": "WSTG-INPV-13", "status": "todo", "result": null, "items": [ { "id": "5cBdLCwIxM8FMIg3yvxKMw", "title": "WSTG-INPV-13_1", "status": "todo", "blocked": false, "checkId": "YZd93XyXpgpBPYe9INw54", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1nvAWhjd5wD7siH7keCI6w", "type": "check", "title": "Testing for Format String Injection", "description": "This content has been removed.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/13-Testing_for_Format_String_Injection", "ref": "WSTG-INPV-13", "status": "todo", "result": null, "items": [ { "id": "7RK51rifcf7Ki8yVW1cSHP", "title": "WSTG-INPV-13_1", "status": "todo", "blocked": false, "checkId": "1nvAWhjd5wD7siH7keCI6w", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4yhcCutIpnPWIFt1adcKpy", "type": "check", "title": "Testing for Incubated Vulnerability", "description": "Identify injections that are stored and require a recall step to the stored injection.\nUnderstand how a recall step could occur.\nSet listeners or activate the recall step if possible.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/14-Testing_for_Incubated_Vulnerability", "ref": "WSTG-INPV-14", "status": "todo", "result": null, "items": [ { "id": "KivZRJUcapP3JseKmz4V5", "title": "WSTG-INPV-14_1", "status": "todo", "blocked": false, "checkId": "4yhcCutIpnPWIFt1adcKpy", "rank": 1, "result": { "value": null, 
"pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "wm473WJkKTtHR3fWDiHMw", "type": "check", "title": "Testing for HTTP Splitting Smuggling", "description": "Assess if the application is vulnerable to splitting, identifying what possible attacks are achievable.\nAssess if the chain of communication is vulnerable to smuggling, identifying what possible attacks are achievable.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/15-Testing_for_HTTP_Splitting_Smuggling", "ref": "WSTG-INPV-15", "status": "todo", "result": null, "items": [ { "id": "21BIn0czicm9OPm285k23M", "title": "WSTG-INPV-15_1", "status": "todo", "blocked": false, "checkId": "wm473WJkKTtHR3fWDiHMw", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1pRC0BdLI5pNpF8e1oCkyS", "type": "check", "title": "Testing for HTTP Incoming Requests", "description": "Monitor all incoming and outgoing HTTP requests to the Web Server to inspect any suspicious requests.\nMonitor HTTP traffic without changes of end user Browser proxy or client-side application.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/16-Testing_for_HTTP_Incoming_Requests", "ref": "WSTG-INPV-16", "status": "todo", "result": null, "items": [ { "id": "2Ao9Cej6Md0hxRHLauUTOA", "title": "WSTG-INPV-16_1", "status": "todo", "blocked": false, "checkId": "1pRC0BdLI5pNpF8e1oCkyS", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4rVMw0PsEyNu50z1DR9PGx", "type": "check", "title": "Testing for Host Header Injection", "description": "Assess if the Host header is being parsed dynamically in the application.\nBypass security controls that rely on the header.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/17-Testing_for_Host_Header_Injection", "ref": "WSTG-INPV-17", "status": "todo", "result": null, "items": [ { "id": "7VhDNh0Q29oeavwhxnpO4A", "title": "WSTG-INPV-17_1", "status": "todo", "blocked": false, "checkId": "4rVMw0PsEyNu50z1DR9PGx", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5RU8dV3S0TEuUfxlP3bq60", "type": "check", "title": "Testing for Server-side Template Injection", "description": "Detect template injection vulnerability points.\nIdentify the templating engine.\nBuild the exploit.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/18-Testing_for_Server-side_Template_Injection", "ref": "WSTG-INPV-18", "status": "todo", "result": null, "items": [ { "id": "4t0STJ9Rrs4TrwELSuZtv8", "title": "WSTG-INPV-18_1", "status": "todo", "blocked": false, "checkId": "5RU8dV3S0TEuUfxlP3bq60", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "dG4UZOl06Vl5z4LMl0RcT", "type": "check", "title": "Testing for Server-Side Request Forgery", "description": "Identify SSRF injection points.\nTest if the injection points are exploitable.\nAsses the severity of the vulnerability.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/19-Testing_for_Server-Side_Request_Forgery", "ref": "WSTG-INPV-19", "status": "todo", "result": null, "items": [ { "id": "6l82t2Ga7flSsP3onOc6oK", "title": "WSTG-INPV-19_1", "status": "todo", "blocked": false, "checkId": "dG4UZOl06Vl5z4LMl0RcT", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "53YZkzP1ngDxN7hoEURBsO", 
"type": "check", "title": "Testing for Mass Assignment", "description": "Identify requests that modify objects\nAssess if it is possible to modify fields never intended to be modified from outside", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/20-Testing_for_Mass_Assignment", "ref": "WSTG-INPV-20", "status": "todo", "result": null, "items": [ { "id": "1xIkQ7qcFUjj6jh0u2skgz", "title": "WSTG-INPV-20_1", "status": "todo", "blocked": false, "checkId": "53YZkzP1ngDxN7hoEURBsO", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Testing for Error Handling", "items": [ { "id": "4bopUtbUPg4ty6c5q35Ii3", "type": "check", "title": "Testing for Improper Error Handling", "description": "Identify existing error output.\nAnalyze the different output returned.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/08-Testing_for_Error_Handling\/01-Testing_For_Improper_Error_Handling", "ref": "WSTG-ERRH-01", "status": "todo", "result": null, "items": [ { "id": "45b0hNQekFsP8K0Zea7Nos", "title": "WSTG-ERRH-01_1", "status": "todo", "blocked": false, "checkId": "4bopUtbUPg4ty6c5q35Ii3", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2iGa5OEPafEsDUHeo6BFFu", "type": "check", "title": "Testing for Stack Traces", "description": "This content has been merged into: Testing for Improper Error Handling.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/08-Testing_for_Error_Handling\/02-Testing_for_Stack_Traces", "ref": "WSTG-ERRH-02", "status": "todo", "result": null, "items": [ { "id": "4SKZ0yDIk0Q5nhQhPIOMrV", "title": "WSTG-ERRH-02_1", "status": "todo", "blocked": false, "checkId": 
"2iGa5OEPafEsDUHeo6BFFu", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Testing for Weak Cryptography", "items": [ { "id": "7KxQtDqOY6NXmNXjiiBNtp", "type": "check", "title": "Testing for Weak Transport Layer Security", "description": "Validate the service configuration.\nReview the digital certificate's cryptographic strength and validity.\nEnsure that the TLS security is not bypassable and is properly implemented across the application.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/09-Testing_for_Weak_Cryptography\/01-Testing_for_Weak_Transport_Layer_Security", "ref": "WSTG-CRYP-01", "status": "todo", "result": null, "items": [ { "id": "3JUiNrRlcpeonk9QyY5CHH", "title": "WSTG-CRYP-01_1", "status": "todo", "blocked": false, "checkId": "7KxQtDqOY6NXmNXjiiBNtp", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "vPZr2AP0dY367WonUz6Wy", "type": "check", "title": "Testing for Padding Oracle", "description": "Identify encrypted messages that rely on padding.\nAttempt to break the padding of the encrypted messages and analyze the returned error messages for further analysis.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/09-Testing_for_Weak_Cryptography\/02-Testing_for_Padding_Oracle", "ref": "WSTG-CRYP-02", "status": "todo", "result": null, "items": [ { "id": "1k62tW6pzvelkCTmWCgbkn", "title": "WSTG-CRYP-02_1", "status": "todo", "blocked": false, "checkId": "vPZr2AP0dY367WonUz6Wy", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "7XMTzVShk1PWUZvvqnJVu7", "type": "check", "title": "Testing for Sensitive Information Sent via Unencrypted Channels", "description": "Identify sensitive information 
transmitted through the various channels.\nAssess the privacy and security of the channels used.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/09-Testing_for_Weak_Cryptography\/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels", "ref": "WSTG-CRYP-03", "status": "todo", "result": null, "items": [ { "id": "4nZHRDTrboacqHEWDljoLq", "title": "WSTG-CRYP-03_1", "status": "todo", "blocked": false, "checkId": "7XMTzVShk1PWUZvvqnJVu7", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2lS9DXA6cpcMwYNytq0oEU", "type": "check", "title": "Testing for Weak Encryption", "description": "Provide a guideline for the identification weak encryption or hashing uses and implementations.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/09-Testing_for_Weak_Cryptography\/04-Testing_for_Weak_Encryption", "ref": "WSTG-CRYP-04", "status": "todo", "result": null, "items": [ { "id": "5KWbMxAYLzqExNuhU9x6lp", "title": "WSTG-CRYP-04_1", "status": "todo", "blocked": false, "checkId": "2lS9DXA6cpcMwYNytq0oEU", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Business Logic Testing", "items": [ { "id": "21Mw4d26XHFtsIJyaqyHYn", "type": "check", "title": "Test Business Logic Data Validation", "description": "Identify data injection points.\nValidate that all checks are occurring on the backend and can't be bypassed.\nAttempt to break the format of the expected data and analyze how the application is handling it.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/01-Test_Business_Logic_Data_Validation", "ref": "WSTG-BUSL-01", "status": "todo", "result": null, "items": [ { "id": 
"2DpYFvHDe7q4m00NgJ535o", "title": "WSTG-BUSL-01_1", "status": "todo", "blocked": false, "checkId": "21Mw4d26XHFtsIJyaqyHYn", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4rM1ah8usPRgCMY0P8anQ7", "type": "check", "title": "Test Ability to Forge Requests", "description": "Review the project documentation looking for guessable, predictable, or hidden functionality of fields.\nInsert logically valid data in order to bypass normal business logic workflow.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/02-Test_Ability_to_Forge_Requests", "ref": "WSTG-BUSL-02", "status": "todo", "result": null, "items": [ { "id": "385OFn4w42yUq7Laof1VIV", "title": "WSTG-BUSL-02_1", "status": "todo", "blocked": false, "checkId": "4rM1ah8usPRgCMY0P8anQ7", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2P8Dho2qZdBA6VBdSCkVqM", "type": "check", "title": "Test Integrity Checks", "description": "Review the project documentation for components of the system that move, store, or handle data.\nDetermine what type of data is logically acceptable by the component and what types the system should guard against.\nDetermine who should be allowed to modify or read that data in each component.\nAttempt to insert, update, or delete data values used by each component that should not be allowed per the business logic workflow.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/03-Test_Integrity_Checks", "ref": "WSTG-BUSL-03", "status": "todo", "result": null, "items": [ { "id": "2s623svdzf8TlrcwH00xut", "title": "WSTG-BUSL-03_1", "status": "todo", "blocked": false, "checkId": "2P8Dho2qZdBA6VBdSCkVqM", "rank": 1, "result": { "value": null, "pocAvailable": false, 
