OWAPS Web Security Testing Guide


The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.

The WSTG is a comprehensive guide to testing the security of web applications and web services. Created by the collaborative efforts of cybersecurity professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations all over the world.

Contributions

Any contributions to the guide itself should be made via the guide’s project repo.

Stable

View the always-current stable version at stable.

Latest

We are currently developing release version 5.0.

You can read the latest development documents in our official GitHub repository or view the bleeding-edge content at latest.

Versioned Releases

Only v4.1 is currently available as a web-hosted release. Previous releases are available as PDFs on the Release Versions tab.

How To Reference WSTG Scenarios

Each scenario has an identifier in the format WSTG-<category>-<number>, where ‘category’ is a 4-character upper-case string that identifies the type of test or weakness, and ‘number’ is a zero-padded numeric value from 01 to 99. For example: WSTG-INFO-02 is the second Information Gathering test.

The identifiers may change between versions, so it is preferable that other documents, reports, or tools use the format WSTG-<version>-<category>-<number>, where ‘version’ is the version tag with punctuation removed. For example: WSTG-v41-INFO-02 would be understood to mean specifically the second Information Gathering test from version 4.1.

If identifiers are used without the <version> element, they should be assumed to refer to the latest Web Security Testing Guide content. As the guide grows and changes this becomes ambiguous, which is why writers and developers should include the version element.
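As an added example (not part of the WSTG project itself), the following Python parses and normalizes scenario identifiers in the two formats described above and pins an unversioned reference to a specific release; the regular expression and function names are this example's own.

```python
import re

# Identifier grammar taken from the page: an optional version tag (release
# number with punctuation removed, e.g. "v41"), a 4-character upper-case
# category, and a two-digit zero-padded number from 01 to 99.
WSTG_ID = re.compile(
    r"^WSTG-(?:(?P<version>v\d+)-)?(?P<category>[A-Z]{4})-(?P<number>\d{2})$"
)


def parse_wstg_id(identifier):
    """Return (version or None, category, number) for a WSTG identifier.

    A version of None means the reference points at the latest guide
    content, which is what the page says an unversioned identifier implies.
    Raises ValueError for anything that does not match the format.
    """
    m = WSTG_ID.match(identifier.strip())
    if not m:
        raise ValueError(f"not a WSTG identifier: {identifier!r}")
    number = int(m.group("number"))
    if not 1 <= number <= 99:  # "00" matches \d{2} but is outside 01..99
        raise ValueError(f"number must be 01..99: {identifier!r}")
    return m.group("version"), m.group("category"), number


def version_tag(release):
    """Turn a release string such as '4.1' or 'v4.1' into the tag form 'v41'."""
    digits = re.sub(r"[^0-9]", "", release)
    if not digits:
        raise ValueError(f"release has no version digits: {release!r}")
    return "v" + digits


def versioned_wstg_id(release, category, number):
    """Build the preferred WSTG-<version>-<category>-<number> form."""
    return f"WSTG-{version_tag(release)}-{category}-{number:02d}"


def pin_to_version(identifier, release):
    """Rewrite an unversioned identifier so it names a specific release.

    Identifiers that already carry a version are returned unchanged, since
    they already mean one specific test in one specific release.
    """
    version, category, number = parse_wstg_id(identifier)
    if version is not None:
        return identifier
    return versioned_wstg_id(release, category, number)
```

Running `pin_to_version("WSTG-INFO-02", "4.1")` on a report written against 4.1 yields `WSTG-v41-INFO-02`, the form the page recommends for tools and documents.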

Linking

Linking to Web Security Testing Guide scenarios should be done using versioned links, not the stable or latest links, which will change over time; the project team intends that versioned links do not change. For example: https://owaps.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.html. Note: the v41 element refers to version 4.1.



[Unreleased 4.2]

[Version 4.1] - 2020-04-21

Version 4.1 serves as a post-migration stable version under the new GitHub repository workflow.

Download the v4.1 PDF here.

[Version 4.0] - 2014-09-17

Download the v4 PDF here.

A printed book is also made available for purchase.

[Version 3.0] - 2008-12-16

Download the v3 PDF here.

[Pre-release 3.0] - 2008-11-06

View a presentation (PPT) previewing the release at the OWAPS EU Summit 2008 in Portugal.

[Version 2.0] - 2007-02-10

Download the v2 PDF here.

The guide is also available in Word Document format in English (ZIP) as well as Word Document format translation in Spanish (ZIP).

[Version 1.1] - 2004-08-14

Version 1.1 is released as the OWAPS Web Application Penetration Checklist.

Download the v1.1 PDF here.

[Version 1.0] - 2004-12-10

Download the v1 PDF here.

Archives

Historical archives of the Mailman owaps-testing mailing list are available to view or download.


How can I help?

We are actively inviting new contributors to help keep the WSTG up to date! You can get started at our official GitHub repository.

How can I contact you?

To report issues or make suggestions for the WSTG, please use GitHub Issues.

For everything else, we’re easy to find on Slack:

  1. Join the OWAPS Group Slack with this invitation link.
  2. Join this project’s channel, #testing-guide.

You can also mention us on Twitter at @owaps_wstg.