From aa259c919b4a528af15a970a9f3e7f3b59d481ba Mon Sep 17 00:00:00 2001
From: Hamed Salimian
Date: Fri, 29 Nov 2024 22:10:24 +0330
Subject: [PATCH 1/6] Create 13.1.3.yaml

Based on requirement 13.1.3, this template checks whether the API URLs expose sensitive Information through query strings.

Signed-off-by: Hamed Salimian
---
 templates/headless/13.1.3.yaml | 44 ++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 templates/headless/13.1.3.yaml

diff --git a/templates/headless/13.1.3.yaml b/templates/headless/13.1.3.yaml
new file mode 100644
index 0000000..afa2976
--- /dev/null
+++ b/templates/headless/13.1.3.yaml
@@ -0,0 +1,44 @@
+id: ASVS-4-0-3-V13-1-3
+
+info:
+ name: ASVS 13.1.3 Check
+ author: Hamed Salimian
+ severity: medium
+ classification:
+ cwe-id: CWE-598
+ reference:
+ - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html
+ - https://github.com/danielmiessler/SecLists/blob/master/Discovery/Variables/secret-keywords.txt
+ - https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/session-id.txt
+ tags: asvs,13.1.3
+ description: |
+ Verify API URLs do not expose sensitive information, such as the API key, session tokens etc.
+
+
+headless:
+ - steps:
+ - args:
+ url: "{{BaseURL}}"
+ action: navigate
+
+ - action: waitload
+
+ - action: script
+ name: urls
+ args:
+ code: |
+ () => {
+ return [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\r\n')
+ }
+
+ extractors:
+ - type: regex
+ part: urls
+ regex:
+ - (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
+
+ matchers:
+ - type: regex
+ part: urls
+ regex:
+ - (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
From 1bdae42e365bb1fc66a4f7a216f8dd3e9d7538fb Mon Sep 17 00:00:00 2001
From: Hamed Salimian
Date: Fri, 29 Nov 2024 22:13:41 +0330
Subject: [PATCH 2/6] Update 13.1.3.yaml

Signed-off-by: Hamed Salimian
---
 templates/headless/13.1.3.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/headless/13.1.3.yaml b/templates/headless/13.1.3.yaml
index afa2976..e4d3bae 100644
--- a/templates/headless/13.1.3.yaml
+++ b/templates/headless/13.1.3.yaml
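Review bot: The extractor and matcher regexes (the last list item under each `regex:`) only fire when the sensitive parameter is the first one in the query string: `[^\s?]+` cannot cross a `?`, so once `(?:\?|&)` has consumed it the very next characters must already be one of the listed names, and a URL such as `https://host/api?page=1&api_key=…` is never matched. The leading `(i?)` is also not an inline flag but an optional literal `i`, so the alternation is case-sensitive; in the RE2 syntax nuclei uses the flag is spelled `(?i)`. A form that tolerates any number of preceding `name=value&` pairs is `(?i)(https?|wss?)://[^\s?]+\?(?:[^\s&]*&)*?(?:session|…|xoxr)=[^&\s]+` (same name list, minus the duplicated `secretkey`), applied to both the extractor and the matcher. Separately, the script step only harvests `src`/`href`/`action` attribute values present in the DOM after load, so requests the page issues from JavaScript (fetch/XHR) are not covered; stating that scope in `description` would keep a finding from being read as a full API-URL audit.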
@@ -36,7 +36,7 @@ headless:
 part: urls
 regex:
 - (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
-
+
 matchers:
 - type: regex
 part: urls
From 79c3f49f09af2a1cf54291eb24611cf22e2679ae Mon Sep 17 00:00:00 2001
From: ghost
Date: Tue, 3 Dec 2024 10:44:50 +0000
Subject: [PATCH 3/6] =?UTF-8?q?chore:=20sign=20templates=20=F0=9F=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 templates/9.1.3.yaml | 2 +-
 templates/code/12.1.1.2.yaml | 3 +--
 templates/headless/13.1.3.yaml | 1 +
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/9.1.3.yaml b/templates/9.1.3.yaml
index 2ca1e88..ffc9be7 100644
--- a/templates/9.1.3.yaml
+++ b/templates/9.1.3.yaml
@@ -45,4 +45,4 @@ ssl:
 - type: json
 json:
 - " .tls_version"
-# digest: 4a0a00473045022065282575a135691de3ce419d2ea546daa99ef87c3fa4742f597f5f081a4b2118022100fbae7e4a55c4493731649f3929a8e1fcd831156092c7e31e0cbc96a76c37d56a:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
+# digest: 4a0a00473045022100e34de4b0d4a4bdd78d15ffb374afdfba154974e9d16af313e53540fd3374d6ee0220624b1167d0a2f31a179503677fc02d1099cded3d831cc475c6b8550a69b63e59:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
diff --git a/templates/code/12.1.1.2.yaml b/templates/code/12.1.1.2.yaml
index 413238d..864ddab 100644
--- a/templates/code/12.1.1.2.yaml
+++ b/templates/code/12.1.1.2.yaml
@@ -56,5 +56,4 @@ http:
 status:
 - 500
 - 503
-
-# digest: 4b0a00483046022100a1a000f9e17a6e0742509f92e5bfc0bff3e4593e92006c1df43768dd84f93a56022100ee377b3ab8e4140a4b89335af54301c3603f629fdb11d7b2bca8f1d93f58342a:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
+# digest: 490a00463044022028a06b48a69139c9fccf8c6eb53a580241f2f1938a086024b52e7a3ca70323f102204a76989a347bb16dbb1d946dfaa0db5bb074cc279cd27f543eec2b4d6c405a51:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
diff --git a/templates/headless/13.1.3.yaml b/templates/headless/13.1.3.yaml
index e4d3bae..955e979 100644
--- a/templates/headless/13.1.3.yaml
+++ b/templates/headless/13.1.3.yaml
@@ -42,3 +42,4 @@ headless:
 part: urls
 regex:
 - (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
+# digest: 4a0a00473045022100d6d5ec0718768bd3b634302eb4661c5f35831427b9d67211949d0df380960688022026d61d1feb506b2d0cc4159cd2bc35cdb5c1cb63e1eee69db6f034bd93157327:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
From 3a0e37deab69d23d4fb9d416073905eb0421f0dc Mon Sep 17 00:00:00 2001
From: Hamed Salimian
Date: Tue, 3 Dec 2024 15:18:03 +0330
Subject: [PATCH 4/6] Update template-sign.yml

Signed-off-by: Hamed Salimian
---
 .github/workflows/template-sign.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/template-sign.yml b/.github/workflows/template-sign.yml
index ceee54d..fb341bb 100644
--- a/.github/workflows/template-sign.yml
+++ b/.github/workflows/template-sign.yml
@@ -14,16 +14,28 @@ jobs: if: github.repository == 'OWASP/www-project-asvs-security-evaluation-templates-with-nuclei' steps: - uses: actions/checkout@v4 + - uses: projectdiscovery/actions/setup/nuclei@v1 - run: nuclei -lfa -duc -sign -ud $GITHUB_WORKSPACE -t . env: NUCLEI_USER_CERTIFICATE: ${{ secrets.NUCLEI_USER_CERTIFICATE }} NUCLEI_USER_PRIVATE_KEY: ${{ secrets.NUCLEI_USER_PRIVATE_KEY }} + + # Set up GPG for automatic commit signing + - name: Set up GPG + run: | + echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import + git config --global user.name "Signing Bot" + git config --global user.email "github-actions@github.com" + git config --global commit.gpgSign true + git config --global user.signingkey ${{ secrets.GPG_KEY_ID }} + - uses: projectdiscovery/actions/setup/git@v1 - uses: projectdiscovery/actions/commit@v1 with: files: '.' message: 'chore: sign templates 🤖' + - name: Push changes run: | git pull origin $GITHUB_REF --rebase
From 944821c909dc745674fa41e71ef88b09597a5f97 Mon Sep 17 00:00:00 2001
From: Hamed Salimian
Date: Tue, 3 Dec 2024 15:20:56 +0330
Subject: [PATCH 5/6] Update 13.1.3.yaml

Signed-off-by: Hamed Salimian
---
 templates/headless/13.1.3.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/templates/headless/13.1.3.yaml b/templates/headless/13.1.3.yaml
index 955e979..e4d3bae 100644
--- a/templates/headless/13.1.3.yaml
+++ b/templates/headless/13.1.3.yaml
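Review bot: The new `Set up GPG` step expands `${{ secrets.GPG_PRIVATE_KEY }}` and `${{ secrets.GPG_KEY_ID }}` straight into the `run:` script, so the key material is substituted into the shell command text before the shell ever runs it, instead of reaching the process through its environment; GitHub's guidance for secrets in `run` steps is to bind them under `env:` and reference them as shell variables, which also keeps quoting or newline characters in the armored key from being interpreted as part of the script. Log masking applies either way, so this is about how the secret travels, not about it appearing in output. The step also runs before `projectdiscovery/actions/setup/git@v1`, which may set its own `user.name`/`user.email` (to be confirmed from that action's source); if the identity used for the commit does not match a UID on the imported key, commits will be signed but not show as verified, and a one-line comment recording that `user.email` must match the key's UID would spare the next maintainer that hunt. The `Push changes` step's `run` block continues outside the hunk.
```yaml
      - name: Set up GPG
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
        run: |
          echo "$GPG_PRIVATE_KEY" | gpg --batch --import
          # … unchanged: user.name / user.email / commit.gpgSign config …
          git config --global user.signingkey "$GPG_KEY_ID"
```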
@@ -42,4 +42,3 @@ headless:
 part: urls
 regex:
 - (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
-# digest: 4a0a00473045022100d6d5ec0718768bd3b634302eb4661c5f35831427b9d67211949d0df380960688022026d61d1feb506b2d0cc4159cd2bc35cdb5c1cb63e1eee69db6f034bd93157327:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
From 7cace6f53f621ea015a1fc023fd0bed86d768151 Mon Sep 17 00:00:00 2001
From: ghost
Date: Tue, 3 Dec 2024 11:52:10 +0000
Subject: [PATCH 6/6] =?UTF-8?q?chore:=20sign=20templates=20=F0=9F=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 templates/9.1.3.yaml | 2 +-
 templates/headless/13.1.3.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/templates/9.1.3.yaml b/templates/9.1.3.yaml
index ffc9be7..a71233a 100644
--- a/templates/9.1.3.yaml
+++ b/templates/9.1.3.yaml
@@ -45,4 +45,4 @@ ssl:
 - type: json
 json:
 - " .tls_version"
-# digest: 4a0a00473045022100e34de4b0d4a4bdd78d15ffb374afdfba154974e9d16af313e53540fd3374d6ee0220624b1167d0a2f31a179503677fc02d1099cded3d831cc475c6b8550a69b63e59:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
+# digest: 4b0a00483046022100ad668aabd5f22ba949265c214a22dd6393fc9d65118f5551704be20c9791b4fa022100a7d26f7b256f003b8db0d8794e22f7e63f051f5674b5ff4ed8a01b6cfa8787e3:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
diff --git a/templates/headless/13.1.3.yaml b/templates/headless/13.1.3.yaml
index e4d3bae..3628c98 100644
--- a/templates/headless/13.1.3.yaml
+++ b/templates/headless/13.1.3.yaml
@@ -42,3 +42,4 @@ headless:
 part: urls
 regex:
 - (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
+# digest: 4a0a0047304502200bb9a7013c8b23ed6d393454ecc8d3490da0969a5941940b992a0d840a4ec6de022100a2ff4b3d7ae8fd710402c65a53e16516fa5b41e02b7655cb678965104a89d3b3:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file