"countReportsLinked": 0 }, "assignee": null } ] }, { "id": "KtwC0Ks7ck6AhU73nlYLq", "type": "check", "title": "Test for Process Timing", "description": "Review the project documentation for system functionality that may be impacted by time.\nDevelop and execute misuse cases.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/04-Test_for_Process_Timing", "ref": "WSTG-BUSL-04", "status": "todo", "result": null, "items": [ { "id": "60vDYt58br97iARGidh7u4", "title": "WSTG-BUSL-04_1", "status": "todo", "blocked": false, "checkId": "KtwC0Ks7ck6AhU73nlYLq", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4oSDHl2bD0Cs9dIP6tZZZ8", "type": "check", "title": "Test Number of Times a Function Can Be Used Limits", "description": "Identify functions that must set limits to the times they can be called.\nAssess if there is a logical limit set on the functions and if it is properly validated.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/05-Test_Number_of_Times_a_Function_Can_Be_Used_Limits", "ref": "WSTG-BUSL-05", "status": "todo", "result": null, "items": [ { "id": "4n1KTq5vy2Qgu3h2EDKtpt", "title": "WSTG-BUSL-05_1", "status": "todo", "blocked": false, "checkId": "4oSDHl2bD0Cs9dIP6tZZZ8", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3J4uprRMySV4c4FeYlOqKX", "type": "check", "title": "Testing for the Circumvention of Work Flows", "description": "Review the project documentation for methods to skip or go through steps in the application process in a different order from the intended business logic flow.\nDevelop a misuse case and try to circumvent every logic flow identified.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/06-Testing_for_the_Circumvention_of_Work_Flows", "ref": "WSTG-BUSL-06", "status": "todo", "result": null, "items": [ { "id": "14kdeb1KhJ13SJa4TeaGj9", "title": "WSTG-BUSL-06_1", "status": "todo", "blocked": false, "checkId": "3J4uprRMySV4c4FeYlOqKX", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6SAuC5xy2fiI14CzaD21b7", "type": "check", "title": "Test Defenses Against Application Misuse", "description": "Generate notes from all tests conducted against the system.\nReview which tests had a different functionality based on aggressive input.\nUnderstand the defenses in place and verify if they are enough to protect the system against bypassing techniques.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/07-Test_Defenses_Against_Application_Misuse", "ref": "WSTG-BUSL-07", "status": "todo", "result": null, "items": [ { "id": "4VK5QYmQT4SzXutH6DdUX7", "title": "WSTG-BUSL-07_1", "status": "todo", "blocked": false, "checkId": "6SAuC5xy2fiI14CzaD21b7", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2Ymftbn0VoP4rnUIJbxzB8", "type": "check", "title": "Test Upload of Unexpected File Types", "description": "Review the project documentation for file types that are rejected by the system.\nVerify that the unwelcomed file types are rejected and handled safely.\nVerify that file batch uploads are secure and do not allow any bypass against the set security measures.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/08-Test_Upload_of_Unexpected_File_Types", "ref": "WSTG-BUSL-08", "status": "todo", "result": null, "items": [ 
{ "id": "CbX9Ugfz6eBXxwV0XQMVR", "title": "WSTG-BUSL-08_1", "status": "todo", "blocked": false, "checkId": "2Ymftbn0VoP4rnUIJbxzB8", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "7LY159B7popyyO4p9bB8vs", "type": "check", "title": "Test Upload of Malicious Files", "description": "Identify the file upload functionality.\nReview the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious.\nIf documentation is not available then consider what would be appropriate based on the purpose of the application.\nDetermine how the uploaded files are processed.\nObtain or create a set of malicious files for testing.\nTry to upload the malicious files to the application and determine whether it is accepted and processed.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/09-Test_Upload_of_Malicious_Files", "ref": "WSTG-BUSL-09", "status": "todo", "result": null, "items": [ { "id": "4pauBNI8jOat7YUkSusxEL", "title": "WSTG-BUSL-09_1", "status": "todo", "blocked": false, "checkId": "7LY159B7popyyO4p9bB8vs", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1pfZVCtGpKVVNGQd6ngrpC", "type": "check", "title": "Test Payment Functionality", "description": "Determine whether the business logic for the e-commerce functionality is robust.\nUnderstand how the payment functionality works.\nDetermine whether the payment functionality is secure.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/10-Test-Payment-Functionality", "ref": "WSTG-BUSL-10", "status": "todo", "result": null, "items": [ { "id": "1OXfJCITRr99TWrID9Ru0E", "title": "WSTG-BUSL-10_1", "status": "todo", "blocked": false, 
"checkId": "1pfZVCtGpKVVNGQd6ngrpC", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Client-side Testing", "items": [ { "id": "5QStfbuzhpUHhJkjHV9pqO", "type": "check", "title": "Testing for DOM-Based Cross Site Scripting", "description": "Identify DOM sinks.\nBuild payloads that pertain to every sink type.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/01-Testing_for_DOM-based_Cross_Site_Scripting", "ref": "WSTG-CLNT-01", "status": "todo", "result": null, "items": [ { "id": "15pBn6slFuLq1ej971I3I3", "title": "WSTG-CLNT-01_1", "status": "todo", "blocked": false, "checkId": "5QStfbuzhpUHhJkjHV9pqO", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2WyCI1HI9pAe7KNGhsMzYE", "type": "check", "title": "Testing for JavaScript Execution", "description": "Identify sinks and possible JavaScript injection points.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/02-Testing_for_JavaScript_Execution", "ref": "WSTG-CLNT-02", "status": "todo", "result": null, "items": [ { "id": "2dmkJ7KNyY8kGtrELjOTwI", "title": "WSTG-CLNT-02_1", "status": "todo", "blocked": false, "checkId": "2WyCI1HI9pAe7KNGhsMzYE", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "332prvQE5Ik09A8bbrR9kG", "type": "check", "title": "Testing for HTML Injection", "description": "Identify HTML injection points and assess the severity of the injected content.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/03-Testing_for_HTML_Injection", "ref": "WSTG-CLNT-03", "status": "todo", "result": null, "items": [ { 
"id": "3y2t8CFMuQ814tmcwhGEEm", "title": "WSTG-CLNT-03_1", "status": "todo", "blocked": false, "checkId": "332prvQE5Ik09A8bbrR9kG", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3EJBfwCFLfYClrlvaOLFXU", "type": "check", "title": "Testing for Client-side URL Redirect", "description": "Identify injection points that handle URLs or paths.\nAssess the locations that the system could redirect to.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/04-Testing_for_Client-side_URL_Redirect", "ref": "WSTG-CLNT-04", "status": "todo", "result": null, "items": [ { "id": "2APcphDhH1NsWH0qeeacQJ", "title": "WSTG-CLNT-04_1", "status": "todo", "blocked": false, "checkId": "3EJBfwCFLfYClrlvaOLFXU", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6ZXLMOZLfE0kNTZTDDDMpl", "type": "check", "title": "Testing for CSS Injection", "description": "Identify CSS injection points.\nAssess the impact of the injection.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/05-Testing_for_CSS_Injection", "ref": "WSTG-CLNT-05", "status": "todo", "result": null, "items": [ { "id": "1csgrhybCJiARVAHgsEk37", "title": "WSTG-CLNT-05_1", "status": "todo", "blocked": false, "checkId": "6ZXLMOZLfE0kNTZTDDDMpl", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4YaL5BBlTsUewEJCv72HRe", "type": "check", "title": "Testing for Client-side Resource Manipulation", "description": "Identify sinks with weak input validation.\nAssess the impact of the resource manipulation.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/06-Testing_for_Client-side_Resource_Manipulation", "ref": "WSTG-CLNT-06", "status": "todo", "result": null, "items": [ { "id": "6D8kqEip6PBxPfFzQ4RcZ4", "title": "WSTG-CLNT-06_1", "status": "todo", "blocked": false, "checkId": "4YaL5BBlTsUewEJCv72HRe", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5gkWLwQ1p8ZDAHK1dc2qAD", "type": "check", "title": "Testing Cross Origin Resource Sharing", "description": "Identify endpoints that implement CORS.\nEnsure that the CORS configuration is secure or harmless.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/07-Testing_Cross_Origin_Resource_Sharing", "ref": "WSTG-CLNT-07", "status": "todo", "result": null, "items": [ { "id": "YmkWwQNetd6bVXJgIyPDs", "title": "WSTG-CLNT-07_1", "status": "todo", "blocked": false, "checkId": "5gkWLwQ1p8ZDAHK1dc2qAD", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "23I4IIQUvXW9X3QgVfMtTI", "type": "check", "title": "Testing for Cross Site Flashing", "description": "Decompile and analyze the application's code.\nAssess sinks inputs and unsafe method usages.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/08-Testing_for_Cross_Site_Flashing", "ref": "WSTG-CLNT-08", "status": "todo", "result": null, "items": [ { "id": "6huqD8NAe1KMi3PLjsUUYu", "title": "WSTG-CLNT-08_1", "status": "todo", "blocked": false, "checkId": "23I4IIQUvXW9X3QgVfMtTI", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4eWP8KkUGMcKqsir0ezeIK", "type": "check", "title": "Testing for Clickjacking", 
"description": "Understand security measures in place.\nAssess how strict the security measures are and if they are bypassable.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/09-Testing_for_Clickjacking", "ref": "WSTG-CLNT-09", "status": "todo", "result": null, "items": [ { "id": "1OFpdQa0qTRilgl3pvTKX", "title": "WSTG-CLNT-09_1", "status": "todo", "blocked": false, "checkId": "4eWP8KkUGMcKqsir0ezeIK", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6941wk5NOVOXIpZ67OW7xC", "type": "check", "title": "Testing WebSockets", "description": "Identify the usage of WebSockets.\nAssess its implementation by using the same tests on normal HTTP channels.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/10-Testing_WebSockets", "ref": "WSTG-CLNT-10", "status": "todo", "result": null, "items": [ { "id": "1zHGqQPo2ScBoWwSqeQ4Pt", "title": "WSTG-CLNT-10_1", "status": "todo", "blocked": false, "checkId": "6941wk5NOVOXIpZ67OW7xC", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "7ReAhcWedaGxfsWjUavUvL", "type": "check", "title": "Testing Web Messaging", "description": "Assess the security of the message's origin.\nValidate that it's using safe methods and validating its input.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/11-Testing_Web_Messaging", "ref": "WSTG-CLNT-11", "status": "todo", "result": null, "items": [ { "id": "lngZtPGZKOic4VpIGJx7V", "title": "WSTG-CLNT-11_1", "status": "todo", "blocked": false, "checkId": "7ReAhcWedaGxfsWjUavUvL", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": 
"2MgvrcASrKvzqp8b9NMBIU", "type": "check", "title": "Testing Browser Storage", "description": "Determine whether the website is storing sensitive data in client-side storage.\nThe code handling of the storage objects should be examined for possibilities of injection attacks, such as utilizing unvalidated input or vulnerable libraries.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/12-Testing_Browser_Storage", "ref": "WSTG-CLNT-12", "status": "todo", "result": null, "items": [ { "id": "3UDmiG2YyXZ3qHPjJZVrCD", "title": "WSTG-CLNT-12_1", "status": "todo", "blocked": false, "checkId": "2MgvrcASrKvzqp8b9NMBIU", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "53cqp0WizP5UcD6y9aEy2T", "type": "check", "title": "Testing for Cross Site Script Inclusion", "description": "Locate sensitive data across the system.\nAssess the leakage of sensitive data through various techniques.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/13-Testing_for_Cross_Site_Script_Inclusion", "ref": "WSTG-CLNT-13", "status": "todo", "result": null, "items": [ { "id": "2swWlnHwBxYnApxwqPaFia", "title": "WSTG-CLNT-13_1", "status": "todo", "blocked": false, "checkId": "53cqp0WizP5UcD6y9aEy2T", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3l1QbxBui2hkNi4QDQLvCR", "type": "check", "title": "Testing for Reverse Tabnabbing", "description": "Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page by exploiting the \u201ctarget\u201d attribute in <a> tag.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/14-Testing_for_Reverse_Tabnabbing", "ref": 
"WSTG-CLNT-14", "status": "todo", "result": null, "items": [ { "id": "4fhAHWZLVgyuIedTDf4hYs", "title": "WSTG-CLNT-14_1", "status": "todo", "blocked": false, "checkId": "3l1QbxBui2hkNi4QDQLvCR", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "API Testing", "items": [ { "id": "5urrLsUSpEdS04mnHAm2SE", "type": "check", "title": "Testing GraphQL", "description": "Assess that a secure and production-ready configuration is deployed.\nValidate all input fields against generic attacks.\nEnsure that proper access controls are applied.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/12-API_Testing\/01-Testing_GraphQL", "ref": "WSTG-APIT-01", "status": "todo", "result": null, "items": [ { "id": "5XLTnHgsMq7qoi1SX66LAx", "title": "WSTG-APIT-01_1", "status": "todo", "blocked": false, "checkId": "5urrLsUSpEdS04mnHAm2SE", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] } ] }

const target = '4JdxRNU76DFKaSXnWFjhJY'

// Recursively flattens the checklist tree into one object keyed by id.
// A node that has its own `items` is not indexed itself, only its descendants are.
// Every step spreads the accumulator into a fresh object, so the work per step
// grows with the number of nodes already collected.
const transform = (arr) => {
  return arr.reduce((acc, element) => {
    if (element.items) {
      return { ...acc, ...transform(element.items) }
    }
    return { ...acc, ...{ [element.id]: element } }
  }, {})
}

// Look up the leaf item by id in the flattened index.
const result = transform(data.items)[target]
flatMAp
const data = { "id": "QL1XLymWE3w2iZA3E2xuj", "title": "OWASP - Web Testing Checklist", "description": "This checklist is based on OWASP Testing Guide and it includes a \u201clow level\u201d penetration testing guide that describes techniques for testing most common web application security issues and security checks to make sure that all vulnerability types are covered.", "closedAt": null, "blocked": false, "items": [ { "type": "category", "title": "Information Gathering", "items": [ { "id": "60IhvL7GNb7ncIiAHggnKw", "type": "check", "title": "Conduct Search Engine Discovery Reconnaissance for Information Leakage", "description": "Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization's site) or indirectly (via third-party services).", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage", "ref": "WSTG-INFO-01", "status": "todo", "result": "not_applicable", "items": [ { "id": "4JdxRNU76DFKaSXnWFjhJY", "title": "WSTG-INFO-01_1", "status": "todo", "blocked": false, "checkId": "60IhvL7GNb7ncIiAHggnKw", "rank": 1, "result": { "value": "not_applicable", "pocAvailable": true, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "D8sbZ9ZyPV0XBMuFteGA3", "type": "check", "title": "Fingerprint Web Server", "description": "Determine the version and type of a running web server to enable further discovery of any known vulnerabilities.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/02-Fingerprint_Web_Server", "ref": "WSTG-INFO-02", "status": "in_progress", "result": "passed", "items": [ { "id": "7bQsKf09hYpLewyd9AJ2DU", "title": "WSTG-INFO-02_1", "status": "in_progress", "blocked": false, "checkId": "D8sbZ9ZyPV0XBMuFteGA3", 
"rank": 1, "result": { "value": "passed", "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5o88WI5Mi8i8LrNpeswgT1", "type": "check", "title": "Review Webserver Metafiles for Information Leakage", "description": "Identify hidden or obfuscated paths and functionality through the analysis of metadata files.\nExtract and map other information that could lead to a better understanding of the systems at hand.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/03-Review_Webserver_Metafiles_for_Information_Leakage", "ref": "WSTG-INFO-03", "status": "todo", "result": null, "items": [ { "id": "2kMilDrKI7e8J1e5I2Pns8", "title": "WSTG-INFO-03_1", "status": "todo", "blocked": false, "checkId": "5o88WI5Mi8i8LrNpeswgT1", "rank": 1, "result": { "value": null, "pocAvailable": true, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "n2ZEU007Pk6LVenGfVK6t", "type": "check", "title": "Enumerate Applications on Webserver", "description": "Enumerate the applications within the scope that exist on a web server.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/04-Enumerate_Applications_on_Webserver", "ref": "WSTG-INFO-04", "status": "in_progress", "result": "passed", "items": [ { "id": "7jEoKyq90H2gwd35uisI7I", "title": "WSTG-INFO-04_1", "status": "in_progress", "blocked": false, "checkId": "n2ZEU007Pk6LVenGfVK6t", "rank": 1, "result": { "value": "passed", "pocAvailable": false, "countReportsLinked": 1 }, "assignee": null } ] }, { "id": "6RZObp1xGpzu6r04QKf6xm", "type": "check", "title": "Review Web Page Content for Information Leakage", "description": "Review web page comments, metadata, and redirect bodies to find any information leakage.\nGather JavaScript files and review the JS code to better understand the application and to find any information 
leakage.\nIdentify if source map files or other frontend debug files exist.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/05-Review_Web_Page_Content_for_Information_Leakage", "ref": "WSTG-INFO-05", "status": "todo", "result": null, "items": [ { "id": "3QOYjEM9dhVgvAClWtmdd7", "title": "WSTG-INFO-05_1", "status": "todo", "blocked": false, "checkId": "6RZObp1xGpzu6r04QKf6xm", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6yI5X56LROrnR4WdlA2JoH", "type": "check", "title": "Identify Application Entry Points", "description": "Identify possible entry and injection points through request and response analysis.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/06-Identify_Application_Entry_Points", "ref": "WSTG-INFO-06", "status": "todo", "result": null, "items": [ { "id": "33rLMf2XGsZi5bQRnXmfxO", "title": "WSTG-INFO-06_1", "status": "todo", "blocked": false, "checkId": "6yI5X56LROrnR4WdlA2JoH", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5b7NEhm2YGqAdDNxKaRwwZ", "type": "check", "title": "Map Execution Paths Through Application", "description": "Map the target application and understand the principal workflows.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/07-Map_Execution_Paths_Through_Application", "ref": "WSTG-INFO-07", "status": "in_progress", "result": null, "items": [ { "id": "25OEzXB6IDLtQacQ2QYOG2", "title": "WSTG-INFO-07_1", "status": "in_progress", "blocked": false, "checkId": "5b7NEhm2YGqAdDNxKaRwwZ", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": 
"36V7iywjArebMqqUdvH43b", "type": "check", "title": "Fingerprint Web Application Framework", "description": "Fingerprint the components used by the web applications.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/08-Fingerprint_Web_Application_Framework", "ref": "WSTG-INFO-08", "status": "todo", "result": null, "items": [ { "id": "5L0lCZ0ol11TMyrYkBk0Rg", "title": "WSTG-INFO-08_1", "status": "todo", "blocked": false, "checkId": "36V7iywjArebMqqUdvH43b", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3gxL1FKjQLNyRF0330t4NP", "type": "check", "title": "Fingerprint Web Application", "description": "This content has been merged into: Fingerprint Web Application Framework.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/09-Fingerprint_Web_Application", "ref": "WSTG-INFO-09", "status": "todo", "result": null, "items": [ { "id": "Vg7KS9CaG3Bu3YQxCvEiy", "title": "WSTG-INFO-09_1", "status": "todo", "blocked": false, "checkId": "3gxL1FKjQLNyRF0330t4NP", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5PfskJykrZOacFLTXRxGsN", "type": "check", "title": "Map Application Architecture", "description": "Understand the architecture of the application and the technologies in use.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/01-Information_Gathering\/10-Map_Application_Architecture", "ref": "WSTG-INFO-10", "status": "todo", "result": null, "items": [ { "id": "3Ud2O7Sw2Jeido96jrHrcS", "title": "WSTG-INFO-10_1", "status": "todo", "blocked": false, "checkId": "5PfskJykrZOacFLTXRxGsN", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": 
null } ] } ] }, { "type": "category", "title": "Configuration and Deployment Management Testing", "items": [ { "id": "5GCIJ9e1sLsR2RgZ35z7bB", "type": "check", "title": "Test Network Infrastructure Configuration", "description": "Review the applications' configurations set across the network and validate that they are not vulnerable.\nValidate that used frameworks and systems are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/01-Test_Network_Infrastructure_Configuration", "ref": "WSTG-CONF-01", "status": "todo", "result": null, "items": [ { "id": "59UELnjAJ2ExVgK3GQ0yl8", "title": "WSTG-CONF-01_1", "status": "todo", "blocked": false, "checkId": "5GCIJ9e1sLsR2RgZ35z7bB", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "CDumZOXap3geS55l2enVJ", "type": "check", "title": "Test Application Platform Configuration", "description": "Ensure that default and known files have been removed.\nValidate that no debugging code or extensions are left in the production environments.\nReview the logging mechanisms set in place for the application.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/02-Test_Application_Platform_Configuration", "ref": "WSTG-CONF-02", "status": "todo", "result": null, "items": [ { "id": "efE7wJz63l6gxZ2UeqFe", "title": "WSTG-CONF-02_1", "status": "todo", "blocked": false, "checkId": "CDumZOXap3geS55l2enVJ", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3KYbvT3gszflgHGolJ7pgA", "type": "check", "title": "Test File Extensions Handling for Sensitive Information", 
"description": "Brute force sensitive file extensions that might contain raw data such as scripts, credentials, etc.\nValidate that no system framework bypasses exist for the rules that have been set", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/03-Test_File_Extensions_Handling_for_Sensitive_Information", "ref": "WSTG-CONF-03", "status": "todo", "result": null, "items": [ { "id": "7g7gR1u9qt5S4RxCkMl4Js", "title": "WSTG-CONF-03_1", "status": "todo", "blocked": false, "checkId": "3KYbvT3gszflgHGolJ7pgA", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3Wtw2lAqUobXJmdGwgI9L7", "type": "check", "title": "Review Old Backup and Unreferenced Files for Sensitive Information", "description": "Find and analyse unreferenced files that might contain sensitive information.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information", "ref": "WSTG-CONF-04", "status": "todo", "result": null, "items": [ { "id": "MCcUuYYbv9HOWcwuRgcSp", "title": "WSTG-CONF-04_1", "status": "todo", "blocked": false, "checkId": "3Wtw2lAqUobXJmdGwgI9L7", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5OiGRBdKAYA8mx1C0ujSbY", "type": "check", "title": "Enumerate Infrastructure and Application Admin Interfaces", "description": "Identify hidden administrator interfaces and functionality.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces", "ref": "WSTG-CONF-05", "status": "todo", "result": 
null, "items": [ { "id": "49wSaNlZ0mG0xUhG0mdIYS", "title": "WSTG-CONF-05_1", "status": "todo", "blocked": false, "checkId": "5OiGRBdKAYA8mx1C0ujSbY", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2RMYRFOab1o2YyAVcMiQww", "type": "check", "title": "Test HTTP Methods", "description": "Enumerate supported HTTP methods.\nTest for access control bypass.\nTest HTTP method overriding techniques.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/06-Test_HTTP_Methods", "ref": "WSTG-CONF-06", "status": "todo", "result": null, "items": [ { "id": "7lyHqDp8L6FA58Tr3eNn14", "title": "WSTG-CONF-06_1", "status": "todo", "blocked": false, "checkId": "2RMYRFOab1o2YyAVcMiQww", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6zUldnSr1l1wpRfARNivhC", "type": "check", "title": "Test HTTP Strict Transport Security", "description": "Review the HSTS header and its validity.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/07-Test_HTTP_Strict_Transport_Security", "ref": "WSTG-CONF-07", "status": "todo", "result": null, "items": [ { "id": "7Z91tdcfOB941bm3Iwk01T", "title": "WSTG-CONF-07_1", "status": "todo", "blocked": false, "checkId": "6zUldnSr1l1wpRfARNivhC", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "L9tbrygzgj5Mk9hH246Jd", "type": "check", "title": "Test RIA Cross Domain Policy", "description": "This content has been removed.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/08-Test_RIA_Cross_Domain_Policy", "ref": 
