Difference between revisions of "OWASP Testing Guide v3 Table of Contents"

Fuzz Categories
- Recursive fuzzing
- Replasive fuzzing
Cross Site Scripting (XSS)
Buffer Overflows and Format String Errors
- Buffer Overflows (BFO)
- Format String Errors (FSE)
- Integer Overflows (INT)
SQL Injection
- Passive SQL Injection (SQP)
- Active SQL Injection (SQI)
LDAP Injection
XPATH Injection

Appendix D: Encoded Injection

Difference between revisions of "OWASP Testing Guide v3 Table of Contents"

Latest revision as of 22:59, 17 September 2013

Foreword by Eoin Keary - Global Board

1. Frontispiece

2. Introduction

3. The OWASP Testing Framework

4. Web Application Penetration Testing

5. Writing Reports: value the real risk

Appendix A: Testing Tools

Appendix B: Suggested Reading

Appendix C: Fuzz Vectors

Appendix D: Encoded Injection

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools

@@ Line 1: / Line 1: @@
+{{OWASP Breakers}}
 __NOTOC__
-'''20th May 2008'''
+This is the table of content of the New Testing Guide v3.<br>
-This is the draft of table of content of the New Testing Guide.
+You can download the stable version [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] <br>
-You can download the stable version [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_pdf.zip here] or read it on line [http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents here]
+Back to the OWASP Testing Guide Project:
+http://www.owasp.org/index.php/OWASP_Testing_Project
- Testing Guide v3 (draft 20th May 2008)
+Updated: 2nd November 2008
-The core index is the OTG v2. (new): new articles, (toimp): needs to improve
+'''T A B L E    o f    C O N T E N T S'''
+----
-==[[Testing Guide Foreword|(toimp)Foreword by OWASP Chair]]==
+==[[Testing Guide Foreword|Foreword by Eoin Keary - Global Board]]==
-==[[Testing Guide Frontispiece |(toimp)1. Frontispiece]]==
+==[[Testing Guide Frontispiece |1. Frontispiece]]==
-'''[[Testing Guide Frontispiece|(toimp)1.1 About the OWASP Testing Guide Project]]'''
+'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
 '''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
@@ Line 27: / Line 30: @@
 '''2.3 Testing Techniques Explained'''
-''' (new) 2.4 security requirements tests derivazione functional and non functional
+.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]
-test requirements and test cases through use e misuse cases.'''
-''' (new) 2.4.1 security tests integrated in developers and testers workflows:'''
+.4.1 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Tests_Integrated_in_Developers_and_Testers_Workflow Security tests integrated in developers and testers workflows]
-''' (new) 2.4.2 Developers security tests; Unit Tests, component levels tests'''
+.4.2 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Developers.27_Security_Tests Developers' security tests: unit tests and component level tests]
-''' (new) 2.4.3 Functional testers security tests: integrated system tests, tests in UAT
+.4.3 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_Testers.27_Security_Tests Functional testers' security tests: integrated system tests, tests in UAT, and production environment]
-and production environment'''
-''' (new) 2.5 Security test data analysis and reporting: root cause identification and
-business/role case test data reporting'''
+.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]
