Difference between revisions of "OWASP Testing Guide v4 Table of Contents"

@@ Line 1: / Line 1: @@
+{{OWASP Breakers}}
 __NOTOC__
-'''This is DRAFT of the table of content of the New Testing Guide v4.'''<br>
+'''This is the FINAL table of content of the New Testing Guide v4.'''<br>
-<br>You can download the stable version [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] <br>
+<br>You can download the Guide [https://www.owasp.org/images/1/19/OTGv4.pdf here] <br>
 Back to the OWASP Testing Guide Project:
 http://www.owasp.org/index.php/OWASP_Testing_Project
-'''Updated: 28th August 2012'''
+'''Testing Guide Wiki last Updated: April 2016'''
+[[ OWTGv4 Contributors list|'''Contributors List''']]
+----
-The following are the main improvements we have to realize: <br>
+== Table of Contents ==
-(1) - Add new testing techniques and OWASP Top10 update: <br>
-- Testing for HTTP Verb tampering<br>
-- Testing for HTTP Parameter Pollutions<br>
-- Testing for URL Redirection<br>
-- Testing for Insecure Direct Object References<br>
-- Testing for Insecure Cryptographic Storage<br>
-- Testing for Failure to Restrict URL Access<br>
-- Testing for Insufficient Transport Layer Protection<br>
-- Testing for Unvalidated Redirects and Forwards.<br>
-<br>
-(2) - Review and improve all the sections in v3,<br>
-<br>
-(3) - Create a more readable guide, eliminating some sections that are not
-really useful, Rationalize some sections as Session Management Testing.
-(4) Pavol says: - add new opensource testing tools that appeared during last 3 years
+==[[Testing Guide Foreword|Foreword by Eoin Keary]]==
-(and are missing in the OWASP Testing Guide v3)
-- add few useful and life-scenarios of possible
-vulnerabilities in Bussiness Logic Testing (many testers have no idea what
-vulnerabilities in Business Logic exactly mean)
-- "Brute force testing" of "session ID" is missing in "Session Management
+==[[Testing Guide Frontispiece |1. Frontispiece]]==
-Testing", describe other tools for Session ID entropy analysis
-(e.g. Stompy)
-- in "Data Validation Testing" describe some basic obfuscation methods for
+'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
-malicious code injection including the statements how it is possible to
-detect it (web application obfuscation is quite succesfull in bypassing
-many data validation controls)
-- split the phase Logout and Browser Cache Management" into two sections
+'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
-<br><br><br><br><br>
+==[[Testing Guide Introduction|2. Introduction]]==
-'''T A B L E    o f    C O N T E N T S (DRAFT)'''
-----
-==[[Testing Guide Foreword|Foreword by OWASP Chair]]== [To review--> OWASP Chair]
+'''[[Testing Guide Introduction#The_OWASP_Testing Project|2.1 The OWASP Testing Project]]'''
-==[[Testing Guide Frontispiece |1. Frontispiece]]== [To review--> Mat]
+'''[[Testing Guide Introduction#Principles_of_Testing|2.2 Principles of Testing]]'''
-'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]''' [To review--> Mat]
+'''[[Testing Guide Introduction#Testing_Techniques_Explained|2.3 Testing Techniques Explained]]'''
-'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]''' [To review--> ]
+'''[[Testing Guide Introduction#Manual_Inspections_.26_Reviews|2.4 Manual Inspections & Reviews]]'''
+'''[[Testing Guide Introduction#Threat_Modeling|2.5 Threat Modeling]]'''
-==[[Testing Guide Introduction|2. Introduction]]==
+'''[[Testing Guide Introduction#Source_Code_Review|2.6 Source Code Review]]'''
-'''2.1 The OWASP Testing Project'''
+'''[[Testing Guide Introduction#Penetration_Testing|2.7 Penetration Testing]]'''
-'''2.2 Principles of Testing'''
+'''[[Testing Guide Introduction#The_Need_for_a_Balanced_Approach|2.8 The Need for a Balanced Approach]]'''
-'''2.3 Testing Techniques Explained'''
+'''[[Testing Guide Introduction#Deriving_Security_Test_Requirements|2.9 Deriving Security Test Requirements]]'''
-.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]
