Closed sushi2k closed 6 years ago
This is probably the list of culprits:
```
grep -roi "(https://[^)]*(.*)" ./ [15:46:12]
.//Document/0x05i-Testing-Code-Quality-and-Build-Settings.md:(https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=18581047 "Exceptional Behavior (ERR)")
.//Document/0x04e-Testing-Authentication-and-Session-Management.md:(https://www.owasp.org/index.php/Testing_for_Bypassing_Authentication_Schema_%27OTG-AUTHN-004%29 "Testing for Bypassing Authentication Schema (OTG-AUTHN-004)")
.//Document/0x04e-Testing-Authentication-and-Session-Management.md:(https://msdn.microsoft.com/en-us/library/system.web.sessionstate.httpsessionstate.timeout(v=vs.110).aspx)
.//Document/0x04e-Testing-Authentication-and-Session-Management.md:(https://www.owasp.org/index.php/Testing_for_Session_Management "OWASP Testing Guide V4 (Testing for Session Management)")
.//Document/0x04e-Testing-Authentication-and-Session-Management.md:(https://www.owasp.org/index.php/JSON_Web_Token_\(JWT\)_Cheat_Sheet_for_Java)
.//Document/0x04e-Testing-Authentication-and-Session-Management.md:(https://www.owasp.org/index.php/JSON_Web_Token_(JWT)_Cheat_Sheet_for_Java "OWASP JWT Cheat Sheet")
.//Document/0x04e-Testing-Authentication-and-Session-Management.md:(https://tools.ietf.org/html/rfc6749 "RFC6749: The OAuth 2.0 Authorization Framework (October 2012)")
.//Document/0x04e-Testing-Authentication-and-Session-Management.md:(https://tools.ietf.org/html/draft-ietf-oauth-native-apps-12 "draft_ietf-oauth-native-apps-12: OAuth 2.0 for Native Apps (June 2017)")
.//Document/0x04e-Testing-Authentication-and-Session-Management.md:(https://tools.ietf.org/html/rfc6819 "RFC6819: OAuth 2.0 Threat Model and Security Considerations (January 2013)")
.//Document/0x06e-Testing-Cryptography.md:(https://developer.apple.com/reference/security/1399291-secrandomcopybytes "SecRandomCopyBytes (Swift)")
.//Document/0x06e-Testing-Cryptography.md:(https://developer.apple.com/reference/security/1399291-secrandomcopybytes?language=objc "SecRandomCopyBytes (Objective-C)")
.//Document/0x04h-Testing-Code-Quality.md:(https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) attack, and cause a denial-of-service condition. The OWASP web testing guide contains the [following example for XXE](https://www.owasp.org/index.php/Testing_for_XML_Injection_(OTG-INPVAL-008))
.//Document/0x04h-Testing-Code-Quality.md:(https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet "OWASP XSS Prevention Cheat Sheet")
.//Document/0x04h-Testing-Code-Quality.md:(https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)) refers to an exploit where malicious code is injected via a malicious link. To test for these attacks, automated input fuzzing is considered to be an effective method. For example, the [BURP Scanner](https://portswigger.net/burp/)
.//Document/0x04g-Testing-Cryptography.md:(https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_Codebook_.28ECB.29 "Electronic Codebook (ECB)")
.//Document/0x06h-Testing-Platform-Interaction.md:(https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting\)\_Prevention_Cheat_Sheet "XSS (Cross Site Scripting) Prevention Cheat Sheet")
.//Document/0x06b-Basic-Security-Testing.md:(https://github.com/MobSF/Mobile-Security-Framework-MobSF "Mobile Security Framework (MobSF)") and [Needle](https://github.com/mwrlabs/needle "Needle")
.//Document/0x06b-Basic-Security-Testing.md:(https://www.eff.org/files/colour_map_of_CAs.pdf "Map of the 650-odd organizations that function as Certificate Authorities trusted (directly or indirectly) by Mozilla or Microsoft")
.//Document/0x05h-Testing-Platform-Interaction.md:(https://developer.android.com/reference/android/content/Intent.html#toUri%28int%29 "Intent.toUri()")
.//Document/0x05h-Testing-Platform-Interaction.md:(https://developer.android.com/reference/android/content/Context.html#sendBroadcast(android.content.Intent\ "SendBroadcast")). You can also set an explicit application package name that limits the components this Intent will resolve to. If left as the default value (null)
.//Document/0x05h-Testing-Platform-Interaction.md:(https://developer.android.com/reference/android/webkit/WebSettings.html#setJavaScriptEnabled(boolean\) "setJavaScriptEnabled in WebViews")
.//Document/0x05h-Testing-Platform-Interaction.md:(https://developer.android.com/reference/android/webkit/WebView.html#clearCache(boolean\) "clearCache() in WebViews")
.//Document/0x05h-Testing-Platform-Interaction.md:(https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002\) "Stored Cross-Site Scripting")
.//Document/0x05h-Testing-Platform-Interaction.md:(https://developer.android.com/reference/android/webkit/WebView.html#loadUrl(java.lang.String\) "loadURL() in WebView")
.//Document/0x05h-Testing-Platform-Interaction.md:(https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29 "Method addJavascriptInterface()")
.//Document/0x05h-Testing-Platform-Interaction.md:(https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614 "DRD13 addJavascriptInterface()")
.//Document-ru/0x06e-Testing-Cryptography.md:(https://developer.apple.com/reference/security/1399291-secrandomcopybytes "SecRandomCopyBytes (Swift)")
.//Document-ru/0x06e-Testing-Cryptography.md:(https://developer.apple.com/reference/security/1399291-secrandomcopybytes?language=objc "SecRandomCopyBytes (Objective-C)")
.//Document-ru/0x06h-Testing-Platform-Interaction.md:(https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting\)\_Prevention_Cheat_Sheet "XSS (Cross Site Scripting) Prevention Cheat Sheet")
.//Document-ru/0x06b-Basic-Security-Testing.md:(https://github.com/MobSF/Mobile-Security-Framework-MobSF "Система мобильной безопасности (MobSF)") и [Needle] (https://github.com/mwrlabs/needle "Needle")
.//Document-ru/0x06b-Basic-Security-Testing.md:(https://www.eff.org/files/colour_map_of_CAs.pdf "Map of the 650-odd organizations that function as Certificate Authorities trusted (directly or indirectly) by Mozilla or Microsoft")
```
Which link shortener should we use?
I was using goo.gl, but it's EOL soon. Do you know any other?
The items you found with grep sometimes have brackets in the description of the URL. It seems the URLs that need to be fixed are much fewer and are usually links to the Android dev documentation.
Yes, it was just an initial cursory grep :). The parentheses in titles apparently don't cause issues, so that's good. I'll update them with goo.gl, but probably best to accept #982 first, as this will most likely give conflicts.
I am not very sure whether we should use goo.gl here, unless we can make it public? Because I'd rather make sure that the target of the shortlink is really the intended URL... otherwise we might allow for weird issues (not the first time that a shortlink served malware...)
What do you mean with making them public? While I wasn't aware that they would be coupled to my Google account, the analytics are public: https://goo.gl/#analytics/goo.gl/4vdSQM/all_time
It's also not possible to change the target URL of goo.gl URLs.
I know it is not possible to change the target URL. What I meant is the following:
As long as it is clear for anyone what the actual url will be and how to see that, then I am fine 👍
But shouldn't URLs be checked during the review process?
You'll have the same issue with any URL shortener, and at least for this one, we know they can't change.
I guess we can now close this issue, right? Or are there any URLs left?
Agreed on using this shortener :). Thanks a lot!
Some URLs in Markdown are not shown properly in Gitbook, due to the usage of special characters in the URL, especially due to brackets.
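The rendering problem this issue describes, as an added example that is not part of the thread or of the MSTG repository: a small Python checker that walks inline Markdown links the CommonMark way (balanced parentheses allowed inside the URL, optional quoted title after it) and percent-encodes any bare or backslash-escaped parenthesis in the URL, the same `%28`/`%29` form some of the grep hits above already use, so a renderer that stops at the first `)` can no longer cut the link short. The sample Markdown is constructed for this example; the function names are this example's own.

```python
import re
SAMPLE = (  # constructed sample modelled on the thread's grep hits, not the MSTG sources
    'Use [Intent.toUri()](https://developer.android.com/reference/android/content/Intent.html#toUri(int) "Intent.toUri()") here.\n'
    'See the [JWT Cheat Sheet](https://www.owasp.org/index.php/JSON_Web_Token_\\(JWT\\)_Cheat_Sheet_for_Java).\n'
    'Fine: [toUri](https://developer.android.com/reference/android/content/Intent.html#toUri%28int%29 "toUri (encoded)").\n'
)

LINK_OPEN = re.compile(r'\[[^\]]*\]\(')  # "[text](" opening an inline link
RAW_PAREN = re.compile(r'\\?[()]')      # bare or backslash-escaped parenthesis

def scan_url(text, start):
    """End index of the URL: first top-level whitespace (title follows) or the unbalanced ')'."""
    i, depth = start, 0
    while i < len(text):
        c = text[i]
        if c == '(':
            depth += 1
        elif c == ')' and depth > 0:
            depth -= 1
        elif c == ')' or (c.isspace() and depth == 0):
            break
        i += 2 if c == '\\' else 1    # a backslash escapes the next character
    return i

def link_close(text, url_end):
    """Index of the ')' closing the link, skipping an optional "quoted title"."""
    j = url_end
    while j < len(text) and text[j].isspace():
        j += 1
    if j < len(text) and text[j] == '"':
        j = text.index('"', j + 1) + 1
    return text.index(')', j)

def fix_parens(url):
    # percent-encode every parenthesis so no renderer can end the link early
    return RAW_PAREN.sub(lambda m: '%28' if m.group().endswith('(') else '%29', url)

def fix_markdown(text):
    """Rewrite offending link URLs; return (fixed_text, original_offending_urls)."""
    out, offending, pos = [], [], 0
    while (m := LINK_OPEN.search(text, pos)):
        url_start, url_end = m.end(), scan_url(text, m.end())
        close, url = link_close(text, url_end), text[url_start:url_end]
        if RAW_PAREN.search(url):
            offending.append(url)
            url = fix_parens(url)
        out.append(text[pos:url_start] + url + text[url_end:close + 1])
        pos = close + 1
    out.append(text[pos:])
    return ''.join(out), offending
```

Titles are left untouched because, as noted above, parentheses inside the quoted title do not break the link; only the URL part is rewritten.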