Add draft MASWE items (#2687)

* add new improved banners and draft information

* improve banners and draft information

* Add remaining weaknesses

docs/hooks/maswe-beta-banner.py

@@ -1,21 +1,126 @@
 import logging
+import yaml
 import mkdocs.plugins
+import glob
+from collections import defaultdict
 
 log = logging.getLogger('mkdocs')
 
+def get_v1_tests_data():
+
+    masvs_v1_tests_metadata = {}
+
+    # Each test has an ID which is the filename
+    for file in glob.glob("tests/**/*.md", recursive=True):
+        with open(file, 'r') as f:
+            content = f.read()
+            frontmatter = next(yaml.load_all(content, Loader=yaml.FullLoader))
+            # masvs category is frontmatter['masvs_v2_id'][0] without the final number. Example: MASVS-STORAGE-2 -> MASVS-STORAGE
+            masvs_category = frontmatter['masvs_v2_id'][0][:-2]
+            platform = frontmatter['platform']
+            # get id from filename without extension
+            id = file.split('/')[-1].split('.')[0]
+            link = f"https://mas.owasp.org/MASTG/tests/{platform}/{masvs_category}/{id}/"
+            frontmatter['link'] = link
+
+            masvs_v1_tests_metadata[id] = frontmatter
+
+    # Populate the defaultdict with MASVS v1 IDs and corresponding MASTG-TEST IDs
+    masvs_v1_mapping = defaultdict(list)
+    for test_id, test_info in masvs_v1_tests_metadata.items():
+        for masvs_id in test_info["masvs_v1_id"]:
+            masvs_v1_mapping[masvs_id].append(f"[{test_id}]({test_info['link']})")
+
+    return masvs_v1_tests_metadata, masvs_v1_mapping
+
 beta_banner = """
-!!! example "BETA"
+??? example "Content in BETA"
     This content is in **beta** and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
     
     [:fontawesome-regular-paper-plane: Send Feedback](https://github.com/OWASP/owasp-mastg/discussions/categories/maswe-mastg-v2-beta-feedback)
 """
 
+def get_mastg_v1_coverage(meta):
+    mappings = meta.get('mappings', '')
+
+    if mappings:
+        mastg_v1_tests_metadata, mastg_v1_mapping = get_v1_tests_data()
+
+        masvs_v1_id = mappings.get('masvs-v1', '')
+        if len(masvs_v1_id) > 1:
+            raise ValueError(f"More than one MASVS v1 ID found: {masvs_v1_id}")
+        masvs_v1_id = masvs_v1_id[0] if masvs_v1_id else ""
+        mastg_v1_tests_map = mastg_v1_mapping.get(masvs_v1_id, [])
+
+        mastg_v1_tests_map_list = [f"{test.split(']')[0].split('[')[1]}" for test in mastg_v1_tests_map]
+        mappings['mastg-v1'] = mastg_v1_tests_map_list
+
+        mastg_v1_tests = "\n".join([f"    - [{test} - {mastg_v1_tests_metadata[test]['title']} ({mastg_v1_tests_metadata[test]['platform']})]({mastg_v1_tests_metadata[test]['link']})" for test in mastg_v1_tests_map_list])
+        if mastg_v1_tests == "":
+            mastg_v1_tests = "    No MASTG v1 tests are related to this weakness."
+    return mastg_v1_tests
+
+def get_info_banner(meta):
+
+    id = meta.get('id')
+
+    refs = meta.get('refs', None)
+    refs_section = ""
+    if refs:
+        refs_section = "    ## References\n\n"
+        refs_section += "\n".join([f"    - <{ref}>" for ref in refs])
+
+    draft_info = meta.get('draft', None)
+
+    description = draft_info.get('description', None)
+
+    if draft_info.get('note', None):
+        description += "\n\n" + "> Note: " + draft_info.get('note', None)
+
+    topics = draft_info.get('topics', None)
+    topics_section = ""
+    if topics:
+        topics_section = "    ## Relevant Topics\n\n"
+        topics_section += "\n".join([f"    - {topic}" for topic in topics])
+
+    mastg_v1_tests = get_mastg_v1_coverage(meta)
+
+    info_banner = f"""
+!!! warning "Draft Weakness"
+
+    This weakness hasn't been created yet and it's in **draft**. But you can check its status or start working on it yourself.
+    If the issue has not yet been assigned, you can request to be assigned to it and submit a PR with the new content for that weakness by following our [guidelines](https://docs.google.com/document/d/1EMsVdfrDBAu0gmjWAUEs60q-fWaOmDB5oecY9d9pOlg/edit?usp=sharing).
+
+    <a href="https://github.com/OWASP/owasp-mastg/issues?q=is%3Aissue+is%3Aopen+{id}" target="_blank">:material-github: Check our GitHub Issues for {id}</a>
+    
+    ## Initial Description or Hints
+
+    {description}
+    
+{topics_section}
+    
+{refs_section}
+
+    ## MASTG v1 Coverage
+
+{mastg_v1_tests}
+"""
+    return info_banner
+
 # https://www.mkdocs.org/dev-guide/plugins/#on_page_markdown
 @mkdocs.plugins.event_priority(-50)
 def on_page_markdown(markdown, page, **kwargs):
     path = page.file.src_uri
 
+    banners = []
+
     if any(substring in path for substring in ["MASWE/", "MASTG/tests-beta/", "MASTG/demos/"]):
-        markdown = f"{beta_banner}\n\n{markdown}"
+        banners.append(beta_banner)
+
+    if "MASWE/" in path and page.meta.get('status') == 'draft':
+        banners.append(get_info_banner(page.meta))
+
+    if banners:
+        markdown = "\n\n".join(banners) + "\n\n" + markdown
 
     return markdown

weaknesses/MASVS-AUTH/MASWE-0028.md

@@ -0,0 +1,23 @@
+---
+title: MFA Implementation Best Practices Not Followed
+id: MASWE-0028
+alias: mfa-best-practices
+platform: [android, ios]
+profiles: [L2]
+mappings:
+  masvs-v1: [MSTG-AUTH-9]
+  masvs-v2: [MASVS-AUTH-3]
+
+draft:
+  description: e.g. not using auto-fill
+  topics:
+  - platform auto-fill from SMS
+  - use of Sign-in with Apple
+  - MFA best practices
+  - (IEEE) unreliable channels such as voice mails and phone numbers must be avoided
+  - is not enforced only locally but server-side
+  - check if relies on static responses from the remote endpoint such as `"message":"Success"`
+status: draft
+
+---
+

weaknesses/MASVS-AUTH/MASWE-0029.md

@@ -0,0 +1,31 @@
+---
+title: Step-Up Authentication Not Implemented After Login
+id: MASWE-0029
+alias: step-up-auth
+platform: [android, ios]
+profiles: [L2]
+mappings:
+  masvs-v1: [MSTG-AUTH-10]
+  masvs-v2: [MASVS-AUTH-3, MASVS-PLATFORM-3]
+  cwe: [306]
+
+refs:
+- https://developer.apple.com/documentation/localauthentication
+- https://auth0.com/blog/what-is-step-up-authentication-when-to-use-it/
+- https://tdcolvin.medium.com/is-firebase-auth-secure-dace0563d41b
+- https://github.com/WICG/trust-token-api
+- https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/
+draft:
+  description: An example of step-up authentication is when a user is logged into
+    their bank account (with or without MFA) and requests an action that is considered
+    sensitive, such as the transfer of a large sum of money. In such cases, the user
+    will be required to provide additional information to authenticate their identity
+    (e.g. using MFA) and ensure only the legitimate user is requesting the action.
+  topics:
+  - (ioXt) UP107 App shall re-authenticate the user when displaying sensitive PII
+    data or conducting sensitive transactions.
+  - null
+status: draft
+
+---
+

weaknesses/MASVS-AUTH/MASWE-0030.md

@@ -0,0 +1,26 @@
+---
+title: Re-Authenticates Not Triggered On Contextual State Changes
+id: MASWE-0030
+alias: reauth-state-changes
+platform: [android, ios]
+profiles: [L2]
+mappings:
+  masvs-v2: [MASVS-AUTH-3]
+
+refs:
+- https://developers.google.com/identity/sign-in/android/disconnect
+draft:
+  description: Re-authentication means forcing a new login after e.g. timeout, changing
+    state from running in the background to running in the foreground, remarkable
+    changes in a user's location, profile, etc.
+  topics:
+  - timeout
+  - changing state from running in the background to running in the foreground
+  - (IEEE) remarkable changes in a user's location
+  - ASVS V3.3 Session Logout and Timeout Requirements
+  - NIST 800-63
+  - etc.
+status: draft
+
+---
+

weaknesses/MASVS-AUTH/MASWE-0031.md

@@ -0,0 +1,19 @@
+---
+title: Insecure use of Android Protected Confirmation
+id: MASWE-0031
+alias: insecure-android-confirmation
+platform: [android]
+profiles: [L2]
+mappings:
+  masvs-v2: [MASVS-AUTH-3]
+
+draft:
+  description: Android Protected Confirmation doesn't provide a secure information
+    channel for the user. Don't use it to display sensitive information that you wouldn't
+    ordinarily show on the user's device.
+  topics:
+  - Android Protected Confirmation
+status: draft
+
+---
+

weaknesses/MASVS-AUTH/MASWE-0032.md

@@ -0,0 +1,36 @@
+---
+title: Platform-provided Authentication APIs Not Used
+id: MASWE-0032
+alias: platform-auth-apis
+platform: [android, ios]
+profiles: [L2]
+mappings:
+  masvs-v2: [MASVS-AUTH-1, MASVS-CODE-3]
+
+refs:
+- https://developer.android.com/privacy-and-security/security-tips#Credentials
+- https://developer.apple.com/documentation/security/password_autofill
+- https://developer.apple.com/videos/play/wwdc2017/206
+- https://developer.android.com/guide/topics/text/autofill-optimize
+draft:
+  description: AKA don't roll your own authentication security. Platform-provided
+    APIs are designed and implemented by experts who have deep knowledge of the platform's
+    security features and considerations. These APIs often incorporate security best
+    practices and are regularly updated to address new threats and vulnerabilities.
+    Not using platform-provided authentication APIs in mobile apps can result in security
+    vulnerabilities, inconsistent user experience, missed integration opportunities,
+    and increased development and maintenance efforts.
+  topics:
+  - credential auto-fill to avoid copy/paste
+  - correct use of Android AccountManager (e.g. invoke a cloud-based service and don't
+    store passwords on the device). AccountManager data stored in clear in some Android
+    versions.
+  - use of CREATOR afterretrieving an account with AccountManager
+  - use of Authentication Services framework on iOS
+  - iOS Password AutoFill streamlines logging into web services at your domain. However,
+    if you need to log into a third-party service, use ASWebAuthenticationSession
+    instead
+status: draft
+
+---
+

