Today, software development and security testing have become a significant technical challenge. The immense rise of web applications that enable businesses, networking, etc., requires a robust approach for writing and securing the internet, web applications, and data. OWASP and OWASP top 10 are essential in securing web applications and data.

Security testing is essential when developing web applications. However, many organizations overlook this integral component of the Software Development Life Cycle (SDLC). This OWASP Web Security Testing Guide covers the OWASP testing framework, its scope, the principles of successful testing, and its techniques. It also covers reporting best practices and testing for specific vulnerabilities via code inspection and penetration testing.

What is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to web application and software security. The OWASP guide helps set a security standard for developers and practitioners worldwide. They can use the OWASP standard as guidelines for security testing and code review while developing web applications.

The OWASP offerings, including everything from online tools and videos to forums and events, are free and easily accessible through its website. It sets forward an “open community” model under which anyone can participate and contribute to OWASP-related online chat, projects, etc.

Why is OWASP important?

Creating a guide like this that covers all the crucial aspects of SLDC security is an undertaking task and requires the expertise of people around the world. One of the crucial factors of the OWASP guide is that it is open and easily accessible for anyone involved in the web application development process.

It captures the consensus of leading experts around the world, and the OWASP community can evolve and expand with the increasingly evolving application security threat landscape. It helps guide developers and practitioners on how to perform security testing quickly, effectively, and efficiently.

Among the main benefits of OWASP, we can highlight the following:

  • Secured applications against cyber attacks
  • Reductions of errors and operational failures in the system
  • Increased chances of application success
  • Stronger encryption methods
  • Enhanced brand reputation

Following the OWASP guide is essential for anyone involved in web application development. Different roles in the organizations can use this guide:

  • Developers can use this guide to ensure secure code production.
  • Software testers and QA to expand test use cases for testing applications.
  • Security specialists to identify gaps in the security testing of applications./li>

While this guide covers different techniques to identify security holes, it should not be considered a complete checklist as new vulnerabilities are always popping up, and organizations can use this guide as a good place to start.

Put OWASP Top 10 on automation

Ready to automate OWASP Top 10?

By eliminating the hundreds of hours of manual effort that were previously required to maintain your Compliance reports and certifications, you can now spend more time on other daily tasks.

Let’s Automate

What is OWASP top 10?

The OWASP Top 10 report consists of the ten most critical web application security risks. The image above highlights the new installment of the OWASP Top 10 2021 report. This list consists of the most recent update that occurred in 2021. 

According to the new list, three new categories have been added. The risks added are ranked based on security defects, their frequency to occur, the severity of vulnerabilities, and potential impacts. Developers and security practitioners can use this report to get an insight into the most prevalent security risk so that they can minimize the presence of known risks as much as possible while developing web applications. 

  • Broken Access Control (A01:2021)

Moved to number 1 from number 5 in the 2021 report based on severity, broken access control is among the top security weaknesses that can aid in accessing user accounts by attackers. This risk had more occurrences in the applications than in any other category. 

  • Cryptographic Failures (A02:2021)

Previously known as sensitive data exposure, shifts up to 2nd position depicting failures related to cryptography. This category sheds light on the risk when sensitive data is exposed and compromised during application development.

  • Injection(A03:2021)

Injection falls to number 3 from number 1, comprising cross-site scripting as part of this category. It occurs when an attacker injects an invalid data code into a web application to make it do something it was not designed to do. 

  • Insecure Design (A04:2021)

Insecure design is a new category added to the OWASP top 10 2021 report and focuses on risks related to design flaws. For an industry trying to “shift left”, threat modeling, secure design patterns, and principles may not be enough. 

  • Security Misconfiguration (A05:2021)

It is no surprise that security misconfiguration moves up to the number 5 position as “90% of applications were tested for some form of misconfiguration”.  It occurs from configuration errors or shortcomings. XML External Entities (XXE) is being added to this category now. 

  • Vulnerable & Outdated Components (A06:2021)

Previously known as using components with known vulnerabilities, vulnerable and outdated components move up from number 9 to 6 and focus on the components underlying known and potential risks. Also, outdated components must be evaluated for risks. 

