Report order not correct
Include unnecessary files

[A1 - Injection] [ Drop Table ]: Lack of module (Search). Test case descriptions are not specific. Testing data might be something like [a'; Drop Table Patients;" ]. And for expected result, it should found out whether the table is deleted.

[A1 - Injection] [ Tautology ]: Lack of module (Login). Test case descriptions are not specific.

[A2 - BAC] [ Exposed Session IDs ]: Lack of module. Test case descriptions are not specific. URL opened for inspecting session ID could be specific?

[A2 - BAC] [ Session Time Outs ]:Lack of module. Test case descriptions are not specific. Have doubt on this test case. Firstly it's not about "time out". And when reopen the browser and , if the session still exist it should not mean "fail"

We used the jbrofuzz rulesets (introduced in the initial ZAP activity) to perform a fuzzing exercise on OpenMRS with the following vulnerability types: Injection, Buffer Overflow, XSS, and SQL Injection. We pick at least one ruleset for each type of vulnerability listed. The ruleset should be appropriate for the target field and backend. We include the chosen fuzzers for each vulnerability type along with the results, and what we believe the team would need to do to fix any vulnerabilities we find. If we don't find any vulnerabilities, we will provide our reasoning as to why that was the case, and describe how we would adjust the fuzzing rules we used.

I can look up all the modules but is there a smart way?

5 test cases in which we stop user input in OpenMRS with ZAP and change the input string to an attack.
We include the page URL, the input field, the initial user input, and the malicious input, and describe what "filler" information is used for the rest of the fields on the page (if necessar