Description
What would you like added?
I propose adding a new appendix to the Web Security Testing Guide (WSTG) providing a concise architectural threat-modeling checklist focused on workflow abuse, state-transition manipulation, and authorization drift in modern distributed applications.
While WSTG contains individual tests for authorization and business-logic issues, it does not currently include a consolidated checklist for identifying architectural abuse patterns across UI, API, microservices, feature flags, and asynchronous workflows.
This appendix would provide practitioners with a repeatable method to identify design-level risks that are not detectable through vulnerability scanning.
Proposed Appendix Content (Draft):
Architectural Threat Modeling Checklist – Workflow & State Abuse
- Are all workflow state transitions enforced server-side?
- Can APIs be executed out of order?
- Are tokens scoped or rotated on workflow phase changes?
- Are deprecated UI features fully removed from backend services?
- Are feature flags or kill-switches gating any security-relevant logic?
- Are authorization rules consistent across microservices?
- Are state transitions logged and monitored for anomalies?
- Are legacy endpoints discoverable through API enumeration?
- Are client-supplied workflow indicators trusted without validation?
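To make the checklist items concrete, here is an added example (not part of the issue or of WSTG) of the kind of server-side control the first, third, sixth, seventh and ninth questions are probing for. It models a hypothetical order workflow: the server holds the authoritative state, only whitelisted transitions are accepted (so out-of-order calls fail), each phase issues a fresh token so a token from an earlier phase is rejected, each event is bound to the roles allowed to trigger it, a client-supplied state indicator is recorded but never trusted, and every rejection is written to an audit log a monitoring pipeline could consume. The workflow, events, roles and token scheme are all constructed for illustration.

```python
"""Server-side workflow state machine (constructed example, not WSTG content)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical order workflow: current state -> {event: next state}.
# Anything not listed here is an illegal (e.g. out-of-order) transition.
TRANSITIONS = {
    "CREATED": {"submit_payment": "PAYMENT_PENDING"},
    "PAYMENT_PENDING": {"confirm_payment": "PAID", "cancel": "CANCELLED"},
    "PAID": {"ship": "SHIPPED"},
}

# Hypothetical authorization policy: which roles may trigger each event.
# Keeping this in one place is what makes rules consistent across services.
EVENT_ROLES = {
    "submit_payment": {"customer"},
    "confirm_payment": {"payment-service"},
    "cancel": {"customer", "support"},
    "ship": {"fulfilment"},
}


class WorkflowError(Exception):
    """Raised for any rejected request; details go to the audit log."""


@dataclass
class Workflow:
    workflow_id: str
    state: str = "CREATED"
    # Token scoped to the current phase; rotated on every transition.
    phase_token: str = field(default_factory=lambda: secrets.token_hex(16))
    audit_log: list = field(default_factory=list)  # (kind, from, to/event, actor)


class WorkflowEngine:
    def __init__(self):
        self._store = {}  # workflow_id -> Workflow (server-side, authoritative)

    def create(self, workflow_id):
        wf = Workflow(workflow_id)
        self._store[workflow_id] = wf
        wf.audit_log.append(("create", None, wf.state, "system"))
        return wf.phase_token

    def apply(self, workflow_id, event, actor_role, presented_token, client_claimed_state=None):
        """Apply `event` to the workflow. The stored state decides everything;
        `client_claimed_state` is only logged so mismatches can be monitored."""
        wf = self._store.get(workflow_id)
        if wf is None:
            raise WorkflowError("unknown workflow")
        # A token issued for an earlier phase no longer matches and is rejected.
        if not hmac.compare_digest(presented_token, wf.phase_token):
            wf.audit_log.append(("reject_stale_token", wf.state, event, actor_role))
            raise WorkflowError("stale or invalid phase token")
        if actor_role not in EVENT_ROLES.get(event, set()):
            wf.audit_log.append(("reject_unauthorized", wf.state, event, actor_role))
            raise WorkflowError("actor not permitted to trigger event")
        next_state = TRANSITIONS.get(wf.state, {}).get(event)
        if next_state is None:
            wf.audit_log.append(("reject_transition", wf.state, event, actor_role))
            raise WorkflowError(f"event {event!r} not allowed in state {wf.state!r}")
        if client_claimed_state is not None and client_claimed_state != wf.state:
            wf.audit_log.append(("client_state_mismatch", wf.state, client_claimed_state, actor_role))
        wf.audit_log.append(("transition", wf.state, next_state, actor_role))
        wf.state = next_state
        wf.phase_token = secrets.token_hex(16)  # rotate on phase change
        return wf.state, wf.phase_token

    def anomalies(self, workflow_id):
        """Log entries a monitoring rule would flag (everything but normal flow)."""
        return [e for e in self._store[workflow_id].audit_log
                if e[0] not in ("create", "transition")]


def demo():
    """Drive the engine through the cases the checklist asks about."""
    eng = WorkflowEngine()
    t0 = eng.create("order-1")
    results = {}
    try:  # out-of-order API call: ship before any payment
        eng.apply("order-1", "ship", "fulfilment", t0)
    except WorkflowError as e:
        results["ship_before_pay"] = str(e)
    # Client claims it is already PAID; the server ignores that and logs it.
    _, t1 = eng.apply("order-1", "submit_payment", "customer", t0, client_claimed_state="PAID")
    try:  # replaying the token from the previous phase
        eng.apply("order-1", "confirm_payment", "payment-service", t0)
    except WorkflowError as e:
        results["stale_token"] = str(e)
    try:  # a customer cannot confirm their own payment
        eng.apply("order-1", "confirm_payment", "customer", t1)
    except WorkflowError as e:
        results["wrong_role"] = str(e)
    _, t2 = eng.apply("order-1", "confirm_payment", "payment-service", t1)
    results["final_state"], _ = eng.apply("order-1", "ship", "fulfilment", t2)
    results["anomaly_kinds"] = [e[0] for e in eng.anomalies("order-1")]
    return results


if __name__ == "__main__":
    print(demo())
```

When reviewing a real system against the checklist, the questions to ask map directly onto the branches above: is there a single authoritative transition table, does any service accept a token minted for a different phase, does any service decide authorization from its own copy of the rules, and does the audit log actually reach a detection pipeline that alerts on the `reject_*` and `client_state_mismatch` entries rather than just storing them.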
Why Is This Needed?
These architectural failure patterns are now a primary breach vector in cloud-native systems, yet no concise checklist exists within WSTG to guide threat modeling for these risks. This appendix would fill a practical gap in the current testing guidance by helping teams systematically evaluate workflow and state-transition abuse.
Would you like to be assigned to this issue?
Check the box if you will submit a PR to add the proposed content. Please read CONTRIBUTING.md.
- Assign me, please!