WSTG Versions

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.

20230928

6 months ago

Temporary release between 4.2 and 4.3 to attach PDF and ePub.

v4.2

3 years ago

Published here: https://owasp.org/www-project-web-security-testing-guide/v42/

- Guide:
  - Add GraphQL API testing scenario and details (WSTG-APIT-01).
  - Add Test Objectives to all scenarios.
  - Add Testing for HTTP Method Overriding (WSTG-CONF-06).
  - Add to Review Webpage Content for Information Leakage (WSTG-INFO-05).
  - Add Testing for Session Hijacking (WSTG-SESS-09).
  - Add to Testing for Bypassing Authorization Schema (WSTG-ATHZ-02).
  - Add to Testing for Local File Inclusion (WSTG-INPV-11.1).
  - Add Appendix F: Leveraging Dev Tools.
  - Add Testing for Server-Side Request Forgery (WSTG-INPV-19).
  - Add to Testing for Weak Lock Out Mechanism (WSTG-ATHN-03).
  - Merge section Fingerprint Web Application (WSTG-INFO-09) into Fingerprint Web Application Framework (WSTG-INFO-08).
  - Merge section Testing for HTTP Verb Tampering (WSTG-INPV-03) into Test HTTP Methods (WSTG-CONF-06).
  - Merge section Testing for Stack Traces (WSTG-ERRH-02) into Testing for Improper Error Handling (WSTG-ERRH-01).
  - Update Frontispiece (Chapter 1).
  - Update Introduction (Chapter 2).
  - Update Test HTTP Strict Transport Security (WSTG-CONF-07).
  - Update Review Webserver Metafiles for Information Leakage (WSTG-INFO-03).
  - Update Penetration Testing Methodologies (Chapter 3.8).
  - Update Test HTTP Methods (WSTG-CONF-06).
  - Update Test Upload of Malicious Files (WSTG-BUSL-09).
  - Update Testing for Weak Encryption (WSTG-CRYP-04).
  - Update Testing for SSI Injection (WSTG-INPV-08).
  - Update Testing for Format String Injection (WSTG-INPV-13).
  - Update DOM-Based Cross Site Scripting to include sources, sinks, and their corresponding references (WSTG-CLNT-01).
  - Remove Testing for Buffer Overflow (WSTG-INPV-13).
  - Rewrite Fuzz Vectors (Appendix C).
  - Rewrite Testing for Weak Transport Layer Security (WSTG-CRYP-01).
  - Rewrite Role Definitions (WSTG-IDNT-01).
  - Rewrite Weak Lockout (WSTG-ATHN-03).
  - Rewrite Testing for Credentials Transported over an Encrypted Channel (WSTG-ATHN-01).
  - Rewrite Session Fixation Testing (WSTG-SESS-03).
  - Rewrite Testing for Improper Error Handling (WSTG-ERRH-01).
  - Rewrite Reporting section.
  - Update Test for Process Timing (WSTG-BUSL-04).
  - Update Contributor Guide, Style Guide, and Content Templates.
  - Standardize HTTP request/response examples.
  - Establish consistent terminology.
  - Change MiTM terminology to manipulator-in-the-middle, aligning with other industry projects such as ZAP.
  - Add reference and linking details.
  - Update references and links for tools; remove links and references for seemingly unmaintained tools.
  - Revise CIS-CAT and Wappalyzer references.
  - Add OWASP trademark registration.
- Repository housekeeping:
  - Add Codespaces support.
  - Establish GitLocalize (https://gitlocalize.com/repo/5220) as a facility through which the project will accept translations.
  - Add terminology linting.
  - Add "Sponsor" details.
  - Automate creation of JSON "checklist".
  - Add action to refresh stale issues.
  - Add README and documentation for GitHub Action workflows.
  - Add manual triggers to various workflows (such as PDF generation).
- For future use:
  - Establish a layout plan for v5.
  - Establish release plans and milestones/projects for 4.2, 4.3, and 5.0.
- Based on:
  - ~120 Pull Requests.
  - 2 Google docs for planning and data collection.
  - Innumerable Slack discussions.
- Test additions:

| Test ID | Test Name |
|---|---|
| WSTG-SESS-09 | Testing for Session Hijacking |
| WSTG-INPV-19 | Testing for Server-Side Request Forgery |
| WSTG-APIT-01 | Testing GraphQL |

