gitmyhub

wstg

★ 9.5k updated 2d ago

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.

The official OWASP Web Security Testing Guide, a comprehensive reference for penetration testers and security teams describing structured tests for finding common web application vulnerabilities.

setup: easy

complexity 1/5

The OWASP Web Security Testing Guide (WSTG) is a reference document for people who test the security of web applications and web services. OWASP stands for Open Worldwide Application Security Project, a nonprofit organization that produces free security resources. This repository is the official home of that guide, and it contains the full text written as Markdown files.

The guide describes how to check whether a web application is vulnerable to common attacks, such as leaking information it should not reveal, accepting inputs it should reject, or allowing users to do things they are not permitted to do. Each test scenario is assigned a short identifier (for example, WSTG-INFO-02) that security reports and tools can reference consistently across versions.

The primary audience is penetration testers and security teams who need a structured approach to evaluating a web application before it goes live or as part of an ongoing security program. Organizations use the guide as a checklist or a framework for planning security assessments. Bug bounty hunters also reference it when looking for classes of vulnerabilities to investigate.

The current actively developed version is 4.2, which is available online through the OWASP website and as downloadable releases tagged in this repository. Version 5.0 is in progress in the main branch.

This is a documentation project, not software. There is no code to run. Contributions are welcomed through GitHub pull requests, and translations into several languages (including Portuguese, Russian, Persian, Turkish, and Spanish) exist as separate repositories linked from the README.

Where it fits