wstg
WSTG is an open-source, community-maintained guide published by OWASP that documents comprehensive web application security testing methodologies and best practices. It serves as a reference framework for penetration testers, security professionals, and development teams to systematically evaluate web application security.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | OWASP/wstg |
| Owner | OWASP |
| Primary language | Unknown |
| License | CC-BY-SA-4.0 — Requires review (not clearly OSI) |
| Stars | 9.6k |
| Forks | 1.6k |
| Open issues | 41 |
| Latest release | v4.2 (2020-12-03) |
| Last updated | 2026-06-30 |
| Source | https://github.com/OWASP/wstg |
What wstg is
The guide provides standardized test scenarios identified by versioned tags (e.g., WSTG-v42-INFO-02) covering information gathering, configuration testing, authentication, session management, authorization, business logic, client-side testing, and other web security domains. Version 4.2 is the latest stable release; version 5.0 is in active development.
Get the wstg source
Clone the repository and explore it locally.
git clone https://github.com/OWASP/wstg.gitcd wstg# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Version pinning is critical: always reference scenarios with version tags (e.g., WSTG-v42-INFO-02) to avoid confusion as content evolves between releases.
- Successful application requires trained security practitioners; the guide assumes familiarity with web technologies, HTTP, and common attack patterns.
- Organize test scenarios by category (information gathering, authentication, business logic, etc.) and map them to your specific application architecture and risk profile.
- Integrate WSTG into your documentation and reporting templates to standardize findings language and improve stakeholder communication.
- Plan for periodic review and updates as v5.0 matures; evaluate whether new or revised scenarios apply to your threat model.
When to avoid it — and what to weigh
- Seeking Automated Tooling — WSTG is a guide document, not a runnable tool or framework. If you need automated security scanning or test orchestration, you must pair it with separate tools (e.g., Burp Suite, OWASP ZAP).
- Requiring Hands-Off Compliance — WSTG provides guidance but requires skilled interpretation and manual execution. It is not a plug-and-play compliance engine; your team must understand and apply the scenarios appropriately.
- Needing Active Vendor Support — WSTG is community-driven with volunteer leadership. There is no commercial SLA, guaranteed response times, or dedicated support contracts available through the project.
- Time-Sensitive Security Certification — While WSTG v4.2 is stable, it was last released in December 2020. Emerging attack vectors or recent CVEs may not be documented; supplement with current threat intelligence.
License & commercial use
Licensed under CC-BY-SA-4.0 (Creative Commons Attribution Share Alike 4.0 International). This is a permissive, non-software license requiring attribution and any derivative works to be shared under the same license.
CC-BY-SA-4.0 permits commercial use, but you must: (1) attribute OWASP/WSTG, (2) license any derived work under CC-BY-SA-4.0, and (3) include the license text. You cannot proprietary-lock derivative content. Consult legal review if bundling with closed-source products. This is not a software license and is not an OSI-approved license; verify compliance with your legal team.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
WSTG itself is a reference document, not a runtime system, so typical application security concerns (injection, authentication bypass, etc.) do not apply to the guide. However: (1) when integrating WSTG scenarios into your testing tools or CI/CD, ensure those integrations are secure; (2) WSTG documents known attack methods and may be studied by threat actors, so do not assume testing guidance alone provides defense; (3) v4.2 is from 2020, so consult current threat intelligence for emerging web vulnerabilities (e.g., recent API exploits, zero-days). The guide is educational and does not provide real-time exploit information.
Alternatives to consider
NIST SP 800-153 (Guidelines for Testing and Evaluating Information Security Controls)
NIST provides federal/compliance-focused security testing guidance but is broader and less web-application-specific than WSTG. Useful if you need standards alignment (FISMA, federal contracts).
PTES (Penetration Testing Execution Standard)
PTES is another community-driven penetration testing framework. It covers similar ground but emphasizes engagement phases and client communication; less detailed on specific web test scenarios than WSTG.
OWASP Top 10 + Risk Rating Methodology
Lighter-weight alternative if you need rapid risk prioritization for common vulnerabilities. WSTG is more comprehensive; Top 10 is for executive/risk-focused summaries.
Build on wstg with DEV.co software developers
Use WSTG as a standardized reference for web application penetration testing. Pair with security tools and trained practitioners to implement comprehensive testing scenarios.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
wstg FAQ
Can I use WSTG for commercial penetration testing without paying a license fee?
How current is WSTG? Does it cover modern threats (e.g., GraphQL, API security)?
Is WSTG a tool or a guide?
Can we modify WSTG and use our customized version internally?
Custom software development services
Need help beyond evaluating wstg? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Integrate WSTG into Your Security Testing Program
Use WSTG as a standardized reference for web application penetration testing. Pair with security tools and trained practitioners to implement comprehensive testing scenarios.