OWASP · cpholguera · Sep 6, 2022 · Sep 6, 2022 · Sep 6, 2022 · Sep 6, 2022
diff --git a/.github/workflows/docgenerator.yml b/.github/workflows/docgenerator.yml
@@ -22,24 +22,27 @@ jobs:
       with:
         fetch-depth: 1
 
-    - name: Set VERSION to env 
-      run: echo "VERSION=$(curl  "https://api.github.com/repos/OWASP/owasp-mastg/tags" | jq -r '.[0].name')" >> $GITHUB_ENV
+    - name: Set MASTG_VERSION to env 
+      run: echo "MASTG_VERSION=$(curl  "https://api.github.com/repos/OWASP/owasp-mastg/tags" | jq -r '.[0].name')" >> $GITHUB_ENV
 
-    - name: Set DEV VERSION if it's not a tag
+    - name: Set DEV MASTG_VERSION if it's not a tag
       if: ${{ !startsWith(github.ref, 'refs/tags/') }}
-      run: echo "VERSION=${{env.VERSION}}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+      run: echo "MASTG_VERSION=${{env.MASTG_VERSION}}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+
+    - name: Get Latest MASVS Release Tag
+      run: echo "MASVS_VERSION=$(curl -s https://api.github.com/repos/OWASP/owasp-masvs/releases/latest | jq '.tag_name' | sed 's/\"//g')" >> $GITHUB_ENV
 
     - name: Process Files
       run: python3 tools/scripts/transform_files.py
 
     - name: Generate English PDF
-      run: ./tools/docker/pandoc_makedocs.sh Document ${{env.VERSION}}
+      run: ./tools/docker/pandoc_makedocs.sh Document ${{env.MASTG_VERSION}} ${{env.MASVS_VERSION}}
 
     - name: Upload Artifacts
       uses: actions/upload-artifact@v2
       with:
-        name: OWASP_MASTG-${{env.VERSION}}
-        path: OWASP_MASTG-${{env.VERSION}}*
+        name: OWASP_MASTG-${{env.MASTG_VERSION}}
+        path: OWASP_MASTG-${{env.MASTG_VERSION}}*
 
   Generate-Checklists:
     runs-on: ubuntu-latest

diff --git a/Document/0x02c-Acknowledgements.md b/Document/0x02c-Acknowledgements.md
@@ -51,10 +51,7 @@ If you'd like to apply please contact the project leaders by sending an email to
 
 ## Our MAS Advocates
 
-<br>
-
 <img src="Images/Other/nowsecure-logo.png" width="200px" />
-<br>
 
 [NowSecure](https://www.nowsecure.com) has provided consistent high-impact contributions to the project and has successfully helped spread the word.
 
@@ -102,8 +99,6 @@ In the past, NowSecure has also contributed to the project, has sponsored it bec
   - [Insiders Guide to Mobile AppSec with OWASP MASVS (OWASP Northern Virginia Chapter, Oct 8 2021)](https://www.youtube.com/watch?v=fuLo64WH3SU)
   - and more
 
-<br><br>
-
 ## Contributors
 
 **Note**: This contributor table is generated based on our [GitHub contribution statistics](https://github.com/OWASP/owasp-mastg/graphs/contributors "GitHub contribution statistics"). For more information on these stats, see the [GitHub Repository README](https://github.com/OWASP/owasp-mastg/blob/master/README.md "GitHub Repository README"). We manually update the table, so be patient if you're not listed immediately.
@@ -129,9 +124,6 @@ Top contributors have consistently contributed quality content and have at least
 - Bolot Kerimbaev
 - Lukasz Wierzbicki
 
-<br/>
-<br/>
-
 ### Contributors
 
 Contributors have contributed quality content and have at least 50 additions logged in the GitHub repository. Their Github handle is listed below:

diff --git a/Document/0x04b-Mobile-App-Security-Testing.md b/Document/0x04b-Mobile-App-Security-Testing.md
@@ -61,9 +61,6 @@ The focus of DAST is the testing and evaluation of apps via their real-time exec
 
 Dynamic analysis is usually used to check for security mechanisms that provide sufficient protection against the most prevalent types of attack, such as disclosure of data in transit, authentication and authorization issues, and server configuration errors.
 
-<br/>
-<br/>
-
 ### Avoiding False Positives
 
 #### Automated Scanning Tools

diff --git a/Document/0x04c-Tampering-and-Reverse-Engineering.md b/Document/0x04c-Tampering-and-Reverse-Engineering.md
@@ -162,9 +162,6 @@ In simple words, an emulator is a much closer imitation of the targeted platform
 
 Running an app in the emulator gives you powerful ways to monitor and manipulate its environment. For some reverse engineering tasks, especially those that require low-level instruction tracing, emulation is the best (or only) choice. Unfortunately, this type of analysis is only viable for Android, because no free or open source emulator exists for iOS (the iOS simulator is not an emulator, and apps compiled for an iOS device don't run on it). The only iOS emulator available is a commercial SaaS solution - [Corellium](0x06c-Reverse-Engineering-and-Tampering.md#corellium). We'll provide an overview of popular emulation-based analysis frameworks for Android in the "Tampering and Reverse Engineering on Android" chapter.
 
-<br/>
-<br/>
-
 ### Custom Tooling with Reverse Engineering Frameworks
 
 Even though most professional GUI-based disassemblers feature scripting facilities and extensibility, they are simply not well-suited to solving particular problems. Reverse engineering frameworks allow you to perform and automate any kind of reversing task without depending on a heavy-weight GUI. Notably, most reversing frameworks are open source and/or available for free. Popular frameworks with support for mobile architectures include [radare2](0x08a-Testing-Tools.md#radare2) and [Angr](0x08a-Testing-Tools.md#angr).
@@ -198,5 +195,5 @@ In the Android section, you'll find a walkthrough for cracking a simple license
 
 ## References
 
-- [#vadla] Ole André Vadla Ravnås, Anatomy of a code tracer - [https://medium.com/@oleavr/anatomy-of-a-code-tracer-b081aadb0df8](https://medium.com/@oleavr/anatomy-of-a-code-tracer-b081aadb0df8)
-- [#salwan] Jonathan Salwan and Romain Thomas, How Triton can help to reverse virtual machine based software protections - [https://drive.google.com/file/d/1EzuddBA61jEMy8XbjQKFF3jyoKwW7tLq/view?usp=sharing](https://drive.google.com/file/d/1EzuddBA61jEMy8XbjQKFF3jyoKwW7tLq/view?usp=sharing)
+- [#vadla] Ole André Vadla Ravnås, Anatomy of a code tracer - <https://medium.com/@oleavr/anatomy-of-a-code-tracer-b081aadb0df8>
+- [#salwan] Jonathan Salwan and Romain Thomas, How Triton can help to reverse virtual machine based software protections - <https://drive.google.com/file/d/1EzuddBA61jEMy8XbjQKFF3jyoKwW7tLq/view?usp=sharing>
diff --git a/Document/0x04e-Testing-Authentication-and-Session-Management.md b/Document/0x04e-Testing-Authentication-and-Session-Management.md
@@ -32,9 +32,6 @@ For sensitive apps ("Level 2"), the MASVS adds the following:
 
 You can find details on how to test for the requirements above in the following sections.
 
-<br/>
-<br/>
-
 ### Stateful vs. Stateless Authentication
 
 You'll usually find that the mobile app uses HTTP as the transport layer. The HTTP protocol itself is stateless, so there must be a way to associate a user's subsequent HTTP requests with that user. Otherwise, the user's log in credentials would have to be sent with every request. Also, both the server and client need to keep track of user data (e.g., the user's privileges or role). This can be done in two different ways:

diff --git a/Document/0x04f-Testing-Network-Communication.md b/Document/0x04f-Testing-Network-Communication.md
@@ -380,9 +380,6 @@ When a Xamarin app is configured to use a proxy (e.g. by using `WebRequest.Defau
 
 <img src="Images/Chapters/0x04f/burp_xamarin.png" width="100%" />
 
-<br/>
-<br/>
-
 #### CA Certificates
 
 If not already done, install the CA certificates in your mobile device which will allow us to intercept HTTPS requests:
@@ -548,25 +545,25 @@ Identify all of the tested application's critical operations (e.g., user enrollm
 
 ### Android
 
-- Android supported Cipher suites - [https://developer.android.com/reference/javax/net/ssl/SSLSocket#Cipher%20suites](https://developer.android.com/reference/javax/net/ssl/SSLSocket#Cipher%20suites)
-- Android documentation: Android 10 Changes - [https://developer.android.com/about/versions/10/behavior-changes-all](https://developer.android.com/about/versions/10/behavior-changes-all)
+- Android supported Cipher suites - <https://developer.android.com/reference/javax/net/ssl/SSLSocket#Cipher%20suites>
+- Android documentation: Android 10 Changes - <https://developer.android.com/about/versions/10/behavior-changes-all>
 
 ### iOS
 
-- iOS supported Cipher suites - [https://developer.apple.com/documentation/security/1550981-ssl_cipher_suite_values?language=objc](https://developer.apple.com/documentation/security/1550981-ssl_cipher_suite_values?language=objc)
+- iOS supported Cipher suites - <https://developer.apple.com/documentation/security/1550981-ssl_cipher_suite_values?language=objc>
 
 ### IANA Transport Layer Security (TLS) Parameters
 
-- TLS Cipher Suites - [https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4)
+- TLS Cipher Suites - <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4>
 
 ### OWASP TLS Cipher String Cheat Sheet
 
-- Recommendations for a cipher string - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/TLS_Cipher_String_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/TLS_Cipher_String_Cheat_Sheet.md)
+- Recommendations for a cipher string - <https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/TLS_Cipher_String_Cheat_Sheet.md>
 
 ### SIM Swapping attacks
 
-- The SIM Hijackers - [https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin](https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin)
-- SIM swapping: how the mobile security feature can lead to a hacked bank account - [https://www.fintechnews.org/sim-swapping-how-the-mobile-security-feature-can-lead-to-a-hacked-bank-account/](https://www.fintechnews.org/sim-swapping-how-the-mobile-security-feature-can-lead-to-a-hacked-bank-account/)
+- The SIM Hijackers - <https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin>
+- SIM swapping: how the mobile security feature can lead to a hacked bank account - <https://www.fintechnews.org/sim-swapping-how-the-mobile-security-feature-can-lead-to-a-hacked-bank-account/>
 
 ### NIST
 
@@ -575,36 +572,33 @@ Identify all of the tested application's critical operations (e.g., user enrollm
 ### SIM Swap Fraud
 
 - <https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin>
-- How to protect yourself against a SIM swap attack - [https://www.wired.com/story/sim-swap-attack-defend-phone/](https://www.wired.com/story/sim-swap-attack-defend-phone/)
-
-<br/>
-<br/>
+- How to protect yourself against a SIM swap attack - <https://www.wired.com/story/sim-swap-attack-defend-phone/>
 
 ### IETF
 
-- RFC 6176 - [https://tools.ietf.org/html/rfc6176](https://tools.ietf.org/html/rfc6176)
-- RFC 6101 - [https://tools.ietf.org/html/rfc6101](https://tools.ietf.org/html/rfc6101)
-- RFC 2246 - [https://www.ietf.org/rfc/rfc2246](https://www.ietf.org/rfc/rfc2246)
-- RFC 4346 - [https://tools.ietf.org/html/rfc4346](https://tools.ietf.org/html/rfc4346)
-- RFC 5246 - [https://tools.ietf.org/html/rfc5246](https://tools.ietf.org/html/rfc5246)
-- RFC 8446 - [https://tools.ietf.org/html/rfc8446](https://tools.ietf.org/html/rfc8446)
-- RFC 6979 - [https://tools.ietf.org/html/rfc6979](https://tools.ietf.org/html/rfc6979)
-- RFC 8017 - [https://tools.ietf.org/html/rfc8017](https://tools.ietf.org/html/rfc8017)
-- RFC 2631 - [https://tools.ietf.org/html/rfc2631](https://tools.ietf.org/html/rfc2631)
-- RFC 7919 - [https://tools.ietf.org/html/rfc7919](https://tools.ietf.org/html/rfc7919)
-- RFC 4492 - [https://tools.ietf.org/html/rfc4492](https://tools.ietf.org/html/rfc4492)
-- RFC 4279 - [https://tools.ietf.org/html/rfc4279](https://tools.ietf.org/html/rfc4279)
-- RFC 2631 - [https://tools.ietf.org/html/rfc2631](https://tools.ietf.org/html/rfc2631)
-- RFC 8422 - [https://tools.ietf.org/html/rfc8422](https://tools.ietf.org/html/rfc8422)
-- RFC 5489 - [https://tools.ietf.org/html/rfc5489](https://tools.ietf.org/html/rfc5489)
-- RFC 4772 - [https://tools.ietf.org/html/rfc4772](https://tools.ietf.org/html/rfc4772)
-- RFC 1829 - [https://tools.ietf.org/html/rfc1829](https://tools.ietf.org/html/rfc1829)
-- RFC 2420 - [https://tools.ietf.org/html/rfc2420](https://tools.ietf.org/html/rfc2420)
-- RFC 3268 - [https://tools.ietf.org/html/rfc3268](https://tools.ietf.org/html/rfc3268)
-- RFC 5288 - [https://tools.ietf.org/html/rfc5288](https://tools.ietf.org/html/rfc5288)
-- RFC 7465 - [https://tools.ietf.org/html/rfc7465](https://tools.ietf.org/html/rfc7465)
-- RFC 7905 - [https://tools.ietf.org/html/rfc7905](https://tools.ietf.org/html/rfc7905)
-- RFC 7539 - [https://tools.ietf.org/html/rfc7539](https://tools.ietf.org/html/rfc7539)
-- RFC 6151 - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)
-- RFC 6234 - [https://tools.ietf.org/html/rfc6234](https://tools.ietf.org/html/rfc6234)
-- RFC 8447 - [https://tools.ietf.org/html/rfc8447#section-8](https://tools.ietf.org/html/rfc8447#section-8)
+- RFC 6176 - <https://tools.ietf.org/html/rfc6176>
+- RFC 6101 - <https://tools.ietf.org/html/rfc6101>
+- RFC 2246 - <https://www.ietf.org/rfc/rfc2246>
+- RFC 4346 - <https://tools.ietf.org/html/rfc4346>
+- RFC 5246 - <https://tools.ietf.org/html/rfc5246>
+- RFC 8446 - <https://tools.ietf.org/html/rfc8446>
+- RFC 6979 - <https://tools.ietf.org/html/rfc6979>
+- RFC 8017 - <https://tools.ietf.org/html/rfc8017>
+- RFC 2631 - <https://tools.ietf.org/html/rfc2631>
+- RFC 7919 - <https://tools.ietf.org/html/rfc7919>
+- RFC 4492 - <https://tools.ietf.org/html/rfc4492>
+- RFC 4279 - <https://tools.ietf.org/html/rfc4279>
+- RFC 2631 - <https://tools.ietf.org/html/rfc2631>
+- RFC 8422 - <https://tools.ietf.org/html/rfc8422>
+- RFC 5489 - <https://tools.ietf.org/html/rfc5489>
+- RFC 4772 - <https://tools.ietf.org/html/rfc4772>
+- RFC 1829 - <https://tools.ietf.org/html/rfc1829>
+- RFC 2420 - <https://tools.ietf.org/html/rfc2420>
+- RFC 3268 - <https://tools.ietf.org/html/rfc3268>
+- RFC 5288 - <https://tools.ietf.org/html/rfc5288>
+- RFC 7465 - <https://tools.ietf.org/html/rfc7465>
+- RFC 7905 - <https://tools.ietf.org/html/rfc7905>
+- RFC 7539 - <https://tools.ietf.org/html/rfc7539>
+- RFC 6151 - <https://tools.ietf.org/html/rfc6151>
+- RFC 6234 - <https://tools.ietf.org/html/rfc6234>
+- RFC 8447 - <https://tools.ietf.org/html/rfc8447#section-8>
diff --git a/Document/0x04g-Testing-Cryptography.md b/Document/0x04g-Testing-Cryptography.md
@@ -20,10 +20,6 @@ Encryption algorithms converts plaintext data into cipher text that conceals the
 
 **Key Derivation Functions** (KDFs) derive secret keys from a secret value (such as a password) and are used to turn keys into other formats or to increase their length. KDFs are similar to hashing functions but have other uses as well (for example, they are used as components of multi-party key-agreement protocols). While both hashing functions and KDFs must be difficult to reverse, KDFs have the added requirement that the keys they produce must have a level of randomness.
 
-<br/>
-<br/>
-<br/>
-
 ## Identifying Insecure and/or Deprecated Cryptographic Algorithms (MSTG-CRYPTO-4)
 
 When assessing a mobile app, you should make sure that it does not use cryptographic algorithms and protocols that have significant known weaknesses or are otherwise insufficient for modern security requirements. Algorithms that were considered secure in the past may become insecure over time; therefore, it's important to periodically check current best practices and adjust configurations accordingly.

diff --git a/Document/0x04i-Testing-User-Privacy-Protection.md b/Document/0x04i-Testing-User-Privacy-Protection.md
@@ -146,10 +146,10 @@ Testing this might be especially challenging if you intend to automate it. We re
 
 ## References
 
-- Open-Source Licenses and Android - [https://www.bignerdranch.com/blog/open-source-licenses-and-android/](https://www.bignerdranch.com/blog/open-source-licenses-and-android/)
-- Software Licenses in Plain English - [https://tldrlegal.com/](https://tldrlegal.com/)
-- Apple Human Interface Guidelines - [https://developer.apple.com/design/human-interface-guidelines/ios/app-architecture/requesting-permission/](https://developer.apple.com/design/human-interface-guidelines/ios/app-architecture/requesting-permission/)
-- Android App permissions best practices - [https://developer.android.com/training/permissions/requesting.html#explain](https://developer.android.com/training/permissions/requesting.html#explain)
+- Open-Source Licenses and Android - <https://www.bignerdranch.com/blog/open-source-licenses-and-android/>
+- Software Licenses in Plain English - <https://tldrlegal.com/>
+- Apple Human Interface Guidelines - <https://developer.apple.com/design/human-interface-guidelines/ios/app-architecture/requesting-permission/>
+- Android App permissions best practices - <https://developer.android.com/training/permissions/requesting.html#explain>
 
 ### OWASP MASVS