- Guide:
- Add GraphQL API testing scenario and details (WSTG-APIT-01).
- Add Test Objectives to all scenarios.
- Add Testing for HTTP Method Overriding (WSTG-CONF-06).
- Add to Review Webpage Content for Information Leakage (WSTG-INFO-05).
- Add Testing for Session Hijacking (WSTG-SESS-09).
- Add to Testing for Bypassing Authorization Schema (WSTG-ATHZ-02).
- Add to Testing for Local File Inclusion (WSTG-INPV-11.1).
- Add Appendix F: Leveraging Dev Tools.
- Add Testing for Server-Side Request Forgery (WSTG-INPV-19).
- Add to Testing for Weak Lock Out Mechanism (WSTG-ATHN-03).
- Merge section Fingerprint Web Application (WSTG-INFO-09) into Fingerprint Web Application Framework (WSTG-INFO-08).
- Merge section Testing for HTTP Verb Tampering (WSTG-INPV-03) into Test HTTP Methods (WSTG-CONF-06).
- Merge section Testing for Stack Traces (WSTG-ERRH-02) into Testing for Improper Error Handling (WSTG-ERRH-01).
- Update Frontispiece (Chapter 1).
- Update Introduction (Chapter 2).
- Update Test HTTP Strict Transport Security (WSTG-CONF-07).
- Update Review Webserver Metafiles for Information Leakage (WSTG-INFO-03).
- Update Penetration Testing Methodologies (Chapter 3.8).
- Update Test HTTP Methods (WSTG-CONF-06).
- Update Test Upload of Malicious Files (WSTG-BUSL-09).
- Update Testing for Weak Encryption (WSTG-CRYP-04).
- Update Testing for SSI Injection (WSTG-INPV-08).
- Update Testing for Format String Injection (WSTG-INPV-13).
- Update DOM-Based Cross Site Scripting to include sources, sinks, and their corresponding references (WSTG-CLNT-01).
- Remove Testing for Buffer Overflow (WSTG-INPV-13).
- Rewrite Fuzz Vectors (Appendix C).
- Rewrite Testing for Weak Transport Layer Security (WSTG-CRYP-01).
- Rewrite Role Definitions (WSTG-IDNT-01).
- Rewrite Weak Lockout (WSTG-ATHN-03).
- Rewrite Testing for Credentials Transported over an Encrypted Channel (WSTG-ATHN-01).
- Rewrite Session Fixation Testing (WSTG-SESS-03).
- Rewrite Testing for Improper Error Handling (WSTG-ERRH-01).
- Rewrite Reporting section.
- Update Test for Process Timing (WSTG-BUSL-04).
- Update Contributor Guide, Style Guide, and Content Templates.
- Standardize HTTP request/response examples.
- Establish consistent terminology.
- Change MiTM terminology to manipulator-in-the-middle, aligning with other industry projects such as ZAP.
- Add reference and linking details.
- Update references and links for tools, remove links and references for seemingly un-maintained tools.
- Revise CIS-CAT and Wappalyzer references.
- Add OWASP trademark registration.
- Repository housekeeping:
- Add Codespaces support.
- Establish GitLocalize (https://gitlocalize.com/repo/5220) as a facility through which the project will accept translations.
- Add terminology linting.
- Add "Sponsor" details.
- Automate creation of JSON "checklist".
- Add action to refresh stale issues.
- Add README and documentation for GitHub Action workflows.
- Add manual triggers to various workflows (such as PDF generation).
- For future use:
- Establish a layout plan for v5.
- Establish release plans and milestones/projects for 4.2, 4.3, and 5.0.
- Based on:
- ~120 Pull Requests.
- 2 Google docs for planning and data collection.
- Innumerable Slack discussions.