"WSTG-CONF-08", "status": "todo", "result": null, "items": [ { "id": "6ctaUBLDyfbxVasXTkPH78", "title": "WSTG-CONF-08_1", "status": "todo", "blocked": false, "checkId": "L9tbrygzgj5Mk9hH246Jd", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2XZJlyC2jeqdWwagfTkFzN", "type": "check", "title": "Test File Permission", "description": "Review and identify any rogue file permissions.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/09-Test_File_Permission", "ref": "WSTG-CONF-09", "status": "todo", "result": null, "items": [ { "id": "3s9kdE7UiZrj6sHfHoqIVr", "title": "WSTG-CONF-09_1", "status": "todo", "blocked": false, "checkId": "2XZJlyC2jeqdWwagfTkFzN", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1IjEfNbjOg443fqUSokpMh", "type": "check", "title": "Test for Subdomain Takeover", "description": "Enumerate all possible domains (previous and current).\nIdentify forgotten or misconfigured domains.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/10-Test_for_Subdomain_Takeover", "ref": "WSTG-CONF-10", "status": "todo", "result": null, "items": [ { "id": "32olG8CiL62AjAEtL8vZH", "title": "WSTG-CONF-10_1", "status": "todo", "blocked": false, "checkId": "1IjEfNbjOg443fqUSokpMh", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5NZCLypAPwxnu97Wop0iVs", "type": "check", "title": "Test Cloud Storage", "description": "Assess that the access control configuration for the storage services is properly in place.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/11-Test_Cloud_Storage", "ref": "WSTG-CONF-11", "status": "todo", "result": null, "items": [ { "id": "3KJeKynYf5jsvNc6v2viRD", "title": "WSTG-CONF-11_1", "status": "todo", "blocked": false, "checkId": "5NZCLypAPwxnu97Wop0iVs", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3aE9FmI43OqwtTFEfO4yID", "type": "check", "title": "Testing for Content Security Policy", "description": "Review the Content-Security-Policy header or meta element to identify misconfigurations.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/12-Test_for_Content_Security_Policy", "ref": "WSTG-CONF-12", "status": "todo", "result": null, "items": [ { "id": "110wDlUJvBSEqlUys4d0Uy", "title": "WSTG-CONF-12_1", "status": "todo", "blocked": false, "checkId": "3aE9FmI43OqwtTFEfO4yID", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "7Xjd3PHoQ6vQzLhdPZEI3k", "type": "check", "title": "Test Path Confusion", "description": "Make sure application paths are configured correctly.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/02-Configuration_and_Deployment_Management_Testing\/13-Test_for_Path_Confusion", "ref": "WSTG-CONF-13", "status": "todo", "result": null, "items": [ { "id": "3m612bu8eieOALBBlkPahO", "title": "WSTG-CONF-13_1", "status": "todo", "blocked": false, "checkId": "7Xjd3PHoQ6vQzLhdPZEI3k", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Identity Management Testing", "items": [ { "id": "drQ5Yu2Kan1wlnQ38qZsG", 
"type": "check", "title": "Test Role Definitions", "description": "Identify and document roles used by the application.\nAttempt to switch, change, or access another role.\nReview the granularity of the roles and the needs behind the permissions given.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/03-Identity_Management_Testing\/01-Test_Role_Definitions", "ref": "WSTG-IDNT-01", "status": "todo", "result": null, "items": [ { "id": "52OOCa00CZbVNmoD10tvsW", "title": "WSTG-IDNT-01_1", "status": "todo", "blocked": false, "checkId": "drQ5Yu2Kan1wlnQ38qZsG", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4g4dnhqCgKfmaOj9cbSnSS", "type": "check", "title": "Test User Registration Process", "description": "Verify that the identity requirements for user registration are aligned with business and security requirements.\nValidate the registration process.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/03-Identity_Management_Testing\/02-Test_User_Registration_Process", "ref": "WSTG-IDNT-02", "status": "todo", "result": null, "items": [ { "id": "2mM66KPoiHm3mkmMAtNn7P", "title": "WSTG-IDNT-02_1", "status": "todo", "blocked": false, "checkId": "4g4dnhqCgKfmaOj9cbSnSS", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2IovKxTrS96tUJrzYnzGp2", "type": "check", "title": "Test Account Provisioning Process", "description": "Verify which accounts may provision other accounts and of what type.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/03-Identity_Management_Testing\/03-Test_Account_Provisioning_Process", "ref": "WSTG-IDNT-03", "status": "todo", "result": null, "items": [ { "id": "5ABN63Go0d9XXrNX8XFNJp", "title": "WSTG-IDNT-03_1", 
"status": "todo", "blocked": false, "checkId": "2IovKxTrS96tUJrzYnzGp2", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1uN0PaIOFyLjHWRrzoAnFy", "type": "check", "title": "Testing for Account Enumeration and Guessable User Account", "description": "Review processes that pertain to user identification (*e.g.* registration, login, etc.).\nEnumerate users where possible through response analysis.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/03-Identity_Management_Testing\/04-Testing_for_Account_Enumeration_and_Guessable_User_Account", "ref": "WSTG-IDNT-04", "status": "todo", "result": null, "items": [ { "id": "5Ec2gyQV6fnSXLXOBm6R9D", "title": "WSTG-IDNT-04_1", "status": "todo", "blocked": false, "checkId": "1uN0PaIOFyLjHWRrzoAnFy", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3X6uM3I2DEptyZOptB5EAI", "type": "check", "title": "Testing for Weak or Unenforced Username Policy", "description": "Determine whether a consistent account name structure renders the application vulnerable to account enumeration.\nDetermine whether the application's error messages permit account enumeration.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/03-Identity_Management_Testing\/05-Testing_for_Weak_or_Unenforced_Username_Policy", "ref": "WSTG-IDNT-05", "status": "todo", "result": null, "items": [ { "id": "3pLtPKyjeUvDZKaSakCYTB", "title": "WSTG-IDNT-05_1", "status": "todo", "blocked": false, "checkId": "3X6uM3I2DEptyZOptB5EAI", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Authentication Testing", "items": [ { "id": "3SQpNg4NHDDDKTk6YFNBef", "type": "check", "title": "Testing for Credentials Transported 
over an Encrypted Channel", "description": "This content has been merged into: Testing for Sensitive Information Sent via Unencrypted Channels.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel", "ref": "WSTG-ATHN-01", "status": "todo", "result": null, "items": [ { "id": "5yecoDeBWQirx6VW7D8rYT", "title": "WSTG-ATHN-01_1", "status": "todo", "blocked": false, "checkId": "3SQpNg4NHDDDKTk6YFNBef", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2JfMZ2f7B9Qf5OBVgAknhe", "type": "check", "title": "Testing for Default Credentials", "description": "Determine whether the application has any user accounts with default passwords.\nReview whether new user accounts are created with weak or predictable passwords.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/02-Testing_for_Default_Credentials", "ref": "WSTG-ATHN-02", "status": "todo", "result": null, "items": [ { "id": "3KKJ0yH06LgCbgdnRIxdmQ", "title": "WSTG-ATHN-02_1", "status": "todo", "blocked": false, "checkId": "2JfMZ2f7B9Qf5OBVgAknhe", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "lz428xqsQm9r8ZJfvvytI", "type": "check", "title": "Testing for Weak Lock Out Mechanism", "description": "Evaluate the account lockout mechanism's ability to mitigate brute force password guessing.\nEvaluate the unlock mechanism's resistance to unauthorized account unlocking.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/03-Testing_for_Weak_Lock_Out_Mechanism", "ref": "WSTG-ATHN-03", "status": "todo", "result": null, "items": [ { "id": 
"aBoTcnBPqwRTBUnULTZuT", "title": "WSTG-ATHN-03_1", "status": "todo", "blocked": false, "checkId": "lz428xqsQm9r8ZJfvvytI", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "333kZwu4PvfGkR6uX0JfHc", "type": "check", "title": "Testing for Bypassing Authentication Schema", "description": "Ensure that authentication is applied across all services that require it.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/04-Testing_for_Bypassing_Authentication_Schema", "ref": "WSTG-ATHN-04", "status": "todo", "result": null, "items": [ { "id": "1dGaCYnspuzlYe5U9NUGAE", "title": "WSTG-ATHN-04_1", "status": "todo", "blocked": false, "checkId": "333kZwu4PvfGkR6uX0JfHc", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "66dm3iYXMkGTCKhxistE4k", "type": "check", "title": "Testing for Vulnerable Remember Password", "description": "Validate that the generated session is managed securely and do not put the user's credentials in danger.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/05-Testing_for_Vulnerable_Remember_Password", "ref": "WSTG-ATHN-05", "status": "todo", "result": null, "items": [ { "id": "3y1fiPSnTqdO13YwaDmyat", "title": "WSTG-ATHN-05_1", "status": "todo", "blocked": false, "checkId": "66dm3iYXMkGTCKhxistE4k", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "20TXwBCgKd9si6D0O0mbCk", "type": "check", "title": "Testing for Browser Cache Weaknesses", "description": "Review if the application stores sensitive information on the client-side.\nReview if access can occur without authorization.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/06-Testing_for_Browser_Cache_Weaknesses", "ref": "WSTG-ATHN-06", "status": "todo", "result": null, "items": [ { "id": "4DpsNmQS8nT6HnK2igNNJw", "title": "WSTG-ATHN-06_1", "status": "todo", "blocked": false, "checkId": "20TXwBCgKd9si6D0O0mbCk", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1Ctpi50oi5AUhZCIlv42fT", "type": "check", "title": "Testing for Weak Password Policy", "description": "Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/07-Testing_for_Weak_Password_Policy", "ref": "WSTG-ATHN-07", "status": "todo", "result": null, "items": [ { "id": "6utwl28BbdQqp0wm2LODtg", "title": "WSTG-ATHN-07_1", "status": "todo", "blocked": false, "checkId": "1Ctpi50oi5AUhZCIlv42fT", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6j5phsyf40BfdQujCdbIay", "type": "check", "title": "Testing for Weak Security Question Answer", "description": "Determine the complexity and how straight-forward the questions are.\nAssess possible user answers and brute force capabilities.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/08-Testing_for_Weak_Security_Question_Answer", "ref": "WSTG-ATHN-08", "status": "todo", "result": null, "items": [ { "id": "1vMfl61N9jx2gUa8wYN7xa", "title": "WSTG-ATHN-08_1", "status": "todo", "blocked": false, "checkId": "6j5phsyf40BfdQujCdbIay", "rank": 1, "result": { "value": null, "pocAvailable": 