  • Identification & Authentication Failures (A07:2021)

Previously known as broken authentication, this category has shifted from number 2 to 7 but remains an integral part of the OWASP Top 10. It includes CWEs related to identification failures that result in compromised passwords, keywords, and sessions, leading to identity theft. 

  • Software & Data Integrity Failures (A08:2021)

Introduced as a new category in 2021, it highlights assumptions without verifying integrity related to software updates, critical data, and CI/CD pipelines. Insecure deserialization is now a part of this category. 

  • Security Logging & Monitoring Failures (A09:2021)

Previously known as Insufficient Logging and Monitoring, this category has shifted up from number 10 to 9 and includes more types of failures that are challenging to test and aren’t represented in the CVE/CVSS data. Failure in this category can result in more severe compromising activities. 

  • Server-side Request Forgery (A10:2021)

Added as a new category in the OWASP Top 10 2021, Server-side Request Forgery (SSRF) focuses on the severity and incidence of SSRF attacks. 

The OWASP Testing Project

The OWASP Testing Project is built with the expertise of leading experts from all around the world. The main goal of this testing framework is to provide knowledge about the when, how, where, what, and why of testing the security of web applications. 

You can use this framework and adjust it according to your testing requirements. It helps organizations test web applications to build secure software. Walk through the complete guide to have a better insight into the OWASP testing framework. 

Principles of Testing

The OWASP Testing Project clears some major misconceptions about developing a testing methodology. It puts forward some basic principles of testing for professionals when performing security tests on software. 

  • There is no silver bullet

While it may look tempting to secure applications using security scanners and firewalls against attacks, there is no silver bullet for insecure software. The application of security assessment software may be useful, but it may not provide complete security analysis and in-depth test coverage. 

  • Think strategically, not tactically

Previously, security professionals used to follow the patch-and-penetrate model for security testing. It involved fixing bugs but without proper investigations of the root cause. This technique has become outdated. Security professionals should build security in the Software Development Life Cycle and think strategically to prevent the recurrence of security issues. 

  • The SLDC is King

Developers are well aware of the Software Development Life Cycle. It is essential to integrate security into each phase of the SLDC. While every organization has its individual methods and phases of an SDLC model, it must consider different security applications for each conceptual phase to make them a part of the existing process.  

  • Test early & test often

This will help detect security bugs early in the SDLC and at a lower cost. For this, organizations must educate their development and QA teams about security issues and how they can implement different security measures in the SDLC to detect and prevent security attacks. 

  • Test Automation

Leverage dynamic application security testing (DAST), static application security testing (SAST), and software composition analysis (SCA) or dependency tracking tools for standard automated test workflows in modern development methodologies to maintain security information and vulnerabilities in the development process. 

  • Understand the scope of security

Understanding the scope of security is crucial for app development. Knowing the amount of security a given project will require can help protect assets by giving a classification (e.g, sensitive, secret, top-secret, confidential, etc) that will state how the data needs to be handled. 

Different regulations also help understand what needs to be followed and how you can implement security for web applications. For example, Directive 96/46/EC4 and Regulation (EU) 2016/679 (General Data Protection Regulation) restrict organizations to handle customer data securely, whatever the application. 

  • Develop the right mindset

Developing the right mindset while looking for gaps in the security system is very crucial for secure app development. It requires an “out of the box” mindset to think like an attacker and go beyond what is expected. Each web application is developed in its unique way and requires security testing accordingly.

  • Use the right tools

The right tools can play a critical role in efficient security testing. While there is no silver bullet to the problem, selecting the right tools can help you automate many routine security tasks. However, depending completely on the use of tools is not good. One should understand their usage and integrate them into the system accordingly.

  • The Devil is in the Details

A superficial review of an application can instill false confidence in its security and can be dangerous. Look out for the correct findings and security gaps. Report and verify every action taken in every possible aspect of the application security is tested.

  • Use source code when available

Black-box penetration tests may not be as effective and efficient to secure applications as they may seem. Security staff can use the source code while reviewing applications. It can help them identify vulnerabilities in the application source. 

  • Develop metrics

Organizations must develop metrics to reveal application security trends. Consistent metrics can help organizations understand:

  • If there is a need for more education or security training for the staff.
  • If there is anything in the security mechanism not understood by the development teams.
  • If the security issues are decreasing with time or not.

Metrics are not easy to develop. However, using a standard such as the IEEE can prove to be beneficial in the start. 

