WSTG - v4.2



As we focus on incremental improvement, this release introduces numerous updates. We’ve standardized scenario formats to create a better reading experience, added objectives for each testing scenario, merged sections, and added new scenarios on some modern testing topics.

— Rick Mitchell

OWASP thanks the many authors, reviewers, and editors for their hard work in bringing this guide to where it is today. If you have any comments or suggestions on the Testing Guide, please feel free to open an Issue or submit a fix/contribution via Pull Request to our GitHub repository.

Copyright (c) 2020 The OWASP Foundation.

This document is released under the Creative Commons 4.0 License. Please read and understand the license and copyright conditions.


  • Elie Saad
  • Rick Mitchell

Core Team

  • Rejah Rehim
  • Victoria Drake


  • Aaron Williams
  • Alessia Michela Di Campi
  • Elie Saad
  • Ismael Goncalves
  • Janos Zold
  • Jeremy Bonghwan Choi
  • Joel Espunya
  • Manh Pham Tien
  • Mark Clayton
  • Or Asaf
  • rbsec
  • Rick Mitchell
  • Rishu Ranjan
  • Rubal Jain
  • Samuele Casarin
  • Stefano Calzavara
  • Tal Argoni
  • Victoria Drake
  • Phu Nguyen (Tony)

Graphic Designers

  • Hugo Costa
  • Jishnu Vijayan C K
  • Muhammed Anees
  • Ramzi Fazah

Reviewers or Editors

  • Abhi M Balakrishnan
  • Asharaf Ali
  • Elie Saad
  • Eoin Murphy
  • Francisco Bustos
  • frozensolid
  • Hsiang-Chih Hsu
  • Jeremy Bonghwan Choi
  • Lukasz Lubczynski
  • Miguel Arevalo
  • Najam Ul Saqib
  • Nikoleta Misheva
  • Patrick Santos
  • Rejah Rehim
  • Rick Mitchell
  • Roman Mueller
  • Thomas Lim
  • Tom Bowyer
  • Victoria Drake


  • Java, Java Web Server, and JSP are registered trademarks of Sun Microsystems, Inc.
  • Merriam-Webster is a trademark of Merriam-Webster, Inc.
  • Microsoft is a registered trademark of Microsoft Corporation.
  • Octave is a service mark of Carnegie Mellon University.
  • Open Web Application Security Project and OWASP are registered trademarks of the OWASP Foundation, Inc.
  • VeriSign and Thawte are registered trademarks of VeriSign, Inc.
  • Visa is a registered trademark of VISA USA.

All other products and company names may be trademarks of their respective owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

Contacting OWASP

Contact details for the OWASP Foundation are available online. If you have a question concerning a particular project, we strongly recommend using the Google Group for that project. Many questions can also be answered by searching the OWASP web site, so please check there first.

Follow Us

Follow OWASP on LinkedIn

Follow @owasp_wstg on twitter