OWASP Web Security Testing Guide (WSTG)


The WSTG is a comprehensive guide to testing the security of web applications and web services. Created by the collaborative efforts of security professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations all over the world.

How to get this guide

To use this guide, please use a method listed below.


On Linux (for example Debian), run the following command:

git clone https://github.com/OWASP/wstg.git


Download directly from the following link:


How To Reference WSTG Scenarios

Each scenario has an identifier in the format WSTG-<category>-<number>, where: 'category' is a 4 character upper case string that identifies the type of test or weakness, and 'number' is a zero-padded numeric value from 01 to 99. For example: WSTG-INFO-02 is the second Information Gathering test.


The identifiers may change between versions, so it is preferable that other documents, reports, or tools use the format: WSTG-<version>-<category>-<number>, where: 'version' is the version tag with punctuation removed. For example: WSTG-v42-INFO-02 would be understood to mean specifically the second Information Gathering test from version 4.2.


If identifiers are used without including the <version> element then they should be assumed to refer to the latest Web Security Testing Guide content. Obviously as the guide grows and changes this becomes problematic, which is why writers or developers should include the version element.
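The two identifier forms described above are easy to get subtly wrong in tooling (a report that mixes versioned and unversioned ids, a lower-case category, a number of 00). The following Python is an added example written for this article; it is not part of the WSTG project. It parses both forms, rejects malformed ids, pins an unversioned id to an explicit version tag by stripping the punctuation as the guide prescribes, and extracts every id from free text. The sample report text and the helper names (parse_wstg_id, pin_version, find_wstg_ids) are constructed for the example; the assumption that a version tag such as v42 re-expands to 4.2 (single-digit major version) is labelled in the code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Identifier grammar taken from the article:
#   WSTG-<category>-<number>            unversioned, refers to the latest guide
#   WSTG-<version>-<category>-<number>  versioned, e.g. WSTG-v42-INFO-02
# category: 4 upper-case characters; number: zero-padded 01..99;
# version: the version tag with punctuation removed (v4.2 -> v42).
_ID_RE = re.compile(
    r"^WSTG-(?:(?P<version>v\d+)-)?(?P<category>[A-Z]{4})-(?P<number>\d{2})$"
)

# Constructed sample of report text for the extraction demo (not a real report).
SAMPLE_REPORT = (
    "Findings map to WSTG-INFO-02, WSTG-v42-INPT-05 and WSTG-ATHN-03; "
    "the strings wstg-info-02 and WSTG-INFOX-01 are not valid identifiers."
)


@dataclass(frozen=True)
class WstgId:
    category: str
    number: int
    version: Optional[str]  # e.g. "v42", or None when the id is unversioned

    @property
    def is_versioned(self) -> bool:
        return self.version is not None

    def human_version(self) -> Optional[str]:
        """Re-expand 'v42' into '4.2'.
        Assumption (example-specific): the major version is a single digit,
        which holds for the 4.x series the article refers to."""
        if self.version is None:
            return None
        digits = self.version[1:]
        return f"{digits[0]}.{digits[1:]}" if len(digits) > 1 else digits

    def canonical(self) -> str:
        """Render back to the exact textual form the article specifies."""
        parts = ["WSTG"]
        if self.version:
            parts.append(self.version)
        parts += [self.category, f"{self.number:02d}"]
        return "-".join(parts)


def parse_wstg_id(text: str) -> WstgId:
    """Parse a single identifier; raises ValueError for anything malformed."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a WSTG scenario identifier: {text!r}")
    number = int(m.group("number"))
    # The regex admits "00"; the guide's range is 01..99, so reject it here.
    if not 1 <= number <= 99:
        raise ValueError(f"number must be 01..99, got {m.group('number')}")
    return WstgId(m.group("category"), number, m.group("version"))


def pin_version(text: str, version_tag: str) -> str:
    """Rewrite an unversioned id to the versioned form the guide recommends,
    e.g. ('WSTG-INFO-02', 'v4.2') -> 'WSTG-v42-INFO-02'.
    Punctuation in the tag is dropped; an already versioned id is returned
    unchanged rather than silently re-pinned to a different version."""
    wid = parse_wstg_id(text)
    if wid.is_versioned:
        return wid.canonical()
    tag = re.sub(r"[^A-Za-z0-9]", "", version_tag)
    if tag.isdigit():  # accept a bare "4.2" as well as "v4.2"
        tag = "v" + tag
    if not re.fullmatch(r"v\d+", tag):
        raise ValueError(f"unexpected version tag: {version_tag!r}")
    return WstgId(wid.category, wid.number, tag).canonical()


def find_wstg_ids(report_text: str) -> List[WstgId]:
    """Extract every well-formed identifier from free text such as a report.
    Matching is case-sensitive on purpose: categories are upper case."""
    pattern = re.compile(r"\bWSTG-(?:v\d+-)?[A-Z]{4}-\d{2}\b")
    return [parse_wstg_id(m.group(0)) for m in pattern.finditer(report_text)]


if __name__ == "__main__":
    for wid in find_wstg_ids(SAMPLE_REPORT):
        pinned = pin_version(wid.canonical(), "v4.2")
        print(f"{wid.canonical():>18}  versioned={wid.is_versioned}  pinned={pinned}")
```

Running the module prints the three valid ids from the sample text, showing which were already versioned and what each looks like once pinned to v4.2; find_wstg_ids deliberately skips the lower-case and five-letter strings because neither matches the grammar the article defines.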





Next steps:


This article was contributed by Jason Jacobs from Guyana. Jason is a member of the Caribbean CSPA.
