OWASP · manindar-mohan · Jul 3, 2022 · Jul 3, 2022 · Jul 13, 2022 · Aug 6, 2022
diff --git a/...ing/03-Testing_for_HTTP_Verb_Tampering.md → ...ing/01-Testing_for_HTTP_Verb_Tampering.md b/...ing/03-Testing_for_HTTP_Verb_Tampering.md → ...ing/01-Testing_for_HTTP_Verb_Tampering.md
@@ -2,6 +2,6 @@
 
 |ID          |
 |------------|
-|WSTG-INPV-03|
+|WSTG-INPV-01|
 
 This content has been merged into: [Test HTTP Methods](../02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.md)
diff --git a/...4-Testing_for_HTTP_Parameter_Pollution.md → ...2-Testing_for_HTTP_Parameter_Pollution.md b/...4-Testing_for_HTTP_Parameter_Pollution.md → ...2-Testing_for_HTTP_Parameter_Pollution.md
@@ -2,7 +2,7 @@
 
 |ID          |
 |------------|
-|WSTG-INPV-04|
+|WSTG-INPV-02|
 
 ## Summary
 
@@ -20,7 +20,7 @@ In 2009, immediately after the publication of the first research on HTTP Paramet
 
 One of these flaws, affecting *ModSecurity SQL Injection Core Rules*, represents a perfect example of the impedance mismatch between applications and filters. The ModSecurity filter would correctly apply a deny list for the following string: `select 1,2,3 from table`, thus blocking this example URL from being processed by the web server: `/index.aspx?page=select 1,2,3 from table`. However, by exploiting the concatenation of multiple HTTP parameters, an attacker could cause the application server to concatenate the string after the ModSecurity filter already accepted the input. As an example, the URL `/index.aspx?page=select 1&page=2,3` from table would not trigger the ModSecurity filter, yet the application layer would concatenate the input back into the full malicious string.
 
-Another HPP vulnerability turned out to affect *Apple Cups*, the well-known printing system used by many UNIX systems. Exploiting HPP, an attacker could easily trigger a Cross-Site Scripting vulnerability using the following URL: `http://127.0.0.1:631/admin/?kerberos=onmouseover=alert(1)&kerberos`. The application validation checkpoint could be bypassed by adding an extra `kerberos` argument having a valid string (e.g. empty string). As the validation checkpoint would only consider the second occurrence, the first `kerberos` parameter was not properly sanitized before being used to generate dynamic HTML content. Successful exploitation would result in JavaScript code execution under the context of the hosting web site.
+Another HPP vulnerability turned out to affect *Apple Cups*, the well-known printing system used by many UNIX systems. Exploiting HPP, an attacker could easily trigger a Cross-Site Scripting vulnerability using the following URL: `http://127.0.0.1:631/admin/?kerberos=onmouseover=alert(1)&kerberos`. The application validation checkpoint could be bypassed by adding an extra `kerberos` argument having a valid string (e.g. empty string). As the validation checkpoint would only consider the second occurrence, the first `kerberos` parameter was not properly sanitized before being used to generate dynamic HTML content. Successful exploitation would result in JavaScript code execution under the context of the hosting site.
 
 ### Authentication Bypass
 
@@ -54,7 +54,7 @@ Given the URL and querystring: `http://example.com/?color=red&color=blue`
   | JSP, Servlet / Jetty  | First occurrence only | color=red |
   | IBM Lotus Domino | Last occurrence only | color=blue |
   | IBM HTTP Server | First occurrence only | color=red |
-  | node.js / express | First occurrence only | color=red |
+  | Node.js / express | First occurrence only | color=red |
   | mod_perl, libapreq2 / Apache | First occurrence only | color=red |
   | Perl CGI / Apache | First occurrence only | color=red |
   | mod_wsgi (Python) / Apache | First occurrence only | color=red |

diff --git a/...n_Testing/05-Testing_for_SQL_Injection.md → ...n_Testing/03-Testing_for_SQL_Injection.md b/...n_Testing/05-Testing_for_SQL_Injection.md → ...n_Testing/03-Testing_for_SQL_Injection.md
@@ -2,7 +2,7 @@
 
 |ID          |
 |------------|
-|WSTG-INPV-05|
+|WSTG-INPV-03|
 
 ## Summary
 
@@ -805,14 +805,14 @@ For generic input validation security, refer to the [Input Validation CheatSheet
 
 Technology specific Testing Guide pages have been created for the following DBMSs:
 
-- [Oracle](05.1-Testing_for_Oracle.md)
-- [MySQL](05.2-Testing_for_MySQL.md)
-- [SQL Server](05.3-Testing_for_SQL_Server.md)
-- [PostgreSQL](05.4-Testing_PostgreSQL.md)
-- [MS Access](05.5-Testing_for_MS_Access.md)
-- [NoSQL](05.6-Testing_for_NoSQL_Injection.md)
-- [ORM](05.7-Testing_for_ORM_Injection.md)
-- [Client-side](05.8-Testing_for_Client-side.md)
+- [Oracle](03.1-Testing_for_Oracle.md)
+- [MySQL](03.2-Testing_for_MySQL.md)
+- [SQL Server](03.3-Testing_for_SQL_Server.md)
+- [PostgreSQL](03.4-Testing_PostgreSQL.md)
+- [MS Access](03.5-Testing_for_MS_Access.md)
+- [NoSQL](03.6-Testing_for_NoSQL_Injection.md)
+- [ORM](03.7-Testing_for_ORM_Injection.md)
+- [Client-side](03.8-Testing_for_Client-side.md)
 
 ### Whitepapers
 

diff --git a/...dation_Testing/05.1-Testing_for_Oracle.md → ...dation_Testing/03.1-Testing_for_Oracle.md b/...dation_Testing/05.1-Testing_for_Oracle.md → ...dation_Testing/03.1-Testing_for_Oracle.md
@@ -106,7 +106,7 @@ On older versions of the PL/SQL Gateway, it is possible to directly access the p
 
 `http://www.example.com/pls/dad/owa_util.signature`
 
-returns the following output on the webpage
+returns the following output on the web page
 
 `"This page was produced by the PL/SQL Web Toolkit on date"`
 
@@ -334,10 +334,6 @@ returns an error or a `404`, then there might be a SQL injection flaw. This can
 
 If this request returns books by Charles Dickens, you've confirmed the presence of the SQL injection vulnerability.
 
-## Tools
-
-- [Orascan (Oracle Web Application VA scanner), NGS SQuirreL (Oracle RDBMS VA Scanner)](https://www.nccgroup.trust/globalassets/service-pages/documents/security-consulting/information-security-software/ncc-squirrel-suite.pdf)
-
 ## References
 
 ### Whitepapers

diff --git a/...idation_Testing/05.2-Testing_for_MySQL.md → ...idation_Testing/03.2-Testing_for_MySQL.md b/...idation_Testing/05.2-Testing_for_MySQL.md → ...idation_Testing/03.2-Testing_for_MySQL.md
@@ -19,7 +19,7 @@ MySQL comes with at least four versions which are used in production worldwide,
 
 It should be noted that for MySQL versions before 4.0.x, only Boolean or time-based Blind Injection attacks could be used, since the subquery functionality or `UNION` statements were not implemented.
 
-From now on, we will assume that there is a classic SQL injection vulnerability, which can be triggered by a request similar to the one described in the Section on [Testing for SQL Injection](05-Testing_for_SQL_Injection.md).
+From now on, we will assume that there is a classic SQL injection vulnerability, which can be triggered by a request similar to the one described in the Section on [Testing for SQL Injection](03-Testing_for_SQL_Injection.md).
 