 ==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==
@@ Line 57: / Line 56: @@
 '''3.7. A Typical SDLC Testing Workflow '''
-==[[Web Application Penetration Testing |4. (toimp) Web Application Penetration Testing ]]==
+==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==
 [[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']]
-[[Testing: Information Gathering|'''(toimp) 4.2 Information Gathering''']]
+[[Testing Checklist| 4.1.1 Testing Checklist]]
+[[Testing: Information Gathering|'''4.2 Information Gathering''']]
+[[Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)|4.2.1 Spiders, Robots and Crawlers (OWASP-IG-001)]]
-[[Testing for Web Application Fingerprint|4.2.1 (toimp) Testing Web Application Fingerprint]]
+[[Testing: Search engine discovery/reconnaissance (OWASP-IG-002)|4.2.2 Search Engine Discovery/Reconnaissance (OWASP-IG-002)]]
-[[Testing for Application Discovery|4.2.2 Application Discovery]]
+[[Testing: Identify application entry points (OWASP-IG-003)|4.2.3 Identify application entry points (OWASP-IG-003)]]
-[[Testing: Spiders Robots and Crawlers|(new:Christian Heinrich)4.2.3 Spiders, Robots and Crawlers]]
+[[Testing for Web Application Fingerprint (OWASP-IG-004)|4.2.4 Testing for Web Application Fingerprint (OWASP-IG-004)]]
-[[Testing: Search engine discovery|(new:Christian Heinrich)4.2.4 Search Engine Discovery/Reconnaissance"]]
+[[Testing for Application Discovery (OWASP-IG-005)|4.2.5 Application Discovery (OWASP-IG-005)]]
-[[Testing for Error Code|(toimp)4.2.5 Analysis of Error Codes]]
+[[Testing for Error Code (OWASP-IG-006)|4.2.6 Analysis of Error Codes (OWASP-IG-006)]]
-[[Testing for infrastructure configuration management|4.2.6 Infrastructure
+[[Testing for configuration management|'''4.3 Configuration Management Testing''']]
-Configuration Management Testing]]
-[[Testing for SSL-TLS|4.2.6.1 SSL/TLS Testing]]
+[[Testing for SSL-TLS  (OWASP-CM-001)| 4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) (OWASP-CM-001)]]<br>
-[[Testing for DB Listener|4.2.6.2 DB Listener Testing]]
+[[Testing for DB Listener  (OWASP-CM-002)|4.3.2 DB Listener Testing (OWASP-CM-002)]]
-[[Testing for application configuration management|4.2.7 Application Configuration Management Testing]]
+[[Testing for infrastructure configuration management (OWASP-CM-003)|4.3.3 Infrastructure Configuration Management Testing (OWASP-CM-003)]]
-[[Testing for file extensions handling|4.2.7.1 Testing for File Extensions Handling]]
+[[Testing for application configuration management (OWASP-CM-004)|4.3.4 Application Configuration Management Testing (OWASP-CM-004)]]
-[[Testing for old_file|4.2.7.2 Old, backup and unreferenced files]]
+[[Testing for file extensions handling  (OWASP-CM-005)|4.3.5 Testing for File Extensions Handling  (OWASP-CM-005)]]
-[[Testing for business logic|'''(toimp)4.3 Business Logic Testing''']]
+[[Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)|4.3.6 Old, Backup and Unreferenced Files (OWASP-CM-006) ]]
-[[Testing for authentication|'''(toimp)4.4 Authentication Testing''']]
+[[Testing for Admin Interfaces  (OWASP-CM-007)|4.3.7 Infrastructure and Application Admin Interfaces  (OWASP-CM-007)]]
-[[Testing for credentials transport|(new)4.4.1 Credentials transport over an encrypted channel]]
+[[Testing for HTTP Methods and XST  (OWASP-CM-008)|4.3.8 Testing for HTTP Methods and Cross Site Tracing (XST)  (OWASP-CM-008)]]