+'''[[Testing Guide Introduction#Security_Tests_Integrated_in_Development_and_Testing_Workflows|2.10 Security Tests Integrated in Development and Testing Workflows]]'''
-.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]
+'''[[Testing Guide Introduction#Security_Test_Data_Analysis_and_Reporting|2.11 Security Test Data Analysis and Reporting]]'''
 ==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==
-'''3.1. Overview'''
+'''[[The_OWASP_Testing_Framework#Overview|3.1 Overview]]'''
+'''[[The_OWASP_Testing_Framework#Phase_1:_Before_Development_Begins|3.2 Phase 1: Before Development Begins]]'''
+'''[[The_OWASP_Testing_Framework#Phase_2:_During_Definition_and_Design|3.3 Phase 2: During Definition and Design]]'''
+'''[[The_OWASP_Testing_Framework#Phase_3:_During_Development|3.4 Phase 3: During Development]]'''
+'''[[The_OWASP_Testing_Framework#Phase_4:_During_Deployment|3.5 Phase 4: During Deployment]]'''
+'''[[The_OWASP_Testing_Framework#Phase_5:_Maintenance_and_Operations|3.6 Phase 5: Maintenance and Operations]]'''
+'''[[The_OWASP_Testing_Framework#A_Typical_SDLC_Testing_Workflow|3.7 A Typical SDLC Testing Workflow]]'''
+'''[[Penetration testing methodologies |3.8 Penetration Testing Methodologies]]'''
+==[[Web Application Penetration Testing |4. Web Application Security Testing]]==
+[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']]
+[[Testing Checklist| 4.1.1 Testing Checklist]]
+[[Testing Information Gathering|'''4.2 Information Gathering ''']]
+[[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001) |4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001)]]
+[[Fingerprint Web Server (OTG-INFO-002)|4.2.2 Fingerprint Web Server (OTG-INFO-002)]]
+[[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003) |4.2.3 Review Webserver Metafiles for Information Leakage (OTG-INFO-003)]]
+[[Enumerate Applications on Webserver (OTG-INFO-004) |4.2.4 Enumerate Applications on Webserver (OTG-INFO-004)]]
+[[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) |4.2.5 Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005)]]
+[[Identify_application_entry_points_(OTG-INFO-006) |4.2.6 Identify application entry points (OTG-INFO-006)]]
+[[Map_execution_paths_through_application_(OTG-INFO-007) |4.2.7 Map execution paths through application (OTG-INFO-007)]]
+[[Fingerprint_Web_Application_Framework_(OTG-INFO-008) |4.2.8 Fingerprint Web Application Framework (OTG-INFO-008)]]
+[[Fingerprint_Web_Application_(OTG-INFO-009) |4.2.9 Fingerprint Web Application (OTG-INFO-009)]]
+[[Map_Application_Architecture_(OTG-INFO-010) |4.2.10 Map Application Architecture (OTG-INFO-010)]]
+[[Testing for configuration management|'''4.3 Configuration and Deployment Management Testing ''']]
+[[Test Network/Infrastructure Configuration (OTG-CONFIG-001)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001)]]
+[[Test Application Platform Configuration (OTG-CONFIG-002)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002)]]
+[[Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)]]
+[[Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)]]
+[[Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)]]
+[[Test HTTP Methods (OTG-CONFIG-006)|4.3.6 Test HTTP Methods (OTG-CONFIG-006)]]
+[[Test HTTP Strict Transport Security (OTG-CONFIG-007)|4.3.7 Test HTTP Strict Transport Security (OTG-CONFIG-007)]]
+[[Test RIA cross domain policy (OTG-CONFIG-008)|4.3.8 Test RIA cross domain policy (OTG-CONFIG-008)]]
+[[Test File Permission (OTG-CONFIG-009)|4.3.9 Test File Permission (OTG-CONFIG-009)]]
+[[Testing Identity Management|'''4.4 Identity Management Testing''']]
+[[Test Role Definitions (OTG-IDENT-001)|4.4.1 Test Role Definitions (OTG-IDENT-001)]]
+[[Test User Registration Process (OTG-IDENT-002)|4.4.2 Test User Registration Process (OTG-IDENT-002)]]
+[[Test Account Provisioning Process (OTG-IDENT-003)|4.4.3 Test Account Provisioning Process (OTG-IDENT-003)]]
+[[Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)|4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)]]
+[[Testing for Weak or unenforced username policy (OTG-IDENT-005)| 4.4.5 Testing for Weak or unenforced username policy (OTG-IDENT-005)]]
