WSTG – Web Security Testing Guide

WSTG (Web Security Testing Guide) is a standardized methodology for testing the security of web applications, created by the OWASP WSTG initiative. It is intended to provide cybersecurity professionals with a comprehensive guide for testing all areas of a web application – from user inputs, through authentication, to cryptographic controls.

At Haxoris, we use OWASP WSTG as the primary reference for penetration testing of web applications. It helps ensure that nothing is overlooked – we test according to proven procedures that are continually updated to match evolving threats.

This page explains our penetration testing methodology guided by WSTG: the scope we cover, how we execute engagements, and the tangible deliverables you receive. Whether you are preparing for compliance, improving SDLC security, or validating new releases, a WSTG-aligned web application penetration test provides reliable, repeatable results.

  • Covers more than 60 test cases
  • Focuses on real-world exploitation scenarios
  • Increases clients' confidence in the security of their applications

What's Included in WSTG?

OWASP WSTG consists of well-defined testing categories that structure a consistent security testing framework for web applications:

  • WSTG-INFO – Information gathering and reconnaissance to map the attack surface
  • WSTG-ATHN – Authentication testing of login flows, MFA, and session controls
  • WSTG-AUTHZ – Authorization testing for access control and IDOR weaknesses
  • WSTG-INPUT – Input validation and data manipulation (injection, XSS, SSRF, deserialization)
  • WSTG-CRYP – Cryptography, secrets handling, and sensitive data storage
  • WSTG-BUSL – Business logic flaws and abuse of intended workflows
  • WSTG-CONF – Configuration and session management, security headers, error handling

These areas form the backbone of a WSTG-based penetration testing methodology, ensuring comprehensive coverage from discovery to exploitation and verification.

Why Do We Use WSTG?

WSTG provides a consistent and objective penetration testing methodology, making it an ideal framework for assessing web application security. We use it for:

  • Internal and external testing
  • Developing secure applications from the start
  • Compliance testing against standards (e.g., ISO, NIS2)

By aligning with OWASP WSTG, findings are mapped to recognizable categories, aiding prioritization and remediation. The methodology also scales for agile SDLC, CI/CD, and DevSecOps workflows.

How Our WSTG-Aligned Penetration Testing Methodology Works

  1. Scoping & Threat Modeling – Define assets, roles, entry points, abuse cases.
  2. Reconnaissance (WSTG-INFO) – Enumerate endpoints, technologies, attack surface.
  3. Authentication (WSTG-ATHN) – Test auth flows, MFA, password policies, session lifecycle.
  4. Authorization (WSTG-AUTHZ) – Verify access controls, IDOR, vertical/horizontal privilege checks.
  5. Input Handling (WSTG-INPUT) – Probe for injection, XSS, deserialization, SSRF patterns.
  6. Crypto & Storage (WSTG-CRYP) – Assess TLS, secrets handling, at-rest/in-transit protections.
  7. Business Logic (WSTG-BUSL) – Validate workflows, bypasses, rate limits, abuse of trust.
  8. Configuration (WSTG-CONF) – Review headers, hardening, error handling, third-party integrations.
  9. Exploitation & Proof – Safely demonstrate impact with controlled scenarios.
  10. Validation & Retest – Confirm fixes and provide closure evidence.

Tools & Techniques

We combine manual testing with reputable tools to maximize coverage and reduce false positives.

  • Intercepting proxies (Burp Suite), SAST/DAST scanners, browser devtools
  • OWASP testing checklists and customized WSTG playbooks
  • Secure, isolated lab environments and responsible exploitation procedures

What You Receive

  • Executive Summary – Risk overview tailored for leadership and non-technical stakeholders.
  • Technical Findings Report – Issues categorized per OWASP WSTG with evidence, CVSS, and remediation guidance.
  • Issue Tracker Export – Ready-to-import CSV/JSON for your workflow (Jira, Azure Boards, etc.).
  • Remediation Workshop – Walkthrough with engineers to accelerate fixes.
  • One Free Retest – Validation after remediation within a defined window.

Benefits of a WSTG-Based Penetration Test

  • Comprehensive coverage mapped to a recognized standard
  • Actionable, reproducible findings with prioritized remediation
  • Alignment with secure SDLC, DevSecOps, and compliance objectives
  • Improved stakeholder confidence and faster release cycles
  • Reduced risk of exploitable vulnerabilities in production
  • Clear evidence for auditors and third parties

Why Choose Haxoris for WSTG-Based Penetration Testing?

Experience

Our experts have long-standing experience in offensive cybersecurity, red teaming and penetration testing.

Transparency

Every step of the process is transparent and understandable, so you know what to expect. We communicate with you continuously to achieve the best results.

Collaboration

We closely collaborate with your team to achieve the best results. We also provide you with all the necessary information and outputs.

Professionalism

Our work is always performed at the highest level of professionalism, and we adhere to ethical and security principles throughout every engagement.

They Trust Us

Pixel Federation, DanubePay, Alison, Ditec, Sanaclis, Butteland, Piano, Ultima Payments, Amerge, DS, Wezeo, DTCA

WSTG & Penetration Testing Methodology – FAQ

OWASP WSTG is the Web Security Testing Guide – a community-maintained security testing framework that defines a practical penetration testing methodology for web applications.

It standardizes coverage and reporting, reduces blind spots, and maps findings to recognizable categories, making remediation clearer for development teams.

WSTG is a guide. We tailor scope to your application, risk appetite, and timelines while preserving methodological rigor.

You receive an executive summary, technical findings with evidence and remediation steps, and a retest to verify fixes.
