OSTG Mapper

OSTGMapper (Open Security Testing Guide Mapper). An automated security testing guide mapper based on pattern. Built to reduce time of manually mapping possible security tests for web applications. Currently support :

• OWASP WSTG Test case.

Requirements

• libmagic

# mac
brew install libmagic

• python modules

pip install -r requirements.txt

Installation

git clone https://github.com/kos0ng/owasp-wstg-mapper.git

Usage

• Show help

python3 main.py -h

• Filter target

python3 main.py -i example/export.xml -u 192.168.1.4

• Set output name

python3 main.py -i example/export.xml -o threat_model_target.xlsx

• Set level of mapper

python3 main.py -i example/export.xml -l 1

Type	Description
0 (default)	All test case
1	Common test case
[0-9]	Custom test case based on preference

• Set report type

python3 main.py -i example/export.xml -t 2

Type	Description
1 (default)	Simple
2	Detail

Report Type (excel)

Simple

Column	Description
ID	Identifier of test case
Test Name	Test case name
Objectives	Objective of test case
Endpoint	List of endpoint that possible to be tested
Result	Result of testing, it can be PASSED/VULN/NOT APPLICABLE
Screenshot	Screenshot as proof of testing
Notes	Additional notes if there is something unusual

Detail

Column	Description
No	Numbering
Endpoint	Target URL/endpoint
Test Cases	List of possible test case
Result	Result of testing, it can be PASSED/VULN/NOT APPLICABLE
Screenshot	Screenshot as proof of testing
Notes	Additional notes if there is something unusual

Features

• Can be used with burp community edition (free)
• Filter URL/Endpoint
• Adjustable list of test case (level(
• Adjustable pattern of test
• Flexible report type
• Included possible severity on each test case
• Universal report file (excel)
• Easy-to-fill report
• Support json and form encoded request
• Possible to exclude files url (blacklist)
• Can check reflected value on response
• Pattern matching using regex
• Sanitized url to remove redundancy
• Each files in request and response converted to its mime type for further analyzing process

Example Worflow

Specification

• OWASP Juice Shop v14.5.1
• Burpsuite Community Edition v2023.3.5
• Python v3.10.0
• Firefox v112.0.2

Run Juice Shop on Docker

# Download latest juice shop image
docker pull --platform linux/amd64 bkimminich/juice-shop

# Run the image on port 3000
docker run -d -p 3000:3000 --platform linux/amd64 bkimminich/juice-shop

# Access the juice shop
http://localhost:3000

Testing Phase

• Run burpsuite
• Access features available on Juice Shop (target)
• Extract the HTTP/HTTPS history on burp
• Run mapper.py
• Open excel report
• Do penetration testing and use excel report as tracker and reference

Todo List

• Deploy juice shop
• Akses fitur juice shop
• Export burp
• Parsing hasil export burp
• Standardisasi daftar pengujian dan ciri-cirinya
• Mapping pengujian
• Urutkan berdasarkan kebanyakan severity (source : )
  • High - Critical (3) , Medium - High (2), Low - Medium (1)
• Bikin report dalam excel

Idea

• Custom output name
• Research about regex (wstg.json)
• File check
  • If exist overwrite it?
  • If xml/input file doesn't exist, output error
• Excel
  • URL/IP
  • Date
  • Freeze column
• Two type (different parsing mechanism)
  • Simple, row per endpoint in one test case
  • Detail, each endpoint with many test case
• Filter from burp export
  • Host
  • Endpoint
• Custom test case (add level / choose ID test case)
• Add custom level

Issue

• Make filter more precision, "invalid" should not match with "id" parameter , regex ?id= , &id=
• set design excel (row height)
• Some test case doesn't need list endpoint such as Information Gathering,Configuration and Deployment Management Testing (regex : *)
• Duplicate/redundant endpoint
• Add exception for files in json files
• Add parsing mime type for file access
• Try catch on data that has blank response and request
• Remove files from detail mapper
• Check reflected
• Move overwrite first
• Ensure level in format level[0-9]
• Ensure level in list wstg id