Create 3.1.1.yaml

Snbig · web-flow · commit bc56c442f6ba · 2025-03-22T20:40:21.000+03:30
Signed-off-by: Hamed Salimian &lt;hamed.salimian@owasp.org&gt;
diff --git a/templates/3.1.1.yaml b/templates/3.1.1.yaml
@@ -0,0 +1,33 @@
+id: ASVS-4-0-3-V3-1-1
+
+info:
+  name: ASVS 3.1.1 Check
+  author: Hamed Salimian
+  severity: medium
+  classification:
+    cwe-id: CWE-598
+  reference:
+    - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html
+    - https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/session-id.txt
+  tags: asvs,3.1.1
+  description: |
+    Verify the application never reveals session tokens in URL parameters.
+
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+    redirects: true
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - (i?)((https?|wss?))?(://)?[^\s?]+(?:\?|&)(?:session|sessionID|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
+
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - (i?)((https?|wss?))?(://)?[^\s?]+(?:\?|&)(?:session|sessionID|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
