Update or remove old www.owasp.org wiki links (OWASP#347)
* OWASP Link Updates

Not all of these updates will appear in order. Sorry about that but
there was a LOT!

- 2 > Removed some dated links, refreshed some relevant links, fixed a
typo.
- 3 > Removed some dated links, refreshed some relevant links.
- 3.8 > Fix link title and refer to www-pdf-archive.
- 4.10.1 > Left as-is, they're in tool output samples.
- 4.10.4 > Removed some dated links, refreshed some relevant links.
- 4.11.1 > Linkify 4.8 added some periods.
- 4.11.3 > Linkify 4.8.
- 4.11.7 > Updated links.
- 4.11.8 > Updated one link, bullet'ify references.
- 4.11.9 > Updated one link.
- 4.12.1 > Updated links, tweaked one spelling.
- 4.12.10 > Updated links.
- 4.12.2 > Updated one link.
- 4.12.4 > Updated one link.
- 4.12.8 > Remove references to the OWASP Flash Security Project.
Suggest using web search for tool sourcing. Update WSFIntruder link to
use wiki.owasp.org. [** Should we remove 4.12.8 for v5, since Flash is
essentially dead? **]
- 4.12.9 > Updated one link.
- 4.2.4 > Linkify 4.2.1, other www.owasp.org references left as-is (code
fenced).
- 4.2.9 > Removed dead project ref.
- 4.3.3 > Linkify 4.2.1.
- 4.3.5 > Replace DirBuster ref.
- 4.3.6 > Updated links.
- 4.5.3 > Removed ref.
- 4.5.4 > Updated ref.
- 4.5.7 > Updated one link.
- 4.5.9 > Removed dead project ref.
- 4.6.4 > Updated one link.
- 4.7.1 > Fixed links, added code fencing, removed an old ppt ref
(doesn't seem to be on the new site and PowerPoint complains when
opening it), removed the whole 'Related Security Activities' section as
none of the referenced material has been migrated to the new site (and
it doesn't seem to fit our doc template).
- 4.7.3 > Updated one link.
- 4.7.4 > Updated one link.
- 4.7.5 > removed reference to Development Guide (can't find up-to-date
content).

* More

- 2 > Removed code review project reference, can't find up-to-date
content.
- 4.12.10 > Updated a few internal links.
- 4.5.3 > Updated one link.
- 4.9.1 > Removed a reference to a seemingly dead project.
- README.md > Updated two links.
- OWASP_Summit_Outcomes.md > Unlinked one thing.
- 999.2_Template_Explanation_WSTG-FOO-002.md > Updated one link.
- Appx.C_Fuzz_Vectors.md > Removed two links (projects seem dead),
linked "Fuzzing" ref.
- Appx.B_Suggested_Reading.md > removed a bunch of seemingly dead
project refs.
- 4.8.9 > Update one link.
- 4.8.8 > Replace one link.
- 4.8.8 > Switch to wiki.owasp.org link (should we drop this one?).
- 4.8.5.5 > Update two links.
- 4.8.5.4 > Update one link.
- 4.8.5.3 > Update links.
- 4.8.5.2 > Update one link.
- 4.8.4 > Update links.
- 4.8.5 > Updated a bunch of links. Removed one link.
- 4.8.2 > Updated various links.
- 4.8.19 > Updated one link.
- 4.8.16 > Updated one link.
- 4.8.15 > Remove one ref.
- 4.8.14 > Update links. (Should this be a README since it has Level 4
items?)
- 4.8.13 > Updated one link.
- 4.8.12 > Updated two links.
- 4.8.10 > Updated 3 links.
- 4.8.1 > Remove a bunch of refs to dead projects, update one or two
links.
- Appx.A > Move a bunch of refs to dead projects, update one or two
links.

* Lint fixes

* Restore Code Review Guide with wiki.owasp.org links

* One more line

* Address review

* Fix ordered list ?

* Ordered list to level 4 headings

* last lint?
ThunderSon authored Mar 5, 2020
1 parent 0296b59 commit 4f8198d
Showing 54 changed files with 125 additions and 179 deletions.
2 changes: 1 addition & 1 deletion OWASP_Summit_Outcomes.md
Expand Up @@ -35,7 +35,7 @@ REVIEW:
- Information and Config management testing
- Authentication Testing: add oauth testing
- Reporting: adding how to create security testing case for devs
- Add [Client Side SQLi](https://www.owasp.org/index.php/Test_Local_Storage_(WSTG-CLIENT-012))
- Add `Client Side SQLi`

## Two questions for OWASP

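Review bot: On the `+ Add \`Client Side SQLi\`` line the cross-reference is dropped rather than updated, so this summit outcome no longer points at the Test Local Storage test case (WSTG-CLIENT-012) that the removed URL named. Since the other files in this commit switch such references to in-repo relative paths (for example `../4.8_Input_Validation_Testing/README.md`), suggest linking this item to the WSTG-CLIENT-012 markdown file in this repository the same way instead of leaving it as backtick-quoted text.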
4 changes: 2 additions & 2 deletions README.md
@@ -1,7 +1,7 @@
# OWASP Web Security Testing Guide

[![Contributions Welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/OWASP/wstg/issues)
[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship-brightgreen.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects)
[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship-brightgreen.svg)](https://owasp.org/projects/)
![Twitter Follow](https://img.shields.io/twitter/follow/owasp_wstg?style=social)

[![Creative Commons License](https://licensebuttons.net/l/by-sa/4.0/88x31.png)](https://creativecommons.org/licenses/by-sa/4.0/ "CC BY-SA 4.0")
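Review bot: The replacement target for the `OWASP Flagship` badge, `https://owasp.org/projects/`, is the generic project listing, whereas the removed URL's `#tab=Flagship_Projects` fragment pointed at the flagship tier specifically; if the new site offers a flagship-filtered view or the WSTG project page itself, link that so the badge still substantiates the "flagship" claim it carries.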
@@ -10,7 +10,7 @@ Welcome to the official repository for the Open Web Application Security Project

We are currently working on release version 5.0. You can [read the current document here on GitHub](https://github.com/OWASP/wstg/tree/master/document).

For the last stable release, [view the previous version 4.0](http://www.owasp.org/index.php/OWASP_Testing_Project).
For the last stable release, [view the previous version 4.0](https://owasp.org/www-project-web-security-testing-guide/).

- [OWASP Web Security Testing Guide](#owasp-web-security-testing-guide)
- [Contributions, Feature Requests, and Feedback](#contributions-feature-requests-and-feedback)
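Review bot: The new target `https://owasp.org/www-project-web-security-testing-guide/` is the project landing page, while the link text still promises "view the previous version 4.0"; confirm that the landing page actually exposes the v4.0 document, or link the v4 download directly, so the text and the target agree. Moving the scheme from `http` to `https` on this line is a good catch.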
8 changes: 4 additions & 4 deletions document/2_Introduction/2_Introduction.md
@@ -58,7 +58,7 @@ An effective testing program should have components that test the following:

Unless a holistic approach is adopted, testing just the technical implementation of an application will not uncover management or operational vulnerabilities that could be present. By testing the people, policies, and processes, an organization can catch issues that would later manifest themselves into defects in the technology, thus eradicating bugs early and identifying the root causes of defects. Likewise, testing only some of the technical issues that can be present in a system will result in an incomplete and inaccurate security posture assessment.

Denis Verdon, Head of Information Security at [Fidelity National Financial](https://www.fnf.com), presented an excellent analogy for this misconception at the [OWASP AppSec 2004 Conference in New York](https://www.owasp.org/index.php/OWASP_AppSec_NYC_2004):
Denis Verdon, Head of Information Security at [Fidelity National Financial](https://www.fnf.com), presented an excellent analogy for this misconception at the OWASP AppSec 2004 Conference in New York:

> If cars were built like applications ... safety tests would assume frontal impact only. Cars would not be roll tested, or tested for stability in emergency maneuvers, brake effectiveness, side impact, and resistance to theft.
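Review bot: Dropping the AppSec NYC 2004 link leaves the Verdon quotation with no citation at all. Since this same file keeps another legacy page reachable via `wiki.owasp.org` (the Code Review Project link further down), the same treatment would preserve the source for the analogy; if the wiki page is also gone, the plain-text conference name and year that this hunk keeps is the minimum, and the talk title would help readers locate it.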
@@ -224,7 +224,7 @@ Examples of issues that are particularly conducive to being found through source
- Cannot detect run-time errors easily
- The source code actually deployed might differ from the one being analyzed

For more on code review, see the [OWASP code review project](https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project).
For more on code review, see the [OWASP code review project](https://wiki.owasp.org/index.php/Category:OWASP_Code_Review_Project).

## Penetration Testing

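Review bot: `wiki.owasp.org` is the read-only archive of the old wiki, so this Code Review Project link will not follow any future home of the guide, and the commit message itself treats these wiki links as tentative ("should we drop this one?"). Suggest either marking the link text as archived or tracking a follow-up to repoint it once the project has a `www-project` page, so readers are not sent to content that may be stale.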
@@ -271,7 +271,7 @@ The following figure shows a typical proportional representation overlaid onto t

Many organizations have started to use automated web application scanners. While they undoubtedly have a place in a testing program, some fundamental issues need to be highlighted about why it is believed that automating black-box testing is not (nor will ever be) completely effective. However, highlighting these issues should not discourage the use of web application scanners. Rather, the aim is to ensure the limitations are understood and testing frameworks are planned appropriately.

It is helpful to understand the efficacy and limitations of automated vulnerability detection tools. To this end, the [OWASP Benchmark Project](https://www.owasp.org/index.php/Benchmark) is a test suite designed to evaluate the speed, coverage, and accuracy of automated software vulnerability detection tools and services. Benchmarking can help to test the capabilities of these automated tools, and help to make their usefulness explicit.
It is helpful to understand the efficacy and limitations of automated vulnerability detection tools. To this end, the [OWASP Benchmark Project](https://owasp.org/www-project-benchmark/) is a test suite designed to evaluate the speed, coverage, and accuracy of automated software vulnerability detection tools and services. Benchmarking can help to test the capabilities of these automated tools, and help to make their usefulness explicit.

The following examples show why automated black-box testing may not be effective.

@@ -316,7 +316,7 @@ To have a successful testing program, one must know what the testing objectives

### Testing Objectives

One of the objectives of security testing is to validate that security controls operate as expected. This is documented via `security requirements` that describe the functionality of the security control. At a high level, this means proving confidentiality, integrity, and availability of the data as well as the service. The other objective is to validate that security controls are implemented with few or no vulnerabilities. These are common vulnerabilities, such as the [OWASP Top Ten](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), as well as vulnerabilities that have been previously identified with security assessments during the SDLC, such as threat modelling, source code analysis, and penetration test.
One of the objectives of security testing is to validate that security controls operate as expected. This is documented via `security requirements` that describe the functionality of the security control. At a high level, this means proving confidentiality, integrity, and availability of the data as well as the service. The other objective is to validate that security controls are implemented with few or no vulnerabilities. These are common vulnerabilities, such as the [OWASP Top Ten](https://owasp.org/www-project-top-ten/), as well as vulnerabilities that have been previously identified with security assessments during the SDLC, such as threat modeling, source code analysis, and penetration test.

### Security Requirements Documentation

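Review bot: Style point on the changed `+` line: the list "threat modeling, source code analysis, and penetration test" is not parallel, and since the line is already being touched for the modelling/modeling spelling change, "penetration testing" would match the other two items. The Top Ten link update to `https://owasp.org/www-project-top-ten/` is fine.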
@@ -149,7 +149,8 @@ OSSTMM includes the following key sections:
- [NIST - SP 800-115](https://csrc.nist.gov/publications/detail/sp/800-115/final)
- [HIPAA 2012](http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-6_kscarfone-rmetzer_security-testing-assessment.pdf)
- [Penetration Testing Framework 0.59](http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html)
- [Security Testing Guidelinesfor mobile Apps](https://www.owasp.org/images/0/04/Security_Testing_Guidelines_for_mobile_Apps_-_Florian_Stahl%2BJohannes_Stroeher.pdf)
- [OWASP Mobile Security Testing Guide](https://owasp.org/www-project-mobile-security-testing-guide/)
- [Security Testing Guidelines for Mobile Apps](https://owasp.org/www-pdf-archive/Security_Testing_Guidelines_for_mobile_Apps_-_Florian_Stahl%2BJohannes_Stroeher.pdf)
- [Kali](https://www.kali.org/)
- [ISSTF](https://sourceforge.net/projects/isstf/files/issaf%20document/issaf0.1/)
- [Information Supplement: Requirement 11.3 Penetration Testing](https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf)
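Review bot: The `www-pdf-archive` URL for the Stahl/Stroeher guidelines is the old `/images/0/04/` path with the host and prefix swapped; the archive is not a one-to-one mirror of the wiki's image store, so confirm the PDF resolves at that exact filename before merging. Fixing the `Guidelinesfor` typo in the link text and adding the MSTG link above it are both good; while in this list, the unchanged `HIPAA 2012` line still uses `http` and a `hiipaa` path segment, which deserves the same existence check.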
@@ -98,7 +98,7 @@ Static code reviews validate the code against a set of checklists, including:

In terms of return on resources invested (mostly time), static code reviews produce far higher quality returns than any other security review method and rely least on the skill of the reviewer. However, they are not a silver bullet and need to be considered carefully within a full-spectrum testing regime.

For more details on OWASP checklists, please refer to [OWASP Guide for Secure Web Applications](https://www.owasp.org/index.php/OWASP_Guide_Project), or the latest edition of the [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).
For more details on OWASP checklists, please refer to the latest edition of the [OWASP Top 10](https://owasp.org/www-project-top-ten/).

## Phase 4: During Deployment

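Review bot: After removing the Guide Project link, the rewritten sentence "For more details on OWASP checklists, please refer to the latest edition of the OWASP Top 10" no longer fits: the Top 10 is an awareness list, not a review checklist. If the intent is a checklist for static code review, the OWASP ASVS or the Code Review Guide (kept via `wiki.owasp.org` elsewhere in this commit) is the closer reference; otherwise reword the sentence to describe what the Top 10 actually provides.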
@@ -128,14 +128,13 @@ CWE-780 Use of RSA Algorithm without OAEP
- [Wikipedia: Initialization Vector](https://en.wikipedia.org/wiki/Initialization_vector)
- [Secure Coding - Generating Strong Random Numbers](https://www.securecoding.cert.org/confluence/display/java/MSC02-J.+Generate+strong+random+numbers)
- [Optimal Asymmetric Encryption Padding](https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding)
- [Cryptographic Storage Cheat Sheet](https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet)
- [Password Storage Cheat Sheet](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet)
- [Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)
- [Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)
- [Secure Coding - Do not use insecure or weak cryptographic algorithms](https://www.securecoding.cert.org/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms)
- [Insecure Randomness](https://www.owasp.org/index.php/Insecure_Randomness)
- [Insufficient Entropy](https://www.owasp.org/index.php/Insufficient_Entropy)
- [Insufficient Session-ID Length](https://www.owasp.org/index.php/Insufficient_Session-ID_Length)
- [Use of hard-coded cryptographic key](https://www.owasp.org/index.php/Use_of_hard-coded_cryptographic_key)
- [Using a broken or risky cryptographic algorithm](https://www.owasp.org/index.php/Using_a_broken_or_risky_cryptographic_algorithm)
- [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness)
- [Insufficient Entropy](https://owasp.org/www-community/vulnerabilities/Insufficient_Entropy)
- [Insufficient Session-ID Length](https://owasp.org/www-community/vulnerabilities/Insufficient_Session-ID_Length)
- [Using a broken or risky cryptographic algorithm](https://owasp.org/www-community/vulnerabilities/Using_a_broken_or_risky_cryptographic_algorithm)
- [Javax.crypto.cipher API](https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html)
- ISO 18033-1:2015 – Encryption Algorithms
- ISO 18033-2:2015 – Asymmetric Ciphers
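Review bot: The `Use of hard-coded cryptographic key` reference is removed without a replacement, while its siblings (`Insecure Randomness`, `Insufficient Entropy`, `Insufficient Session-ID Length`, `Using a broken or risky cryptographic algorithm`) are repointed to `owasp.org/www-community/vulnerabilities/`; if no community page exists for it, link the corresponding CWE entry (CWE-321, Use of Hard-coded Cryptographic Key) rather than dropping the topic from the list. The unchanged `securecoding.cert.org` Confluence links in the same block are of the same vintage as the ones being retired and are worth a follow-up.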
@@ -38,13 +38,13 @@ Specific Testing Method:

## Related Test Cases

All [Input Validation](https://www.owasp.org/index.php/Testing_for_Input_Validation) test cases
All [Input Validation](../4.8_Input_Validation_Testing/README.md) test cases.

[Testing for Account Enumeration and Guessable User Account (WSTG-IDENT-004)](../4.4_Identity_Management_Testing/4.4.4_Testing_for_Account_Enumeration_and_Guessable_User_Account_WSTG-IDENT-004.md)
[Testing for Account Enumeration and Guessable User Account (WSTG-IDENT-004)](../4.4_Identity_Management_Testing/4.4.4_Testing_for_Account_Enumeration_and_Guessable_User_Account_WSTG-IDENT-004.md).

[Testing for Bypassing Session Management Schema (WSTG-SESS-001)](../4.7_Session_Management_Testing/4.7.1_Testing_for_Session_Management_Schema_WSTG-SESS-001.md)
[Testing for Bypassing Session Management Schema (WSTG-SESS-001)](../4.7_Session_Management_Testing/4.7.1_Testing_for_Session_Management_Schema_WSTG-SESS-001.md).

[Testing for Exposed Session Variables (WSTG-SESS-004)](../4.7_Session_Management_Testing/4.7.4_Testing_for_Exposed_Session_Variables_WSTG-SESS-004.md)
[Testing for Exposed Session Variables (WSTG-SESS-004)](../4.7_Session_Management_Testing/4.7.4_Testing_for_Exposed_Session_Variables_WSTG-SESS-004.md).

## Tools

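Review bot: The three `+` lines each append a period to a link that stands alone as its own paragraph, which reads as a stray trailing dot after a title. Given this same commit converts the file-upload References to a `-` bulleted list, the cleaner fix is to make "Related Test Cases" a bullet list too (`- All [Input Validation](../4.8_Input_Validation_Testing/README.md) test cases`, `- [Testing for Account Enumeration ...](...)`) and drop the periods, as the commit message's "Linkify 4.8 added some periods" note already hints.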
@@ -58,7 +58,7 @@ Many systems include logging for auditing and troubleshooting purposes. But, how

## Related Test Cases

All [Input Validation](https://www.owasp.org/index.php/Testing_for_Input_Validation) test cases.
All [Input Validation](../4.8_Input_Validation_Testing/README.md) test cases.

## Tools

@@ -70,8 +70,8 @@ The tester can use many of the tools used for the other test cases.
- [Resilient Software](https://buildsecurityin.us-cert.gov/swa/resilient.html), Software Assurance, US Department Homeland Security
- [IR 7684](https://csrc.nist.gov/publications/detail/nistir/7864/final) Common Misuse Scoring System (CMSS), NIST
- [Common Attack Pattern Enumeration and Classification](https://capec.mitre.org/) (CAPEC), The Mitre Corporation
- [OWASP AppSensor Project](https://www.owasp.org/index.php/OWASP_AppSensor_Project)
- [AppSensor Guide v2](https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc), OWASP
- [OWASP AppSensor Project](https://owasp.org/www-project-appsensor/)
- [AppSensor Guide v2](https://owasp.org/www-pdf-archive/Owasp-appsensor-guide-v2.pdf), OWASP
- Watson C, Coates M, Melton J and Groves G, [Creating Attack-Aware Software Applications with Real-Time Defenses](https://pdfs.semanticscholar.org/0236/5631792fa6c953e82cadb0e7268be35df905.pdf), CrossTalk The Journal of Defense Software Engineering, Vol. 24, No. 5, Sep/Oct 2011

## Remediation
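Review bot: The replacement `www-pdf-archive` link changes both the filename (`Owasp-appensor-guide-v2` to `Owasp-appsensor-guide-v2`) and the format (`.doc` to `.pdf`) relative to the removed `File:` wiki URL, so this is a different artifact rather than a re-hosted copy of the same one; verify the PDF exists under that name and is the v2 guide before merging. The project link to `owasp.org/www-project-appsensor/` looks right.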
@@ -52,13 +52,10 @@ Specific Testing Method

## References

[OWASP - Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload)

[File upload security best practices: Block a malicious file upload](https://www.computerweekly.com/answer/File-upload-security-best-practices-Block-a-malicious-file-upload)

[Stop people uploading malicious PHP files via forms](https://stackoverflow.com/questions/602539/stop-people-uploading-malicious-php-files-via-forms)

[CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html)
- [OWASP - Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
- [File upload security best practices: Block a malicious file upload](https://www.computerweekly.com/answer/File-upload-security-best-practices-Block-a-malicious-file-upload)
- [Stop people uploading malicious PHP files via forms](https://stackoverflow.com/questions/602539/stop-people-uploading-malicious-php-files-via-forms)
- [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html)

## Remediation

@@ -130,7 +130,7 @@ Upload the [ZIP bomb](https://github.com/AbhiAgarwal/notes/wiki/Zip-bomb) file t

## References

[OWASP - Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload)
[OWASP - Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)

[Why File Upload Forms are a Major Security Threat](https://www.acunetix.com/websitesecurity/upload-forms-threat/)

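Review bot: This References section keeps bare links separated by blank lines, while the sibling file-upload test case in this same commit converts the equivalent list to `-` bullets; apply the same conversion here (`- [OWASP - Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)`, `- [Why File Upload Forms are a Major Security Threat](...)`) so the two related test cases render consistently.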
@@ -8,15 +8,15 @@ Traditionally, the HTTP protocol only allows one request/response per TCP connec

## Origin

It is the server’s responsibility to verify the [`Origin` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) in the initial HTTP WebSocket handshake. If the server does not validate the origin header in the initial WebSocket handshake, the WebSocket server may accept connections from any origin. This could allow attackers to communicate with the WebSocket server cross-domain allowing for CSRF-like issues. See also [Top 10-2017 A5-Broken Access Control](https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control).
It is the server’s responsibility to verify the [`Origin` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) in the initial HTTP WebSocket handshake. If the server does not validate the origin header in the initial WebSocket handshake, the WebSocket server may accept connections from any origin. This could allow attackers to communicate with the WebSocket server cross-domain allowing for CSRF-like issues. See also [Top 10-2017 A5-Broken Access Control](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control).

## Confidentiality and Integrity

WebSockets can be used over unencrypted TCP or over encrypted TLS. To use unencrypted WebSockets the `ws://` URI scheme is used (default port 80), to use encrypted (TLS) WebSockets the `wss://` URI scheme is used (default port 443). See also [Top 10-2017 A3-Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).
WebSockets can be used over unencrypted TCP or over encrypted TLS. To use unencrypted WebSockets the `ws://` URI scheme is used (default port 80), to use encrypted (TLS) WebSockets the `wss://` URI scheme is used (default port 443). See also [Top 10-2017 A3-Sensitive Data Exposure](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure).

## Input Sanitization

As with any data originating from untrusted sources, the data should be properly sanitized and encoded. See also [Top 10-2017 A1-Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection) and [Top 10-2017 A7-Cross-Site Scripting (XSS)](https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)).
As with any data originating from untrusted sources, the data should be properly sanitized and encoded. See also [Top 10-2017 A1-Injection](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection) and [Top 10-2017 A7-Cross-Site Scripting (XSS)](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)).

## How to Test

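Review bot: The new XSS URL on the last `+` line contains unescaped parentheses, `...Top_10-2017_A7-Cross-Site_Scripting_(XSS))`; markdown renderers differ on balanced parentheses inside a link destination, so percent-encode them as `%28XSS%29` or wrap the destination in `<...>` to keep the link from breaking in lint or the published output. The other three Top 10-2017 targets follow the same `www-project-top-ten/OWASP_Top_Ten_2017/` pattern and look consistent.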
@@ -35,13 +35,13 @@ As with any data originating from untrusted sources, the data should be properly
- Check the SSL Implementation for security issues (Valid Certificate, BEAST, CRIME, RC4, etc). Refer to the [Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (WSTG-CRYPST-001)](../4.10_Testing_for_Weak_Cryptography/4.10.1_Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection_WSTG-CRYPST-001.md) section of this guide.

4. Authentication.
- WebSockets do not handle authentication, normal black-box authentication tests should be carried out. Refer to the [Authentication Testing](https://www.owasp.org/index.php/Testing_for_authentication) sections of this guide.
- WebSockets do not handle authentication, normal black-box authentication tests should be carried out. Refer to the [Authentication Testing](../4.5_Authentication_Testing/README.md) sections of this guide.

5. Authorization.
- WebSockets do not handle authorization, normal black-box authorization tests should be carried out. Refer to the [Authorization Testing](https://www.owasp.org/index.php/Testing_for_Authorization) sections of this guide.
- WebSockets do not handle authorization, normal black-box authorization tests should be carried out. Refer to the [Authorization Testing](../4.6_Authorization_Testing/README.md) sections of this guide.

6. Input Sanitization.
- Use [ZAP's](https://www.zaproxy.org) WebSocket tab to replay and fuzz WebSocket request and responses. Refer to the [Testing for Data Validation](https://www.owasp.org/index.php/Testing_for_Data_Validation) sections of this guide.
- Use [ZAP's](https://www.zaproxy.org) WebSocket tab to replay and fuzz WebSocket request and responses. Refer to the [Testing for Data Validation](../4.8_Input_Validation_Testing/README.md) sections of this guide.

#### Example 1

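Review bot: On the last `+` line the link text still says "Testing for Data Validation" while the target is now `../4.8_Input_Validation_Testing/README.md`; rename the text to match the section ("Input Validation Testing") so readers are not looking for a heading that no longer exists. The Authentication and Authorization lines above use the same relative-path pattern and are fine.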