
Leveraging Dev Tools

This appendix outlines how in-browser Developer Tools functionality can be used to aid security testing activities.

In-browser functionality is not a substitute for DAST (Dynamic Application Security Testing) tools, SAST (Static Application Security Testing) tools, or a tester's experience. However, it can be leveraged for some testing activities and for report production tasks.

Accessing Dev Tools

Opening Dev Tools can be accomplished in a number of ways.

  1. Via the keyboard shortcut F12.

  2. Via the keyboard shortcut ctrl + shift + i on Windows.

  3. Via the keyboard shortcut cmd + option + i on Mac.

  4. Via the web page right-click context menu and then selecting Inspect in Google Chrome.

  5. Via the web page right-click context menu and then selecting Inspect Element in Mozilla Firefox.

  6. Via the triple dot 'kabob' menu in Google Chrome then selecting More Tools and then Developer Tools.

  7. Via the triple line 'hamburger' (or 'pancake') menu in Mozilla Firefox then selecting Web Developer and then Toggle Tools.

  8. Via the gear icon settings menu in Edge/IE then selecting Developer Tools.

NOTE: The majority of the instructions below assume that Dev Tools is already open or active.

Capabilities

Functionality            Chrome*   Firefox   Edge/IE   Safari
User-Agent Switching     Y         Y         Y         Y
Edit/Resend Requests     Y         Y         N         N
Cookie Editing           Y         Y         Y         N
Local Storage Editing    Y         Y         Y         N
Disable CSS              Y         Y         Y         Y
Disable JavaScript       Y         Y         N         Y
View HTTP Headers        Y         Y         Y         Y
Screenshots              Y         Y         Y         N
Offline Mode             Y         Y         N         N
Encoding and Decoding    Y         Y         Y         Y
Responsive Design Mode   Y         Y         Y         Y

* Anything that applies to Google Chrome should also apply to all Chromium-based applications (which includes Microsoft Edge since its rebadging around 2019/2020).

User-Agent Switching

Related Testing

  • Testing for Browser Cache Weaknesses

Google Chrome

  1. Click on the triple dot 'kabob' menu on the right side of the Developer Tools pane, select More tools, then select Network conditions.

  2. Un-check the "Select automatically" checkbox.

  3. Select the user agent from the dropdown menu or enter a custom user agent.

Figure 6.F-1: Google Chrome Dev Tools User-Agent Switching Functionality

Mozilla Firefox

  1. Navigate to Firefox’s about:config page and click I accept the risk!.

  2. Enter general.useragent.override into the search field.

  3. Look for general.useragent.override. If you can't see this preference, look for one that shows a set of radio buttons (Boolean, Number, String), select String, then click the plus sign Add button on the about:config page.

  4. Set the value of general.useragent.override to whatever User-Agent you might need.

Figure 6.F-2: Mozilla Firefox User-Agent Switching Functionality

Later, click on the garbage can Delete button to the right of the general.useragent.override preference to remove the override and switch back to the default user agent.

Edit/Resend Requests

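Related Testing

  • Authentication Testing

  • Authorization Testing

  • Session Management Testing

  • Input Validation Testing

  • Business Logic Testing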

Mozilla Firefox

  1. Select the Network tab.

  2. Perform any action in the web application.

  3. Right-click on the HTTP request from the list and select Edit and Resend.

  4. Make desired modifications and click on the Send button.

  5. Right-click on the modified request and select Open in New Tab.

Google Chrome

  1. Select the Network tab.

  2. Perform any action in the web application.

  3. Right-click on the HTTP request from the list and select Copy > Copy as fetch.

  4. Paste the provided JavaScript code into the Console tab.

  5. Make any required modifications, and then hit enter to send the request.

Cookie Editing

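Related Testing

  • Authentication Testing

  • Authorization Testing

  • Session Management Testing

  • Testing for Cookie Attributes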

Google Chrome

  1. Click the Application tab.

  2. Expand Cookies under the Storage heading.

  3. Select the relevant domain name.

  4. Double click in the Value column to edit any cookie value.

Note: Cookies can be deleted once selected by pressing the delete key, or from the right-click context menu.

Mozilla Firefox

  1. Click the Storage tab.

  2. Expand the Cookies section.

  3. Select the relevant domain name.

  4. Double click in the Value column to edit any cookie value.

Figure 6.F-3: Mozilla Firefox Cookie Editing Functionality

Note: Cookies can be deleted once selected by pressing the delete key, or with various options from the right-click context menu.

Local Storage Editing

Related Testing

  • Testing Browser Storage

Google Chrome

  1. Click the Application tab.

  2. Expand Local Storage under the Storage heading.

  3. Select the relevant domain name.

  4. Double click in the Value column to edit any cookie value.

  5. Double click in the applicable Cell to edit the Key or Value.

Note: Editing Session Storage or IndexedDB follows essentially the same steps.

Note: Items can be added or deleted via the right-click context menu.

Mozilla Firefox

  1. Click the Storage tab.

  2. Expand the Local Storage section.

  3. Select the relevant domain name.

  4. Double click in the applicable Cell to edit the Key or Value.

Note: Editing Session Storage or IndexedDB follows essentially the same steps.

Note: Items can be added or deleted via the right-click context menu.

Disable CSS

Related Testing

  • Testing for Client-side Resource Manipulation

General

All major browsers support manipulating CSS leveraging the Dev Tools Console and JavaScript functionality:

  • To remove all external style-sheets: document.querySelectorAll('style,link[rel="stylesheet"]').forEach(function(el){el.remove();});

  • To remove all internal style-sheets: document.querySelectorAll('style').forEach(function(el){el.remove();});

  • To remove all in-line styles: Array.prototype.forEach.call(document.querySelectorAll('*'),function(el){el.removeAttribute('style');});

  • To remove everything from head tag: $('head').remove();

Disable JavaScript

Google Chrome

  1. Click on the triple dot 'kabob' menu on the right side of the web developer toolbar and click on Settings.

  2. On the Preferences tab, under the Debugger section, check the Disable JavaScript checkbox.

Mozilla Firefox

  1. On the dev tools Debugger tab, click on the settings gear button in the upper right corner of the developer toolbar.

  2. Select Disable JavaScript from the dropdown (this is an enable/disable menu item; when JavaScript is disabled, the menu item has a check mark).

View HTTP Headers

Related Testing

  • Information Gathering

Google Chrome

  1. On the Network tab in Dev Tools select any URL or request.

  2. In the lower right-hand pane select the Headers tab.

Figure 6.F-4: Google Chrome Headers View

Mozilla Firefox

  1. On the Network tab in Dev Tools select any URL or request.

  2. In the lower right-hand pane select the Headers tab.

Figure 6.F-5: Mozilla Firefox Headers View

Screenshots

Related Testing

  • Reporting

Google Chrome

  1. Press on the Toggle Device Toolbar button or press ctrl + shift + m.

  2. Click the triple dot 'kabob' menu in the Device Toolbar.

  3. Select Capture screenshot or Capture full size screenshot.

Mozilla Firefox

  1. Press the triple dot ellipsis button in the address bar.

  2. Select Take a Screenshot.

  3. Select either the Save full page or Save visible option.

Offline Mode

Google Chrome

  1. Navigate to the Network tab.

  2. In the Throttle dropdown select Offline.

Figure 6.F-6: Google Chrome Offline Option

Mozilla Firefox

  1. From the triple line 'hamburger' (or 'pancake') menu select Web Developer and then Work Offline.

Figure 6.F-7: Mozilla Firefox Offline Option

Encoding and Decoding

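Related Testing

Many (perhaps even most) types of Web Application Security Testing can benefit from various types of encoding.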

General

All major browsers support encoding and decoding strings in various ways leveraging the Dev Tools Console and JavaScript functionality:

  • Base64 encode: btoa("string-to-encode")

  • Base64 decode: atob("string-to-decode")

  • URL encode: encodeURIComponent("string-to-encode")

  • URL decode: decodeURIComponent("string-to-decode")

  • HTML encode: escape("string-to-encode")

  • HTML decode: unescape("string-to-decode")
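The console one-liners above have limits worth knowing: btoa() throws on characters outside Latin-1, decodeURIComponent() throws on malformed input, and escape()/unescape() percent-encode rather than produce HTML entities. The following is an added example, not part of the original guide, that handles those cases plus URL-safe Base64 as used in JWT segments; all function names are illustrative.

```javascript
// Added example: encoders/decoders for the Dev Tools Console or Node.js 16+.
// Function names are illustrative and not part of any browser API.

// btoa() only accepts code points 0-255, so convert the text to UTF-8 bytes first.
function base64EncodeUtf8(text) {
  let binary = "";
  for (const b of new TextEncoder().encode(text)) binary += String.fromCharCode(b);
  return btoa(binary);
}

function base64DecodeUtf8(b64) {
  const bytes = Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes); // throws on invalid UTF-8
}

// URL-safe alphabet without padding, as used in JWT segments.
function base64UrlDecodeUtf8(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return base64DecodeUtf8(b64.padEnd(Math.ceil(b64.length / 4) * 4, "="));
}

const ENCODE_MAP = new Map([["&", "&amp;"], ["<", "&lt;"], [">", "&gt;"], ['"', "&quot;"], ["'", "&#39;"]]);
const NAMED = new Map([["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"]]);

// HTML entity encoding of the five characters that are significant in markup.
function htmlEncode(text) {
  return text.replace(/[&<>"']/g, (ch) => ENCODE_MAP.get(ch));
}

// Single-pass decode of numeric entities and the five named ones; others are left as-is.
function htmlDecode(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (whole, body) => {
    if (body[0] !== "#") return NAMED.has(body) ? NAMED.get(body) : whole;
    const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
  });
}

// decodeURIComponent() throws URIError on malformed input; return null instead.
function safeUrlDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (err) {
    return null;
  }
}
```

Paste the functions into the Console once per page load; they stay available until the next navigation.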

Responsive Design Mode

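Related Testing

  • Testing for Browser Cache Weaknesses

  • Testing for Weaker Authentication in Alternative Channel

  • Testing for Clickjacking

Google Chrome

  1. Click the Toggle device toolbar button or press ctrl + shift + m.

Figure 6.F-8: Google Chrome Responsive Design Mode

Mozilla Firefox

  1. Click the Responsive Design Mode button or press ctrl + shift + m.

Figure 6.F-9: Mozilla Firefox Responsive Design Mode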

References

  • Web App Security Testing with Browsers

  • Black Hills Information Security - Webcast: Free Tools! How to Use Developer Tools and JavaScript in Webapp Pentests

  • Greg Malcolm - Chrome Developer Tools: Raiding the Armory

  • List of UserAgent Strings