From ff78a2767ebb06f50e8f5f59e374c4a0d3b07fb2 Mon Sep 17 00:00:00 2001
From: Hamed Salimian <hamed.salimian@owasp.org>
Date: Tue, 3 Dec 2024 15:32:43 +0330
Subject: [PATCH] Create 13.1.3.yaml (#11)

* Create 13.1.3.yaml

Based on requirement 13.1.3, this template checks whether the API URLs expose sensitive Information through query strings.

Signed-off-by: Hamed Salimian <hamed.salimian@owasp.org>
---
 .github/workflows/template-sign.yml | 12 ++++++++
 templates/9.1.3.yaml                |  2 +-
 templates/code/12.1.1.2.yaml        |  3 +-
 templates/headless/13.1.3.yaml      | 45 +++++++++++++++++++++++++++++
 4 files changed, 59 insertions(+), 3 deletions(-)
 create mode 100644 templates/headless/13.1.3.yaml

diff --git a/.github/workflows/template-sign.yml b/.github/workflows/template-sign.yml
index ceee54d..fb341bb 100644
--- a/.github/workflows/template-sign.yml
+++ b/.github/workflows/template-sign.yml
@@ -14,16 +14,28 @@ jobs:
     if: github.repository == 'OWASP/www-project-asvs-security-evaluation-templates-with-nuclei'
     steps:
       - uses: actions/checkout@v4
+
       - uses: projectdiscovery/actions/setup/nuclei@v1
       - run: nuclei -lfa -duc -sign -ud $GITHUB_WORKSPACE -t .
         env:
           NUCLEI_USER_CERTIFICATE: ${{ secrets.NUCLEI_USER_CERTIFICATE }}
           NUCLEI_USER_PRIVATE_KEY: ${{ secrets.NUCLEI_USER_PRIVATE_KEY }}
+
+      # Set up GPG for automatic commit signing
+      - name: Set up GPG
+        run: |
+          echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import
+          git config --global user.name "Signing Bot"
+          git config --global user.email "github-actions@github.com"
+          git config --global commit.gpgSign true
+          git config --global user.signingkey ${{ secrets.GPG_KEY_ID }}
+
       - uses: projectdiscovery/actions/setup/git@v1
       - uses: projectdiscovery/actions/commit@v1
         with:
           files: '.'
           message: 'chore: sign templates 🤖'
+      
       - name: Push changes
         run: |
           git pull origin $GITHUB_REF --rebase
diff --git a/templates/9.1.3.yaml b/templates/9.1.3.yaml
index 2ca1e88..a71233a 100644
--- a/templates/9.1.3.yaml
+++ b/templates/9.1.3.yaml
@@ -45,4 +45,4 @@ ssl:
       - type: json
         json:
           - " .tls_version"
-# digest: 4a0a00473045022065282575a135691de3ce419d2ea546daa99ef87c3fa4742f597f5f081a4b2118022100fbae7e4a55c4493731649f3929a8e1fcd831156092c7e31e0cbc96a76c37d56a:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
+# digest: 4b0a00483046022100ad668aabd5f22ba949265c214a22dd6393fc9d65118f5551704be20c9791b4fa022100a7d26f7b256f003b8db0d8794e22f7e63f051f5674b5ff4ed8a01b6cfa8787e3:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
diff --git a/templates/code/12.1.1.2.yaml b/templates/code/12.1.1.2.yaml
index 413238d..864ddab 100644
--- a/templates/code/12.1.1.2.yaml
+++ b/templates/code/12.1.1.2.yaml
@@ -56,5 +56,4 @@ http:
         status:
           - 500
           - 503
-
-# digest: 4b0a00483046022100a1a000f9e17a6e0742509f92e5bfc0bff3e4593e92006c1df43768dd84f93a56022100ee377b3ab8e4140a4b89335af54301c3603f629fdb11d7b2bca8f1d93f58342a:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
+# digest: 490a00463044022028a06b48a69139c9fccf8c6eb53a580241f2f1938a086024b52e7a3ca70323f102204a76989a347bb16dbb1d946dfaa0db5bb074cc279cd27f543eec2b4d6c405a51:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file
diff --git a/templates/headless/13.1.3.yaml b/templates/headless/13.1.3.yaml
new file mode 100644
index 0000000..3628c98
--- /dev/null
+++ b/templates/headless/13.1.3.yaml
@@ -0,0 +1,45 @@
+id: ASVS-4-0-3-V13-1-3
+
+info:
+  name: ASVS 13.1.3 Check
+  author: Hamed Salimian
+  severity: medium
+  classification:
+    cwe-id: CWE-598
+  reference:
+    - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html
+    - https://github.com/danielmiessler/SecLists/blob/master/Discovery/Variables/secret-keywords.txt
+    - https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/session-id.txt
+  tags: asvs,13.1.3
+  description: |
+    Verify API URLs do not expose sensitive information, such as the API key, session tokens etc.
+
+
+headless:
+  - steps:
+      - args:
+          url: "{{BaseURL}}"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: urls
+        args:
+          code: |
+            () => {
+             return [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\r\n')
+            }
+
+    extractors:
+      - type: regex
+        part: urls
+        regex:
+          - (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
+
+    matchers:
+      - type: regex
+        part: urls
+        regex:
+          - (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+
+# digest: 4a0a0047304502200bb9a7013c8b23ed6d393454ecc8d3490da0969a5941940b992a0d840a4ec6de022100a2ff4b3d7ae8fd710402c65a53e16516fa5b41e02b7655cb678965104a89d3b3:236a7c23afe836fbe231d6e037cff444
\ No newline at end of file