+[[Testing for authentication|'''4.5 Authentication Testing ''']]
+[[Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)|4.5.1 Testing for Credentials Transported over an Encrypted Channel  (OTG-AUTHN-001)]]
+[[Testing for default credentials (OTG-AUTHN-002)|4.5.2 Testing for default credentials (OTG-AUTHN-002)]]
+[[Testing for Weak lock out mechanism (OTG-AUTHN-003)|4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)]]
+[[Testing for Bypassing Authentication Schema (OTG-AUTHN-004)|4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)]]
+[[Testing for Vulnerable Remember Password (OTG-AUTHN-005)|4.5.5 Test remember password functionality (OTG-AUTHN-005)]]
+[[Testing for Browser cache weakness (OTG-AUTHN-006)|4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)]]
+[[Testing for Weak password policy (OTG-AUTHN-007)|4.5.7 Testing for Weak password policy (OTG-AUTHN-007)]]
+[[Testing for Weak security question/answer (OTG-AUTHN-008)|4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)]]
+[[Testing for weak password change or reset functionalities (OTG-AUTHN-009)|4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)]]
+[[Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)|4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]]
+[[Testing for Authorization|'''4.6 Authorization Testing''']]
+[[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001) |4.6.1 Testing Directory traversal/file include (OTG-AUTHZ-001)]]
-'''3.2. Phase 1: Before Development Begins '''
+[[Testing for Bypassing Authorization Schema  (OTG-AUTHZ-002)|4.6.2 Testing for bypassing authorization schema (OTG-AUTHZ-002)]]
-'''3.3. Phase 2: During Definition and Design'''
+[[Testing for Privilege escalation  (OTG-AUTHZ-003)|4.6.3 Testing for Privilege Escalation (OTG-AUTHZ-003)]]
-'''3.4. Phase 3: During Development'''
+[[Testing for Insecure Direct Object References (OTG-AUTHZ-004)|4.6.4 Testing for Insecure Direct Object References (OTG-AUTHZ-004)]]
-'''3.5. Phase 4: During Deployment'''
-'''3.6. Phase 5: Maintenance and Operations'''
+[[Testing for Session Management|'''4.7 Session Management Testing''']]
-'''3.7. A Typical SDLC Testing Workflow '''
+[[Testing for Session_Management_Schema (OTG-SESS-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]]
-==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==
+[[Testing for cookies attributes  (OTG-SESS-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]]
-[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] [To review--> Mat]
+[[Testing for Session Fixation  (OTG-SESS-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]]
-[[Testing Checklist| 4.1.1 Testing Checklist]] [To review at the end of brainstorming --> Mat]
+[[Testing for Exposed Session Variables  (OTG-SESS-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]]
-[[Testing: Information Gathering|'''4.2 Information Gathering ''']] [To review--> contributor here]
+[[Testing for CSRF  (OTG-SESS-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]]
-[[Testing for configuration management|'''4.3 Configuration Management Testing ''']] [To review--> contributor here]
+[[Testing for logout functionality (OTG-SESS-006)|4.7.6 Testing for logout functionality (OTG-SESS-006)]]
-[[Testing for authentication|'''4.4 Authentication Testing ''']] [To review--> contributor here]
+[[Test Session Timeout (OTG-SESS-007)|4.7.7 Test Session Timeout (OTG-SESS-007)]]
-[[Testing for Session Management|'''4.5 Session Management Testing''']] [To review--> contributor here]
+[[Testing for Session puzzling (OTG-SESS-008)|4.7.8 Testing for Session puzzling (OTG-SESS-008)]]
-[[Testing for Authorization|'''4.6 Authorization Testing''']] [To review--> contributor here]
-[[Testing for business logic   (OWASP-BL-001)|'''4.7 Business Logic Testing  (OWASP-BL-001)''']] [To review--> contributor here]
+[[Testing for Input Validation|'''4.8 Input Validation Testing''']]
-[[Testing for Data Validation|'''4.8 Data Validation Testing''']] [To review--> contributor here]
