[pull] master from OWASP:master #50
Open
+16,536
−3,803
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![pull[bot]](https://avatars.githubusercontent.com/in/12910?s=60&v=4){kind=small}
updated ssl-kill-switch from v2 to v3 (by @appknox)
* fix ios patching technique
Updated copyright from 2023 to 2024 to match ongoing year.
* add codesign * add spellcheck for PR only * excluding problematic file
* fix links
* rm link processing * fix rest of broken md links in apps, tests, tech and tools
…d 0x06d-Testing-Data-Storage (#2570) * Added Realm Database Intercept - Android * Added Realm Database Intercept - iOS * Apply suggestions from code review --------- Co-authored-by: Rezkon <[email protected]> Co-authored-by: Carlos Holguera <[email protected]> Co-authored-by: Sven <[email protected]>
* added tool - ios-app-signer * Apply suggestions from code review --------- Co-authored-by: Carlos Holguera <[email protected]>
* Update broken links * Apply suggestions from code review * fix URL checker errors * fix URL checker errors --------- Co-authored-by: Carlos Holguera <[email protected]>
Co-authored-by: pancake <[email protected]>
* update demos * update gitignore * update reversed file names
… SecureRandom (MASTG-TEST-0016) To be specific in the test documentation it would be better to provide a unique clear guideline instead of a suggestion. Instead of preferring a constructor, make it the best and only option to be compliant. During the review, it has also been updated the MSC02-J link from the legacy domain `www.securecoding.cert.org` to the one it redirects to: `wiki.sei.cmu.edu`. Note: the revision has been discussed and supported during the review of the Mobile App Profile security document hosted by the Linux Foundation's App Defense Alliance.
Enhance crypto security allowing only the no-arguments constructor of SecureRandom (MASTG-TEST-0016)
Fixed an issue where the different mobile app types were all on a single line. A list has been added to display the different types of apps.
Add the vulnerable Android app "Finstergram"
…ble. (#2630) Added permissions: - android.permission.PROVIDE_DEFAULT_ENABLED_CREDENTIAL_SERVICE - android.permission.PROVIDE_REMOTE_CREDENTIALS - android.permission.MANAGE_ONGOING_CALLS - android.permission.READ_RESTRICTED_STATS - android.permission.BIND_AUTOFILL_SERVICE - android.permission.MANAGE_EXTERNAL_STORAGE - android.permission.ACCESS_BLOBS_ACROSS_USERS - android.permission.BLUETOOTH_ADVERTISE - android.permission.READ_MEDIA_AUDIO - android.permission.READ_MEDIA_IMAGES - android.permission.READ_MEDIA_VIDEO - android.permission.READ_PRECISE_PHONE_STATE - android.permission.LOG_FOREGROUND_RESOURCE_USE - android.permission.MANAGE_DEFAULT_APPLICATIONS - android.permission.MANAGE_FACE Co-authored-by: Olivier <[email protected]>
Update 0x04a-Mobile-App-Taxonomy.md
* add hooks to replace code files placeholders with code snippets and to prefix components with their type in the titles e.g. Test or Demo. * minor fixes to existing demos to fix missing file references. * fix replace snippets hook
* fix mappings, fix consistency in test and risk sections * fix spelling * add Identifying Security-Relevant Contexts in Code to 4b for now and fix broken links
* Port a static test * Add a deprecation note * fix IDs and titles * Refine logging API test content for clarity and accuracy --------- Co-authored-by: Carlos Holguera <[email protected]>
* Add MASTG-TEST-0231 for weak encryption modes in Android * fix typo * fix ID * Update tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0231.md * Apply suggestions from code review Co-authored-by: Copilot <[email protected]> * Update tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0231.md --------- Co-authored-by: Copilot <[email protected]>
Update MASTG-TEST-0221.md evaluation
* Rename and update mitigations using IDs and add index * Update mitigations to tests metadata * Add support for mitigations in cross-references and metadata generation * Add mitigations section to documentation and update navigation * Remove remediation section from MASTG-TEST-0204.md
* Port MASTG test 0019 * Fix markdown * Review feedback * Add Frida to trace traffic * Apply suggestions from code review * Refine MASTG-TEST-0x19-1.md for clarity on hardcoded HTTP URLs and their usage * Update covered_by references in MASTG-TEST-0019.md to reflect new test cases * Rename MASTG-TEST-0x19 test cases to MASTG-TEST-0233 through MASTG-TEST-0239 * update IDs * Update MASTG-TEST-0233 to modify title, improve evaluation and add related test references * Update MASTG-TEST-0239 note to clarify potential support for multiple weaknesses * Add --- at end of files for MASTG-TEST-0237, MASTG-TEST-0238, and MASTG-TEST-0239 * rm bare URL --------- Co-authored-by: Carlos Holguera <[email protected]>
