OWASP Testing Guide v3 Startup

Planning the new OWASP Testing Guide v3
3rd October 2007: Startup v3

The OWASP Testing Guide v2 was a great success, with thousands of downloads and many companies that have adopted it as their standard for Web Application Penetration Testing. Now we would like to begin a new project that builds on v2 but improves and completes it. In the OWASP Testing Guide v2 we split the set of tests into 8 sub-categories:
 * Information Gathering
 * Business logic testing
 * Authentication Testing
 * Session Management Testing
 * Data Validation Testing
 * Denial of Service Testing
 * Web Services Testing
 * AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing is missing. As Jeff and Dave have said many times before, it is important to create a new category for it.
2) Information gathering is not a set of vulnerabilities, so its results do not belong in the report --> new category: Passive mode
3) Business logic testing --> not in the report --> Passive mode
4) Infrastructural testing --> new category
5) The Web Services section needs improvement
6) The AJAX Testing section needs improvement
7) New category: Client side Testing, covering AJAX and Flash Testing

In this document we analyze the vulnerabilities covered by the OWASP Testing Guide (OTG) v2 and propose a plan for improving them in v3.