bmt 0.4.0 → 0.5.0

@@ -1,452 +0,0 @@
1
- {
2
- "metadata": {
3
- "title": "iOS",
4
- "release_date": "2022-01-10T00:00:00+00:00",
5
- "description": "Bugcrowd iOS testing methodology",
6
- "vrt_version": "10.0.1"
7
- },
8
- "content": {
9
- "steps": [
10
- {
11
- "key": "architecture_design_and_threat_modelling",
12
- "title": "Architecture, design and threat modelling",
13
- "description": "",
14
- "type": "checklist",
15
- "items": [
16
- {
17
- "key": "all_app_components_are_identified_and_known_to_be_needed",
18
- "title": "All app components are identified and known to be needed",
19
- "description": "",
20
- "caption": ""
21
- },
22
- {
23
- "key": "security_controls_client_side",
24
- "title": "Security controls are never enforced only on the client side, but on the respective remote endpoints.",
25
- "description": "",
26
- "caption": ""
27
- },
28
- {
29
- "key": "high_level_architecture_for_mobile_app",
30
- "title": "A high-level architecture for the mobile app and all connected remote services has been defined and security has been addressed in that architecture.",
31
- "description": "",
32
- "caption": ""
33
- },
34
- {
35
- "key": "sensitive_identified_data",
36
- "title": "Data considered sensitive in the context of the mobile app is clearly identified.",
37
- "description": "",
38
- "caption": ""
39
- },
40
- {
41
- "key": "business_and_security_functions",
42
- "title": "All app components are defined in terms of the business functions and/or security functions they provide.",
43
- "description": "",
44
- "caption": ""
45
- },
46
- {
47
- "key": "threat_model_for_mobile_app",
48
- "title": "A threat model for the mobile app and the associated remote services has been produced that identifies potential threats and countermeasures.",
49
- "description": "",
50
- "caption": ""
51
- },
52
- {
53
- "key": "security_controls",
54
- "title": "All security controls have a centralized implementation.",
55
- "description": "",
56
- "caption": ""
57
- },
58
- {
59
- "key": "cryptographic_key_policy",
60
- "title": "There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57.",
61
- "description": "",
62
- "caption": ""
63
- },
64
- {
65
- "key": "enforce_mobile_app_updates",
66
- "title": "A mechanism for enforcing updates of the mobile app exists.",
67
- "description": "",
68
- "caption": ""
69
- },
70
- {
71
- "key": "address_security",
72
- "title": "Security is addressed within all parts of the software development lifecycle.",
73
- "description": "",
74
- "caption": ""
75
- }
76
- ]
77
- },
78
- {
79
- "key": "data_storage_and_privacy",
80
- "title": "Data Storage and Privacy",
81
- "description": "",
82
- "type": "checklist",
83
- "items": [
84
- {
85
- "key": "system_creentials_storage_facilities",
86
- "title": "System credential storage facilities are used appropriately to store sensitive data, such as PII, user credentials or cryptographic keys.",
87
- "description": "",
88
- "caption": ""
89
- },
90
- {
91
- "key": "sensitive_data_storage",
92
- "title": "No sensitive data should be stored outside of the app container or system credential storage facilities.",
93
- "description": "",
94
- "caption": ""
95
- },
96
- {
97
- "key": "sensitive_data_in_logs",
98
- "title": "No sensitive data is written to application logs.",
99
- "description": "",
100
- "caption": ""
101
- },
102
- {
103
- "key": "sensitive_data_sharing_with_third_party",
104
- "title": "No sensitive data is shared with third parties unless it is a necessary part of the architecture.",
105
- "description": "",
106
- "caption": ""
107
- },
108
- {
109
- "key": "keyboard_cache_disabling",
110
- "title": "The keyboard cache is disabled on text inputs that process sensitive data.",
111
- "description": "",
112
- "caption": ""
113
- },
114
- {
115
- "key": "sensitive_data_ipc_mechanism",
116
- "title": "No sensitive data is exposed via IPC mechanisms.",
117
- "description": "",
118
- "caption": ""
119
- },
120
- {
121
- "key": "sensitive_data_exposure_via_ui",
122
- "title": "No sensitive data, such as passwords or pins, is exposed through the user interface.",
123
- "description": "",
124
- "caption": ""
125
- },
126
- {
127
- "key": "sensitive_data_exposure_via_backup",
128
- "title": "No sensitive data is included in backups generated by the mobile operating system.",
129
- "description": "",
130
- "caption": ""
131
- },
132
- {
133
