Added V5.1.2 Template And It's Assets

MasoudAbdaal · MasoudAbdaal · commit a2e91f3b98a4 · 2025-03-25T17:57:43.000+03:30
diff --git a/templates/dast/5.1.2.yaml b/templates/dast/5.1.2.yaml
@@ -0,0 +1,48 @@
+id: ASVS-4-0-3-V5-1-2
+
+info:
+  name: ASVS 5.1.2 Check
+  author: Masoud Abdaal
+  severity: high
+  classification:
+    cwe-id: CWE-915
+  reference:
+    - https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation
+    - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/20-Testing_for_Mass_Assignment
+  tags: asvs,5.1.2
+  description: |
+    Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar.
+    Require Switch: -lfa (Load File Wordlist)
+
+http:
+  - raw: 
+    - |
+      POST {{Path}} HTTP/1.1
+      Host: {{Host}}
+      Content-Type: application/json
+      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0
+
+      { "{{key}}": {{value}}}
+
+    attack: clusterbomb
+    payloads:
+      key: "assets/keysList.txt"
+      value: "assets/valuesList.txt"
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "{{key}}"
+
+      - type: word
+        part: body
+        words:
+          - "{{value}}"
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - 'key="(?P<key>[^"]+)",value="(?:\\")?(?P<value>[^"\\]+)(?:\\")?"'
diff --git a/templates/dast/assets/keysList.txt b/templates/dast/assets/keysList.txt
@@ -0,0 +1,19 @@
+is_admin
+role
+approved
+balance
+status
+email_verified
+created_at
+updated_at
+IsAdmin
+Confirmed
+uid
+uuid
+guid
+is_verified
+user_id
+administrator
+admin
+isAdministrator
+isAdministrator
diff --git a/templates/dast/assets/valuesList.txt b/templates/dast/assets/valuesList.txt
@@ -0,0 +1,41 @@
+true
+false
+"true"
+"false"
+0
+1
+42
+-7
+100
+-250
+1000.50
+-250.75
+3.14
+-0.001
+"yes"
+"no"
+"active"
+"inactive"
+"pending"
+"verified"
+"unverified"
+"confirmed"
+"unconfirmed"
+"2023-01-01T12:00:00Z"
+"2024-12-31T23:59:59Z"
+"01/01/2023 12:00 PM"
+1672531200
+"550e8400-e29b-41d4-a716-446655440000"
+"123e4567-e89b-12d3-a456-426614174000"
+"user_12345"
+"john_doe"
+"admin"
+"user"
+"moderator"
+"guest"
+"superuser"
+{"admin": 1}
+{"isActive": true, "user": "admin"}
+{"balance": 99999.50, "currency": "USD"}
+{"role": "moderator", "approved": false}
+{"created_at": "2023-01-01T12:00:00Z", "updated_at": 1672531200}