  • Document the test results

It is as crucial to document the test results as to perform the tests. The record must include the tests taken, by whom, when the tests were performed, and the details of security findings during the tests. Moreover, the report must be clear for the business owners to identify gaps in the security system. 

Testing Techniques

There are different testing techniques organizations can adopt to build security testing programs according to their requirements. In this section, we will mention four techniques along with their advantages and disadvantages. 

Manual inspections and reviews

Manual inspections are human reviews that play an essential role in testing security techniques followed in the organization. They help analyze the people, policies, processes, and technology decisions with the help of documentation and interviews. 

Manual inspections are one of the powerful and effective testing techniques that help by asking people different questions at different levels of testing. It can help understand whether people follow security measures, understand security protocols, or have the skills to design secure applications or not. 

However, a trust-but-verified model must be adopted as nothing told to the reviewer can be accurate, and there are chances of errors. 


  • Flexible
  • Early in the SDLC
  • Promotes teamwork
  • Requires no hard and fast technology


  • Time-consuming
  • Requires human skills and thought to be effective

Threat Modeling

Threat modeling is a technique designers use to predict threat attacks or how malicious attackers can harm the application or computer system. It is a cost-effective method to integrate security in the design phase (can be implemented in other phases too) of SDLC. All applications must develop and document a threat model. 

It is recommended by OWASP to take an approach that simply follows the NIST 800-30 standard for risk assessment. This approach will involve:

  • Decomposing the application
  • Defining and classifying the assets
  • Exploring potential vulnerabilities
  • Exploring potential threats
  • Creating mitigation strategies


  • Flexible
  • Help prioritize threats early in SDLC
  • Risk Control


  • Difficult to break down threats and predict actual risk
  • A good threat model may not always lead to good software.

Source Code Review

Source code security analysis, also known as source code review, is a process of examining the source code of web applications to identify security errors. Testing web applications require the availability of the source code for testing purposes. This technique is most liked by experts. They agree on the fact all necessary information is present in the code and can help identify security vulnerabilities. 

According to OWASP experts, any other form of analysis or testing can not detect serious security issues better than this technique. Many problems are hard to discover with other methods. 


  • Fast and reliable
  • Competent and effective 
  • Provides accuracy


  • High project implementation cost
  • Highly skilled security developers are required 
  • Unable to detect runtime errors easily

Penetration testing

Also known as black-box testing or ethical hacking, penetration testing is a technique to test networks or applications for security vulnerabilities. In this technique, the penetration test team acts as the user of applications, and the tester attacks the system or application to exploit security vulnerabilities. 

While penetration testing is an effective technique for networks, it may not prove to be beneficial in application security. Also, organizations must not use this as a stand-alone technique for security issues. “In practice, a penetration test can only identify a small representative sample of all possible security risks in a system.” wrote Gary McGraw in Software Penetration Testing.


  • Fast and cheap
  • Identify and resolve security vulnerabilities 
  • Can be handled with a lower skill set than source code review


  • Happen too late in SDLC
  • Above the surface-only testing 

The Need For a Balanced Approach

With so many security testing techniques and processes for web applications, it sometimes becomes difficult to choose the right technique and when to use it. There are no right or wrong techniques when it comes to security testing; instead, every phase of SDLC requires a different technique.

While there are different processes for each phase, organizations mostly rely on penetrating testing that may not be enough for web application security. No single technique is enough to address and resolve security vulnerabilities.

The right approach is a balanced approach consisting of several techniques for security testing. From manual review to source code review to CI/CD pipeline testing, a balanced approach must include testing at all phases of the SDLC.

There will be times and situations where only one process will be possible. Also, security testing techniques vary in different projects. The following image consists of the right proportion of test efforts according to test techniques in the SDLC

Let’s automate the OWASP Top 10 process with CyberArrow

CyberArrow simplifies the OWASP Top 10 implementation procedure so you can concentrate on developing a secure business.

Let’s Automate
Deriving Security Test Requirements

You must know the testing objectives to have a successful security testing program. Security requirements specify these objectives. In this section, we will discuss the testing objective and how you can document requirements by deriving them from applicable standards and regulations. 

