Release v4.2 · OWASP/wstg · GitHub

github-actions released this 03 Dec 15:23
dd33419

Published here: https://owasp.org/www-project-web-security-testing-guide/v42/

- Guide:
  - Add GraphQL API testing scenario and details (WSTG-APIT-01).
  - Add Test Objectives to all scenarios.
  - Add Testing for HTTP Method Overriding (WSTG-CONF-06).
  - Add to Review Webpage Content for Information Leakage (WSTG-INFO-05).
  - Add Testing for Session Hijacking (WSTG-SESS-09).
  - Add to Testing for Bypassing Authorization Schema (WSTG-ATHZ-02).
  - Add to Testing for Local File Inclusion (WSTG-INPV-11.1).
  - Add Appendix F: Leveraging Dev Tools.
  - Add Testing for Server-Side Request Forgery (WSTG-INPV-19).
  - Add to Testing for Weak Lock Out Mechanism (WSTG-ATHN-03).
  - Merge section Fingerprint Web Application (WSTG-INFO-09) into Fingerprint Web Application Framework (WSTG-INFO-08).
  - Merge section Testing for HTTP Verb Tampering (WSTG-INPV-03) into Test HTTP Methods (WSTG-CONF-06).
  - Merge section Testing for Stack Traces (WSTG-ERRH-02) into Testing for Improper Error Handling (WSTG-ERRH-01).
  - Update Frontispiece (Chapter 1).
  - Update Introduction (Chapter 2).
  - Update Test HTTP Strict Transport Security (WSTG-CONF-07).
  - Update Review Webserver Metafiles for Information Leakage (WSTG-INFO-03).
  - Update Penetration Testing Methodologies (Chapter 3.8).
  - Update Test HTTP Methods (WSTG-CONF-06).
  - Update Test Upload of Malicious Files (WSTG-BUSL-09).
  - Update Testing for Weak Encryption (WSTG-CRYP-04).
  - Update Testing for SSI Injection (WSTG-INPV-08).
  - Update Testing for Format String Injection (WSTG-INPV-13).
  - Update DOM-Based Cross Site Scripting to include sources, sinks, and their corresponding references (WSTG-CLNT-01).
  - Remove Testing for Buffer Overflow (WSTG-INPV-13).
  - Rewrite Fuzz Vectors (Appendix C).
  - Rewrite Testing for Weak Transport Layer Security (WSTG-CRYP-01).
  - Rewrite Role Definitions (WSTG-IDNT-01).
  - Rewrite Weak Lockout (WSTG-ATHN-03).
  - Rewrite Testing for Credentials Transported over an Encrypted Channel (WSTG-ATHN-01).
  - Rewrite Session Fixation Testing (WSTG-SESS-03).
  - Rewrite Testing for Improper Error Handling (WSTG-ERRH-01).
  - Rewrite Reporting section.
  - Update Test for Process Timing (WSTG-BUSL-04).
  - Update Contributor Guide, Style Guide, and Content Templates.
  - Standardize HTTP request/response examples.
  - Establish consistent terminology.
  - Change MiTM terminology to manipulator-in-the-middle, aligning with other industry projects such as ZAP.
  - Add reference and linking details.
  - Update references and links for tools; remove links and references for seemingly unmaintained tools.
  - Revise CIS-CAT and Wappalyzer references.
  - Add OWASP trademark registration.
- Repository housekeeping:
  - Add Codespaces support.
  - Establish GitLocalize (https://gitlocalize.com/repo/5220) as a facility through which the project will accept translations.
  - Add terminology linting.
  - Add "Sponsor" details.
  - Automate creation of JSON "checklist".
  - Add action to refresh stale issues.
  - Add README and documentation for GitHub Action workflows.
  - Add manual triggers to various workflows (such as PDF generation).
- For future use:
  - Establish a layout plan for v5.
  - Establish release plans and milestones/projects for 4.2, 4.3, and 5.0.
- Based on:
  - ~120 Pull Requests.
  - 2 Google docs for planning and data collection.
  - Innumerable Slack discussions.
- Test additions:

| Test ID | Test Name |
| --- | --- |
| WSTG-SESS-09 | Testing for Session Hijacking |
| WSTG-INPV-19 | Testing for Server-Side Request Forgery |
| WSTG-APIT-01 | Testing GraphQL |

- Test scenarios which were re-written:

| Test ID | v4.1 Test Name | New Test Name |
| --- | --- | --- |
| WSTG-INPV-13 | Testing for Buffer Overflow | Testing for Format String Injection |
| WSTG-ERRH-01 | Analysis of Error Codes | Testing for Improper Error Handling |
| WSTG-CRYP-01 | Testing for Weak SSL TLS Ciphers Insufficient Transport Layer Protection | Testing for Weak Transport Layer Security |

- Test name modifications:

| Test ID | v4.1 Test Name | New Test Name |
| --- | --- | --- |
| WSTG-INFO-05 | Review Webpage Comments and Metadata for Information Leakage | Review Webpage Content for Information Leakage |
| WSTG-CONF-04 | Backup and Unreferenced Files for Sensitive Information | Review Old Backup and Unreferenced Files for Sensitive Information |
| WSTG-ATHZ-01 | Testing Directory Traversal - File Include | Testing Directory Traversal File Include |
| WSTG-SESS-01 | Testing for Bypassing Session Management Schema | Testing for Session Management Schema |
| WSTG-SESS-07 | Test Session Timeout | Testing Session Timeout |
| WSTG-INPV-10 | IMAP/SMTP Injection | Testing for IMAP SMTP Injection |
| WSTG-INPV-15 | Testing for HTTP Splitting/Smuggling | Testing for HTTP Splitting Smuggling |
| WSTG-ERRH-02 | Analysis of Stack Traces | Testing for Stack Traces |
| WSTG-CLNT-12 | Test Local Storage | Test Browser Storage |