OWASP Developer Guide

Web Security Testing Guide

6.1.1 Web Security Testing Guide

The Web Security Testing Guide (WSTG) is a comprehensive guide to testing the security of web applications and web services.

The WSTG documentation project is an OWASP Flagship Project and can be accessed as a web based document.

What is WSTG?

The Web Security Testing Guide (WSTG) document is a comprehensive guide to testing the security of web applications and web services. The WSTG provides a framework of best practices commonly used by external penetration testers and organizations conducting in-house testing.

The WSTG document describes a suggested web application test framework and also provides general information on how to test web applications with good testing practice.

The tests are split out into domains:

  1. Configuration and Deployment Management
  2. Identity Management
  3. Authentication
  4. Authorization
  5. Session Management
  6. Input Validation
  7. Error Handling
  8. Weak Cryptography
  9. Business Logic
  10. Client-side
  11. API

Each test in each domain has enough information to understand and run the test including:

  • Summary
  • Test objectives
  • How to test
  • Suggested remediation
  • Recommended tools and references

The tests are identified with a unique reference number, for example ‘WSTG-APIT-01’ refers to the first test in the ‘API Testing’ domain provided in the WSTG document. These references are widely used and understood by the test and security communities.

The WSTG also provides a suggested Web Security Testing Framework which can be tailored for a particular organization’s processes or can provide a generally accepted reference framework.

Why use it?

The WSTG document is widely used and has become the defacto standard on what is required for comprehensive web application testing. An organization’s security testing process should consider the contents of the WSTG, or have equivalents, which help the organization conform to general expectation of the security community. The WSTG reference document can be adopted completely, partially or not at all; according to an organization’s needs and requirements.

How to use it

The OWASP Spotlight series provides an overview of how to use the WSTG: ‘Project 1 - Applying OWASP Testing Guide’.

The WSTG is accessed via the online web document. The section on principles and techniques of testing provides foundational knowledge, along with advice on testing within typical Secure Development Lifecycle (SDLC) and penetration testing methodologies.

The individual tests described in the various testing domains should be selected or discarded as necessary; not every test will be relevant to every web application or organizational requirement, and the tests should be tailored to provide at least the minimum test coverage while not expending too much test effort.

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.