bmt 0.8.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (19) hide show
  1. checksums.yaml +4 -4
  2. data/lib/bmt/version.rb +1 -1
  3. data/lib/data/0.1/methodologies/ai_llm.json +515 -278
  4. data/lib/data/0.1/methodologies/api_testing.json +24 -52
  5. data/lib/data/0.9/mappings/templates.json +17 -0
  6. data/lib/data/0.9/mappings/templates.schema.json +62 -0
  7. data/lib/data/0.9/methodologies/active_directory.json +426 -0
  8. data/lib/data/0.9/methodologies/ai_llm.json +280 -0
  9. data/lib/data/0.9/methodologies/api_testing.json +687 -0
  10. data/lib/data/0.9/methodologies/binaries.json +252 -0
  11. data/lib/data/0.9/methodologies/internal_network.json +454 -0
  12. data/lib/data/0.9/methodologies/mobile_android.json +514 -0
  13. data/lib/data/0.9/methodologies/mobile_ios.json +452 -0
  14. data/lib/data/0.9/methodologies/network.json +207 -0
  15. data/lib/data/0.9/methodologies/template.json +83 -0
  16. data/lib/data/0.9/methodologies/website_testing.json +1078 -0
  17. data/lib/data/0.9/schema.json +124 -0
  18. metadata +21 -8
  19. /data/lib/data/{0.1 → 0.9}/methodologies/hardware_testing.json +0 -0
data/lib/data/0.9/methodologies/website_testing.json ADDED
@@ -0,0 +1,1078 @@
1
+ {
2
+ "metadata": {
3
+ "title": "Website Testing",
4
+ "release_date": "2025-04-24T00:00:00+00:00",
5
+ "description": "Bugcrowd Web Methodology Testing",
6
+ "vrt_version": "1.16"
7
+ },
8
+ "content": {
9
+ "steps": [
10
+ {
11
+ "key": "information",
12
+ "title": "Information gathering",
13
+ "description": "",
14
+ "type": "checklist",
15
+ "items": [
16
+ {
17
+ "key": "search_engine_discovery_and_reconnaissance",
18
+ "title": "Conduct Search Engine Discovery and Reconnaissance for Information Leakage",
19
+ "caption": "OTG-INFO-001, WAHHM - Recon and Analysis",
20
+ "description": "Query search engines for leaked credentials, configurations, or documents via misindexing.",
21
+ "tools": "bbot, dorky, Censys, Google Dorks, Shodan",
22
+ "vrt_category": "sensitive_data_exposure"
23
+ },
24
+ {
25
+ "key": "fingerprint",
26
+ "title": "Fingerprint Web Server",
27
+ "caption": "OTG-INFO-002, WAHHM - Recon and Analysis",
28
+ "description": "Identify server, CMS, or database software and version to exploit CVEs or misconfigurations.",
29
+ "tools": "httpx, Nuclei, Wappalyzer",
30
+ "vrt_category": "server_security_misconfiguration"
31
+ },
32
+ {
33
+ "key": "webserver_metafiles",
34
+ "title": "Review Webserver Metafiles for Information Leakage",
35
+ "caption": "OTG-INFO-003, WAHHM - Recon and Analysis",
36
+ "description": "Check robots.txt, sitemap.xml and identify <META> Tags from website for exposed endpoints or directories.",
37
+ "tools": "Browser, curl, wget"
38
+ },
39
+ {
40
+ "key": "enumerate_applications",
41
+ "title": "Enumerate Applications on Webserver",
42
+ "caption": "if in scope OTG-INFO-004, WAHHM - Recon and Analysis",
43
+ "description": "Find applications hosted in the webserver (Virtual hosts/Subdomain), non-standard ports, DNS zone transfers to expand the attack surface.",
44
+ "tools": "Amass, bbot, ffuf, gowitness, Subfinder"
45
+ },
46
+ {
47
+ "key": "webpage_comments_and_metadata",
48
+ "title": "Review Webpage Comments and Metadata for Information Leakage",
49
+ "caption": "OTG-INFO-005, WAHHM - Recon and Analysis",
50
+ "description": "Analyze HTML and JavaScript for leaked API keys, credentials, or endpoints.",
51
+ "tools": "Browser, GitDorker, LinkFinder, TruffleHog",
52
+ "vrt_category": "sensitive_data_exposure"
53
+ },
54
+ {
55
+ "key": "application_entry_points",
56
+ "title": "Identify application entry points",
57
+ "caption": "OTG-INFO-006, WAHHM - Recon and Analysis",
58
+ "description": "Identify forms, APIs, or parameters for injection or logic vulnerabilities.",
59
+ "tools": "Arjun, Burp Suite (Param-miner), kiterunner"
60
+ },
61
+ {
62
+ "key": "execution_paths",
63
+ "title": "Map execution paths through application",
64
+ "caption": "OTG-INFO-007, WAHHM - Recon and Analysis",
65
+ "description": "Map application workflows to uncover hidden or unprotected routes.",
66
+ "tools": "Burp Suite, ffuf, Interlace, nuclei"
67
+ },
68
+ {
69
+ "key": "fingerprint_webapp_framework",
70
+ "title": "Fingerprint Web Application Framework",
71
+ "caption": "OTG-INFO-008, WAHHM - Recon and Analysis",
72
+ "description": "Identify the web application framework or CMS by examining HTTP headers, cookies, source code, and specific file/folder structures for characteristic indicators.",
73
+ "tools": "BuiltWith, Burp Suite, httpx, Wappalyzer"
74
+ },
75
+ {
76
+ "key": "fingerprint_webapp",
77
+ "title": "Fingerprint Web Application",
78
+ "caption": "OTG-INFO-009, WAHHM - Recon and Analysis",
79
+ "description": "Identify the web application and version to determine known vulnerabilities and the appropriate exploits.",
80
+ "tools": "Nuclei, httpx, Wappalyzer"
81
+ },
82
+ {
83
+ "key": "application_architecture",
84
+ "title": "Map Application Architecture",
85
+ "caption": "OTG-INFO-010, WAHHM - Recon and Analysis",
86
+ "description": "Identify application architecture including Web language, WAF, Reverse proxy, Application Server, Backend Database",
87
+ "tools": "Censys, httpx, Shodan, wafw00f, Wappalyzer"
88
+ }
89
+ ]
90
+ },
91
+ {
92
+ "key": "config_and_deploy_management",
93
+ "title": "Configuration and Deploy Management Testing",
94
+ "description": "",
95
+ "type": "checklist",
96
+ "items": [
97
+ {
98
+ "key": "network_and_infrastructure",
99
+ "title": "Test Network/Infrastructure Configuration",
100
+ "caption": "OTG-CONFIG-001, WAHHM - Recon and Analysis, Assess Application Hosting",
101
+ "description": "Assess infrastructure interactions and configuration management for software, backend DB servers, WebDAV, and FTP to uncover known vulnerabilities.",
102
+ "tools": "naabu, Nessus, Nmap, RustScan",
103
+ "vrt_category": "server_security_misconfiguration"
104
+ },
105
+ {
106
+ "key": "application_platform",
107
+ "title": "Test Application Platform Configuration",
108
+ "caption": "OTG-CONFIG-002, WAHHM - Recon and Analysis",
109
+ "description": "Testing application platform configuration involves identifying default installation paths, handling server errors, enforcing minimal privileges, and managing software logging.",
110
+ "tools": "Browser, ffuf, Nuclei",
111
+ "vrt_category": "server_security_misconfiguration"
112
+ },
113
+ {
114
+ "key": "file_extensions_handling",
115
+ "title": "Test File Extensions Handling for Sensitive Information",
116
+ "caption": "OTG-CONFIG-003, WAHHM - Recon and Analysis",
117
+ "description": "Locate crucial files and information with the following extensions: .asa, .inc, .sql, .zip, .tar, .pdf, .txt, and others.",
118
