WSTG - v4.1



Open and collaborative knowledge: that is the OWASP way.

With V4 we realized a new guide that will be the standard de-facto guide to perform Web Application Penetration Testing.

— Matteo Meucci

OWASP thanks the many authors, reviewers, and editors for their hard work in bringing this guide to where it is today. If you have any comments or suggestions on the Testing Guide, please feel free to open an Issue or submit a fix/contribution via Pull Request to our GitHub repo.

Version 4.1

This minor release represents a transitional step between the 2014 release of v4 via the OWASP wiki, and the preparation of v5, currently underway on GitHub.

Copyright (c) 2020 The OWASP Foundation.

This document is released under the Creative Commons 4.0 License. Please read and understand the license and copyright conditions.


  • Elie Saad
  • Matteo Meucci
  • Rick Mitchell

Core Team

  • Rejah Rehim
  • Victoria Drake


  • Elie Saad
  • Janos Zold
  • Jeremy Bonghwan Choi
  • Joel Espunya
  • Manh Pham Tien
  • Mark Clayton
  • Rick Mitchell
  • Rubal Jain
  • Tal Argoni
  • Victoria Drake

Graphic Designers

  • Hugo Costa
  • Jishnu Vijayan C K
  • Muhammed Anees

Reviewers or Editors

  • Asharaf Ali
  • Elie Saad
  • Jeremy Bonghwan Choi
  • Lukasz Lubczynski
  • Patrick Santos
  • Rejah Rehim
  • Rick Mitchell
  • Roman Mueller
  • Tom Bowyer
  • Victoria Drake


  • Java, Java Web Server, and JSP are registered trademarks of Sun Microsystems, Inc.
  • Merriam-Webster is a trademark of Merriam-Webster, Inc.
  • Microsoft is a registered trademark of Microsoft Corporation.
  • Octave is a service mark of Carnegie Mellon University.
  • OWASP is a registered trademark of the OWASP Foundation
  • VeriSign and Thawte are registered trademarks of VeriSign, Inc.
  • Visa is a registered trademark of VISA USA.

All other products and company names may be trademarks of their respective owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

Contacting OWASP

Contact details for the OWASP Foundation are available online. If you have a question concerning a particular project, we strongly recommend using the Google Group for that project. Many questions can also be answered by searching the OWASP web site, so please check there first.

Follow Us

Follow OWASP on LinkedIn

Follow @owasp_wstg on twitter