weaknesses/MASVS-AUTH/MASWE-0033.md

@@ -0,0 +1,33 @@
+---
+title: Authentication or Authorization Protocol Security Best Practices Not Followed
+id: MASWE-0033
+alias: auth-protocol-best-practices
+platform: [android, ios]
+profiles: [L2]
+mappings:
+  masvs-v2: [MASVS-AUTH-1]
+
+refs:
+- https://mobidev.biz/blog/single-sign-on-sso-implementation-benefits-enterprise
+- https://developers.google.com/identity/protocols/risc
+- https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/3237231-prefersephemeralwebbrowsersessio?language=objc
+- https://developer.apple.com/videos/play/tech-talks/301
+- https://developers.google.com/identity/protocols/oauth2
+draft:
+  description: For example, when using oauth2, the app does not use PKCE, etc. See
+    RFC-8252. Focus on client-side best practices.
+  topics:
+  - best practices from RFC-8252
+  - SSO -> OpenID Connect (OIDC)
+  - use of Google Service Accounts
+  - use of RISC
+  - use of Apple Redirect extensions for Enterprise
+  - using use SFAuthenticationSession (deprecated) instead of ASWebAuthenticationSession
+  - secure mutual authentication using X.509v3 certificates
+  - use of context to add security to authentication e.g. via IP or location data
+  - set prefersEphemeralWebBrowserSession to true before calling start for a session
+    on iOS
+status: draft
+
+---
+

weaknesses/MASVS-AUTH/MASWE-0034.md

@@ -0,0 +1,17 @@
+---
+title: Insecure Implementation of Confirm Credentials
+id: MASWE-0034
+alias: insecure-confirm-credentials
+platform: [android]
+profiles: [L2]
+mappings:
+  masvs-v2: [MASVS-AUTH-1]
+
+draft:
+  description: https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0017/
+  topics:
+  - Confirm Credentials
+status: draft
+
+---
+

weaknesses/MASVS-AUTH/MASWE-0035.md

@@ -0,0 +1,33 @@
+---
+title: Passwordless Authentication Not Implemented
+id: MASWE-0035
+alias: no-passwordless-auth
+platform: [android, ios]
+profiles: [L2]
+mappings:
+  masvs-v2: [MASVS-AUTH-1, MASVS-STORAGE-1]
+
+refs:
+- https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication
+- https://www.w3.org/TR/webauthn-2/
+- https://fidoalliance.org/white-paper-multi-device-fido-credentials/
+- https://developers.google.com/identity/fido
+- https://developers.google.com/identity/fido#what_are_passkeys
+- https://fidoalliance.org/developers/
+- https://fidoalliance.org/product-category/android-client/
+- https://fidoalliance.org/product-category/ios-client/
+- https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys
+- https://techcommunity.microsoft.com/t5/azure-active-directory-identity/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633
+- https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_security_key_authentication_using_physical_keys
+- https://developer.apple.com/videos/play/wwdc2021/10106/
+draft:
+  description: there's no use of passwordless authentication mechanisms e.g. passkeys
+  topics:
+  - passkeys or multi-device FIDO credentials
+  - WebAuthn/ASAuthorization
+  - use of Physical Security Keys which stored the public-private key pair on a physical
+    medium, such as a security card or a USB key
+status: draft
+
+---
+

weaknesses/MASVS-AUTH/MASWE-0036.md

@@ -0,0 +1,28 @@
+---
+title: Authentication Material Stored Unencrypted on the Device
+id: MASWE-0036
+alias: auth-material-unencrypted
+platform: [android, ios]
+profiles: [L1, L2]
+mappings:
+  masvs-v2: [MASVS-AUTH-1, MASVS-STORAGE-1]
+
+refs:
+- https://developers.google.com/identity/blockstore/android?hl=en
+- https://cloud.google.com/docs/authentication/api-keys#securing_an_api_key
+- https://cloud.google.com/docs/authentication/api-keys#adding_application_restrictions
+- https://cloud.google.com/docs/authentication/best-practices-applications#semi-trusted_or_restricted_environments
+- https://cloud.google.com/docs/authentication/best-practices-applications#security_considerations
+- https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple/
+draft:
+  description: General authentication best practice.
+  topics:
+  - session IDs
+  - tokens
+  - passwords
+  - API keys
+  - use of sign-in with Apple/Google
+status: draft
+
+---
+