Merge branch 'OWASP:master' into master
sk3l10x1ng authored Aug 20, 2024
2 parents fea0b34 + 187d3b7 commit 50f67ec
Showing 251 changed files with 2,775 additions and 1,905 deletions.
10 changes: 1 addition & 9 deletions .github/workflows/build-website.yml
@@ -19,9 +19,7 @@ jobs:
- name: Install dependencies
run: pip install -r src/scripts/requirements.txt

- run: ./src/scripts/structure_mastg.sh

- run: python3 src/scripts/transform_files.py
- run: bash -x ./src/scripts/structure_mastg.sh

- name: Get Latest MASVS Release Tag
run: echo "MASVS_VERSION=$(curl -s https://api.github.com/repos/OWASP/owasp-masvs/releases/latest | jq '.tag_name' | sed 's/\"//g')" >> $GITHUB_ENV
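Review bot: `bash -x` on the new structure_mastg.sh step traces every expanded command into the workflow log; that is fine while debugging, but if the script ever reads a token or other secret, the expanded value is printed too, so drop `-x` once the pipeline is stable or gate it behind a debug flag. The step also lost its `name:` (every neighbouring step has one), and the `transform_files.py` step disappears without a visible replacement, so confirm its work now happens inside structure_mastg.sh. Minor, in the context line: `jq '.tag_name' | sed 's/\"//g'` is simply `jq -r .tag_name`, and a failed or rate-limited `curl -s` silently leaves MASVS_VERSION empty.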
@@ -39,11 +37,5 @@ jobs:

- name: Generate MASVS Control Markdown Files
run: python3 src/scripts/write_masvs_control_md_files.py

- name: Populate Dynamic Pages
run: python3 src/scripts/populate_dynamic_pages.py

- name: Generate Cross-References
run: python3 src/scripts/generate_cross_references.py

- run: mkdocs gh-deploy --force --clean --verbose
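Review bot: Dropping the `Populate Dynamic Pages` and `Generate Cross-References` steps means nothing visible in this job produces cross references any more, yet documents in this same commit start using `@MASTG-APP-0015`-style tokens; confirm `structure_mastg.sh` now resolves them, otherwise `mkdocs gh-deploy` publishes the literal tokens. Unchanged but worth keeping deliberate: `--force` rewrites the gh-pages branch history on every run.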
6 changes: 6 additions & 0 deletions .github/workflows/config/url-checker-config.json
@@ -9,6 +9,9 @@
{
"pattern": "https://github.com/commjoen/contributors-mstg"
},
{
"pattern": "https://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html"
},
{
"pattern": "http://127.0.0.1:8000"
},
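Review bot: The new dhanjani.com entry is written differently from the rest of this file: the other entries anchor with `^` and this one does not, and its dots are unescaped, so if these patterns are regular expressions (the `^` anchors elsewhere suggest they are) it also matches any URL containing that string with any character in place of the dots. Harmless in practice, but `^https://www\\.dhanjani\\.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios\\.html$` is the precise form, and a sentence in the commit on why the URL is skipped (site gone, bot blocked) helps whoever later wonders whether to remove it.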
@@ -78,6 +81,9 @@
{
"pattern": "^https://www.netspi.com/blog/technical-blog/"
},
{
"pattern": "^https://web.archive.org"
},
{
"pattern": "^MASTG/"
},
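Review bot: Ignoring everything under `^https://web.archive.org` also stops the checker from noticing archive links that were never actually captured (the Wayback Machine answers those with an error), which is precisely the failure an archive link exists to prevent. If the motivation is rate limiting or slow responses, keeping the check with a longer timeout for that host is the narrower fix; if the pattern stays, escape the dots for consistency with the other regex entries.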
3 changes: 0 additions & 3 deletions .github/workflows/docgenerator.yml
@@ -41,9 +41,6 @@ jobs:
- name: Assemble Chapters
run: python3 src/scripts/assemble_chapters_for_pdf.py

- name: Process Files
run: python3 src/scripts/transform_files.py

- name: Generate English PDF
run: ./src/pandocker/pandoc_makedocs.sh Document ${{env.MASTG_VERSION}} ${{env.MASVS_VERSION}}

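Review bot: Removing the `Process Files` step mirrors the change in build-website.yml, but here no replacement is added, so the PDF build now goes from `assemble_chapters_for_pdf.py` straight into pandoc. If the transformations (cross-reference tokens, dynamic pages) now live in structure_mastg.sh, this job needs to call it as well, or the English PDF will carry unresolved markup; a glance at the generated PDF on the next release run would confirm either way.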
15 changes: 7 additions & 8 deletions .gitignore
@@ -13,12 +13,6 @@ logs
*.pdf
*.docx
*.epub
docs/MASVS/**/
docs/MASVS/*-*.md
docs/MASTG/**/
docs/MASTG/0x*.md
docs/assets/Images
docs/checklists/MASVS-*.md
docs/talks.md
owasp-masvs
__pycache__
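Review bot: Besides the docs/MASVS and docs/MASTG globs, this hunk un-ignores `docs/checklists/MASVS-*.md`; if the checklists are still generated into that directory they will now appear as untracked files and can be committed by accident. Either they are no longer generated there (then this is fine) or the pattern should be re-added.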
@@ -27,5 +21,10 @@ playground/
__handlers__
*.apk
risks2/
docs/MASWE/**/
docs/MASWE/*.md
docs/MASVS/**/
docs/MASVS/*-*.md
docs/MASTG
docs/MASWE
docs/assets/Images
OWASP_MASVS.yaml
cross_references.yaml
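Review bot: `docs/MASTG` and `docs/MASWE` are now ignored as whole directories instead of the earlier `docs/MASTG/0x*.md`-style globs, so any file a contributor drops by hand under those paths is silently never committed; acceptable if both trees are fully generated, but a comment line saying so would avoid confusion. `cross_references.yaml` is added to the ignore list while the workflow step that generated it is removed in this same commit, so confirm something still produces it.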
3 changes: 1 addition & 2 deletions .vscode/launch.json
@@ -21,8 +21,7 @@
"console": "integratedTerminal",
"env": {
"PYTHONPATH": "${workspaceFolder}/.venv/bin/python3"
},
"preLaunchTask": "Run populate_dynamic_pages.py"
}
}
]
}
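Review bot: With `preLaunchTask` gone, the `},` closing the `env` block correctly becomes `}` and the JSON stays valid. Unrelated to the change but visible in the context: `PYTHONPATH` is set to `${workspaceFolder}/.venv/bin/python3`, which is an interpreter path rather than a directory of importable modules, so the entry has no effect; it was probably meant to be the configuration's `python` (interpreter) setting.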
16 changes: 0 additions & 16 deletions .vscode/tasks.json
@@ -6,22 +6,6 @@
"type": "shell",
"command": "./src/scripts/structure_mastg.sh",
"problemMatcher": []
},
{
"label": "Run transform_files.py",
"type": "shell",
"command": "${workspaceFolder}/.venv/bin/python",
"args": ["src/scripts/transform_files.py"],
"problemMatcher": [],
"dependsOn": "Run structure_mastg.sh"
},
{
"label": "Run populate_dynamic_pages.py",
"type": "shell",
"command": "${workspaceFolder}/.venv/bin/python",
"args": ["src/scripts/populate_dynamic_pages.py"],
"problemMatcher": [],
"dependsOn": "Run transform_files.py"
}
]
}
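Review bot: Removing these two tasks is consistent with launch.json dropping its `preLaunchTask`, and the `},` after the first task correctly becomes `}`. The surviving `Run structure_mastg.sh` task invokes `./src/scripts/structure_mastg.sh` directly while CI now runs it under `bash -x`; keep the two invocations aligned so a developer reproducing a CI failure locally sees the same behaviour.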
2 changes: 1 addition & 1 deletion Dockerfile
@@ -23,4 +23,4 @@ EXPOSE 8000
# Start the container with a shell
CMD ["bash"]

# If running manually: docker run -it --rm -p 8000:8000 -v $(pwd):/workspaces/owasp-mastg mastg
# If running manually: docker run -it --rm -p 8000:8000 -v $(pwd):/workspaces/owasp-mastg mastg
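Review bot: The removed and added comment lines render identically, so this is presumably a missing trailing newline or whitespace fix; stating that in the commit saves the next reviewer a diff-of-nothing puzzle, and an editorconfig or `.gitattributes` rule for final newlines keeps it from recurring.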
38 changes: 19 additions & 19 deletions Document/0x01-Foreword.md
@@ -1,19 +1,19 @@
# Foreword

Welcome to the OWASP Mobile Application Security Testing Guide. Feel free to explore the existing content, but do note that it may change at any time. New APIs and best practices are introduced in iOS and Android with every major (and minor) release and also vulnerabilities are found every day.

If you have feedback or suggestions, or want to contribute, create an issue on GitHub or ping us on Slack. See the README for instructions:

<https://www.github.com/OWASP/owasp-mastg/>

**squirrel (noun plural): Any arboreal sciurine rodent of the genus Sciurus, such as S. vulgaris (red squirrel) or S. carolinensis (grey squirrel), having a bushy tail and feeding on nuts, seeds, etc.**

On a beautiful summer day, a group of ~7 young men, a woman, and approximately three squirrels met in a Woburn Forest villa during the OWASP Security Summit 2017. So far, nothing unusual. But little did you know, within the next five days, they would redefine not only mobile application security, but the very fundamentals of book writing itself (ironically, the event took place near Bletchley Park, once the residence and work place of the great Alan Turing).

Or maybe that's going too far. But at least, they produced a proof-of-concept for an unusual security book. The Mobile Application Security Testing Guide (MASTG) is an open, agile, crowd-sourced effort, made of the contributions of dozens of authors and reviewers from all over the world.

Because this isn't a normal security book, the introduction doesn't list impressive facts and data proving importance of mobile devices in this day and age. It also doesn't explain how mobile application security is broken, and why a book like this was sorely needed, and the authors don't thank their beloved ones without whom the book wouldn't have been possible.

We do have a message to our readers however! The first rule of the OWASP Mobile Application Security Testing Guide is: Don't just follow the OWASP Mobile Application Security Testing Guide. True excellence at mobile application security requires a deep understanding of mobile operating systems, coding, network security, cryptography, and a whole lot of other things, many of which we can only touch on briefly in this book. Don't stop at security testing. Write your own apps, compile your own kernels, dissect mobile malware, learn how things tick. And as you keep learning new things, consider contributing to the MASTG yourself! Or, as they say: "Do a pull request".

<img src="Images/summit-team.jpg" width="100%" />
# Foreword

Welcome to the OWASP Mobile Application Security Testing Guide. Feel free to explore the existing content, but do note that it may change at any time. New APIs and best practices are introduced in iOS and Android with every major (and minor) release and also vulnerabilities are found every day.

If you have feedback or suggestions, or want to contribute, create an issue on GitHub or ping us on Slack. See the README for instructions:

<https://www.github.com/OWASP/owasp-mastg/>

**squirrel (noun plural): Any arboreal sciurine rodent of the genus Sciurus, such as S. vulgaris (red squirrel) or S. carolinensis (grey squirrel), having a bushy tail and feeding on nuts, seeds, etc.**

On a beautiful summer day, a group of ~7 young men, a woman, and approximately three squirrels met in a Woburn Forest villa during the OWASP Security Summit 2017. So far, nothing unusual. But little did you know, within the next five days, they would redefine not only mobile application security, but the very fundamentals of book writing itself (ironically, the event took place near Bletchley Park, once the residence and work place of the great Alan Turing).

Or maybe that's going too far. But at least, they produced a proof-of-concept for an unusual security book. The Mobile Application Security Testing Guide (MASTG) is an open, agile, crowd-sourced effort, made of the contributions of dozens of authors and reviewers from all over the world.

Because this isn't a normal security book, the introduction doesn't list impressive facts and data proving importance of mobile devices in this day and age. It also doesn't explain how mobile application security is broken, and why a book like this was sorely needed, and the authors don't thank their beloved ones without whom the book wouldn't have been possible.

We do have a message to our readers however! The first rule of the OWASP Mobile Application Security Testing Guide is: Don't just follow the OWASP Mobile Application Security Testing Guide. True excellence at mobile application security requires a deep understanding of mobile operating systems, coding, network security, cryptography, and a whole lot of other things, many of which we can only touch on briefly in this book. Don't stop at security testing. Write your own apps, compile your own kernels, dissect mobile malware, learn how things tick. And as you keep learning new things, consider contributing to the MASTG yourself! Or, as they say: "Do a pull request".

<img src="Images/summit-team.jpg" width="100%" />
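Review bot: All 19 lines of the file are replaced by visually identical text, which almost always means a line-ending (CRLF/LF) or trailing-whitespace change rather than a content edit; it rewrites `git blame` for the whole file. A `.gitattributes` with `* text=auto` normalises line endings so such diffs do not recur. While the file is being touched, `<img src="Images/summit-team.jpg" width="100%" />` still has no `alt` attribute.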
2 changes: 1 addition & 1 deletion Document/0x02a-Frontispiece.md
@@ -58,7 +58,7 @@ All our Changelogs are available online at the OWASP MASTG GitHub repository, se

Please consult the laws in your country before executing any tests against mobile apps by utilizing the MASTG materials. Refrain from violating the laws with anything described in the MASTG.

Our [Code of Conduct] has further details: <https://github.com/OWASP/owasp-mastg/blob/master/CODE_OF_CONDUCT.md>
Our [Code of Conduct] has further details: <https://github.com/OWASP/owasp-mastg/blob/master/.github/CODE_OF_CONDUCT.md>

OWASP thanks the many authors, reviewers, and editors for their hard work in developing this guide. If you have any comments or suggestions, please connect with us: <https://mas.owasp.org/contact>

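Review bot: The new `.github/CODE_OF_CONDUCT.md` path matches a file moved into `.github/`, but `[Code of Conduct]` without a link definition renders as literal square brackets in Markdown; since the URL is already on the line, `[Code of Conduct](https://github.com/OWASP/owasp-mastg/blob/master/.github/CODE_OF_CONDUCT.md)` would be the cleaner form.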
4 changes: 2 additions & 2 deletions Document/0x02c-Acknowledgements.md
@@ -55,7 +55,7 @@ If you'd like to apply please contact the project leaders by sending an email to
- Advocate Companies may use the logo and links to MASVS/MASTG resources as part of their communication but cannot use them as an endorsement by OWASP as a preferred provider of software and services.
- Example of what's ok: list MAS Advocate status on website home page, in "about company" slides in sales presentations, on sales collateral.
- Example of what's not ok: a MAS Advocate cannot claim they are OWASP certified.
- The quality of the application of the MASVS/MASTG by these companies [has not been vetted by the MAS team](https://mas.owasp.org/MASVS/Intro/04-Assessment_and_Certification/).
- The quality of the application of the MASVS/MASTG by these companies [has not been vetted by the MAS team](https://mas.owasp.org/MASVS/04-Assessment_and_Certification/).

> The OWASP Foundation is very grateful for the support by the individuals and organizations listed. However please note, the OWASP Foundation is strictly vendor neutral and does not endorse any of its supporters. MAS Advocates do not influence the content of the MASVS or MASTG in any way.
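Review bot: The corrected link drops the `Intro/` path segment; this is exactly the kind of moved page the URL checker should flag, so it is worth confirming that mas.owasp.org is not covered by one of the ignore patterns added to `.github/workflows/config/url-checker-config.json` in this same commit.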
@@ -82,7 +82,7 @@ A special mention goes for the **contribution to the MASVS Refactoring**:
- Feedback on each category proposal
- Statistics from internal analysis

In the past, NowSecure has also contributed to the project, has sponsored it becoming a "God Mode Sponsor" and has donated the [UnCrackable App for Android Level 4: Radare2 Pay](0x08b-Reference-Apps.md#android-uncrackable-l4).
In the past, NowSecure has also contributed to the project, has sponsored it becoming a "God Mode Sponsor" and has donated the @MASTG-APP-0015.

Additionally:

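Review bot: The Markdown link to `0x08b-Reference-Apps.md#android-uncrackable-l4` is replaced by the token `@MASTG-APP-0015`, which only becomes a link if a build step expands it; since this commit removes the `Generate Cross-References` step from build-website.yml and the `Process Files` step from docgenerator.yml, confirm both the website and the PDF pipeline still expand such tokens, or the sentence will end in a literal `@MASTG-APP-0015`.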
12 changes: 1 addition & 11 deletions Document/0x03-Overview.md
@@ -6,7 +6,7 @@ New technology always introduces new security risks, and security concerns for m

First, the Project recommends that your mobile app security strategies should be based on the [OWASP Mobile Application Security _Verification Standard_ (MASVS)](https://mas.owasp.org/MASVS/), which defines a mobile app security model and lists generic security requirements for mobile apps. MASVS is designed to be used by architects, developers, testers, security professionals, and consumers to define and understand the qualities of a secure mobile app. After you have determined how OWASP MASVS applies to your mobile app's security model, the Project suggests that you use the [OWASP Mobile Application Security _Testing Guide_ (MASTG)](https://mas.owasp.org/MASTG/). The Testing Guide maps to the same basic set of security requirements offered by the MASVS and depending on the context, they can be used individually or combined to achieve different objectives.

<img src="Images/Chapters/0x03/owasp-mobile-overview.png" alt="image" width="50%" />
<img src="Images/Chapters/0x03/owasp-mobile-overview.png" width="50%" />

For example, the MASVS requirements can be used in an app's planning and architecture design stages while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests during or after development. In the ["Mobile App Security Testing"](0x04b-Mobile-App-Security-Testing.md) chapter we'll describe how you can apply the checklist and MASTG to a mobile app penetration test.

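Review bot: Dropping `alt="image"` removes a useless alt text but leaves the `<img>` with none at all, which screen readers and the PDF fallback handle worse than a descriptive one; a short `alt` such as "OWASP MASVS and MASTG overview" would be a better fix than deletion.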
@@ -32,16 +32,6 @@ Many mobile app penetration testers have a background in network and web app pen

## OWASP MASVS Overview: Key Areas in Mobile Application Security

This overview discusses how the MASVS defines and describes the key areas of mobile security:

- [Data Storage and Privacy](#masvs-storage-data-storage-and-privacy)
- [Cryptography](#masvs-crypto-cryptography)
- [Authentication and Authorization](#masvs-auth-authentication-and-authorization)
- [Network Communication](#masvs-network-network-communication)
- [Interaction with the Mobile Platform](#masvs-platform-interaction-with-the-mobile-platform)
- [Code Quality and Exploit Mitigation](#masvs-code-code-quality-and-exploit-mitigation)
- [Anti-Tampering and Anti-Reversing](#masvs-resilience-anti-tampering-and-anti-reversing)

### MASVS-STORAGE: Data Storage and Privacy

The Standard is based on the principle that protecting sensitive data, such as user credentials and private information, is crucial to mobile security. If an app does not use operating system APIs properly, especially those that handle local storage or inter-process communication (IPC), the app could expose sensitive data to other apps running on the same device or may unintentionally leak data to cloud storage, backups, or the keyboard cache. And since mobile devices are more likely to be or lost or stolen, attackers can actually gain physical access to the device, which would make it easier to retrieve the data.
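Review bot: Typo in the unchanged context line closing the hunk: "more likely to be or lost or stolen" should read "more likely to be lost or stolen"; worth fixing while the file is open. Removing the intro sentence and the anchor list leaves `## OWASP MASVS Overview` immediately followed by `### MASVS-STORAGE`, which reads fine on the website with its page TOC but is abrupt in the PDF; one lead sentence would keep it readable there.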
2 changes: 0 additions & 2 deletions Document/0x04b-Mobile-App-Security-Testing.md
@@ -53,8 +53,6 @@ Automated analysis tools can be used to speed up the review process of Static Ap

Although some static code analysis tools incorporate a lot of information about the rules and semantics required to analyze mobile apps, they may produce many false positives, particularly if they are not configured for the target environment. A security professional must therefore always review the results.

The chapter ["Testing Tools"](0x08a-Testing-Tools.md) includes a list of static analysis tools, which can be found at the end of this book.

### Dynamic Analysis

The focus of DAST is the testing and evaluation of apps via their real-time execution. The main objective of dynamic analysis is finding security vulnerabilities or weak spots in a program while it is running. Dynamic analysis is conducted both at the mobile platform layer and against the backend services and APIs, where the mobile app's request and response patterns can be analyzed.
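Review bot: The deleted sentence was the only pointer from the SAST section to the static analysis tool list; if `0x08a-Testing-Tools.md` is removed or restructured elsewhere in this commit that is fine, but otherwise readers lose the reference, and a pointer to wherever the tool list now lives would be worth keeping.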