MASTG Transition Version (#2396)
* remove tests and references

* add individual tests

* add testing chapter assembler script

* add assembler to workflows

* fix md headings

* fix masvs IDs block

* fix new lines in assemble script

* fix format in 3 tests

* map tests to masvs v1 levels

* fix masvs v2 IDs in tests

* removed general auth tests that were more server-side

* merge privacy tests back to their chapter

* rm deprecated CODE tests

* create and populate checklists per MASVS group

* update gitignore

* move tests to tests folder for deployment

* add mas chips styles and override main.html template

* add new excel style

* fix masvs links in web checklist and retrieve MASVS from repo

* update pip reqs

* fix links to masvs controls

* split masvs categories in excel to one sheet per category

* update excel generation with new header and new MASVS colors

* update checklist page and style menu items dynamically

* fix menu item coloring for all controls and categories, restyle controls in web

* fix footer

* fix nav and tablesorts script

* update styles and site navigation

* update style in controls pages, add ruler

* update levels in tests and remove device binding

* fix hide toc or navigation

* fix masvs controls folder and restrict run

* fix mkdir checklists

* fix news navigation hide

* fix mastg test links in test overview table

* fix checklists pages

* fix all md links and md linting errors

* fix checklist download links

* add masvs controls overview to MASVS page

* fix more links in tests

* fix md issues ul indent

* fix more links

* add static tablesor.min

* add checklist note and warning

* add testing chapters metadata

* add theory sections and MASTG tests by platform and masvs category

* add platform chip in mastg tests

* fix links and wording

* add tests per platform and masvs category

* update gitignore

* fix typos

* fix masvs controls link for checklist

* fix for wrong paths

* rm .md from web links

* correct links for non-Document URLs

* fix titles in urls

* don't write resources section if empty

* cleanup

* fix imgs in tests/

* update news

* update release notes

* improve assemble script

* improve populate_dynamic_pages

* improve first page for PDF and update doc name to remove version number

* update news.md

* rm old masvs refs

* add masvs group chip

* fix MASTG download link and improve advocates text

* fixing broken links
cpholguera committed May 8, 2023
1 parent f29c1ef commit 1c363bc
Showing 161 changed files with 11,017 additions and 11,145 deletions.
26 changes: 19 additions & 7 deletions .github/workflows/build-website.yml
Expand Up @@ -7,18 +7,27 @@ on:
jobs:
deploy:
runs-on: ubuntu-latest
if: github.actor == 'cpholguera' || github.actor == 'sushi2k'
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v2
with:
fetch-depth: 1

- uses: actions/setup-python@v4
with:
python-version: 3.x
- run: pip install -r requirements.txt
- name: Install dependencies
run: pip install -r tools/scripts/requirements.txt

- run: ./tools/scripts/structure_mastg.sh
- name: Copy MASTG Tests folder
run: cp -r tests docs/MASTG/
- run: python3 tools/scripts/transform_files.py

- run: mv Document/Images/ docs/assets/Images/
- run: sed -i "s#<img src=\"Images/#<img src=\"../../../assets/Images/#g" docs/MASTG/**/*.md
- run: find docs/MASTG/tests -name "*.md" -exec sed -i "s#<img src=\"Images/#<img src=\"../../../../../../assets/Images/#g" {} \;
- run: find docs/MASTG -name "*.md" -exec sed -i "s#<img src=\"Images/#<img src=\"../../../assets/Images/#g" {} \;


- name: Get Latest MASVS Release Tag
run: echo "MASVS_VERSION=$(curl -s https://api.github.com/repos/OWASP/owasp-masvs/releases/latest | jq '.tag_name' | sed 's/\"//g')" >> $GITHUB_ENV
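Review bot: the two `find ... -exec sed` passes at the end of this hunk are order-dependent. The second one walks all of `docs/MASTG`, including `docs/MASTG/tests`, and only leaves the test files alone because the first pass has already rewritten `<img src="Images/` there so the pattern no longer matches; swap the two steps, or copy a test file in between them, and the tests silently get the three-level prefix instead of the six-level one. Prune the tests tree in the second pass so each file is matched by exactly one rule, e.g. `find docs/MASTG -path docs/MASTG/tests -prune -o -name "*.md" -exec sed -i "s#<img src=\"Images/#<img src=\"../../../assets/Images/#g" {} \;`. Replacing the `docs/MASTG/**/*.md` glob with `find` is the right fix in itself, since `**` does not recurse in the Actions bash shell unless `globstar` is enabled, so the old line only touched one directory level. Separately, `actions/checkout@v3` and the bumped `actions/setup-python@v4` are pinned to mutable tags; for the job that publishes the site, pin both to commit SHAs.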
Expand All @@ -30,14 +39,17 @@ jobs:
path: owasp-masvs/
- name: Generate MASVS yaml
run: python3 ./owasp-masvs/tools/generate_masvs_yaml.py -v ${{env.MASVS_VERSION}} -i ./owasp-masvs/Document -c ./owasp-masvs/controls
- name: Populate MASVS Categories Markdown Files
run: python3 ./owasp-masvs/tools/populate_masvs_categories_md.py -d ./owasp-masvs/Document -w
# - name: Populate MASVS Categories Markdown Files
# run: python3 ./owasp-masvs/tools/populate_masvs_categories_md.py -d ./owasp-masvs/Document -w
- run: ./tools/scripts/structure_masvs.sh
- run: mkdir docs/assets/Images/MASVS
- run: mv owasp-masvs/Document/images/* docs/assets/Images/MASVS
- run: sed -i "s#images/#../../../assets/Images/MASVS/#g" docs/MASVS/**/*.md
- run: sed -i "s#images/#../../assets/Images/MASVS/#g" docs/MASVS/*.md

- run: python3 tools/scripts/populate_dynamic_pages.py
- name: Generate MASVS Control Markdown Files
run: python3 tools/scripts/write_masvs_control_md_files.py

- name: Populate Dynamic Pages
run: python3 tools/scripts/populate_dynamic_pages.py

- run: mkdocs gh-deploy --force --clean --verbose
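Review bot: the "Populate MASVS Categories Markdown Files" step is left as a commented-out block instead of being deleted; git history already preserves it, and dead steps in a deploy workflow tend to be un-commented later without review. Remove it. `mkdir docs/assets/Images/MASVS` without `-p` fails if the directory already exists, so use `mkdir -p` if this job is ever re-run against a prepared workspace. More importantly, `./owasp-masvs/tools/generate_masvs_yaml.py` is code checked out from a different repository at whatever `MASVS_VERSION` the unauthenticated `releases/latest` lookup above resolved to, and it runs inside the job that does `mkdocs gh-deploy`; checking out a fixed commit (and failing when the version lookup returns empty or `null`) would make the build reproducible and keep a mistaken or compromised upstream tag from executing in the deploy context.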
6 changes: 6 additions & 0 deletions .github/workflows/config/url-checker-config.json
Expand Up @@ -15,6 +15,12 @@
{
"pattern": "https://haveibeenpwned.com"
},
{
"pattern": "https://www.hackingwithswift.com"
},
{
"pattern": "https://www.raywenderlich.com"
},
{
"pattern": "http://apt.thebigboss.org/repofiles/cydia/"
},
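Review bot: `https://www.hackingwithswift.com` and `https://www.raywenderlich.com` are added as bare host patterns, which exempts every URL under those hosts from the link checker rather than only the ones that are currently failing, so future dead links to them will go unnoticed. If the reason is that the hosts block the checker (403/429), narrow the patterns to the specific paths that are known to be affected and record the reason in the PR description, since this JSON config cannot carry a comment.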
58 changes: 27 additions & 31 deletions .github/workflows/docgenerator.yml
Expand Up @@ -17,14 +17,20 @@ permissions:
contents: read

jobs:

Generate-MASTG-Documents:
runs-on: ubuntu-latest
steps:

- uses: actions/checkout@v3
with:
fetch-depth: 1

- uses: actions/setup-python@v4
with:
python-version: 3.x
- name: Install dependencies
run: pip install -r tools/scripts/requirements.txt

- name: Set MASTG_VERSION to env
run: echo "MASTG_VERSION=$(curl "https://api.github.com/repos/OWASP/owasp-mastg/tags" | jq -r '.[0].name')" >> $GITHUB_ENV

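Review bot: the `MASTG_VERSION` step right after the new dependency install pipes an unauthenticated `curl` of the `/tags` endpoint into `jq -r '.[0].name'` and writes the result straight into `$GITHUB_ENV` with no `-f`/`--fail` on curl and no null check; a rate-limited or failed request yields `MASTG_VERSION=null` and the job carries on producing artifacts labelled `null`. Use `curl -fsS -H "Authorization: Bearer ${{ github.token }}"`, store the value in a shell variable, and fail the step unless it is non-empty and not `null`. Note also that the list-tags endpoint is not documented as date-ordered, so `.[0]` is not guaranteed to be the newest tag; the `releases/latest` endpoint used for MASVS in the next hunk is the more reliable choice if MASTG tags are published as releases. The `pip install -r tools/scripts/requirements.txt` step is duplicated in the checklist job below; a reusable workflow or composite action would keep the two in sync.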
Expand All @@ -35,6 +41,9 @@ jobs:
- name: Get Latest MASVS Release Tag
run: echo "MASVS_VERSION=$(curl -s https://api.github.com/repos/OWASP/owasp-masvs/releases/latest | jq '.tag_name' | sed 's/\"//g')" >> $GITHUB_ENV

- name: Assemble Testing Chapters
run: python3 tools/scripts/assemble_test_chapters.py

- name: Process Files
run: python3 tools/scripts/transform_files.py

Expand All @@ -44,20 +53,22 @@ jobs:
- name: Upload Artifacts
uses: actions/upload-artifact@v3
with:
name: OWASP_MASTG-${{env.MASTG_VERSION}}
path: OWASP_MASTG-${{env.MASTG_VERSION}}*
name: OWASP_MASTG
path: OWASP_MASTG*

Generate-Checklists:
runs-on: ubuntu-latest

steps:

- uses: actions/checkout@v3
with:
fetch-depth: 1

- name: Listing repo recursive
run: ls -lR
- uses: actions/setup-python@v4
with:
python-version: 3.x
- name: Install dependencies
run: pip install -r tools/scripts/requirements.txt

- name: Set MASTG_VERSION to env
# run: echo "MASTG_VERSION=$(git describe --tags `git rev-list --tags --max-count=1`)" >> $GITHUB_ENV
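Review bot: the upload artifact is renamed from `OWASP_MASTG-${{env.MASTG_VERSION}}` to the fixed `OWASP_MASTG`, and `path: OWASP_MASTG*` is a bare prefix glob that will also sweep up any `OWASP_MASTG-*` or `OWASP_MASTG.*` leftovers in the workspace root. Because a downloaded artifact lands in a directory named after the artifact, the `files:` list in the release job at the bottom of this file, which still globs `OWASP_MASTG-*/`, has to change in the same commit. Listing the generated outputs explicitly (`OWASP_MASTG.pdf`, `OWASP_MASTG.epub`) would make the upload contents unambiguous.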
@@ -93,35 +104,20 @@ jobs:
- name: Confirm MASTG Current Commit ID
run: echo ${{env.MASVS_COMMIT}}

- name: Listing of scripts directory
run: ls -l tools/scripts/
- name: Generate Excel
run: python3 tools/scripts/yaml_to_excel.py --mastgversion ${{env.MASTG_VERSION}} --mastgcommit ${{env.MASTG_COMMIT}} --masvsversion ${{env.MASVS_VERSION}} --masvscommit ${{env.MASVS_COMMIT}}

- name: Install pip Requirements
run: pip3 install -r tools/scripts/requirements.txt

- name: Show openpyxl Version
run: pip3 show openpyxl

- name: Convert MASTG Testing Chapters to HTML
run: . tools/scripts/mstg_to_html.sh

- name: List MASTG HTML
run: ls -l tools/scripts/generated/html/

- name: Export YAML, enhance with MASTG and generate Excel
run: cd tools/scripts && ./gen_all_excel.sh ${{env.MASTG_VERSION}} ${{env.MASTG_COMMIT}} ${{env.MASVS_VERSION}} ${{env.MASVS_COMMIT}}

- name: Upload Enhanced MASVS YAML
uses: actions/upload-artifact@v3
with:
name: Enhanced-MASVS-YAML-Files
path: tools/scripts/masvs_full_*.yaml
# - name: Upload Enhanced MASVS YAML
# uses: actions/upload-artifact@v3
# with:
# name: Enhanced-MASVS-YAML-Files
# path: tools/scripts/masvs_full_*.yaml

- name: Upload Checklists
uses: actions/upload-artifact@v3
with:
name: Checklists
path: tools/scripts/*.xlsx
path: OWASP_MAS_Checklist*.xlsx

release:
runs-on: ubuntu-latest
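Review bot: the "Upload Enhanced MASVS YAML" step is commented out rather than deleted, yet the release job in this file still lists `Enhanced-MASVS-YAML-Files/*.yaml` among its `files:`; either keep the upload or drop both, and remove the commented block. Minor, in the unchanged context at the top of the hunk: the step named "Confirm MASTG Current Commit ID" echoes `${{env.MASVS_COMMIT}}`, so it prints the MASVS commit, not the MASTG one; it should echo `MASTG_COMMIT`, which the new `yaml_to_excel.py` invocation does pass as `--mastgcommit`. Collapsing the `mstg_to_html.sh` plus `gen_all_excel.sh` pipeline into one script call is an improvement, but `path: OWASP_MAS_Checklist*.xlsx` assumes the script writes to the workspace root; take the output path as an explicit argument so the upload glob and the matching `.gitignore` entry cannot drift from it.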
@@ -145,8 +141,8 @@ jobs:
generate_release_notes: true
discussion_category_name: Announcements
files: |
OWASP_MASTG-*/OWASP_MASTG-*.pdf
OWASP_MASTG-*/OWASP_MASTG-*.epub
OWASP_MASTG-*/OWASP_MASTG.pdf
OWASP_MASTG-*/OWASP_MASTG.epub
Checklists/*.xlsx
Enhanced-MASVS-YAML-Files/*.yaml
env:
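Review bot: `OWASP_MASTG-*/OWASP_MASTG.pdf` and `OWASP_MASTG-*/OWASP_MASTG.epub` require a hyphen after `OWASP_MASTG`, but the upload step earlier in this file now names the artifact plain `OWASP_MASTG`; unless the download-artifact step (outside this hunk) sets a `path` with that prefix, the directory will be `OWASP_MASTG/` and the release is created without its PDF and EPUB. Match the new artifact name (`OWASP_MASTG/OWASP_MASTG.pdf`) or use `**/OWASP_MASTG.pdf`. `Enhanced-MASVS-YAML-Files/*.yaml` likewise refers to an upload this commit comments out. If the release action supports failing on unmatched file patterns, enable it so a broken glob is caught when the release runs rather than discovered as a missing asset.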
8 changes: 7 additions & 1 deletion .gitignore
Expand Up @@ -8,10 +8,16 @@ tmp_*
build
*-temp
OWASP_MSTG-SNAPSHOT-*
OWASP_MAS_Checklist.xlsx
logs
*.pdf
*.docx
*.epub
launch.json
docs/MASVS
docs/MASTG
docs/MASTG
docs/checklists/
owasp-masvs
__pycache__
venv/
playground/
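Review bot: `docs/MASTG` now appears twice in a row, which looks like the old entry survived beside its replacement; keep one. `OWASP_MAS_Checklist.xlsx` ignores only that exact filename, whereas the checklist workflow uploads `OWASP_MAS_Checklist*.xlsx`, so any per-platform or versioned spreadsheet the generator writes would still show up as untracked; use the same glob here. The `docs/MASVS`, `docs/MASTG`, `docs/checklists/` and `owasp-masvs` entries are all build-time outputs and clones produced by the workflows; a one-line comment above them saying so would stop the next contributor from committing generated files by hand.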
6 changes: 3 additions & 3 deletions Document/0x02c-Acknowledgements.md
Expand Up @@ -43,9 +43,9 @@ If you'd like to apply please contact the project leaders by sending an email to
- [Financial donations](https://mas.owasp.org/donate/) are not part of the eligibility criteria but will be listed for completion.
- Re-shared publications and blog posts linked in MASTG text must be **educational** and focus on mobile security or MASVS/MASTG and **not endorse company products/services**.
- Advocate Companies may use the logo and links to MASVS/MASTG resources as part of their communication but cannot use them as an endorsement by OWASP as a preferred provider of software and services.
- Example of what's ok: list MAS Advocate status on website home page, in "about company" slides in sales presentations, on sales collateral.
- Example of what's not ok: a MAS Advocate cannot claim they are OWASP certified.
- The quality of the application of the MASVS/MASTG by these companies [has not been vetted by the MAS team](https://mas.owasp.org/MASVS/Intro/0x04-Assessment_and_Certification/#owasps-stance-on-masvs-certifications-and-trust-marks).
- Example of what's ok: list MAS Advocate status on website home page, in "about company" slides in sales presentations, on sales collateral.
- Example of what's not ok: a MAS Advocate cannot claim they are OWASP certified.
- The quality of the application of the MASVS/MASTG by these companies [has not been vetted by the MAS team](https://mas.owasp.org/MASVS/Intro/04-Assessment_and_Certification/).

> The OWASP Foundation is very grateful for the support by the individuals and organizations listed. However please note, the OWASP Foundation is strictly vendor neutral and does not endorse any of its supporters. MAS Advocates do not influence the content of the MASVS or MASTG in any way.
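Review bot: the last bullet's link loses the `#owasps-stance-on-masvs-certifications-and-trust-marks` fragment along with the path change to `04-Assessment_and_Certification/`. The sentence points the reader at one specific statement, so if that heading still exists on the new page keep the anchor; if it was removed, "has not been vetted by the MAS team" should link to wherever that stance now lives rather than to the page top. The re-indentation of the two example sub-bullets from two to four spaces matches the `ul indent` lint fix mentioned in the commit message and renders them as a nested list, which the two-space form did not reliably do.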
7 changes: 6 additions & 1 deletion Document/0x04c-Tampering-and-Reverse-Engineering.md
@@ -1,3 +1,8 @@
---
masvs_category: MASVS-RESILIENCE
platform: all
---

# Mobile App Tampering and Reverse Engineering

Reverse engineering and tampering techniques have long belonged to the realm of crackers, modders, malware analysts, etc. For "traditional" security testers and researchers, reverse engineering has been more of a complementary skill. But the tides are turning: mobile app black-box testing increasingly requires disassembling compiled apps, applying patches, and tampering with binary code or even live processes. The fact that many mobile apps implement defenses against unwelcome tampering doesn't make things easier for security testers.
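Review bot: the new front matter tags this general chapter with `masvs_category: MASVS-RESILIENCE` and `platform: all`. Since the assembler script and the dynamic page generators key off these fields, a typo in a key or value (a misspelled category, `platform: All`) would not error; the chapter would simply be mis-filed or dropped from the site. Add a front-matter validation step to the build (allowed `platform` values, `masvs_category` checked against the generated MASVS YAML) so a mis-tagged chapter or test fails CI instead of vanishing.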
@@ -116,7 +121,7 @@ This technique replaces standard binary operators like addition or subtraction w

Control flow flattening replaces original code with a more complex representation. The transformation breaks the body of a function into basic blocks and puts them all inside a single infinite loop with a switch statement that controls the program flow. This makes the program flow significantly harder to follow because it removes the natural conditional constructs that usually make the code easier to read.

![control-flow-flattening](./Images/Chapters/0x06j/control-flow-flattening.png) \
<img src="Images/Chapters/0x06j/control-flow-flattening.png" width="100%" />

The image shows how control flow flattening alters code (see "[Obfuscating C++ programs via control flow flattening](http://ac.inf.elte.hu/Vol_030_2009/003.pdf)")

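Review bot: replacing the Markdown image with `<img src="Images/Chapters/0x06j/control-flow-flattening.png" width="100%" />` drops the alt text the Markdown form carried (`control-flow-flattening`); add an `alt` attribute so the figure remains accessible and text-only renderings keep a reference to it. The HTML form is evidently required because the website workflow rewrites image paths only with `sed "s#<img src=\"Images/#..."`, so a `![](Images/...)` image would ship with a broken path; state that convention in the contributor docs or enforce it with a lint rule, otherwise the next image added in Markdown syntax breaks silently. The paper link below is plain `http://`; prefer `https://` if the host serves it.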