Domain-Specific Testing

OWASP WSTG

Web Security Testing Guide

OWASP (Open Worldwide Application Security Project) Source Document →

What It Is

The definitive reference for web application security testing. WSTG is a comprehensive, categorized catalog of test cases covering every major web attack surface:

  • Information Gathering — Fingerprinting, search engine discovery, application mapping
  • Configuration & Deployment Management — Default configs, HTTP methods, file extensions
  • Identity Management — Account provisioning, user enumeration, role definitions
  • Authentication — Credential transport, lockout, bypass, multi-factor
  • Authorization — Path traversal, privilege escalation, IDOR
  • Session Management — Cookie attributes, fixation, CSRF, timeout
  • Input ValidationXSS, SQL injection, command injection, template injection, and the full injection family
  • Error Handling — Stack traces, error codes, information leakage
  • CryptographyTLS configuration, weak ciphers, padding oracle
  • Business Logic — Workflow bypass, function abuse, race conditions
  • Client-Side — DOM XSS, JavaScript execution, clickjacking, WebSockets

Why It Matters

This is the reference you keep open during an engagement, not just before one. Each test case includes clear objectives, step-by-step testing procedures, and remediation guidance. It’s the closest thing to a complete web app pentest playbook that exists in the public domain.

Community-maintained and continuously updated — it evolves with the threat landscape.

When to Use It

Every web application pentest. PTES tells you how to run the engagement; WSTG tells you what to test once you’re in the application layer. They’re complementary, not competing.

The Offensive Angle

The business logic and client-side sections are where automated scanners fall short and manual testing shines. A scanner finds reflected XSS. A pentester using WSTG’s business logic tests finds that you can skip the payment step by replaying a modified workflow request. Scanners test syntax; WSTG tests semantics.

Pairs Well With

  • OWASP ASVS — WSTG tests how; ASVS defines what the requirements are
  • PTES — Engagement workflow that WSTG test cases plug into (phases 4-5)
  • OWASP MASTG — Companion guide for mobile-specific testing