+ "tools": "Browser, ffuf",
119
+ "vrt_category": "sensitive_data_exposure"
120
+ },
121
+ {
122
+ "key": "backup_and_unreferenced_files",
123
+ "title": "Backup and Unreferenced Files for Sensitive Information",
124
+ "caption": "OTG-CONFIG-004, WAHHM - Recon and Analysis",
125
+ "description": "Examine JavaScript code, comments, cache, and backup files (.old, .bak, .inc, .src). Utilize filename guessing to discover additional files.",
126
+ "tools": "Browser, ffuf, gau, LinkFinder",
127
+ "vrt_category": "sensitive_data_exposure"
128
+ },
129
+ {
130
+ "key": "admin_interfaces",
131
+ "title": "Enumerate Infrastructure and Application Admin Interfaces",
132
+ "caption": "OTG-CONFIG-005, WAHHM - Recon and Analysis",
133
+ "description": "Perform directory and file enumeration. Extract comments and links from source code, specifically looking for administrative interfaces (e.g., /admin, /administrator, /backoffice, /backend). Investigate alternative server ports, such as Tomcat running on port 8080.",
134
+ "tools": "Burp Suite, ffuf, gau, kiterunner, LinkFinder"
135
+ },
136
+ {
137
+ "key": "http_methods",
138
+ "title": "Test HTTP Methods",
139
+ "caption": "OTG-CONFIG-006, WAHHM - Test Handling of Access",
140
+ "description": "Probe risky HTTP methods (e.g., OPTIONS, TRACE, PUT) for unauthorized access.",
141
+ "tools": "Burp Suite, curl, ffuf",
142
+ "vrt_category": "server_security_misconfiguration"
143
+ },
144
+ {
145
+ "key": "http_transport_security",
146
+ "title": "Test HTTP Strict Transport Security",
147
+ "caption": "OTG-CONFIG-007, WAHHM - Test Handling of Access",
148
+ "description": "Check the HTTP response headers from the web server to identify the presence and details of the Strict-Transport-Security (HSTS) header.",
149
+ "tools": "Browser, Burp Suite, curl",
150
+ "vrt_category": "server_security_misconfiguration"
151
+ },
152
+ {
153
+ "key": "ria_cross_domain_policy",
154
+ "title": "Test RIA cross domain policy",
155
+ "caption": "OTG-CONFIG-008, WAHHM - Test Handling of Access",
156
+ "description": "Test crossdomain.xml and clientaccesspolicy.xml for permissive data access.",
157
+ "tools": "Burp Suite, curl, wget",
158
+ "vrt_category": "server_security_misconfiguration"
159
+ },
160
+ {
161
+ "key": "test_for_subdomain_takeover",
162
+ "title": "Test for Subdomain Takeover",
163
+ "caption": "OTG-CONFIG-010",
164
+ "description": "Exploit dangling DNS records for subdomain takeover.",
165
+ "tools": "Amass, bbot, dig, gowitness, subfinder",
166
+ "vrt_category": "server_security_misconfiguration"
167
+ },
168
+ {
169
+ "key": "test_cloud_storage",
170
+ "title": "Test Cloud Storage",
171
+ "caption": "OTG-CONFIG-011",
172
+ "description": "Check AWS S3 buckets, GCP Cloud Storage, and Azure Blob Storage for public data exposure.",
173
+ "tools": "awscli, Azure CLI, CloudFox, GCPBucketBrute, s3recon",
174
+ "vrt_category": "server_security_misconfiguration"
175
+ },
176
+ {
177
+ "key": "web_cache_deception",
178
+ "title": "Web Cache Deception",
179
+ "caption": "",
180
+ "description": "Cache sensitive pages as public resources via path manipulation.",
181
+ "tools": "Browser, Burp Suite (Param-miner), curl",
182
+ "vrt_category": "server_security_misconfiguration"
183
+ },
184
+ {
185
+ "key": "web_cache_poisoning",
186
+ "title": "Web Cache Poisoning",
187
+ "caption": "",
188
+ "description": "Poison CDN or service worker cache with malicious content.",
189
+ "tools": "Browser, Burp Suite (Param-miner), curl",
190
+ "vrt_category": "server_security_misconfiguration"
191
+ },
192
+ {
193
+ "key": "content_security_policy",
194
+ "title": "Testing Content Security Policy (CSP)",
195
+ "caption": "",
196
+ "description": "Assess the implementation of the Content Security Policy to ensure it effectively mitigates risks of cross-site scripting (XSS) and data injection attacks.",
197
+ "tools": "Burp Suite, CSP Evaluator, ZAP",
198
+ "vrt_category": "server_security_misconfiguration"
199
+ }
200
+ ]
201
+ },
202
+ {
203
+ "key": "identity_management",
204
+ "title": "Identity Management Testing",
205
+ "description": "",
206
+ "type": "checklist",
207
+ "items": [
208
+ {
209
+ "key": "role_definition",
210
+ "title": "Test Role Definitions",
211
+ "caption": "OTG-IDENT-001, WAHHM - Test Handling of Access",
212
+ "description": "Validate the system roles defined within the application by creating a permission matrix.",
213
+ "tools": "Browser, Burp Suite, ZAP",
214
+ "vrt_category": "broken_access_control"
215
+ },
216
+ {
217
+ "key": "user_registration",
218
+ "title": "Test User Registration Process",
219
+ "caption": "OTG-IDENT-002, WAHHM - Test Handling of Access",
220
+ "description": "Verify that the identity requirements for user registration are aligned with business and security requirements",
221
+ "tools": "Browser, Burp Suite, ZAP",
222
+ "vrt_category": "server_security_misconfiguration"
223
+ },
224
+ {
225
+ "key": "account_provisioning",
226
+ "title": "Test Account Provisioning Process",
227
+ "caption": "OTG-IDENT-003, WAHHM - Test Handling of Access",
228
+ "description": "Identify the roles with user provisioning capabilities and the permissible scope of the accounts they can provision.",
229
+ "tools": "Browser, Burp Suite, ZAP"
230
+ },
231
+ {
232
+ "key": "guessable_user_accounts",
233
+ "title": "Testing for Account Enumeration and Guessable User Account",
234
+ "caption": "OTG-IDENT-004, WAHHM - Test Handling of Access",
235
+ "description": "Check login and forgot password mechanisms for generic error leakage and return code vulnerabilities, and attempt to enumerate valid users through direct methods or timing exploits.",
236
+ "tools": "Browser, Burp Suite, ZAP",
237
+ "vrt_category": "server_security_misconfiguration"
238
+ },
239
+ {
240
+ "key": "username_policy",
241
+ "title": "Testing for Weak or unenforced username policy",
242
+ "caption": "OTG-IDENT-005, WAHHM - Test Handling of Access",
243
+ "description": "User account naming conventions often follow predictable patterns (e.g., initials and last name), making valid account names easily guessable.",
244
+ "tools": "Browser, Burp Suite, ZAP",
245
+ "vrt_category": "server_security_misconfiguration"
246
+ },
247
+ {
248
+ "key": "guest_accounts_permission",
249
+ "title": "Test Permissions of Guest/Training Accounts",
250
+ "caption": "OTG-IDENT-006, WAHHM - Test Handling of Access",
251
+ "description": "Evaluate if guest and training account access permissions consistently align with the defined access policy.",
252
+ "tools": "Browser, Burp Suite, ZAP",
253
+ "vrt_category": "server_security_misconfiguration"
254
+ },
255
+ {
256
+ "key": "account_suspension_resumption",
257
+ "title": "Test Account Suspension/Resumption Process",