 `http://www.example.com/page.php?id=2`
 
@@ -60,7 +60,7 @@ For example the following injection will result in an error:
 
 #### Fingerprinting MySQL
 
-Of course, the first thing to know is if there's MySQL DBMS as a back end database. MySQL server has a feature that is used to let other DBMS ignore a clause in MySQL dialect. When a comment block `'/**/'` contains an exclamation mark `'/*! sql here*/'` it is interpreted by MySQL, and is considered as a normal comment block by other DBMS as explained in [MySQL manual](https://dev.mysql.com/doc/refman/8.0/en/comments.html).
+Of course, the first thing to know is if there's MySQL DBMS as a backend database. MySQL server has a feature that is used to let other DBMS ignore a clause in MySQL dialect. When a comment block `'/**/'` contains an exclamation mark `'/*! sql here*/'` it is interpreted by MySQL, and is considered as a normal comment block by other DBMS as explained in [MySQL manual](https://dev.mysql.com/doc/refman/8.0/en/comments.html).
 
 Example:
 
@@ -224,4 +224,4 @@ For a complete list, refer to the [MySQL manual](https://dev.mysql.com/doc/refma
 
 ### Case Studies
 
-- [Zeelock: Blind Injection in MySQL Databases](https://archive.cert.uni-stuttgart.de/bugtraq/2005/02/msg00289.html)
+- [All Your Databases Belong To Me! A Blind SQLi Case Study](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/all-your-databases-belong-to-me-a-blind-sqli-case-study)
diff --git a/...on_Testing/05.3-Testing_for_SQL_Server.md → ...on_Testing/03.3-Testing_for_SQL_Server.md b/...on_Testing/05.3-Testing_for_SQL_Server.md → ...on_Testing/03.3-Testing_for_SQL_Server.md
diff --git a/...dation_Testing/05.4-Testing_PostgreSQL.md → ...dation_Testing/03.4-Testing_PostgreSQL.md b/...dation_Testing/05.4-Testing_PostgreSQL.md → ...dation_Testing/03.4-Testing_PostgreSQL.md
diff --git a/...ion_Testing/05.5-Testing_for_MS_Access.md → ...ion_Testing/03.5-Testing_for_MS_Access.md b/...ion_Testing/05.5-Testing_for_MS_Access.md → ...ion_Testing/03.5-Testing_for_MS_Access.md
diff --git a/...sting/05.6-Testing_for_NoSQL_Injection.md → ...sting/03.6-Testing_for_NoSQL_Injection.md b/...sting/05.6-Testing_for_NoSQL_Injection.md → ...sting/03.6-Testing_for_NoSQL_Injection.md
diff --git a/...Testing/05.7-Testing_for_ORM_Injection.md → ...Testing/03.7-Testing_for_ORM_Injection.md b/...Testing/05.7-Testing_for_ORM_Injection.md → ...Testing/03.7-Testing_for_ORM_Injection.md
diff --git a/...n_Testing/05.8-Testing_for_Client-side.md → ...n_Testing/03.8-Testing_for_Client-side.md b/...n_Testing/05.8-Testing_for_Client-side.md → ...n_Testing/03.8-Testing_for_Client-side.md
diff --git a/..._Testing/06-Testing_for_LDAP_Injection.md → ..._Testing/04-Testing_for_LDAP_Injection.md b/..._Testing/06-Testing_for_LDAP_Injection.md → ..._Testing/04-Testing_for_LDAP_Injection.md
@@ -2,7 +2,7 @@
 
 |ID          |
 |------------|
-|WSTG-INPV-06|
+|WSTG-INPV-04|
 
 ## Summary
 

diff --git a/...n_Testing/07-Testing_for_XML_Injection.md → ...n_Testing/05-Testing_for_XML_Injection.md b/...n_Testing/07-Testing_for_XML_Injection.md → ...n_Testing/05-Testing_for_XML_Injection.md
@@ -2,7 +2,7 @@
 
