A Retrieval-Augmented Generation (RAG) system that indexes the OWASP Web Security Testing Guide (WSTG) into a vector database, providing instant access to security testing methodologies via MCP (Model Context Protocol) for Claude Code integration.
Project description
OWASP WSTG RAG
A Retrieval-Augmented Generation (RAG) system that indexes the OWASP Web Security Testing Guide (WSTG) into a vector database, providing instant access to security testing methodologies via REST API and MCP (Model Context Protocol) for Claude Code integration.
Features
- Complete WSTG Coverage - All 12 WSTG testing categories indexed and searchable
- Semantic Search - Find relevant testing methodologies using natural language queries
- MCP Integration - Direct integration with Claude Code for AI-assisted penetration testing
- REST API - HTTP endpoints for programmatic access
- WSTG ID Lookup - Retrieve complete test cases by WSTG identifier (e.g.,
WSTG-INPV-05)
WSTG Categories
| Category | WSTG ID | Description |
|---|---|---|
| Information Gathering | WSTG-INFO | Fingerprinting, enumeration, mapping |
| Configuration | WSTG-CONF | Server/platform configuration testing |
| Identity Management | WSTG-IDNT | User registration, account provisioning |
| Authentication | WSTG-ATHN | Login, password policy, MFA testing |
| Authorization | WSTG-ATHZ | Privilege escalation, IDOR, access control |
| Session Management | WSTG-SESS | Session tokens, cookies, fixation |
| Input Validation | WSTG-INPV | SQLi, XSS, command injection, SSTI |
| Error Handling | WSTG-ERRH | Error messages, stack traces |
| Cryptography | WSTG-CRYP | TLS, encryption, hashing |
| Business Logic | WSTG-BUSL | Workflow bypass, file upload |
| Client-Side | WSTG-CLNT | DOM XSS, clickjacking, WebSockets |
| API Testing | WSTG-APIT | REST, GraphQL, API security |
Quick Start
1. Install Dependencies
cd RAG_runner
pip install -r requirements.txt
2. Build the Database
python3 build_database.py
This will:
- Parse all OWASP WSTG HTML files
- Create semantic chunks for retrieval
- Build the ChromaDB vector database
3. Start the Server
python3 -m server.http_server
Server runs on http://localhost:5004
4. Test the API
# Health check
curl http://localhost:5004/health
# Search for SQL injection testing
curl -X POST http://localhost:5004/search \
-H "Content-Type: application/json" \
-d '{"query": "SQL injection testing methodology"}'
# Get specific WSTG test case
curl http://localhost:5004/wstg/WSTG-INPV-05
REST API Endpoints
| Endpoint | Method | Description |
|---|---|---|
/health |
GET | Health check |
/info |
GET | Database statistics |
/list |
GET | List all documents |
/categories |
GET | List categories and WSTG IDs |
/doc/{id} |
GET | Get document by ID |
/wstg/{id} |
GET | Get all chunks for WSTG ID |
/search |
POST | Semantic search |
Search Request Body
{
"query": "SQL injection testing",
"n_results": 5,
"category": "input_validation",
"wstg_id": "WSTG-INPV-05"
}
Claude Code Integration (MCP)
Add to ~/.claude.json:
{
"mcpServers": {
"owasp-wstg-rag": {
"command": "python3",
"args": ["/path/to/OWASP_WSTG_Rag/RAG_runner/server/mcp_client.py"],
"env": {
"WSTG_RAG_URL": "http://localhost:5004"
}
}
}
}
MCP Tools
| Tool | Description |
|---|---|
search_wstg |
Search WSTG for testing methodologies |
search_test_methodology |
Search for how-to testing guides |
search_test_objectives |
Search for test objectives |
get_wstg_test_case |
Get complete test case by WSTG ID |
get_wstg_document |
Get document by ID |
list_wstg_categories |
List all categories and WSTG IDs |
wstg_health |
Health check |
wstg_info |
Database statistics |
Example Usage in Claude Code
# Search for SQL injection testing methodology
search_wstg("SQL injection testing methodology")
# Get specific test case
get_wstg_test_case("WSTG-INPV-05")
# Search within a category
search_wstg("authentication bypass", category_filter="authentication")
# Get test objectives for IDOR
search_test_objectives("IDOR insecure direct object reference")
Project Structure
OWASP_WSTG_Rag/
├── README.md
├── CLAUDE.md # Claude Code project guide
├── raw_data/ # OWASP WSTG HTML source files
│ ├── 01-Information_Gathering/
│ ├── 02-Configuration_and_Deployment_Management_Testing/