258
+ "caption": "OTG-IDENT-007, WAHHM - Test Handling of Access",
259
+ "description": "Verify the alignment of user registration identity requirements with business and security needs, and subsequently validate the entire registration process.",
260
+ "tools": "Browser, Burp Suite, ZAP",
261
+ "vrt_category": "server_security_misconfiguration"
262
+ }
263
+ ]
264
+ },
265
+ {
266
+ "key": "authentication",
267
+ "title": "Authentication Testing",
268
+ "description": "",
269
+ "type": "checklist",
270
+ "items": [
271
+ {
272
+ "key": "encrypted_credentials",
273
+ "title": "Testing for Credentials Transported over an Encrypted Channel",
274
+ "caption": "OTG-AUTHN-001, WAHHM - Miscellaneous Tests",
275
+ "description": "Check the referrer whether it’s HTTP or HTTPs. Sending data through HTTP and HTTPS.",
276
+ "tools": "Burp Suite, ZAP",
277
+ "vrt_category": "broken_authentication_and_session_management"
278
+ },
279
+ {
280
+ "key": "default_credentials",
281
+ "title": "Testing for default credentials",
282
+ "caption": "OTG-AUTHN-002, WAHHM - Test Handling of Access",
283
+ "description": "Test for default credentials in common applications and default passwords assigned to new accounts.",
284
+ "tools": "Browser, Burp Suite, ZAP, Hydra",
285
+ "vrt_category": "server_security_misconfiguration"
286
+ },
287
+ {
288
+ "key": "lock_out_mechanism",
289
+ "title": "Testing for Weak Lockout Mechanism",
290
+ "caption": "OTG-AUTHN-003, WAHHM - Test Handling of Access",
291
+ "description": "Evaluate the strength of the account lockout against password guessing and the security of the account unlock process.",
292
+ "tools": "Browser, Burp Suite, ZAP, Hydra",
293
+ "vrt_category": "server_security_misconfiguration"
294
+ },
295
+ {
296
+ "key": "bypass_schema",
297
+ "title": "Testing for bypassing authentication schema",
298
+ "caption": "OTG-AUTHN-004, WAHHM - Test Handling of Access",
299
+ "description": "Force browsing (/admin/main.php, /page.asp?authenticated=yes), Parameter Modification, Session ID prediction, SQL Injection",
300
+ "tools": "Arjun, Browser, Burp Suite, kiterunner, Param-miner, ZAP",
301
+ "vrt_category": "broken_authentication_and_session_management"
302
+ },
303
+ {
304
+ "key": "remember_password",
305
+ "title": "Test remember password functionality",
306
+ "caption": "OTG-AUTHN-005, WAHHM - Test Handling of Access",
307
+ "description": "Check application cookies for password storage (ensuring they are not in plaintext but hashed) and verify the autocomplete=off attribute on password fields.",
308
+ "tools": "Browser, Burp Suite, ZAP",
309
+ "vrt_category": "broken_authentication_and_session_management"
310
+ },
311
+ {
312
+ "key": "browser_cache",
313
+ "title": "Testing for Browser cache weakness",
314
+ "caption": "OTG-AUTHN-006, WAHHM - Miscellaneous Tests",
315
+ "description": "Test for browser history vulnerabilities after logout and examine HTTP response headers for proper cache control directives (e.g., Cache-Control: no-cache)",
316
+ "tools": "Browser, Burp Suite, ZAP, Firefox add-on CacheViewer2",
317
+ "vrt_category": "server_security_misconfiguration"
318
+ },
319
+ {
320
+ "key": "password_policy",
321
+ "title": "Testing for Weak password policy",
322
+ "caption": "OTG-AUTHN-007, WAHHM - Test Handling of Access",
323
+ "description": "Assess the application's resistance to dictionary-based brute-force attacks by evaluating password length, complexity, reuse restrictions, and aging requirements.",
324
+ "tools": "Browser, Burp Suite, ZAP, Hydra",
325
+ "vrt_category": "insufficient_security_configurability"
326
+ },
327
+ {
328
+ "key": "security_question",
329
+ "title": "Testing for Weak security question/answer",
330
+ "caption": "OTG-AUTHN-008, WAHHM - Test Handling of Access",
331
+ "description": "Test password reset questions for inherent weakness (pre-generated, self-generated) and susceptibility to brute-force attacks due to unlimited attempts.",
332
+ "tools": "Browser, Burp Suite, ZAP",
333
+ "vrt_category": "broken_authentication_and_session_management"
334
+ },
335
+ {
336
+ "key": "change_password",
337
+ "title": "Testing for weak password change or reset functionalities",
338
+ "caption": "OTG-AUTHN-009, WAHHM - Test Handling of Access",
339
+ "description": "Test password reset for plaintext password display, insecure email transmission, and missing random tokens, and assess password change for old password requirement and CSRF vulnerability.",
340
+ "tools": "Browser, Burp Suite, ZAP",
341
+ "vrt_category": "broken_authentication_and_session_management"
342
+ },
343
+ {
344
+ "key": "alternative_channel",
345
+ "title": "Testing for Weaker authentication in alternative channel",
346
+ "caption": "OTG-AUTHN-010, WAHHM - Test Handling of Access",
347
+ "description": "Understand the primary mechanism and Identify other channels (Mobile App, Call center, SSO)",
348
+ "tools": "Browser, Burp Suite, ZAP"
349
+ },
350
+ {
351
+ "key": "single_sign_on_misconfigurations",
352
+ "title": "Single Sign-On Misconfigurations",
353
+ "caption": "",
354
+ "description": "Exploit OAuth or OpenID Connect flaws (e.g., redirect URI tampering)",
355
+ "tools": "Browser, Burp Suite, ZAP"
356
+ },
357
+ {
358
+ "key": "testing_for_mfa",
359
+ "title": "Testing for 2FA/MFA",
360
+ "caption": "",
361
+ "description": "Attempt to bypass the implemented two-factor authentication to identify potential weaknesses.",
362
+ "tools": "Browser, Burp Suite, ZAP"
363
+ },
364
+ {
365
+ "key": "testing_for_password_reset_token",
366
+ "title": "Testing for Password Reset Token Exposure to Third-Party Domains",
367
+ "caption": "",
368
+ "description": "Check if password reset tokens are exposed to third-party domains via referrer headers or other methods.",
369
+ "tools": "Browser, Burp Suite, ZAP"
370
+ },
371
+ {
372
+ "key": "testing_for_reusable_password_reset_token",
373
+ "title": "Testing for Reusable Password Reset Tokens",
374
+ "caption": "",
375
+ "description": "Determine if password reset tokens can be used multiple times.",
376
+ "tools": "Browser, Burp Suite, ZAP"
377
+ }
378
+ ]
379
+ },
380
+ {
381
+ "key": "authorization",
382
+ "title": "Authorization Testing",
383
+ "description": "",
384
+ "type": "checklist",
385
+ "items": [
386
+ {
387
+ "key": "directory_traversal_and_file_include",
388
+ "title": "Testing Directory traversal/file include",
389
+ "caption": "OTG-AUTHZ-001, WAHHM - Test Handling of Input",
390
+ "description": "Test for Dot-Dot-Slash (../), Directory Traversal, Local File Inclusion (LFI), and Remote File Inclusion (RFI) vulnerabilities.",
391
+ "tools": "Arjun, Burp Suite, ffuf, Param-miner, Wfuzz, ZAP",
392