-[[Testing for Default or Guessable User Account|4.4.2 Testing for Guessable (Dictionary) User Account]]
+[[Testing for authentication|'''4.4 Authentication Testing''']]
-[[Testing for Brute Force|4.4.3 Brute Force Testing]]
+[[Testing for credentials transport (OWASP-AT-001)|4.4.1 Credentials transport over an encrypted channel  (OWASP-AT-001)]]
-[[Testing for Bypassing Authentication Schema|4.4.4 Testing for bypassing authentication schema]]
+[[Testing for user enumeration  (OWASP-AT-002)|4.4.2 Testing for user enumeration  (OWASP-AT-002)]]
-[[Testing for Directory Traversal|4.4.5 Testing for directory traversal/file include]]
+[[Testing for Default or Guessable User Account (OWASP-AT-003)|4.4.3 Testing for Guessable (Dictionary) User Account (OWASP-AT-003)]]
-[[Testing for Vulnerable Remember Password and Pwd Reset|4.4.6 Testing for vulnerable remember
+[[Testing for Brute Force (OWASP-AT-004)|4.4.4 Brute Force Testing (OWASP-AT-004)]]
-password and pwd reset]]
-[[Testing for Logout and Browser Cache Management|4.4.7 Testing for Logout and Browser Cache Management Testing]]
+[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.4.5 Testing for bypassing authentication schema (OWASP-AT-005)]]
-[[Testing for Authorization|'''(new) 4.x Authorization testing''']]
+[[Testing for Vulnerable Remember Password and Pwd Reset  (OWASP-AT-006)|4.4.6 Testing for vulnerable remember
+password and pwd reset  (OWASP-AT-006)]]
-[[Testing for Path Traversal|(new) 4.x.x Testing for Path Traversal]]
+[[Testing for Logout and Browser Cache Management (OWASP-AT-007)|4.4.7 Testing for Logout and Browser Cache Management (OWASP-AT-007)]]
-[[Testing for Bypassing Authorization Schema|(new)4.x.x Testing for bypassing authorization schema]]
+[[Testing for Captcha  (OWASP-AT-008)|4.4.8 Testing for CAPTCHA (OWASP-AT-008)]]
-[[Testing fot Privilege escalation|(new)4.x.x Testing for Privilege Escalation]]
+[[Testing Multiple Factors Authentication (OWASP-AT-009)|4.4.9 Testing Multiple Factors Authentication (OWASP-AT-009)]]
+[[Testing for Race Conditions  (OWASP-AT-010)|4.4.10 Testing for Race Conditions  (OWASP-AT-010)]]
 [[Testing for Session Management|'''4.5 Session Management Testing''']]
-[[Testing for Session_Management_Schema|4.5.1 Testing for Session Management Schema]]
+[[Testing for Session_Management_Schema (OWASP-SM-001)|4.5.1 Testing for Session Management Schema (OWASP-SM-001)]]
-[[Testing for Cookie and Session Token Manipulation|(new)4.5.2 Test the token strength (old 4.5.2 Testing for Cookie and Session Token Manipulation)]]
+[[Testing for cookies attributes  (OWASP-SM-002)|4.5.2 Testing for Cookies attributes  (OWASP-SM-002)]]
-[[Testing for Exposed Session Variables|4.5.3 Testing for Exposed Session Variables ]]
+[[Testing for Session Fixation  (OWASP-SM-003)|4.5.3 Testing for Session Fixation  (OWASP-SM-003)]]
-[[Testing for CSRF|4.5.4 Testing for CSRF]]
+[[Testing for Exposed Session Variables  (OWASP-SM-004)|4.5.4 Testing for Exposed Session Variables   (OWASP-SM-004)]]
-[[Testing for HTTP Exploit|4.5.5 Testing for HTTP Exploit ]]
+[[Testing for CSRF  (OWASP-SM-005)|4.5.5 Testing for Cross Site Request Forgery (CSRF)  (OWASP-SM-005)]]
-[[Testing for Data Validation|'''4.6 Data Validation Testing''']]
+[[Testing for Authorization|'''4.6 Authorization Testing''']]
-[[Testing for Reflected Cross site scripting|(new)4.6.1 Testing for Cross Site Scripting]]
+[[Testing for Path Traversal  (OWASP-AZ-001)|4.6.1 Testing for path traversal  (OWASP-AZ-001)]]
-[[Testing for Stored Cross site scripting|(new)4.6.2 Testing for Stored Cross Site Scripting]]
+[[Testing for Bypassing Authorization Schema  (OWASP-AZ-002)|4.6.2 Testing for bypassing authorization schema  (OWASP-AZ-002)]]
-[[Testing for DOM-based Cross site scripting|4.6.3 Testing for DOM based Cross Site Scripting]]
+[[Testing for Privilege escalation  (OWASP-AZ-003)|4.6.3 Testing for Privilege Escalation  (OWASP-AZ-003)]]
-[[Testing for Cross site flashing|(new)4.6.4 Testing for Cross Site Flashing]]
+[[Testing for business logic   (OWASP-BL-001)|'''4.7 Business Logic Testing  (OWASP-BL-001)''']]
-[[Testing for HTTP Methods and XST|4.6.1.1 Testing for HTTP Methods and XST ]]
+[[Testing for Data Validation|'''4.8 Data Validation Testing''']]
-[[Testing for SQL Injection|4.6.2 Testing for SQL Injection ]]
+[[Testing for Reflected Cross site scripting (OWASP-DV-001) |4.8.1 Testing for Reflected Cross Site Scripting (OWASP-DV-001) ]]
-[[Testing for Oracle|4.6.2.1 Oracle Testing ]]
+[[Testing for Stored Cross site scripting (OWASP-DV-002) |4.8.2 Testing for Stored Cross Site Scripting (OWASP-DV-002) ]]
-[[Testing for MySQL|4.6.2.2 MySQL Testing ]]
+[[Testing for DOM-based Cross site scripting  (OWASP-DV-003)|4.8.3 Testing for DOM based Cross Site Scripting  (OWASP-DV-003)]]
-[[Testing for SQL Server|4.6.2.3 SQL Server Testing]]
+[[Testing for Cross site flashing   (OWASP-DV-004)|4.8.4 Testing for Cross Site Flashing   (OWASP-DV-004)]]
-[[Testing for LDAP Injection|4.6.3 Testing for LDAP Injection]]
+[[Testing for SQL Injection (OWASP-DV-005)| 4.8.5 Testing for SQL Injection (OWASP-DV-005)]]
-[[Testing for ORM Injection|4.6.4 Testing for ORM Injection]]
+[[Testing for Oracle|4.8.5.1 Oracle Testing]]
-[[Testing for XML Injection|4.6.5 Testing for XML Injection]]
+[[Testing for MySQL|4.8.5.2 MySQL Testing]]
-[[Testing for SSI Injection|4.6.6 Testing for SSI Injection]]
+[[Testing for SQL Server|4.8.5.3 SQL Server Testing]]
-[[Testing for XPath Injection|4.6.7 Testing for XPath Injection]]
+[[Testing for MS Access |4.8.5.4 MS Access Testing]]
-[[Testing for IMAP/SMTP Injection|4.6.8 IMAP/SMTP Injection]]
+[[OWASP_Backend_Security_Project_Testing_PostgreSQL|4.8.5.5 Testing PostgreSQL (from OWASP BSP) ]]
-[[Testing for Code Injection|4.6.9 Testing for Code Injection]]
+[[Testing for LDAP Injection  (OWASP-DV-006)|4.8.6 Testing for LDAP Injection  (OWASP-DV-006)]]
-[[Testing for Command Injection|4.6.10 Testing for Command Injection]]
+[[Testing for ORM Injection   (OWASP-DV-007)|4.8.7 Testing for ORM Injection   (OWASP-DV-007)]]
-[[Testing for Buffer Overflow|4.6.11 Testing for Buffer overflow]]
+[[Testing for XML Injection (OWASP-DV-008)|4.8.8 Testing for XML Injection (OWASP-DV-008)]]
-[[Testing for Heap Overflow|4.6.11.1 Testing for Heap overflow]]
+[[Testing for SSI Injection  (OWASP-DV-009)|4.8.9 Testing for SSI Injection  (OWASP-DV-009)]]
-[[Testing for Stack Overflow|4.6.11.2 Testing for Stack overflow]]
+[[Testing for XPath Injection  (OWASP-DV-010)|4.8.10 Testing for XPath Injection  (OWASP-DV-010)]]
-[[Testing for Format String|4.6.11.3 Testing for Format string]]
+[[Testing for IMAP/SMTP Injection  (OWASP-DV-011)|4.8.11 IMAP/SMTP Injection  (OWASP-DV-011)]]
-[[Testing for Incubated Vulnerability|4.6.12 Testing for incubated vulnerabilities]]
