OWASP Web Security Testing Guide

OWASP Flagship project. License: CC BY-SA 4.0.

The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.

The WSTG is a comprehensive guide to testing the security of web applications and web services. Created by the collaborative efforts of cybersecurity professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations all over the world.

We are currently working on release version 5.0. You can read the current document in our official GitHub repository.

Version 4

17th September, 2014: Release of v4

Download the v4 PDF here.

A printed book is also available for purchase.

Version 3

16th December, 2008: Release of v3

Download the v3 PDF here.

6th November, 2008: Preview of v3

View a presentation (PPT) previewing the release at the OWASP EU Summit 2008 in Portugal.

Version 2

10th February, 2007: Release of v2

Download the v2 PDF here.

The guide is also available in Word document format in English (ZIP) and as a Spanish translation in Word document format (ZIP).

Version 1.1

14th July, 2004: Release of the “OWASP Web Application Penetration Checklist”

Download the v1.1 PDF here.

Version 1

10th December, 2004: Release of v1

Download the v1 PDF here.


Historical archives of the Mailman owasp-testing mailing list are available to view or download.

How can I help?

We are actively inviting new contributors to help keep the WSTG up to date! You can get started at our official GitHub repository.

How can I contact you?

To report issues or make suggestions for the WSTG, please use GitHub Issues.

For everything else, we’re easy to find on Slack:

  1. Join the OWASP Group Slack with this invitation link.
  2. Join this project’s channel, #testing-guide.

You can @ us on Twitter @owasp_wstg.