+ "vrt_category": "server_side_injection"
393
+ },
394
+ {
395
+ "key": "bypass_schema",
396
+ "title": "Testing for bypassing authorization schema",
397
+ "caption": "OTG-AUTHZ-002, WAHHM - Test Handling of Access",
398
+ "description": "Test for the ability to access resources without authentication, bypass Access Control Lists (ACLs), and perform forceful browsing to restricted areas (e.g., /admin/adduser.jsp)",
399
+ "tools": "Burp Suite (Authorize), ZAP",
400
+ "vrt_category": "broken_access_control"
401
+ },
402
+ {
403
+ "key": "privilege_escalation",
404
+ "title": "Testing for Privilege Escalation",
405
+ "caption": "OTG-AUTHZ-003, WAHHM - Test Handling of Access",
406
+ "description": "Escalate privileges via parameter tampering or logic flaws.",
407
+ "tools": "Burp Suite (Authorize), ZAP",
408
+ "vrt_category": "broken_authentication_and_session_management"
409
+ },
410
+ {
411
+ "key": "direct_object_reference",
412
+ "title": "Testing for Insecure Direct Object References",
413
+ "caption": "OTG-AUTHZ-004, WAHHM - Test Handling of Access",
414
+ "description": "Access objects by manipulating identifiers (e.g., user IDs)",
415
+ "tools": "Burp Suite (Authorize), ZAP",
416
+ "vrt_category": "broken_access_control"
417
+ }
418
+ ]
419
+ },
420
+ {
421
+ "key": "session_management",
422
+ "title": "Session Management Testing",
423
+ "description": "",
424
+ "type": "checklist",
425
+ "items": [
426
+ {
427
+ "key": "bypass_schema",
428
+ "title": "Testing for Bypassing Session Management Schema",
429
+ "caption": "OTG-SESS-001, WAHHM - Test Handling of Access",
430
+ "description": "Predictable SessionIDs transmitted without encryption expose a vulnerability to interception and potential brute-force attacks, leading to authentication bypass.",
431
+ "tools": "Browser, Burp Suite, ZAP",
432
+ "vrt_category": "broken_authentication_and_session_management"
433
+ },
434
+ {
435
+ "key": "cookies",
436
+ "title": "Testing for Cookies attributes",
437
+ "caption": "OTG-SESS-002, WAHHM - Test Handling of Access",
438
+ "description": "Check HTTPOnly and Secure flag expiration, inspect for sensitive data.",
439
+ "tools": "Browser, Burp Suite, ZAP",
440
+ "vrt_category": "server_security_misconfiguration"
441
+ },
442
+ {
443
+ "key": "fixation",
444
+ "title": "Testing for Session Fixation",
445
+ "caption": "OTG-SESS-003, WAHHM - Test Handling of Access",
446
+ "description": "The application doesn't renew the cookie after a successful user authentication.",
447
+ "tools": "Burp Suite, ZAP",
448
+ "vrt_category": "broken_authentication_and_session_management"
449
+ },
450
+ {
451
+ "key": "exposed_variables",
452
+ "title": "Testing for Exposed Session Variables",
453
+ "caption": "OTG-SESS-004, WAHHM - Test Handling of Access",
454
+ "description": "Unencrypted and reused session tokens sent via GET requests expose sessions to easy interception and hijacking.",
455
+ "tools": "Burp Suite, ZAP",
456
+ "vrt_category": "broken_authentication_and_session_management"
457
+ },
458
+ {
459
+ "key": "csrf",
460
+ "title": "Testing for Cross Site Request Forgery",
461
+ "caption": "OTG-SESS-005, WAHHM - Test Handling of Access",
462
+ "description": "Predictable URLs combined with missing CSRF tokens allow attackers to directly trigger actions on behalf of logged-in users.",
463
+ "tools": "Burp Suite, ZAP",
464
+ "vrt_category": "cross_site_request_forgery_csrf"
465
+ },
466
+ {
467
+ "key": "logout",
468
+ "title": "Testing for logout functionality",
469
+ "caption": "OTG-SESS-006, WAHHM - Test Handling of Access",
470
+ "description": "Verify session invalidation server-side and across SSO after logout to prevent reuse.",
471
+ "tools": "Burp Suite, ZAP",
472
+ "vrt_category": "broken_authentication_and_session_management"
473
+ },
474
+ {
475
+ "key": "timeout",
476
+ "title": "Test Session Timeout",
477
+ "caption": "OTG-SESS-007, WAHHM - Test Handling of Access",
478
+ "description": "Check session timeout, after the timeout has passed, all session tokens should be destroyed or be unusable.",
479
+ "tools": "Burp Suite, ZAP",
480
+ "vrt_category": "broken_authentication_and_session_management"
481
+ },
482
+ {
483
+ "key": "puzzling",
484
+ "title": "Testing for Session puzzling",
485
+ "caption": "OTG-SESS-008, WAHHM - Test Handling of Access",
486
+ "description": "Reusing session variables for multiple purposes allows attackers to manipulate application flow by accessing pages in unintended sequences.",
487
+ "tools": "Burp Proxy, ZAP",
488
+ "vrt_category": "broken_authentication_and_session_management"
489
+ },
490
+ {
491
+ "key": "concurrent",
492
+ "title": "Test for Concurrent Sessions",
493
+ "caption": "",
494
+ "description": "Check how the application manages multiple active sessions for the same account. Ensure it prevents risks like session hijacking and improper session handling.",
495
+ "tools": "Browser, Burp Suite, ZAP",
496
+ "vrt_category": "broken_authentication_and_session_management"
497
+ },
498
+ {
499
+ "key": "permission",
500
+ "title": "Test for Session Validity After Permission Change",
501
+ "caption": "",
502
+ "description": "Check if sessions remain valid when user permissions are changed.",
503
+ "tools": "Browser, Burp Suite, ZAP",
504
+ "vrt_category": "broken_authentication_and_session_management"
505
+ },
506
+ {
507
+ "key": "json_web_token",
508
+ "title": "JSON Web Token (JWT) Attacks",
509
+ "caption": "",
510
+ "description": "Check the security of JWTs by ensuring strong signing algorithms, preventing tampering, and protecting sensitive data. Verify secure transmission, token expiration, and revocation practices.",
511
+ "tools": "Burp Suite, jwt_tool, jwtXploiter, ZAP",
512
+ "vrt_category": "broken_authentication_and_session_management"
513
+ }
514
+ ]
515
+ },
516
+ {
517
+ "key": "data_validation",
518
+ "title": "Data Validation Testing",
519
+ "description": "",
520
+ "type": "checklist",
521
+ "items": [
522
+ {
523
+ "key": "reflected_xss",
524
+ "title": "Testing for Reflected Cross Site Scripting",
525
+ "caption": "OTG-INPVAL-001, WAHHM - Test Handling of Input",
526
+ "description": "Bypass input validation and leverage HTTP Parameter Pollution to inject XSS payloads, circumventing standard XSS detection vectors.",
527
+ "tools": "Arjun, Burp Suite (Param-miner), ZAP"
528
+ },
529
+ {
530
+ "key": "stored_xss",
531
+ "title": "Testing for Stored Cross Site Scripting",
532
+ "caption": "OTG-INPVAL-002, WAHHM - Test Handling of Input",
533
+ "description": "Identify and exploit persistent cross-site scripting vectors within input handling and HTML rendering to achieve arbitrary JavaScript execution across multiple authenticated user contexts.",
534
+ "tools": "Burp Suite, XSSer, ZAP",
