Methodology Brief · WSTG v4.2 · ASVS v4.0.3
TLP: Amber

Section 01 // Overview

Web Application
Penetration Testing.

Standards-aligned, manual-driven web application security testing. Scanner output is a starting point, not a deliverable.

Phases: 11 (WSTG-aligned)
Engagement: 5 — 25 days (tier dependent)
Primary Standard: WSTG v4.2 (OWASP)
Verification: ASVS L2 / L3 (L3 for sensitive apps)

Section 02 // Methodology Standards

What we test against.

STD · 01 // Primary
OWASP WSTG v4.2
Web Security Testing Guide — the primary methodology framework. Every check in the engagement traces back to a WSTG section.
STD · 02 // Verification
OWASP ASVS v4.0.3
Application Security Verification Standard. Level 2 default; Level 3 for sensitive apps (payments, health, regulated data).
STD · 03 // API
OWASP API Security Top 10 (2023)
Applied when the engagement is API-heavy. BOLA, BOPLA, broken auth, mass assignment, SSRF, inventory drift — all in scope.
STD · 04 // Severity
CWE Top 25
Used for severity classification and CWE-mapping on every finding. Pairs with CVSS v3.1 in the deliverable.

Section 03 // Scoping Inputs

Before we engage.

The faster these inputs arrive, the more time we spend on business logic and authorization paths instead of reconnaissance.

01 Application URL(s) — production, staging, dev environments
02 Test accounts — minimum 2 per role for IDOR + horizontal authZ
03 Roles in the app (admin, user, viewer, billing, etc.)
04 API documentation — OpenAPI / Postman / GraphQL schema
05 Tech stack (informs targeted checks; not required)
06 Out-of-scope features — third-party integrations, live PSP flows
07 Production vs staging — staging with prod-like data recommended
08 WAF active? — off for first round; on for retest to validate rules
09 Testing window — 24×7 or business hours
10 Data sensitivity — PII / PHI / PCI in scope?

Section 04 // Engagement Tiers

Three pricing tracks.

Tier I // Starter
Single app, simple auth, ~50 endpoints. Days: 5. Price: $5k — $10k.
Tier III // Enterprise
Multiple apps / microservices, deep API surface, business-logic focus. Days: 15 — 25. Price: $30k — $60k.
Custom Scope

None of these fit? Send the shape of the app and we'll write you a tailored quote.


Section 05 // Methodology

Eleven phases.

Phases flagged ★ High Value are where most real impact is found.

01
Information Gathering
~0.5 day
WSTG-INFO
Application functionality, tech stack, entry points
Spider / crawl all reachable endpoints
Identify authenticated areas, role separations
Map API endpoints — OpenAPI / Swagger / Postman / GraphQL
Framework fingerprinting (Wappalyzer, BuiltWith)
Client-side tech (React / Vue / Angular / mobile)
Public OSINT — GitHub leaks, sourcemaps, exposed configs
02
Configuration & Deployment Testing
~0.5 day
WSTG-CONF
Server config, HTTP headers, TLS, CORS, CSP
Subdomain takeover potential
Default content / admin panels exposed
Information leakage — verbose errors, stack traces, banners
Backup / source files — .git, .env, .bak
03
Identity & Authentication
~1 day
WSTG-IDNT · WSTG-ATHN
Account enumeration — login, registration, password reset
Username / password policy strength
Authentication bypass — forced browsing, parameter manipulation
Credential transport — HTTPS enforcement, no GET params
Password reset — token entropy, expiry, single-use, account binding
MFA bypass — backup codes, race conditions, downgrade
SSO — SAML, OAuth, OIDC (token forgery, replay, redirect abuse)
Session — token entropy, expiry, fixation, regeneration on auth state change
04
★ High Value · Authorization Testing
~1 — 2 days
WSTG-ATHZ
IDOR — horizontal (User A → User B's data) and vertical (User → Admin)
Mass assignment / over-posting
Privilege escalation via parameter tampering
Role bypass via direct URL access
API authorization — GraphQL field-level, REST per-endpoint
Tenant isolation (multi-tenant SaaS)
05
Session Management
~0.5 day
WSTG-SESS
Cookie attributes — HttpOnly, Secure, SameSite
CSRF protection — token presence, validation
Logout invalidation
Concurrent session handling
JWT validation — algorithm confusion, key confusion, expiry, audience, issuer
06
Input Validation
~1 — 2 days
WSTG-INPV
SQL injection (all engines, including NoSQL)
XSS — reflected, stored, DOM-based
Command injection
LDAP / NoSQL injection
XML injection / XXE
SSRF — cloud metadata endpoints, internal services
File upload — extension bypass, content-type, polyglot, path traversal
Path traversal
Open redirect
Server-side template injection (SSTI) — Jinja2, Twig, etc.
Prototype pollution (Node.js)
HTTP request smuggling — front-end / back-end protocol mismatch
Deserialization — Java, .NET, PHP, Python pickle, Ruby Marshal
Race conditions — Burp send-group-in-parallel
07
Error Handling
~0.25 day
WSTG-ERRH
Verbose error messages — stack traces, DB query exposure
Information leakage via differential error responses
08
Cryptography
~0.5 day
WSTG-CRYP
TLS config (testssl.sh)
Weak cipher suites
Password storage — verify Argon2id / bcrypt via API behavior or code review
Sensitive data in transit — no plaintext over HTTP
JWT signing — no alg: none, no symmetric where asymmetric expected
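The JWT checks listed under Session Management and Cryptography (algorithm pinning against alg:none and alg/key confusion, expiry, audience, issuer) as seen from the verifying server's side. This is an added example, not code from the brief or its authors; the signing helper, key, clock value and tokens are constructed purely to exercise each check.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper standing in for a hypothetical issuer; only used to mint sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, *, audience: str, issuer: str, now=None) -> dict:
    """Strict verification: server-pinned alg, constant-time signature check, then exp / aud / iss."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
    except (ValueError, json.JSONDecodeError):
        raise ValueError("malformed token")
    # The header never chooses the algorithm: anything but the pinned HS256 is refused,
    # which covers alg:none and a symmetric alg presented where another was expected.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    return claims

def check(token: str, key: bytes, **kw) -> str:
    """Returns 'ok' or the rejection reason, so the outcome for each sample token is inspectable."""
    try:
        verify_jwt(token, key, **kw)
        return "ok"
    except ValueError as e:
        return str(e)

# Constructed sample material: demo key, fixed clock, and tokens that trip individual checks.
KEY, NOW = b"constructed-demo-key", 1_700_000_000
GOOD = sign_hs256({"sub": "u1", "aud": "api", "iss": "idp", "exp": NOW + 600}, KEY)
ALG_NONE = _b64url(b'{"alg":"none"}') + "." + GOOD.split(".")[1] + "."  # unsigned; must be refused
WRONG_AUD = sign_hs256({"sub": "u1", "aud": "other", "iss": "idp", "exp": NOW + 600}, KEY)
```

In a review, the same matrix (good token, alg:none, wrong audience, expired, wrong key) is what the pass / fail entry for the JWT checks should record per endpoint.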
09
★ High Value · Business Logic
~1 — 2 days
WSTG-BUSL
Workflow circumvention — skip steps, replay states
Time / race condition abuse (e.g. apply same coupon twice via race)
Price manipulation
Quantity / limit bypass
Account takeover via business flow (e.g. account merge)
Domain-specific — fintech double-spend, SaaS tier-bypass, marketplace feedback manipulation
10
Client-Side
~0.5 day
WSTG-CLNT
DOM-based XSS
Sensitive data in JS bundles — API keys, internal endpoints, comments
Client-side enforcement of server-side concerns (role checks in JS only)
Sourcemap exposure
postMessage abuse
Web storage — sensitive data in localStorage / sessionStorage
11
API Testing
~1 — 2 days
OWASP API Top 10 (2023)
API1 · BOLA — Broken Object Level Authorization (IDOR)
API2 · Broken Authentication
API3 · BOPLA — Broken Object Property Level Authorization
API4 · Unrestricted Resource Consumption
API5 · Broken Function Level Authorization
API6 · Unrestricted Access to Sensitive Business Flows
API7 · SSRF
API8 · Security Misconfiguration
API9 · Improper Inventory Management
API10 · Unsafe Consumption of APIs
GraphQL-specific
Introspection enabled in prod
Field-level authZ bypass
Depth / complexity DoS
Batching abuse
Alias-based abuse
REST-specific
Mass assignment
Verb tampering — PUT / PATCH / DELETE on unintended endpoints
Content-type confusion

Section 06 // Deliverables

What you receive.

01
Executive Summary
One page. Business-focused. The narrative your board will read.
02
Methodology & Scope
What we tested, what was out of scope, and why.
03
Findings
Severity-ordered, CVSS v3.1. Each: title, affected endpoints, repro (curl / Burp), PoC, business impact, framework-specific remediation, CWE / OWASP refs.
04
Pass / Fail Matrix
Every WSTG check category marked tested + result. Audit trail by design.
05
Remediation Roadmap
Prioritized fix list. Sequenced for engineering teams, not just security.
06
Retest Report
Free for critical / high findings within 30 days of report delivery.

Section 07 // Common Findings

What we typically find.

Industry frequency. Sorted most-to-least common.

IDOR — object-level authorization · Very common
Excessive data exposure (API) · Very common
Missing rate limiting · Common
Missing security headers · Common
Insecure direct file access · Common
Stored XSS (rich text fields) · Common
JWT misconfiguration · Common
Insufficient session expiry · Common
Password reset weaknesses · Common
Mass assignment (Rails / Node) · Common
SSRF (URL-fetching features) · Common
GraphQL field-level authorization · Common
SQL injection · Rarer · ORMs help

Section 08 // Timeline

Day by day.

Standard 8-day engagement (Tier II). 15 working days end-to-end including report writing and readout.

Day 01 — Info gathering · config review
Day 02 — Auth · identity
Day 03 — AuthZ deep dive · IDOR
Day 04 — Input validation · XSS · SSRF
Day 05 — API · GraphQL
Day 06 — Business logic · client-side
Day 07 — Cleanup · validate · evidence
Day 08 — Buffer · re-validation
Day 09 — Report writing
Day 10 — Report writing
Day 11 — Report writing
Day 12 — Report writing
Day 13 — Report writing
Day 14 — Report delivery
Day 15 — Readout call

Section 09 // Anti-Patterns

How we don't operate.

× Pure scanner-driven reports. Burp scan + report = low value. Manual exploitation is the deliverable.
× Testing prod against live PSPs / real email flows. We use staging or mocks. Production transactions are not our test subject.
× Skipping business logic for time. It's the highest-value category and the hardest to automate. We don't skip it.
× Generic remediation guidance. "Validate input" isn't advice. Recommendations are specific to the framework you ship.
× Skipping authenticated testing. Most real vulnerabilities live behind login. We test the whole surface, not just the front door.
× Reporting scanner CVEs without exploitation context. If it can't be exploited in your environment, it doesn't ship as critical.
Engagement Inquiry

Brief us on the application.

Send scope, account count, and target window. We respond with a tier recommendation and start date within one business day.