What It Is
The definitive reference for web application security testing. WSTG is a comprehensive, categorized catalog of test cases covering every major web attack surface:
- Information Gathering — Fingerprinting, search engine discovery, application mapping
- Configuration & Deployment Management — Default configs, HTTP methods, file extensions
- Identity Management — Account provisioning, user enumeration, role definitions
- Authentication — Credential transport, lockout, bypass, multi-factor
- Authorization — Path traversal, privilege escalation, IDOR
- Session Management — Cookie attributes, fixation, CSRF, timeout
- Input Validation — XSS, SQL injection, command injection, template injection, and the full injection family
- Error Handling — Stack traces, error codes, information leakage
- Cryptography — TLS configuration, weak ciphers, padding oracle
- Business Logic — Workflow bypass, function abuse, race conditions
- Client-Side — DOM XSS, JavaScript execution, clickjacking, WebSockets
Why It Matters
This is the reference you keep open during an engagement, not just before one. Each test case includes clear objectives, step-by-step testing procedures, and remediation guidance. It’s the closest thing to a complete web app pentest playbook that exists in the public domain.
Community-maintained and continuously updated — it evolves with the threat landscape.
When to Use It
Every web application pentest. PTES tells you how to run the engagement; WSTG tells you what to test once you’re in the application layer. They’re complementary, not competing.
The Offensive Angle
The business logic and client-side sections are where automated scanners fall short and manual testing shines. A scanner finds reflected XSS. A pentester using WSTG’s business logic tests finds that you can skip the payment step by replaying a modified workflow request. Scanners test syntax; WSTG tests semantics.
Pairs Well With
- OWASP ASVS — WSTG tests how; ASVS defines what the requirements are
- PTES — Engagement workflow that WSTG test cases plug into (phases 4-5)
- OWASP MASTG — Companion guide for mobile-specific testing