Testing Objectives

One of the objectives of security testing is the validation of security control if they work as expected or not. Security requirements help document the functionality of the security control. Another objective of security testing is to implement security controls with no or few vulnerabilities. The OWASP Top 10 mentions some of these vulnerabilities, and some other vulnerabilities identified previously during risk assessments in the SDLC. 


Understanding business requirements is necessary to document security requirements. For example, if any business wants to provide financial services or deals with online transactions, the security section for its services will highlight the need to secure customer data, and also comply with applicable security standards or regulations.


Compliance with regulatory industry standards is the first step towards achieving security. For instance, a company that handles credit card data of customers needs to comply with the PCI-DSS regulation. According to this regulation, any company handling credit card information can’t store PINs and CCV2 data. 


These regulations are necessary for companies handling customer data and require security validation via testing and documentation. 

Security Requirements Validation

The main goal of security testing is to validate security requirements. Proper documentation of security requirements can help identify gaps in security controls, such as lack of basic authentication, authorization, or encryption controls. Also, the main objective of security assessment is a risk analysis that can help identify potential weaknesses in the security controls. 


If an application needs access to customer data, companies should use different encryption methods in the application to protect that data from threat actors. Different testing techniques can help detect vulnerabilities early in the SDLC. For example, threat modeling can identify security flaws in the design phase, or source code review can help review source code and highlight potential weaknesses in the application code during development. 

Security Testing and Risk Analysis

To support a risk mitigation strategy, security testing needs to consider the severity of the vulnerabilities that may be encountered during app development. Identified vulnerabilities can be reported by type, root cause, mitigations, and mapped according to the applications where they are found. 


Risk analysis during the SDLC can help identify and evaluate potential issues that can impact the application negatively. Security requirements must involve proper risk assessments to avoid vulnerabilities during the SDLC. 

Security Tests Integrated into Development and Testing Workflows
Security testing in the development workflow

Security testing in the development phase of the software development life cycle enables the developers to look for security flaws in the software components individually before they are built into an application. 


Source code review allows the developers to verify that the source code developed doesn’t consist of any vulnerabilities and its compliance with the secure coding standards. 

Security testing in the testing workflow

Once different components of the software are tested by developers in the development workflow and built into the application, it is time to test the application as a whole entity. These tests may act as the last line of defense for application security before it is released. It is crucial to carry out security testing in the testing workflow with great care. 

Security Test Data Analysis and Reporting

Once you are done security testing, and the application is ready to release, you must analyze security test data afterward. It can help you reduce vulnerabilities for the next application development process. Moreover, it enables organizations to measure the quality of their software security. 


There are certainly other factors that should be taken into consideration while evaluating the security posture of an application, such as the size of the application. According to the OWASP guide “application size has been statistically proven to be related to the number of issues found in the application during testing”.


Furthermore, reporting is an integral part of security testing. It can help understand why the mitigation controls were ineffective in alleviating the threat. According to OWASP, reporting best practices may include:

  • categorization of each vulnerability by type;
  • the security threat that each issue is exposed to; 
  • the root cause of each security issue, such as the bug or flaw; 
  • each testing technique used to find the issues; 
  • the remediation, or countermeasure, for each vulnerability; 
  • and the severity rating of each vulnerability (e.g., high, medium, low, or CVSS score).

The Web Security Testing Framework

The OWASP web security testing guide consists of a reference framework that organizations can adapt according to their security environment and culture. Many organizations still depend on penetration testing that occurs in the development phase. For secure app development, security testing needs to occur in various phases of the Software Development Life Cycle. 


Implementing security testing in the early phases of the SDLC is crucial for secure app development.


“In Writing Secure Code, Howard and LeBlanc note that issuing a security bulletin costs Microsoft at least $100,000, and it costs their customers collectively far more than that to implement the security patches. They also note that the US government’s CyberCrime website details recent criminal cases and the loss to organizations. Typical losses far exceed USD 100,000.”


The OWASP testing framework is built on a flexible approach and organizations can develop their own testing framework according to their testing requirements and needs. The web security testing framework can help organizations build a strategic process.


The OWASP experts have provided a general security framework that is given below. However, their purpose is not to impose it on anyone. It is recommended to mold the framework according to the organization’s security needs. 

