Merge branch 'main' into libafl-section

Author: elopez

.github/workflows/hugo.yml

@@ -30,7 +30,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     env:
-      HUGO_VERSION: 0.122.0
+      HUGO_VERSION: 0.133.0
     steps:
       - name: Install Hugo CLI
         run: |

.github/workflows/markdown.yml

@@ -11,16 +11,23 @@ jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
-    - uses: gaurav-nelson/github-action-markdown-link-check@v1
+    - uses: actions/checkout@v4
+    - name: Restore lychee cache
+      uses: actions/cache@v4
       with:
-        use-quiet-mode: 'yes'
+         path: .lycheecache
+         key: cache-lychee-${{ github.sha }}
+         restore-keys: cache-lychee-
+    - uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # for v1.10.0
+      with:
+        args: --base . -a 100..=103,200..=299,429 --verbose --no-progress --cache --max-cache-age 1d --scheme http --scheme https './**/*.md' './layout/shortcodes/fuzzing/*.html'
+        fail: true
   # Lint Markdown files
   # Uses: a custom configuration file
   markdown-linter:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: DavidAnson/markdownlint-cli2-action@v15
       with:
         globs: "**/*.md"
@@ -29,7 +36,7 @@ jobs:
   spellcheck:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: tbroadley/spellchecker-cli-action@v1
       with:
         # No need to use a dictionary file with the disabled spell plugin 

.github/workflows/preview.yml

@@ -24,7 +24,7 @@ jobs:
   build-deploy:
     runs-on: ubuntu-latest
     env:
-      HUGO_VERSION: 0.122.0
+      HUGO_VERSION: 0.133.0
     steps:
       - name: Install Hugo CLI
         run: |
@@ -33,7 +33,7 @@ jobs:
       - name: Install Dart Sass Embedded
         run: sudo snap install dart-sass-embedded
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Install Node.js dependencies

.markdownlint.jsonc

@@ -75,30 +75,30 @@
 
   // MD013/line-length - Line length
 
-  "MD013": {
-    // Number of characters
-    "line_length": 130,
-    // Number of characters for headings
-    "heading_line_length": 120,
-    // Number of characters for code blocks
-    "code_block_line_length": 120,
-    // Include code blocks
-    "code_blocks": true,
-    // Include tables
-    "tables": true,
-    // Include headings
-    "headings": true,
-    // Include headings
-    "headers": true,
-    // Strict length checking
-    "strict": false,
-    // Stern length checking
-    "stern": false
-  },
+  // "MD013": {
+  //   // Number of characters
+  //   "line_length": 130,
+  //   // Number of characters for headings
+  //   "heading_line_length": 120,
+  //   // Number of characters for code blocks
+  //   "code_block_line_length": 120,
+  //   // Include code blocks
+  //   "code_blocks": true,
+  //   // Include tables
+  //   "tables": true,
+  //   // Include headings
+  //   "headings": true,
+  //   // Include headings
+  //   "headers": true,
+  //   // Strict length checking
+  //   "strict": false,
+  //   // Stern length checking
+  //   "stern": false
+  //  },
 
 
   // Disable line length check:
-  // "MD013" : false,
+  "MD013" : false,
 
   // MD014/commands-show-output - Dollar signs used before commands without showing output
   "MD014": true,

README.md

@@ -29,17 +29,19 @@ hope to demystify static and dynamic analysis techniques such as fuzzing and tai
 |[Semgrep](https://appsec.guide/docs/static-analysis/semgrep/)| [Announcing the Trail of Bits Testing Handbook](https://blog.trailofbits.com/2023/07/26/announcing-the-trail-of-bits-testing-handbook/)|2023|
 |[CodeQL](https://appsec.guide/docs/static-analysis/codeql/)| [Say hello to the next chapter of the Testing Handbook!](https://blog.trailofbits.com/2023/12/11/say-hello-to-the-next-chapter-of-the-testing-handbook/)|2023|
 |[Fuzzing](https://appsec.guide/docs/fuzzing/)| [Master fuzzing with our new Testing Handbook chapter](https://blog.trailofbits.com/2024/02/09/master-fuzzing-with-our-new-testing-handbook-chapter/)|2024|
+|[Burp](https://appsec.guide/docs/web/burp/)| [Announcing the Burp Suite Professional chapter in the Testing Handbook](https://blog.trailofbits.com/2024/06/14/announcing-the-burp-suite-professional-chapter-in-the-testing-handbook/)|2024|
+| [Cryptographic testing - Wycheproof and Constant time analysis tooling](https://appsec.guide/docs/crypto/) | TBD | 2024 |
 
