explaingit

owasp/wstg

9,210 · Audience · ops, devops · Complexity · 1/5 · Setup · easy

TLDR

The official OWASP Web Security Testing Guide, a comprehensive reference for penetration testers and security teams describing structured tests for finding common web application vulnerabilities.

Mindmap

mindmap
  root((repo))
    What it is
      Security testing guide
      Official OWASP resource
      Markdown documentation
    Audience
      Penetration testers
      Security teams
      Bug bounty hunters
    Content
      Test identifiers
      Vulnerability categories
      Structured checklists
    Versions
      v4.2 stable release
      v5.0 in progress
      Multiple translations


Things people build with this

USE CASE 1

Use the guide as a structured checklist when assessing whether a web application is secure enough to go to production.

USE CASE 2

Reference specific test identifiers like WSTG-INFO-02 in security audit reports or bug bounty submissions for consistent, cross-tool traceability.

USE CASE 3

Plan a web application penetration test by mapping the guide's test categories to your scope and time budget.

Getting it running

Difficulty · easy Time to first run · 5min

In plain English

The OWASP Web Security Testing Guide (WSTG) is a reference document for people who test the security of web applications and web services. OWASP stands for Open Worldwide Application Security Project, a nonprofit organization that produces free security resources. This repository is the official home of that guide, and it contains the full text written as Markdown files.

The guide describes how to check whether a web application is vulnerable to common attacks, such as leaking information it should not reveal, accepting inputs it should reject, or allowing users to do things they are not permitted to do. Each test scenario is assigned a short identifier (for example, WSTG-INFO-02) that security reports and tools can reference consistently across versions.

The primary audience is penetration testers and security teams who need a structured approach to evaluating a web application before it goes live or as part of an ongoing security program. Organizations use the guide as a checklist or a framework for planning security assessments. Bug bounty hunters also reference it when looking for classes of vulnerabilities to investigate.

The current stable version is 4.2, which is available online through the OWASP website and as downloadable releases tagged in this repository. Version 5.0 is in progress in the main branch.

This is a documentation project, not software; there is no code to run. Contributions are welcomed through GitHub pull requests, and translations into several languages (including Portuguese, Russian, Persian, Turkish, and Spanish) exist as separate repositories linked from the README.

Copy-paste prompts

Prompt 1
I'm running a security assessment on a web app and want to follow OWASP WSTG. Which sections cover authentication weakness testing and session management flaws, and what are the test identifiers I should document?
Prompt 2
I'm writing a penetration test report and want to cite OWASP WSTG findings. Show me the correct format for referencing a test identifier and how to link it to a specific vulnerability I found.
Prompt 3
I'm a bug bounty hunter. Which OWASP WSTG test categories are most likely to surface high-severity findings in a typical web application, and where in the guide do I find them?


Verify against the repo before relying on details.