diff --git a/.github/json/scripts/make-json.sh b/.github/json/scripts/make-json.sh new file mode 100755 index 0000000000..3ff3160d54 --- /dev/null +++ b/.github/json/scripts/make-json.sh @@ -0,0 +1,106 @@ +#!/bin/bash +# Script to create the Json checklist file for WSTG + +function join { local IFS="$1"; shift; echo "$*"; } + +cd document/4-Web_Application_Security_Testing + +# Start the json string +echo "{" > checklist.json +# Open categories +echo " \"categories\": {" >> checklist.json +# Iterate all category folders to get the categories +for d in */ ; do + # Split the folder name to get category and category number + # Select folders start form 01 + while IFS='-' read -ra FOLD; do + if [ ${FOLD[0]} -gt 0 ] + then + # In case of multiple `-` in the category name + # Join the sections other than the first + if [ ${#FOLD[@]} -gt 2 ];then + category=$(join - ${FOLD[@]:1}) + else + category=${FOLD[1]} + fi + # Start category sub section + # Add coma from the second entry of the list + if [ ${FOLD[0]} -gt 1 ];then + echo " ,\"${category%?}\": {" | tr '_' ' ' >> checklist.json + else + echo " \"${category%?}\": {" | tr '_' ' ' >> checklist.json + fi + # Get category ID from the first file + cid=`cat $d/01-* | grep "|WSTG-.*" | cut -d "|" -f 2 | sed 's/-01//'` + # Add category ID and start tests + echo " \"id\":\"${cid}\"," >> checklist.json + echo " \"tests\":[" >> checklist.json + count=0 + for file in $d*.md; do + # Remove README + if [[ $file != *"README.md" ]];then + # Get test ID + tid=`cat $file | grep "|WSTG-.*" | cut -d "|" -f 2` + # If test id exists + if [ ! -z "$tid" ];then + # Add coma from the second entry of the list + if [ $count -gt 0 ];then + echo " ,{" >> checklist.json + else + echo " {" >> checklist.json + fi + # Get Objective of the test from the file + objectiveString=`awk "/## Test Objectives/{flag=1; next} /## /{flag=0} flag" $file | awk 'NF'` + objcount=0 + objectives=() + # Convert Objective string to list of objectives + while read line; + do + objectives[$objcount]=`echo ${line//[$'\t\r\n']} | cut -c 3-` + objcount=$((objcount+1)) + done <<< "$objectiveString" + + # Get test name and reference link from the file + read -r tname < $file + tname=${tname:2} + tref=`echo $file | sed 's/.md//'` + # Add test ID, test name and reference link from the file + echo " \"name\":\"${tname}\"," >> checklist.json + echo " \"id\":\"${tid}\"," >> checklist.json + echo " \"reference\":\"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/$tref\"," >> checklist.json + echo " \"objectives\":[" >> checklist.json + # Add objective array + objcount=0 + for objective in "${objectives[@]}" + do + objcount=$((objcount+1)) + # Check for the last entry of Objective and remove coma + if [ ${#objectives[@]} -eq $objcount ];then + echo " \"${objective}\"" >> checklist.json + else + echo " \"${objective}\"," >> checklist.json + fi + done + # Close Objective list + echo " ]" >> checklist.json + + echo " }" >> checklist.json + count=$((count+1)) + fi + fi + done + # Close tests list + echo " ]" >> checklist.json + # Close category sub section + echo " }" >> checklist.json + fi + done <<< "$d" +done +# Close categories +echo " }" >> checklist.json +# End Json string +echo "}" >> checklist.json +cat checklist.json + +# Move generated file to checklists folder +mv checklist.json ../../checklists/. diff --git a/document/6-Appendix/A-Testing_Tools_Resource.md b/document/6-Appendix/A-Testing_Tools_Resource.md index 4929c57702..c4a4dc5ea8 100644 --- a/document/6-Appendix/A-Testing_Tools_Resource.md +++ b/document/6-Appendix/A-Testing_Tools_Resource.md @@ -81,36 +81,36 @@ The list contains only tools that are freely available to download and use (alth ### Site Mirroring -- [wget](https://www.gnu.org/software/wget/) +- [wget](https://www.gnu.org/software/wget) - [wget for windows](https://gnuwin32.sourceforge.net/packages/wget.htm) -- [cURL](https://curl.haxx.se) +- [cURL](https://curl.se) ### Content Discovery - [Gobuster](https://github.com/OJ/gobuster) - [Waybackurls](https://github.com/tomnomnom/waybackurls) - Waybackurls fetches all URLs known to the Wayback Machine for a given domain, useful for reconnaissance. - - **Usage:** + - **Usage:** -```bash -waybackurls example.com -``` + ```bash + waybackurls example.com + ``` - [GAU (Get All URLs)](https://github.com/lc/gau) - GAU collects URLs from multiple public archives, including the Wayback Machine and Common Crawl. - - **Usage:** + - **Usage:** -```bash -gau example.com -``` + ```bash + gau example.com + ``` - [Unfurl](https://github.com/tomnomnom/unfurl) - Unfurl extracts subdomains, paths, and parameters from URLs for deeper analysis. - - **Usage:** + - **Usage:** -```bash -unfurl "https://example.com/page?query=123" -``` + ```bash + unfurl "https://example.com/page?query=123" + ``` ### Port and Service Discovery @@ -151,8 +151,10 @@ Browser Automation tools are used to validate the functionality of web applicati ### Open Source Tools -- [HtmlUnit](https://htmlunit.sourceforge.io) - HtmlUnit is a GUI-less browser for Java programs. It models HTML documents and provides an API to invoke pages, fill out forms, click links, and interact with JavaScript and complex AJAX libraries. It can simulate Chrome, Firefox, or Edge depending on configuration, and is typically used for automated testing or web scraping. HtmlUnit can also be used as a Selenium-compatible browser via the [htmlunit-driver](https://github.com/SeleniumHQ/htmlunit-driver). The latest stable release is 4.21.0 (`org.htmlunit:htmlunit:4.21.0`). +- [HtmlUnit](https://htmlunit.sourceforge.io) + - HtmlUnit is a GUI-less browser for Java programs. It models HTML documents and provides an API to invoke pages, fill out forms, click links, and interact with JavaScript and complex AJAX libraries. - GitHub Repository: [HtmlUnit/htmlunit](https://github.com/HtmlUnit/htmlunit) + - [Selenium](https://www.selenium.dev) - JavaScript based testing framework, cross-platform and provides a GUI for creating tests. @@ -174,12 +176,8 @@ The following freely available resources provide curated comparisons and evaluat ### ZAP (Zed Attack Proxy) Documentation -Official documentation and learning resources for the ZAP (Zed Attack Proxy) dynamic application security testing tool. - - [ZAP Documentation](https://www.zaproxy.org/docs/) ### Nuclei Templates Project -A large open-source repository of vulnerability detection templates used for automated security scanning. - - [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates)