OWASP Testing Guide v3 Startup

Planning the new OWASP Testing Guide v3
3rd October 2007: Startup v3

The OWASP Testing Guide v2 was a great success, with thousands of downloads and many companies that have adopted it as a standard for Web Application Penetration Testing. Now we would like to begin a new project that is based on v2 but improves and completes it. In the OWASP Testing Guide v2 we split the set of tests into 8 sub-categories:
 * Information Gathering
 * Business logic testing
 * Authentication Testing
 * Session Management Testing
 * Data Validation Testing
 * Denial of Service Testing
 * Web Services Testing
 * AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing is missing. As Jeff and Dave have said many times before, it is important to create a new category.
2) Information gathering is not a set of vulnerabilities. I think we can add a new category: Infrastructural testing.
3) The Web Services section needs improvement.
4) The AJAX Testing section needs improvement.
5) New category: Client side Testing, Di Paola & PdP (new category). Particular focus on flash testing.

Information Gathering
v2:
 * Application Fingerprint
 * Application Discovery
 * Spidering and googling
 * Collection of error code
 * SSL/TLS Testing
 * DB Listener Testing
 * File extensions handling
 * Old, backup and unreferenced files