* Added tool Apkleaks * fix lint * updated changes * updated tool ID * Update techniques/android/MASTG-TECH-0022.md * Update tools/android/MASTG-TOOL-0125.md --------- Co-authored-by: Appknox <[email protected]> Co-authored-by: Carlos Holguera <[email protected]>
Fixed link to Objective C Runtime documentation
Added 14 permissions: android.permission.THREAD_NETWORK_PRIVILEGED android.permission.RECORD_SENSITIVE_CONTENT android.permission.RECEIVE_SENSITIVE_NOTIFICATIONS android.permission.WRITE_VERIFICATION_STATE_E2EE_CONTACT_KEYS android.permission.READ_DROPBOX_DATA android.permission.WRITE_FLAGS android.permission.REPORT_USAGE_STATS android.permission.MANAGE_DISPLAYS android.permission.RESTRICT_DISPLAY_MODES android.permission.ACCESS_HIDDEN_PROFILES_FULL android.permission.GET_BACKGROUND_INSTALLED_PACKAGES android.permission.REGISTER_NSD_OFFLOAD_ENGINE android.permission.ACCESS_LAST_KNOWN_CELL_ID android.permission.USE_COMPANION_TRANSPORTS
* Update MASTG-TOOL-0056.md Updated keychain_dumper to be usable on rootless jb * Fix linting and url * Update tools/ios/MASTG-TOOL-0056.md --------- Co-authored-by: Carlos Holguera <[email protected]>
* Add deprecation notes for MASTG-TESTs * Add deprecated status to theme and extra sections in mkdocs.yml * Add support for 'deprecated' status in tags for markdown pages * Add status for tests in dynamic tables * Add draft banner for MASTG v2 tests and deprecated banner for MASTG v1 tests
* updated patching IPAs * update lint error * updated ID for fastlane * Extracted Sideloadly to a separate tool and restructured a bit * Fix linting * Reviewed fastlane and moved httptoolkit to different tool nr * Move files around * Fix linting * Fix tool collision * Fix broken link * Fix link * Update MASTG-TECH-0079: Change title and enhance instructions for obtaining a developer provisioning profile * Update MASTG-TECH-0090 and MASTG-TECH-0091: Revise titles and enhance instructions for injecting Frida Gadget and libraries into IPA files * Update MASTG-TECH-0092: Revise title and enhance instructions for repackaging and re-signing IPA files using Fastlane * fix IDs * Add MASTG-TECH-0119: Launching a repackaged app in debug mode * Update MASTG-TECH-0055: Replace previous title and redundant content. Fix IDs * Update MASTG-TECH-0090, MASTG-TECH-0091, and MASTG-TECH-0092: Enhance instructions for injecting Frida Gadget and streamline the installation process --------- Co-authored-by: Sven Schleier <[email protected]> Co-authored-by: Jeroen Beckers <[email protected]> Co-authored-by: Carlos Holguera <[email protected]>
* Update index.md * add r2con
…-0052 (#2919) * Add overview, impact, modes of introduction, and mitigations * inital drafts * Apply suggestions from code review Co-authored-by: Jeroen Beckers <[email protected]> * Apply suggestions from code review Co-authored-by: Sven <[email protected]> Co-authored-by: Copilot <[email protected]> Co-authored-by: Jeroen Beckers <[email protected]> * Update weaknesses/MASVS-NETWORK/MASWE-0047.md * Update weaknesses/MASVS-NETWORK/MASWE-0047.md * Refactor MASWE-0048: Update title and description for Insecure Machine-to-Machine Communication; remove content and enhance draft data * Refactor MASWE-0047, MASWE-0049, MASWE-0051 and MASWE-0052: Remove draft sections and update status to new * Refactor MASWE-0050: Update modes of introduction and mitigations for cleartext traffic; merge Platform-provided Settings (global and per-domain), incorporate non-http and remove pinning mitigation * Apply suggestions from code review * Update weaknesses/MASVS-NETWORK/MASWE-0051.md --------- Co-authored-by: Jeroen Beckers <[email protected]> Co-authored-by: Sven <[email protected]> Co-authored-by: Copilot <[email protected]>
* Reverse Engineer Flutter Technique
Hi, My name is Sabina, and I am part of the research team at Datafarm. We have recently developed a tool called Blutter, designed to reverse engineer Flutter mobile application. We believe this tool could be highly beneficial to the cybersecurity community and are excited about the possibility of sharing it through OWASP's page.
