nosql ssji injection detected

Feel free to consult our, Hacker ransoms 23k MongoDB databases and threatens to contact GDPR authorities, MongoDB server leaks 11 million user records from e-marketing service, Unsecured MongoDB database exposes real-time locations of families, A Benevolent Hacker Is Warning Owners of Unsecured Cassandra Databases, the youtube video accompanying this article. Data activity monitoring. This week, were going to cover NoSQLMap, the antithesis of SQLMap. We defined 127.0.0.1 as the network address and 29 as the subnet mask. consider URL parameters, POST parameters, and even sometimes HTTP headers. These tests should validate that all the security requirements have been met as were defined in the design phase and should include penetration testing on the application and hosting infrastructure, which is recommended to resemble the production infrastructure as much as possible. NoSQL injection vulnerabilities allow attackers to inject code into commands for databases that dont use SQL queries, such as MongoDB. In this post, we will look at specific injection attack types, namely Server-Side JavaScript and Blind NoSQL injections. Copyright 2023, OWASP Foundation, Inc. A Quick Introduction to NoSQL Puzanov has a BSc in communication systems engineering from Ben Gurion University. Finally, the last part calls a new MapReduce to balance the injected code into the original statement. ", blog, 1 June 2015; Queries can also include regular expressions and conditions as well as limit which fields are queried. Lets see how NoSQL injection differs from traditional SQL injection and what you can do to prevent it. For the attack to succeed, a few conditions must be met. Some databases, such as MongoDB, have many third-party REST APIs; many lack the security measures we describe here. WSTG - Latest 4. WebSide JavaScript Injection: Attacking NoSQL and Node.js. to test for NoSQL injections Traditional relational databases don't meet these scalability requirements; they require a single database node to execute all operations of the same transaction1. The NoSQL injection vulnerability can be used by a malicious actor to access and modify sensitive data, including usernames, email addresses, password hashes and login tokens. Reduce risk. When this string is passed as a token, the database will be checked for the existence of random_token and will add my_crafted_token with the value root. If youre searching for a place to share your software expertise, start contributing to InfoQ. Your Information will be kept private . injection Yet these databases are still potentially vulnerable to injection attacks, even if they arent using the traditional SQL syntax. Security information and event management (SIEM) systems aggregate and correlate logs to help attack detection. Attend in-person or get video-only pass to recordings. They control access to databases, monitor activities with customizable security alerts, and create auditable reports of data access and security events. Where SQL injection would execute within the database engine, NoSQL variants may execute during within the application layer or the database layer, depending on the NoSQL API used and data model. But if data is not being stored in structured tables, then how is it being stored? NoSQL Injection Breaking the query structure, as has been done in SQL injection, is more difficult with a JSON structured query. IEEE Softwareoffers solid, peer-reviewed information about today's strategic technology issues. 2. The main features are: Add Passive and Active Scanner checks. Manipulate the standard Insertion Points identified by Burp, in such a way as to reduce user-induced errors. Privacy Notice, Terms And Conditions, Cookie Policy, Live Webinar and Q&A: More Wood & Less Arrows: How to Build an Efficient Cloud Application Architecture (June 22, 2023), Analysis and Mitigation of NoSQL Injections, DevOps News Editor @InfoQ; Director of Products @Second State, Articles contributor @InfoQ; Software Developer, CEO @Pact, .NET News Editor @InfoQ; Lead Engineer @Vista, former Microsoft MVP, Lead Editor, Software Architecture and Design @InfoQ; Senior Principal Engineer, I consent to InfoQ.com handling my data as explained in this, Architectures Youve Always Wondered About, Operationalizing Responsible AI in Practice, Effective Test Automation Approaches for Modern CI/CD Pipelines, Building an Efficient Cloud Application Architecture (Live Webinar June 22, 2023) - Save Your Seat, More Wood & Less Arrows: How to Build an Efficient Cloud Application Architecture, "The New Page of Injections Book: Memcached Injections", "7 Advantages of Interactive Application Security Testing (IAST) over Static (SAST) and Dynamic (DAST) Testing", "Organizations Ramp up on NoSQL Databases, but What about Security? The problem is that many tools in the market today lack rules for detecting NoSQL injections. As a result, a growing number of distributed, NoSQL key-value stores satisfy the scalability requirements of modern large-scale applications. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax. Finally, users must have permissions and access to the Mongoose HTTP interface. Cookie Preferences Trust Center Modern Slavery Statement Privacy Legal, Copyright 2023 Imperva. Although cache APIs are usually very simple because key-value queries are simple, we found a possible injection attack on Memcached, the second most popular key-value store, owing to a vulnerability in the Memcached driver on certain PHP versions. For this reason, anyone testing for NoSQL injection attacks will need to familiarize themselves with the syntax, data model, and underlying programming language in order to craft specific tests. In other variants, the vulnerability might lead to illegal data access or privileged actions performed by an unprivileged user. Writing for InfoQ has opened many doors and increased career opportunities for me. Installing is as easy as cloning the repository and running the setup.py script. WSTG - Latest HIDSs typically learn an application's normal behavior and provide alerts of activities that don't conform to the expected behavior, which can point to an attack. Mitigating NoSQL Injection Attacks: Part 2. 9. Popular databases that allow this include MongoDB and CouchDB and its descendants, Cloudant and BigCouch. NoSQL injection Download BApp. For example, using well-validated libraries for encryption reduces the risk of developers implementing encryption on their own and introducing vulnerabilities into an algorithm. Awareness. E. Sahafizadeh and M.A. How do we go about finding misconfigurations and vulnerabilities related to NoSQL databases? This attack will succeed in any case in which the username is correcta valid assumption as harvesting usernames isn't difficult. In SQL terminology, this query is similar to. A NoSQL database is used to store the data accessed via a Web application. NoSQLMap is an open-source Python tool designed to audit for, as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases and web applications using NoSQL in order to disclose or clone data from the database. Although the drivers themselves might not be vulnerable, sometimes they present unsafe APIs that, when used incorrectly by the application developer, could introduce vulnerabilities in the application. A very-basic NoSQL injection can be studied here -- https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_sql_and_nosql_injection.html-- which is available from your testing tools if you install the purposely-insecure Nodegoat application. 29 Figure 6. I. Novikov, "The New Page of Injections Book: Memcached Injections", Proc. A typical insert statement in MongoDB could be the following: This inserts a new document into the books collection with a title and author field. SQL is designed to enable queries to be performed against a database, extracting data based upon logical operators. Second, similarly to SQL injection attacks10, proper privilege isolation can minimize the damage in the case of data store exposure via the injections we describe in this article. nosql-injection NoSQL Injection Similar to firewalls that can detect attacks at the network level, host-based intrusion detection systems (HIDSs) guard the execution of the application and workloads on servers. To mitigate this issue, we need to cast the parameters received from the request to the proper type, in this case, using the string. Top 10 most popular databases according to db-engines.com popularity ranking, August 2015. The NoSQL injection vulnerability can be used by a malicious actor to access and modify sensitive data, including usernames, email addresses, password hashes and login tokens. In PHP, such code can look like this (where $param is user input): This code sums the field given by $param for each item by name. First, the cost of fixing a bug in the development phase is much cheaper than later in the life cycle, especially because security testing tends to occur after functional testing, and fixing security bugs might introduce the need to repeat the functional testing. To get the sum or average of these fields, the developer writes a MapReduce function that takes the field name that it should act on (amount or price) as a parameter from the user. PHP V8JS Injection For example, in this article, we show how attackers can exploit the syntax of the $ne (not equal) operator, which lets them illegally log in to the system without appropriate credentials. We recommend using mature databases with built-in security measures. L. Okman et al. Let's take a model of a store that has a collection of items; each item has a price and an amount. Try to identity SSJI using experimental payloads. Hacker Tools: NoSQLMap No SQL, Yes exploitation Scanner NoSQL Injection Live Webinar and Q&A: More Wood & Less Arrows: How to Build an Efficient Cloud Application Architecture (June 22, 2023) This content represents the latest contributions to the Web Security Testing Guide, and may frequently change. But, because user input isn't being escaped here, a malicious input (that might include arbitrary JavaScript) will execute. The exposure of a REST API enables simple exposure of the database to applicationseven HTML5 onlybased applicationsbecause it terminates the need for a mediate