535
+ "vrt_category": "cross_site_scripting_xss"
536
+ },
537
+ {
538
+ "key": "http_verb_tampering",
539
+ "title": "Testing for HTTP Verb Tampering",
540
+ "caption": "OTG-INPVAL-003, WAHHM - Test Handling of Input",
541
+ "description": "Forge non-standard HTTP requests to probe and circumvent URL-based authentication and authorization mechanisms.",
542
+ "tools": "Burp Suite, HTTPie, httpx, ZAP",
543
+ "vrt_category": "server_security_misconfiguration"
544
+ },
545
+ {
546
+ "key": "http_param_pollution",
547
+ "title": "Testing for HTTP Parameter pollution",
548
+ "caption": "OTG-INPVAL-004, WAHHM - Test Handling of Input",
549
+ "description": "Identify bypasses in input validation and filtering mechanisms via HTTP Parameter Pollution (HPP) to inject malicious payloads through user-supplied data.",
550
+ "tools": "Arjun, Burp Suite (Param-miner), ZAP",
551
+ "vrt_category": "server_side_injection"
552
+ },
553
+ {
554
+ "key": "sql_injection",
555
+ "title": "Testing for SQL Injection",
556
+ "caption": "OTG-INPVAL-005, WAHHM - Test Handling of Input",
557
+ "description": "Identify and exploit SQL injection vulnerabilities (Union, Boolean, Error-based, Out-of-band, Time-delay) to achieve unauthorized database access and data manipulation.",
558
+ "tools": "Burp Proxy (SQLipy), SQLMap",
559
+ "vrt_category": "server_side_injection"
560
+ },
561
+ {
562
+ "key": "oracle",
563
+ "title": "Testing for Oracle",
564
+ "caption": "",
565
+ "description": "Discover PL/SQL web application endpoints, leverage PL/SQL packages for access, bypass exclusion mechanisms, and exploit SQL injection vulnerabilities.",
566
+ "tools": "SQLMap"
567
+ },
568
+ {
569
+ "key": "mysql",
570
+ "title": "Testing for MySQL",
571
+ "caption": "",
572
+ "description": "Identify target MySQL version and leverage single quote injection via information_schema to achieve arbitrary file read/write capabilities.",
573
+ "tools": "SQLMap"
574
+ },
575
+ {
576
+ "key": "sql_server",
577
+ "title": "Testing for SQL Server",
578
+ "caption": "",
579
+ "description": "Leverage comment operators, query separators, and stored procedures (like xp_cmdshell) to inject and execute arbitrary commands within the database.",
580
+ "tools": "SQLMap"
581
+ },
582
+ {
583
+ "key": "postgre_sql",
584
+ "title": "Testing PostgreSQL",
585
+ "caption": "",
586
+ "description": "Determine that the backend database engine is PostgreSQL by using the :: cast operator. Read/Write file, Shell Injection (OS command)",
587
+ "tools": "SQLMap"
588
+ },
589
+ {
590
+ "key": "ms_access",
591
+ "title": "Testing for MS Access",
592
+ "caption": "",
593
+ "description": "Exploit error-based SQL injection (via GROUP BY) to enumerate database columns and extract schema information using targeted fuzzing lists.",
594
+ "tools": "SQLMap"
595
+ },
596
+ {
597
+ "key": "nosql_injection",
598
+ "title": "Testing for NoSQL injection",
599
+ "caption": "",
600
+ "description": "Identify NoSQL database vulnerabilities by injecting special characters (' \" \\ ; { } ) and reserved keywords to manipulate query logic and potentially gain unauthorized access.",
601
+ "tools": "NoSQLMap"
602
+ },
603
+ {
604
+ "key": "ldap_injection",
605
+ "title": "Testing for LDAP Injection",
606
+ "caption": "OTG-INPVAL-006, WAHHM - Test Handling of Input",
607
+ "description": "Actively examining LDAP endpoints using specialized inputs to detect exploitable injection flaws that could lead to unauthorized data exposure or manipulation.",
608
+ "tools": "Burp Suite, ZAP",
609
+ "vrt_category": "server_side_injection"
610
+ },
611
+ {
612
+ "key": "orm_injection",
613
+ "title": "Testing for ORM Injection",
614
+ "caption": "OTG-INPVAL-007, WAHHM - Test Handling of Input",
615
+ "description": "Analyze application data flow to detect injection points where crafted input can alter ORM-generated queries, enabling unintended database interactions.",
616
+ "tools": "SQLMap",
617
+ "vrt_category": "server_side_injection"
618
+ },
619
+ {
620
+ "key": "xml_injection",
621
+ "title": "Testing for XML Injection",
622
+ "caption": "OTG-INPVAL-008, WAHHM - Test Handling of Input",
623
+ "description": "Analyze XML parsing mechanisms for vulnerabilities where maliciously structured XML input can be injected to manipulate application logic or extract sensitive data.",
624
+ "tools": "Burp Suite, oxml_xxe, XXEinjector, ZAP",
625
+ "vrt_category": "server_side_injection"
626
+ },
627
+ {
628
+ "key": "ssi_injection",
629
+ "title": "Testing for SSI Injection",
630
+ "caption": "OTG-INPVAL-009, WAHHM - Test Handling of Input",
631
+ "description": "Examine .shtml resources for server-side include processing flaws that allow the injection of control characters and directives to achieve arbitrary code execution or sensitive file access on the server.",
632
+ "tools": "Burp Proxy, ZAP",
633
+ "vrt_category": "server_side_injection"
634
+ },
635
+ {
636
+ "key": "xpath_injection",
637
+ "title": "Testing for XPath Injection",
638
+ "caption": "OTG-INPVAL-010, WAHHM - Test Handling of Input",
639
+ "description": "Analyze XML path processing for vulnerabilities where crafted input, such as single quotes and logical OR conditions (e.g., ' or '1'='1), can be injected to induce errors revealing underlying structure or bypass authentication logic.",
640
+ "tools": "Burp Suite, ReadyAPI, ZAP",
641
+ "vrt_category": "server_side_injection"
642
+ },
643
+ {
644
+ "key": "imap_smtp_injection",
645
+ "title": "Testing for IMAP/SMTP Injection",
646
+ "caption": "OTG-INPVAL-011, WAHHM - Test Handling of Input",
647
+ "description": "Analyze mail client data handling for vulnerabilities where crafted input with special characters can be injected into IMAP/SMTP commands (headers, body, footer), potentially leading to unintended mail server actions or information disclosure.",
648
+ "tools": "Burp Suite, netcat, nmap IMAP/SMTP NSE script, ZAP",
649
+ "vrt_category": "server_side_injection"
650
+ },
651
+ {
652
+ "key": "code_injection",
653
+ "title": "Testing for Code Injection",
654
+ "caption": "OTG-INPVAL-012, WAHHM - Test Handling of Input",
655
+ "description": "Analyze input fields for vulnerabilities where the injection of OS commands (e.g., ; system('id')) can lead to arbitrary command execution on the underlying system.",
656
+ "tools": "Arjun, Burp Suite (Param-miner), Liffy, ZAP",
657
+ "vrt_category": "server_side_injection"
658
+ },
659
+ {
660
+ "key": "local_file_inclusion",
661
+ "title": "Testing for Local File Inclusion",
662
+ "caption": "",
663
+ "description": "Analyze application file handling for vulnerabilities where manipulated input with dot-dot-slash sequences (../../) or PHP wrappers (php://filter) can be used to access sensitive local files.",
