Releases: OWASP/wstg
20230928-Prerelease
Temporary release between 4.2 and 4.3 to attach PDF and ePub.
Release v4.2
Published here: https://owasp.org/www-project-web-security-testing-guide/v42/
- Guide:
  - Add GraphQL API testing scenario and details (WSTG-APIT-01).
  - Add Test Objectives to all scenarios.
  - Add Testing for HTTP Method Overriding (WSTG-CONF-06).
  - Add to Review Webpage Content for Information Leakage (WSTG-INFO-05).
  - Add Testing for Session Hijacking (WSTG-SESS-09).
  - Add to Testing for Bypassing Authorization Schema (WSTG-ATHZ-02).
  - Add to Testing for Local File Inclusion (WSTG-INPV-11.1).
  - Add Appendix F: Leveraging Dev Tools.
  - Add Testing for Server-Side Request Forgery (WSTG-INPV-19).
  - Add to Testing for Weak Lock Out Mechanism (WSTG-ATHN-03).
  - Merge section Fingerprint Web Application (WSTG-INFO-09) into Fingerprint Web Application Framework (WSTG-INFO-08).
  - Merge section Testing for HTTP Verb Tampering (WSTG-INPV-03) into Test HTTP Methods (WSTG-CONF-06).
  - Merge section Testing for Stack Traces (WSTG-ERRH-02) into Testing for Improper Error Handling (WSTG-ERRH-01).
  - Update Frontispiece (Chapter 1).
  - Update Introduction (Chapter 2).
  - Update Test HTTP Strict Transport Security (WSTG-CONF-07).
  - Update Review Webserver Metafiles for Information Leakage (WSTG-INFO-03).
  - Update Penetration Testing Methodologies (Chapter 3.8).
  - Update Test HTTP Methods (WSTG-CONF-06).
  - Update Test Upload of Malicious Files (WSTG-BUSL-09).
  - Update Testing for Weak Encryption (WSTG-CRYP-04).
  - Update Testing for SSI Injection (WSTG-INPV-08).
  - Update Testing for Format String Injection (WSTG-INPV-13).
  - Update DOM-Based Cross Site Scripting to include sources, sinks, and their corresponding references (WSTG-CLNT-01).
  - Remove Testing for Buffer Overflow (WSTG-INPV-13).
  - Rewrite Fuzz Vectors (Appendix C).
  - Rewrite Testing for Weak Transport Layer Security (WSTG-CRYP-01).
  - Rewrite Role Definitions (WSTG-IDNT-01).
  - Rewrite Weak Lockout (WSTG-ATHN-03).
  - Rewrite Testing for Credentials Transported over an Encrypted Channel (WSTG-ATHN-01).
  - Rewrite Session Fixation Testing (WSTG-SESS-03).
  - Rewrite Testing for Improper Error Handling (WSTG-ERRH-01).
  - Rewrite Reporting section.
  - Update Test for Process Timing (WSTG-BUSL-04).
  - Update Contributor Guide, Style Guide, and Content Templates.
  - Standardize HTTP request/response examples.
  - Establish consistent terminology.
  - Change MiTM terminology to manipulator-in-the-middle, aligning with other industry projects such as ZAP.
  - Add reference and linking details.
  - Update references and links for tools; remove links and references for seemingly unmaintained tools.
  - Revise CIS-CAT and Wappalyzer references.
  - Add OWASP trademark registration.
- Repository housekeeping:
  - Add Codespaces support.
  - Establish GitLocalize (https://gitlocalize.com/repo/5220) as a facility through which the project will accept translations.
  - Add terminology linting.
  - Add "Sponsor" details.
  - Automate creation of JSON "checklist".
  - Add action to refresh stale issues.
  - Add README and documentation for GitHub Action workflows.
  - Add manual triggers to various workflows (such as PDF generation).
- For future use:
  - Establish a layout plan for v5.
  - Establish release plans and milestones/projects for 4.2, 4.3, and 5.0.
- Based on:
  - ~120 Pull Requests.
  - 2 Google docs for planning and data collection.
  - Innumerable Slack discussions.
