OWASP Web Security Testing Guide

OWASP Flagship, CC BY-SA 4.0

The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.

The WSTG is a comprehensive guide to testing the security of web applications and web services. Created by the collaborative efforts of cybersecurity professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations all over the world.


View the always-current stable version at /stable.


We are currently developing release version 5.0.

You can read the latest development documents in our official GitHub repository or view the bleeding-edge content at /latest.


[Unreleased 4.1] - 2020

Version 4.1 serves as a post-migration stable version under the new GitHub repository workflow.

[Version 4.0] - 2014-09-17

Download the v4 PDF here.

A printed book is also available for purchase.

[Version 3.0] - 2008-12-16

Download the v3 PDF here.

[Pre-release 3.0] - 2008-11-06

View a presentation (PPT) previewing the release at the OWASP EU Summit 2008 in Portugal.

[Version 2.0] - 2007-02-10

Download the v2 PDF here.

The guide is also available in Word Document format in English (ZIP), along with a Spanish translation in Word Document format (ZIP).

[Version 1.1] - 2004-08-14

Version 1.1 was released as the OWASP Web Application Penetration Checklist.

Download the v1.1 PDF here.

[Version 1.0] - 2004-12-10

Download the v1 PDF here.


Historical archives of the Mailman owasp-testing mailing list are available to view or download.

How can I help?

We are actively inviting new contributors to help keep the WSTG up to date! You can get started at our official GitHub repository.

How can I contact you?

To report issues or make suggestions for the WSTG, please use GitHub Issues.

For everything else, we’re easy to find on Slack:

  1. Join the OWASP Group Slack with this invitation link.
  2. Join this project’s channel, #testing-guide.

You can @ us on Twitter @owasp_wstg.