This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Web Application Methodology

OWASP Testing Guide Approach

Framework Overview

The OWASP Web Security Testing Guide (WSTG) serves as an industry-standard reference for vulnerability coverage. Rather than dictating workflow, OWASP provides a checklist to ensure nothing is missed during testing.

OWASP Testing Categories Reference

The OWASP WSTG v4.2 organizes security tests into these categories:

  • Information Gathering (WSTG-INFO): Map scope, endpoints, frameworks and attack surface.

  • Configuration Management (WSTG-CONF): Identify misconfigurations in servers, frameworks and cloud services.

  • Identity & Authentication (WSTG-IDNT / WSTG-ATHN): Test authentication flows, credential management and MFA.

  • Authorization (WSTG-ATHZ): Validate access control, horizontal/vertical privilege separation and IDORs.

  • Session Management (WSTG-SESS): Evaluate session token handling, fixation, CSRF and expiry.

  • Input Validation (WSTG-INPV): Test for XSS, SQLi, command injection, template injection and request smuggling.

  • Error Handling (WSTG-ERRH): Identify information leakage from stack traces and error messages.

  • Cryptography (WSTG-CRYP): Verify TLS configuration, certificate validation and secure storage practices.

  • Business Logic (WSTG-BUSL): Assess workflow integrity, abuse cases and process assumptions.

  • Client-Side Testing (WSTG-CLNT): Test DOM XSS, CORS, client resource manipulation and clickjacking.

  • API Testing (WSTG-APIT): Evaluate REST/GraphQL endpoints, authentication, authorization and rate limits.


Web Application Architecture

Modern Architecture Assessment

Understanding an application’s architecture is essential to identify attack vectors and define effective testing strategies.

Architecture Analysis Framework

Technology Stack Identification

  • Frontend: JavaScript frameworks (React, Angular, Vue), CSS frameworks, build tools, bundlers, and CDNs ⇒ focus on client-side vulnerabilities.

  • Backend: Web servers (Apache, Nginx, IIS), app frameworks, databases, caching ⇒ reveals server-side risks and escalation paths.

  • Tools: Wappalyzer, WhatWeb, Nuclei templates, and manual header analysis.

Application Topology Mapping

  • Objectives: Identify entry points, APIs, integrations, database connections, and external services.

  • Patterns: Monolith, microservices, serverless, SPAs ⇒ each requires tailored testing.

  • Documentation: Diagrams of data flows, trust boundaries, and dependencies to highlight attack paths.

Security Control Identification

  • WAFs: Detect, fingerprint, analyze rules, and assess rate limiting.

  • Authentication: SSO, MFA, session management, API auth ⇒ each introduces unique bypass possibilities.

  • Security Headers: CSP, HSTS, CORS, etc., provide insights into protection layers.
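As an added example (written for this page, not code from the guide or from any of the tools it names), the Python script below combines two of the items above: the "manual header analysis" step of technology stack identification and the security-header review (HSTS, CSP, clickjacking protection, CORS, cookie attributes). The two sets of response headers are constructed samples; the thresholds it applies (an HSTS max-age of at least one year, no inline or wildcard script sources in CSP, Secure/HttpOnly/SameSite on session cookies) are common hardening recommendations adopted here as assumptions, and the well-known cookie names it maps to platforms are default names, not evidence from any real target.

```python
"""Audit HTTP response headers for technology disclosure and weak security headers.

Added example with constructed sample headers; nothing here was captured from a real host.
"""
import re

# Constructed sample responses for two hypothetical applications.
SAMPLE_RESPONSES = {
    "legacy-app": {
        "Server": "Apache/2.4.29 (Ubuntu)",
        "X-Powered-By": "PHP/7.2.24",
        "Set-Cookie": "PHPSESSID=abc123; Path=/",
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
        "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    },
    "hardened-app": {
        "Server": "nginx",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
        "Set-Cookie": "session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
        "Access-Control-Allow-Origin": "https://app.example.com",
    },
}

# Default session cookie names of common platforms (assumed mapping for illustration).
COOKIE_HINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "connect.sid": "Node.js (Express)",
}

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def _lower(headers):
    """Header names are case-insensitive; normalise once for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def fingerprint(headers):
    """Return the technology hints a response discloses about its own stack."""
    h = _lower(headers)
    hints = []
    for name in ("server", "x-powered-by", "x-aspnet-version", "x-generator"):
        # A bare product name (e.g. "nginx") is tolerated; a version string is a disclosure.
        if name in h and (name != "server" or re.search(r"\d", h[name])):
            hints.append(f"{name}: {h[name]}")
    cookie_name = h.get("set-cookie", "").split("=", 1)[0].strip()
    if cookie_name in COOKIE_HINTS:
        hints.append(f"cookie {cookie_name} -> {COOKIE_HINTS[cookie_name]}")
    return hints


def audit(headers):
    """Return findings for missing or weak security headers and cookie attributes."""
    h = _lower(headers)
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp or re.search(r"(?:default-src|script-src)[^;]*\*", csp):
        findings.append("CSP permits inline or wildcard script sources")
    # Either CSP frame-ancestors or X-Frame-Options is accepted as clickjacking protection.
    if "frame-ancestors" not in (csp or "") and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")

    # Wildcard origin together with credentials is a misconfiguration worth reporting.
    if h.get("access-control-allow-origin") == "*" and \
            h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("CORS: credentials allowed with wildcard origin")

    cookie = h.get("set-cookie")
    if cookie:
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie missing {flag} attribute")
    return findings


def audit_all(responses=SAMPLE_RESPONSES):
    """Run both checks over every sample response."""
    return {name: {"stack": fingerprint(hdrs), "findings": audit(hdrs)}
            for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(f"== {name}")
        for hint in result["stack"]:
            print("  disclosure:", hint)
        for finding in result["findings"]:
            print("  finding:", finding)
```

Pointing `audit_all` at a dictionary of headers taken from a response you are authorised to inspect turns this into a quick first pass for the WSTG-CONF and WSTG-SESS items; the hardened sample produces no findings, while the legacy sample reports version disclosure plus nine header and cookie weaknesses.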

Architecture-Specific Testing Considerations

  • SPAs: Test APIs, token handling, and client-side security.

  • Microservices: Assess API gateways, inter-service auth, and communication.

  • Cloud-Native: Evaluate container security, serverless risks, and cloud misconfigurations.