 |ID          |
 |------------|
-|WSTG-INPV-07|
+|WSTG-INPV-05|
 
 ## Summary
 

diff --git a/...n_Testing/08-Testing_for_SSI_Injection.md → ...n_Testing/06-Testing_for_SSI_Injection.md b/...n_Testing/08-Testing_for_SSI_Injection.md → ...n_Testing/06-Testing_for_SSI_Injection.md
@@ -2,7 +2,7 @@
 
 |ID          |
 |------------|
-|WSTG-INPV-08|
+|WSTG-INPV-06|
 
 ## Summary
 
@@ -72,8 +72,8 @@ User-Agent: <!--#include virtual="/proc/version"-->
 
 - [Nginx SSI module](http://nginx.org/en/docs/http/ngx_http_ssi_module.html)
 - [Apache: Module mod_include](https://httpd.apache.org/docs/current/mod/mod_include.html)
-- [IIS: Server Side Includes directives](https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525185%28v=vs.90%29)
-- [Apache Tutorial: Introduction to Server Side Includes](https://httpd.apache.org/docs/current/howto/ssi.html)
+- [IIS: server-side Includes directives](https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525185%28v=vs.90%29)
+- [Apache Tutorial: Introduction to server-side Includes](https://httpd.apache.org/docs/current/howto/ssi.html)
 - [Apache: Security Tips for Server Configuration](https://httpd.apache.org/docs/current/misc/security_tips.html#ssi)
 - [SSI Injection instead of JavaScript Malware](https://jeremiahgrossman.blogspot.com/2006/08/ssi-injection-instead-of-javascript.html)
 - [IIS: Notes on Server-Side Includes (SSI) syntax](https://blogs.iis.net/robert_mcmurray/archive/2010/12/28/iis-notes-on-server-side-includes-ssi-syntax-kb-203064-revisited.aspx)

diff --git a/...Testing/09-Testing_for_XPath_Injection.md → ...Testing/07-Testing_for_XPath_Injection.md b/...Testing/09-Testing_for_XPath_Injection.md → ...Testing/07-Testing_for_XPath_Injection.md
@@ -2,7 +2,7 @@
 
 |ID          |
 |------------|
-|WSTG-INPV-09|
+|WSTG-INPV-07|
 
 ## Summary
 

diff --git a/...ing/10-Testing_for_IMAP_SMTP_Injection.md → ...ing/08-Testing_for_IMAP_SMTP_Injection.md b/...ing/10-Testing_for_IMAP_SMTP_Injection.md → ...ing/08-Testing_for_IMAP_SMTP_Injection.md
@@ -2,20 +2,20 @@
 
 |ID          |
 |------------|
-|WSTG-INPV-10|
+|WSTG-INPV-08|
 
 ## Summary
 
 This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications. The aim of this test is to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not being properly sanitized.
 
-The IMAP/SMTP Injection technique is more effective if the mail server is not directly accessible from Internet. Where full communication with the backend mail server is possible, it is recommended to conduct direct testing.
+The IMAP/SMTP Injection technique is more effective if the mail server is not directly accessible from internet. Where full communication with the backend mail server is possible, it is recommended to conduct direct testing.
 
-An IMAP/SMTP Injection makes it possible to access a mail server which otherwise would not be directly accessible from the Internet. In some cases, these internal systems do not have the same level of infrastructure security and hardening that is applied to the front-end web servers. Therefore, mail server results may be more vulnerable to attacks by end users (see the scheme presented in Figure 1).
+An IMAP/SMTP Injection makes it possible to access a mail server which otherwise would not be directly accessible from the internet. In some cases, these internal systems do not have the same level of infrastructure security and hardening that is applied to the frontend web servers. Therefore, mail server results may be more vulnerable to attacks by end users (see the scheme presented in Figure 1).
 