- "key": "sensitive_data_removal_on_backgrounded",
134
- "title": "The app removes sensitive data from views when backgrounded.",
135
- "description": "",
136
- "caption": ""
137
- },
138
- {
139
- "key": "sensitive_data_holding_in_memory",
140
- "title": "The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use.",
141
- "description": "",
142
- "caption": ""
143
- },
144
- {
145
- "key": "minimum_device_access_security_policy",
146
- "title": "The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.",
147
- "description": "",
148
- "caption": ""
149
- },
150
- {
151
- "key": "personal_identifiable_information_identification",
152
- "title": "The app educates the user about the types of personally identifiable information processed, as well as security best practices the user should follow in using the app.",
153
- "description": "",
154
- "caption": ""
155
- }
156
- ]
157
- },
158
- {
159
- "key": "cryptography",
160
- "title": "Cryptography",
161
- "description": "",
162
- "type": "checklist",
163
- "items": [
164
- {
165
- "key": "symmetric_cryptography_with_hardcoded_keys",
166
- "title": "The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.",
167
- "description": "",
168
- "caption": ""
169
- },
170
- {
171
- "key": "proven_cryptographic_primitives",
172
- "title": "The app uses proven implementations of cryptographic primitives.",
173
- "description": "",
174
- "caption": ""
175
- },
176
- {
177
- "key": "cryptographic_primitive_for_particular_use_case",
178
- "title": "The app uses cryptographic primitives that are appropriate for the particular use-case, configured with parameters that adhere to industry best practices.",
179
- "description": "",
180
- "caption": ""
181
- },
182
- {
183
- "key": "depricated_cryptography_protocols",
184
- "title": "The app does not use cryptographic protocols or algorithms that are widely considered depreciated for security purposes.",
185
- "description": "",
186
- "caption": ""
187
- },
188
- {
189
- "key": "reuse_same_cryptographic_key",
190
- "title": "The app doesnt re-use the same cryptographic key for multiple purposes.",
191
- "description": "",
192
- "caption": ""
193
- },
194
- {
195
- "key": "secure_random_number_generator",
196
- "title": "All random values are generated using a sufficiently secure random number generator.",
197
- "description": "",
198
- "caption": ""
199
- }
200
- ]
201
- },
202
- {
203
- "key": "authentication_and_session_management",
204
- "title": "Authentication and Session Management",
205
- "description": "",
206
- "type": "checklist",
207
- "items": [
208
- {
209
- "key": "remote_service_authentication",
210
- "title": "If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.",
211
- "description": "",
212
- "caption": ""
213
- },
214
- {
215
- "key": "stateful_session_management_authentication",
216
- "title": "If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the users credentials.",
217
- "description": "",
218
- "caption": ""
219
- },
220
- {
221
- "key": "stateless_token_based_management_authentication",
222
- "title": "If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm.",
223
- "description": "",
224
- "caption": ""
225
- },
226
- {
227
- "key": "remote_endpoint_terminate",
228
- "title": "The remote endpoint terminates the existing session when the user logs out.",
229
- "description": "",
230
- "caption": ""
231
- },
232
- {
233
- "key": "password_policy_exists",
234
- "title": "A password policy exists and is enforced at the remote endpoint.",
235
- "description": "",
236
- "caption": ""
237
- },
238
- {
239
- "key": "remote_endpoint_implementation_mechanism",
240
- "title": "The remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times.",
241
- "description": "",
242
- "caption": ""
243
- },
244
- {
245
- "key": "session_invalidated_at_remote_endpoint",
246
- "title": "Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.",
247
- "description": "",
248
- "caption": ""
249
- },
250
- {
251
- "key": "biometric_authentication",
252
- "title": "Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns true or false). Instead, it is based on unlocking the keychain/keystore.",
253
- "description": "",
254
- "caption": ""
255
- },
256
- {
257
- "key": "second_factor_authentication",
258
- "title": "A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.",
259
- "description": "",
260
- "caption": ""
261
- },
262
- {
263
