OWASP
diff --git a/‎.github/workflows/run-tests-generate-output.yaml‎
Lines changed: 8 additions & 5 deletions b/‎.github/workflows/run-tests-generate-output.yaml‎
Lines changed: 8 additions & 5 deletions
diff --git a/‎.github/workflows/run-tests.yaml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/run-tests.yaml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Pipfile‎
Lines changed: 1 addition & 1 deletion b/‎Pipfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Pipfile.lock‎
Lines changed: 94 additions & 95 deletions b/‎Pipfile.lock‎
Lines changed: 94 additions & 95 deletions
diff --git a/‎cornucopia.owasp.org/data/cards/mobileapp-cards-1.1-en/authentication-&-authorization/AA6/explanation.md‎
Lines changed: 17 additions & 1 deletion b/‎cornucopia.owasp.org/data/cards/mobileapp-cards-1.1-en/authentication-&-authorization/AA6/explanation.md‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎cornucopia.owasp.org/data/website/pages/about/en/index.md‎
Lines changed: 1 addition & 0 deletions b/‎cornucopia.owasp.org/data/website/pages/about/en/index.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cornucopia.owasp.org/svelte.config.js‎
Lines changed: 160 additions & 0 deletions b/‎cornucopia.owasp.org/svelte.config.js‎
Lines changed: 160 additions & 0 deletions
diff --git a/‎install_cornucopia_deps.txt‎
Lines changed: 1 addition & 1 deletion b/‎install_cornucopia_deps.txt‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎…ucopia_webapp_ver_guide_bridge_lang.docx‎ ‎…nucopia_webapp_ver_guide_bridge_lang.odt‎resources/templates/owasp_cornucopia_webapp_ver_guide_bridge_lang.docx renamed to resources/templates/owasp_cornucopia_webapp_ver_guide_bridge_lang.odt
3.14 MB b/‎…ucopia_webapp_ver_guide_bridge_lang.docx‎ ‎…nucopia_webapp_ver_guide_bridge_lang.odt‎resources/templates/owasp_cornucopia_webapp_ver_guide_bridge_lang.docx renamed to resources/templates/owasp_cornucopia_webapp_ver_guide_bridge_lang.odt
3.14 MB
@@ -1,8 +1,10 @@
 name: Run Tests and generate output files
 # Controls when the workflow will run 
 on:
-  # Triggers the workflow on push or pull request events but only for the main branch
-  pull_request:
+  # Triggers the workflow on pull request events
+  # Using pull_request_target allows the build artifacts link to be posted as a comment
+  # even for PRs from forked repositories.
+  pull_request_target:
     paths:
       - 'source/**'
       - 'scripts/convert**'
@@ -33,8 +35,9 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          ref: ${{ github.event.pull_request.head.ref }}
+          ref: ${{ github.event.pull_request.head.sha }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
+          persist-credentials: false
       # Set the pip environment up
       - name: Get Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -122,7 +125,7 @@ jobs:
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           retention-days: 5
-          name: cornucopia-build-files.${{ github.sha }}.zip
+          name: cornucopia-build-files.${{ github.event.pull_request.head.sha }}.zip
           path: |
             output/cornucopia-build-files.zip
   commentpr:
@@ -144,7 +147,7 @@ jobs:
             
             | Name | Link |
             |------|------|
-            | Output files | [cornucopia-build-files.${{ github.sha }}.zip](${{needs.uploadoutputfiles.outputs.artifact-url}}) |
+            | Output files | [cornucopia-build-files.${{ github.event.pull_request.head.sha }}.zip](${{needs.uploadoutputfiles.outputs.artifact-url}}) |
             
         with:
           script: |
 
@@ -16,8 +16,9 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          ref: ${{ github.event.pull_request.head.ref }}
+          ref: ${{ github.event.pull_request.head.sha }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
+          persist-credentials: false
       # Set the pip environment up
       - name: Get Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 
@@ -31,7 +31,7 @@ USER builder
 ARG workdir
 WORKDIR ${workdir}
 COPY --chown=builder:union Pipfile Pipfile.lock ./
-RUN pipenv --python "$(which python)" install --ignore-pipfile --dev
+RUN pipenv --python "$(which python)" install --no-cache-dir --ignore-pipfile --dev
 ENTRYPOINT ["/usr/local/bin/pipenv"]
 
 FROM mvdan/shfmt@sha256:caa0324bdba08f42452a19e6a8462dda9852a1e43ad16185ec3d1ad66524a504 AS shfmt
 
@@ -5,7 +5,7 @@ verify_ssl = true
 
 [dev-packages]
 black = "==26.1.0"
-coverage = "==7.13.2"
+coverage = "==7.13.3"
 flake8 = "==7.3.0"
 httpretty = "==1.1.4"
 mypy = "==1.19.1"
 
@@ -1,14 +1,30 @@
 ## Scenario: Anant can perform sensitive operations without additional authentication because authentication requirements are too weak or missing
 
+Anant wants to see his saved "Ultra Secret" note in the app. The app asks for a PIN to "unlock" the note view. Anant bypasses the UI check using instrumentation. Because the note was encrypted with a hardcoded key (or no key bound to the biometric), he successfully views the note without providing the PIN.
+
 ### Example
 
+Anant opens his "Vault" app. He navigates to the "View Secret" page. The app prompts for a fingerprint. Anant uses a script to hook the `onAuthenticationSucceeded` callback or the boolean check `isUnlocked`, forcing it to true. The app, which merely hid the text field behind a view overlap, now reveals the secret text. If the app had used the Android Keystore to encrypt the note, Anant's bypass would have failed because the decryption key would never have been released by the OS.
+
 ## Threat Modeling
 
 ### STRIDE
 
+This scenario falls under the **Tampering** and **Information Disclosure** categories of STRIDE.
+
+Anant performs **Tampering** by modifying the application's runtime logic to bypass the check, leading to **Information Disclosure** of the sensitive note.
+
 ### What can go wrong?
 
+**Logic-Only Gates:** Relying on simple boolean flags (e.g., `if (isUnlocked)`) allows attackers to flip the flag and bypass the check.
+
+**Insecure Storage:** If data is stored in plain text or encrypted with a static key, bypassing the authentication screen grants immediate access to the data.
+
 ### What are we going to do about it?
 
+**Android Keystore / iOS Keychain:** Use cryptographic keys that mandate user authentication (e.g., `setUserAuthenticationRequired(true)`).
+
+**Crypto-Binding:** Ensure the sensitive data can only be decrypted using the key that is released *only* after a successful biometric or PIN verification.
+
 
-https://mas.owasp.org/MASWE/MASVS-AUTH/MASWE-0029/
+https://mas.owasp.org/MASTG/tests/ios/MASVS-AUTH/MASTG-TEST-0064/#static-analysis
@@ -56,6 +56,7 @@ Additionally, Adam Shostack maintains a list of tabletop security games and rela
 
 Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:
 