false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6Gqme1CnDnDy1juncAGb3c", "type": "check", "title": "Testing for Weak Password Change or Reset Functionalities", "description": "Determine whether the password change and reset functionality allows accounts to be compromised.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities", "ref": "WSTG-ATHN-09", "status": "todo", "result": null, "items": [ { "id": "43jw9ImRrU9Y8g7n3vRper", "title": "WSTG-ATHN-09_1", "status": "todo", "blocked": false, "checkId": "6Gqme1CnDnDy1juncAGb3c", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2hau77yI6r4en9TpLc5Hgw", "type": "check", "title": "Testing for Weaker Authentication in Alternative Channel", "description": "Identify alternative authentication channels.\nAssess the security measures used and if any bypasses exists on the alternative channels.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/10-Testing_for_Weaker_Authentication_in_Alternative_Channel", "ref": "WSTG-ATHN-10", "status": "todo", "result": null, "items": [ { "id": "yPRnmDBZRMSvhDj7rZFeu", "title": "WSTG-ATHN-10_1", "status": "todo", "blocked": false, "checkId": "2hau77yI6r4en9TpLc5Hgw", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3AO4O32KnVCccM8UzZ5f2G", "type": "check", "title": "Testing Multi-Factor Authentication (MFA)", "description": "Identify the type of MFA used by the application.\nDetermine whether the MFA implementation is robust and secure.\nAttempt to bypass the MFA.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/04-Authentication_Testing\/11-Testing_Multi-Factor_Authentication", "ref": "WSTG-ATHN-11", "status": "todo", "result": null, "items": [ { "id": "5v394QkdwnheWyXrPSXtjA", "title": "WSTG-ATHN-11_1", "status": "todo", "blocked": false, "checkId": "3AO4O32KnVCccM8UzZ5f2G", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Authorization Testing", "items": [ { "id": "2ZrtGtVD7dxEJbY2zkFnfB", "type": "check", "title": "Testing Directory Traversal File Include", "description": "Identify injection points that pertain to path traversal.\nAssess bypassing techniques and identify the extent of path traversal.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/05-Authorization_Testing\/01-Testing_Directory_Traversal_File_Include", "ref": "WSTG-ATHZ-01", "status": "todo", "result": null, "items": [ { "id": "73If6yNnANqO62SkunglKZ", "title": "WSTG-ATHZ-01_1", "status": "todo", "blocked": false, "checkId": "2ZrtGtVD7dxEJbY2zkFnfB", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3hUPPENIry3xkCsNPDMMHb", "type": "check", "title": "Testing for Bypassing Authorization Schema", "description": "Assess if horizontal or vertical access is possible.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/05-Authorization_Testing\/02-Testing_for_Bypassing_Authorization_Schema", "ref": "WSTG-ATHZ-02", "status": "todo", "result": null, "items": [ { "id": "7MEXLngrzXBdf3yRqG6Ik3", "title": "WSTG-ATHZ-02_1", "status": "todo", "blocked": false, "checkId": "3hUPPENIry3xkCsNPDMMHb", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": 
"13SHJl2QqUw207cIuh2uIR", "type": "check", "title": "Testing for Privilege Escalation", "description": "Identify injection points related to privilege manipulation.\nFuzz or otherwise attempt to bypass security measures.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/05-Authorization_Testing\/03-Testing_for_Privilege_Escalation", "ref": "WSTG-ATHZ-03", "status": "todo", "result": null, "items": [ { "id": "7d7uBT3dWt3WNlKhGb8goc", "title": "WSTG-ATHZ-03_1", "status": "todo", "blocked": false, "checkId": "13SHJl2QqUw207cIuh2uIR", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1rdeetyxDwEZc5JqHSv5hY", "type": "check", "title": "Testing for Insecure Direct Object References", "description": "Identify points where object references may occur.\nAssess the access control measures and if they're vulnerable to IDOR.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/05-Authorization_Testing\/04-Testing_for_Insecure_Direct_Object_References", "ref": "WSTG-ATHZ-04", "status": "todo", "result": null, "items": [ { "id": "5hW8Zh1iNDJ274ZZymLqL0", "title": "WSTG-ATHZ-04_1", "status": "todo", "blocked": false, "checkId": "1rdeetyxDwEZc5JqHSv5hY", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5Stq6WtkjScNFEk3NGPICO", "type": "check", "title": "Testing for OAuth Weaknesses", "description": "Determine if OAuth2 implementation is vulnerable or using a deprecated or custom implementation.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/05-Authorization_Testing\/05-Testing_for_OAuth_Weaknesses", "ref": "WSTG-ATHZ-05", "status": "todo", "result": null, "items": [ { "id": "2jaTfEXouCQqll1TYVZpSF", "title": "WSTG-ATHZ-05_1", "status": "todo", 
"blocked": false, "checkId": "5Stq6WtkjScNFEk3NGPICO", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Session Management Testing", "items": [ { "id": "3USg5n9656E2d5mTrFJ91E", "type": "check", "title": "Testing for Session Management Schema", "description": "Gather session tokens, for the same user and for different users where possible.\nAnalyze and ensure that enough randomness exists to stop session forging attacks.\nModify cookies that are not signed and contain information that can be manipulated.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/01-Testing_for_Session_Management_Schema", "ref": "WSTG-SESS-01", "status": "todo", "result": null, "items": [ { "id": "5melVaTekq1GZsQRslORsT", "title": "WSTG-SESS-01_1", "status": "todo", "blocked": false, "checkId": "3USg5n9656E2d5mTrFJ91E", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1VtvNUPt0MOi8mPi20ZopW", "type": "check", "title": "Testing for Cookies Attributes", "description": "Ensure that the proper security configuration is set for cookies.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/02-Testing_for_Cookies_Attributes", "ref": "WSTG-SESS-02", "status": "todo", "result": null, "items": [ { "id": "3LUqoO6uFPVNvSH2u0lQii", "title": "WSTG-SESS-02_1", "status": "todo", "blocked": false, "checkId": "1VtvNUPt0MOi8mPi20ZopW", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4GeEVgBKIQGQcfBTqSNXMD", "type": "check", "title": "Testing for Session Fixation", "description": "Analyze the authentication mechanism and its flow.\nForce cookies and assess the impact.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/03-Testing_for_Session_Fixation", "ref": "WSTG-SESS-03", "status": "todo", "result": null, "items": [ { "id": "POiEJ7C6BrobTng3gl2J4", "title": "WSTG-SESS-03_1", "status": "todo", "blocked": false, "checkId": "4GeEVgBKIQGQcfBTqSNXMD", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1Q9AOX6mkwxTcGKKllF5w5", "type": "check", "title": "Testing for Exposed Session Variables", "description": "Ensure that proper encryption is implemented.\nReview the caching configuration.\nAssess the channel and methods' security.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/04-Testing_for_Exposed_Session_Variables", "ref": "WSTG-SESS-04", "status": "todo", "result": null, "items": [ { "id": "2cikQe08L4mlp7dqVQ8EOB", "title": "WSTG-SESS-04_1", "status": "todo", "blocked": false, "checkId": "1Q9AOX6mkwxTcGKKllF5w5", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "79ZuBfRjKfb7VX8QAVgmok", "type": "check", "title": "Testing for Cross Site Request Forgery", "description": "Determine whether it is possible to initiate requests on a user's behalf that are not initiated by the user.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/05-Testing_for_Cross_Site_Request_Forgery", "ref": "WSTG-SESS-05", "status": "todo", "result": null, "items": [ { "id": "1CSlX5alKh4vSmz2HIbQ3P", "title": "WSTG-SESS-05_1", "status": "todo", "blocked": false, "checkId": "79ZuBfRjKfb7VX8QAVgmok", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "Ggbw68HqUrT9EAdEA284l", 
"type": "check", "title": "Testing for Logout Functionality", "description": "Assess the logout UI.\nAnalyze the session timeout and if the session is properly killed after logout.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/06-Testing_for_Logout_Functionality", "ref": "WSTG-SESS-06", "status": "todo", "result": null, "items": [ { "id": "7XQPZMnrsmehQAIswIY4dv", "title": "WSTG-SESS-06_1", "status": "todo", "blocked": false, "checkId": "Ggbw68HqUrT9EAdEA284l", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "38wIktSbw3QoazLE1lNfib", "type": "check", "title": "Testing Session Timeout", "description": "Validate that a hard session timeout exists.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/07-Testing_Session_Timeout", "ref": "WSTG-SESS-07", "status": "todo", "result": null, "items": [ { "id": "3D1zn77YcSBRFtVDsyj3KG", "title": "WSTG-SESS-07_1", "status": "todo", "blocked": false, "checkId": "38wIktSbw3QoazLE1lNfib", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5HxYWIBXUleHrrBQNsLGhq", "type": "check", "title": "Testing for Session Puzzling", "description": "Identify all session variables.\nBreak the logical flow of session generation.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/08-Testing_for_Session_Puzzling", "ref": "WSTG-SESS-08", "status": "todo", "result": null, "items": [ { "id": "6BqovplxNGMyUg7PIK8UxK", "title": "WSTG-SESS-08_1", "status": "todo", "blocked": false, "checkId": "5HxYWIBXUleHrrBQNsLGhq", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, 
{ "id": "70njqXpOUgRXvvxr2wnIbF", "type": "check", "title": "Testing for Session Hijacking", "description": "Identify vulnerable session cookies.\nHijack vulnerable cookies and assess the risk level.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/09-Testing_for_Session_Hijacking", "ref": "WSTG-SESS-09", "status": "todo", "result": null, "items": [ { "id": "7ERiQi9RI3BElkE5B3c5xQ", "title": "WSTG-SESS-09_1", "status": "todo", "blocked": false, "checkId": "70njqXpOUgRXvvxr2wnIbF", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4FtrkH1XAIA2o1eUe2D7Ko", "type": "check", "title": "Testing JSON Web Tokens", "description": "Determine whether the JWTs expose sensitive information.\nDetermine whether the JWTs can be tampered with or modified.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/10-Testing_JSON_Web_Tokens", "ref": "WSTG-SESS-10", "status": "todo", "result": null, "items": [ { "id": "44GavL2SWyflmMbdE3HX1C", "title": "WSTG-SESS-10_1", "status": "todo", "blocked": false, "checkId": "4FtrkH1XAIA2o1eUe2D7Ko", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Input Validation Testing", "items": [ { "id": "FTGLng58bkdoL44WhDxix", "type": "check", "title": "Testing for Reflected Cross Site Scripting", "description": "Identify variables that are reflected in responses.\nAssess the input they accept and the encoding that gets applied on return (if any).", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/01-Testing_for_Reflected_Cross_Site_Scripting", "ref": "WSTG-INPV-01", "status": "todo", "result": null, "items": 