664
+ "tools": "Arjun, Burp Suite (Param-miner), Liffy, ZAP"
665
+ },
666
+ {
667
+ "key": "remote_file_inclusion",
668
+ "title": "Testing for Remote File Inclusion",
669
+ "caption": "",
670
+ "description": "Analyze web applications for vulnerabilities where external URLs provided as parameters (e.g., ?file=http://attacker.com/malicious_page) can be included and executed by the server, leading to arbitrary code execution or data compromise.",
671
+ "tools": "Arjun, Burp Suite (Param-miner), Liffy, ZAP"
672
+ },
673
+ {
674
+ "key": "command_injection",
675
+ "title": "Testing for Command Injection",
676
+ "caption": "OTG-INPVAL-013, WAHHM - Test Handling of Input",
677
+ "description": "Analyze application input handling to identify vulnerabilities where crafted payloads leveraging OS-specific syntax (e.g., ``;,|+`) can be injected to execute arbitrary operating system commands on the underlying server.",
678
+ "tools": "Burp Suite, ZAP",
679
+ "vrt_category": "server_side_injection"
680
+ },
681
+ {
682
+ "key": "buffer_overflow",
683
+ "title": "Testing for Buffer overflow",
684
+ "caption": "OTG-INPVAL-014, WAHHM - Test Handling of Input",
685
+ "description": "Testing for heap overflow vulnerability\nTesting for stack overflow vulnerability\nTesting for format string vulnerability",
686
+ "tools": "Burp Suite, Radamsa, wfuzz, ZAP",
687
+ "vrt_category": "server_side_injection"
688
+ },
689
+ {
690
+ "key": "heap_overflow",
691
+ "title": "Testing for Heap overflow",
692
+ "caption": "",
693
+ "description": "Examining dynamic memory allocation to detect if writing beyond allocated heap buffers can corrupt data structures, potentially enabling arbitrary code execution.",
694
+ "tools": "Burp Suite, Radamsa, wfuzz, ZAP"
695
+ },
696
+ {
697
+ "key": "stack_overflow",
698
+ "title": "Testing for Stack overflow",
699
+ "caption": "",
700
+ "description": "Investigating function call mechanisms to find if excessive data written to the stack can overwrite return addresses or local variables, potentially leading to control-flow redirection.",
701
+ "tools": "Burp Suite, Radamsa, wfuzz, ZAP"
702
+ },
703
+ {
704
+ "key": "format_string",
705
+ "title": "Testing for Format string",
706
+ "caption": "",
707
+ "description": "Probing input handling with format specifiers to determine if attacker-controlled strings can be used to read from or write to arbitrary memory locations.",
708
+ "tools": "Burp Suite, Radamsa, wfuzz, ZAP"
709
+ },
710
+ {
711
+ "key": "incubated_vulnerabilities",
712
+ "title": "Testing for Incubated Vulnerabilities",
713
+ "caption": "OTG-INPVAL-015, WAHHM - Test Handling of Input",
714
+ "description": "Analyze application components (file upload, data handling, server configurations) for latent vulnerabilities like Stored XSS and SQL/XPath Injection, and identifying misconfigurations that could be exploited over time.",
715
+ "tools": "Burp Suite, ZAP",
716
+ "vrt_category": "server_security_misconfiguration"
717
+ },
718
+ {
719
+ "key": "http_response_splitting",
720
+ "title": "Testing for HTTP Response Splitting",
721
+ "caption": "OTG-INPVAL-016, WAHHM - Test Handling of Input",
722
+ "description": "Analyze HTTP header handling for vulnerabilities allowing the injection of CRLF sequences (%0d%0a) to manipulate server responses and potentially conduct cross-user attacks.",
723
+ "tools": "Burp Suite, netcat, ZAP",
724
+ "vrt_category": "server_side_injection"
725
+ },
726
+ {
727
+ "key": "http_request_smuggling",
728
+ "title": "Testing for HTTP Request Smuggling",
729
+ "caption": "OTG-INPVAL-016, WAHHM - Test Handling of Input",
730
+ "description": "Analyze backend HTTP processing for discrepancies in request parsing that allow the injection and misrouting of subsequent requests.",
731
+ "tools": "Burp Suite, netcat, ZAP",
732
+ "vrt_category": "server_side_injection"
733
+ },
734
+ {
735
+ "key": "host_header_injection",
736
+ "title": "Testing for Host Header Injection",
737
+ "caption": "OTG-INPVAL-017",
738
+ "description": "Analyze application handling of the Host header for vulnerabilities allowing manipulation to conduct actions like cache poisoning or redirect users to malicious sites.",
739
+ "tools": "Burp Suite, curl, ZAP",
740
+ "vrt_category": "server_security_misconfiguration"
741
+ },
742
+ {
743
+ "key": "server_side_template_injection",
744
+ "title": "Testing for Server-side Template Injection",
745
+ "caption": "OTG-INPVAL-018",
746
+ "description": "Analyze server-side template rendering for vulnerabilities allowing injection of malicious code within template syntax to achieve remote code execution or data exfiltration.",
747
+ "tools": "Burp Suite, ZAP",
748
+ "vrt_category": "server_security_misconfiguration"
749
+ },
750
+ {
751
+ "key": "server_side_request_forgery",
752
+ "title": "Testing for Server-Side Request Forgery",
753
+ "caption": "OTG-INPVAL-019",
754
+ "description": "Probe application functionality that handles external URLs to identify vulnerabilities allowing unauthorized server-initiated requests.",
755
+ "tools": "Burp Suite, interactsh, SSRFmap",
756
+ "vrt_category": "server_security_misconfiguration"
757
+ },
758
+ {
759
+ "key": "insecure_deserialization",
760
+ "title": "Testing for Insecure Deserialization",
761
+ "caption": "",
762
+ "description": "Analyze application endpoints that deserialize data for vulnerabilities allowing manipulation of serialized objects to achieve arbitrary code execution or other malicious outcomes.",
763
+ "tools": "Burp Suite, ysoserial, ZAP",
764
+ "vrt_category": "server_security_misconfiguration"
765
+ },
766
+ {
767
+ "key": "testing_for_graphql",
768
+ "title": "Testing for GraphQL",
769
+ "caption": "",
770
+ "description": "Assess GraphQL implementations for vulnerabilities related to introspection, denial-of-service via complex queries, and insecure field access.",
771
+ "tools": "Burp Suite (GraphQL Raider), graphql-cop, GraphQLmap, InQL",
772
+ "vrt_category": "server_security_misconfiguration"
773
+ }
774
+ ]
775
+ },
776
+ {
777
+ "key": "error_handling",
778
+ "title": "Error handling",
779
+ "description": "",
780
+ "type": "checklist",
781
+ "items": [
782
+ {
783
+ "key": "error_codes",
784
+ "title": "Analysis of Error Codes",
785
+ "caption": "OTG-ERR-001, WAHHM - Recon and Analysis",
786
+ "description": "Examine error messages and handling mechanisms for disclosure of sensitive data, internal system details, or potential for denial-of-service.",
787
+ "tools": "Burp Suite, ZAP",
788
+ "vrt_category": "server_security_misconfiguration"
789
+ },
790
+ {
791
+ "key": "stack_traces",
792
+ "title": "Analysis of Stack Traces",
793
+ "caption": "OTG-ERR-002, WAHHM - Recon and Analysis",
