Need help with wstg?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

OWASP
2.4K Stars 610 Forks Creative Commons Attribution Share Alike 4.0 International 680 Commits 57 Opened issues

Description

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.

Services available

!
?

Need anything else?

Contributors list

OWASP Web Security Testing Guide

Contributions Welcome OWASP Flagship Twitter Follow

Creative Commons License

Welcome to the official repository for the Open Web Application Security Project® (OWASP®) Web Security Testing Guide (WSTG). The WSTG is a comprehensive guide to testing the security of web applications and web services. Created by the collaborative efforts of security professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations all over the world.

We are currently working on release version 5.0. You can read the current document here on GitHub.

For the last stable release, check release 4.2. Also available online.

How To Reference WSTG Scenarios

Each scenario has an identifier in the format

WSTG--
, where: 'category' is a 4 character upper case string that identifies the type of test or weakness, and 'number' is a zero-padded numeric value from 01 to 99. For example:
WSTG-INFO-02
is the second Information Gathering test.

The identifiers may change between versions therefore it is preferable that other documents, reports, or tools use the format:

WSTG---
, where: 'version' is the version tag with punctuation removed. For example:
WSTG-v42-INFO-02
would be understood to mean specifically the second Information Gathering test from version 4.2.

If identifiers are used without including the

 element then they should be assumed to refer to the latest Web Security Testing Guide content. Obviously as the guide grows and changes this becomes problematic, which is why writers or developers should include the version element.

Linking

Linking to Web Security Testing Guide scenarios should be done using versioned links not

stable
or
latest
which will definitely change with time. However, it is the project team's intention that versioned links not change. For example:
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.html
. Note: the
v42
element refers to version 4.2.

Contributions, Feature Requests, and Feedback

We are actively inviting new contributors! To start, read the contribution guide.

First time here? Here are GitHub's suggestions for first-time contributors to this repository.

This project is only possible thanks to the work of many dedicated volunteers. Everyone is encouraged to help in ways large and small. Here are a few ways you can help:

  • Read the current content and help us fix any spelling mistakes or grammatical errors.
  • Help with translation efforts.
  • Choose an existing issue and submit a pull request to fix it.
  • Open a new issue to report an opportunity for improvement.

To learn how to contribute successfully, read the contribution guide.

Successful contributors appear on the project's list of authors, reviewers, or editors.

Chat With Us

We're easy to find on Slack:

  1. Join the OWASP Group Slack with this invitation link.
  2. Join this project's channel, #testing-guide.

Feel free to ask questions, suggest ideas, or share your best recipes.

You can @ us on Twitter @owasp_wstg.

You can also join our Google Group.

Project Leaders

Core Team

Open Web Application Security Project and OWASP are registered trademarks of the OWASP Foundation, Inc.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.