OSTGMapper (Open Security Testing Guide Mapper). An automated, pattern-based security testing guide mapper. Built to reduce the time spent manually mapping possible security tests for web applications. Currently supports:
- OWASP WSTG test cases
Requirements:
- libmagic
  ```sh
  # mac
  brew install libmagic
  ```
- Python modules
  ```sh
  pip install -r requirements.txt
  ```
Clone the repository:
```sh
git clone https://github.com/kos0ng/owasp-wstg-mapper.git
```
Usage:
- Show help
  ```sh
  python3 main.py -h
  ```
- Filter target
  ```sh
  python3 main.py -i example/export.xml -u 192.168.1.4
  ```
- Set output name
  ```sh
  python3 main.py -i example/export.xml -o threat_model_target.xlsx
  ```
- Set level of mapper
  ```sh
  python3 main.py -i example/export.xml -l 1
  ```
Level types:

| Type | Description |
|---|---|
| 0 (default) | All test cases |
| 1 | Common test cases |
| [0-9] | Custom test cases based on preference |
- Set report type
  ```sh
  python3 main.py -i example/export.xml -t 2
  ```

Report types:

| Type | Description |
|---|---|
| 1 (default) | Simple |
| 2 | Detail |
Columns of the simple report (type 1):

| Column | Description |
|---|---|
| ID | Identifier of the test case |
| Test Name | Test case name |
| Objectives | Objective of the test case |
| Endpoint | List of endpoints that can be tested |
| Result | Result of testing; can be PASSED/VULN/NOT APPLICABLE |
| Screenshot | Screenshot as proof of testing |
| Notes | Additional notes if there is something unusual |
Columns of the detailed report (type 2):

| Column | Description |
|---|---|
| No | Numbering |
| Endpoint | Target URL/endpoint |
| Test Cases | List of possible test cases |
| Result | Result of testing; can be PASSED/VULN/NOT APPLICABLE |
| Screenshot | Screenshot as proof of testing |
| Notes | Additional notes if there is something unusual |
Features:
- Can be used with Burp Suite Community Edition (free)
- Filter by URL/endpoint
- Adjustable list of test cases (level)
- Adjustable test patterns
- Flexible report type
- Includes the possible severity of each test case
- Universal report file (Excel)
- Easy-to-fill report
- Supports JSON and form-encoded requests
- File URLs can be excluded (blacklist)
- Can check whether a value is reflected in the response
- Pattern matching using regex
- Sanitizes URLs to remove redundancy
- Each file in a request or response is converted to its MIME type for further analysis
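The pipeline the feature list describes (parse the Burp XML export, sanitize endpoints, normalise JSON and form-encoded parameters, match them against regex patterns per WSTG test case, filter by level), as an added Python example that is not the project's own code. The pattern entries and their regexes are assumptions standing in for wstg.json, the delimiter-anchored regex is one way to keep an "invalid" parameter from matching the "id" pattern (the filter-precision item in the TODO list below), and the sample export is constructed.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hypothetical patterns standing in for the project's wstg.json (its real layout is not shown on the page).
# Regexes are anchored on the parameter delimiter, so "?invalid=" is not mistaken for an "id" parameter.
PATTERNS = [
    {"id": "WSTG-INPV-05", "level": 1, "regex": r"[?&](q|id|search)="},  # Testing for SQL Injection
    {"id": "WSTG-ATHN-03", "level": 1, "regex": r"/login\b"},            # Testing for Weak Lock Out Mechanism
    {"id": "WSTG-INFO-01", "level": 2, "regex": r".*"},                  # Information Gathering: no endpoint filter
]

def params_from_body(body: str) -> str:
    """Normalise a JSON or form-encoded body to '&key=' form so one regex style covers both."""
    body = body.strip()
    return "".join(f"&{k}=" for k in json.loads(body)) if body.startswith("{") else (f"&{body}" if body else "")

def parse_export(xml_text: str) -> list:
    """Read a Burp 'Save items' XML export into records: sanitized endpoint, query string, request body."""
    records = []
    for item in ET.fromstring(xml_text).iter("item"):
        p = urlsplit(item.findtext("url", ""))
        req = item.find("request")
        raw = req.text or ""
        if req.get("base64") == "true":  # Burp base64-encodes raw requests unless told not to
            raw = base64.b64decode(raw).decode("utf-8", errors="replace")
        body = raw.replace("\r\n", "\n").partition("\n\n")[2]  # "" when the request carries no body
        records.append({"endpoint": f"{p.scheme}://{p.netloc}{p.path}", "query": p.query, "body": body})
    return records

def map_tests(records: list, level: int = 0) -> dict:
    """Return {endpoint: sorted WSTG ids}; level 0 keeps every pattern, level N only the patterns tagged N."""
    mapping = {}
    for r in records:
        haystack = f"{r['endpoint']}?{r['query']}{params_from_body(r['body'])}"
        for p in PATTERNS:
            if (not level or p["level"] == level) and re.search(p["regex"], haystack):
                mapping.setdefault(r["endpoint"], set()).add(p["id"])
    return {ep: sorted(ids) for ep, ids in mapping.items()}

# Constructed sample export (not a real capture), in the shape Burp writes when base64 encoding is switched off.
SAMPLE_EXPORT = "<items>" + "".join(
    f'<item><url>{u}</url><request base64="false"><![CDATA[{m} {u[21:]} HTTP/1.1\n\n{b}]]></request></item>'
    for u, m, b in [  # u[21:] strips "http://localhost:3000" to leave the request line's path
        ("http://localhost:3000/rest/products/search?q=apple", "GET", ""),
        ("http://localhost:3000/api/Users/1?invalid=x", "GET", ""),
        ("http://localhost:3000/rest/user/login", "POST", '{"email":"a@b.c","password":"p"}'),
    ]) + "</items>"
```

Running `map_tests(parse_export(SAMPLE_EXPORT))` maps the search endpoint to the SQL injection test, the login endpoint to the lock-out test, and leaves the `?invalid=x` endpoint with only the endpoint-independent pattern.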
Tested with:
- OWASP Juice Shop v14.5.1
- Burp Suite Community Edition v2023.3.5
- Python v3.10.0
- Firefox v112.0.2
Quick start with OWASP Juice Shop:
```sh
# Download latest juice shop image
docker pull --platform linux/amd64 bkimminich/juice-shop
# Run the image on port 3000
docker run -d -p 3000:3000 --platform linux/amd64 bkimminich/juice-shop
# Access the juice shop
http://localhost:3000
```
- Run Burp Suite
- Access the features available on Juice Shop (the target)
- Extract the HTTP/HTTPS history from Burp
- Run mapper.py
- Open the Excel report
- Do the penetration test and use the Excel report as tracker and reference
TODO:
- Deploy Juice Shop
- Access Juice Shop features
- Export from Burp
- Parse the Burp export result
- Standardize the list of tests and their characteristics
- Map the tests
- Sort by the most common severity (source : )
  - High - Critical (3), Medium - High (2), Low - Medium (1)
- Create the report in Excel
- Custom output name
- Research regex (wstg.json)
- File check
  - If the output file exists, overwrite it?
  - If the XML/input file doesn't exist, output an error
- Excel
  - URL/IP
  - Date
  - Freeze column
- Two types (different parsing mechanisms)
  - Simple: one row per endpoint within a test case
  - Detail: each endpoint with many test cases
- Filter from Burp export
  - Host
  - Endpoint
- Custom test cases (add level / choose test case ID)
- Add custom level
- Make the filter more precise: "invalid" should not match the "id" parameter (regex ?id= , &id=)
- Set Excel design (row height)
- Some test cases don't need an endpoint list, such as Information Gathering and Configuration and Deployment Management Testing (regex : *)
- Duplicate/redundant endpoints
- Add an exception for files in JSON files
- Add MIME type parsing for file access
- Try/catch on data that has a blank response and request
- Remove files from the detail mapper
- Check reflected values
- Move the overwrite check first
- Ensure level is in the format level[0-9]
- Ensure level is in the list of WSTG IDs