 ### 🎥 Webinars
 
 | Topic | Link |
 |---|---|
 | Introduction to Semgrep | https://www.youtube.com/watch?v=yKQlTbVlf0Q |
 | Introduction to CodeQL: Examples, Tools and CI Integration | https://www.youtube.com/watch?v=rQRlnUQPXDw |
+| Mastering Web Research with Burp Suite | https://www.youtube.com/watch?v=0PV5QEQTmPg |
 
 ### 🚧 Under construction
 
-- Burp Suite Professional
 - Formal verification and Tamarin
 - Rust
 
@@ -111,7 +113,7 @@ Your browser will be automatically refreshed with changes whenever you save a fi
 
 - The GitHub workflow in this repository verifies the correctness of Markdown files through three checks:
   1. **Markdown Link Check**: This step extracts links from Markdown files and verifies if they are valid and accessible.
-    It uses the [github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) action.
+    It uses the [lychee link checking action](https://github.com/lycheeverse/lychee-action).
   2. **Markdown Linter**: This step ensures that Markdown files adhere to the desired style and formatting rules.
     It uses a custom configuration file (`.github/workflows/.markdownlint.jsonc`) and the
      [markdownlint-cli2-action](https://github.com/DavidAnson/markdownlint-cli2-action) action.
@@ -135,22 +137,7 @@ since it is the title of a document. But if you'd like to avoid the capitalizati
 
 ### Workflow: From Google Docs
 
-1. Make your document viewable via a link share.
-2. Create a Google account or use your private one (If you use this method, your document should be considered public but unpublished).
-3. Install [Docs to Markdown](https://workspace.google.com/marketplace/app/docs_to_markdown/700168918607).
-This addon works better than the pandoc.
-4. Open the document and make a copy.
-5. Open the copy and run the Addon.
-6. Export the markdown and apply fixes:
-   - Search for occurrences of `<code>` or `<strong>` or any other html tags
-   - Replace HTML tables with markdown ones (<https://jmalarcon.github.io/markdowntables/>)
-   - If you split your document, fix internal links.
-   - Add missing images.
-   - Fix `&lt;`, …, “, ’
-   - Adjust markdown captions ## -> #
-   - Verify missing formatting in PRO TIPs
-   - . at the end of fig captions?
-   - Note that index bundles do not use the "slug"
+You can export the document from Google Docs as Markdown. Open the document in Google Docs. Click `File` > `Download`, and then select `Markdown (.md)`.
 
 ### Custom environments
 

assets/_custom.scss

@@ -160,4 +160,4 @@ html {
 ::-webkit-scrollbar-thumb {
   background: var(--gray-500);
   border-radius: $padding-8;
-}
+}

config.toml

@@ -10,6 +10,7 @@ enableEmoji = true
   # Comment to make pages uneditable with a github link ("Edit this page" in the footer):
   BookRepo = "https://github.com/trailofbits/testing-handbook"
   BookEditBranch = "main"
+  math = false
 
 [params.render_hooks.link]
   errorLevel = 'warning' # ignore (default), warning, or error (fails the build)
@@ -30,4 +31,12 @@ enableEmoji = true
   [markup.goldmark.renderer]
     unsafe = false
   [markup.goldmark.parser.attribute]
-    block = true
+    block = true
+  [markup.goldmark]
+    [markup.goldmark.extensions]
+      [markup.goldmark.extensions.passthrough]
+        enable = true
+        [markup.goldmark.extensions.passthrough.delimiters]
+          block = [['$$', '$$']]
+          inline = [['\(', '\)']]
+ 

content/_index.md

@@ -65,11 +65,21 @@ We currently cover the following tools and techniques:
 ### Dynamic analysis
 
 - [Fuzzing]({{< relref "fuzzing" >}})
+- [Burp Suite Professional]({{< relref "/docs/web/burp/" >}})
 
 {{< /columns >}}
 
 We are working on expanding the tools we cover here. We are also planning to
-cover several dynamic analysis tools. Stay tuned for updates from our team!
+cover several other security-related topics. Stay tuned for updates from our team!
+
+### Upcoming (!)
+
+- Formal verification and Tamarin
+- Rust security
+- How to apply taint analysis in a directed fuzzing loop or/and for results verification
+- Taking effective notes for security engagements
+- mitmproxy
+- Leveraging grep in security audits
 
 ## Custom queries for static analysis tools
 

content/docs/crypto/_index.md

@@ -0,0 +1,16 @@
+---
+weight: 2
+bookFlatSection: true
+title: "Cryptographic testing"
+---
+
+# Cryptographic testing
+
+This section presents testing tools to verify implementations of cryptographic algorithms.  
+For each tool, we cover topics such as:
+
+- Explain the workings of these tools
+- Installation and basic use
+- Provide examples
+
+{{< section >}}