- Test additions:
Test ID | Test Name |
---|---|
WSTG-SESS-09 | Testing for Session Hijacking |
WSTG-INPV-19 | Testing for Server-Side Request Forgery |
WSTG-APIT-01 | Testing GraphQL |
- Test scenarios which were re-written:
Test ID | v4.1 Test Name | New Test Name |
---|---|---|
WSTG-INPV-13 | Testing for Buffer Overflow | Testing for Format String Injection |
WSTG-ERRH-01 | Analysis of Error Codes | Testing for Improper Error Handling |
WSTG-CRYP-01 | Testing for Weak SSL TLS Ciphers Insufficient Transport Layer Protection | Testing for Weak Transport Layer Security |
- Test name modifications:
Test ID | v4.1 Test Name | New Test Name |
---|---|---|
WSTG-INFO-05 | Review Webpage Comments and Metadata for Information Leakage | Review Webpage Content for Information Leakage |
WSTG-CONF-04 | Backup and Unreferenced Files for Sensitive Information | Review Old Backup and Unreferenced Files for Sensitive Information |
WSTG-ATHZ-01 | Testing Directory Traversal - File Include | Testing Directory Traversal File Include |
WSTG-SESS-01 | Testing for Bypassing Session Management Schema | Testing for Session Management Schema |
WSTG-SESS-07 | Test Session Timeout | Testing Session Timeout |
WSTG-INPV-10 | IMAP/SMTP Injection | Testing for IMAP SMTP Injection |
WSTG-INPV-15 | Testing for HTTP Splitting/Smuggling | Testing for HTTP Splitting Smuggling |
WSTG-ERRH-02 | Analysis of Stack Traces | Testing for Stack Traces |
WSTG-CLNT-12 | Test Local Storage | Test Browser Storage |
Release v4.1
Published here: https://owasp.org/www-project-web-security-testing-guide/v41/
- Finish all formatting, image restoration, etc. for the MediaWiki to GitHub migration.
- Move identifiers from file names/headings into the document content.
- Shorten identifiers to 4-character categories and 2 digits.
- Revise and relocate ORM Injection into SQL Injection section.
- Simplify numbering of all content/assets.
- Various grammar and typo fixes throughout.
- All headings now use Title Caps.
- Add Host Header attacks section.
- Add Subdomain Takeover section.
- Add Cloud Storage section.
- Add Client Side SQLi section.
- Re-wrote Cookie Testing section, adding SameSite Cookies and Cookie Prefix info.
- Re-wrote Format String section.
- Fix all broken links.
- Replace various images in sections 2, 3, and 4.
- Revise Browser Cache Weakness section, including new screenshots and details for modern browsers and mobile considerations.
- Revise Client Side Storage section.
- Revise Search Engine Discovery and Recon section.
- Revise Fingerprint Web Server section.
- Revise CSRF section, and add JSON CSRF info.
- Revise password policy guidance.
- Revise web backdoors content to not be detected/blocked/removed by Windows Defender.
- Revise Remember Password section.
- Improve Identify Application Entry Points section.
- Add references and 3rd example to Business Logic Data Validation section.
- Clarify passive and active testing.
- Remove unsupported statistics.
- Remove all old www.owasp.org links and update to owasp.org where migration occurred.
- Remove misleading examples using META Cache-Control.
- Tons of typo fixes and acronym capitalization.
- New cover image for PDF.
- Project: Create Contributor Guide, Style Guide, and Content Templates.
- Project: Establish project Code of Conduct.
- Project: Establish @owasp_wstg Twitter presence.
- Repo: Add markdown linting.
- Repo: Add link checking.
- Repo: Setup Issue and PR templates.
- Repo: Automate deployment of 'latest' content to owasp.org website.
- Repo: Automate deployment of versioned and stable content to owasp.org website.
- Repo: Automate creation of PDF.
- For future use:
  - Establish a layout plan for v5.
  - Establish release plans and milestones/projects for 4.1, 4.x, and 5.0.
- Based on:
  - ~260 Pull Requests.
  - 3 Google docs for planning and data collection.
  - A dozen Hangouts calls across various time zones.
  - Innumerable Slack discussions.