driver and lets any programming language perform HTTP queries on the database. The easiest way to view NoSQLMap is as the NoSQL variant of SQLMap. Second, developers might learn from their bugs in an early stage and not repeat them in similar places in later code development. For example, a developer who already understands weaknesses is less likely to introduce one into the software. Today, the situation is better, and popular databases have introduced built-in protection mechanisms7. WebExample 2: NoSQL SSJS Injection Vulnerability (PHP + MongoDB) The MongoDB shell provides a sleep() function which makes time-based detection much easier to perform.. JavaScript enables complicated transactions and queries on the database engine. The advantages are clear, but does this feature come with a security risk? To mitigate the risks of REST API exposure and CSRF attacks, there's a need to control the requests, limiting their format. This enables attackers to do almost anything with the data, including accessing unauthorized data and altering, deleting, and inserting data. By injecting special characters relevant to the target API language, and observing the results, a tester can determine if the application correctly sanitized the input. Other instructions might be injected using this technique: incr SQL injection is a well-known vulnerability. Cache platforms often store authentication tokens and container access control lists), which must be revalidated for each subsequent user request. According to W3Techs.com statistics on PHP versions of websites in production, more than 86 percent of PHP websites use a version older than 5.5, which means they're vulnerable to this injection if they use Memcached. Key-value data stores such as Memcached, Redis, and Tachyon are in-memory data stores, designed to speed up the performance of applications, cloud infrastructure and platforms, and big data frameworks. Although relatively safe, the popular JavaScript Object Notation (JSON) representation format allows new types of injection attacks. A NoSQL injection, similar to that of a SQL injection, can allow attackers to bypass authentication, exfiltrate sensitive data, tamper with data on the database, or even compromise the database and the underlying server. Advances in Computer Science, vol. Some low-level techniques and protocols have changed, but the risks of injection, improper access control management, and unsafe network exposure remain high. sum(sum); }, { out: totals });. We illustrate this with an example attack in MongoDBa document-oriented database that multiple large vendors, including eBay, Foursquare, and LinkedIn, have adopted. Defining what needs to be protected in the application and how this will occur ensures this functionality is translated to tasks in the development phase and receives the right amount of attention. Figure 1. Efforts invested in securing the application code might be wasted if the deployment is insecure. Imperva Web Application Attack Report, 4th ed., Imperva, 2013; NoSQLMap is an open-source Python tool designed to audit for, as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases and web applications using NoSQL in order to disclose or clone data from the database. WebNoSQL injection attacks may execute in different areas of an application than traditional SQL injection. A Quick Introduction to NoSQL Mass Storage Systems and Technologies (MSST), 2013, pp. A common feature of NoSQL databases is the ability to run JavaScript in the database engine to perform complicated queries or transactions such as MapReduce. NoSQL Injection WebSide JavaScript Injection: Attacking NoSQL and Node.js. These attacks allow bypassing authentication or access mechanisms by injecting code in conditional statements, generating expressions that are always true (tautologies). Last time, we covered the anatomy of a NoSQL injection, as well as how to mitigate it. Typically NoSQL injection attacks will execute where the attack string is parsed, evaluated, or concatenated into a NoSQL API call. Please note that JavaScript must be enabled to display rating and popularity information. For this, a strict network configuration is recommended to ensure that the database is accessible only to relevant hosts, such as the application server. Analysis and Mitigation of NoSQL Injections Try to identify NoSQLi. His research interests include application security, specifically in cloud environments. NoSQL injection attacks may execute in different areas of an application than traditional SQL injection. Unfortunately, code analysis of the application layer alone is insufficient to ensure that all threats are mitigated. Mitigating NoSQL Injection Attacks: Part 2. The concept of a secure internal network has been invalidated in countless attacks on enterprises such as the Adobe password breach, RSA Security, and Sony. Attackers place an HTML form in the website and a JavaScript that will submit the form automatically, such as. 1. Protection of APIs. The world's #1 web penetration testing toolkit. Today, managing proper authentication and role-based access control authorization on most popular NoSQL