 ![IMAP SMTP Injection](images/Imap-smtp-injection.png)\
 *Figure 4.7.10-1: Communication with the mail servers using the IMAP/SMTP Injection technique*
 
-Figure 1 depicts the flow of traffic generally seen when using webmail technologies. Step 1 and 2 is the user interacting with the webmail client, whereas step 2 is the tester bypassing the webmail client and interacting with the back-end mail servers directly.
+Figure 1 depicts the flow of traffic generally seen when using webmail technologies. Step 1 and 2 is the user interacting with the webmail client, whereas step 2 is the tester bypassing the webmail client and interacting with the backend mail servers directly.
 
 This technique allows a wide variety of actions and attacks. The possibilities depend on the type and scope of injection and the mail server technology being tested.
 
@@ -37,7 +37,7 @@ Some examples of attacks using the IMAP/SMTP Injection technique are:
 
 ### Identifying Vulnerable Parameters
 
-In order to detect vulnerable parameters, the tester has to analyze the application's ability in handling input. Input validation testing requires the tester to send bogus, or malicious, requests to the server and analyse the response. In a secure application, the response should be an error with some corresponding action telling the client that something has gone wrong. In a vulnerable application, the malicious request may be processed by the back-end application that will answer with a `HTTP 200 OK` response message.
+In order to detect vulnerable parameters, the tester has to analyze the application's ability in handling input. Input validation testing requires the tester to send bogus, or malicious, requests to the server and analyse the response. In a secure application, the response should be an error with some corresponding action telling the client that something has gone wrong. In a vulnerable application, the malicious request may be processed by the backend application that will answer with a `HTTP 200 OK` response message.
 
 It is important to note that the requests being sent should match the technology being tested. Sending SQL injection strings for Microsoft SQL server when a MySQL server is being used will result in false positive responses. In this case, sending malicious IMAP commands is modus operandi since IMAP is the underlying protocol being tested.
 

diff --git a/..._Testing/11-Testing_for_Code_Injection.md → ..._Testing/09-Testing_for_Code_Injection.md b/..._Testing/11-Testing_for_Code_Injection.md → ..._Testing/09-Testing_for_Code_Injection.md
@@ -2,7 +2,7 @@
 
 |ID          |
 |------------|
-|WSTG-INPV-11|
+|WSTG-INPV-09|
 
 ## Summary
 

diff --git a/...esting/11.1-Testing_for_File_Inclusion.md → ...esting/09.1-Testing_for_File_Inclusion.md b/...esting/11.1-Testing_for_File_Inclusion.md → ...esting/09.1-Testing_for_File_Inclusion.md
@@ -85,22 +85,22 @@ The wrapper can be used like `php://filter/convert.base64-encode/resource=FILE`
 
 In PHP 7.2.0, the `zip://` wrapper was introduced to manipulate `zip` compressed files. This wrapper expects the following parameter structure: `zip:///filename_path#internal_filename`. The `filename_path` is the path to the malicious zip archive and `internal_filename` is the path of the malicious file placed inside the processed ZIP file. During the exploitation, it's common that the `#` would be encoded with its URL encoded value `%23`.
 
-Abuse of this wrapper could allow an attacker to design a malicious ZIP file that could be uploaded to the server, for example as an avatar image or using any file upload system available on the target website (the `php:zip://` wrapper does not require the zip file to have any specific extension) to be executed by the LFI vulnerability.
+Abuse of this wrapper could allow an attacker to design a malicious ZIP file that could be uploaded to the server, for example as an avatar image or using any file upload system available on the target site (the `php:zip://` wrapper does not require the zip file to have any specific extension) to be executed by the LFI vulnerability.
 
 In order to test this vulnerability, the following procedure could be followed to attack the previous code example provided.
 
 1. Create the PHP file to be executed, for example with the content `<?php phpinfo(); ?>` and save it as `code.php`.
 2. Compress it as a new ZIP file called `target.zip`.
-3. Rename the `target.zip` file to `target.jpg` to bypass the extension validation and upload it to the target website as your avatar image.
+3. Rename the `target.zip` file to `target.jpg` to bypass the extension validation and upload it to the target site as your avatar image.
 4. Supposing that the `target.jpg` file is stored locally on the server to the `../avatar/target.jpg` path, exploit the vulnerability with the PHP ZIP wrapper by injecting the following payload to the vulnerable URL: `zip://../avatar/target.jpg%23code` (remember that `%23` corresponds to `#`).
 
