Menu
Home
Projects
Groups
Chapters
Events
No events found
View all events
Meetings
No meetings found
View all meetings
News
No news posts found
View all posts
About
About OWASPOur MissionCorporate SupportProject HandbookSubmit Project

OWASP Web Security Testing Guide

The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.

About OWASP Web Security Testing Guide

Contributions

Any contributions to the guide itself should be made via the guide’s project repo. Contributions should only be made in the proper repo against the latest content. Please don’t open PRs here for versioned or stable content, they represent point-in-time state.

Stable

View the always-current stable version at stable.

Latest

We are currently developing release version 5.0. You can read the latest development documents in our official GitHub repository or view the bleeding-edge content at latest.

Versioned Releases

v4.2 is currently available as a web-hosted release and PDF. Previous releases are available as PDFs and in some cases web content via the Release Versions tab.

How To Reference WSTG Scenarios

Each scenario has an identifier in the format WSTG--, where: ‘category’ is a 4 character upper case string that identifies the type of test or weakness, and ‘number’ is a zero-padded numeric value from 01 to 99. For example:WSTG-INFO-02 is the second Information Gathering test. The identifiers may change between versions therefore it is preferable that other documents, reports, or tools use the format: WSTG---, where: ‘version’ is the version tag with punctuation removed. For example: WSTG-v41-INFO-02 would be understood to mean specifically the second Information Gathering test from version 4.1. If identifiers are used without including the element then they should be assumed to refer to the latest Web Security Testing Guide content. Obviously as the guide grows and changes this becomes problematic, which is why writers or developers should include the version element.

Linking

Linking to Web Security Testing Guide scenarios should be done using versioned links not stable or latest which will definitely change with time. However, it is the project team’s intention that versioned links not change. For example: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server. Note: the v42 element refers to version 4.2.

Project Resources

Project Leaders

Rick Mitchell

Leader

Email

Elie Saad

Leader

Email

Project Information

Corporate Supporters
OWASP Logo
OWASP is a nonprofit foundation improving software security through open-source projects, global communities, and education. All resources are free and open to everyone.
Quick Links
ProjectsChaptersCorporate SupportersEventsNewsAboutFinance & governanceFinance (all documents)BoardBoard EUCommunityVisit Store
Legal
Legal
Socials
LinkedInGitHubX (Twitter)FacebookYouTube
OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, OWASP Boston Application Security Conference, and LASCON are trademarks of the OWASP Foundation, Inc.
© 2026, OWASP Foundation Inc. All rights reserved.