[ { "id": "5y3reJgVfrNBnZ3HXgalz9", "title": "WSTG-INPV-01_1", "status": "todo", "blocked": false, "checkId": "FTGLng58bkdoL44WhDxix", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6utWjKa2eNPyxg6L4s2T2G", "type": "check", "title": "Testing for Stored Cross Site Scripting", "description": "Identify stored input that is reflected on the client-side.\nAssess the input they accept and the encoding that gets applied on return (if any).", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/02-Testing_for_Stored_Cross_Site_Scripting", "ref": "WSTG-INPV-02", "status": "todo", "result": null, "items": [ { "id": "4PgWi8tCI8qA1b1ZeIDwEY", "title": "WSTG-INPV-02_1", "status": "todo", "blocked": false, "checkId": "6utWjKa2eNPyxg6L4s2T2G", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "67v9wdqIadk608UbYED7Zw", "type": "check", "title": "Testing for HTTP Verb Tampering", "description": "This content has been merged into: Test HTTP Methods", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/03-Testing_for_HTTP_Verb_Tampering", "ref": "WSTG-INPV-03", "status": "todo", "result": null, "items": [ { "id": "2gzE4JIwEygl4bfmwMdECZ", "title": "WSTG-INPV-03_1", "status": "todo", "blocked": false, "checkId": "67v9wdqIadk608UbYED7Zw", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6Dr2byCJgr2zwlxG1qhcNl", "type": "check", "title": "Testing for HTTP Parameter Pollution", "description": "Identify the backend and the parsing method used.\nAssess injection points and try bypassing input filters using HPP.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/04-Testing_for_HTTP_Parameter_Pollution", "ref": "WSTG-INPV-04", "status": "todo", "result": null, "items": [ { "id": "6zV6VWfLeKSCsxiAG1Ig61", "title": "WSTG-INPV-04_1", "status": "todo", "blocked": false, "checkId": "6Dr2byCJgr2zwlxG1qhcNl", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "7eYOngQ5wY7uit0ZdIh0Ci", "type": "check", "title": "Testing for SQL Injection", "description": "Identify SQL injection points.\nAssess the severity of the injection and the level of access that can be achieved through it.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/05-Testing_for_SQL_Injection", "ref": "WSTG-INPV-05", "status": "todo", "result": null, "items": [ { "id": "4ZkYEG6A6omxGWtKPAAyD6", "title": "WSTG-INPV-05_1", "status": "todo", "blocked": false, "checkId": "7eYOngQ5wY7uit0ZdIh0Ci", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1mkEaTA9jNwNCdQokzsLwQ", "type": "check", "title": "Testing for LDAP Injection", "description": "Identify LDAP injection points.\nAssess the severity of the injection.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/06-Testing_for_LDAP_Injection", "ref": "WSTG-INPV-06", "status": "todo", "result": null, "items": [ { "id": "3WuTb1BIreNesm1jCIV1NK", "title": "WSTG-INPV-06_1", "status": "todo", "blocked": false, "checkId": "1mkEaTA9jNwNCdQokzsLwQ", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5fmDVrUJy6Nf0TAZ8CRzxl", "type": "check", "title": "Testing for XML Injection", "description": "Identify XML 
injection points.\nAssess the types of exploits that can be attained and their severities.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/07-Testing_for_XML_Injection", "ref": "WSTG-INPV-07", "status": "todo", "result": null, "items": [ { "id": "6EjmentnnVloLM5MUDVdQp", "title": "WSTG-INPV-07_1", "status": "todo", "blocked": false, "checkId": "5fmDVrUJy6Nf0TAZ8CRzxl", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3i6GgiTQ5Ph8sWcwuz02G5", "type": "check", "title": "Testing for SSI Injection", "description": "Identify SSI injection points.\nAssess the severity of the injection.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/08-Testing_for_SSI_Injection", "ref": "WSTG-INPV-08", "status": "todo", "result": null, "items": [ { "id": "2hhzhLJ0mNyc7PnO2hPKyb", "title": "WSTG-INPV-08_1", "status": "todo", "blocked": false, "checkId": "3i6GgiTQ5Ph8sWcwuz02G5", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2r3FnbUlzALUXAkClK1BNj", "type": "check", "title": "Testing for XPath Injection", "description": "Identify XPATH injection points.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/09-Testing_for_XPath_Injection", "ref": "WSTG-INPV-09", "status": "todo", "result": null, "items": [ { "id": "5HyNNrDN6POw6aBQyQQGA9", "title": "WSTG-INPV-09_1", "status": "todo", "blocked": false, "checkId": "2r3FnbUlzALUXAkClK1BNj", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3mTvYVb2La0UviXa9UMMY3", "type": "check", "title": "Testing for IMAP SMTP Injection", "description": "Identify 
IMAP\/SMTP injection points.\nUnderstand the data flow and deployment structure of the system.\nAssess the injection impacts.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/10-Testing_for_IMAP_SMTP_Injection", "ref": "WSTG-INPV-10", "status": "todo", "result": null, "items": [ { "id": "5wsx4k6AIAKkSJN20oXUw1", "title": "WSTG-INPV-10_1", "status": "todo", "blocked": false, "checkId": "3mTvYVb2La0UviXa9UMMY3", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "13ibWn9vtJY1uNIMkjXPqU", "type": "check", "title": "Testing for Code Injection", "description": "Identify injection points where you can inject code into the application.\nAssess the injection severity.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/11-Testing_for_Code_Injection", "ref": "WSTG-INPV-11", "status": "todo", "result": null, "items": [ { "id": "1WOUTNfKRw9pRl1rseEnzc", "title": "WSTG-INPV-11_1", "status": "todo", "blocked": false, "checkId": "13ibWn9vtJY1uNIMkjXPqU", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1kYBvTjU9srpCMMlppcF1Y", "type": "check", "title": "Testing for Command Injection", "description": "Identify and assess the command injection points.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/12-Testing_for_Command_Injection", "ref": "WSTG-INPV-12", "status": "todo", "result": null, "items": [ { "id": "4WJiSGtKx4nmhLTgHvSFGd", "title": "WSTG-INPV-12_1", "status": "todo", "blocked": false, "checkId": "1kYBvTjU9srpCMMlppcF1Y", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": 
"YZd93XyXpgpBPYe9INw54", "type": "check", "title": "Testing for Buffer Overflow", "description": "This content has been removed.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/13-Testing_for_Buffer_Overflow", "ref": "WSTG-INPV-13", "status": "todo", "result": null, "items": [ { "id": "5cBdLCwIxM8FMIg3yvxKMw", "title": "WSTG-INPV-13_1", "status": "todo", "blocked": false, "checkId": "YZd93XyXpgpBPYe9INw54", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1nvAWhjd5wD7siH7keCI6w", "type": "check", "title": "Testing for Format String Injection", "description": "This content has been removed.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/13-Testing_for_Format_String_Injection", "ref": "WSTG-INPV-13", "status": "todo", "result": null, "items": [ { "id": "7RK51rifcf7Ki8yVW1cSHP", "title": "WSTG-INPV-13_1", "status": "todo", "blocked": false, "checkId": "1nvAWhjd5wD7siH7keCI6w", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4yhcCutIpnPWIFt1adcKpy", "type": "check", "title": "Testing for Incubated Vulnerability", "description": "Identify injections that are stored and require a recall step to the stored injection.\nUnderstand how a recall step could occur.\nSet listeners or activate the recall step if possible.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/14-Testing_for_Incubated_Vulnerability", "ref": "WSTG-INPV-14", "status": "todo", "result": null, "items": [ { "id": "KivZRJUcapP3JseKmz4V5", "title": "WSTG-INPV-14_1", "status": "todo", "blocked": false, "checkId": "4yhcCutIpnPWIFt1adcKpy", "rank": 1, "result": { "value": null, 
"pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "wm473WJkKTtHR3fWDiHMw", "type": "check", "title": "Testing for HTTP Splitting Smuggling", "description": "Assess if the application is vulnerable to splitting, identifying what possible attacks are achievable.\nAssess if the chain of communication is vulnerable to smuggling, identifying what possible attacks are achievable.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/15-Testing_for_HTTP_Splitting_Smuggling", "ref": "WSTG-INPV-15", "status": "todo", "result": null, "items": [ { "id": "21BIn0czicm9OPm285k23M", "title": "WSTG-INPV-15_1", "status": "todo", "blocked": false, "checkId": "wm473WJkKTtHR3fWDiHMw", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1pRC0BdLI5pNpF8e1oCkyS", "type": "check", "title": "Testing for HTTP Incoming Requests", "description": "Monitor all incoming and outgoing HTTP requests to the Web Server to inspect any suspicious requests.\nMonitor HTTP traffic without changes of end user Browser proxy or client-side application.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/16-Testing_for_HTTP_Incoming_Requests", "ref": "WSTG-INPV-16", "status": "todo", "result": null, "items": [ { "id": "2Ao9Cej6Md0hxRHLauUTOA", "title": "WSTG-INPV-16_1", "status": "todo", "blocked": false, "checkId": "1pRC0BdLI5pNpF8e1oCkyS", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4rVMw0PsEyNu50z1DR9PGx", "type": "check", "title": "Testing for Host Header Injection", "description": "Assess if the Host header is being parsed dynamically in the application.\nBypass security controls that rely on the header.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/17-Testing_for_Host_Header_Injection", "ref": "WSTG-INPV-17", "status": "todo", "result": null, "items": [ { "id": "7VhDNh0Q29oeavwhxnpO4A", "title": "WSTG-INPV-17_1", "status": "todo", "blocked": false, "checkId": "4rVMw0PsEyNu50z1DR9PGx", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5RU8dV3S0TEuUfxlP3bq60", "type": "check", "title": "Testing for Server-side Template Injection", "description": "Detect template injection vulnerability points.\nIdentify the templating engine.\nBuild the exploit.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/18-Testing_for_Server-side_Template_Injection", "ref": "WSTG-INPV-18", "status": "todo", "result": null, "items": [ { "id": "4t0STJ9Rrs4TrwELSuZtv8", "title": "WSTG-INPV-18_1", "status": "todo", "blocked": false, "checkId": "5RU8dV3S0TEuUfxlP3bq60", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "dG4UZOl06Vl5z4LMl0RcT", "type": "check", "title": "Testing for Server-Side Request Forgery", "description": "Identify SSRF injection points.\nTest if the injection points are exploitable.\nAsses the severity of the vulnerability.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/19-Testing_for_Server-Side_Request_Forgery", "ref": "WSTG-INPV-19", "status": "todo", "result": null, "items": [ { "id": "6l82t2Ga7flSsP3onOc6oK", "title": "WSTG-INPV-19_1", "status": "todo", "blocked": false, "checkId": "dG4UZOl06Vl5z4LMl0RcT", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "53YZkzP1ngDxN7hoEURBsO", 
