OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

[Feature] JSON format #376

Closed hazcod closed 3 years ago

hazcod commented 4 years ago

Hi, I think it would be awesome if we could compile all WSTGs into a JSON format as part of the CI/CD chain, e.g. https://github.com/bugcrowd/HUNT/blob/master/Burp/conf/owasptg.json

kingthorin commented 4 years ago

Something like:

Generated JSON Example:

```json
[
  {"type": "category", "name": "01-Information_Gathering", "contents": [
    {"type": "test", "name": "01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage.md"},
    {"type": "test", "name": "02-Fingerprint_Web_Server.md"},
    {"type": "test", "name": "03-Review_Webserver_Metafiles_for_Information_Leakage.md"},
    {"type": "test", "name": "04-Enumerate_Applications_on_Webserver.md"},
    {"type": "test", "name": "05-Review_Webpage_Comments_and_Metadata_for_Information_Leakage.md"},
    {"type": "test", "name": "06-Identify_Application_Entry_Points.md"},
    {"type": "test", "name": "07-Map_Execution_Paths_Through_Application.md"},
    {"type": "test", "name": "08-Fingerprint_Web_Application_Framework.md"},
    {"type": "test", "name": "09-Fingerprint_Web_Application.md"},
    {"type": "test", "name": "10-Map_Application_Architecture.md"}
  ]},
  {"type": "category", "name": "02-Configuration_and_Deployment_Management_Testing", "contents": [
    {"type": "test", "name": "01-Test_Network_Infrastructure_Configuration.md"},
    {"type": "test", "name": "02-Test_Application_Platform_Configuration.md"},
    {"type": "test", "name": "03-Test_File_Extensions_Handling_for_Sensitive_Information.md"},
    {"type": "test", "name": "04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.md"},
    {"type": "test", "name": "05-Enumerate_Infrastructure_and_Application_Admin_Interfaces.md"},
    {"type": "test", "name": "06-Test_HTTP_Methods.md"},
    {"type": "test", "name": "07-Test_HTTP_Strict_Transport_Security.md"},
    {"type": "test", "name": "08-Test_RIA_Cross_Domain_Policy.md"},
    {"type": "test", "name": "09-Test_File_Permission.md"},
    {"type": "test", "name": "10-Test_for_Subdomain_Takeover.md"},
    {"type": "test", "name": "11-Test_Cloud_Storage.md"}
  ]},
  {"type": "category", "name": "03-Identity_Management_Testing", "contents": [
    {"type": "test", "name": "01-Test_Role_Definitions.md"},
    {"type": "test", "name": "02-Test_User_Registration_Process.md"},
    {"type": "test", "name": "03-Test_Account_Provisioning_Process.md"},
    {"type": "test", "name": "04-Testing_for_Account_Enumeration_and_Guessable_User_Account.md"},
    {"type": "test", "name": "05-Testing_for_Weak_or_Unenforced_Username_Policy.md"}
  ]},
  {"type": "category", "name": "04-Authentication_Testing", "contents": [
    {"type": "test", "name": "01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel.md"},
    {"type": "test", "name": "02-Testing_for_Default_Credentials.md"},
    {"type": "test", "name": "03-Testing_for_Weak_Lock_Out_Mechanism.md"},
    {"type": "test", "name": "04-Testing_for_Bypassing_Authentication_Schema.md"},
    {"type": "test", "name": "05-Testing_for_Vulnerable_Remember_Password.md"},
    {"type": "test", "name": "06-Testing_for_Browser_Cache_Weaknesses.md"},
    {"type": "test", "name": "07-Testing_for_Weak_Password_Policy.md"},
    {"type": "test", "name": "08-Testing_for_Weak_Security_Question_Answer.md"},
    {"type": "test", "name": "09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md"},
    {"type": "test", "name": "10-Testing_for_Weaker_Authentication_in_Alternative_Channel.md"}
  ]},
  {"type": "category", "name": "05-Authorization_Testing", "contents": [
    {"type": "test", "name": "01-Testing_Directory_Traversal_File_Include.md"},
    {"type": "test", "name": "02-Testing_for_Bypassing_Authorization_Schema.md"},
    {"type": "test", "name": "03-Testing_for_Privilege_Escalation.md"},
    {"type": "test", "name": "04-Testing_for_Insecure_Direct_Object_References.md"}
  ]},
  {"type": "category", "name": "06-Session_Management_Testing", "contents": [
    {"type": "test", "name": "01-Testing_for_Session_Management_Schema.md"},
    {"type": "test", "name": "02-Testing_for_Cookies_Attributes.md"},
    {"type": "test", "name": "03-Testing_for_Session_Fixation.md"},
    {"type": "test", "name": "04-Testing_for_Exposed_Session_Variables.md"},
    {"type": "test", "name": "05-Testing_for_Cross_Site_Request_Forgery.md"},
    {"type": "test", "name": "06-Testing_for_Logout_Functionality.md"},
    {"type": "test", "name": "07-Testing_Session_Timeout.md"},
    {"type": "test", "name": "08-Testing_for_Session_Puzzling.md"}
  ]},
  {"type": "category", "name": "07-Input_Validation_Testing", "contents": [
    {"type": "test", "name": "01-Testing_for_Reflected_Cross_Site_Scripting.md"},
    {"type": "test", "name": "02-Testing_for_Stored_Cross_Site_Scripting.md"},
    {"type": "test", "name": "03-Testing_for_HTTP_Verb_Tampering.md"},
    {"type": "test", "name": "04-Testing_for_HTTP_Parameter_Pollution.md"},
    {"type": "test", "name": "05.1-Testing_for_Oracle.md"},
    {"type": "test", "name": "05.2-Testing_for_MySQL.md"},
    {"type": "test", "name": "05.3-Testing_for_SQL_Server.md"},
    {"type": "test", "name": "05.4-Testing_PostgreSQL.md"},
    {"type": "test", "name": "05.5-Testing_for_MS_Access.md"},
    {"type": "test", "name": "05.6-Testing_for_NoSQL_Injection.md"},
    {"type": "test", "name": "05.7-Testing_for_ORM_Injection.md"},
    {"type": "test", "name": "05.8-Testing_for_Client_Side.md"},
    {"type": "test", "name": "05-Testing_for_SQL_Injection.md"},
    {"type": "test", "name": "06-Testing_for_LDAP_Injection.md"},
    {"type": "test", "name": "07-Testing_for_XML_Injection.md"},
    {"type": "test", "name": "08-Testing_for_SSI_Injection.md"},
    {"type": "test", "name": "09-Testing_for_XPath_Injection.md"},
    {"type": "test", "name": "10-Testing_for_IMAP_SMTP_Injection.md"},
    {"type": "test", "name": "11.1-Testing_for_Local_File_Inclusion.md"},
    {"type": "test", "name": "11.2-Testing_for_Remote_File_Inclusion.md"},
    {"type": "test", "name": "11-Testing_for_Code_Injection.md"},
    {"type": "test", "name": "12-Testing_for_Command_Injection.md"},
    {"type": "test", "name": "13.1-Testing_for_Heap_Overflow.md"},
    {"type": "test", "name": "13.2-Testing_for_Stack_Overflow.md"},
    {"type": "test", "name": "13.3-Testing_for_Format_String.md"},
    {"type": "test", "name": "13-Testing_for_Buffer_Overflow.md"},
    {"type": "test", "name": "14-Testing_for_Incubated_Vulnerability.md"},
    {"type": "test", "name": "15-Testing_for_HTTP_Splitting_Smuggling.md"},
    {"type": "test", "name": "16-Testing_for_HTTP_Incoming_Requests.md"},
    {"type": "test", "name": "17-Testing_for_Host_Header_Injection.md"},
    {"type": "test", "name": "18-Testing_for_Server_Side_Template_Injection.md"}
  ]},
  {"type": "category", "name": "08-Testing_for_Error_Handling", "contents": [
    {"type": "test", "name": "01-Testing_for_Error_Code.md"},
    {"type": "test", "name": "02-Testing_for_Stack_Traces.md"}
  ]},
  {"type": "category", "name": "09-Testing_for_Weak_Cryptography", "contents": [
    {"type": "test", "name": "01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.md"},
    {"type": "test", "name": "02-Testing_for_Padding_Oracle.md"},
    {"type": "test", "name": "03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels.md"},
    {"type": "test", "name": "04-Testing_for_Weak_Encryption.md"}
  ]},
  {"type": "category", "name": "10-Business_Logic_Testing", "contents": [
    {"type": "test", "name": "01-Test_Business_Logic_Data_Validation.md"},
    {"type": "test", "name": "02-Test_Ability_to_Forge_Requests.md"},
    {"type": "test", "name": "03-Test_Integrity_Checks.md"},
    {"type": "test", "name": "04-Test_for_Process_Timing.md"},
    {"type": "test", "name": "05-Test_Number_of_Times_a_Function_Can_Be_Used_Limits.md"},
    {"type": "test", "name": "06-Testing_for_the_Circumvention_of_Work_Flows.md"},
    {"type": "test", "name": "07-Test_Defenses_Against_Application_Misuse.md"},
    {"type": "test", "name": "08-Test_Upload_of_Unexpected_File_Types.md"},
    {"type": "test", "name": "09-Test_Upload_of_Malicious_Files.md"}
  ]},
  {"type": "category", "name": "11-Client_Side_Testing", "contents": [
    {"type": "test", "name": "01-Testing_for_DOM-based_Cross_Site_Scripting.md"},
    {"type": "test", "name": "02-Testing_for_JavaScript_Execution.md"},
    {"type": "test", "name": "03-Testing_for_HTML_Injection.md"},
    {"type": "test", "name": "04-Testing_for_Client_Side_URL_Redirect.md"},
    {"type": "test", "name": "05-Testing_for_CSS_Injection.md"},
    {"type": "test", "name": "06-Testing_for_Client_Side_Resource_Manipulation.md"},
    {"type": "test", "name": "07-Testing_Cross_Origin_Resource_Sharing.md"},
    {"type": "test", "name": "08-Testing_for_Cross_Site_Flashing.md"},
    {"type": "test", "name": "09-Testing_for_Clickjacking.md"},
    {"type": "test", "name": "10-Testing_WebSockets.md"},
    {"type": "test", "name": "11-Testing_Web_Messaging.md"},
    {"type": "test", "name": "12-Testing_Browser_Storage.md"},
    {"type": "test", "name": "13-Testing_for_Cross_Site_Script_Inclusion.md"}
  ]}
]
```

Can be generated pretty simply with tree -J -I 'images|README.md|00-*' --dirsfirst > list.json then using sed to make some replacements (directory > category, file > test). I had to manually trim a few things but I'm sure they're automatable too. The only thing I have left to sort out is extracting or grepping out the test IDs and maybe trimming/removing .md.... anyway something can be done simply enough.

It may also be possible to do something with jq: https://stedolan.github.io/jq/

rejahrehim commented 4 years ago

I can work on it. @kingthorin

ThunderSon commented 4 years ago

@rejahrehim Let's first agree on the structure that this list could hold. Having the IDs as such without anything on top looks to be really basic and raw. For now, I have 2 additional fields in mind. Link to the stable spot of this (or on github, doesn't really matter), and another one which describes the attack. I was thinking that the Test Objective sentences could help with this as they are short and explain what's going to be done in the test scenario.

Open for more suggestions!

rejahrehim commented 4 years ago

Test ID like WSTG-ATHN-01 and Test Objective sentences we have to add. Also, what do you think of adding cross references to ASVS when it's ready?

Can we use WSTG-ATHN as category ID?

ThunderSon commented 4 years ago

Category IDs can definitely be used. What do you think about this:

{
    "categories": {
        "WSTG-INFO": [
            {
                "Objectives": "<Grab objectives>",
                "Reference": "<URL to test 1>",
                "CRE_ID": "<CRE_ID1>"
            },
            {
                "Objectives": "<Grab objectives>",
                "Reference": "<URL to test 2>",
                "CRE_ID": "<CRE_ID2>"
            }
        ],
        "WSTG-ATHN": [
            {
                "Objectives": "<Grab objectives>",
                "Reference": "<URL to test 1>",
                "CRE_ID": "<CRE_ID1>"
            },
            {
                "Objectives": "<Grab objectives>",
                "Reference": "<URL to test 2>",
                "CRE_ID": "<CRE_ID2>"
            }
        ]
    }
}

The arrays-of-objects layout is done for easy digestion by tools. It would start at 0, but people taking this into a tool should know that.

CRE (instead of ASVS) is where the references are happening and should be ready by v5 release, hopefully :crossed_fingers:

ThunderSon commented 4 years ago

@RiieCco Do you think the above is needed Vs. what we're doing in the CRE? The input schema is starting to look like this. The inventory schema is still being built (well hopefully, I'll be done with it by tomorrow).

kingthorin commented 4 years ago

The suggested schema seems decent. I think we should set the "category" as the actual folder text or whatever (just because it removes any potential confusion around the acronyms in the identifiers), and then we should include the actual identifiers to remove consumers' need to count properly etc. (Which also gives us some future proofing in retiring or merging IDs etc)

rejahrehim commented 4 years ago

If we put category as the actual folder name, then we have to put category ID as WSTG-ATHN. What do you think?

kingthorin commented 4 years ago

Sure that'd be fine, however if we're including the actual full test id (WSTG-AUTH-01) do we need it? I dunno, I guess there's no reason not to include it as a categoryId.

In the end, in a text based representation that will compress ridiculously well and be consumed by other programs/projects there's not much reason to exclude details. More really can be more.

rejahrehim commented 4 years ago

I thought of adding some identifier that could be programmatically validated if used by some tools or scripts.

kingthorin commented 4 years ago

{
    "categories": {
        "Information Gathering": {
            "id": "WSTG-INFO",
            "tests": [{
                "name": "Conduct Search Engine Discovery Reconnaissance for Information Leakage",
                "id": "WSTG-INFO-01",
                "Objectives": "<Grab objectives>",
                "Reference": "<URL to test 1>",
                "CRE_ID": "<CRE_ID1>"
            }]
        },
        "Authentication Testing": {
            "id": "WSTG-ATHN",
            "tests": [{
                "name": "Testing for Credentials Transported over an Encrypted Channel",
                "id": "WSTG-ATHN-01",
                "Objectives": "<Grab objectives>",
                "Reference": "<URL to test n>",
                "CRE_ID": "<CRE_IDn>"
            }]
        }
    }
}

Formatted by: https://jsonlint.com/
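The generation approach discussed above (walking the test directories the way the tree/sed pipeline does, then emitting the id/name/Objectives/Reference schema from the last comment, with an identifier check of the kind rejahrehim asked for) as an added example; this is not the project's own generator and not code from anyone in the thread. It assumes the WSTG page layout in which each test file carries its ID in a small markdown table (`|WSTG-INFO-01|`) and a `## Test Objectives` section, and the `BASE_URL` used for the Reference field is an assumed stable-URL prefix. The sample pages it builds in a temp directory are constructed stand-ins, not real WSTG text.

```python
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# Assumption: stable URL prefix for a test page; adjust to wherever the pages are published.
BASE_URL = "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing"

# Assumed page conventions: an ID table row like "|WSTG-INFO-01|" and a "## Test Objectives" section.
ID_RE = re.compile(r"^\|\s*(WSTG-[A-Z]+-\d{2})\s*\|\s*$", re.M)
OBJECTIVES_RE = re.compile(r"^## Test Objectives\s*\n(.*?)(?=^## |\Z)", re.M | re.S)
TEST_ID_RE = re.compile(r"^WSTG-[A-Z]+-\d{2}$")

# Constructed sample pages (not real WSTG content) so the script runs offline.
SAMPLE_PAGES = {
    "01-Information_Gathering/README.md": "# 4.1 Information Gathering\n",
    "01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage.md":
        "# Conduct Search Engine Discovery\n\n|ID          |\n|------------|\n|WSTG-INFO-01|\n\n"
        "## Summary\n\nText.\n\n## Test Objectives\n\n- Identify what configuration information is exposed via search engines.\n\n## How to Test\n",
    "01-Information_Gathering/02-Fingerprint_Web_Server.md":
        "# Fingerprint Web Server\n\n|ID          |\n|------------|\n|WSTG-INFO-02|\n\n"
        "## Test Objectives\n\n- Determine the version and type of the running web server.\n",
    "04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel.md":
        "# Testing for Credentials over an Encrypted Channel\n\n|ID          |\n|------------|\n|WSTG-ATHN-01|\n\n"
        "## Test Objectives\n\n- Assess whether credentials are ever exchanged without encryption.\n",
}


def humanize(filename: str) -> str:
    """'01-Fingerprint_Web_Server.md' -> 'Fingerprint Web Server' (also works on directory names)."""
    stem = Path(filename).stem
    stem = re.sub(r"^\d+(\.\d+)?-", "", stem)  # drop the '01-' / '05.1-' ordering prefix
    return stem.replace("_", " ")


def parse_test(path: Path, root: Path) -> dict | None:
    """Return the schema entry for one test page, or None for pages without a test ID (README, 00-*)."""
    text = path.read_text(encoding="utf-8")
    m = ID_RE.search(text)
    if not m:
        return None
    objectives = ""
    om = OBJECTIVES_RE.search(text)
    if om:
        bullets = [ln.lstrip("- ").strip() for ln in om.group(1).splitlines() if ln.strip().startswith("-")]
        objectives = " ".join(bullets)
    return {
        "name": humanize(path.name),
        "id": m.group(1),
        "Objectives": objectives,
        "Reference": f"{BASE_URL}/{path.relative_to(root).with_suffix('').as_posix()}",
        "CRE_ID": "",  # CRE mapping is not available yet, so the field is left empty
    }


def build_index(root: Path) -> dict:
    """Walk <root>/<NN-Category>/**/*.md and build the categories -> tests structure."""
    categories = {}
    for cat_dir in sorted(p for p in root.iterdir() if p.is_dir() and not p.name.startswith("00")):
        tests = [t for t in (parse_test(f, root) for f in sorted(cat_dir.rglob("*.md"))) if t]
        if not tests:
            continue  # e.g. an images/ directory
        cat_id = tests[0]["id"].rsplit("-", 1)[0]  # "WSTG-INFO-01" -> "WSTG-INFO"
        categories[humanize(cat_dir.name)] = {"id": cat_id, "tests": tests}
    return {"categories": categories}


def validate_index(index: dict) -> list[str]:
    """Return a list of problems (malformed, duplicate or mis-filed IDs); empty means consistent."""
    problems, seen = [], set()
    for cat_name, cat in index["categories"].items():
        for t in cat["tests"]:
            tid = t["id"]
            if not TEST_ID_RE.match(tid):
                problems.append(f"{tid}: malformed id")
            if tid in seen:
                problems.append(f"{tid}: duplicate id")
            seen.add(tid)
            if not tid.startswith(cat["id"] + "-"):
                problems.append(f"{tid}: not in category {cat['id']} ({cat_name})")
    return problems


def write_sample_tree(root: Path) -> Path:
    """Materialise the constructed sample pages under root."""
    for rel, body in SAMPLE_PAGES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    return root


def build_sample_index() -> dict:
    """Build the index over the constructed sample tree in a fresh temp directory."""
    return build_index(write_sample_tree(Path(tempfile.mkdtemp(prefix="wstg-sample-"))))


if __name__ == "__main__":
    index = build_sample_index()
    print(json.dumps(index, indent=4))
    print("problems:", validate_index(index) or "none")
```

Point `build_index` at the real `4-Web_Application_Security_Testing` directory to generate the file for a CI job; `validate_index` is the step that lets a consumer (or the CI job itself) reject an index whose IDs are duplicated or filed under the wrong category.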

rejahrehim commented 4 years ago

CRE_ID or CRE-ID? Can we use a hyphen, like WSTG-ATHN-01? @ThunderSon

ThunderSon commented 4 years ago

I doubt it's going to be in the first build of this JSON file. It could be cre or cre-id; it doesn't really matter. This is used to be consumed. I like the schema as well. Thanks :smile:

kingthorin commented 4 years ago

@rejahrehim are you going to be able to tackle this?

github-actions[bot] commented 4 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

rejahrehim commented 3 years ago

> @rejahrehim are you going to be able to tackle this?

Started working on it

Once we have generated the JSON, what do we have to do? Commit it back to the repo, or can we publish it on the web (latest)? I am planning to trigger it with a GitHub action. @kingthorin @ThunderSon

kingthorin commented 3 years ago

For the time being I'd suggest the job should open a PR against the checklist directory.

ThunderSon commented 3 years ago

Yep. Agreed on the location. I would prefer artifacts to be on GH, and not on the website. We can link to them from the website.

rejahrehim commented 3 years ago

> Yep. Agreed on the location. I would prefer artifacts to be on GH, and not on the website. We can link to them from the website.

Do we need to upload the JSON file as a release?

ThunderSon commented 3 years ago

We can, yes. It'd be easier for people to grab the XLSX and the JSON files from the release as well.

kingthorin commented 3 years ago

The XLSX can always be attached manually afterwards. I don't want it to delay any of our releases.

It should be possible to attach the JSON to the existing release (which is currently created by the PDF build on tag push [IIRC]).

ThunderSon commented 3 years ago

You're the experts on this, leaving this in your hands :yum: