Create 13.1.3.yaml

Based on requirement 13.1.3, this template checks whether the API URLs expose sensitive Information through query strings. Signed-off-by: Hamed Salimian <[email protected]>
OWASP · Nov 29, 2024 · aa259c9 · aa259c9
1 parent bfb221d
commit aa259c9
Showing 1 changed file with 44 additions and 0 deletions.
diff --git a/templates/headless/13.1.3.yaml b/templates/headless/13.1.3.yaml
@@ -0,0 +1,44 @@
+id: ASVS-4-0-3-V13-1-3
+
+info:
+  name: ASVS 13.1.3 Check
+  author: Hamed Salimian
+  severity: medium
+  classification:
+    cwe-id: CWE-598
+  reference:
+    - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html
+    - https://github.com/danielmiessler/SecLists/blob/master/Discovery/Variables/secret-keywords.txt
+    - https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/session-id.txt
+  tags: asvs,13.1.3
+  description: |
+    Verify API URLs do not expose sensitive information, such as the API key, session tokens etc.
+
+
+headless:
+  - steps:
+      - args:
+          url: "{{BaseURL}}"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: urls
+        args:
+          code: |
+            () => {
+             return [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\r\n')
+            }
+
+    extractors:
+      - type: regex
+        part: urls
+        regex:
+          - (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
+
+    matchers:
+      - type: regex
+        part: urls
+        regex:
+          - (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+