wstg
The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
Top Related Projects
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
Application Security Verification Standard
Official OWASP Top 10 Document Repository
Quick Overview
The OWASP Web Security Testing Guide (WSTG) is a comprehensive manual for web application security testing. It provides a framework of best practices for testing the security of web applications and web services, covering various aspects of web security assessment.
Pros
- Comprehensive coverage of web application security testing techniques
- Regularly updated to address emerging threats and technologies
- Open-source and community-driven, ensuring diverse perspectives and contributions
- Widely recognized and respected in the cybersecurity industry
Cons
- Can be overwhelming for beginners due to its extensive content
- Requires frequent updates to keep pace with rapidly evolving web technologies
- Some sections may lack depth in certain specialized areas of web security
- Implementation of all recommended tests can be time-consuming for large applications
Getting Started
To get started with the OWASP Web Security Testing Guide:
- Visit the official GitHub repository: https://github.com/OWASP/wstg
- Read the project's README file for an overview and contribution guidelines
- Navigate to the document folder to access the guide's content
- Start with the "Introduction and Objectives" section to understand the guide's structure
- Use the table of contents to find specific testing categories or techniques
- Consider joining the OWASP Slack channel for discussions and support
Note: This is not a code library, so there are no code examples or quick start instructions. The WSTG is a comprehensive guide for manual and automated web application security testing.
Competitor Comparisons
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
Pros of CheatSheetSeries
- More concise and focused content, easier for quick reference
- Covers a broader range of security topics beyond web testing
- Regularly updated with new cheat sheets and security best practices
Cons of CheatSheetSeries
- Less in-depth coverage of specific testing methodologies
- May not provide as much context or explanation for each security concept
- Lacks the structured testing framework approach found in wstg
Code Comparison
While both repositories primarily focus on documentation rather than code, they do include some code snippets for illustration. Here's a brief comparison:
wstg:
<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="Login">
</form>
CheatSheetSeries:
// Secure password storage using bcrypt
const bcrypt = require('bcrypt');
const saltRounds = 10;
// await is only valid inside an async function (or an ES module), so the call is wrapped
async function hashPassword(password) {
  return bcrypt.hash(password, saltRounds);
}
The wstg example focuses on HTML structure for testing, while CheatSheetSeries provides more practical security implementation snippets.
Application Security Verification Standard
Pros of ASVS
- Provides a comprehensive set of security requirements for web applications
- Offers a structured approach to application security verification
- Includes detailed guidelines for different levels of security assurance
Cons of ASVS
- May be overwhelming for beginners due to its extensive coverage
- Requires more interpretation and adaptation for specific project needs
- Less focused on practical testing techniques compared to WSTG
Code Comparison
ASVS example (security requirement):
V1.1.3 Verify that all authentication controls are enforced on the server side.
WSTG example (testing guideline):
4.4.3 Testing for Weak Lock Out Mechanism
- Attempt to log in with an incorrect password multiple times
- Check if the account is locked after a certain number of attempts
While ASVS focuses on defining security requirements, WSTG provides practical testing guidelines. ASVS offers a more comprehensive security framework, while WSTG is more hands-on and testing-oriented. Both repositories complement each other, with ASVS setting the standards and WSTG offering methods to verify compliance with those standards.
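The lockout test quoted above checks a server-side control from the outside. As an added illustration (not code from WSTG or ASVS), the following Python implements a minimal account lockout policy and a check that follows the same two steps: repeated wrong passwords, then confirmation that the account is locked even for the correct password. The class and constant names, the PBKDF2 user store and the injectable clock are this example's own assumptions.

```python
# Added example: a minimal server-side lockout policy plus a check that mirrors
# WSTG 4.4.3 (repeated bad passwords, then verify the account is locked).
# LockoutPolicy, MAX_ATTEMPTS, LOCKOUT_SECONDS and the USERS store are all
# constructed for this illustration, not taken from any project.
import hashlib
import hmac
import time

MAX_ATTEMPTS = 5          # failed logins allowed before the account locks
LOCKOUT_SECONDS = 900     # how long the lock holds (15 minutes)


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-static-salt"       # per-user salts in real systems
USERS = {"alice": _hash("correct horse battery staple", _SALT)}  # constructed


class LockoutPolicy:
    """Tracks consecutive failed attempts per account and enforces a lock window."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so the expiry can be tested
        self.failures = {}          # username -> consecutive failed attempts
        self.locked_until = {}      # username -> clock value when the lock expires

    def is_locked(self, username: str) -> bool:
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear the state so the user may try again.
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def login(self, username: str, password: str) -> str:
        """Return 'locked', 'ok' or 'bad_credentials'.

        The lock is checked before the password so that a correct password
        does not reveal whether the account is locked.
        """
        if self.is_locked(username):
            return "locked"
        stored = USERS.get(username)
        # Always compute the hash so unknown users cost the same as known ones.
        candidate = _hash(password, _SALT)
        valid = stored is not None and hmac.compare_digest(stored, candidate)
        if valid:
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_ATTEMPTS:
            self.locked_until[username] = self.clock() + LOCKOUT_SECONDS
        return "bad_credentials"


def run_lockout_check(policy: LockoutPolicy, username: str) -> dict:
    """Step 1: log in with a wrong password MAX_ATTEMPTS times.
    Step 2: confirm the account is locked even for the correct password."""
    results = [policy.login(username, "wrong-password") for _ in range(MAX_ATTEMPTS)]
    after = policy.login(username, "correct horse battery staple")
    return {"attempts_before_lock": results.count("bad_credentials"),
            "locked": after == "locked"}


if __name__ == "__main__":
    print(run_lockout_check(LockoutPolicy(), "alice"))
```

A finding in the WSTG sense would be `locked` coming back `False`, or a lock that clears on a correct password rather than on a timer. The injectable clock is what lets the expiry path be verified without waiting fifteen minutes.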
Official OWASP Top 10 Document Repository
Pros of Top10
- Concise and easy to understand, focusing on the most critical security risks
- Widely recognized and adopted in the industry
- Updated regularly to reflect current security trends
Cons of Top10
- Less comprehensive than WSTG, covering only the top 10 risks
- Provides less detailed testing methodologies and techniques
- May not cover all specific vulnerabilities relevant to a particular application
Code Comparison
While both repositories primarily contain documentation rather than code, WSTG includes more specific testing examples. Here's a brief comparison:
WSTG example (SQL Injection):
SELECT * FROM users WHERE name = '' OR '1'='1';
Top10 example (general guideline):
Implement input validation and parameterized queries
The WSTG provides more concrete examples of vulnerabilities, while Top10 offers higher-level guidance.
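To connect the two snippets above, here is an added Python example (not code from WSTG or the Top 10) that runs the same lookup two ways against a constructed in-memory SQLite table: once built by string concatenation, once with a bound parameter as the Top 10 guideline recommends, with an allow-list validator in front. The table contents and function names are this example's own.

```python
# Added example: the WSTG payload against a concatenated query and against a
# parameterized one. The users table and all names are constructed here.
import re
import sqlite3

INJECTION = "' OR '1'='1"   # the input that yields the query shown in the WSTG example


def make_db() -> sqlite3.Connection:
    """Constructed sample data, not a real user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Concatenation: the quote characters in the input become SQL syntax."""
    query = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Binding: the driver sends the value separately from the statement,
    so the input is compared as data and never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(name: str) -> bool:
    """Allow-list validation: reject anything outside the expected character set.
    This is defence in depth; the parameterized query is the primary control."""
    return bool(USERNAME_RE.match(name))


def compare(name: str) -> dict:
    conn = make_db()
    return {
        "valid_input": is_valid_username(name),
        "vulnerable": find_user_vulnerable(conn, name),
        "parameterized": find_user_parameterized(conn, name),
    }


if __name__ == "__main__":
    print(compare("bob"))
    print(compare(INJECTION))
```

With the injection string the concatenated query returns every row, while the parameterized query returns none because no user is literally named `' OR '1'='1`; the validator rejects the input before either query would run.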
Summary
WSTG is a comprehensive testing guide with detailed methodologies, while Top10 focuses on the most critical security risks. WSTG is more suitable for in-depth security testing, whereas Top10 serves as a quick reference for prioritizing security efforts.
README
OWASP Web Security Testing Guide
Welcome to the official repository for the Open Web Application Security Project® (OWASP®) Web Security Testing Guide (WSTG). The WSTG is a comprehensive guide to testing the security of web applications and web services. Created by the collaborative efforts of security professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations all over the world.
We are currently working on release version 5.0. You can read the current document here on GitHub.
For the last stable release, check release 4.2. Also available online.
- How To Reference WSTG Scenarios
- Contributions, Feature Requests, and Feedback
- Chat With Us
- Project Leaders
- Core Team
- Translations
How To Reference WSTG Scenarios
Each scenario has an identifier in the format WSTG-<category>-<number>, where 'category' is a 4-character upper-case string that identifies the type of test or weakness, and 'number' is a zero-padded numeric value from 01 to 99. For example: WSTG-INFO-02 is the second Information Gathering test.
The identifiers may change between versions. Therefore, it is preferable that other documents, reports, or tools use the format WSTG-<version>-<category>-<number>, where 'version' is the version tag with punctuation removed. For example: WSTG-v42-INFO-02 would be understood to mean specifically the second Information Gathering test from version 4.2.
If identifiers are used without the <version> element, they should be assumed to refer to the latest Web Security Testing Guide content. As the guide grows and changes this becomes problematic, which is why writers or developers should include the version element.
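The identifier rules above are simple enough to encode. The following added Python (not part of the WSTG project) parses both forms, validates the category and number ranges the README gives, and pins an unversioned identifier to a release so that reports keep pointing at the same test. The function names and the choice to treat a missing version as "latest" in the report helper are this example's own.

```python
# Added example: parser and normalizer for WSTG scenario identifiers as the
# README defines them. Function names are this example's own.
import re

# WSTG-<category>-<number>, with an optional <version> element such as v42.
_ID_RE = re.compile(
    r"^WSTG-(?:(?P<version>v\d+)-)?(?P<category>[A-Z]{4})-(?P<number>\d{2})$"
)


def parse_wstg_id(identifier: str) -> dict:
    """Split an identifier into its version (None if absent), category and number."""
    m = _ID_RE.match(identifier)
    if not m:
        raise ValueError(f"not a WSTG identifier: {identifier!r}")
    number = int(m.group("number"))
    if not 1 <= number <= 99:
        raise ValueError(f"number must be 01-99: {identifier!r}")
    return {"version": m.group("version"),
            "category": m.group("category"),
            "number": number}


def version_tag(release: str) -> str:
    """Turn a release label such as '4.2' or 'v4.2' into the tag 'v42'
    (the version with punctuation removed)."""
    digits = re.sub(r"[^0-9]", "", release)
    if not digits:
        raise ValueError(f"no version digits in {release!r}")
    return "v" + digits


def pin_version(identifier: str, release: str) -> str:
    """Return the identifier with an explicit version element. An identifier
    that already carries one is returned unchanged, since it names a specific
    test in a specific release."""
    parts = parse_wstg_id(identifier)
    tag = parts["version"] or version_tag(release)
    return f"WSTG-{tag}-{parts['category']}-{parts['number']:02d}"


def unversioned_ids(identifiers) -> list:
    """List the identifiers in a report that would be read as 'latest'."""
    return [i for i in identifiers if parse_wstg_id(i)["version"] is None]


if __name__ == "__main__":
    report = ["WSTG-INFO-02", "WSTG-v42-ATHN-03"]
    print(unversioned_ids(report))
    print([pin_version(i, "4.2") for i in report])
```

Running the helper over a report's identifiers before publication catches the unversioned form the README warns about.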
Linking
Linking to Web Security Testing Guide scenarios should be done using versioned links, not stable or latest, which will change with time. However, it is the project team's intention that versioned links do not change. For example: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.html. Note: the v42 element refers to version 4.2.
Contributions, Feature Requests, and Feedback
We are actively inviting new contributors! To start, read the contribution guide.
First time here? Here are GitHub's suggestions for first-time contributors to this repository.
This project is only possible thanks to the work of many dedicated volunteers. Everyone is encouraged to help in ways large and small. Here are a few ways you can help:
- Read the current content and help us fix any spelling mistakes or grammatical errors.
- Help with translation efforts.
- Choose an existing issue and submit a pull request to fix it.
- Open a new issue to report an opportunity for improvement.
To learn how to contribute successfully, read the contribution guide.
Successful contributors appear on the project's list of authors, reviewers, or editors.
Chat With Us
We're easy to find on Slack:
- Join the OWASP Group Slack with this invitation link.
- Join this project's channel, #testing-guide.
Feel free to ask questions, suggest ideas, or share your best recipes.
You can @ us on Twitter @owasp_wstg.
You can also join our Google Group.
Project Leaders
Core Team
Translations
Open Web Application Security Project and OWASP are registered trademarks of the OWASP Foundation, Inc.