diff --git a/.github/scripts/update-readme.py b/.github/scripts/update-readme.py
new file mode 100644
index 0000000..b5c9a96
--- /dev/null
+++ b/.github/scripts/update-readme.py
@@ -0,0 +1,88 @@
+import os
+import re
+import math
+
+# Function to find .yaml files recursively in all directories under templates
+def find_yaml_files(root_dir):
+ yaml_files = []
+ for dirpath, _, filenames in os.walk(root_dir):
+ for filename in filenames:
+ if filename.endswith('.yaml') and re.match(r'(\d+\.)+\d+\.yaml', filename):
+ yaml_files.append(os.path.join(dirpath, filename))
+ return yaml_files
+
+# Function to list all templates with a default ❌ mark
+def initialize_template_status(yaml_files):
+ template_status = {}
+ for file in yaml_files:
+ base_name = os.path.splitext(os.path.basename(file))[0]
+ template_status[base_name] = "❌" # Default to ❌
+ return template_status
+
+# Function to check if a related vulnerable page exists and update the status
+def update_vulnerable_status(template_status, vuln_dir):
+ for vuln_file in os.listdir(vuln_dir):
+ if vuln_file.startswith("ASVS_"):
+ base_name = vuln_file.replace("ASVS_", "").replace("_", ".")
+ if base_name in template_status:
+ template_status[base_name] = f'✔️' # Update to ✔️ if found
+
+# Function to update README.md with a table (4 columns: Template Name, Vulnerable Page, Template Name, Vulnerable Page)
+def update_readme(template_status, root_dir):
+ readme_file = 'README.md'
+ github_base_url = "https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/blob/dev/"
+
+ try:
+ with open(readme_file, 'r', encoding='utf-8') as file:
+ readme_content = file.read()
+
+ # Sort templates based on the first two sections of the version number
+ sorted_templates = sorted(template_status.items(), key=lambda x: tuple(map(int, x[0].split(".")[:2])))
+
+ # Create table rows with 4 columns
+ table_rows = ""
+ for i in range(0, len(sorted_templates), 2):
+ # Take two templates at a time
+ row_templates = sorted_templates[i:i + 2]
+ row_html = ""
+ for file_name, status in row_templates:
+ file_path = next(file for file in yaml_files if file_name in file) # Find full file path
+ file_url = github_base_url + file_path.replace(os.sep, '/') # Convert path to GitHub URL
+ file_link = f'{file_name}'
+ row_html += f"
{file_link} | {status} | "
+ table_rows += f"{row_html}
\n"
+
+ table_html = f'''Available Templates
+
+| Template Name | Vulnerable Page | Template Name | Vulnerable Page |
+{table_rows}
+
+
+'''
+
+ if "Available Templates
" in readme_content:
+ h2_index = readme_content.index("Available Templates
")
+ readme_content = readme_content[:h2_index]
+
+ readme_content += f'{table_html}'
+ with open(readme_file, 'w', encoding='utf-8') as file:
+ file.write(readme_content)
+
+ print("README.md updated successfully.")
+
+ except FileNotFoundError:
+ print(f"{readme_file} not found.")
+ except Exception as e:
+ print(f"An error occurred: {e}")
+
+if __name__ == '__main__':
+ root_dir = 'templates'
+ vuln_dir = 'Vulnerable-Pages'
+ yaml_files = find_yaml_files(root_dir)
+
+ if yaml_files:
+ template_status = initialize_template_status(yaml_files)
+ update_vulnerable_status(template_status, vuln_dir)
+ update_readme(template_status, root_dir)
+ else:
+ print("No matching YAML files found.")
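Review bot: `update_readme` (the `file_path = next(...)` line) reads the module-level `yaml_files` that only exists when the script is run under `__main__`, ignores its own `root_dir` parameter, and resolves the link by substring so `1.1.1` also matches `templates/11.1.1.yaml` and may link the wrong template. Resolve by exact base name from the parameter instead, `file_path = next(f for f in find_yaml_files(root_dir) if os.path.splitext(os.path.basename(f))[0] == file_name)`, or pass the name-to-path mapping in explicitly. The trailing `except Exception as e: print(...)` swallows every failure with exit status 0, so the workflow step after it cannot tell a broken run from a successful one; re-raise or `sys.exit(1)` after printing. The `import math` at the top of the file appears unused in the visible hunk.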
diff --git a/.github/workflows/syntax-checking.yml b/.github/workflows/syntax-checking.yml
index f641b2a..e8c83e9 100644
--- a/.github/workflows/syntax-checking.yml
+++ b/.github/workflows/syntax-checking.yml
@@ -2,6 +2,8 @@ name: ❄️ YAML Lint
on:
push:
+ paths:
+ - '**.yaml'
pull_request:
paths:
- '**.yaml'
diff --git a/.github/workflows/template-sign.yml b/.github/workflows/template-sign.yml
index fb341bb..60b2ff4 100644
--- a/.github/workflows/template-sign.yml
+++ b/.github/workflows/template-sign.yml
@@ -14,8 +14,9 @@ jobs:
if: github.repository == 'OWASP/www-project-asvs-security-evaluation-templates-with-nuclei'
steps:
- uses: actions/checkout@v4
-
- uses: projectdiscovery/actions/setup/nuclei@v1
+ with:
+ token: '${{ secrets.GITHUB_TOKEN }}'
- run: nuclei -lfa -duc -sign -ud $GITHUB_WORKSPACE -t .
env:
NUCLEI_USER_CERTIFICATE: ${{ secrets.NUCLEI_USER_CERTIFICATE }}
diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml
index 213dda0..20bc774 100644
--- a/.github/workflows/template-validate.yml
+++ b/.github/workflows/template-validate.yml
@@ -2,6 +2,8 @@ name: 🛠 Template Validate
on:
push:
+ paths:
+ - '**.yaml'
pull_request:
paths:
- '**.yaml'
@@ -26,5 +28,6 @@ jobs:
- name: Template Validation
run: |
cp -r ${{ github.workspace }}/templates /home/runner/nuclei-templates
+ cd /home/runner/nuclei-templates
nuclei -duc -validate -allow-local-file-access
nuclei -duc -validate -allow-local-file-access -w /home/runner/nuclei-templates/workflows
diff --git a/.github/workflows/update-readme.yml b/.github/workflows/update-readme.yml
new file mode 100644
index 0000000..3bb6489
--- /dev/null
+++ b/.github/workflows/update-readme.yml
@@ -0,0 +1,56 @@
+name: Update README with Templates
+
+on:
+ push:
+ branches:
+ - dev
+ paths:
+ - '**.yaml'
+ pull_request:
+ branches:
+ - dev
+
+jobs:
+ update-readme:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout the repository
+ uses: actions/checkout@v4
+ with:
+ submodules: true # Ensure submodules are initialized and updated
+
+ - name: Initialize and update submodules (if needed)
+ run: git submodule update --init --recursive
+
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.x'
+
+ - name: Run Python script to update README
+ run: python .github/scripts/update-readme.py
+
+ # Set up GPG for commit signing
+ - name: Set up GPG
+ run: |
+ echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import
+ git config --global user.name "Signing Bot"
+ git config --global user.email "github-actions@github.com"
+ git config --global commit.gpgSign true
+ git config --global user.signingkey ${{ secrets.GPG_KEY_ID }}
+
+ # Commit changes with GPG signing
+ - name: Commit changes if any
+ run: |
+ git add README.md
+ if ! git diff --cached --quiet; then
+ git commit -S -m "Update README table"
+ else
+ echo "No changes to commit"
+ fi
+
+ # Push changes
+ - name: Push changes
+ run: |
+ git pull origin dev --rebase
+ git push origin dev
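Review bot: The job declares no `permissions:` block yet pushes to `dev` (the `git push origin dev` step) using whatever credentials `actions/checkout` persisted, so it silently depends on the repository's default token being read/write; declare `permissions:` / `  contents: write` at the job level and leave everything else read-only. The `pull_request` trigger looks wrong for a job that commits to `dev`: on a PR the checkout is a detached merge ref, and a same-repository PR that edits `.github/scripts/update-readme.py` would run that modified script in a job that imports `GPG_PRIVATE_KEY`, so the trigger should be dropped or the signing steps gated on `github.event_name == 'push'`. Passing the key through `echo "${{ secrets.GPG_PRIVATE_KEY }}"` interpolates it into the shell script text; pass it via `env:` and `printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import` so the shell never parses the key material.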
diff --git a/README.md b/README.md
index 2b0699e..59e67ad 100644
--- a/README.md
+++ b/README.md
@@ -30,4 +30,32 @@ For detailed information and guidelines about contributing in developing templat
#### Core Team
The project current core team are:
-- [Hamed Salimain](https://github.com/Snbig) (Project Leader)
+- [Hamed Salimian](https://github.com/Snbig) (Project Leader)
+- [AmirHossein Raeisi](https://github.com/Ahsraeisi) (Project Co-Leader)
+- [Masoud Abdaal](https://github.com/MasoudAbdaal) (Contributor)
+- [AmirMohammad Ahmadi](https://github.com/) (Contributor)
+Available Templates
+
+
diff --git a/Vulnerable-Pages b/Vulnerable-Pages
index d30c157..478e3d9 160000
--- a/Vulnerable-Pages
+++ b/Vulnerable-Pages
@@ -1 +1 @@
-Subproject commit d30c157b7b6a9685b1b0c54dbf26a9ec57a41a41
+Subproject commit 478e3d9ba8f7dbffe3575d254bcf1cd744ad460e
diff --git a/templates/13.2.3.yaml b/templates/13.2.3.yaml
new file mode 100644
index 0000000..a4fdeb5
--- /dev/null
+++ b/templates/13.2.3.yaml
@@ -0,0 +1,46 @@
+id: ASVS-4-0-3-V13-2-3
+
+info:
+ name: ASVS 13.2.3 Check
+ author: Masoud Abdaal
+ severity: medium
+ classification:
+ cwe-id: CWE-352
+ reference:
+ - https://github.com/OWASP/ASVS/blob/master/4.0/en/0x21-V13-API.md#v132-restful-web-service
+ tags: asvs,13.2.3
+ description: |
+ Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, or Origin request header checks
+
+http:
+ - raw:
+ - |
+ GET {{BaseURL}} HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{origin_schema}}{{origin_host}}{{origin_port}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
+ Accept: */*
+
+ cookie-reuse: true
+ payloads:
+ origin_host:
+ - 127.0.0.1
+ - localhost
+ - '{{resolve("{{FQDN}}")}}'
+ origin_schema:
+ - http://
+ - https://
+ origin_port:
+ -
+ - :80
+ - :443
+ attack: clusterbomb
+
+ stop-at-first-match: true
+ matchers:
+ - type: dsl
+ name: 'Access Restriction Bypass Via Origin Spoof'
+ dsl:
+ - status_code < 210 && status_code >= 200
+ - to_number(forbidden_status_code) != status_code
+# digest: 490a00463044022050741006143f221ad95a93394da23c3bd73610d9f22873f039394a22c85958b602205cf0afc9b7f7a0628148c24168902290446034a0a136daab47024b7cd8750ef8:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
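Review bot: The only request is a plain `GET {{BaseURL}}` with a spoofed `Origin`, and the first `dsl` entry treats any 2xx as "Access Restriction Bypass Via Origin Spoof"; a GET returning 200 regardless of Origin is normal behaviour, not a missing CSRF defence, so this will flag nearly every target while saying nothing about the state-changing endpoints ASVS 13.2.3 is about. The second entry references `forbidden_status_code`, which is defined nowhere in the template (no `variables:` block), so it can only work if the caller supplies it with `-V forbidden_status_code=...`; the description should say so, and presumably the intended bound in the first entry is `status_code < 300` rather than `210`. Nuclei combines multiple `dsl` entries with an OR condition unless `condition: and` is set, so as written the first entry alone decides the match. Consider taking the method and path as variables (defaulting to POST) and documenting that the check must be pointed at a cookie-authenticated, state-changing endpoint.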
diff --git a/templates/3.1.1.yaml b/templates/3.1.1.yaml
new file mode 100644
index 0000000..71ee47c
--- /dev/null
+++ b/templates/3.1.1.yaml
@@ -0,0 +1,34 @@
+id: ASVS-4-0-3-V3-1-1
+
+info:
+ name: ASVS 3.1.1 Check
+ author: Hamed Salimian
+ severity: medium
+ classification:
+ cwe-id: CWE-598
+ reference:
+ - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html
+ - https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/session-id.txt
+ tags: asvs,3.1.1
+ description: |
+ Verify the application never reveals session tokens in URL parameters.
+
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+ redirects: true
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - (i?)((https?|wss?))?(://)?[^\s?]+(?:\?|&)(?:session|sessionID|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
+
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - (i?)((https?|wss?))?(://)?[^\s?]+(?:\?|&)(?:session|sessionID|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
+# digest: 4a0a0047304502200b04f148664841a92e2869491bb697da5a91b249b52641cce2fd21b2af3ed58e022100c90f5e35cb5924de9cc68967dfb48baae881590e336956b906b90e7730ca7bdc:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
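Review bot: Both regexes start with `(i?)`, which matches an optional literal `i` rather than enabling case-insensitive matching; the intended inline flag is `(?i)`, so casing variants such as `phpsessid=` or `JSESSIONID=` outside the listed spellings are currently missed. The same `(i?)` appears in the context line of `templates/headless/13.1.3.yaml` in this diff and should be fixed together. The alternation also includes generic names such as `email`, `username`, `key`, `id`-like `sid`, `admin`, `bucket` and `token`, which are routinely legitimate query parameters, so for a check scoped to "session tokens in URL parameters" this will produce a high false-positive rate; consider trimming to session-identifier names (or splitting the credential-style names into a separate info-severity extractor). A comment above the regex naming its source list would help maintainers, e.g. `# Parameter names adapted from SecLists session-id.txt; keep the (?i) flag.`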
diff --git a/templates/3.4.1.yaml b/templates/3.4.1.yaml
new file mode 100644
index 0000000..fb51b02
--- /dev/null
+++ b/templates/3.4.1.yaml
@@ -0,0 +1,45 @@
+id: ASVS-4-0-3-V3-4-1
+
+info:
+ name: ASVS 3.4.1 Check
+ author: AmirHossein Raeisi
+ severity: info
+ classification:
+ cwe-id: CWE-614
+ reference:
+ - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
+ - https://vulnerable-pages.onrender.com/set-cookie
+ - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/misconfiguration/cookies-without-secure.yaml
+ tags: asvs,3.4.1
+ description: |
+ Verify that cookie-based session tokens have the 'Secure' attribute set.
+
+flow: |
+ http()
+ javascript()
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+ host-redirects: true
+ max-redirects: 2
+
+javascript:
+ - code: |
+ content = template.http_all_headers
+ const setCookieLines = content
+ .split(/\r\n/)
+ .filter(line => line.trim().toLowerCase().startsWith('set-cookie:'));
+ const nonSecureCookies = setCookieLines.filter(line => !line.toLowerCase().includes('secure'));
+ const cookieNames = nonSecureCookies.map(line => {
+ const match = line.match(/set-cookie:\s*([^=]+)=/i);
+ return match ? match[1] : null;
+ }).filter(Boolean).filter(cookieName => cookieName.toLowerCase().includes('session')); // Check for 'session' in the cookie name
+ cookieNames
+
+ extractors:
+ - type: regex
+ regex:
+ - '[a-zA-Z0-9_-]+'
+# digest: 4b0a00483046022100a9988bb7771384dad914aecf5a0cb5bb6d5325a662e67ad6045ce032c7c1b352022100cbd76a81cb762ba0ff4d5e9641cac769a7518de3680987639e0565c4832496d7:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
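Review bot: The Secure-flag test `!line.toLowerCase().includes('secure')` looks at the whole `Set-Cookie` line, so a cookie whose name or value happens to contain "secure" (for example `securesession=abc`) is reported as protected even without the attribute. Parse the attribute list instead: `const nonSecureCookies = setCookieLines.filter(line => !line.split(';').slice(1).some(attr => attr.trim().toLowerCase() === 'secure'));`. The `cookieName.toLowerCase().includes('session')` filter also skips common session cookies such as `PHPSESSID`, `connect.sid` or `sid`, so the description's "cookie-based session tokens" is only partially covered; extending the filter to `sess`/`sid` or making the name list a template variable would be more useful. Whether `template.http_all_headers` holds the headers of every hop when `max-redirects: 2` is followed is not visible here and is worth confirming, since a redirect that sets the session cookie is the common case.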
diff --git a/templates/3.4.2.yaml b/templates/3.4.2.yaml
new file mode 100644
index 0000000..aabe41c
--- /dev/null
+++ b/templates/3.4.2.yaml
@@ -0,0 +1,47 @@
+id: ASVS-4-0-3-V3-4-2
+
+info:
+ name: ASVS 3.4.2 Check
+ author: AmirHossein Raeisi
+ severity: info
+ classification:
+ cwe-id: CWE-1004
+ reference:
+ - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
+ - https://vulnerable-pages.onrender.com/set-cookie
+ - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/misconfiguration/cookies-without-httponly.yaml
+ tags: asvs,3.4.2
+ description: |
+ Verify that cookie-based session tokens have the 'HttpOnly' attribute set.
+
+flow: |
+ http()
+ javascript()
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+ host-redirects: true
+ max-redirects: 2
+
+javascript:
+ - code: |
+ content = template.http_all_headers
+ const setCookieLines = content
+ .split(/\r\n/)
+ .filter(line => line.trim().toLowerCase().startsWith('set-cookie:'));
+
+ const nonHttpOnlyCookies = setCookieLines.filter(line => !line.toLowerCase().includes('httponly'));
+
+ const cookieNames = nonHttpOnlyCookies.map(line => {
+ const match = line.match(/set-cookie:\s*([^=]+)=/i);
+ return match ? match[1] : null;
+ }).filter(Boolean).filter(cookieName => cookieName.toLowerCase().includes('session')); // Check for 'session' in the cookie name;
+ cookieNames
+
+ extractors:
+ - type: regex
+ regex:
+ - '[a-zA-Z0-9_-]+'
+# digest: 4a0a00473045022100c2b42cddd46efda37dc9650ed2f881c6b089ca31b65bcc78d53a21ba41c0a5bc022059b47407bcc48d3ff9e40c71aadb6af658570d839d5cf88388e740cc3fd5bd7b:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
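Review bot: The HttpOnly test `!line.toLowerCase().includes('httponly')` matches anywhere in the `Set-Cookie` line, so a cookie name or value containing "httponly" would be counted as flagged even when the attribute is absent. Check the attribute tokens instead: `const nonHttpOnlyCookies = setCookieLines.filter(line => !line.split(';').slice(1).some(attr => attr.trim().toLowerCase() === 'httponly'));`. As in 3.4.1, the `includes('session')` name filter misses `PHPSESSID`, `connect.sid` and similar session cookies, so the check does not cover everything the description promises. A short comment under `code: |` saying which cookies the name filter is meant to catch would make the limitation explicit for users, e.g. `# Only cookies whose name contains "session" are reported; extend the filter for framework-specific names.`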
diff --git a/templates/5.1.1.yaml b/templates/5.1.1.yaml
new file mode 100644
index 0000000..7d71778
--- /dev/null
+++ b/templates/5.1.1.yaml
@@ -0,0 +1,79 @@
+id: ASVS-4-0-3-V5-1-1
+
+info:
+ name: ASVS 5.1.1 Check
+ author: Masoud Abdaal
+ severity: medium
+ classification:
+ cwe-id: CWE-235
+ reference:
+ - https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation
+ - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution
+ - https://swisskyrepo.github.io/PayloadsAllTheThings/HTTP%20Parameter%20Pollution/#parameter-pollution-table
+ tags: asvs,5.1.1
+ description: |
+ Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, or environment variables).
+
+flow: http(1)
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}?{{parameters}}=x&{{parameters}}=Polluted_1"
+ - "{{BaseURL}}?{{parameters}}[]=x&{{parameters}}=Polluted_2"
+ - "{{BaseURL}}?{{parameters}}=x&{{parameters}}[]=Polluted_2"
+ - "{{BaseURL}}?{{parameters}}[]=x&{{parameters}}[]=Polluted_2"
+ - "{{BaseURL}}?{{parameters}}=x, Polluted_1&{{parameters}}=Polluted_2"
+ - "{{BaseURL}}?{{parameters}}=x%26{{parameters}}=Polluted_2"
+ - "{{BaseURL}}?{{parameters}}[1]=x&{{parameters}}[1]=Polluted_2"
+
+ payloads:
+ parameters: 'assets/5.1.1Parameters.txt'
+
+ matchers:
+ - type: status
+ status:
+ - 200
+ - 302
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - '(?i)(?P[a-zA-Z0-9_\[\]]+)=x(?:&|,).*?(?PPolluted[^&\s]+)'
+
+
+ - raw:
+ - |
+ POST HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ {{body_variant}}
+
+ payloads:
+ # [Nuclei BUG] Loading Combination of Payloads Failed, This Flow Has Been Disabled
+ parameters: 'assets/5.1.1Parameters.txt'
+
+ body_variant:
+ - '{{parameters}}=x&{{parameters}}=Polluted_1'
+ - '{{parameters}}[]=x&{{parameters}}=Polluted_2'
+ - '{{parameters}}=x&{{parameters}}[]=Polluted_2'
+ - '{{parameters}}[]=x&{{parameters}}[]=Polluted_2'
+ - '{{parameters}}[]=[x,Polluted_1]&{{parameters}}[]=Polluted_2'
+ - '{{parameters}}=x,Polluted_1&{{parameters}}=Polluted_2'
+ - '{{parameters}}=x%26{{parameters}}=Polluted_2'
+ - |
+ { "{{parameters}}" :"x" , "{{parameters}}": "Polluted_1" }'
+ matchers:
+ - type: status
+ status:
+ - 200
+ - 302
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - '(?i)(?P[a-zA-Z0-9_\[\]]+)=x(?:&|,).*?(?PPolluted[^&\s]+)'
+# digest: 4a0a00473045022100ddb41d69ed02bf3cd2bdf3724de8d7aeb7c22ddfeb508ba5686d4b4e1c8b84ce022026d2b3bb3ca4ef6bfb5bc9c1795204f3ea0e445dae8adb6ffd2fc19415a83acc:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
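Review bot: The first request's `matchers` are status-only (`200`/`302`), so every target that serves its base URL successfully is reported as vulnerable to parameter pollution regardless of whether anything was polluted; the only real signal is the `Polluted` regex in the `extractors`, which should be promoted to a `type: regex` matcher (optionally with `matchers-condition: and` alongside the status check). `assets/5.1.1Parameters.txt`, added in this same diff, contains a single empty line, so the `{{parameters}}` payload list is effectively empty and no meaningful requests are built. In the disabled second request the request line `POST HTTP/1.1` lacks a path (`POST {{Path}} HTTP/1.1`), and the JSON body variant ends with a stray `'`; since `flow: http(1)` already skips it, these should be fixed or the block removed rather than shipped as a commented "Nuclei BUG". The URL variant containing a literal space (`=x, Polluted_1`) also depends on nuclei percent-encoding it, which is worth confirming.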
diff --git a/templates/5.1.2.yaml b/templates/5.1.2.yaml
new file mode 100644
index 0000000..dcc13be
--- /dev/null
+++ b/templates/5.1.2.yaml
@@ -0,0 +1,49 @@
+id: ASVS-4-0-3-V5-1-2
+
+info:
+ name: ASVS 5.1.2 Check
+ author: Masoud Abdaal
+ severity: high
+ classification:
+ cwe-id: CWE-915
+ reference:
+ - https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation
+ - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/20-Testing_for_Mass_Assignment
+ tags: asvs,5.1.2
+ description: |
+ Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar.
+ Require Switch: -lfa (Load File Wordlist)
+
+http:
+ - raw:
+ - |
+ POST {{Path}} HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0
+
+ { "{{key}}": {{value}}}
+
+ attack: clusterbomb
+ payloads:
+ key: "assets/keysList.txt"
+ value: "assets/valuesList.txt"
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "{{key}}"
+
+ - type: word
+ part: body
+ words:
+ - "{{value}}"
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - 'key="(?P[^"]+)",value="(?:\\")?(?P[^"\\]+)(?:\\")?"'
+# digest: 4a0a00473045022100b8429e15ee3873083aaaa213d2a7b4aa9559ae7be720c4d1f47b52499867a1f902202b1a7e5215c6e6e1736b676ad5e664eba44d99a4f154e3c35cced6ea8b76cd0d:236a7c23afe836fbe231d6e037cff444
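Review bot: With `matchers-condition: or` the second matcher fires whenever the response body contains `{{value}}`, and the value list includes `0`, `1`, `true`, `false` and `"user"`, so almost any JSON response will be reported as a mass-assignment finding; at minimum match the reflected pair, e.g. `words: ['"{{key}}": {{value}}', '"{{key}}":{{value}}']`, and drop the bare-value matcher, since a field echoed back is only a hint and the real proof is a follow-up read showing the attribute changed. The template sends a `clusterbomb` of 19 keys x 41 values (779 POSTs to `{{Path}}`) with bodies like `{"is_admin": true}` against whatever path is given, which is an active, potentially state-changing test; the description should warn to run it only against test accounts or lab targets. `assets/keysList.txt` lists `isAdministrator` twice, which doubles those requests for no gain.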
diff --git a/templates/9.1.3.yaml b/templates/9.1.3.yaml
index 31facb1..33be3bf 100644
--- a/templates/9.1.3.yaml
+++ b/templates/9.1.3.yaml
@@ -45,4 +45,4 @@ ssl:
- type: json
json:
- " .tls_version"
-# digest: 4b0a00483046022100e28690ed9b4e02b2f1b32d3e5fea4266b8aea6d668d35365ed9e94ad9515ae8e022100e25e0fd48313f9be115c8f93bb91dc18ad74ebf1997576b72c99e810ac804570:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
+# digest: 4a0a00473045022042f1672410949e71eaa8aee71d0fbb1c67db1e96b579e6fbfac0d6851e8e1c8e022100dd3eab50a2051e2c015560c4fbac41ccdffaa1a13fd315a0ec9abe6d41130696:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
diff --git a/templates/assets/5.1.1Parameters.txt b/templates/assets/5.1.1Parameters.txt
new file mode 100644
index 0000000..d3f5a12
--- /dev/null
+++ b/templates/assets/5.1.1Parameters.txt
@@ -0,0 +1 @@
+
diff --git a/templates/assets/keysList.txt b/templates/assets/keysList.txt
new file mode 100644
index 0000000..6dea403
--- /dev/null
+++ b/templates/assets/keysList.txt
@@ -0,0 +1,19 @@
+is_admin
+role
+approved
+balance
+status
+email_verified
+created_at
+updated_at
+IsAdmin
+Confirmed
+uid
+uuid
+guid
+is_verified
+user_id
+administrator
+admin
+isAdministrator
+isAdministrator
diff --git a/templates/assets/valuesList.txt b/templates/assets/valuesList.txt
new file mode 100644
index 0000000..f8bc88a
--- /dev/null
+++ b/templates/assets/valuesList.txt
@@ -0,0 +1,41 @@
+true
+false
+"true"
+"false"
+0
+1
+42
+-7
+100
+-250
+1000.50
+-250.75
+3.14
+-0.001
+"yes"
+"no"
+"active"
+"inactive"
+"pending"
+"verified"
+"unverified"
+"confirmed"
+"unconfirmed"
+"2023-01-01T12:00:00Z"
+"2024-12-31T23:59:59Z"
+"01/01/2023 12:00 PM"
+1672531200
+"550e8400-e29b-41d4-a716-446655440000"
+"123e4567-e89b-12d3-a456-426614174000"
+"user_12345"
+"john_doe"
+"admin"
+"user"
+"moderator"
+"guest"
+"superuser"
+{"admin": 1}
+{"isActive": true, "user": "admin"}
+{"balance": 99999.50, "currency": "USD"}
+{"role": "moderator", "approved": false}
+{"created_at": "2023-01-01T12:00:00Z", "updated_at": 1672531200}
diff --git a/templates/dast/12.3.3.yaml b/templates/dast/12.3.3.yaml
index 740b852..27b4ede 100644
--- a/templates/dast/12.3.3.yaml
+++ b/templates/dast/12.3.3.yaml
@@ -45,4 +45,4 @@ http:
words:
- "http"
- "dns"
-# digest: 4b0a00483046022100e9049e13075ecd5bbc8127b9f96d1a53760d33467da662895cb19e61dd707cbe02210083d94e0c052abf24a0fad0ef9c48830fac642abaacc5acc42aa239e00b313237:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
+# digest: 490a00463044022035b6f9539276bd3c6a058b1402e01032e0b692dbe8a3323841ad05b6e507888f02203b3f6b4dba281eab84cf5606e79a25bf147d6f6424a1efba5cea2a9727cb1521:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
diff --git a/templates/12.6.1.yaml b/templates/dast/12.6.1.yaml
similarity index 86%
rename from templates/12.6.1.yaml
rename to templates/dast/12.6.1.yaml
index 3ed9c5d..070c4e8 100644
--- a/templates/12.6.1.yaml
+++ b/templates/dast/12.6.1.yaml
@@ -52,8 +52,8 @@ http:
stop-at-first-match: true
matchers:
- type: word
- part: interactsh_protocol # Confirms the HTTP Interaction
+ part: interactsh_protocol
words:
- "http"
- "dns"
-# digest: 4b0a00483046022100c660a7e46a1f17eed707c5912df531e5f2938feba4be175f24f20b0ecb229fde022100a79f952331843fab8d0705fd10d56db51e59bdd935d65ad3a557357129527964:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
+# digest: 4a0a00473045022100df54f16772e7070065be0f76b4a0729bd9aaceb11093982424ad29dd4d13056f022026b642707e4b17641c3029a8d20b0b9d968353e6f425e29980b535a77c3e06f7:236a7c23afe836fbe231d6e037cff444
diff --git a/templates/dast/5.2.1.yaml b/templates/dast/5.2.1.yaml
new file mode 100644
index 0000000..b274401
--- /dev/null
+++ b/templates/dast/5.2.1.yaml
@@ -0,0 +1,69 @@
+id: ASVS-4-0-3-V5-2-1
+
+info:
+ name: ASVS 5.2.1 Check
+ author: Masoud Abdaal,AmirHossein Raeisi
+ severity: high
+ classification:
+ cwe-id: CWE-116
+ reference:
+ - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection
+ - https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing
+ tags: asvs,5.2.1
+ description: |
+ Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer library or framework feature.
+
+variables:
+ first: "{{rand_int(10000, 99999)}}"
+
+http:
+ - pre-condition:
+ - type: dsl
+ dsl:
+ - method == POST
+ - len(body) > 0
+
+ payloads:
+ reflection:
+ - "'\"><{{first}}>"
+ - "'><{{first}}>"
+ - "\"><{{first}}>"
+
+ fuzzing:
+ - part: body
+ type: postfix
+ mode: multiple
+ keys:
+ - "ops"
+ - "insert"
+ - "ops"
+ - "insert"
+ - "attributes"
+ - "bold"
+ - "italic"
+ - "link"
+ - "time"
+ - "blocks"
+ - "type"
+ - "data"
+ - "text"
+ - "level"
+ - "style"
+ - "items"
+ - "version"
+ fuzz:
+ - "{{reflection}}"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "{{reflection}}"
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+# digest: 490a004630440220382129ed0d9359f3fbb430662f58537107baa513eb858fb933614b42bf36531002201b4698da5b6958c2bf5a691ff6659eb79592fe34f43deda74843b93001618ae3:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
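Review bot: The `fuzzing` `keys` list repeats `ops` and `insert`, which at best doubles the requests for those keys; the remaining names look like Quill (`ops`/`insert`/`attributes`) and Editor.js (`blocks`/`type`/`data`/`text`/`level`/`items`/`version`) document structures, and a comment saying so, e.g. `# keys cover Quill delta and Editor.js block JSON payloads`, would tell users which editors the check is tuned for. Each `reflection` payload contains a raw `"`; when the postfix is appended inside a JSON string value, whether the body stays valid depends on nuclei re-serialising the JSON after the edit, which is not visible here and is worth confirming, otherwise the server will reject the request with 400 before any sanitizer runs. `severity: high` for a reflected `<12345>` marker in an HTML response is a strong claim; since the test proves only unencoded reflection, `medium` with a note that manual confirmation is needed would be more honest.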
diff --git a/templates/headless/13.1.3.yaml b/templates/headless/13.1.3.yaml
index 3628c98..91ee155 100644
--- a/templates/headless/13.1.3.yaml
+++ b/templates/headless/13.1.3.yaml
@@ -42,4 +42,4 @@ headless:
part: urls
regex:
- (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
-# digest: 4a0a0047304502200bb9a7013c8b23ed6d393454ecc8d3490da0969a5941940b992a0d840a4ec6de022100a2ff4b3d7ae8fd710402c65a53e16516fa5b41e02b7655cb678965104a89d3b3:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
+# digest: 4a0a00473045022100a6c13a2d3c3f6022b65ee4a2befbc5ed8b508adaacb00d4cd021850e7684d68402200457b9687680ef120175c025f49e2ae323fb19d7763a537ed250484d19ebfb7a:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
diff --git a/templates/headless/2.1.11.yaml b/templates/headless/2.1.11.yaml
new file mode 100644
index 0000000..5c78f61
--- /dev/null
+++ b/templates/headless/2.1.11.yaml
@@ -0,0 +1,65 @@
+id: ASVS-4-0-3-V2-1-11
+
+info:
+ name: ASVS 2.1.11 Check
+ author: Hamed Salimian
+ severity: low
+ classification:
+ cwe-id: CWE-521
+ reference:
+ - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html
+ - https://snbig.github.io/Vulnerable-Pages/ASVS_2_1_11/
+ tags: asvs,2.1.11
+ description: |
+ Verify that "paste" functionality, browser password helpers, and external password managers are permitted.
+ Run with `-show-browser` switch.
+
+variables:
+ password_field_name: "password"
+
+headless:
+ - steps:
+ - args:
+ url: "{{BaseURL}}"
+ action: navigate
+
+ - action: waitload
+
+ - action: script
+ name: anyFieldsFunctional
+ args:
+ code: |
+ () => {
+ return (function verifyPasteFunction(testValue = "{{rand_text_alphanumeric(14)}}") {
+ const passwordFields = document.querySelectorAll('input[name="{{password_field_name}}"]');
+
+ if (passwordFields.length === 0) {
+ return false; // No password fields found
+ }
+
+ let isAnyPasteFunctional = false; // Flag to track if any field is functional
+
+ passwordFields.forEach((field) => {
+ // Verify paste functionality
+ field.value = ""; // Clear the field
+
+ // Simulate paste by directly setting the value
+ field.focus();
+ document.execCommand("insertText", false, testValue); // Programmatic paste
+
+ const pastedValue = field.value;
+ if (pastedValue === testValue) {
+ isAnyPasteFunctional = true; // Set the flag to true if paste works
+ }
+ });
+
+ // Return true if any field was functional, otherwise false
+ return isAnyPasteFunctional;
+ })();
+ }
+
+ matchers:
+ - type: dsl
+ dsl:
+ - anyFieldsFunctional == "true"
+# digest: 4a0a00473045022100c74aedc8edd1b389d7a60d6ec0d897e107db389e572bfd66fa769afa06b0306b02204b6ff6f459c0338e15b1265f608fa55b533d6f13f808776e4ca95a55642535d1:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
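Review bot: `document.execCommand("insertText", ...)` inserts text without firing a `paste` event, so a page that blocks pasting with `onpaste="return false"` or a `paste` listener calling `preventDefault()` — the exact anti-pattern ASVS 2.1.11 is about — still passes this check. Dispatch a cancelable synthetic `paste` event first and only count the field as functional when it is not cancelled and the text lands in the field; the rewritten loop body is below. The selector `input[name="{{password_field_name}}"]` also misses fields that are identified only by type, so `input[type="password"], input[name="{{password_field_name}}"]` would cover more forms. The description's "Run with `-show-browser` switch" deserves a reason (presumably focus/`execCommand` behaves differently headless); if that is the case say so, e.g. `# execCommand("insertText") needs a focused visible window; run with -show-browser`.

```yaml
                passwordFields.forEach((field) => {
                  field.value = "";
                  field.focus();
                  // A real paste is a cancelable 'paste' event; onpaste="return false" blocks it here.
                  const dt = new DataTransfer();
                  dt.setData("text/plain", testValue);
                  const pasteAllowed = field.dispatchEvent(
                    new ClipboardEvent("paste", { clipboardData: dt, bubbles: true, cancelable: true })
                  );
                  // Synthetic events have no default action, so insert the text ourselves if not blocked.
                  if (pasteAllowed) {
                    document.execCommand("insertText", false, testValue);
                    if (field.value === testValue) {
                      isAnyPasteFunctional = true;
                    }
                  }
                });
                # … unchanged: return isAnyPasteFunctional …
```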