- "key": "sensitive_transaction_setup_authentication",
264
- "title": "Sensitive transactions require step-up authentication.",
265
- "description": "",
266
- "caption": ""
267
- },
268
- {
269
- "key": "inform_user_login_activities",
270
- "title": "The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices.",
271
- "description": "",
272
- "caption": ""
273
- }
274
- ]
275
- },
276
- {
277
- "key": "network_communication",
278
- "title": "Network Communication",
279
- "description": "",
280
- "type": "checklist",
281
- "items": [
282
- {
283
- "key": "data_encryption_on_network",
284
- "title": "Data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.",
285
- "description": "",
286
- "caption": ""
287
- },
288
- {
289
- "key": "tls_settings_best_practices",
290
- "title": "The TLS settings are in line with current best practices, or as close as possible if the mobile operating system does not support the recommended standards.",
291
- "description": "",
292
- "caption": ""
293
- },
294
- {
295
- "key": "remote_endpoint_certificate",
296
- "title": "The app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted.",
297
- "description": "",
298
- "caption": ""
299
- },
300
- {
301
- "key": "app_certification",
302
- "title": "The app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA.",
303
- "description": "",
304
- "caption": ""
305
- },
306
- {
307
- "key": "insecure_communication_channel",
308
- "title": "The app doesnt rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery.",
309
- "description": "",
310
- "caption": ""
311
- },
312
- {
313
- "key": "app_dependency_on_connectivity_and_library",
314
- "title": "The app only depends on up-to-date connectivity and security libraries.",
315
- "description": "",
316
- "caption": ""
317
- }
318
- ]
319
- },
320
- {
321
- "key": "platform_interaction",
322
- "title": "Platform Interaction",
323
- "description": "",
324
- "type": "checklist",
325
- "items": [
326
- {
327
- "key": "minimum_set_of_permission",
328
- "title": "The app only requests the minimum set of permissions necessary.",
329
- "description": "",
330
- "caption": ""
331
- },
332
- {
333
- "key": "external_source_input_validation",
334
- "title": "The app only requests the minimum set of permissions necessary.",
335
- "description": "",
336
- "caption": ""
337
- },
338
- {
339
- "key": "sensitive_functionality_via_url_schemes",
340
- "title": "The app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected.",
341
- "description": "",
342
- "caption": ""
343
- },
344
- {
345
- "key": "export_sensitive_functionality_through_ipc",
346
- "title": "The app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected.",
347
- "description": "",
348
- "caption": ""
349
- },
350
- {
351
- "key": "javascript_disabled",
352
- "title": "JavaScript is disabled in WebViews unless explicitly required.",
353
- "description": "",
354
- "caption": ""
355
- },
356
- {
357
- "key": "webview_minimum_set_of_protocol_handlers",
358
- "title": "WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https is supported). Potentially dangerous handlers, such as file, tel and app-id, are disabled.",
359
- "description": "",
360
- "caption": ""
361
- },
362
- {
363
- "key": "webview_within_app_javascript_render",
364
- "title": "If native methods of the app are exposed to a WebView, verify that the WebView only renders JavaScript contained within the app package.",
365
- "description": "",
366
- "caption": ""
367
- },
368
- {
369
- "key": "object_deserialization",
370
- "title": "Object deserialization, if any, is implemented using safe serialization APIs.",
371
- "description": "",
372
- "caption": ""
373
- }
374
- ]
375
- },
376
- {
377
- "key": "code_quality_and_build_settings",
378
- "title": "Code Quality and Build Settings",
379
- "description": "",
380
- "type": "checklist",
381
- "items": [
382
- {
383
- "key": "valid_certificate_sign",
384
- "title": "The app is signed and provisioned with a valid certificate, of which the private key is properly protected.",
385
- "description": "",
386
- "caption": ""
387
- },
388
- {
389
- "key": "built_in_release_mode",
390
- "title": "The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).",
391
- "description": "",
392
- "caption": ""
393
- },
394
- {
395
- "key": "debugging_symbol",
396
- "title": "Debugging symbols have been removed from native binaries.",
397
- "description": "",
398
- "caption": ""
399
- },
