# Security Tester

Test web application and API security based on OWASP standards.

## OWASP Top 10 (2021) Test Matrix

Reference: https://owasp.org/Top10/

| # | Category | CWE | Key Tests |
|---|---|---|---|
| A01 | Broken Access Control | CWE-284 | IDOR, privilege escalation, force browse, CORS |
| A02 | Cryptographic Failures | CWE-310 | TLS config, password storage, sensitive data exposure |
| A03 | Injection | CWE-74 | SQLi, XSS, command injection, LDAP injection |
| A04 | Insecure Design | CWE-501 | Business logic flaws, missing rate limits |
| A05 | Security Misconfiguration | CWE-16 | Default creds, verbose errors, unnecessary features |
| A06 | Vulnerable Components | CWE-1035 | Outdated libs, known CVEs |
| A07 | Auth Failures | CWE-287 | Brute force, weak passwords, session fixation |
| A08 | Data Integrity Failures | CWE-502 | Insecure deserialization, unsigned updates |
| A09 | Logging Failures | CWE-778 | Missing audit logs, log injection |
| A10 | SSRF | CWE-918 | Server-side request forgery |

## Security Test Case Generation

For each API endpoint or page, apply this checklist:

### A01: Access Control Testing (OWASP-AT)

```bash
# IDOR: access another user's resource with user A's token
curl -H "Authorization: Bearer $USER_A_TOKEN" \
  "$URL/api/users/USER_B_ID/profile"
# Expected: 403 Forbidden

# Vertical privilege escalation: a normal user calls an admin endpoint
curl -H "Authorization: Bearer $NORMAL_USER_TOKEN" \
  "$URL/api/admin/users"
# Expected: 403 Forbidden

# Force browsing (unauthenticated)
curl "$URL/api/internal/config"
# Expected: 401 Unauthorized

# CORS misconfiguration: does the server reflect an arbitrary origin?
curl -s -I -H "Origin: https://evil.com" "$URL/api/data" \
  | grep -i "access-control-allow"
# Check: Access-Control-Allow-Origin should NOT be * or evil.com
# (a reflected origin together with Access-Control-Allow-Credentials: true is the worst case)

# HTTP method tampering
curl -X DELETE -H "Authorization: Bearer $READONLY_TOKEN" \
  "$URL/api/items/1"
# Expected: 403 if user lacks delete permission
```
### A03: Injection Testing

```bash
# SQL Injection (OWASP-DV-005)
# Reference: CWE-89
PAYLOADS=(
  "' OR '1'='1"
  "' OR '1'='1' --"
  "'; DROP TABLE users; --"
  "' UNION SELECT null,null,null --"
  "1' AND SLEEP(5) --"
)
for p in "${PAYLOADS[@]}"; do
  echo "Testing: $p"
  # -G with --data-urlencode lets curl URL-encode the payload itself;
  # embedding $p inside a quoted python3 -c string breaks on the single quotes
  curl -s -o /dev/null -w "%{http_code} %{time_total}s" \
    -G --data-urlencode "q=$p" "$URL/api/search"
  echo
  # Look for: 500 responses, database error text, or a ~5s delay on the SLEEP payload
done

# XSS (OWASP-DV-001)
# Reference: CWE-79
XSS_PAYLOADS=(
  '<script>alert(1)</script>'
  '<img src=x onerror=alert(1)>'
  '"><svg onload=alert(1)>'
  'javascript:alert(1)'
  '<body onload=alert(1)>'
)
for p in "${XSS_PAYLOADS[@]}"; do
  # Payload reflected unencoded in the response body => output encoding is missing
  if curl -s -G --data-urlencode "q=$p" "$URL/api/search" | grep -qF -- "$p"; then
    echo "REFLECTED UNENCODED: $p"
  fi
done

# Command Injection (CWE-78)
CMD_PAYLOADS=(
  '; ls -la'
  '| cat /etc/passwd'
  '$(whoami)'
  '`id`'
)
# Send each with the same loop as above; command output in the response
# (a directory listing, a username, uid=...) or an unexpected delay indicates
# that input reaches a shell.
```
### A07: Authentication Testing

```bash
# Brute force protection (OWASP-AT-004)
for i in $(seq 1 20); do
  STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
    -X POST "$URL/api/login" \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"admin\",\"password\":\"wrong$i\"}")
  echo "Attempt $i: $STATUS"
  # After 5-10 attempts, should see 429 or account lockout
done

# Session fixation
# 1. Get session before login
# 2. Login
# 3. Verify session ID changed after login

# JWT vulnerabilities
# Check: alg=none bypass, weak secret, missing expiry
# Decode header and payload. JWT segments are base64url without padding,
# so a plain `cut -d. -f2 | base64 -d` often fails; restore padding first.
python3 - "$JWT" <<'EOF'
import base64, json, sys
for name, seg in zip(("header", "payload"), sys.argv[1].split(".")[:2]):
    data = base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
    print(name, json.dumps(json.loads(data), indent=2))
EOF
# Look for: "alg": "none", a short/guessable HS256 secret, and no "exp" claim
```
## Vulnerability Report Template

```markdown
## 🛡️ Security Finding

**Title**: [CWE-XXX] Brief description
**Severity**: 🔴 Critical / 🟠 High / 🟡 Medium / 🟢 Low / ℹ️ Info
**CVSS 3.1**: X.X ({vector_string})
**CWE**: CWE-XXX ({cwe_name})
**OWASP**: A0X:2021 ({category})
**Affected**: {endpoint / component}

### Description
What the vulnerability is and why it matters.

### Proof of Concept
Step-by-step reproduction with exact commands/requests.

### Impact
- Confidentiality: {High/Medium/Low/None}
- Integrity: {High/Medium/Low/None}
- Availability: {High/Medium/Low/None}

### Remediation
Specific fix recommendations with code examples.

### References
- OWASP: {link}
- CWE: {link}
```
## CVSS 3.1 Quick Scoring

Reference: https://www.first.org/cvss/

| Severity | Score | Example |
|---|---|---|
| 🔴 Critical | 9.0-10.0 | Unauthenticated RCE, mass data breach |
| 🟠 High | 7.0-8.9 | SQLi with data access, auth bypass |
| 🟡 Medium | 4.0-6.9 | Stored XSS, IDOR with limited data |
| 🟢 Low | 0.1-3.9 | Reflected XSS requiring interaction |
| ℹ️ Info | 0.0 | Version disclosure, missing headers |

## Security Headers Check

```bash
# Check response headers
curl -sI "$URL" | grep -iE "strict-transport|content-security|x-frame|x-content-type|x-xss|referrer-policy|permissions-policy"

# Expected headers:
# Strict-Transport-Security: max-age=31536000; includeSubDomains
# Content-Security-Policy: default-src 'self'
# X-Frame-Options: DENY or SAMEORIGIN
# X-Content-Type-Options: nosniff
# Referrer-Policy: strict-origin-when-cross-origin
# Permissions-Policy: camera=(), microphone=()
```
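As an added example (not part of this checklist), the expected values above turned into a pass/fail evaluator a tester can run over any captured header set, so weak values (a short HSTS max-age, `'unsafe-inline'` in the CSP, a leaky Referrer-Policy) are flagged and not just "header present"; the sample headers are constructed.

```python
import re
from typing import Dict, List

# Constructed sample response headers (not captured from any real host);
# every value is deliberately weak or absent except nosniff.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}
MIN_HSTS_AGE = 31536000  # one year, the value expected above
# Referrer policies that send the full URL to other origins
WEAK_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}

def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per failed check; an empty list means all passed."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows unsafe-inline/unsafe-eval")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    rp = h.get("referrer-policy", "").strip().lower()
    if not rp or rp in WEAK_REFERRER:
        findings.append("Referrer-Policy missing or sends full URL cross-origin")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings

if __name__ == "__main__":
    for finding in check_security_headers(SAMPLE_HEADERS):
        print("FAIL:", finding)
```

Feed it the header lines from the `curl -sI` output above (split on the first `:`) to score a live response the same way.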
## References

For detailed testing procedures per category:

- OWASP Top 10 detailed tests: see references/owasp-top10-tests.md
- API-specific security: see references/api-security.md