Different phases for security testing according to OWASP Testing Guide

Below are different security testing activities that can take place in the Software Development Life Cycle (SDLC):

  • Before development begins
  • During definition and design
  • During development
  • During deployment
  • During maintenance and operations

Phase 1: Before Development Begins

This phase consists of different security activities which can take place before app development begins.

  • Define an SDLC

Before development begins, organizations can address an SDLC where security testing is prioritized at each phase.

  • Review policies and standards

Ensure appropriate policies and standards for software development life cycle. Also, proper documentation needs to be done so that the development team can follow it for secure app development. 


For example, an application being made in Java will follow the Java secure coding standard. And same goes for cryptography and other standards. No policies or standards can claim to end security vulnerability completely during the SDLC. However, they can minimize the risk as much as possible.

  • Develop measurement and ensure traceability

Develop criteria and ensure traceability before development begins. Doing this can provide insight into the defects in both the product and the process.

Phase 2: During Definition and Design

The activities you can follow during the definition and design phase of the app are:

  • Review security requirements

Security requirements are a set of prerequisites for needed security that can help set conditions for security testing. They must be reviewed during the definition and design phase so that any gaps in the requirements are identified earlier. 


You can consider looking into the following security mechanism when looking for security gaps in requirements: 

  • Authentication and password management 
  • Data confidentiality 
  • Authorization and role management 
  • Code integrity 
  • Data validation, etc

  • Review design and architecture

Looking for security gaps in the design phase is one of the most cost-effective ways and it is easy to make changes during design if any vulnerability is identified. Properly document design and architecture. It can include models, textual documents, artifacts, etc. 


Reviewing in the design phase allows organizations to test whether they follow the security requirements as mentioned or not. In the event of discovered weaknesses, alternative approaches can be considered for fulfilling security requirements.

  • Create and review UML models

Unified Modeling Language (UML) describes how the application will work. Once designing is sorted, build or use pre-available UML models to understand the app’s working and identify weaknesses.

  • Create and review threat models

Once reviewing designing and UML models is done, consider undertaking threat modeling exercises. Create different threat scenarios and test for vulnerabilities based on those scenarios. Ensure that these threats are mitigated, reviewed, and removed from the application.

Phase 3: During Development

  • Code walkthrough

A code walkthrough is generally not a code review but a way to understand the flow and layout of the code. This can help security teams get a basic understanding and structure of the code that makes up the application.

  • Code reviews

Code review is a way to look for defects in the code. According to the OWASP guide, Static code reviews validate the code against a set of checklists, including:

  • Business requirements for availability, confidentiality, and integrity;
  • OWASP Guide or Top 10 Checklists for technical exposures (depending on the depth of the review);
  • Specific issues relating to the language or framework in use, such as the Scarlet paper for PHP or Microsoft Secure Coding checklists for ASP.NET; and
  • Any industry-specific requirements, such as Sarbanes-Oxley 404, COPPA, ISO/IEC 27002, APRA, HIPAA, Visa Merchant guidelines, or other regulatory regimes. 

Phase 4: During Deployment

  • Penetration testing

Generally, testing the requirements, analyzing the designs, and reviewing code can help resolve issues as much as possible. However, penetration testing after the application has been deployed acts as an additional check to look for security defects if any.

  • Configure management testing

Penetration testing can help examine app infrastructure and how it was deployed and secured. Review configuration aspects to ensure none are left at the default setting that can cause vulnerability exploitation.

Phase 5: During Maintenance and Operations

  • Conduct Operational Management Reviews

Once the application is deployed, conduct operational management reviews to check the operational sides of both application and its infrastructure.

  • Conduct Periodic Health Checks

Periodic (monthly or quarterly) health checks should be conducted on the application after deployment to check if new security vulnerabilities have been introduced or not.

  • Ensure Change Verification

A typical SDLC workflow is shown in the figure below:

There can be chances of certain changes in the application during the app testing phase. It is essential to ensure that the level of security is not affected by the changes made to the application.

Web Application Security Testing

Introduction and Objectives

Application security testing is necessary to develop secure web applications. This section will cover the OWASP security testing methodology and how you can test for vulnerabilities in the application with identified security controls. The approach to writing the OWASP guide is open and collaborative so that anyone can benefit from the information. It tends to create a methodology that will be:

  • Consistent 
  • Reproducible
  • Rigorous
  • Under quality control.