400
- {
401
- "key": "debugging_and_verbose_errors",
402
- "title": "Debugging code has been removed, and the app does not log verbose errors or debugging messages.",
403
- "description": "",
404
- "caption": ""
405
- },
406
- {
407
- "key": "third_party_vulnerability_check",
408
- "title": "All third party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities.",
409
- "description": "",
410
- "caption": ""
411
- },
412
- {
413
- "key": "exception_handling",
414
- "title": "The app catches and handles possible exceptions.",
415
- "description": "",
416
- "caption": ""
417
- },
418
- {
419
- "key": "security_controls_error_handling",
420
- "title": "Error handling logic in security controls denies access by default",
421
- "description": "",
422
- "caption": ""
423
- },
424
- {
425
- "key": "memory_allocation",
426
- "title": "In unmanaged code, memory is allocated, freed and used securely.",
427
- "description": "",
428
- "caption": ""
429
- },
430
- {
431
- "key": "free_security_features_offered_by_toolchain",
432
- "title": "Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated.",
433
- "description": "",
434
- "caption": ""
435
- }
436
- ]
437
- },
438
- {
439
- "key": "upload_logs",
440
- "title": "Upload logs",
441
- "description": "This should include all associated traffic associated to the in-scope targets.",
442
- "type": "large_upload"
443
- },
444
- {
445
- "key": "executive_summary",
446
- "title": "Executive summary",
447
- "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
448
- "type": "executive_summary"
449
- }
450
- ]
451
- }
452
- }
@@ -1,207 +0,0 @@
1
- {
2
- "metadata": {
3
- "title": "Network",
4
- "release_date": "2022-01-10T00:00:00+00:00",
5
- "description": "Bugcrowd network testing methodology",
6
- "vrt_version": "10.0.1"
7
- },
8
- "content": {
9
- "steps": [
10
- {
11
- "key": "information",
12
- "title": "Information Gathering / Recon",
13
- "description": "",
14
- "type": "checklist",
15
- "caption": "Please include any valuable pieces of information found; and the source of said information",
16
- "items": [
17
- {
18
- "key": "credentials_leaked",
19
- "title": "Credentials or keys leaked on Github, Pastebin, etc.",
20
- "caption": "",
21
- "description": ""
22
- },
23
- {
24
- "key": "leaked_as_part_of_past_breaches",
25
- "title": "Usernames, emails, passwords, and other information leaked as part of past breaches.",
26
- "caption": "",
27
- "description": ""
28
- },
29
- {
30
- "key": "internal_subdomain",
31
- "title": "Internal subdomains, known software, etc.",
32
- "caption": "",
33
- "description": ""
34
- },
35
- {
36
- "key": "zone_transfer_in_scope_ip",
37
- "title": "Check for the ability to perform a zone transfer on the in-scope IP addresses",
38
- "caption": "",
39
- "description": ""
40
- }
41
- ]
42
- },
43
- {
44
- "key": "scanning",
45
- "title": "Scanning",
46
- "description": "",
47
- "type": "checklist",
48
- "caption": "Please include your full nmap scan output + banner information in a single file. Similarly, include all other tooling outputs.",
49
- "items": [
50
- {
51
- "key": "scan_in_scope_targets",
52
- "title": "Fully scan the range of in-scope targets (all 65,535 TCP and UDP ports).",
53
- "caption": "",
54
- "description": ""
55
- },
56
- {
57
- "key": "ensure_host_scan",
58
- "title": "Ensure that hosts are still scanned, even if they are not responsive to a ping sweep.",
59
- "caption": "",
60
- "description": ""
61
- },
62
- {
63
- "key": "in_scope_services_and_version_numbers",
64
- "title": "Enumerate and document all in-scope services and version numbers.",
65
- "caption": "",
66
- "description": ""
67
- },
68
- {
69
- "key": "document_services_that_communicate_insecurely",
70
- "title": "Document services that communicate insecurely (e.g. telnet, http).",
71
- "caption": "",
72
- "description": ""
73
- },
74
- {
75
- "key": "subdomain_takeovers",
76
- "title": "Document any services with misconfigured DNS records allowing for subdomain takeovers.",
77
- "caption": "",
78
- "description": ""
79
- },
80
- {
81
- "key": "leverage_available_services",
82
- "title": "Review results and leverage any available services to obtain more information around the targets or users. Examples are RPC, SMB, SMTP, SNMP, etc.",
83
- "caption": "",
84
- "description": ""
85
- }
86
- ]
87
- },
88
- {
89
- "key": "exploitation",
90
- "title": "Exploitation",
91
- "description": "",
92
- "type": "checklist",
93
- "caption": "Include any screenshots as proof of successful exploitation. For unsuccessful attacks, please document the commands/tools executed.",
94
- "items": [
95
- {
96
- "key": "lack_of_auth",
97
- "title": "Check for lack of auth or default creds to any available services. e.g. auth portals, anonymous FTP, SSH, RDP, mail relays, etc.",
98
- "caption": "",
99
- "description": ""
100
- },
101
- {
102
- "key": "service_bypass",
103
- "title": "Check for any auth bypasses on any available services.",
104
- "caption": "",
105
- "description": ""
106
- },
107
- {
108
- "key": "cross_reference_software_version",
109
- "title": "Cross reference software version numbers against known vulnerable versions or exploits (exploit db, CVEs, etc. often facilitated by the use of nessus/nikto/openvas/etc).",
110
- "caption": "",
111
- "description": ""
112
- },
113
- {
114
- "key": "attempt_to_exploit_known_vulnerabilities",
115
- "title": "Configure and attempt to exploit any known vulnerabilities (existing scripts with custom shellcode, metasploit modules, etc).",
116
- "caption": "",
117
- "description": ""
118
- },
119
- {
120
- "key": "presence_of_sensitive_information_publicly",
121
- "title": "Check for the presence of sensitive information that is publicly available on any service (e.g. documents available via anonymous FTP).",
122
- "caption": "",
123
- "description": ""
124
- },
125
- {
126
- "key": "server_side_vulnerability_auth_bypass",
127
- "title": "Test any available webservers for server-side vulnerabilities including Auth bypasses",
128
- "caption": "",
129
- "description": ""
130
- },
131
- {
132
- "key": "server_side_vulnerability_default_credentials",
133
- "title": "Test any available webservers for server-side vulnerabilities including Default credentials",
134
- "caption": "",
135
- "description": ""
136
- },
137
- {
138
- "key": "server_side_vulnerability_known_exploits",
139
- "title": "Test any available webservers for server-side vulnerabilities including Known exploits based on running vulnerable software",
140
- "caption": "",
141
- "description": ""
142
- },
143
- {
144
- "key": "server_side_vulnerability_sql_injection",
145
- "title": "Test any available webservers for server-side vulnerabilities including SQL Injection (SQLi)",
146
- "caption": "",
147
- "description": ""
148
- },
149
- {
150
- "key": "server_side_rce",
151
- "title": "Test any available webservers for server-side vulnerabilities including Remote Code Execution (RCE)",
152
- "caption": "",
153
- "description": ""
154
- },
155
- {
156
- "key": "server_side_xxe",
157
- "title": "Test any available webservers for server-side vulnerabilities including XML Entity Injection (XXE)",
158
- "caption": "",
159
- "description": ""
160
- },
161
- {
162
- "key": "server_side_ssrf",
163
- "title": "Test any available webservers for server-side vulnerabilities including Server Side Request Forgery (SSRF)",
164
- "caption": "",
165
- "description": ""
166
- },
167
- {
168
- "key": "server_side_lfi_afi",
169
- "title": "Test any available webservers for server-side vulnerabilities including Local/Arbitrary File Inclusion (LFI/AFI)",
170
- "caption": "",
171
- "description": ""
172
- },
173
- {
174
- "key": "server_side_hidden_directory_pages",
175
- "title": "Test any available webservers for server-side vulnerabilities including Hidden directories or pages with sensitive information",
176
- "caption": "",
177
- "description": ""
178
- },
179
- {
180
- "key": "basic_web_app_scanner",
181
- "title": "Run a basic web application scanner over the app, and report any valid issues. (nikto, burp, zap, et al)",
182
- "caption": "",
183
- "description": ""
184
- },
185
- {
186
- "key": "attempt_bruteforcing",
187
- "title": "Attempt moderate, informed/educated brute-forcing on available services - based on information gathered earlier in the assessment.",
188
- "caption": "",
189
- "description": ""
190
- }
191
- ]
192
- },
193
- {
194
- "key": "upload_logs",
195
- "title": "Upload logs",
196
- "description": "This should include all associated traffic associated to the in-scope targets.",
197
- "type": "large_upload"
198
- },
199
- {
200
- "key": "executive_summary",
201
- "title": "Executive summary",
202
- "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
203
- "type": "executive_summary"
204
- }
205
- ]
206
- }
207
- }