databases is possible. Follow Article by Felipe Aragon - February 25, 2012 SQL injection is a well-known vulnerability. Post actions include adding documents. Injection Although the drivers themselves might not be vulnerable, sometimes they present unsafe APIs that, when used incorrectly by the application developer, could introduce vulnerabilities in the application that allow arbitrary operations on the database. WebNoSQL injection attacks may execute in different areas of an application than traditional SQL injection. In this post, we will look at specific injection attack types, namely Server-Side JavaScript and Blind NoSQL injections. It has challenged me and helped me grow in so many ways. NoSQL Injection As you can see from the output, it found open MongoDB servers on every IP it scanned in this subnetwork. A very-basic NoSQL injection can be studied here -- https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_sql_and_nosql_injection.html-- which is available from your testing tools if you install the purposely-insecure Nodegoat application. NoSQL databases use different query languages, which makes traditional SQL injection techniques irrelevant. Chained with other There are plenty more advantages and a ton of database management systems out there. Figure 2. NoSQL is the opposite of SQL, its non-relational, it stands for either No SQL or Not only SQL depending on who you ask but in general it refers to non-relational database architectures. SSJI (Server Side JavaScript Injection): details and techniques on how applications that use a big data back end may be vulnerable. The following requests would make these (or similar) vulnerable web An application's security aspects must be thought of and defined in the early development stages. The following constructed query shows user input in bold and the rest in plain text: { username: tolkien, $or: [ {}, { a: a, password } ], $comment: successful MongoDB injection }. Download the latest version of Burp Suite. Let's use a MongoDB example to show an array injection vulnerabilityan attack similar to SQL injection in its technique and results. cached attributes include sensitive information that will cause the query execution to behave differently than intended. db.myCollection.find( { active: true, $where: function() { return obj.credits - obj.debits < $userInput; } } );; As with testing other types of injection, one does not need to fully exploit the vulnerability to demonstrate a problem. A set operation adds a key and its corresponding value to the database using Memcached. Life cycle of application and deployment security. In addition, new attack vectors might be found that were unknown at the time of development testing. On the down side, RASP takes a toll on performance, is tightly coupled with the programming language, and might break the application in production. 1-866-777-9980 14 comments mrthankyou commented on Apr 13, 2021 edited Query WIP PyMonogo Flask-PyMongo MongoEngine Flask MongoEngine Are you planning to discuss this vulnerability For example, consider a complicated transaction that demands JavaScript code and includes unsanitized user input as a parameter in the query. 12. By injecting an HTML form into a vulnerable website or tricking a user into the attacker's own website, an attacker can perform a post action on the target database, thus compromising the database. NoSQLMap is an open-source Python tool designed to audit for, as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases and web applications using NoSQL in order to disclose or clone data from the database. Other advantages include more scalability, facilitated by the possibility of data distribution and performance increases. NoSql Injection Cheatsheet WebExample 2: NoSQL SSJS Injection Vulnerability (PHP + MongoDB) The MongoDB shell provides a sleep() function which makes time-based detection much easier to perform.. GitHub page. These mechanisms are important for two reasons. insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1. ", "Protocol-Level Evasion of Web Application Firewalls", Cloudflare Workers Introduces connect() API to Create TCP Sockets, Tales of Kafka at Cloudflare: Lessons Learnt on the Way to 1 Trillion Messages, Infracopilot, a Conversational Infrastructure-as-Code Editor, Azure Deployment Environments Now Generally Available, Continuing the Culture and Methods Trends Conversation, Debugging Difficult Conversations as a Pathway to Happy and Productive Teams, AWS Shifts Strategy: Public GitHub Documentation to Be Retired, Visual Studio 2022 17.7 Preview 1: Productivity, Cloud and Game Development Enhancements, Microsoft Build 2023: Bing AI and Copilot Plugins for ChatGPT OpenAI, Microsoft Fabric and More, How Big Tech Lost Its Way - Regulation and Freedom, Unified Analytics Platform: Microsoft Fabric, The Zen of Green Software: Finding Balance in the Sustainable Growth Journey, Minecraft Welcomes Its First LLM-Powered Agent, Microsoft Authentication Library 4.54.0 Supports Managed Identities, OpenAI Launches its Official ChatGPT App for iOS, Unlocking Software Engineering Potential for Better Products, Microsoft Open-Sources 13 Billion Parameter Language and Vision Chatbot LLaVA, Minimising the Impact of Machine Learning on our Climate, Grafana Adds Service Accounts and Improves Debugging Experience, Java News Roundup: Java Turns 28, Payara Platform, Micronaut 4.0-M5, Spring Updates, JHipster Lite, JetBrains Compose Multiplatform for iOS Reaches Alpha, AI, ML & Data News Roundup: Generative Fill, Copilot, Aria, and Brain Chips, eBay and lastminute.com Adopt Contract Testing to Drive Architecture Evolution, AWS Adds Multi-AZ with Standby Support to OpenSearch Service, DevSusOps - Bringing Sustainability Concerns to Development and Operations, Curiosity and Self-Awareness are Must-Haves for Handling Conflict, Applying Test-Driven Development in the Cloud, Azure Container Storage Now in Public Preview, OpenAI is Using GPT-4 to Explain Neurons' Behavior in GPT-2, Breaking down Barriers: Introducing JDK 21s Approach to Beginner-Friendly Java Programming, Easy Implementation of GDPR with Aspect Oriented Programming, ASP.NET Core in .NET 8 Preview 4: Blazor Streaming, Form Handling, Native AOT, Identity API and More, Meta Open-Sources Computer Vision Foundation Model DINOv2, Data-Driven Decision Making - Software Delivery Performance Indicators at Different Granularities, Apache Pulsar 3.0 Delivers a New LTS Version and Efficiency Improvements, Rust Reviewed: the Current Trends and Pitfalls of the Ecosystem, GCC 13 Supports New C2x Features, Including nullptr, Enhanced Enumerations, and More, Learn about the new security vulnerabilities for NoSQL databases, Five types of NoSQL attacks like Tautologies, Union queries, JavaScript injections, Piggybacked queries, and Cross origin violation, OWASP group's published recommendations for testing NoSQL injection code, Learn how to mitigate security risks in NoSQL deployments, How to integrate NoSQL database vulnerability management in the entire software development lifecycle, information from the user request (for instance, the, the received string is passed as is and is not sanitized, and. Yet these databases are still potentially vulnerable to injection attacks, even if they Although such systems might be good at finding and blocking certain attacks, they aren't aware of the application logic and the rules under which the application is supposed to work, and they won't find 100 percent of the vulnerabilities. This is the second part of a two-part series on NoSQL injections. We hope that these will continue to improve and will become a common practice for NoSQL activity monitoring. This injection looks very similar to classic SQL injections. Because these NoSQL injection attacks may execute within a procedural language, rather than in the declarative SQL language, the potential impacts are greater than traditional SQL injection. Accelerate penetration testing - find more bugs, more quickly. Ron has a BSc in computer science from Ben Gurion University. What is NoSQL injection NoSQL (not only SQL) databases among the top 10 are MongoDB, Cassandra, and Redis; all three are growing in popularity. Also be sure to check outall the previous Hacker Tools articles, such asthe last one on JWT_Tool. Regarding SSJI attacks, a recent work that has the same grounds with NodeXP is Synode [6], which attempts to mitigate injection vulnerabilities in Node.js applications. In piggybacked queries, attackers exploit assumptions in the interpretation of escape sequences' special characters (such as termination characters like carriage return and line feed [CRLF]) to insert additional queries to be executed by the database, which could lead to arbitrary code execution by attackers. NoSQL database calls are written in the applications programming language, a custom API call, or formatted according to a common convention (such as XML, JSON, LINQ, etc). Avoid using other commands with similar effect, such as setTimeOut(), setInterval(), and Function(). Check out the youtube video accompanying this article for an example. Protect your business for 30 days on Imperva. What is NoSQL injection Web application firewalls (WAFs) are security tools that inspect HTTP data streams and detect malicious HTTP transactions. 8. I was able to deeply engage with experts and thought leaders to learn more about the topics I covered. NoSQL Injection For more details, source code, bug reporting and whatever please refer to the author github page, available here, Overall impact: View an example. The following conditions must occur to conduct the attack: If these conditions are met, attackers can inject queries or manipulate query logic, such as a piggyback query attack. WebBy requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. injection GET requests can often be typed into the browser directly by adding nosql into the URL directly: 1. site.com/page?query=term || '1'=='1 2. site.com/page?user [$ne]=nobody Try to identity SSJI using experimental payloads. For example, SQL injection attacks insert malicious code into the statements the application passes to the database layer. Since these queries often include user-provided input, they can be vulnerable to attack if input sanitization is not properly performed. Black Hat USA, 2014; where incr is used to increment a key, decr is used to decrement a key, and delete is used to delete a key. Kerner, "Glass Box: The Next Phase of Web Application Security Testing? NoSQL injection vulnerabilities allow attackers to inject code into commands for databases that dont use SQL queries, such as MongoDB. to test for NoSQL injections The benefit of RASP over other security technologies lies in its ability to inspect the flow of the program and data being processed internally. Yet these databases are still potentially vulnerable to injection attacks, even if they Under DDoS Attack? The best manual tools to start web security testing. 