+[[Testing for Code Injection  (OWASP-DV-012)|4.8.12 Testing for Code Injection  (OWASP-DV-012)]]
-[[Testing for Denial of Service|'''4.7 Testing for Denial of Service''']]
+[[Testing for Command Injection   (OWASP-DV-013)|4.8.13 Testing for Command Injection   (OWASP-DV-013)]]
-[[Testing for DoS Locking Customer Accounts|4.7.1 Testing for DoS Locking Customer Accounts]]
+[[Testing for Buffer Overflow (OWASP-DV-014)|4.8.14 Testing for Buffer overflow (OWASP-DV-014)]]
-[[Testing for DoS Buffer Overflows|4.7.2 Testing for DoS Buffer Overflows]]
+[[Testing for Heap Overflow|4.8.14.1 Testing for Heap overflow]]
-[[Testing for DoS User Specified Object Allocation|4.7.3 Testing for DoS User Specified Object Allocation]]
+[[Testing for Stack Overflow|4.8.14.2 Testing for Stack overflow]]
-[[Testing for User Input as a Loop Counter|4.7.4 Testing for User Input as a Loop Counter]]
+[[Testing for Format String|4.8.14.3 Testing for Format string]]
-[[Testing for Writing User Provided Data to Disk|4.7.5 Testing for Writing User Provided Data to Disk]]
+[[Testing for Incubated Vulnerability (OWASP-DV-015)|4.8.15 Testing for incubated vulnerabilities (OWASP-DV-015)]]
-[[Testing for DoS Failure to Release Resources|4.7.6 Testing for DoS Failure to Release Resources]]
+[[Testing for HTTP Splitting/Smuggling  (OWASP-DV-016)|4.8.16 Testing for HTTP Splitting/Smuggling  (OWASP-DV-016) ]]
-[[Testing for Storing too Much Data in Session|4.7.7 Testing for Storing too Much Data in Session]]
+[[Testing for Denial of Service|'''4.9 Testing for Denial of Service''']]
-[[Testing for Web Services|'''4.8 Web Services Testing''']]
+[[Testing for SQL Wildcard Attacks  (OWASP-DS-001)|4.9.1 Testing for SQL Wildcard Attacks  (OWASP-DS-001)]]
-[[Testing for XML Structural|4.8.1 XML Structural Testing]]
+[[Testing for DoS Locking Customer Accounts  (OWASP-DS-002)|4.9.2 Testing for DoS Locking Customer Accounts (OWASP-DS-002)]]
-[[Testing for XML Content-Level|4.8.2 XML Content-level Testing]]
+[[Testing for DoS Buffer Overflows (OWASP-DS-003)|4.9.3 Testing for DoS Buffer Overflows (OWASP-DS-003)]]
-[[Testing for WS HTTP GET parameters/REST attacks|4.8.3 HTTP GET parameters/REST Testing ]]
+[[Testing for DoS User Specified Object Allocation (OWASP-DS-004)|4.9.4 Testing for DoS User Specified Object Allocation (OWASP-DS-004)]]
-[[Testing for Naughty SOAP Attachments|4.8.4 Testing for Naughty SOAP attachments]]
+[[Testing for User Input as a Loop Counter  (OWASP-DS-005)|4.9.5 Testing for User Input as a Loop Counter  (OWASP-DS-005)]]
-[[Testing for WS Replay|4.8.5 WS Replay Testing]]
+[[Testing for Writing User Provided Data to Disk   (OWASP-DS-006)|4.9.6 Testing for Writing User Provided Data to Disk  (OWASP-DS-006)]]
-[[Client-Side Testing|(new)4.10 Client site testing]]
+[[Testing for DoS Failure to Release Resources (OWASP-DS-007)|4.9.7 Testing for DoS Failure to Release Resources (OWASP-DS-007)]]
-[[Testing for AJAX|(new) 4.10.1 AJAX Testing]]
+[[Testing for Storing too Much Data in Session (OWASP-DS-008)|4.9.8 Testing for Storing too Much Data in Session  (OWASP-DS-008)]]
-[[Flash Testing|(new)4.10.2 Flash Testing]]
+[[Testing for Web Services|'''4.10 Web Services Testing''']]
-[[RIA Testing|(new)4.10.3 RIA Testing]]
+[[Testing: WS Information Gathering  (OWASP-WS-001)|4.10.1 WS Information Gathering  (OWASP-WS-001)]]
+[[Testing WSDL   (OWASP-WS-002)|4.10.2 Testing WSDL   (OWASP-WS-002)]]