What is Web Application Security Testing?

Security testing is and never will be an exact science where you can define all the ways and checklists for resolving security issues and identifying gaps in the security system. The OWASP Testing Methodology focuses on providing all the possible testing techniques, explaining them, and keeping them updated so that organizations and developers can benefit from the most of it and create a security testing framework according to their own conditions and circumstances.

The OWASP testing model consists of:

  • Tester
  • Tools and methodology
  • Application

It is built on two types of testing categories:

    • Passive Testing

In passive testing, the tester focuses on understanding the application’s logic and tries to explore it as a user.

    • Active Testing

Active testing consists of different testing methodologies which we will discuss below.

Information Gathering

Information gathering is crucial for security testing. Before the application enters the configuration and deployment phase, testers must gather related information about the application, such as how the security of the application works or how they can identify gaps in the app. 


Testers can use different methods to gather information. They can use search engines to perform preliminary surveys or research on websites and applications. It consists of index searching and associated content cache. 


Also, testers can gather design and configuration information by searching forums, newsgroups, etc. This can help them discover what information about the application and system is exposed on the organization’s website or via third-party servers. 


Another thing testers can do is to determine the version of a running web server via web server fingerprinting to discover any known vulnerabilities. Moreover, it is essential to review web server meta files and webpage content for any information leakage. 


Often many applications can contain hidden vulnerabilities or attackers’ strategies to exploit data through remote access. Additionally, organizations misconfigure applications due to the misconception that the app is only used internally and that any threat can not exist. Testers can perform web application discovery to resolve this issue.

Following are some other things that testers can do:

  • Identify application entry and injection points to map out areas of weakness within the application. 
  • Map execution paths through application and understand principle workflows 
  • Map application architecture based on the research.

Configuration and Deployment Management Testing

It is as important to understand the configuration of the web server hosting the application as to perform security testing for the application. Compromised application platform configuration can risk application security. Seemingly small problems in the infrastructure can lead to severe risks for other applications on the same server. 

What needs to be tested?

  • Known server vulnerabilities 
  • Administrative tools.

Unified Modeling Language (UML) describes how the application will work. Once designing is sorted, build or use pre-available UML models to understand the app’s working and identify weaknesses.

  • Black-box testing 
  • Gray-box testing.

Other tests in the configuration and deployment management testing may include:

  • Test file extensions

File extensions are used in web servers to determine technologies, languages, and plugins. Misconfiguration of web servers can easily reveal sensitive information. Test file extensions that handle sensitive information to determine attack scenarios and ensure no system bypass exists.

  • Review old backup and unreferenced files

Often old backup or unreferenced files are present within the web server that could contain important information about the infrastructure or credentials. They may grant access to the tester into inner workings, back doors, or the database server. However, these types of files can present several risks for the application.


They may contain vulnerabilities or expose sensitive data that can aid an attack against the application. It is necessary to find, analyze, and secure old backup files that may contain sensitive information.

  • Test HTTP methods

Different methods are offered by HTTP that are used to perform actions on the web server. The most common are GET and POST methods used to access information. While these are the most commonly used methods, there are other rare methods too that are often ignored by developers. Developers must test all the HTTP methods to check how they can impact the security features of an application. 

  • Test file permission

When different files and resources are given permissions settings, it can lead to the exposure of sensitive information, thus resulting in data theft. Files and resources’ permissions must be reviewed so that unauthorized users are not given unnecessary access to sensitive data or critical resources.

  • Test cloud storage

Unauthorized access to cloud storage may lead to sensitive information exposure. Cloud storage must be reviewed and tested against unauthorized access.

Identity Management Testing

 Identity management testing typically consists of the following tests:

  • Test Role Definitions

  • An administrator
  • An auditor
  • A support engineer
  • A customer 

After testing the attack vectors, the tester must identify and set up role definitions to handle application use cases. He must understand the permission access provided to each user. 

  • Test User Registration Process

Many websites offer automated registration processes to register their users. The identity requirements vary from system to system and depend on the security requirements of applications.  The task of the tester is to verify that user registration requirements match the business and its security requirements. Also, he must be able to validate the registration process. 

For example, some websites only demand email addresses for user verification, while others may demand additional identity requirements, such as name, date of birth, etc. 