+[[Testing for Reflected Cross site scripting (OTG-INPVAL-001) |4.8.1 Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)]]
-[[Testing for Denial of Service|'''4.9 Testing for Denial of Service''']] [To review--> contributor here]
+[[Testing for Stored Cross site scripting (OTG-INPVAL-002) |4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002)]]
-[[Testing for Web Services|'''4.10 Web Services Testing''']] [To review--> contributor here]
+[[Testing for HTTP Verb Tampering (OTG-INPVAL-003)|4.8.3 Testing for HTTP Verb Tampering (OTG-INPVAL-003)]]
-[[Testing_for_AJAX:_introduction|'''4.11 AJAX Testing''']] [To review--> contributor here]
+[[Testing for HTTP Parameter pollution (OTG-INPVAL-004)|4.8.4 Testing for HTTP Parameter pollution (OTG-INPVAL-004)]]
-==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==
+[[Testing for SQL Injection (OTG-INPVAL-005)| 4.8.5 Testing for SQL Injection (OTG-INPVAL-005)]]
-[[How to value the real risk |5.1 How to value the real risk]] [To review--> contributor here]
+[[Testing for Oracle|4.8.5.1 Oracle Testing]]
-[[How to write the report of the testing |5.2 How to write the report of the testing]] [To review--> contributor here]
+[[Testing for MySQL|4.8.5.2 MySQL Testing]]
-==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==
+[[Testing for SQL Server|4.8.5.3 SQL Server Testing]]
-* Black Box Testing Tools [To review--> contributor here]
+[[OWASP_Backend_Security_Project_Testing_PostgreSQL|4.8.5.4 Testing PostgreSQL (from OWASP BSP)]]
-* Source Code Analyzers [To review--> contributor here]
-* Other Tools [To review--> contributor here]
+[[Testing for MS Access |4.8.5.5 MS Access Testing]]
+[[Testing for NoSQL injection|4.8.5.6 Testing for NoSQL injection]]
+[[Testing for LDAP Injection  (OTG-INPVAL-006)|4.8.6 Testing for LDAP Injection  (OTG-INPVAL-006)]]
+[[Testing for ORM Injection   (OTG-INPVAL-007)|4.8.7 Testing for ORM Injection   (OTG-INPVAL-007)]]
+[[Testing for XML Injection (OTG-INPVAL-008)|4.8.8 Testing for XML Injection (OTG-INPVAL-008)]]
+[[Testing for SSI Injection  (OTG-INPVAL-009)|4.8.9 Testing for SSI Injection  (OTG-INPVAL-009)]]
+[[Testing for XPath Injection  (OTG-INPVAL-010)|4.8.10 Testing for XPath Injection  (OTG-INPVAL-010)]]
+[[Testing for IMAP/SMTP Injection  (OTG-INPVAL-011)|4.8.11 IMAP/SMTP Injection  (OTG-INPVAL-011)]]
+[[Testing for Code Injection  (OTG-INPVAL-012)|4.8.12 Testing for Code Injection  (OTG-INPVAL-012)]]
+[[Testing for Local File Inclusion|4.8.12.1 Testing for Local File Inclusion]]
+[[Testing for Remote File Inclusion|4.8.12.2 Testing for Remote File Inclusion]]
+[[Testing for Command Injection   (OTG-INPVAL-013)|4.8.13 Testing for Command Injection   (OTG-INPVAL-013)]]
+[[Testing for Buffer Overflow (OTG-INPVAL-014)|4.8.14 Testing for Buffer overflow (OTG-INPVAL-014)]]
+[[Testing for Heap Overflow|4.8.14.1 Testing for Heap overflow]]
+[[Testing for Stack Overflow|4.8.14.2 Testing for Stack overflow]]
+[[Testing for Format String|4.8.14.3 Testing for Format string]]
+[[Testing for Incubated Vulnerability (OTG-INPVAL-015)|4.8.15 Testing for incubated vulnerabilities (OTG-INPVAL-015)]]
+[[Testing for HTTP Splitting/Smuggling  (OTG-INPVAL-016)|4.8.16 Testing for HTTP Splitting/Smuggling  (OTG-INPVAL-016)]]
+[[Testing for HTTP Incoming requests  (OTG-INPVAL-017)|4.8.17 Testing for HTTP Incoming Requests  (OTG-INPVAL-017)]]
+[[Testing for Error Handling|'''4.9 Testing for Error Handling''']]
+[[Testing for Error Code (OTG-ERR-001)|4.9.1 Analysis of Error Codes (OTG-ERR-001)]]
+[[Testing for Stack Traces (OTG-ERR-002)|4.9.2 Analysis of Stack Traces (OTG-ERR-002)]]
+[[Testing for weak Cryptography|'''4.10 Testing for weak Cryptography''']]
+[[Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)| 4.10.1 Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)]]
+[[Testing for Padding Oracle (OTG-CRYPST-002)| 4.10.2 Testing for Padding Oracle (OTG-CRYPST-002)]]
+[[Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)|4.10.3 Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)]]
