The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.
The WSTG is a comprehensive guide to testing the security of web applications and web services. Created by the collaborative efforts of cybersecurity professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations all over the world.
Any contributions to the guide itself should be made via the guide’s project repo.
View the always-current stable version at stable.
We are currently developing release version 5.0.
v4.2 is currently available as a web-hosted release and PDF. Previous releases are available as PDFs and in some cases web content via the Release Versions tab.
Each scenario has an identifier in the format WSTG-<category>-<number>, where: ‘category’ is a 4-character upper-case string that identifies the type of test or weakness, and ‘number’ is a zero-padded numeric value from 01 to 99. For example, WSTG-INFO-02 is the second Information Gathering test.
The identifiers may change between versions, therefore it is preferable that other documents, reports, or tools use the format WSTG-<version>-<category>-<number>, where ‘version’ is the version tag with punctuation removed. For example, WSTG-v41-INFO-02 would be understood to mean specifically the second Information Gathering test from version 4.1.
If identifiers are used without including the version element, they should be assumed to refer to the latest Web Security Testing Guide content. As the guide grows and changes this becomes problematic, which is why writers or developers should include the version element.
Linking to Web Security Testing Guide scenarios should be done using versioned links, not stable or latest links, which will definitely change with time. It is the project team’s intention that versioned links not change. For example: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server . Note: the v42 element refers to version 4.2.
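As an added illustration of the identifier rules above (example code written for this page, not part of the WSTG project), the following parses both identifier forms, rejects malformed ones, pins an unversioned identifier to a given release tag, and scans report text for identifiers that lack the version element. The function names and the sample report text are constructed for the example.

```python
import re
from typing import Optional

# Grammar from the project page:
#   WSTG-<category>-<number>             refers to the latest guide content
#   WSTG-<version>-<category>-<number>   'version' is the tag with punctuation removed (v42)
# 'category' is 4 upper-case letters, 'number' is zero-padded 01..99.
_WSTG_ID = re.compile(
    r"^WSTG-(?:(?P<version>v\d+)-)?(?P<category>[A-Z]{4})-(?P<number>\d{2})$"
)
# Same grammar, used to find identifiers embedded in free text.
_WSTG_IN_TEXT = re.compile(r"\bWSTG-(?:v\d+-)?[A-Z]{4}-\d{2}\b")


def parse_wstg_id(identifier: str) -> Optional[dict]:
    """Return the parts of a WSTG identifier, or None if it is malformed.
    'version' is None for the unversioned form (meaning: latest content)."""
    m = _WSTG_ID.match(identifier.strip())
    if not m:
        return None
    number = int(m.group("number"))
    if not 1 <= number <= 99:  # '00' is outside the documented range
        return None
    return {"version": m.group("version"),
            "category": m.group("category"), "number": number}


def pin_wstg_id(identifier: str, release: str) -> Optional[str]:
    """Rewrite an identifier into the versioned form recommended for reports.
    'release' is a tag such as "4.2" or "v4.2"; punctuation is dropped -> v42.
    An identifier that already carries a version keeps it."""
    parts = parse_wstg_id(identifier)
    if parts is None:
        return None
    tag = parts["version"] or "v" + re.sub(r"\D", "", release)
    return f"WSTG-{tag}-{parts['category']}-{parts['number']:02d}"


def unversioned_ids(report_text: str) -> list:
    """List identifiers in a report that omit the version element and will
    therefore drift in meaning as the guide changes."""
    return [i for i in _WSTG_IN_TEXT.findall(report_text)
            if parse_wstg_id(i)["version"] is None]


if __name__ == "__main__":
    # Constructed sample report excerpt.
    sample = "Findings map to WSTG-INFO-02 and WSTG-v41-INFO-02; see also WSTG-info-2."
    print(unversioned_ids(sample))          # ['WSTG-INFO-02']
    print(pin_wstg_id("WSTG-INFO-02", "4.2"))  # WSTG-v42-INFO-02
```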
Version 4.2 introduces new testing scenarios, updates existing chapters, and offers an improved writing style and chapter layout.
Version 4.1 serves as a post-migration stable version under the new GitHub repository workflow.
A printed book is also made available for purchase.
View a presentation (PPT) previewing the release at the OWASP EU Summit 2008 in Portugal.
Version 1.1 is released as the OWASP Web Application Penetration Checklist.
Historical archives of the Mailman owasp-testing mailing list are available to view or download.
We are actively inviting new contributors to help keep the WSTG up to date! You can get started at our official GitHub repository.
To report issues or make suggestions for the WSTG, please use GitHub Issues.
For everything else, we’re easy to find on Slack:
You can @ us on Twitter @owasp_wstg.
The OWASP ® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.
OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our General Disclaimer. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2024, OWASP Foundation, Inc.