Web Security Testing Guide

The OWASP Web Security Testing Guide (WSTG) is a comprehensive guide to testing the security of web applications and web services.

The WSTG documentation project is an OWASP Flagship Project and can be accessed as a web based document.

What is WSTG?

The Web Security Testing Guide (WSTG) document is a comprehensive guide to testing the security of web applications and web services. The WSTG provides a framework of best practices commonly used by external penetration testers and organizations conducting in-house testing.

The WSTG document describes a suggested web application test framework and also provides general information on how to test web applications with good testing practice.

The tests are split out into domains:

1. Configuration and Deployment Management
2. Identity Management
3. Authentication
4. Authorization
5. Session Management
6. Input Validation
7. Error Handling
8. Weak Cryptography
9. Business Logic
10. Client-side
11. API

Each test in each domain has enough information to understand and run the test including:

• Summary
• Test objectives
• How to test
• Suggested remediation
• Recommended tools and references

The tests are identified with a unique reference number, for example ‘WSTG-APIT-01’ refers to the first test in the ‘API Testing’ domain provided in the WSTG document. These references are widely used and understood by the test and security communities.

The WSTG also provides a suggested Web Security Testing Framework which can be tailored for a particular organization’s processes or can provide a generally accepted reference framework.

Why use it?

The WSTG document is widely used and has become the defacto standard on what is required for comprehensive web application testing. An organization’s security testing process should consider the contents of the WSTG, or have equivalents, which help the organization conform to general expectation of the security community. The WSTG reference document can be adopted completely, partially or not at all; according to an organization’s needs and requirements.

How to use it

The OWASP Spotlight series provides an overview of how to use the WSTG: ‘Project 1 - Applying OWASP Testing Guide’.

The WSTG is accessed via the online web document. The section on principles and techniques of testing provides foundational knowledge, along with advice on testing within typical Secure Development Lifecycle (SDLC) and penetration testing methodologies.

The individual tests described in the various testing domains should be selected or discarded as necessary; not every test will be relevant to every web application or organizational requirement, and the tests should be tailored to provide at least the minimum test coverage while not expending too much test effort.

References

• OWASP Web Security Testing Guide (WSTG) project
• WSTG downloads

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.

The OWASP ® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.

Developer Guide

• 1. Introduction
• 2. Foundations
• 2.1 Security fundamentals
• 2.2 Secure development and integration
• 2.3 Principles of security
• 2.4 Principles of cryptography
• 2.5 OWASP Top 10
• 3. Requirements
• 3.1 Requirements in practice
• 3.2 Risk profile
• 3.3 OpenCRE and Integration Standards
• 3.4 SecurityRAT
• 3.5 Application Security Verification Standard
• 3.6 Mobile Application Security
• 3.7 Security Knowledge Framework
• 4. Design
• 4.1 Threat modeling
• 4.1.1 Threat modeling in practice
• 4.1.2 pytm
• 4.1.3 Threat Dragon
• 4.1.4 Cornucopia
• 4.1.5 LINDDUN GO
• 4.1.6 Threat Modeling toolkit
• 4.2 Web application checklist
• 4.2.1 Checklist: Define Security Requirements
• 4.2.2 Checklist: Leverage Security Frameworks and Libraries
• 4.2.3 Checklist: Secure Database Access
• 4.2.4 Checklist: Encode and Escape Data
• 4.2.5 Checklist: Validate All Inputs
• 4.2.6 Checklist: Implement Digital Identity
• 4.2.7 Checklist: Enforce Access Controls
• 4.2.8 Checklist: Protect Data Everywhere
• 4.2.9 Checklist: Implement Security Logging and Monitoring
• 4.2.10 Checklist: Handle all Errors and Exceptions
• 4.3 Mobile application checklist
• 5. Implementation
• 5.1 Documentation
• 5.1.1 Top 10 Proactive Controls
• 5.1.2 Go Secure Coding Practices
• 5.1.3 Cheatsheet Series
• 5.2 Dependencies
• 5.2.1 Dependency_Check
• 5.2.2 Dependency_Track
• 5.2.3 CycloneDX
• 5.3 Secure Libraries
• 5.3.1 Enterprise Security API library
• 5.3.2 CSRFGuard library
• 5.3.3 OWASP Secure Headers Project
• 5.4 Implementation Do's and Don'ts
• 5.4.1 Container security
• 5.4.2 Secure coding
• 5.4.3 Cryptographic practices
• 5.4.4 Application spoofing
• 5.4.5 Content Security Policy (CSP)
• 5.4.6 Exception and error handling
• 5.4.7 File management
• 5.4.8 Memory management
• 6. Verification
• 6.1 Guides
• 6.1.1 Web Security Testing Guide
• 6.1.2 MAS Testing Guide
• 6.1.3 Application Security Verification Standard
• 6.2 Tools
• 6.2.1 Zed Attack Proxy
• 6.2.2 Amass
• 6.2.3 Offensive Web Testing Framework
• 6.2.4 Nettacker
• 6.2.5 OWASP Secure Headers Project
• 6.3 Frameworks
• 6.3.1 secureCodeBox
• 6.4 Vulnerability management
• 6.4.1 DefectDojo
• 6.5 Verification Do's and Don'ts
• 6.5.1 Secure environment
• 6.5.2 System hardening
• 6.5.3 Open Source software
• 7. Training and Education
• 7.1 Vulnerable Applications
• 7.1.1 Juice Shop
• 7.1.2 WebGoat
• 7.1.3 PyGoat
• 7.1.4 Security Shepherd
• 7.2 Secure Coding Dojo
• 7.3 Security Knowledge Framework
• 7.4 SamuraiWTF
• 7.5 OWASP Top 10 project
• 7.6 Mobile Top 10
• 7.7 API Top 10
• 7.8 WrongSecrets
• 7.9 OWASP Snakes and Ladders
• 8. Culture building and Process maturing
• 8.1 Security Culture
• 8.2 Security Champions
• 8.2.1 Security champions program
• 8.2.2 Security Champions Guide
• 8.2.3 Security Champions Playbook
• 8.3 Software Assurance Maturity Model
• 8.4 Application Security Verification Standard
• 8.5 Mobile Application Security
• 9. Operations
• 9.1 DevSecOps Guideline
• 9.2 Coraza Web Application Firewall
• 9.3 ModSecurity Web Application Firewall
• 9.4 OWASP CRS
• 10. Metrics
• 11. Security gap analysis
• 11.1 Guides
• 11.1.1 Software Assurance Maturity Model
• 11.1.2 Application Security Verification Standard
• 11.1.3 Mobile Application Security
• 11.2 Bug Logging Tool

Upcoming OWASP Global Events

Corporate Supporters

OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our General Disclaimer. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2024, OWASP Foundation, Inc.