794
+ "description": "Check application responses for exposed stack traces that could disclose sensitive internal information.",
795
+ "tools": "Burp Suite, ZAP",
796
+ "vrt_category": "server_security_misconfiguration"
797
+ },
798
+ {
799
+ "key": "forbidden_bypass",
800
+ "title": "Testing for 403 forbidden bypass",
801
+ "caption": "",
802
+ "description": "Test various techniques like HTTP verb manipulation, URL encoding, directory traversal, header manipulation, path fuzzing, case manipulation, adding a trailing slash, and attaching a URL fragment to bypass 403 Forbidden errors",
803
+ "tools": "Burp Suite (403-bypasser), ZAP, 403jump",
804
+ "vrt_category": "server_security_misconfiguration"
805
+ }
806
+ ]
807
+ },
808
+ {
809
+ "key": "cryptography",
810
+ "title": "Cryptography",
811
+ "description": "",
812
+ "type": "checklist",
813
+ "items": [
814
+ {
815
+ "key": "transport_layer_protection",
816
+ "title": "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection",
817
+ "caption": "OTG-CRYPST-001, WAHHM - Test Handling of Access",
818
+ "description": "Identify SSL service, Identify weak ciphers/protocols (ie. RC4, BEAST, CRIME, POODLE)",
819
+ "tools": "testssl.sh, nmap --script ssl-enum-ciphers",
820
+ "vrt_category": "server_security_misconfiguration"
821
+ },
822
+ {
823
+ "key": "padding_oracle",
824
+ "title": "Testing for Padding Oracle",
825
+ "caption": "OTG-CRYPST-002, WAHHM - Test Handling of Access",
826
+ "description": "Evaluate application behavior across three ciphertext states: valid decryption, decryption resulting in errors (non-padding), and padding-related decryption failures.",
827
+ "tools": "Burp Suite (Padding Oracle Hunter), PadBuster, python-paddingoracle, POET",
828
+ "vrt_category": "broken_authentication_and_session_management"
829
+ },
830
+ {
831
+ "key": "unencrypted_channels",
832
+ "title": "Testing for Sensitive information sent via unencrypted channels",
833
+ "caption": "OTG-CRYPST-003, WAHHM - Test Handling of Access",
834
+ "description": "Ensure encrypted transport for sensitive information: authentication secrets, session tokens, and protected data (e.g., PCI, customer records)",
835
+ "tools": "Burp Suite, curl, ZAP",
836
+ "vrt_category": "broken_authentication_and_session_management"
837
+ },
838
+ {
839
+ "key": "weak_encryption",
840
+ "title": "Testing for Weak Encryption",
841
+ "caption": "OTG-CRYPST-004, WAHHM - Test Handling of Access",
842
+ "description": "Identify weak encryption algorithms (e.g., MD5, SHA-1) in storage or transit.",
843
+ "tools": "DevTools, Burp Suite, ZAP",
844
+ "vrt_category": "cryptographic_weakness"
845
+ }
846
+ ]
847
+ },
848
+ {
849
+ "key": "business_logic",
850
+ "title": "Business Logic Testing",
851
+ "description": "",
852
+ "type": "checklist",
853
+ "items": [
854
+ {
855
+ "key": "data_validation",
856
+ "title": "Test Business Logic Data Validation",
857
+ "caption": "OTG-BUSLOGIC-001, WAHHM - Test for Logic Flaws",
858
+ "description": "Evaluate business logic for proper data validation implementation, covering range checks, format validation, consistency checks, and adherence to business rules.",
859
+ "tools": "Burp Suite, ZAP",
860
+ "vrt_category": "broken_access_control"
861
+ },
862
+ {
863
+ "key": "forge_requests",
864
+ "title": "Test Ability to Forge Requests",
865
+ "caption": "OTG-BUSLOGIC-002, WAHHM - Test for Logic Flaws",
866
+ "description": "Test the ability to forge HTTP requests to assess potential vulnerabilities related to request manipulation and unauthorized actions.",
867
+ "tools": "Burp Suite, ZAP",
868
+ "vrt_category": "server_side_injection"
869
+ },
870
+ {
871
+ "key": "integrity_check",
872
+ "title": "Test Integrity Checks",
873
+ "caption": "OTG-BUSLOGIC-003, WAHHM - Test for Logic Flaws",
874
+ "description": "Validate data integrity across application components (inputs, databases, logs) by verifying expected data types, formats, and authorized modifications based on business logic. Attempt to inject invalid data and unauthorized operations.",
875
+ "tools": "Burp Suite, ZAP",
876
+ "vrt_category": "broken_access_control"
877
+ },
878
+ {
879
+ "key": "process_timing",
880
+ "title": "Test for Process Timing",
881
+ "caption": "OTG-BUSLOGIC-004, WAHHM - Test for Logic Flaws",
882
+ "description": "Exploit race conditions via timing attacks.",
883
+ "tools": "Burp Suite (Turbo Intruder), ZAP",
884
+ "vrt_category": "server_side_injection"
885
+ },
886
+ {
887
+ "key": "usage_limits",
888
+ "title": "Test Number of Times a Function Can be Used Limits",
889
+ "caption": "OTG-BUSLOGIC-005, WAHHM - Test for Logic Flaws",
890
+ "description": "Attempt to exceed defined rate limits on critical endpoints to verify proper implementation and resilience.",
891
+ "tools": "Burp Suite, ZAP",
892
+ "vrt_category": "broken_access_control"
893
+ },
894
+ {
895
+ "key": "workflow_circumvention",
896
+ "title": "Testing for the Circumvention of Work Flows",
897
+ "caption": "OTG-BUSLOGIC-006, WAHHM - Test for Logic Flaws",
898
+ "description": "Skip workflow steps (e.g., payment) for unauthorized access.",
899
+ "tools": "Burp Suite, ZAP",
900
+ "vrt_category": "broken_access_control"
901
+ },
902
+ {
903
+ "key": "application_misuse",
904
+ "title": "Test Defenses Against Application Mis-use",
905
+ "caption": "OTG-BUSLOGIC-007, WAHHM - Test for Logic Flaws",
906
+ "description": "Test for vulnerabilities allowing abuse of application functionality (e.g., excessive resource consumption, unintended workflows).",
907
+ "tools": "Burp Suite, ZAP"
908
+ },
909
+ {
910
+ "key": "upload_unexpected_files",
911
+ "title": "Test Upload of Unexpected File Types",
912
+ "caption": "OTG-BUSLOGIC-008, WAHHM - Test for Logic Flaws",
913
+ "description": "Test Upload of Unexpected File Types to assess the application's handling of non-standard file uploads and prevent potential security risks like remote code execution.",
914
+ "tools": "Burp Suite, curl, ZAP"
915
+ },
916
+ {
917
+ "key": "malicious_files",
918
+ "title": "Test Upload of Malicious Files",
919
+ "caption": "OTG-BUSLOGIC-009, WAHHM - Test for Logic Flaws",
920
+ "description": "Test Upload of Malicious Files to Assess Potential for Remote Code Execution, Data Exposure, or System Compromise.",
921
+ "tools": "Burp Suite, curl, ZAP",
922
+ "vrt_category": "server_security_misconfiguration"
923
+ },
924
+ {
925
+ "key": "exif_metadata",
926
+ "title": "Testing for Stripped EXIF Geolocation Metadata in Uploaded Images",
927
+ "caption": "",
928
+ "description": "Check uploaded images for unstripped EXIF metadata leaking sensitive data.",
929
+ "tools": "exiftool",
930
+ "vrt_category": "server_security_misconfiguration"
931