+[[Testing for XML Structural  (OWASP-WS-003)|4.10.3 XML Structural Testing  (OWASP-WS-003) ]]
-==[[Writing Reports: value the real risk |(toimp)5. Writing Reports: value the real risk ]]==
+[[Testing for XML Content-Level  (OWASP-WS-004)|4.10.4 XML Content-level Testing  (OWASP-WS-004)]]
+[[Testing for WS HTTP GET parameters/REST attacks  (OWASP-WS-005)|4.10.5 HTTP GET parameters/REST Testing  (OWASP-WS-005) ]]
+[[Testing for Naughty SOAP Attachments   (OWASP-WS-006)|4.10.6 Naughty SOAP attachments   (OWASP-WS-006) ]]
+[[Testing for WS Replay   (OWASP-WS-007)|4.10.7 Replay Testing   (OWASP-WS-007) ]]
+[[Testing_for_AJAX:_introduction|'''4.11 AJAX Testing''']]
+[[Testing for AJAX Vulnerabilities (OWASP-AJ-001)|4.11.1 AJAX Vulnerabilities (OWASP-AJ-001)]]
+[[Testing for AJAX   (OWASP-AJ-002)|4.11.2 How to test AJAX   (OWASP-AJ-002)]]
+==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==
 [[How to value the real risk |5.1 How to value the real risk]]
@@ Line 215: / Line 235: @@
 [[How to write the report of the testing |5.2 How to write the report of the testing]]
+==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==
- OTGv3 team Discussion
+* Black Box Testing Tools
+* Source Code Analyzers
-Also see [http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup].
+* Other Tools
-<br>The new OWASP testing Guidev3:
-<br>This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 checklist and a plan for create the new v3.
+==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
+* Whitepapers
+* Books
+* Useful Websites
-* 1) Methodical Testing (new category) <-- (Mat) needs explanation
+==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==
-* 2) Authorization testing missing. (new category)
-* 3) Information gathering is not a vulnerability
-* 4) Business logic testing
-* 5) Infrastructural test  (new category) *this has to only concentrate on 80 and 443 and other web related testing
-* 6) Web Services section needs improvement
-* 7) AJAX Testing section needs improvement
-* 8) Testing Methodology section updates (requirements, plans, levels and environments)
-* 9) New category: Client side Testing
-* 10) New category: Thick Client Testing
-* 11) New category: Flash/Silverlight Applications
-* 12) New category: Assessing Financial Applications
-* 13) New category: Fuzzing (we have the vectors, but this should explain the whole concept)
-Proposed new categories for the OTG v3:
+* Fuzz Categories
-* OTG Form Templates
+** Recursive fuzzing
-** OTG Request for Quote (RFQ) (new)
+** Replasive fuzzing
-** OTG 3rd Party Assessment Authorization Form (new)
+* Cross Site Scripting (XSS)
-** OTG Sample Report (new)
+* Buffer Overflows and Format String Errors
-* Passive Mode
+** Buffer Overflows (BFO)
-* Information Gathering
+** Format String Errors (FSE)
-* Business logic testing
+** Integer Overflows (INT)
-* Web Application Penetration Testing
+* SQL Injection
-** Infrastructural testing
+** Passive SQL Injection (SQP)
-** Authentication Testing
+** Active SQL Injection (SQI)
-** Authorization Testing (new)
+* LDAP Injection
-** Session Management Testing
+* XPATH Injection
-** Data Validation Testing
-** Denial of Service Testing
-** Web Services Testing
-** Client-Side Testing
-*** AJAX Testing
-*** Flash Testing (new)
-*** RIA stuff (new)
+==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==
+----
 [[Category:OWASP Testing Project]]