Release Release v4.2 · OWASP/wstg · GitHub
dd33419
This commit was created on GitHub.com and signed with GitHub’s verified signature.
The key has expired.
Published here: https://owasp.org/www-project-web-security-testing-guide/v42/
- Guide:
  - Add GraphQL API testing scenario and details (WSTG-APIT-01).
  - Add Test Objectives to all scenarios.
  - Add Testing for HTTP Method Overriding (WSTG-CONF-06).
  - Add to Review Webpage Content for Information Leakage (WSTG-INFO-05).
  - Add Testing for Session Hijacking (WSTG-SESS-09).
  - Add to Testing for Bypassing Authorization Schema (WSTG-ATHZ-02).
  - Add to Testing for Local File Inclusion (WSTG-INPV-11.1).
  - Add Appendix F: Leveraging Dev Tools.
  - Add Testing for Server-Side Request Forgery (WSTG-INPV-19).
  - Add to Testing for Weak Lock Out Mechanism (WSTG-ATHN-03).
  - Merge section Fingerprint Web Application (WSTG-INFO-09) into Fingerprint Web Application Framework (WSTG-INFO-08).
  - Merge section Testing for HTTP Verb Tampering (WSTG-INPV-03) into Test HTTP Methods (WSTG-CONF-06).
  - Merge section Testing for Stack Traces (WSTG-ERRH-02) into Testing for Improper Error Handling (WSTG-ERRH-01).
  - Update Frontispiece (Chapter 1).
  - Update Introduction (Chapter 2).
  - Update Test HTTP Strict Transport Security (WSTG-CONF-07).
  - Update Review Webserver Metafiles for Information Leakage (WSTG-INFO-03).
  - Update Penetration Testing Methodologies (Chapter 3.8).
  - Update Test HTTP Methods (WSTG-CONF-06).
  - Update Test Upload of Malicious Files (WSTG-BUSL-09).
  - Update Testing for Weak Encryption (WSTG-CRYP-04).
  - Update Testing for SSI Injection (WSTG-INPV-08).
  - Update Testing for Format String Injection (WSTG-INPV-13).
  - Update DOM-Based Cross Site Scripting to include sources, sinks, and their corresponding references (WSTG-CLNT-01).
  - Remove Testing for Buffer Overflow (WSTG-INPV-13).
  - Rewrite Fuzz Vectors (Appendix C).
  - Rewrite Testing for Weak Transport Layer Security (WSTG-CRYP-01).
  - Rewrite Role Definitions (WSTG-IDNT-01).
  - Rewrite Weak Lockout (WSTG-ATHN-03).
  - Rewrite Testing for Credentials Transported over an Encrypted Channel (WSTG-ATHN-01).
  - Rewrite Session Fixation Testing (WSTG-SESS-03).
  - Rewrite Testing for Improper Error Handling (WSTG-ERRH-01).
  - Rewrite Reporting section.
  - Update Test for Process Timing (WSTG-BUSL-04).
  - Update Contributor Guide, Style Guide, and Content Templates.
  - Standardize HTTP request/response examples.
  - Establish consistent terminology.
  - Change MiTM terminology to manipulator-in-the-middle, aligning with other industry projects such as ZAP.
  - Add reference and linking details.
  - Update references and links for tools; remove links and references for seemingly unmaintained tools.
  - Revise CIS-CAT and Wappalyzer references.
  - Add OWASP trademark registration.
- Repository housekeeping:
  - Add Codespaces support.
  - Establish GitLocalize (https://gitlocalize.com/repo/5220) as a facility through which the project will accept translations.
  - Add terminology linting.
  - Add "Sponsor" details.
  - Automate creation of JSON "checklist".
  - Add action to refresh stale issues.
  - Add README and documentation for GitHub Action workflows.
  - Add manual triggers to various workflows (such as PDF generation).
- For future use:
  - Establish a layout plan for v5.
  - Establish release plans and milestones/projects for 4.2, 4.3, and 5.0.
- Based on:
  - ~120 Pull Requests.
  - 2 Google docs for planning and data collection.
  - Innumerable Slack discussions.
- Test additions:

| Test ID | Test Name |
|---|---|
| WSTG-SESS-09 | Testing for Session Hijacking |
| WSTG-INPV-19 | Testing for Server-Side Request Forgery |
| WSTG-APIT-01 | Testing GraphQL |

- Test scenarios which were rewritten:

| Test ID | v4.1 Test Name | New Test Name |
|---|---|---|
| WSTG-INPV-13 | Testing for Buffer Overflow | Testing for Format String Injection |
| WSTG-ERRH-01 | Analysis of Error Codes | Testing for Improper Error Handling |
| WSTG-CRYP-01 | Testing for Weak SSL TLS Ciphers Insufficient Transport Layer Protection | Testing for Weak Transport Layer Security |

- Test name modifications:

| Test ID | v4.1 Test Name | New Test Name |
|---|---|---|
| WSTG-INFO-05 | Review Webpage Comments and Metadata for Information Leakage | Review Webpage Content for Information Leakage |
| WSTG-CONF-04 | Backup and Unreferenced Files for Sensitive Information | Review Old Backup and Unreferenced Files for Sensitive Information |
| WSTG-ATHZ-01 | Testing Directory Traversal - File Include | Testing Directory Traversal File Include |
| WSTG-SESS-01 | Testing for Bypassing Session Management Schema | Testing for Session Management Schema |
| WSTG-SESS-07 | Test Session Timeout | Testing Session Timeout |
| WSTG-INPV-10 | IMAP/SMTP Injection | Testing for IMAP SMTP Injection |
| WSTG-INPV-15 | Testing for HTTP Splitting/Smuggling | Testing for HTTP Splitting Smuggling |
| WSTG-ERRH-02 | Analysis of Stack Traces | Testing for Stack Traces |
| WSTG-CLNT-12 | Test Local Storage | Test Browser Storage |