+ },
932
+ {
933
+ "key": "csv_injection",
934
+ "title": "Testing for CSV Injection",
935
+ "caption": "",
936
+ "description": "Check for formula injection vulnerabilities in CSV export functionality.",
937
+ "tools": "Burp Suite, ZAP",
938
+ "vrt_category": "server_security_misconfiguration"
939
+ },
940
+ {
941
+ "key": "password_requirement",
942
+ "title": "Testing for Lack of Password Confirmation",
943
+ "caption": "",
944
+ "description": "Verify absence of password confirmation prompts for sensitive actions: Account deletion, email change, password change, and 2FA management.",
945
+ "tools": "Browser, Burp Suite, ZAP",
946
+ "vrt_category": "server_security_misconfiguration"
947
+ }
948
+ ]
949
+ },
950
+ {
951
+ "key": "client_side",
952
+ "title": "Client Side Testing",
953
+ "description": "",
954
+ "type": "checklist",
955
+ "items": [
956
+ {
957
+ "key": "dom_based_xss",
958
+ "title": "Testing for DOM-based Cross-Site Scripting",
959
+ "caption": "OTG-CLIENT-001, WAHHM - Miscellaneous Tests",
960
+ "description": "Analyze client-side JavaScript for vulnerabilities where attacker-controlled data in the DOM can be manipulated to execute malicious scripts.",
961
+ "tools": "Browser, Burp Suite, DOMinator, ZAP",
962
+ "vrt_category": "cross_site_scripting_xss"
963
+ },
964
+ {
965
+ "key": "javascript_execution",
966
+ "title": "Testing for JavaScript Execution",
967
+ "caption": "OTG-CLIENT-002, WAHHM - Test Handling of Input",
968
+ "description": "Test for the ability to inject and execute malicious JavaScript.",
969
+ "tools": "Browser, Burp Suite, ZAP",
970
+ "vrt_category": "cross_site_scripting_xss"
971
+ },
972
+ {
973
+ "key": "html_injection",
974
+ "title": "Testing for HTML Injection",
975
+ "caption": "OTG-CLIENT-003, WAHHM - Test Handling of Input",
976
+ "description": "Check input fields and website areas for the ability to inject arbitrary HTML code.",
977
+ "tools": "Browser, Burp Suite, ZAP",
978
+ "vrt_category": "server_side_injection"
979
+ },
980
+ {
981
+ "key": "url_redirect",
982
+ "title": "Testing for Client-Side URL Redirect",
983
+ "caption": "OTG-CLIENT-004, WAHHM - Test Handling of Input",
984
+ "description": "Analyze client-side code for manipulable redirect parameters that could lead to phishing or malicious site redirects.",
985
+ "tools": "Browser, Burp Suite, ZAP",
986
+ "vrt_category": "unvalidated_redirects_and_forwards"
987
+ },
988
+ {
989
+ "key": "css_injection",
990
+ "title": "Testing for CSS Injection",
991
+ "caption": "OTG-CLIENT-005, WAHHM - Test Handling of Input",
992
+ "description": "Analyze CSS handling for vulnerabilities allowing injection of malicious styles to alter page rendering or extract sensitive information.",
993
+ "tools": "Browser, Burp Suite, ZAP",
994
+ "vrt_category": "server_security_misconfiguration"
995
+ },
996
+ {
997
+ "key": "resource_manipulation",
998
+ "title": "Testing for Client Side Resource Manipulation",
999
+ "caption": "OTG-CLIENT-006, WAHHM - Test Handling of Input",
1000
+ "description": "Assess the application's resilience against attacks that involve manipulating client-side resources to achieve malicious outcomes.",
1001
+ "tools": "Browser, Burp Suite, ZAP",
1002
+ "vrt_category": "server_security_misconfiguration"
1003
+ },
1004
+ {
1005
+ "key": "cors",
1006
+ "title": "Testing Cross-Origin Resource Sharing",
1007
+ "caption": "OTG-CLIENT-007, WAHHM - Miscellaneous Tests",
1008
+ "description": "Verify proper CORS configuration to prevent unauthorized cross-domain data access.",
1009
+ "tools": "Browser, Burp Suite, ZAP",
1010
+ "vrt_category": "server_security_misconfiguration"
1011
+ },
1012
+ {
1013
+ "key": "clickjacking",
1014
+ "title": "Testing for Clickjacking",
1015
+ "caption": "OTG-CLIENT-009, WAHHM - Miscellaneous Tests",
1016
+ "description": "Determine if the website implements sufficient client-side defenses (e.g., X-Frame-Options, Content-Security-Policy) to prevent rendering within a frame controlled by a malicious site.",
1017
+ "tools": "Browser, Burp Suite, ZAP",
1018
+ "vrt_category": "server_security_misconfiguration"
1019
+ },
1020
+ {
1021
+ "key": "web_sockets",
1022
+ "title": "Testing WebSockets",
1023
+ "caption": "OTG-CLIENT-010, WAHHM - Test Handling of Input",
1024
+ "description": "Check WebSocket endpoints by inspecting ws:// or wss:// URI scheme for proper authorization and data handling.",
1025
+ "tools": "Burp Suite, wscat, wssip, ZAP"
1026
+ },
1027
+ {
1028
+ "key": "web_messaging",
1029
+ "title": "Testing Web Messaging",
1030
+ "caption": "OTG-CLIENT-011, WAHHM - Test Handling of Input",
1031
+ "description": "Evaluate JavaScript Web Messaging implementation, focusing on validation of origin restrictions and secure data processing, including trusted domains.",
1032
+ "tools": "Browser, Burp Suite, ZAP"
1033
+ },
1034
+ {
1035
+ "key": "browser_storage",
1036
+ "title": "Testing Browser Storage",
1037
+ "caption": "OTG-CLIENT-012, WAHHM - Miscellaneous Tests",
1038
+ "description": "Evaluate the secure implementation and appropriate use of browser storage mechanisms (LocalStorage, SessionStorage, IndexedDB, Cookies) to prevent unauthorized access and data leakage.",
1039
+ "tools": "Browser"
1040
+ },
1041
+ {
1042
+ "key": "script_inclusion",
1043
+ "title": "Testing for Cross-Site Script Inclusion",
1044
+ "caption": "OTG-CLIENT-013",
1045
+ "description": "Verify the application's resistance to the inclusion of malicious, externally hosted JavaScript code within its execution context.",
1046
+ "tools": "Browser, Burp Suite, ZAP"
1047
+ },
1048
+ {
1049
+ "key": "outdated_javascript",
1050
+ "title": "Testing for Outdated JavaScript Dependency",
1051
+ "caption": "",
1052
+ "description": "Identify and assess outdated JavaScript dependencies for known vulnerabilities.",
1053
+ "tools": "BuiltWith, retire.js, Wappalyzer"
1054
+ },
1055
+ {
1056
+ "key": "dependency_confusion",
1057
+ "title": "Testing for Dependency Confusion",
1058
+ "caption": "",
1059
+ "description": "Validate that the application's build process and package manager are configured to exclusively source internal dependencies from trusted, private registries, mitigating dependency confusion vulnerabilities.",
1060
+ "tools": "confused, gau, snync, waybackurls"
1061
+ }
1062
+ ]
1063
+ },
1064
+ {
1065
+ "key": "upload_logs",
1066
+ "title": "Upload logs",
1067
+ "description": "This should include all associated traffic associated to the in-scope targets.",
1068
+ "type": "large_upload"
1069
+ },
1070
+ {
1071
+ "key": "executive_summary",
1072
+ "title": "Executive summary",
1073
+ "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
1074
+ "type": "executive_summary"
1075
+ }
1076
+ ]
1077
+ }
1078
+ }