Merged
Changes from 23 commits
28 changes: 9 additions & 19 deletions .github/workflows/config/url-checker-config.json
@@ -1,26 +1,14 @@
{
"ignorePatterns": [
{
"pattern": "https://github.com/Your_Github_Handle/owasp-mstg"
},
{
"pattern": "changelog"
},
{
"pattern": "https://github.com/commjoen/contributors-mstg"
},
{
"pattern": "https://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html"
},
{
"pattern": "^http://127.0.0.1"
},
{
"pattern": "^http://localhost"
},
{
"pattern": "https://haveibeenpwned.com"
},
{
"pattern": "https://www.hackingwithswift.com"
},
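Review bot: the hunk header (-1,26 +1,14) says twelve lines were dropped from this block, but the rendered view does not mark which four entries went, and at least two of the candidates matter: if `^http://127.0.0.1` and `^http://localhost` are among the removals, any `http://127.0.0.1` or `http://localhost` URL in the guide will be reported as a dead link on the next run, and if `https://github.com/Your_Github_Handle/owasp-mstg` went, the placeholder URL will fail wherever it is used. The dhanjani.com entry can go because that link is replaced later in this PR; please list the removed entries in the PR description and confirm the remaining ones were validated against a full-tree run rather than only a modified-files run.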
@@ -105,9 +93,6 @@
{
"pattern": "^https://github.com/sushi2k/MSTG-MASVS-Internal"
},
{
"pattern": "^https://fidoalliance.org/"
},
{
"pattern": "^/MASVS/"
},
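Review bot: three lines are removed here, which on the visible entries is most likely the `^https://fidoalliance.org/` ignore; a domain is normally put on this list because it rejects the checker's requests, so if the removal relies on the new Chrome User-Agent further down to get past that, say so in the PR description, since a future UA change will silently bring the failure back. The `^https://github.com/sushi2k/MSTG-MASVS-Internal` and `^/MASVS/` entries need no change.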
@@ -121,12 +106,17 @@
"pattern": "^/checklists/"
},
{
"pattern": "https://techbeacon.com/evolution-devops-new-thinking-gene-kim"
"pattern": "^https://stackoverflow.com/"
},
{
"pattern": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/"
"pattern": "^https://academy.realm.io/posts/russ-bishop-unsafe-swift/"
}
],
"replacementPatterns": [
{
"pattern": "^Images/",
"replacement": "{{BASEURL}}/Document/Images/"
}

],
"httpHeaders": [
{
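Review bot: `^https://stackoverflow.com/` is a blanket ignore, so every Stack Overflow reference in the guide is permanently exempt from checking and deleted or migrated questions will never be noticed; prefer listing the specific URLs that fail (as was done for the realm.io post) or relying on the new User-Agent to get past the anti-bot response. Two smaller points: the blank line after the `replacementPatterns` entry is stray and should be dropped, and the `^Images/` to `{{BASEURL}}/Document/Images/` rewrite should be tested on at least one page that embeds an image, because a wrong base path turns every image reference into a reported dead link rather than a skipped one.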
@@ -135,7 +125,7 @@
"http://"
],
"headers": {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36"
}
}
],
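Review bot: the hardcoded `Chrome/144.0.0.0` User-Agent will go stale exactly as `Firefox/64.0` did, and sites that reject old browser versions will start returning bot responses again without any change to this file; add a comment next to it saying why a browser UA is needed and that the version should be bumped when the checker starts failing with 403s. Note also that this header block applies to every URL matched by the prefixes listed above `"http://"`, so the checker now presents itself to all sites as a desktop browser rather than as an automated client, which is worth stating in the PR description.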
13 changes: 4 additions & 9 deletions .github/workflows/url-checker-pr.yml
@@ -1,21 +1,16 @@
name: URL Checker (PR)

on:
pull_request:
on: [pull_request]

jobs:
markdown-link-check:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: link-check
uses: gaurav-nelson/github-action-markdown-link-check@v1
- name: URL Link Check
uses: Diolor/github-action-markdown-link-check@1.3
with:
use-quiet-mode: 'yes'
use-verbose-mode: 'yes'
config-file: '.github/workflows/config/url-checker-config.json'
folder-path: '.'
check-modified-files-only: 'yes'
#check-modified-files-only: 'yes'
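Review bot: `uses: Diolor/github-action-markdown-link-check@1.3` references a mutable tag on a third-party action, so whoever controls that repository can change what runs in this workflow at any time; pin it to the full commit SHA with the tag in a trailing comment (`uses: Diolor/github-action-markdown-link-check@<sha> # 1.3`), as is the convention for third-party actions. Second, `#check-modified-files-only: 'yes'` leaves the intent unclear: with it disabled every pull request now checks the whole tree, so an unrelated dead link blocks unrelated PRs and the run duplicates url-checker.yml; either delete the line or add a comment explaining why the full check is wanted on PRs. Dropping `fetch-depth: 1` is harmless since that is the checkout default and the modified-files mode that needed history is off.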
8 changes: 2 additions & 6 deletions .github/workflows/url-checker.yml
@@ -12,12 +12,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: link-check
uses: gaurav-nelson/github-action-markdown-link-check@v1
- name: URL Link Check
uses: Diolor/github-action-markdown-link-check@1.3
with:
use-quiet-mode: 'yes'
use-verbose-mode: 'yes'
config-file: '.github/workflows/config/url-checker-config.json'
folder-path: '.'
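Review bot: same pinning concern as in url-checker-pr.yml: `Diolor/github-action-markdown-link-check@1.3` should be pinned to a full commit SHA rather than a tag. Since the two workflows now differ only in their trigger, consider making the job a reusable workflow (`workflow_call`) or at least keeping the two files in lockstep, otherwise the next version bump will land in one and not the other.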
3 changes: 2 additions & 1 deletion apps/android/MASTG-APP-0014.md
@@ -2,6 +2,7 @@
title: InsecureShop
platform: android
source: https://github.com/hax0rgb/InsecureShop/
status: deprecated
---

InsecureShop is an intentionally designed Android application that showcases vulnerabilities, aiming to educate developers and security experts about common pitfalls within modern Android apps. It serves as a dynamic platform for refining Android pentesting skills.
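Review bot: `status: deprecated` is added without saying why, and the paragraph that follows still describes InsecureShop in the present tense as a dynamic platform for refining skills. If the reason is the lost documentation site described lower in this file, a one-line note next to the status (or in the body) tells readers whether the app itself still builds and is usable or whether only the docs are gone.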
@@ -15,4 +16,4 @@ The majority of these vulnerabilities can be exploited on non-rooted devices, po
- **Insecure Broadcast Receiver**: Registration of a broadcast enabling URL injection.
- **Insecure Content Provider**: Accessible content provider putting user data at risk.

Complementing these learning experiences, InsecureShop provides [documentation](https://docs.insecureshopapp.com/ "InsecureShop Docs") about the implemented vulnerabilities and their associated code. This documentation, however, refrains from offering complete solutions for each vulnerability showcased within the InsecureShop app.
Complementing these learning experiences, InsecureShop provided documentation about the implemented vulnerabilities and their associated code. This documentation, however, refrains from offering complete solutions for each vulnerability showcased within the InsecureShop app. The documentation website is not accessible anymore.
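Review bot: tense is inconsistent in the new sentence: "provided documentation" is followed by "This documentation, however, refrains from offering", and "is not accessible anymore" reads better as "is no longer accessible". Suggest: "InsecureShop provided documentation about the implemented vulnerabilities and their associated code, which deliberately did not offer complete solutions; the documentation website is no longer accessible." Dropping the URL altogether also removes the only pointer a reader had; if an archived copy of docs.insecureshopapp.com exists, link that instead.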
2 changes: 1 addition & 1 deletion knowledge/ios/MASVS-PLATFORM/MASTG-KNOW-0079.md
@@ -22,7 +22,7 @@ Supporting a custom URL scheme is done by:

Security issues arise when an app processes calls to its URL scheme without properly validating the URL and its parameters and when users aren't prompted for confirmation before triggering an important action.

One example is the following [bug in the Skype Mobile app](https://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html "Insecure Handling of URL Schemes in Apple's iOS"), discovered in 2010: The Skype app registered the `skype://` protocol handler, which allowed other apps to trigger calls to other Skype users and phone numbers. Unfortunately, Skype didn't ask users for permission before placing the calls, so any app could call arbitrary numbers without the user's knowledge. Attackers exploited this vulnerability by putting an invisible `<iframe src="skype://xxx?call"></iframe>` (where `xxx` was replaced by a premium number), so any Skype user who inadvertently visited a malicious website called the premium number.
One example is the following [bug in the Skype Mobile app](https://medium.com/section-9-lab/abusing-ios-url-handlers-on-messages-96979e8b12f5 "Insecure Handling of URL Schemes in Apple's iOS"), discovered in 2010: The Skype app registered the `skype://` protocol handler, which allowed other apps to trigger calls to other Skype users and phone numbers. Unfortunately, Skype didn't ask users for permission before placing the calls, so any app could call arbitrary numbers without the user's knowledge. Attackers exploited this vulnerability by putting an invisible `<iframe src="skype://xxx?call"></iframe>` (where `xxx` was replaced by a premium number), so any Skype user who inadvertently visited a malicious website called the premium number.

As a developer, you should carefully validate any URL before calling it. You can allow only certain applications which may be opened via the registered protocol handler. Prompting users to confirm the URL-invoked action is another helpful control.

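Review bot: the link target changed to a Medium post whose slug is "abusing-ios-url-handlers-on-messages", but the title attribute still reads "Insecure Handling of URL Schemes in Apple's iOS", the name of the original dhanjani.com write-up, and the sentence still says "discovered in 2010" as if it pointed at the primary source. Update the title text to the new post's title and keep the attribution to the original dhanjani.com author in the sentence, or link an archived copy of the original, otherwise the citation misattributes the finding to a later secondary post.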
2 changes: 1 addition & 1 deletion techniques/android/MASTG-TECH-0109.md
@@ -83,4 +83,4 @@ You can either configure @MASTG-TOOL-0120 or create `iptables` rules to redirect

- Use the app, and you should be able to intercept the HTTP traffic of the Flutter app.

Further explanations for this setup can be found in the blog post from [Nviso](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/).
Further explanations for this setup can be found in the blog post from [Nviso](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/).
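Review bot: the new NVISO link is the same combined post now used in MASTG-TECH-0110, and its slug says it covers iOS and Android, HTTP and HTTPS, dio and pinning, whereas the sentence before it only promises "further explanations for this setup"; consider naming the section of the post that applies to the Android iptables setup so readers are not sent to the iOS half first.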
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0110.md
@@ -52,7 +52,7 @@ There are generally two approaches to this: **@MASTG-TOOL-0100** and **@MASTG-TO

## Intercepting Traffic using Wi-Fi Hotspot / openVPN with Frida

1. Configure using [Wi-Fi hotspot / openVPN](https://blog.nviso.eu/2020/06/12/intercepting-flutter-traffic-on-ios/) method to redirect requests to Burp.
1. Configure using [Wi-Fi hotspot / openVPN](https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/) method to redirect requests to Burp.

2. Install the @MASTG-APP-0025 on the mobile device.

2 changes: 1 addition & 1 deletion tools/generic/MASTG-TOOL-0134.md
@@ -4,6 +4,6 @@ platform: generic
source: https://github.com/CycloneDX/cdxgen
---

[cdxgen](https://cyclonedx.github.io/cdxgen/) can generate Software Bill of Materials (SBOM) for most applications and container images with a single command. It supports SwiftPM for iOS and Maven for Android. The generated SBOM can then be submitted to analysis tools such as @MASTG-TOOL-0132.
[cdxgen](https://cdxgen.github.io/cdxgen/#/) can generate Software Bill of Materials (SBOM) for most applications and container images with a single command. It supports SwiftPM for iOS and Maven for Android. The generated SBOM can then be submitted to analysis tools such as @MASTG-TOOL-0132.

While the creation of an SBOM for a compiled Android app (APK or AAB) is supported, it is limited and mostly incomplete. This is mainly due to the removal of metadata from the libraries used in an app. Therefore, it is recommended to execute cdxgen in the Android app project folder to create a complete SBOM.
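Review bot: the new URL carries a `#/` hash-router fragment, which a link checker cannot verify and which is not needed to reach the page; use `https://cdxgen.github.io/cdxgen/` instead. The `source:` front-matter still points at `https://github.com/CycloneDX/cdxgen`, which is fine as the code location, but now that the docs live on a different host it is worth a short check that both still refer to the same project so the two links do not drift apart.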
2 changes: 1 addition & 1 deletion tools/ios/MASTG-TOOL-0111.md
@@ -7,4 +7,4 @@ hosts: [windows, linux, macOS]

ldid is a Link Identity Editor created by Saurik. It allows you to view and update the entitlements of a MachO binary.

The original source can be found at [https://git.saurik.com/ldid.git](https://git.saurik.com/ldid.git), while precompiled versions are available from the [ProcursusTeam's repo](https://github.com/ProcursusTeam/ldid).
The original source from [Jay Freeman (saurik)](https://saurik.com/) is not available anymore, while precompiled versions are available from the [ProcursusTeam's repo](https://github.com/ProcursusTeam/ldid).
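Review bot: "is not available anymore, while precompiled versions are available" is awkward; suggest "The original source from Jay Freeman (saurik) is no longer available; precompiled builds are available from the ProcursusTeam repo." Also, linking saurik.com as the citation for the vanished source gives the reader nothing to fetch; if an archived copy of git.saurik.com/ldid.git exists, link that, otherwise drop the link and keep the name.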