  • Test Account Provisioning Process

Account provisioning can bring an opportunity for attackers if proper identity verification and authorization processes are not present. The tester must verify the provisioning process for user accounts.

  • Testing for Account Enumeration and Guessable User Account

Often, there are situations where attackers can gather usernames by entering valid or invalid usernames in the application or web server. Web applications may reveal if a username already exists. The attacker can get a list of usernames and use them to attack the web application.


Testers can review account enumeration and processes related to user identification. Also, they can ensure that the app generates a generic error message if any invalid user name is entered.

  • Testing for Weak or Unenforced Username Policy

A weak username policy can also lead to compromised data. Often user names for accounts are highly structured, and sometimes they are easily guessed. Testers must review username policies and ensure the generation of error messages when an invalid username is entered.

Authentication Testing

Authentication testing may contain several different tests and processes. Here, we will discuss six testing processes.

  • Testing for Credentials Transported over an Encrypted Channel

If credentials are not encrypted while they are being transferred through web applications, an attacker can attack user accounts by sniffing network traffic. A web application uses different encryption methods, including HTTP to ensure credentials are secured while in the transit phase. (client to server or server to client)


Failure in encryption in any of these credentials by the web application can cause data theft by an attacker. The tester can analyze situations, if any, where credentials are transmitted without encryption.

  • Testing for Default Credentials

When applications are installed, they are not properly configured, and the initial default credentials set for authorization are never changed. Penetration testers know these default credentials and often malicious attackers too. This can lead to unauthorized access to the web application. Testers must analyze new user accounts and review default, identifiable patterns, or credentials to prevent them from unauthorized access.

  • Testing for Vulnerable Remember Password

With a multitude of used applications, users can’t handle their credentials properly. They use different options to remember their credentials, such as the remember me option that allows users to stay authenticated and doesn’t require them to enter credentials again. 


Another option is the usage of password managers, enabling users to store their credentials securely.  Often these options can be vulnerable. Testers must validate that users’ credentials are not in danger in the generated session.

  • Testing for Browser Cache Weaknesses

Browsers save information in the form of cache and history. This can help web browsers improve their performance. Testers must review applications to ensure the browser does not retain sensitive information and access doesn’t occur without authorization.

  • Testing for Weak Password Policy

Weak passwords can lead to compromised access to user accounts. Introduce strong password policies or other authentication methods, such as two-factor authentication, to mitigate the risk of easily guessable passwords that facilitate unauthorized access.

  • Testing for Weaker Authentication in Alternative Channel

There might exist security gaps in alternative authentication channels for the same user accounts. Some of these channels can be completely different web applications using different hostnames or paths. Such as:

  • Standard website,
  • Mobile or a specific device,
  • Alternative country or language website, etc

Identifying and testing alternative channels can help reduce security vulnerabilities. Also, testers must analyze the security measures taken to secure these channels.

Session Management Testing

This section of the application security testing covers different processes for session management.

  • Testing for Session Management Schema

Web-based applications use cookies to store data for session management. Cookies play a vital role in application security. If somehow someone manages to tamper with the cookies, it can cause hijacking sessions of legitimate users and influence app operations in an unauthorized way. 


The tester should ensure that cookies must not contain information that can be manipulated. Also, it should be hard to modify cookies.

  • Testing for Cookies Attributes

As mentioned above, cookies have become a storage mechanism for web applications as they are flexible to use and provide protection.  Testers must ensure the setting of proper security configurations for cookies and apply attributes and prefixes based on application needs.

  • Testing for Logout Functionality

Session termination is an integral part of the session lifecycle. Multiple issues can prevent the session to terminate. A web application must allow the users to effectively end the session anytime through the user interface. For this, the tester can analyze the logout UI or session timeout.

  • Testing Session Timeout

For testing session timeout, the tester can ensure that the session is terminated when a user is idle for a specific time, and the sensitive data is not stored in the browser cache.

  • Testing for Session Hijacking

Attackers can hijack sessions by getting access to session cookies and impersonating them. To prevent session hijacking, session cookies must be stored. Testers can identify vulnerable session cookies and hijack them to assess the risk level.

Testing for Error Handling

Error handling is important when testing the security of web applications.

  • Testing for improper error handling

For several reasons, applications can generate errors. Often these errors are overlooked by developers because they may assume that a user can’t trigger any error. However, various errors can rise as network timeouts, stack traces, memory dump, etc. 


Handling errors improperly can allow the attackers to understand the APIs, map the services, perform DoS attacks on the system, and much more. Testers can test error handling by identifying errors and analyzing different outputs returned. 

Testing for Weak Cryptography

Weak cryptography can cause a malicious attacker to decrypt data that may contain sensitive information. Testing for weak cryptography comprises different testing processes:

  • Testing for Weak Transport Layer Security

If the information sent between the client and the server is not encrypted or protected properly, it can cause the attacker to read and modify it. HTTP uses Transport Layer Security (TLS) to protect this information. Over the years, there have been cryptographic weaknesses in the TLS protocols. Testing of these protocols is necessary. The tests must securely ensure the implementation of TLS.

  • Testing for Padding Oracle

Padding oracle is the functioning of an application that decrypts encrypted data sent by the client. This can also allow the attacker to decrypt data and cause leakage of sensitive data. It is necessary to identify encrypted messages relying on padding and analyze returned error messages after breaking the padding.

  • Testing for Sensitive Information Sent via Unencrypted Channels

Sensitive information transmitted through unencrypted channels is a security risk. While data must be protected where it is stored, it must also be protected during transmission. Testers can identify sensitive information and analyze the security and privacy of channels from where it is transmitted.

  • Testing for Weak Encryption

Weak encryption may cause sensitive data exposure, insecure sessions, broken authentication, and many other security risks. Testing for weak encryption can be done via source code review or other methods.

Client-Side Testing

It may include the following testing processes:

  • Testing for Javascript execution

Javascript injection vulnerability exists when an arbitrary Javascript code is injected into the application inside the victim’s browser. This vulnerability can cause the disclosure of users’ session cookies. Also, it can allow the attacker to manipulate the web content. This vulnerability can be tested by identifying and analyzing javascript injection points.

  • Testing for HTML injection

Same as Javascript injection, HTML injection exists when a user can control an input point, and an arbitrary HTML code is injected into a vulnerable web page. The consequences are the same as Javascript vulnerability which is the disclosure of users’ session cookies. Testers can identify HTML injection points and analyze the severity of the injected content.

  • Testing for Client-side URL redirect

Client-side URL redirection, also known as open redirection, can occur when user-controlled input is accepted by the application redirecting you to another external link. This external link seems to be authentic as it is generated by the application. However, it can lead to a malicious page, causing a phishing scam where the attacker can steal user credentials. Testers can identify injection points and assess locations to which the system could redirect.

  • Testing for web messaging

There are situations where different applications running on separate domains need to communicate with each other. This is known as web messaging. To prevent malicious use of this process, testers need to test for web messaging. They can analyze the message origin’s security and authenticate its input and that it is using safe messaging methods.

  • Testing for browser storage

Web browsers provide client-side storage for developers to store and retrieve data. These storages may include:

  • Local Storage 
  • Session Storage 
  • IndexedDB 
  • Web SQL (Deprecated) 
  • Cookies

These storage spaces on the client-side must be tested and authenticated. Also, testers can determine whether sensitive information is saved on the client-side, and testing should be done to analyze the possibilities of injection attacks on these storage objects. They must ensure that applications store sensitive data on the server side instead of the client side.


Reporting is an integral part of web application security testing. Performing the technical side assessment is half the process of security testing. The other half is reporting. The final product of the web application security testing is a well-written and documented report where all the tests and assessments performed are highlighted. Also, the report must be easy to understand and highlight all the risks found during security testing.

How can you start with the Web Security Testing Guide (WSTG)?

It can be overwhelming to start with the WSTG due to its scope and the amount of information it contains. Following are a few ways to implement WSTG with your SDLC.

Integrate WSTG into your SDLC

  • Security Training

Security training is necessary for both the testing teams and the developers. It can help them perform web application security according to their security requirements.

  • Prioritize your tests

Applying all the tests of the WSTG at the beginning is almost impossible. Firstly, choose the tests that set fit according to your security requirements and can address bigger risks. After that, you can add more tests to your SDLC gradually. This is how you can integrate WSTG into your SDLC.

CyberArrow can help you automate your OWASP Top 10 efforts with ease.