- Test scenarios which were re-written:

| Test ID | v4.1 Test Name | New Test Name |
|---|---|---|
| WSTG-INPV-13 | Testing for Buffer Overflow | Testing for Format String Injection |
| WSTG-ERRH-01 | Analysis of Error Codes | Testing for Improper Error Handling |
| WSTG-CRYP-01 | Testing for Weak SSL TLS Ciphers Insufficient Transport Layer Protection | Testing for Weak Transport Layer Security |

- Test name modifications:

| Test ID | v4.1 Test Name | New Test Name |
|---|---|---|
| WSTG-INFO-05 | Review Webpage Comments and Metadata for Information Leakage | Review Webpage Content for Information Leakage |
| WSTG-CONF-04 | Backup and Unreferenced Files for Sensitive Information | Review Old Backup and Unreferenced Files for Sensitive Information |
| WSTG-ATHZ-01 | Testing Directory Traversal - File Include | Testing Directory Traversal File Include |
| WSTG-SESS-01 | Testing for Bypassing Session Management Schema | Testing for Session Management Schema |
| WSTG-SESS-07 | Test Session Timeout | Testing Session Timeout |
| WSTG-INPV-10 | IMAP/SMTP Injection | Testing for IMAP SMTP Injection |
| WSTG-INPV-15 | Testing for HTTP Splitting/Smuggling | Testing for HTTP Splitting Smuggling |
| WSTG-ERRH-02 | Analysis of Stack Traces | Testing for Stack Traces |
| WSTG-CLNT-12 | Test Local Storage | Test Browser Storage |

v4.1

3 years ago

Published here: https://owasp.org/www-project-web-security-testing-guide/v41/

- Finish all formatting, image restoration, etc., for the MediaWiki to GitHub migration.
- Move identifiers from file names/headings into the document content.
- Shorten identifiers to 4-character categories and 2 digits.
- Revise and relocate ORM Injection into SQL Injection section.
- Simplify numbering of all content/assets.
- Various grammar and typo fixes throughout.
- All headings now use Title Caps.
- Add Host Header attacks section.
- Add Subdomain Takeover section.
- Add Cloud Storage section.
- Add Client Side SQLi section.
- Re-wrote Cookie Testing section, adding SameSite Cookies and Cookie Prefix info.
- Re-wrote Format String section.
- Fix all broken links.
- Replace various images in sections 2, 3, and 4.
- Revise Browser Cache Weakness section, including new screenshots and details for modern browsers and mobile considerations.
- Revise Client Side Storage section.
- Revise Search Engine Discovery and Recon section.
- Revise Fingerprint Web Server section.
- Revise CSRF section, and add JSON CSRF info.
- Revise password policy guidance.
- Revise web backdoors content to not be detected/blocked/removed by Windows Defender.
- Revise Remember Password section.
- Improve Identify Application Entry Points section.
- Add references and 3rd example to Business Logic Data Validation section.
- Clarify passive and active testing.
- Remove unsupported statistics.
- Remove all old www.owasp.org links and update to owasp.org where migration occurred.
- Remove misleading examples using META Cache-Control.
- Tons of typo fixes and acronym capitalization.
- New cover image for PDF.

- Project: Create Contributor Guide, Style Guide, and Content Templates.
- Project: Establish project Code of Conduct.
- Project: Establish @owasp_wstg Twitter presence.

- Repo: Add markdown linting.
- Repo: Add link checking.
- Repo: Set up Issue and PR templates.
- Repo: Automate deployment of 'latest' content to owasp.org website.
- Repo: Automate deployment of versioned and stable content to owasp.org website.
- Repo: Automate creation of PDF.

- For future use:
  - Establish a layout plan for v5.
  - Establish release plans and milestones/projects for 4.1, 4.x, and 5.0.

Based on:
* ~260 Pull Requests.
* 3 Google docs for planning and data collection.
* A dozen Hangouts calls across various time zones.
* Innumerable Slack discussions.