"type": "check", "title": "Testing for Mass Assignment", "description": "Identify requests that modify objects\nAssess if it is possible to modify fields never intended to be modified from outside", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/20-Testing_for_Mass_Assignment", "ref": "WSTG-INPV-20", "status": "todo", "result": null, "items": [ { "id": "1xIkQ7qcFUjj6jh0u2skgz", "title": "WSTG-INPV-20_1", "status": "todo", "blocked": false, "checkId": "53YZkzP1ngDxN7hoEURBsO", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Testing for Error Handling", "items": [ { "id": "4bopUtbUPg4ty6c5q35Ii3", "type": "check", "title": "Testing for Improper Error Handling", "description": "Identify existing error output.\nAnalyze the different output returned.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/08-Testing_for_Error_Handling\/01-Testing_For_Improper_Error_Handling", "ref": "WSTG-ERRH-01", "status": "todo", "result": null, "items": [ { "id": "45b0hNQekFsP8K0Zea7Nos", "title": "WSTG-ERRH-01_1", "status": "todo", "blocked": false, "checkId": "4bopUtbUPg4ty6c5q35Ii3", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2iGa5OEPafEsDUHeo6BFFu", "type": "check", "title": "Testing for Stack Traces", "description": "This content has been merged into: Testing for Improper Error Handling.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/08-Testing_for_Error_Handling\/02-Testing_for_Stack_Traces", "ref": "WSTG-ERRH-02", "status": "todo", "result": null, "items": [ { "id": "4SKZ0yDIk0Q5nhQhPIOMrV", "title": "WSTG-ERRH-02_1", "status": "todo", "blocked": false, "checkId": 
"2iGa5OEPafEsDUHeo6BFFu", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Testing for Weak Cryptography", "items": [ { "id": "7KxQtDqOY6NXmNXjiiBNtp", "type": "check", "title": "Testing for Weak Transport Layer Security", "description": "Validate the service configuration.\nReview the digital certificate's cryptographic strength and validity.\nEnsure that the TLS security is not bypassable and is properly implemented across the application.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/09-Testing_for_Weak_Cryptography\/01-Testing_for_Weak_Transport_Layer_Security", "ref": "WSTG-CRYP-01", "status": "todo", "result": null, "items": [ { "id": "3JUiNrRlcpeonk9QyY5CHH", "title": "WSTG-CRYP-01_1", "status": "todo", "blocked": false, "checkId": "7KxQtDqOY6NXmNXjiiBNtp", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "vPZr2AP0dY367WonUz6Wy", "type": "check", "title": "Testing for Padding Oracle", "description": "Identify encrypted messages that rely on padding.\nAttempt to break the padding of the encrypted messages and analyze the returned error messages for further analysis.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/09-Testing_for_Weak_Cryptography\/02-Testing_for_Padding_Oracle", "ref": "WSTG-CRYP-02", "status": "todo", "result": null, "items": [ { "id": "1k62tW6pzvelkCTmWCgbkn", "title": "WSTG-CRYP-02_1", "status": "todo", "blocked": false, "checkId": "vPZr2AP0dY367WonUz6Wy", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "7XMTzVShk1PWUZvvqnJVu7", "type": "check", "title": "Testing for Sensitive Information Sent via Unencrypted Channels", "description": "Identify sensitive information 
transmitted through the various channels.\nAssess the privacy and security of the channels used.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/09-Testing_for_Weak_Cryptography\/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels", "ref": "WSTG-CRYP-03", "status": "todo", "result": null, "items": [ { "id": "4nZHRDTrboacqHEWDljoLq", "title": "WSTG-CRYP-03_1", "status": "todo", "blocked": false, "checkId": "7XMTzVShk1PWUZvvqnJVu7", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2lS9DXA6cpcMwYNytq0oEU", "type": "check", "title": "Testing for Weak Encryption", "description": "Provide a guideline for the identification weak encryption or hashing uses and implementations.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/09-Testing_for_Weak_Cryptography\/04-Testing_for_Weak_Encryption", "ref": "WSTG-CRYP-04", "status": "todo", "result": null, "items": [ { "id": "5KWbMxAYLzqExNuhU9x6lp", "title": "WSTG-CRYP-04_1", "status": "todo", "blocked": false, "checkId": "2lS9DXA6cpcMwYNytq0oEU", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Business Logic Testing", "items": [ { "id": "21Mw4d26XHFtsIJyaqyHYn", "type": "check", "title": "Test Business Logic Data Validation", "description": "Identify data injection points.\nValidate that all checks are occurring on the backend and can't be bypassed.\nAttempt to break the format of the expected data and analyze how the application is handling it.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/01-Test_Business_Logic_Data_Validation", "ref": "WSTG-BUSL-01", "status": "todo", "result": null, "items": [ { "id": 
"2DpYFvHDe7q4m00NgJ535o", "title": "WSTG-BUSL-01_1", "status": "todo", "blocked": false, "checkId": "21Mw4d26XHFtsIJyaqyHYn", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4rM1ah8usPRgCMY0P8anQ7", "type": "check", "title": "Test Ability to Forge Requests", "description": "Review the project documentation looking for guessable, predictable, or hidden functionality of fields.\nInsert logically valid data in order to bypass normal business logic workflow.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/02-Test_Ability_to_Forge_Requests", "ref": "WSTG-BUSL-02", "status": "todo", "result": null, "items": [ { "id": "385OFn4w42yUq7Laof1VIV", "title": "WSTG-BUSL-02_1", "status": "todo", "blocked": false, "checkId": "4rM1ah8usPRgCMY0P8anQ7", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2P8Dho2qZdBA6VBdSCkVqM", "type": "check", "title": "Test Integrity Checks", "description": "Review the project documentation for components of the system that move, store, or handle data.\nDetermine what type of data is logically acceptable by the component and what types the system should guard against.\nDetermine who should be allowed to modify or read that data in each component.\nAttempt to insert, update, or delete data values used by each component that should not be allowed per the business logic workflow.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/03-Test_Integrity_Checks", "ref": "WSTG-BUSL-03", "status": "todo", "result": null, "items": [ { "id": "2s623svdzf8TlrcwH00xut", "title": "WSTG-BUSL-03_1", "status": "todo", "blocked": false, "checkId": "2P8Dho2qZdBA6VBdSCkVqM", "rank": 1, "result": { "value": null, "pocAvailable": false, 
"countReportsLinked": 0 }, "assignee": null } ] }, { "id": "KtwC0Ks7ck6AhU73nlYLq", "type": "check", "title": "Test for Process Timing", "description": "Review the project documentation for system functionality that may be impacted by time.\nDevelop and execute misuse cases.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/04-Test_for_Process_Timing", "ref": "WSTG-BUSL-04", "status": "todo", "result": null, "items": [ { "id": "60vDYt58br97iARGidh7u4", "title": "WSTG-BUSL-04_1", "status": "todo", "blocked": false, "checkId": "KtwC0Ks7ck6AhU73nlYLq", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4oSDHl2bD0Cs9dIP6tZZZ8", "type": "check", "title": "Test Number of Times a Function Can Be Used Limits", "description": "Identify functions that must set limits to the times they can be called.\nAssess if there is a logical limit set on the functions and if it is properly validated.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/05-Test_Number_of_Times_a_Function_Can_Be_Used_Limits", "ref": "WSTG-BUSL-05", "status": "todo", "result": null, "items": [ { "id": "4n1KTq5vy2Qgu3h2EDKtpt", "title": "WSTG-BUSL-05_1", "status": "todo", "blocked": false, "checkId": "4oSDHl2bD0Cs9dIP6tZZZ8", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3J4uprRMySV4c4FeYlOqKX", "type": "check", "title": "Testing for the Circumvention of Work Flows", "description": "Review the project documentation for methods to skip or go through steps in the application process in a different order from the intended business logic flow.\nDevelop a misuse case and try to circumvent every logic flow identified.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/06-Testing_for_the_Circumvention_of_Work_Flows", "ref": "WSTG-BUSL-06", "status": "todo", "result": null, "items": [ { "id": "14kdeb1KhJ13SJa4TeaGj9", "title": "WSTG-BUSL-06_1", "status": "todo", "blocked": false, "checkId": "3J4uprRMySV4c4FeYlOqKX", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6SAuC5xy2fiI14CzaD21b7", "type": "check", "title": "Test Defenses Against Application Misuse", "description": "Generate notes from all tests conducted against the system.\nReview which tests had a different functionality based on aggressive input.\nUnderstand the defenses in place and verify if they are enough to protect the system against bypassing techniques.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/07-Test_Defenses_Against_Application_Misuse", "ref": "WSTG-BUSL-07", "status": "todo", "result": null, "items": [ { "id": "4VK5QYmQT4SzXutH6DdUX7", "title": "WSTG-BUSL-07_1", "status": "todo", "blocked": false, "checkId": "6SAuC5xy2fiI14CzaD21b7", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2Ymftbn0VoP4rnUIJbxzB8", "type": "check", "title": "Test Upload of Unexpected File Types", "description": "Review the project documentation for file types that are rejected by the system.\nVerify that the unwelcomed file types are rejected and handled safely.\nVerify that file batch uploads are secure and do not allow any bypass against the set security measures.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/08-Test_Upload_of_Unexpected_File_Types", "ref": "WSTG-BUSL-08", "status": "todo", "result": null, "items": [ 