10. db.myCollection.find( { $where: "this.credits == this.debits" } ); Optionally JavaScript is also evaluated to allow more advanced conditions. Home>Blog>NoSQL SSJI Authentication Bypass. Most NoSQL injection vulnerabilities occur because developers accept and process user inputs without properly sanitizing them. However, these are only initial results; the problem hasnt been sufficiently studied or received the required attention. In this view, you can see the different things NoSQLMap can do. At recent conferences in San Francisco and London, the speakers clearly showed what "scalable" can really mean, from a trillion messages to exabytes of data. A typical query could be. Analysis and Mitigation of NoSQL Injections, Jan 18, 2017 Second, attackers must trick users into entering the infected site by means of phishing or inject an infection into a site that users visit regularly. First, attackers must have control over a website either of their own or from exploiting a benign, unsecured website. InfoQ seeks a full-time Editor-in-Chief to join C4Media's international, always remote team. instructions how to enable JavaScript in your web browser, Injection payload wordlist with examples of NoSQL Injection for MongoDB, Bryan Sullivan from Adobe: NoSQL, But Even Less Security, Erlend from Bekk Consulting: Security NOSQL-injection, Felipe Aragon from Syhunt: NoSQL/SSJS Injection, MongoDB Documentation: How does MongoDB address SQL or Query injection?, PHP Documentation: MongoDB Driver Classes, 2.10 Security Tests Integrated in Development and Testing Workflows, 2.11 Security Test Data Analysis and Reporting, 3.6 Phase 5 During Maintenance and Operations, 4.1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage, 4.1.3 Review Webserver Metafiles for Information Leakage, 4.1.4 Enumerate Applications on Webserver, 4.1.5 Review Web Page Content for Information Leakage, 4.1.7 Map Execution Paths Through Application, 4.1.8 Fingerprint Web Application Framework, 4.2 Configuration and Deployment Management Testing, 4.2.1 Test Network Infrastructure Configuration, 4.2.2 Test Application Platform Configuration, 4.2.3 Test File Extensions Handling for Sensitive Information, 4.2.4 Review Old Backup and Unreferenced Files for Sensitive Information, 4.2.5 Enumerate Infrastructure and Application Admin Interfaces, 4.2.7 Test HTTP Strict Transport Security, 4.3.4 Testing for Account Enumeration and Guessable User Account, 4.3.5 Testing for Weak or Unenforced Username Policy, 4.4.1 Testing for Credentials Transported over an Encrypted Channel, 4.4.3 Testing for Weak Lock Out Mechanism, 4.4.4 Testing for Bypassing Authentication Schema, 4.4.5 Testing for Vulnerable Remember Password, 4.4.6 Testing for Browser Cache Weaknesses, 4.4.8 Testing for Weak Security Question Answer, 4.4.9 Testing for Weak Password Change or Reset Functionalities, 4.4.10 Testing for Weaker Authentication in Alternative Channel, 4.4.11 Testing Multi-Factor Authentication, 4.5.1 Testing Directory Traversal File Include, 4.5.2 Testing for Bypassing Authorization Schema, 4.5.4 Testing for Insecure Direct Object References, 4.5.5.1 Testing for OAuth Authorization Server Weaknesses, 4.5.5.2 Testing for OAuth Client Weaknesses, 4.6.1 Testing for Session Management Schema, 4.6.4 Testing for Exposed Session Variables, 4.6.5 Testing for Cross Site Request Forgery, 4.7.1 Testing for Reflected Cross Site Scripting, 4.7.2 Testing for Stored Cross Site Scripting, 4.7.4 Testing for HTTP Parameter Pollution, 4.7.13 Testing for Format String Injection, 4.7.14 Testing for Incubated Vulnerability, 4.7.15 Testing for HTTP Splitting Smuggling, 4.7.16 Testing for HTTP Incoming Requests, 4.7.18 Testing for Server-side Template Injection, 4.7.19 Testing for Server-Side Request Forgery, 4.8.1 Testing for Improper Error Handling, 4.9.1 Testing for Weak Transport Layer Security, 4.9.3 Testing for Sensitive Information Sent via Unencrypted Channels, 4.10.1 Test Business Logic Data Validation, 4.10.5 Test Number of Times a Function Can Be Used Limits, 4.10.6 Testing for the Circumvention of Work Flows, 4.10.7 Test Defenses Against Application Misuse, 4.10.8 Test Upload of Unexpected File Types, 4.11.1 Testing for DOM-Based Cross Site Scripting, 4.11.1.1 Testing for Self DOM Based Cross-Site Scripting, 4.11.4 Testing for Client-side URL Redirect, 4.11.6 Testing for Client-side Resource Manipulation, 4.11.7 Testing Cross Origin Resource Sharing, 4.11.13 Testing for Cross Site Script Inclusion.