DEV.co
Open-Source Security · OWASP

wstg

WSTG is an open-source, community-maintained guide published by OWASP that documents comprehensive web application security testing methodologies and best practices. It serves as a reference framework for penetration testers, security professionals, and development teams to systematically evaluate web application security.

Source: GitHub — github.com/OWASP/wstg
9.6k
GitHub stars
1.6k
Forks
Unknown
Primary language
CC-BY-SA-4.0
License (Requires review (not clearly OSI))

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryOWASP/wstg
OwnerOWASP
Primary languageUnknown
LicenseCC-BY-SA-4.0 — Requires review (not clearly OSI)
Stars9.6k
Forks1.6k
Open issues41
Latest releasev4.2 (2020-12-03)
Last updated2026-06-30
Sourcehttps://github.com/OWASP/wstg

What wstg is

The guide provides standardized test scenarios identified by versioned tags (e.g., WSTG-v42-INFO-02) covering information gathering, configuration testing, authentication, session management, authorization, business logic, client-side testing, and other web security domains. Version 4.2 is the latest stable release; version 5.0 is in active development.

Quickstart

Get the wstg source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/OWASP/wstg.gitcd wstg# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Penetration Testing Framework Reference

Use WSTG as a structured checklist and methodology guide during web application penetration tests to ensure comprehensive coverage of known attack vectors and test scenarios.

Secure Development Training & Onboarding

Integrate WSTG content into developer training programs and security onboarding to establish shared vocabulary and understanding of web security testing requirements across engineering teams.

Security Audit & Compliance Documentation

Reference WSTG scenario identifiers in security reports, audit findings, and compliance documentation to provide standardized, versionable justifications and test scope definitions.

Implementation considerations

  • Version pinning is critical: always reference scenarios with version tags (e.g., WSTG-v42-INFO-02) to avoid confusion as content evolves between releases.
  • Successful application requires trained security practitioners; the guide assumes familiarity with web technologies, HTTP, and common attack patterns.
  • Organize test scenarios by category (information gathering, authentication, business logic, etc.) and map them to your specific application architecture and risk profile.
  • Integrate WSTG into your documentation and reporting templates to standardize findings language and improve stakeholder communication.
  • Plan for periodic review and updates as v5.0 matures; evaluate whether new or revised scenarios apply to your threat model.

When to avoid it — and what to weigh

  • Seeking Automated Tooling — WSTG is a guide document, not a runnable tool or framework. If you need automated security scanning or test orchestration, you must pair it with separate tools (e.g., Burp Suite, OWASP ZAP).
  • Requiring Hands-Off Compliance — WSTG provides guidance but requires skilled interpretation and manual execution. It is not a plug-and-play compliance engine; your team must understand and apply the scenarios appropriately.
  • Needing Active Vendor Support — WSTG is community-driven with volunteer leadership. There is no commercial SLA, guaranteed response times, or dedicated support contracts available through the project.
  • Time-Sensitive Security Certification — While WSTG v4.2 is stable, it was last released in December 2020. Emerging attack vectors or recent CVEs may not be documented; supplement with current threat intelligence.

License & commercial use

Licensed under CC-BY-SA-4.0 (Creative Commons Attribution Share Alike 4.0 International). This is a permissive, non-software license requiring attribution and any derivative works to be shared under the same license.

CC-BY-SA-4.0 permits commercial use, but you must: (1) attribute OWASP/WSTG, (2) license any derived work under CC-BY-SA-4.0, and (3) include the license text. You cannot proprietary-lock derivative content. Consult legal review if bundling with closed-source products. This is not a software license and is not an OSI-approved license; verify compliance with your legal team.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

WSTG itself is a reference document, not a runtime system, so typical application security concerns (injection, authentication bypass, etc.) do not apply to the guide. However: (1) when integrating WSTG scenarios into your testing tools or CI/CD, ensure those integrations are secure; (2) WSTG documents known attack methods and may be studied by threat actors, so do not assume testing guidance alone provides defense; (3) v4.2 is from 2020, so consult current threat intelligence for emerging web vulnerabilities (e.g., recent API exploits, zero-days). The guide is educational and does not provide real-time exploit information.

Alternatives to consider

NIST SP 800-153 (Guidelines for Testing and Evaluating Information Security Controls)

NIST provides federal/compliance-focused security testing guidance but is broader and less web-application-specific than WSTG. Useful if you need standards alignment (FISMA, federal contracts).

PTES (Penetration Testing Execution Standard)

PTES is another community-driven penetration testing framework. It covers similar ground but emphasizes engagement phases and client communication; less detailed on specific web test scenarios than WSTG.

OWASP Top 10 + Risk Rating Methodology

Lighter-weight alternative if you need rapid risk prioritization for common vulnerabilities. WSTG is more comprehensive; Top 10 is for executive/risk-focused summaries.

Software development agency

Build on wstg with DEV.co software developers

Use WSTG as a standardized reference for web application penetration testing. Pair with security tools and trained practitioners to implement comprehensive testing scenarios.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

wstg FAQ

Can I use WSTG for commercial penetration testing without paying a license fee?
Yes, under CC-BY-SA-4.0, you can use and commercialize WSTG-based services provided you: (1) attribute OWASP/WSTG, (2) share derivative works under CC-BY-SA-4.0, and (3) include the license. Consult your legal team if bundling with proprietary tools.
How current is WSTG? Does it cover modern threats (e.g., GraphQL, API security)?
v4.2 (Dec 2020) is stable and covers core web application testing. v5.0 is in active development on GitHub. Modern threat coverage (APIs, microservices, GraphQL) is being added but not yet released. Supplement v4.2 with current threat reports for emerging vulnerabilities.
Is WSTG a tool or a guide?
WSTG is documentation and methodology guidance. It is not executable software. You must use it alongside separate security tools (Burp Suite, OWASP ZAP, custom scanners) to implement the scenarios in your testing program.
Can we modify WSTG and use our customized version internally?
Yes, under CC-BY-SA-4.0. However, if you distribute your modifications (internally or externally), they must be licensed under CC-BY-SA-4.0 as well. Internal-only modifications are not subject to the share-alike requirement.

Custom software development services

Need help beyond evaluating wstg? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Integrate WSTG into Your Security Testing Program

Use WSTG as a standardized reference for web application penetration testing. Pair with security tools and trained practitioners to implement comprehensive testing scenarios.