│ ├── 03-Identity_Management_Testing/
│ ├── 04-Authentication_Testing/
│ ├── 05-Authorization_Testing/
│ ├── 06-Session_Management_Testing/
│ ├── 07-Input_Validation_Testing/
│ ├── 08-Testing_for_Error_Handling/
│ ├── 09-Testing_for_Weak_Cryptography/
│ ├── 10-Business_Logic_Testing/
│ ├── 11-Client-side_Testing/
│ └── 12-API_Testing/
└── RAG_runner/
├── build_database.py # Main build pipeline
├── requirements.txt
├── parsers/
│ └── wstg_parser.py # HTML parser for WSTG
├── chunking/
│ └── chunker.py # Semantic chunking
├── server/
│ ├── vector_store.py # ChromaDB wrapper
│ ├── http_server.py # REST API server
│ └── mcp_client.py # MCP tools for Claude Code
└── data/
├── processed/ # Intermediate JSON files
└── chroma_db/ # Vector database
Architecture
┌─────────────────────────────────────────────────────────────────┐
│ OWASP WSTG HTML Files │
│ (raw_data/*.html) │
└────────────────────────────┬────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ wstg_parser.py │
│ Parse HTML → Structured JSON │
└────────────────────────────┬────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ chunker.py │
│ Create Semantic Chunks for RAG │
└────────────────────────────┬────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ ChromaDB Vector Store │
│ (data/chroma_db/) │
└────────────────────────────┬────────────────────────────────────┘
│
┌──────────────┴──────────────┐
▼ ▼
┌──────────────────────────┐ ┌──────────────────────────┐
│ http_server.py │ │ mcp_client.py │
│ REST API :5004 │ │ MCP for Claude Code │
│ │ │ │
│ GET /health │ │ search_wstg() │
│ GET /info │ │ get_wstg_test_case() │
│ GET /wstg/{id} │ │ search_test_methodology │
│ POST /search │ │ list_wstg_categories() │
└──────────────────────────┘ └──────────────────────────┘
Use Cases
AI-Assisted Penetration Testing
Integrate with Claude Code to get instant access to OWASP testing methodologies during security assessments:
User: "How do I test for SQL injection?"
Claude: [Queries WSTG RAG]
→ Returns WSTG-INPV-05 methodology with:
- Test objectives
- Step-by-step testing procedures
- Example payloads
- Tools to use
Automated Security Testing
Use the REST API to integrate WSTG methodologies into automated security pipelines:
import requests
# Get testing methodology for current test
response = requests.post('http://localhost:5004/search', json={
'query': 'session fixation testing',
'n_results': 3
})
methodology = response.json()['results']
Security Training
Quick reference for security testing methodologies during training or CTF challenges.
Requirements
- Python 3.8+
- ChromaDB
- BeautifulSoup4
- httpx
- MCP SDK (for Claude Code integration)
License
This project uses content from the OWASP Web Security Testing Guide, which is licensed under Creative Commons Attribution-ShareAlike 4.0.
Related Projects
- OWASP WSTG - Source material
- Claude Code - AI coding assistant with MCP support
- ChromaDB - Vector database for embeddings
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file iflow_mcp_zilbonn_owasp_wstg_rag-0.1.0.tar.gz.
File metadata
- Download URL: iflow_mcp_zilbonn_owasp_wstg_rag-0.1.0.tar.gz
- Upload date:
- Size: 17.5 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.0 {"installer":{"name":"uv","version":"0.10.0","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Debian GNU/Linux","version":"13","id":"trixie","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
11cd300258901f0639a0ed33eb943595f2c4f81dfd5564e62364d952056ed5ee
|
|
| MD5 |
4630b77251e2faa7dc37de6d9678d823
|
|
| BLAKE2b-256 |
06056d2f56aa726b9677311c03f544575e9f54a7e60629f085fab40b4a830849
|
File details
Details for the file iflow_mcp_zilbonn_owasp_wstg_rag-0.1.0-py3-none-any.whl.
File metadata
- Download URL: iflow_mcp_zilbonn_owasp_wstg_rag-0.1.0-py3-none-any.whl
- Upload date:
- Size: 17.5 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.0 {"installer":{"name":"uv","version":"0.10.0","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Debian GNU/Linux","version":"13","id":"trixie","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d78bc3e5b9013e620cbf3170f9dc231d57b2f8953cb71bf9cc26d0afd447a423
|
|
| MD5 |
78d5114f982c7e7a03319de79aa81308
|
|
| BLAKE2b-256 |
7c71af398ba603fb8b9cd81848e82da1ba34ab2619587ac4d93eff5c03888800
|