{ "id": "CbX9Ugfz6eBXxwV0XQMVR", "title": "WSTG-BUSL-08_1", "status": "todo", "blocked": false, "checkId": "2Ymftbn0VoP4rnUIJbxzB8", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "7LY159B7popyyO4p9bB8vs", "type": "check", "title": "Test Upload of Malicious Files", "description": "Identify the file upload functionality.\nReview the project documentation to identify what file types are considered acceptable, and what types would be considered dangerous or malicious.\nIf documentation is not available then consider what would be appropriate based on the purpose of the application.\nDetermine how the uploaded files are processed.\nObtain or create a set of malicious files for testing.\nTry to upload the malicious files to the application and determine whether it is accepted and processed.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/09-Test_Upload_of_Malicious_Files", "ref": "WSTG-BUSL-09", "status": "todo", "result": null, "items": [ { "id": "4pauBNI8jOat7YUkSusxEL", "title": "WSTG-BUSL-09_1", "status": "todo", "blocked": false, "checkId": "7LY159B7popyyO4p9bB8vs", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "1pfZVCtGpKVVNGQd6ngrpC", "type": "check", "title": "Test Payment Functionality", "description": "Determine whether the business logic for the e-commerce functionality is robust.\nUnderstand how the payment functionality works.\nDetermine whether the payment functionality is secure.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/10-Business_Logic_Testing\/10-Test-Payment-Functionality", "ref": "WSTG-BUSL-10", "status": "todo", "result": null, "items": [ { "id": "1OXfJCITRr99TWrID9Ru0E", "title": "WSTG-BUSL-10_1", "status": "todo", "blocked": false, 
"checkId": "1pfZVCtGpKVVNGQd6ngrpC", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "Client-side Testing", "items": [ { "id": "5QStfbuzhpUHhJkjHV9pqO", "type": "check", "title": "Testing for DOM-Based Cross Site Scripting", "description": "Identify DOM sinks.\nBuild payloads that pertain to every sink type.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/01-Testing_for_DOM-based_Cross_Site_Scripting", "ref": "WSTG-CLNT-01", "status": "todo", "result": null, "items": [ { "id": "15pBn6slFuLq1ej971I3I3", "title": "WSTG-CLNT-01_1", "status": "todo", "blocked": false, "checkId": "5QStfbuzhpUHhJkjHV9pqO", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "2WyCI1HI9pAe7KNGhsMzYE", "type": "check", "title": "Testing for JavaScript Execution", "description": "Identify sinks and possible JavaScript injection points.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/02-Testing_for_JavaScript_Execution", "ref": "WSTG-CLNT-02", "status": "todo", "result": null, "items": [ { "id": "2dmkJ7KNyY8kGtrELjOTwI", "title": "WSTG-CLNT-02_1", "status": "todo", "blocked": false, "checkId": "2WyCI1HI9pAe7KNGhsMzYE", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "332prvQE5Ik09A8bbrR9kG", "type": "check", "title": "Testing for HTML Injection", "description": "Identify HTML injection points and assess the severity of the injected content.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/03-Testing_for_HTML_Injection", "ref": "WSTG-CLNT-03", "status": "todo", "result": null, "items": [ { 
"id": "3y2t8CFMuQ814tmcwhGEEm", "title": "WSTG-CLNT-03_1", "status": "todo", "blocked": false, "checkId": "332prvQE5Ik09A8bbrR9kG", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3EJBfwCFLfYClrlvaOLFXU", "type": "check", "title": "Testing for Client-side URL Redirect", "description": "Identify injection points that handle URLs or paths.\nAssess the locations that the system could redirect to.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/04-Testing_for_Client-side_URL_Redirect", "ref": "WSTG-CLNT-04", "status": "todo", "result": null, "items": [ { "id": "2APcphDhH1NsWH0qeeacQJ", "title": "WSTG-CLNT-04_1", "status": "todo", "blocked": false, "checkId": "3EJBfwCFLfYClrlvaOLFXU", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6ZXLMOZLfE0kNTZTDDDMpl", "type": "check", "title": "Testing for CSS Injection", "description": "Identify CSS injection points.\nAssess the impact of the injection.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/05-Testing_for_CSS_Injection", "ref": "WSTG-CLNT-05", "status": "todo", "result": null, "items": [ { "id": "1csgrhybCJiARVAHgsEk37", "title": "WSTG-CLNT-05_1", "status": "todo", "blocked": false, "checkId": "6ZXLMOZLfE0kNTZTDDDMpl", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4YaL5BBlTsUewEJCv72HRe", "type": "check", "title": "Testing for Client-side Resource Manipulation", "description": "Identify sinks with weak input validation.\nAssess the impact of the resource manipulation.", "link": 
"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/06-Testing_for_Client-side_Resource_Manipulation", "ref": "WSTG-CLNT-06", "status": "todo", "result": null, "items": [ { "id": "6D8kqEip6PBxPfFzQ4RcZ4", "title": "WSTG-CLNT-06_1", "status": "todo", "blocked": false, "checkId": "4YaL5BBlTsUewEJCv72HRe", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "5gkWLwQ1p8ZDAHK1dc2qAD", "type": "check", "title": "Testing Cross Origin Resource Sharing", "description": "Identify endpoints that implement CORS.\nEnsure that the CORS configuration is secure or harmless.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/07-Testing_Cross_Origin_Resource_Sharing", "ref": "WSTG-CLNT-07", "status": "todo", "result": null, "items": [ { "id": "YmkWwQNetd6bVXJgIyPDs", "title": "WSTG-CLNT-07_1", "status": "todo", "blocked": false, "checkId": "5gkWLwQ1p8ZDAHK1dc2qAD", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "23I4IIQUvXW9X3QgVfMtTI", "type": "check", "title": "Testing for Cross Site Flashing", "description": "Decompile and analyze the application's code.\nAssess sinks inputs and unsafe method usages.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/08-Testing_for_Cross_Site_Flashing", "ref": "WSTG-CLNT-08", "status": "todo", "result": null, "items": [ { "id": "6huqD8NAe1KMi3PLjsUUYu", "title": "WSTG-CLNT-08_1", "status": "todo", "blocked": false, "checkId": "23I4IIQUvXW9X3QgVfMtTI", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "4eWP8KkUGMcKqsir0ezeIK", "type": "check", "title": "Testing for Clickjacking", 
"description": "Understand security measures in place.\nAssess how strict the security measures are and if they are bypassable.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/09-Testing_for_Clickjacking", "ref": "WSTG-CLNT-09", "status": "todo", "result": null, "items": [ { "id": "1OFpdQa0qTRilgl3pvTKX", "title": "WSTG-CLNT-09_1", "status": "todo", "blocked": false, "checkId": "4eWP8KkUGMcKqsir0ezeIK", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "6941wk5NOVOXIpZ67OW7xC", "type": "check", "title": "Testing WebSockets", "description": "Identify the usage of WebSockets.\nAssess its implementation by using the same tests on normal HTTP channels.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/10-Testing_WebSockets", "ref": "WSTG-CLNT-10", "status": "todo", "result": null, "items": [ { "id": "1zHGqQPo2ScBoWwSqeQ4Pt", "title": "WSTG-CLNT-10_1", "status": "todo", "blocked": false, "checkId": "6941wk5NOVOXIpZ67OW7xC", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "7ReAhcWedaGxfsWjUavUvL", "type": "check", "title": "Testing Web Messaging", "description": "Assess the security of the message's origin.\nValidate that it's using safe methods and validating its input.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/11-Testing_Web_Messaging", "ref": "WSTG-CLNT-11", "status": "todo", "result": null, "items": [ { "id": "lngZtPGZKOic4VpIGJx7V", "title": "WSTG-CLNT-11_1", "status": "todo", "blocked": false, "checkId": "7ReAhcWedaGxfsWjUavUvL", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": 
"2MgvrcASrKvzqp8b9NMBIU", "type": "check", "title": "Testing Browser Storage", "description": "Determine whether the website is storing sensitive data in client-side storage.\nThe code handling of the storage objects should be examined for possibilities of injection attacks, such as utilizing unvalidated input or vulnerable libraries.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/12-Testing_Browser_Storage", "ref": "WSTG-CLNT-12", "status": "todo", "result": null, "items": [ { "id": "3UDmiG2YyXZ3qHPjJZVrCD", "title": "WSTG-CLNT-12_1", "status": "todo", "blocked": false, "checkId": "2MgvrcASrKvzqp8b9NMBIU", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "53cqp0WizP5UcD6y9aEy2T", "type": "check", "title": "Testing for Cross Site Script Inclusion", "description": "Locate sensitive data across the system.\nAssess the leakage of sensitive data through various techniques.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/13-Testing_for_Cross_Site_Script_Inclusion", "ref": "WSTG-CLNT-13", "status": "todo", "result": null, "items": [ { "id": "2swWlnHwBxYnApxwqPaFia", "title": "WSTG-CLNT-13_1", "status": "todo", "blocked": false, "checkId": "53cqp0WizP5UcD6y9aEy2T", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] }, { "id": "3l1QbxBui2hkNi4QDQLvCR", "type": "check", "title": "Testing for Reverse Tabnabbing", "description": "Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page by exploiting the \u201ctarget\u201d attribute in <a> tag.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/11-Client-side_Testing\/14-Testing_for_Reverse_Tabnabbing", "ref": 
"WSTG-CLNT-14", "status": "todo", "result": null, "items": [ { "id": "4fhAHWZLVgyuIedTDf4hYs", "title": "WSTG-CLNT-14_1", "status": "todo", "blocked": false, "checkId": "3l1QbxBui2hkNi4QDQLvCR", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] }, { "type": "category", "title": "API Testing", "items": [ { "id": "5urrLsUSpEdS04mnHAm2SE", "type": "check", "title": "Testing GraphQL", "description": "Assess that a secure and production-ready configuration is deployed.\nValidate all input fields against generic attacks.\nEnsure that proper access controls are applied.", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/12-API_Testing\/01-Testing_GraphQL", "ref": "WSTG-APIT-01", "status": "todo", "result": null, "items": [ { "id": "5XLTnHgsMq7qoi1SX66LAx", "title": "WSTG-APIT-01_1", "status": "todo", "blocked": false, "checkId": "5urrLsUSpEdS04mnHAm2SE", "rank": 1, "result": { "value": null, "pocAvailable": false, "countReportsLinked": 0 }, "assignee": null } ] } ] } ] } const target = '4JdxRNU76DFKaSXnWFjhJY' const transform2 = (arr) => { return arr.flatMap((x) => { if (x.items) { return transform2(x.items) } return x }) } const result = transform2(data.items).find( (x) => x.id === target )
Test case name / Result:
reduce: no result recorded
flatMAp: no result recorded
Fastest: N/A
Slowest: N/A
Latest run results: no previous run results. This benchmark does not have any results yet. Be the first one to run it!
Autogenerated LLM Summary (model llama3.2:3b, generated one year ago):
It appears that the provided text is not a programming question, but rather some kind of data or log output from a web application security testing tool, such as the OWASP Web Security Testing Guide. However, I can try to help you extract information from it. Can you please specify what exactly you would like to know or accomplish with this data? Are you trying to: * Identify vulnerabilities in the application? * Analyze test results? * Understand how the testing tool works? Please provide more context or clarify your question, and I'll do my best to assist you.
Related benchmarks:
flatMap vs reduce using push
Reduce vs flatMap performance
Reduce Push vs. flatMap with subarrays
Flatmap vs reduce with objects
flatMap vs Reduce with push - test