Subject: Claiming Card AA5 (Mobile App Edition)
Hi team! I'd like to work on Card AA5 ("Eiman can bypass the local authentication..."). My Approach: Scenario: Focus on "Eiman" using dynamic instrumentation (like Frida) to bypass a PIN check because he's too lazy to type it. I will create a PR shortly!
Description: This PR addresses Card AA5 (Authentication & Authorization) for the Mobile App Edition. I have added a humorous yet technical scenario ("Eiman") that explains local authentication bypass via dynamic instrumentation, consistent with the tone of other cards.
Changes
Related Issue: Fixes #2125
Subject: Claiming Card AA6 (Mobile App Edition)
Hi team! I'd like to work on Card AA6 ("Anant can perform sensitive operations without additional authentication..."). My Approach: I will create a PR shortly!
The mobile app edition lacks descriptions for each of the cards in the edition on the website (see issue: #2109).
Work has started on filling out the descriptions for some of the cards based on the MASTG and MASVS mapping and the physical card descriptions:
https://cornucopia.owasp.org/cards/AA2
https://cornucopia.owasp.org/cards/AA3
The descriptions are made humorous on purpose in order to give the game a playful feel, but the remaining cards need to be filled out in the same way, each with a unique scenario and STRIDE category (e.g. https://cornucopia.owasp.org/cards/ATK#STRIDE).
If you want to contribute, please tell us which card you want to work on here; you can only work on one card at a time. Early bird gets the worm!
The text for each card can be found here: https://github.com/OWASP/cornucopia/tree/master/cornucopia.owasp.org/data/cards/mobileapp-cards-1.1-en
The situation falls under the {fill in STRIDE category} category in the STRIDE threat modeling framework.