OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

[TOOL] NoPE Proxy #2844

Open sk3l10x1ng opened 1 month ago

sk3l10x1ng commented 1 month ago

NoPE Proxy serves as a Burp Suite Extension designed for proxying Non-HTTP Traffic.

Link: https://github.com/summitt/Nope-Proxy

sk3l10x1ng commented 1 month ago

@cpholguera please assign to me. Will work on it.

cpholguera commented 1 month ago

It's assigned to you now. We also have the corresponding weakness that is still to be completed. Would you like to work on that one at the same time?

https://mas.owasp.org/MASWE/MASVS-NETWORK/MASWE-0048/
https://github.com/OWASP/owasp-mastg/issues/2688

Ideally we'd

  1. Define the weakness MASWE-0048
  2. Create the new technique (MASTG-TECH-XXXX)
  3. Create one test (MASTG-TEST-02XX) referring to the new technique (MASTG-TECH-XXXX).
  4. Create one demo (MASTG-DEMO-XXXX) for that test using this tool NoPE Proxy (MASTG-TOOL-XXX).

We have some minimal content that could be used to create the technique: https://mas.owasp.org/MASTG/0x04f-Testing-Network-Communication/#intercepting-non-http-traffic

Our V1 tests for Android and iOS have a paragraph about this:

Interception proxies like Burp and OWASP ZAP will show HTTP(S) traffic only. You can, however, use a Burp plugin such as Burp-non-HTTP-Extension or the tool mitm-relay to decode and visualize communication via XMPP and other protocols.