+- Abhijit Sahoo
 - Artim Banyte
 - Simon Bennetts
 - Thomas Berson
 
@@ -31,6 +31,166 @@ export default {
 			 throw new Error(message);
 			},
 			entries: [
+				'/cards/AAA',
+				'/cards/AA2',
+				'/cards/AA3',
+				'/cards/AA4',
+				'/cards/AA5',
+				'/cards/AA6',
+				'/cards/AA7',
+				'/cards/AA8',
+				'/cards/AA9',
+				'/cards/AAX',
+				'/cards/AAJ',
+				'/cards/AAQ',
+				'/cards/AAK',
+				'/cards/PCA',
+				'/cards/PC2',
+				'/cards/PC3',
+				'/cards/PC4',
+				'/cards/PC5',
+				'/cards/PC6',
+				'/cards/PC7',
+				'/cards/PC8',
+				'/cards/PC9',
+				'/cards/PCX',
+				'/cards/PCJ',
+				'/cards/PCQ',
+				'/cards/PCK',
+				'/cards/NSA',
+				'/cards/NS2',
+				'/cards/NS3',
+				'/cards/NS4',
+				'/cards/NS5',
+				'/cards/NS6',
+				'/cards/NS7',
+				'/cards/NS8',
+				'/cards/NS9',
+				'/cards/NSX',
+				'/cards/NSJ',
+				'/cards/NSQ',
+				'/cards/NSK',
+				'/cards/RSA',
+				'/cards/RS2',
+				'/cards/RS3',
+				'/cards/RS4',
+				'/cards/RS5',
+				'/cards/RS6',
+				'/cards/RS7',
+				'/cards/RS8',
+				'/cards/RS9',
+				'/cards/RSX',
+				'/cards/RSJ',
+				'/cards/RSQ',
+				'/cards/RSK',
+				'/cards/CRMA',
+				'/cards/CRM2',
+				'/cards/CRM3',
+				'/cards/CRM4',
+				'/cards/CRM5',
+				'/cards/CRM6',
+				'/cards/CRM7',
+				'/cards/CRM8',
+				'/cards/CRM9',
+				'/cards/CRMX',
+				'/cards/CRMJ',
+				'/cards/CRMQ',
+				'/cards/CRMK',
+				'/cards/CMA',
+				'/cards/CM2',
+				'/cards/CM3',
+				'/cards/CM4',
+				'/cards/CM5',
+				'/cards/CM6',
+				'/cards/CM7',
+				'/cards/CM8',
+				'/cards/CM9',
+				'/cards/CMX',
+				'/cards/CMJ',
+				'/cards/CMQ',
+				'/cards/CMK',
+				'/cards/JOAM',
+				'/cards/JOBM',
+				'/cards/VEA',
+				'/cards/VE2',
+				'/cards/VE3',
+				'/cards/VE4',
+				'/cards/VE5',
+				'/cards/VE6',
+				'/cards/VE7',
+				'/cards/VE8',
+				'/cards/VE9',
+				'/cards/VEX',
+				'/cards/VEJ',
+				'/cards/VEQ',
+				'/cards/VEK',
+				'/cards/ATA',
+				'/cards/AT2',
+				'/cards/AT3',
+				'/cards/AT4',
+				'/cards/AT5',
+				'/cards/AT6',
+				'/cards/AT7',
+				'/cards/AT8',
+				'/cards/AT9',
+				'/cards/ATX',
+				'/cards/ATJ',
+				'/cards/ATQ',
+				'/cards/ATK',
+				'/cards/SMA',
+				'/cards/SM2',
+				'/cards/SM3',
+				'/cards/SM4',
+				'/cards/SM5',
+				'/cards/SM6',
+				'/cards/SM7',
+				'/cards/SM8',
+				'/cards/SM9',
+				'/cards/SMX',
+				'/cards/SMJ',
+				'/cards/SMQ',
+				'/cards/SMK',
+				'/cards/AZA',
+				'/cards/AZ2',
+				'/cards/AZ3',
+				'/cards/AZ4',
+				'/cards/AZ5',
+				'/cards/AZ6',
+				'/cards/AZ7',
+				'/cards/AZ8',
+				'/cards/AZ9',
+				'/cards/AZX',
+				'/cards/AZJ',
+				'/cards/AZQ',
+				'/cards/AZK',
+				'/cards/CRA',
+				'/cards/CR2',
+				'/cards/CR3',
+				'/cards/CR4',
+				'/cards/CR5',
+				'/cards/CR6',
+				'/cards/CR7',
+				'/cards/CR8',
+				'/cards/CR9',
+				'/cards/CRX',
+				'/cards/CRJ',
+				'/cards/CRQ',
+				'/cards/CRK',
+				'/cards/CA',
+				'/cards/C2',
+				'/cards/C3',
+				'/cards/C4',
+				'/cards/C5',
+				'/cards/C6',
+				'/cards/C7',
+				'/cards/C8',
+				'/cards/C9',
+				'/cards/CX',
+				'/cards/CJ',
+				'/cards/CQ',
+				'/cards/CK',
+				'/cards/JOA',
+				'/cards/JOB',
 				'/cards/ACA',
 				'/cards/AC2',
 				'/cards/AC3',
 
@@ -32,7 +32,7 @@ iniconfig == 2.1.0 --hash=sha256:3abbd2e30b36733fee78f9c7f7308f2d0050e88f0087fd2
 pluggy == 1.6.0 --hash=sha256:7dcc130b76258d33b90f61b658791dede3486c3e6bfb003ee5c9bfb396dd22f3 --hash=sha256:e920276dd6813095e9377c0bc5566d94c932c33b27a3e3945d8389c374dd4746
 exceptiongroup == 1.3.0 --hash=sha256:4d111e6e0c13d0644cad6ddaa7ed0261a0b36971f6d23e7ec9b4b9097da78a10 --hash=sha256:b241f5885f560bc56a59ee63ca4c6a8bfa46ae4ad651af316d4e81817bb9fd88
 python-dateutil == 2.9.0.post0 --hash=sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3
-tqdm == 4.67.2 --hash=sha256:649aac53964b2cb8dec76a14b405a4c0d13612cb8933aae547dd144eacc99653 --hash=sha256:9a12abcbbff58b6036b2167d9d3853042b9d436fe7330f06ae047867f2f8e0a7
+tqdm == 4.67.3 --hash=sha256:7d825f03f89244ef73f1d4ce193cb1774a8179fd96f31d7e1dcde62092b960bb --hash=sha256:ee1e4c0e59148062281c49d80b25b67771a127c85fc9676d3be5f243206826bf
 attrs == 25.3.0 --hash=sha256:427318ce031701fea540783410126f03899a97ffc6f61596ad581ac2e40e3bc3 --hash=sha256:75d7cefc7fb576747b2c81b4442d4d4a1ce0900973527c011d1030fd3bf4af1b
 sortedcontainers == 2.4.0 --hash=sha256:a163dcaede0f1c021485e957a39245190e74249897e2ae4b2aa38595db237ee0
 pathvalidate == 3.3.1 --hash=sha256:5263baab691f8e1af96092fa5137ee17df5bdfbd6cff1fcac4d6ef4bc2e1735f --hash=sha256:b18c07212bfead624345bb8e1d6141cdcf15a39736994ea0b94035ad2b1ba177