 Since on our sample the `.php` extension is concatenated to our payload, the request to `http://vulnerable_host/preview.php?file=zip://../avatar/target.jpg%23code` will result in the execution of the `code.php` file existing in the malicious ZIP file.
 
 ##### PHP Data
 
-Available since PHP 5.2.0, this wrapper expects the following usage: `data://text/plain;base64,BASE64_STR` where `BASE64_STR` is expected to be the Base64 encoded content of the file to be processed. It's important to consider that this wrapper would only be available if the option `allow_url_include` would be enabled.
+Available since PHP 5.2.0, this wrapper expects the following usage: `data://text/plain;base64,BASE64_STR` where `BASE64_STR` is expected to be the base64 encoded content of the file to be processed. It's important to consider that this wrapper would only be available if the option `allow_url_include` would be enabled.
 
-In order to test for LFI using this wrapper, the code to be executed should be Base64 encoded. For example, `<?php phpinfo(); ?>` would be encoded as: `PD9waHAgcGhwaW5mbygpOyA/Pg==` and the payload would be represented as: `data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==`.
+In order to test for LFI using this wrapper, the code to be executed should be base64 encoded. For example, `<?php phpinfo(); ?>` would be encoded as: `PD9waHAgcGhwaW5mbygpOyA/Pg==` and the payload would be represented as: `data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==`.
 
 ##### PHP Expect
 

diff --git a/...sting/12-Testing_for_Command_Injection.md → ...sting/10-Testing_for_Command_Injection.md b/...sting/12-Testing_for_Command_Injection.md → ...sting/10-Testing_for_Command_Injection.md
@@ -2,7 +2,7 @@
 
 |ID          |
 |------------|
-|WSTG-INPV-12|
+|WSTG-INPV-10|
 
 ## Summary
 
@@ -36,7 +36,7 @@ Example:
 
 ### Example
 
-Consider the case of an application that contains a set of documents that you can browse from the Internet. If you fire up a personal proxy (such as ZAP or Burp Suite), you can obtain a POST HTTP like the following (`http://www.example.com/public/doc`):
+Consider the case of an application that contains a set of documents that you can browse from the internet. If you fire up a personal proxy (such as ZAP or Burp Suite), you can obtain a POST HTTP like the following (`http://www.example.com/public/doc`):
 
 ```txt
 POST /public/doc HTTP/1.1

diff --git a/...Testing/13-Testing_for_Buffer_Overflow.md → ...Testing/11-Testing_for_Buffer_Overflow.md b/...Testing/13-Testing_for_Buffer_Overflow.md → ...Testing/11-Testing_for_Buffer_Overflow.md
@@ -2,6 +2,6 @@
 
 |ID          |
 |------------|
-|WSTG-INPV-13|
+|WSTG-INPV-11|
 
 This content has been removed
diff --git a/...13-Testing_for_Format_String_Injection.md → ...12-Testing_for_Format_String_Injection.md b/...13-Testing_for_Format_String_Injection.md → ...12-Testing_for_Format_String_Injection.md
@@ -2,7 +2,7 @@
 
 |ID          |
 |------------|
-|WSTG-INPV-13|
+|WSTG-INPV-12|
 
 ## Summary
 
@@ -82,7 +82,7 @@ Testers can perform a manual test using a web browser or other web API debugging
 
 `https://vulnerable_host/userinfo?username=%25s%25s%25s%25n`
 
-If the web site is vulnerable, the browser or tool should receive an error, which may include a timeout or an HTTP return code 500.
+If the site is vulnerable, the browser or tool should receive an error, which may include a timeout or an HTTP return code 500.
 
 The Java code returns the error