Convert Figma logo to code with AI

OWASP logowstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.

7,099
1,307
7,099
54
View on GitHub

Top Related Projects

OWASP's avatar

CheatSheetSeries

27,554

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

OWASP's avatar

ASVS

2,678

Application Security Verification Standard

OWASP's avatar

Top10

4,235

Official OWASP Top 10 Document Repository

Quick Overview

The OWASP Web Security Testing Guide (WSTG) is a comprehensive manual for web application security testing. It provides a framework of best practices for testing the security of web applications and web services, covering various aspects of web security assessment.

Pros

  • Comprehensive coverage of web application security testing techniques
  • Regularly updated to address emerging threats and technologies
  • Open-source and community-driven, ensuring diverse perspectives and contributions
  • Widely recognized and respected in the cybersecurity industry

Cons

  • Can be overwhelming for beginners due to its extensive content
  • Requires frequent updates to keep pace with rapidly evolving web technologies
  • Some sections may lack depth in certain specialized areas of web security
  • Implementation of all recommended tests can be time-consuming for large applications

Getting Started

To get started with the OWASP Web Security Testing Guide:

  1. Visit the official GitHub repository: https://github.com/OWASP/wstg
  2. Read the project's README file for an overview and contribution guidelines
  3. Navigate to the document folder to access the guide's content
  4. Start with the "Introduction and Objectives" section to understand the guide's structure
  5. Use the table of contents to find specific testing categories or techniques
  6. Consider joining the OWASP Slack channel for discussions and support

Note: This is not a code library, so there are no code examples or quick start instructions. The WSTG is a comprehensive guide for manual and automated web application security testing.

Competitor Comparisons

OWASP logo

CheatSheetSeries

27,554

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

Pros of CheatSheetSeries

  • More concise and focused content, easier for quick reference
  • Covers a broader range of security topics beyond web testing
  • Regularly updated with new cheat sheets and security best practices

Cons of CheatSheetSeries

  • Less in-depth coverage of specific testing methodologies
  • May not provide as much context or explanation for each security concept
  • Lacks the structured testing framework approach found in wstg

Code Comparison

While both repositories primarily focus on documentation rather than code, they do include some code snippets for illustration. Here's a brief comparison:

wstg:

<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>

CheatSheetSeries:

// Secure password storage using bcrypt
const bcrypt = require('bcrypt');
const saltRounds = 10;
const hashedPassword = await bcrypt.hash(password, saltRounds);

The wstg example focuses on HTML structure for testing, while CheatSheetSeries provides more practical security implementation snippets.

OWASP logo

ASVS

2,678

Application Security Verification Standard

Pros of ASVS

  • Provides a comprehensive set of security requirements for web applications
  • Offers a structured approach to application security verification
  • Includes detailed guidelines for different levels of security assurance

Cons of ASVS

  • May be overwhelming for beginners due to its extensive coverage
  • Requires more interpretation and adaptation for specific project needs
  • Less focused on practical testing techniques compared to WSTG

Code Comparison

ASVS example (security requirement):

V1.1.3 Verify that all authentication controls are enforced on the server side.

WSTG example (testing guideline):

4.4.3 Testing for Weak Lock Out Mechanism
- Attempt to log in with an incorrect password multiple times
- Check if the account is locked after a certain number of attempts

While ASVS focuses on defining security requirements, WSTG provides practical testing guidelines. ASVS offers a more comprehensive security framework, while WSTG is more hands-on and testing-oriented. Both repositories complement each other, with ASVS setting the standards and WSTG offering methods to verify compliance with those standards.

OWASP logo

Top10

4,235

Official OWASP Top 10 Document Repository

Pros of Top10

  • Concise and easy to understand, focusing on the most critical security risks
  • Widely recognized and adopted in the industry
  • Updated regularly to reflect current security trends

Cons of Top10

  • Less comprehensive than WSTG, covering only the top 10 risks
  • Provides less detailed testing methodologies and techniques
  • May not cover all specific vulnerabilities relevant to a particular application

Code Comparison

While both repositories primarily contain documentation rather than code, WSTG includes more specific testing examples. Here's a brief comparison:

WSTG example (SQL Injection):

SELECT * FROM users WHERE name = '' OR '1'='1';

Top10 example (general guideline):

Implement input validation and parameterized queries

The WSTG provides more concrete examples of vulnerabilities, while Top10 offers higher-level guidance.

Summary

WSTG is a comprehensive testing guide with detailed methodologies, while Top10 focuses on the most critical security risks. WSTG is more suitable for in-depth security testing, whereas Top10 serves as a quick reference for prioritizing security efforts.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

OWASP Web Security Testing Guide

Contributions Welcome OWASP Flagship Twitter Follow

Creative Commons License

Welcome to the official repository for the Open Web Application Security Project® (OWASP®) Web Security Testing Guide (WSTG). The WSTG is a comprehensive guide to testing the security of web applications and web services. Created by the collaborative efforts of security professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations all over the world.

We are currently working on release version 5.0. You can read the current document here on GitHub.

For the last stable release, check release 4.2. Also available online.

How To Reference WSTG Scenarios

Each scenario has an identifier in the format WSTG-<category>-<number>, where: 'category' is a 4 character upper case string that identifies the type of test or weakness, and 'number' is a zero-padded numeric value from 01 to 99. For example:WSTG-INFO-02 is the second Information Gathering test.

The identifiers may change between versions. Therefore, it is preferable that other documents, reports, or tools use the format: WSTG-<version>-<category>-<number>, where: 'version' is the version tag with punctuation removed. For example: WSTG-v42-INFO-02 would be understood to mean specifically the second Information Gathering test from version 4.2.

If identifiers are used without including the <version> element, they should be assumed to refer to the latest Web Security Testing Guide content. As the guide grows and changes this becomes problematic, which is why writers or developers should include the version element.

Linking

Linking to Web Security Testing Guide scenarios should be done using versioned links not stable or latest, which will change with time. However, it is the project team's intention that versioned links do not change. For example: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.html. Note: the v42 element refers to version 4.2.

Contributions, Feature Requests, and Feedback

We are actively inviting new contributors! To start, read the contribution guide.

First time here? Here are GitHub's suggestions for first-time contributors to this repository.

This project is only possible thanks to the work of many dedicated volunteers. Everyone is encouraged to help in ways large and small. Here are a few ways you can help:

  • Read the current content and help us fix any spelling mistakes or grammatical errors.
  • Help with translation efforts.
  • Choose an existing issue and submit a pull request to fix it.
  • Open a new issue to report an opportunity for improvement.

To learn how to contribute successfully, read the contribution guide.

Successful contributors appear on the project's list of authors, reviewers, or editors.

Chat With Us

We're easy to find on Slack:

  1. Join the OWASP Group Slack with this invitation link.
  2. Join this project's channel, #testing-guide.

Feel free to ask questions, suggest ideas, or share your best recipes.

You can @ us on Twitter @owasp_wstg.

You can also join our Google Group.

Project Leaders

Core Team

Translations

Open Web Application Security Project and OWASP are registered trademarks of the OWASP Foundation, Inc.