+[[Testing for Weak Encryption (OTG-CRYPST-004)|4.10.4 Testing for Weak Encryption (OTG-CRYPST-004)]]
+[[Testing for business logic|'''4.11 Business Logic Testing''']]
+[[Test business logic data validation (OTG-BUSLOGIC-001)|4.11.1 Test Business Logic Data Validation (OTG-BUSLOGIC-001)]]
+[[Test Ability to forge requests (OTG-BUSLOGIC-002)|4.11.2 Test Ability to Forge Requests (OTG-BUSLOGIC-002)]]
+[[Test integrity checks (OTG-BUSLOGIC-003)|4.11.3 Test Integrity Checks (OTG-BUSLOGIC-003)]]
+[[Test for Process Timing (OTG-BUSLOGIC-004)|4.11.4 Test for Process Timing (OTG-BUSLOGIC-004)]]
+[[Test number of times a function can be used limits (OTG-BUSLOGIC-005)|4.11.5 Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005)]]
+[[Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)|4.11.6 Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)]]
+[[Test defenses against application mis-use (OTG-BUSLOGIC-007)|4.11.7 Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)]]
+[[Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)|4.11.8 Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)]]
+[[Test Upload of Malicious Files (OTG-BUSLOGIC-009)|4.11.9 Test Upload of Malicious Files (OTG-BUSLOGIC-009)]]
+[[Client Side Testing|'''4.12 Client Side Testing''']]<br>
+[[Testing for DOM-based Cross site scripting  (OTG-CLIENT-001)|4.12.1 Testing for DOM based Cross Site Scripting  (OTG-CLIENT-001)]]
+[[Testing for JavaScript Execution (OTG-CLIENT-002)|4.12.2 Testing for JavaScript Execution (OTG-CLIENT-002)]]
+[[Testing for HTML Injection (OTG-CLIENT-003)|4.12.3 Testing for HTML Injection (OTG-CLIENT-003)]]
+[[Testing for Client Side URL Redirect (OTG-CLIENT-004)|4.12.4 Testing for Client Side URL Redirect (OTG-CLIENT-004)]]
+[[Testing_for_CSS_Injection (OTG-CLIENT-005)|4.12.5 Testing for CSS Injection (OTG-CLIENT-005)]]
+[[Testing_for_Client_Side_Resource_Manipulation (OTG-CLIENT-006)|4.12.6 Testing for Client Side Resource Manipulation (OTG-CLIENT-006)]]
+[[Test Cross Origin Resource Sharing (OTG-CLIENT-007)|4.12.7 Test Cross Origin Resource Sharing (OTG-CLIENT-007)]]
+[[Testing for Cross site flashing (OTG-CLIENT-008)|4.12.8 Testing for Cross Site Flashing (OTG-CLIENT-008)]]
+[[Testing for Clickjacking (OTG-CLIENT-009)|4.12.9 Testing for Clickjacking (OTG-CLIENT-009)]]
+[[Testing WebSockets (OTG-CLIENT-010)|4.12.10 Testing WebSockets (OTG-CLIENT-010)]]
+[[Test Web Messaging (OTG-CLIENT-011)|4.12.11 Test Web Messaging (OTG-CLIENT-011)]]
+[[Test Local Storage (OTG-CLIENT-012)|4.12.12 Test Local Storage (OTG-CLIENT-012)]]
+==[[Reporting |5. Reporting]]==
+==[[Appendix A: Testing Tools |Appendix A: Testing Tools Resource]]==
+Security Testing Tools
+* http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
+* http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
+* http://sectools.org/
+* https://www.kali.org/
+* http://www.blackarch.org/tools.html
+Security Testing Tools in Virtual Image
+* https://tools.pentestbox.com/
+* https://sourceforge.net/p/samurai/wiki/Home/
+* https://sourceforge.net/projects/santoku/
+* https://sourceforge.net/projects/parrotsecurity/?source=navbar
+* https://sourceforge.net/projects/matriux/?source=navbar
+* http://www.blackarch.org/downloads.html
+* https://www.kali.org/
+* http://cyborg.ztrela.com/tools/
+* http://www.caine-live.net/index.html
+* http://www.pentoo.ch/download/
+* http://bugtraq-team.com/
 ==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
-* Whitepapers [To review--> contributor here]
-* Books [To review--> contributor here]
-* Useful Websites [To review--> contributor here]
-==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==
+* Whitepapers
+* Books
+* Useful Websites
-* Fuzz Categories [To review--> contributor here]
+==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==
-==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==
+* Fuzz Categories
+==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==
+* Input Encoding
+* Output Encoding
-[To review--> contributor here]
 ----
 [[Category:OWASP Testing Project]]
+[[Category:Popular]]