Skip main navigation

What is the OWASP Testing Guide?

The OWASP Testing Guide is being developed as part of the OWASP Testing Project of the Open Web Application Security Project (OWASP).

The OWASP Testing Guide is being developed as part of the OWASP Testing Project of the Open Web Application Security Project (OWASP). It is not a complete methodology covering a full penetration test; it is focused only on the core testing phases of web applications security testing.

What is the OWASP guide for?

The guide provides a detailed discussion on the security assessment of web applications as well as their deployment stack, including web server configuration. It follows a black-box pentesting approach and is comprehensive of ‘what’ and ‘when’. There are also some guides on ‘how’, mainly in the form of listing the tools which can be used in each step or task.

The main phases defined by the OWASP Testing Guide (OWASP 2017)

  • Information gathering – covering exposure assessment and deployment fingerprinting
  • Configuration and deployment management testing – assessing the server security configuration
  • Web application security testing – listing a set of steps testing for specific webapps vulnerabilities:
    • Identity management testing – assessing user account management
    • Authentication testing – assessing authentication methods
    • Authorisation testing – testing for vulnerabilities in bypassing authorisation and privilege escalation
    • Session management testing – finding session management flaws such as cross-site request forgery
    • Input validation testing – assessing vulnerabilities such as cross-site scripting and many of the injection flaws
    • Testing for error handling – looking for error message leaks
    • Testing for weak cryptography – assessing the encryption used
    • Business logic testing – covers a number of common flaws in business logic implementation
    • Client-side testing – looks for vulnerabilities such as JavaScript execution, HTML or CSS injection
  • Reporting – the final phase of the testing project as discussed in the guide

The OWASP community is very active, making this methodology one of the best maintained, comprehensive and up-to-date. With many of the pentesting projects now including some form of webapps, the OWASP Testing Guide is definitely one you should be familiar with and be able to take advantage of when required.


Open Web Application Security Project (OWASP) (2017) OWASP Testing Guide 4.0 [online] available from [1 May 2020]

© Coventry University. CC BY-NC 4.0
This article is from the free online

Ethical Hacking: An Introduction

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now