OWASP WSTG
What is OWASP WSTG?
OWASP WSTG: The OWASP Web Security Testing Guide, a comprehensive open-source manual that describes how to test web applications for the most common security weaknesses.
The OWASP Web Security Testing Guide (WSTG) is an open-source, community-maintained handbook that documents techniques and test cases for penetration testing and security assessment of web applications. Version 4.2 organizes its test content into chapters: Information Gathering, Configuration and Deployment Management, Identity Management, Authentication, Authorization, Session Management, Input Validation, Error Handling, Cryptography, Business Logic, Client-side, and API Testing. Each chapter is broken into numbered tests with a stable identifier of the form WSTG-<category>-<number> (e.g. WSTG-ATHN-01, testing for credentials transported over an encrypted channel), and each test describes its objectives, how to test, and references. The WSTG is used as the basis for many pentest methodologies and RFP testing requirements, and as a learning resource alongside ASVS and the Top 10.
● Examples
- 01
A pentest report indexing each finding to the corresponding WSTG-INPV (Input Validation) test ID.
- 02
A new application security team using WSTG checklists to onboard pentesters and standardize methodology.
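As an added example (not part of the original page or of the WSTG project itself), the following Python helper supports the reporting workflow in example 01: it validates WSTG v4.2 test identifiers, groups findings under their canonical ID, and summarizes per-chapter coverage so that chapters no test was run in are visible in the report. The category prefixes follow the v4.2 table of contents; the tested-ID set, the finding records and the layout of the report dictionary are constructed for this example.

```python
import re
from collections import defaultdict

# Category prefixes used in WSTG v4.2 identifiers (WSTG-<CAT>-<NN>), keyed to
# the chapter each one belongs to, in table-of-contents order.
WSTG_CATEGORIES = {
    "INFO": "Information Gathering",
    "CONF": "Configuration and Deployment Management",
    "IDNT": "Identity Management",
    "ATHN": "Authentication",
    "ATHZ": "Authorization",
    "SESS": "Session Management",
    "INPV": "Input Validation",
    "ERRH": "Error Handling",
    "CRYP": "Cryptography",
    "BUSL": "Business Logic",
    "CLNT": "Client-side",
    "APIT": "API Testing",
}

_WSTG_ID = re.compile(r"^WSTG-(?P<cat>[A-Z]{4})-(?P<num>\d{2})$")


def parse_wstg_id(test_id):
    """Validate a WSTG test identifier and return (category, number).

    Input is trimmed and upper-cased so "wstg-athn-01" is accepted; anything
    that does not match the WSTG-XXXX-NN shape or names an unknown category
    (for instance the common typo WSTG-AUTHN-01) raises ValueError so it
    never reaches the report.
    """
    m = _WSTG_ID.match(test_id.strip().upper())
    if m is None:
        raise ValueError(f"malformed WSTG id: {test_id!r}")
    cat = m.group("cat")
    if cat not in WSTG_CATEGORIES:
        raise ValueError(f"unknown WSTG category {cat!r} in {test_id!r}")
    return cat, int(m.group("num"))


def normalize_wstg_id(test_id):
    """Canonical spelling of an id, e.g. " wstg-inpv-05 " -> "WSTG-INPV-05"."""
    cat, num = parse_wstg_id(test_id)
    return f"WSTG-{cat}-{num:02d}"


def index_findings(findings):
    """Group finding titles by canonical WSTG id: the report's cross-reference table."""
    index = defaultdict(list)
    for finding in findings:
        index[normalize_wstg_id(finding["wstg"])].append(finding["title"])
    return dict(index)


def chapter_coverage(tested_ids, findings):
    """Per chapter: tests executed, tests that produced findings, and the finding titles.

    A finding logged against a test counts as that test having been executed,
    even if the tester forgot to record it in tested_ids.
    """
    index = index_findings(findings)
    executed = {normalize_wstg_id(t) for t in tested_ids} | set(index)
    report = {}
    for cat, chapter in WSTG_CATEGORIES.items():
        run = sorted(t for t in executed if t.split("-")[1] == cat)
        hits = [t for t in run if t in index]
        report[cat] = {
            "chapter": chapter,
            "tests_run": len(run),
            "tests_with_findings": len(hits),
            "findings": [title for t in hits for title in index[t]],
        }
    return report


def untested_chapters(report):
    """Chapters with no executed tests: the methodology gaps to call out in the report."""
    return [cat for cat, row in report.items() if row["tests_run"] == 0]


# Constructed sample input for this example: tests the tester ticked off, and
# the findings they logged (titles are illustrative, not real assessment results).
SAMPLE_TESTED = {"WSTG-INFO-01", "WSTG-ATHN-01", "WSTG-ATHN-03",
                 "WSTG-INPV-05", "WSTG-INPV-07", "WSTG-SESS-02"}
SAMPLE_FINDINGS = [
    {"title": "Login form submitted over plain HTTP", "wstg": "wstg-athn-01"},
    {"title": "SQL injection in search parameter", "wstg": "WSTG-INPV-05"},
    {"title": "Reflected XSS in error page", "wstg": "WSTG-INPV-01"},  # not in SAMPLE_TESTED
    {"title": "Session cookie missing Secure flag", "wstg": "WSTG-SESS-02"},
]

if __name__ == "__main__":
    report = chapter_coverage(SAMPLE_TESTED, SAMPLE_FINDINGS)
    for cat, row in report.items():
        print(f"{cat} {row['chapter']:<40} run={row['tests_run']} "
              f"with findings={row['tests_with_findings']}")
    print("untested chapters:", ", ".join(untested_chapters(report)))
```

Rejecting unknown category prefixes at parse time matters more than it looks: a report that files a finding under a non-existent ID cannot be cross-checked against the guide by the client, and a finding recorded against a test the tester never ticked off is a sign the checklist and the evidence have drifted apart, which is why the coverage function treats any finding as proof that its test ran.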
● Frequently asked questions
What is OWASP WSTG?
The OWASP Web Security Testing Guide, a comprehensive open-source manual that describes how to test web applications for the most common security weaknesses. It belongs to the Compliance & Frameworks category of cybersecurity.
What does OWASP WSTG mean?
The OWASP Web Security Testing Guide, a comprehensive open-source manual that describes how to test web applications for the most common security weaknesses.
How does OWASP WSTG work?
The guide is organized as a checklist. Version 4.2 groups tests into chapters (Information Gathering, Configuration and Deployment Management, Identity Management, Authentication, Authorization, Session Management, Input Validation, Error Handling, Cryptography, Business Logic, Client-side, and API Testing), and every test carries a stable identifier of the form WSTG-<category>-<number>, such as WSTG-ATHN-01. A test entry states its objectives, explains how to test, and lists references, so a tester can work through the relevant chapters, record which tests were executed, and cite the test ID for each finding. That shared numbering is what lets pentest methodologies, RFP requirements, and reports refer to the same test unambiguously.
How does OWASP WSTG relate to defence?
The WSTG is a testing methodology, not a threat, so there is nothing to defend against. Defenders use it in the opposite direction: requirements are drawn from the ASVS, the WSTG test cases are used to verify that those requirements actually hold in the running application, and confirmed findings are fed back into remediation and regression testing. Reports that cite WSTG test IDs also make it easy to see which areas were never tested.
What are other names for OWASP WSTG?
Common alternative names include: Web Security Testing Guide, WSTG.
● Related terms
- OWASP ASVS (compliance)
The OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs.
- OWASP Top 10 (compliance)
An OWASP awareness document that lists the most critical security risks to web applications, updated periodically from real-world vulnerability data.
- OWASP ZAP (compliance)
Zed Attack Proxy, an open-source web application security testing tool originally from OWASP and now stewarded by Checkmarx and the ZAP community.
- DAST (Dynamic Application Security Testing) (appsec)
Black-box security testing that probes a running application over the network to find vulnerabilities visible only at runtime, such as injection, auth flaws and misconfigurations.
- Compliance (compliance)
The discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.
● See also
- OWASP MASVS