Repository layout:

```
├── OWASP_WSTG_ASVS_en.json
├── OWASP_WSTG_ASVS_es.json
├── README.md
├── Reports
│   ├── en
│   │   └── .gitkeep
│   └── fr
│       └── .gitkeep
├── Vulnerabilities
│   ├── en
│   │   └── .gitkeep
│   └── fr
│       └── .gitkeep
├── automatic_merge.side
└── parse_wstg.py
```

/README.md:
--------------------------------------------------------------------------------

# Pwndoc-NG Database

This repository contains vulnerability databases for pwndoc-ng and custom templates.

# Vulnerabilities

https://user-images.githubusercontent.com/53094530/217284618-c0b2ad71-465c-40af-87db-1111c33f8490.mp4

If you want to pre-populate your pwndoc-ng with vulnerabilities:

1. The vulnerabilities are taken from the spreadsheet at https://github.com/JulianGR/OWASP_WSTG_ASVS
2. To import them,
   1. Create 'es' and 'en' locales. They have to be exactly that, otherwise pwndoc-ng won't recognize the vulns.
   2. Use the two `.json` files and go to Custom data > Import
3. To merge them automatically, just like in the video, download the Selenium IDE extension in your browser. NOTE: for me, it worked only in Firefox (https://addons.mozilla.org/es/firefox/addon/selenium-ide/), NOT in Chrome or Opera.
4. Open the script and click "Run all tests"
5. Success

# For developers

## Parsing script
If you are a user and only want to import vulns, you don't have to use the script. However, if you want more control over what you import, there are a few considerations:

+ If you want a different locale, change the main:

```py
# main([NAME OF THE SPREADSHEET FILE], [NAME OF THE SHEET], [LOCALE], [CATEGORY OF VULNS])
```

+ The script is very much customized to parse the spreadsheet. For example, the markdown in the spreadsheet cells is converted to HTML (with the `markdown` package) so that the vulns keep their formatting when they appear in pwndoc-ng. If there are future changes to the spreadsheet, I will make the script compatible. More languages are going to be added with time (pull request them =D )
+ If you want to add custom fields to vulnerabilities, you first have to export, in `.yaml`, vulnerabilities that you created by hand with that custom field, then figure out which ID the field has, then paste it into and uncomment the "custom field section" in the script.

## Selenium script
+ Right now, the loop is executed 118 times since there are exactly 118 vulnerabilities in the spreadsheet. Again, if there are future changes to the spreadsheet, I will make the script compatible. More languages are going to be added with time (pull request them =D )
+ This method of automatic merging works because, while the ordering in the "Vulnerabilities" view is alphabetical, the ordering in the merge pop-up is not alphabetical.

--------------------------------------------------------------------------------

Empty placeholder files (contents at commit e2c50270c0c3a33337451a00546bb4e6317b04ea):

- /Reports/en/.gitkeep: https://raw.githubusercontent.com/pwndoc-ng/pwndoc-ng-database/e2c50270c0c3a33337451a00546bb4e6317b04ea/Reports/en/.gitkeep
- /Reports/fr/.gitkeep: https://raw.githubusercontent.com/pwndoc-ng/pwndoc-ng-database/e2c50270c0c3a33337451a00546bb4e6317b04ea/Reports/fr/.gitkeep
- /Vulnerabilities/en/.gitkeep: https://raw.githubusercontent.com/pwndoc-ng/pwndoc-ng-database/e2c50270c0c3a33337451a00546bb4e6317b04ea/Vulnerabilities/en/.gitkeep
- /Vulnerabilities/fr/.gitkeep: https://raw.githubusercontent.com/pwndoc-ng/pwndoc-ng-database/e2c50270c0c3a33337451a00546bb4e6317b04ea/Vulnerabilities/fr/.gitkeep

--------------------------------------------------------------------------------

/automatic_merge.side:
--------------------------------------------------------------------------------

```json
{
  "id": "70079d99-aed2-4766-aab9-9b810cbb0d65",
  "version": "2.0",
  "name": "merge",
  "url": "https://localhost:8443",
  "tests": [{
    "id": "cd47bd4c-ed3a-4dfc-aae2-88285d38964c",
    "name": "automatic_merge",
    "commands": [{
      "id": "bfdce2af-3f1b-42cc-a314-498c28d065c8",
      "comment": "",
      "command": "open",
      "target": "/vulnerabilities",
      "targets": [],
      "value": ""
    }, {
      "id": "5c898346-2ad9-4970-b5f8-152c07465c44",
      "comment": "",
      "command": "setWindowSize",
      "target": "1936x1056",
      "targets": [],
      "value": ""
    }, {
      "id": "33233dee-b21b-4f8e-9d8b-66c56020227e",
      "comment": "",
      "command": "click",
      "target": "css=.q-btn:nth-child(5) .block",
      "targets": [
        ["css=.q-btn:nth-child(5) .block", "css:finder"],
        ["xpath=//div[@id='q-app']/div/div/div/div/div/div/div/button/span[2]/span/span", "xpath:idRelative"],
        ["xpath=//div/div/button/span[2]/span/span", "xpath:position"]
      ],
      "value": ""
    }, {
      "id": "88dfcd6a-9ebf-4c5e-aa7b-8bdd1ef8e65d",
      "comment": "",
      "command": "mouseOver",
      "target": "css=.q-btn:nth-child(5) .block",
      "targets": [
        ["css=.q-btn:nth-child(5) .block", "css:finder"],
        ["xpath=//div[@id='q-app']/div/div/div/div/div/div/div/button/span[2]/span/span", "xpath:idRelative"],
        ["xpath=//div/div/button/span[2]/span/span", "xpath:position"]
      ],
      "value": ""
    }, {
      "id": "a44bd7b6-f424-405a-b892-5f0f002c0802",
      "comment": "",
      "command": "mouseOut",
      "target": "css=.q-btn:nth-child(5) .block",
      "targets": [
        ["css=.q-btn:nth-child(5) .block", "css:finder"],
        ["xpath=//div[@id='q-app']/div/div/div/div/div/div/div/button/span[2]/span/span", "xpath:idRelative"],
        ["xpath=//div/div/button/span[2]/span/span", "xpath:position"]
      ],
      "value": ""
    }, {
      "id": "8daa1654-7945-47d5-844c-d4d389ef9622",
      "comment": "",
      "command": "click",
      "target": "css=.col-md-6 .q-field__native",
      "targets": [
        ["css=.col-md-6 .q-field__native", "css:finder"],
        ["xpath=//div[2]/div/div/label/div/div/div/div", "xpath:position"]
      ],
      "value": ""
    }, {
      "id": "0ef9a284-1711-430d-b5d1-5d5625e05562",
      "comment": "",
      "command": "click",
      "target": "xpath=//div[4]/div[2]/div[1]/div[2]/div",
      "targets": [
        ["css=#f_f626ada7-635d-405a-bf18-609fb23665df_0 > .q-item__section", "css:finder"],
        ["xpath=//div[@id='f_f626ada7-635d-405a-bf18-609fb23665df_0']/div[2]", "xpath:idRelative"],
        ["xpath=//div[4]/div[2]/div/div[2]", "xpath:position"]
      ],
      "value": ""
    }, {
      "id": "4b2fbd50-88cf-4040-b3d9-69cbe39fec14",
      "comment": "",
      "command": "runScript",
      "target": "window.scrollTo(0,0)",
      "targets": [],
      "value": ""
    }, {
      "id": "9e6ba514-28e1-4dd9-8dcb-cda13f390c00",
      "comment": "",
      "command": "click",
      "target": "css=.col > .q-card__section .q-field__native",
      "targets": [
        ["css=.col > .q-card__section .q-field__native", "css:finder"],
        ["xpath=//div[2]/div/label/div/div/div/div", "xpath:position"]
      ],
      "value": ""
    }, {
      "id": "4d2d8856-8dea-436a-852b-ec0b5ea534fb",
      "comment": "",
      "command": "click",
      "target": "xpath=//div[4]/div[2]/div[2]/div[2]/div",
      "targets": [
        ["css=#f_928dabe5-88aa-4c82-94c4-d7e8058f3db1_1 .q-item__label", "css:finder"],
        ["xpath=//div[@id='f_928dabe5-88aa-4c82-94c4-d7e8058f3db1_1']/div[2]/div", "xpath:idRelative"],
        ["xpath=//div[4]/div[2]/div[2]/div[2]/div", "xpath:position"]
      ],
      "value": ""
    }, {
      "id": "c06eb1f0-6ed1-4945-8a42-cebfe6deaa4a",
      "comment": "INTRODUCE HERE NUMBER OF VULNERABILITIES",
      "command": "times",
      "target": "118",
      "targets": [],
      "value": ""
    }, {
      "id": "f4a91776-601d-421b-be2e-df5d14d620c7",
      "comment": "",
      "command": "click",
      "target": "css=.col-md-6 .q-pl-none:nth-child(1) .q-item__label",
      "targets": [
        ["css=.col-md-6 .q-pl-none:nth-child(1) .q-item__label", "css:finder"],
        ["xpath=//label/div[3]/div", "xpath:position"]
      ],
      "value": ""
    }, {
      "id": "ba14a85a-2816-44e0-962d-6b37b8a2e79c",
      "comment": "",
      "command": "click",
      "target": "css=.col .q-pl-none:nth-child(1) .q-item__label",
      "targets": [
        ["css=.col .q-pl-none:nth-child(1) .q-item__label", "css:finder"],
        ["xpath=//div[2]/div[2]/div/div/div/div/label/div[3]/div", "xpath:position"]
      ],
      "value": ""
    }, {
      "id": "53213240-fba8-45bf-9537-07d8d8163347",
      "comment": "",
      "command": "click",
      "target": "css=.q-card__actions .q-btn__content",
      "targets": [
        ["css=.q-card__actions .q-btn__content", "css:finder"],
        ["xpath=//div[3]/button/span[2]/span", "xpath:position"]
      ],
      "value": ""
    }, {
      "id": "0e5930b2-b688-420a-8659-563570f4503e",
      "comment": "",
      "command": "end",
      "target": "",
      "targets": [],
      "value": ""
    }]
  }],
  "suites": [{
    "id": "8167e4c4-85d6-40e1-acef-287d7593d8de",
    "name": "Default Suite",
    "persistSession": false,
    "parallel": false,
    "timeout": 300,
    "tests": ["cd47bd4c-ed3a-4dfc-aae2-88285d38964c"]
  }],
  "urls": ["https://localhost:8443/"],
  "plugins": []
}
```

--------------------------------------------------------------------------------

/parse_wstg.py:
--------------------------------------------------------------------------------

```python
import json

import markdown
import pandas


def main(file, sheet_name, locale, vuln_type):

    # ===============
    # Read Excel
    # ===============

    excel_data_df = pandas.read_excel(file, sheet_name)
    thisisjson = excel_data_df.to_json(orient='records')
    thisisjson_dict = json.loads(thisisjson)

    # ===============
    # Parsing
    # ===============

    final_json = []

    for i in range(len(excel_data_df.index)):
        line = thisisjson_dict[i]

        details_dict = {}
        references = []

        # One reference per line in the cell; drop the leading "- " bullet.
        # Empty cells come back from to_json as None, hence the `or ''`.
        tmp = (line.get('References') or '').strip().split('\n')
        for j in range(len(tmp)):
            references.append(tmp[j].replace('- https', 'https').strip())

        details_dict['references'] = references

        '''
        # If you want to populate vulns with existing custom
        # field, you have first to export a sample vuln with
        # created custom field and obtain its reference.
        #
        # TODO
        # See Custom Fields in documentation

        custom_fields_dict = {
            "customField": "63d264980841f2001194541c",
            "text": "N/A"
        }
        custom_fields = [custom_fields_dict]
        details_dict['customFields'] = custom_fields
        '''

        details_dict['locale'] = locale
        details_dict['title'] = line.get('Title')
        details_dict['vulnType'] = vuln_type

        # The cells are written in markdown; convert them to HTML so the
        # formatting survives in pwndoc-ng.
        details_dict['description'] = markdown.markdown((line.get('Description') or '').strip())
        details_dict['observation'] = markdown.markdown((line.get('Impact') or '').strip())
        details_dict['remediation'] = markdown.markdown((line.get('Remediation') or '').strip())

        dict_to_write = {}
        dict_to_write['cvssv3'] = line.get('Recommended CVSSv3')
        dict_to_write['category'] = line.get('Category')
        dict_to_write['details'] = [details_dict]

        final_json.append(dict_to_write)

    # ===============
    # Writing JSON
    # ===============
    filename_to_write = file.replace('.xlsx', '').replace('.xls', '') + "_" + locale + '.json'
    with open(filename_to_write, 'w', encoding='utf8') as json_file:
        json.dump(final_json, json_file, indent=4, ensure_ascii=False)

    # ===============
    # Replacing
    # ===============

    # read produced file
    with open(filename_to_write, 'r', encoding='utf8') as json_file:
        filedata = json_file.read()
    # tidy the bullet lines, then drop the escaped newlines json.dump emitted
    filedata = filedata.replace('\n  • ', '\n  • ')
    filedata = filedata.replace('\n\n  • ', '\n\n    ')
    filedata = filedata.replace(r'\n', '')

    # Write the file out again
    with open(filename_to_write, 'w', encoding='utf8') as json_file:
        json_file.write(filedata)


if __name__ == '__main__':

    main("OWASP_WSTG_ASVS.xlsx", "vulns_ESP", "es", "OWASP WSTG")
    main("OWASP_WSTG_ASVS.xlsx", "vulns_ENG", "en", "OWASP WSTG")
```

--------------------------------------------------------------------------------
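The README warns that pwndoc-ng only recognizes the vulns if the locales are exactly `en` and `es`, and the parsing script above assembles the JSON from spreadsheet cells without checking what ended up in them. As an added example (not code from the pwndoc-ng-database repository or from pwndoc-ng itself), the following stdlib-only Python script checks a file of the shape `parse_wstg.py` writes (`cvssv3`, `category`, `details[{locale, title, vulnType, description, observation, remediation, references}]`) before it goes through Custom data > Import: wrong locale, a CVSS score where a vector is expected, references that are not URLs (for instance a bullet the `- https` replacement did not strip), missing keys, and duplicate titles within a locale. The sample records, the CVSS vector regex and the URL test are the example's own assumptions; the locale rule comes from the README.

```python
"""Pre-import sanity check for a pwndoc-ng vulnerability export (added example)."""
import json
import re
from urllib.parse import urlparse

# Locales the README says pwndoc-ng expects for these databases.
ALLOWED_LOCALES = {"en", "es"}

# CVSS v3.0 / v3.1 base vector: eight mandatory metrics in fixed order
# (the example's own check; pwndoc-ng's exact validation is not assumed).
CVSS3_RE = re.compile(
    r"^CVSS:3\.[01]/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]"
    r"/C:[NLH]/I:[NLH]/A:[NLH]$"
)

REQUIRED_DETAIL_KEYS = (
    "locale", "title", "vulnType", "description",
    "observation", "remediation", "references",
)


def is_http_url(ref):
    """True when the reference is an absolute http(s) URL with a host."""
    parsed = urlparse(ref.strip())
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def check_record(record, index):
    """Return a list of problems for one top-level record (empty list = clean)."""
    problems = []
    where = f"record {index}"

    cvss = record.get("cvssv3")
    if not isinstance(cvss, str) or not CVSS3_RE.match(cvss.strip()):
        problems.append(f"{where}: cvssv3 {cvss!r} is not a CVSS v3 base vector")
    if not (record.get("category") or "").strip():
        problems.append(f"{where}: category is empty")

    details = record.get("details") or []
    if not details:
        problems.append(f"{where}: no details block")
    for detail in details:
        for key in REQUIRED_DETAIL_KEYS:
            if key not in detail:
                problems.append(f"{where}: detail is missing {key!r}")
        if detail.get("locale") not in ALLOWED_LOCALES:
            problems.append(f"{where}: locale {detail.get('locale')!r} is not one of {sorted(ALLOWED_LOCALES)}")
        if not (detail.get("title") or "").strip():
            problems.append(f"{where}: title is empty")
        for ref in detail.get("references") or []:
            if not is_http_url(ref):
                problems.append(f"{where}: reference {ref!r} is not an http(s) URL")
    return problems


def check_export(records):
    """Check every record and flag duplicate (locale, title) pairs across the file."""
    problems = []
    seen = set()
    for index, record in enumerate(records):
        problems.extend(check_record(record, index))
        for detail in record.get("details") or []:
            key = (detail.get("locale"), (detail.get("title") or "").strip().lower())
            if key in seen:
                problems.append(f"record {index}: duplicate of an earlier {key[0]!r} entry titled {key[1]!r}")
            seen.add(key)
    return problems


def load_export(path):
    """Load a JSON file produced by parse_wstg.py."""
    with open(path, encoding="utf8") as fh:
        return json.load(fh)


# Constructed sample (not from the real spreadsheet): record 0 is well-formed;
# record 1 has a non-standard locale, a bare score instead of a vector, and a
# reference whose bullet was not stripped.
SAMPLE_EXPORT = [
    {
        "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "category": "OWASP WSTG",
        "details": [{
            "locale": "en",
            "title": "Sensitive information disclosed in error messages",
            "vulnType": "OWASP WSTG",
            "description": "<p>Stack traces are returned to the client.</p>",
            "observation": "<p>Internal paths and component versions are exposed.</p>",
            "remediation": "<p>Return generic error pages and log details server-side.</p>",
            "references": ["https://owasp.org/www-project-web-security-testing-guide/"],
        }],
    },
    {
        "cvssv3": "7.5",
        "category": "OWASP WSTG",
        "details": [{
            "locale": "english",
            "title": "Missing rate limiting on login",
            "vulnType": "OWASP WSTG",
            "description": "<p>No throttling on the login form.</p>",
            "observation": "<p>Repeated failed logins are not slowed down.</p>",
            "remediation": "<p>Add rate limiting and account lockout.</p>",
            "references": ["* https://owasp.org/www-project-web-security-testing-guide/"],
        }],
    },
]


if __name__ == "__main__":
    for problem in check_export(SAMPLE_EXPORT):
        print(problem)
```

Run it against a real export with `check_export(load_export("OWASP_WSTG_ASVS_en.json"))`; an empty list means the file is consistent with the shape the parser produces and the locale rule from the README, and each problem string names the record index so it can be traced back to the spreadsheet row.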