To facilitate this, I would like to propose adding a technique document about our tool to your GitHub repository. This document would include:
-A detailed description of Blutter
-Its key features and use cases
If there is any additional information or clarification we can provide about Blutter, or if there are any specific features or improvements you believe would enhance its functionality for your community or organization, please feel free to contact us.
* Update and rename MASTG-TECH-0111.md to MASTG-TECH-0112.md
* Update MASTG-TECH-0112.md
* Update techniques/android/MASTG-TECH-0112.md
Co-authored-by: Carlos Holguera <[email protected]>
* Update techniques/android/MASTG-TECH-0112.md
Co-authored-by: Carlos Holguera <[email protected]>
* Update techniques/android/MASTG-TECH-0112.md
Co-authored-by: Carlos Holguera <[email protected]>
* Update techniques/android/MASTG-TECH-0112.md
Co-authored-by: Carlos Holguera <[email protected]>
* Update techniques/android/MASTG-TECH-0112.md
Co-authored-by: Carlos Holguera <[email protected]>
* Explain code block.
* Update techniques/android/MASTG-TECH-0112.md
* Update techniques/android/MASTG-TECH-0112.md
---------
Co-authored-by: Jeroen Beckers <[email protected]>
Co-authored-by: Carlos Holguera <[email protected]>
Removed 2nd step because was wrong.
* Update MASTG-TOOL-0064.md * Typo * Apply suggestions from code review Co-authored-by: pruDhv! <[email protected]> * Update tools/ios/MASTG-TOOL-0064.md --------- Co-authored-by: Carlos Holguera <[email protected]> Co-authored-by: pruDhv! <[email protected]>
* port mastg test 0088 * deprecation note * updated id * added Demo * fix * fix space * fix spell * refactor jailbreak detection to return detailed status and proof * Apply suggestions from code review Co-authored-by: Jeroen Beckers <[email protected]> * fix: correct filename in jailbreak detection script * refactor: update title and instructions for jailbreak detection demo * refactor: update jailbreak detection test descriptions and add new dynamic analysis test * fix: correct evaluation criteria for jailbreak detection test * Update tests/ios/MASVS-RESILIENCE/MASTG-TEST-0088.md * feat: mark jailbreak detection tests as prone to false negatives * Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x88.md Co-authored-by: Jeroen Beckers <[email protected]> * Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x89.md Co-authored-by: Jeroen Beckers <[email protected]> * Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x89.md * Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x88.md Co-authored-by: Jeroen Beckers <[email protected]> * Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x89.md Co-authored-by: Jeroen Beckers <[email protected]> * Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x89.md Co-authored-by: Jeroen Beckers <[email protected]> * updated changes * updated demo app, output.asm & r2 script * update test IDs * update demo ID --------- Co-authored-by: Carlos Holguera <[email protected]> Co-authored-by: Jeroen Beckers <[email protected]>
* Mark MASTG-TEST-0016 as covered by v2 * Add documentation refs * Apply suggestions from code review Reviewer suggestions Co-authored-by: Carlos Holguera <[email protected]> * Complemented analysis and mitigations * Add links to mitigations * Apply suggestions from code review Co-authored-by: Jeroen Beckers <[email protected]> --------- Co-authored-by: Carlos Holguera <[email protected]> Co-authored-by: Jeroen Beckers <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )