fix links (#2610)
* fix links
cpholguera authored Apr 28, 2024
1 parent 5354699 commit 5ccb6ca
Showing 17 changed files with 35 additions and 17 deletions.
9 changes: 9 additions & 0 deletions apps/ios/MASTG-APP-0025.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
title: iOS UnCrackable L1
platform: ios
source: https://mas.owasp.org/crackmes/iOS#ios-uncrackable-l1
---

A secret string is hidden somewhere in this app. Find a way to extract it.

> By [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller")
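Review bot: the title in the front matter, "iOS UnCrackable L1", does not match the name the technique pages in this same commit use when they link to this file ("UnCrackable App for iOS Level 1", e.g. in MASTG-TECH-0079.md and MASTG-TECH-0084.md). Pick one form for the title so the rendered link text and the page heading agree; the same applies to the L2 page.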
9 changes: 9 additions & 0 deletions apps/ios/MASTG-APP-0026.md
@@ -0,0 +1,9 @@
---
title: iOS UnCrackable L2
platform: ios
source: https://mas.owasp.org/crackmes/iOS#ios-uncrackable-l2
---

This app holds a secret inside - and this time it won't be tampered with!

> By [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller")
4 changes: 2 additions & 2 deletions techniques/android/MASTG-TECH-0108.md
Expand Up @@ -9,9 +9,9 @@ In taint analysis, data flows from a "source" to a "sink". A source is where sen

In large applications, manual information flow analysis can be very time consuming and inaccurate. Taint analysis automates this, with two main methods: static and dynamic. The former examines code without running it, offering broad coverage but potentially yielding false positives. In contrast, dynamic analysis observes real-time application execution, providing actual context but possibly overlooking untriggered issues. A thorough comparison of these techniques is beyond this section's scope.

There are multiple tools which perform taint analysis on native code, including [Triton](https://github.com/jonathansalwan/Triton "Triton") and [bincat](https://github.com/airbus-seclab/bincat "bincat"). However, in this section, we'll primarily focus on Android Java code and utilize [FlowDroid](../../apps/android/MASTG-APP-0099.md "FlowDroid") for the taint analysis. Another notable tool supporting taint analysis for Android apps is [GDA](https://github.com/charles2gan/GDA-android-reversing-Tool/wiki/GDA-Static-Taint-Analysis "GDA").
There are multiple tools which perform taint analysis on native code, including [Triton](https://github.com/jonathansalwan/Triton "Triton") and [bincat](https://github.com/airbus-seclab/bincat "bincat"). However, in this section, we'll primarily focus on Android Java code and utilize [FlowDroid](../../../apps/android/MASTG-APP-0099.md "FlowDroid") for the taint analysis. Another notable tool supporting taint analysis for Android apps is [GDA](https://github.com/charles2gan/GDA-android-reversing-Tool/wiki/GDA-Static-Taint-Analysis "GDA").

For our demonstration, we'll use [FlowDroid](../../tools/android/MASTG-TOOL-0099.md)'s command line tool to perform taint analysis on the [InsecureShop v1.0](https://github.com/hax0rgb/InsecureShop/releases/tag/v1.0 "InsecureShop") application.
For our demonstration, we'll use [FlowDroid](../../../tools/android/MASTG-TOOL-0099.md)'s command line tool to perform taint analysis on the [InsecureShop v1.0](https://github.com/hax0rgb/InsecureShop/releases/tag/v1.0 "InsecureShop") application.

The InsecureShop app accepts a username and password as input and stores them in the app's shared preferences. In our taint analysis, we're interested in how this stored username and password are used. In this context, the username and password are the sensitive information, and reading from shared preferences is the source. The sink in this analysis could be various operations, such as sending info over the network, transmitting info via an `Intent`, or storing info in an external file.

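Review bot: the two FlowDroid links in this hunk disagree: the "There are multiple tools" line links FlowDroid to ../../../apps/android/MASTG-APP-0099.md, while the "For our demonstration" line two lines below links it to ../../../tools/android/MASTG-TOOL-0099.md. FlowDroid is a tool, so the apps/ path looks like a copy-paste slip that this change carries over from the old link; suggest `[FlowDroid](../../../tools/android/MASTG-TOOL-0099.md "FlowDroid")` in both places. Also worth confirming the depth: from techniques/android/ three `../` segments resolve above the repository root, so these links only work if the page is rendered from a deeper docs location than the path shown in the file header.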
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0053.md
Expand Up @@ -17,7 +17,7 @@ $ scp -P 2222 root@localhost:/tmp/data.tgz .

## Grapefruit

After starting [Grapefruit](../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") you can select the app that is in scope for testing. There are various functions available, of which one is called "Finder". When selecting it, you will get a listing of the directories of the app sandbox.
After starting [Grapefruit](../../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") you can select the app that is in scope for testing. There are various functions available, of which one is called "Finder". When selecting it, you will get a listing of the directories of the app sandbox.

<img src="Images/Chapters/0x06b/grapefruit_data_dir.png" width="100%" />

2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0057.md
Expand Up @@ -20,6 +20,6 @@ $ frida-ps -Uai

It also shows which of them are currently running. Take a note of the "Identifier" (bundle identifier) and the PID if any as you'll need them afterwards.

You can also directly open [Grapefruit](../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") and after selecting your iOS device you'll get the list of installed apps.
You can also directly open [Grapefruit](../../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") and after selecting your iOS device you'll get the list of installed apps.

<img src="Images/Chapters/0x06b/grapefruit_installed_apps.png" width="400px" />
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0058.md
Expand Up @@ -97,7 +97,7 @@ iOS apps can make their codebase modular by using different elements. In the MAS
- [Binary Frameworks (`XCFrameworks`)](https://developer.apple.com/videos/play/wwdc2019/416/): Xcode 11 supports distributing binary libraries using the `XCFrameworks` format which is a new way to bundle up multiple variants of a Framework, e.g. for any of the platforms that Xcode supports (including simulator and devices). They can also bundle up static libraries (and their corresponding headers) and support binary distribution of Swift and C-based code. `XCFrameworks` can be [distributed as Swift Packages](https://developer.apple.com/documentation/swift_packages/distributing_binary_frameworks_as_swift_packages).
- [Swift Packages](https://developer.apple.com/documentation/swift_packages): Xcode 11 add supports for Swift packages, which are reusable components of Swift, Objective-C, Objective-C++, C, or C++ code that developers can use in their projects and are distributed as source code. Since Xcode 12 they can also [bundle resources](https://developer.apple.com/videos/play/wwdc2020/10169/), such as images, storyboards, and other files. Since Package libraries are [static by default](https://developer.apple.com/videos/play/wwdc2019/408/?time=739). Xcode compiles them, and the packages they depend on, and then links and combines everything into the application.
You can view native libraries in [Grapefruit](../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") by clicking on the Modules icon in the left menu bar:
You can view native libraries in [Grapefruit](../../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") by clicking on the Modules icon in the left menu bar:
<img src="Images/Chapters/0x06b/grapefruit_modules.png" width="100%" />
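Review bot: nit in the unchanged context just above the changed line: "Xcode 11 add supports for Swift packages" should read "Xcode 11 adds support for Swift packages", and "Since Package libraries are static by default. Xcode compiles them" is a sentence fragment (drop "Since" or join the two sentences). Separately, the "You can view native libraries" line and the `<img>` after it follow the last list item with no blank line, so Markdown may fold them into the list; a blank line before each keeps them as their own paragraph. Both could go in a follow-up since this commit only touches the link.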
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0059.md
Expand Up @@ -124,7 +124,7 @@ Regular 420 None ... Info.plist
Regular 493 None ... iGoat-Swift
```

You can also visualize the Bundle directory from [Grapefruit](../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") by clicking on **Finder** -> **Bundle**:
You can also visualize the Bundle directory from [Grapefruit](../../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") by clicking on **Finder** -> **Bundle**:

<img src="Images/Chapters/0x06b/grapefruit_bundle_dir.png" width="100%" />

2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0061.md
Expand Up @@ -32,7 +32,7 @@ Finally, since the keychain dumper is executed from within the application conte

## Grapefruit (Jailbroken / non-Jailbroken)

With [Grapefruit](../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") it's possible to access the keychain data of the app you have selected. Inside the **Storage** section, click on **Keychain** and you can see a listing of the stored Keychain information.
With [Grapefruit](../../../tools/ios/MASTG-TOOL-0061.md "Grapefruit") it's possible to access the keychain data of the app you have selected. Inside the **Storage** section, click on **Keychain** and you can see a listing of the stored Keychain information.

<img src="Images/Chapters/0x06b/grapefruit_keychain.png" width="100%" />

2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0079.md
Expand Up @@ -17,7 +17,7 @@ Thanks to Apple's confusing provisioning and code-signing system, re-signing an

We'll use [optool](0x08a-Testing-Tools.md#optool), Apple's build tools, and some shell commands. Our method is inspired by [Vincent Tan's Swizzler project](https://github.com/vtky/Swizzler2/ "Swizzler"). [The NCC group](https://research.nccgroup.com/2016/10/12/ios-instrumentation-without-jailbreak/ "NCC blog - iOS instrumentation without jailbreak") has described an alternative repackaging method.

To reproduce the steps listed below, download [UnCrackable iOS App Level 1](0x08b-Reference-Apps.md#ios-uncrackable-l1) from the OWASP Mobile Testing Guide repository. Our goal is to make the UnCrackable app load `FridaGadget.dylib` during startup so we can instrument the app with Frida.
To reproduce the steps listed below, download [UnCrackable App for iOS Level 1](../../../apps/android/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") from the OWASP Mobile Testing Guide repository. Our goal is to make the UnCrackable app load `FridaGadget.dylib` during startup so we can instrument the app with Frida.

> Please note that the following steps apply to macOS only, as Xcode is only available for macOS.
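Review bot: the new link on the "To reproduce the steps listed below" line points to ../../../apps/android/MASTG-APP-0025.md, but the page this commit adds for the iOS UnCrackable L1 app is apps/ios/MASTG-APP-0025.md (its front matter says `platform: ios`). It should be `[UnCrackable App for iOS Level 1](../../../apps/ios/MASTG-APP-0025.md "UnCrackable App for iOS Level 1")`. The optool link two lines up still uses the old `0x08a-Testing-Tools.md#optool` target that the rest of this commit is replacing; MASTG-TECH-0090.md in this same commit links optool to ../../../tools/ios/MASTG-TOOL-0059.md.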
4 changes: 2 additions & 2 deletions techniques/ios/MASTG-TECH-0084.md
Expand Up @@ -136,7 +136,7 @@ Typing `image list` gives a list of main executable and all dependent libraries.

## Debugging Release Apps

In the previous section we learned about how to setup a debugging environment on an iOS device using LLDB. In this section we will use this information and learn how to debug a 3rd party release application. We will continue using the [UnCrackable App for iOS Level 1](0x08b-Reference-Apps.md#ios-uncrackable-l1) and solve it using a debugger.
In the previous section we learned about how to setup a debugging environment on an iOS device using LLDB. In this section we will use this information and learn how to debug a 3rd party release application. We will continue using the [UnCrackable App for iOS Level 1](../../../apps/android/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") and solve it using a debugger.

In contrast to a debug build, the code compiled for a release build is optimized to achieve maximum performance and minimum binary build size. As a general best practice, most of the debug symbols are stripped for a release build, adding a layer of complexity when reverse engineering and debugging the binaries.

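Review bot: the "We will continue using the" line links "UnCrackable App for iOS Level 1" to ../../../apps/android/MASTG-APP-0025.md, but the app page added in this commit lives under apps/ios/, not apps/android/. Use `../../../apps/ios/MASTG-APP-0025.md`.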
Expand All @@ -155,7 +155,7 @@ When a binary is opened in a disassembler like Ghidra, it loads a binary by emul

<img src="Images/Chapters/0x06c/debugging_ghidra_image_base_address.png" width="100%" />

From our previous analysis of the [UnCrackable Level 1 application](0x08b-Reference-Apps.md#ios-uncrackable-l1) in "[Manual (Reversed) Code Review](#manual-reversed-code-review)" section, the value of the hidden string is stored in a label with the `hidden` flag set. In the disassembly, the text value of this label is stored in register `X21`, stored via `mov` from `X0`, at offset 0x100004520. This is our _breakpoint offset_.
From our previous analysis of the [UnCrackable App for iOS Level 1](../../../apps/android/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") in "[Manual (Reversed) Code Review](#manual-reversed-code-review)" section, the value of the hidden string is stored in a label with the `hidden` flag set. In the disassembly, the text value of this label is stored in register `X21`, stored via `mov` from `X0`, at offset 0x100004520. This is our _breakpoint offset_.

<img src="Images/Chapters/0x06c/debugging_ghidra_breakpoint.png" width="100%" />

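Review bot: same directory mix-up in the "From our previous analysis" line: the link target is ../../../apps/android/MASTG-APP-0025.md while the file is apps/ios/MASTG-APP-0025.md. Change it to `../../../apps/ios/MASTG-APP-0025.md`.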
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0088.md
Expand Up @@ -19,7 +19,7 @@ Note that in order to install an IPA on Corellium devices it has to be unencrypt

## Unicorn

[Unicorn](http://www.unicorn-engine.org/ "Unicorn") is a lightweight, multi-architecture CPU emulator framework based on [QEMU](https://www.qemu.org/ "QEMU") and [goes beyond it](https://www.unicorn-engine.org/docs/beyond_qemu.html "Beyond QEMU") by adding useful features especially made for CPU emulation. Unicorn provides the basic infrastructure needed to execute processor instructions. In this section we will use [Unicorn's Python bindings](https://github.com/unicorn-engine/unicorn/tree/master/bindings/python "Unicorn Python bindings") to solve the [UnCrackable App for iOS Level 1](0x08b-Reference-Apps.md#ios-uncrackable-l1) challenge.
[Unicorn](http://www.unicorn-engine.org/ "Unicorn") is a lightweight, multi-architecture CPU emulator framework based on [QEMU](https://www.qemu.org/ "QEMU") and [goes beyond it](https://www.unicorn-engine.org/docs/beyond_qemu.html "Beyond QEMU") by adding useful features especially made for CPU emulation. Unicorn provides the basic infrastructure needed to execute processor instructions. In this section we will use [Unicorn's Python bindings](https://github.com/unicorn-engine/unicorn/tree/master/bindings/python "Unicorn Python bindings") to solve the [UnCrackable App for iOS Level 1](../../../apps/android/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") challenge.

To use Unicorn's _full power_, we would need to implement all the necessary infrastructure which generally is readily available from the operating system, e.g. binary loader, linker and other dependencies or use another higher level frameworks such as [Qiling](https://qiling.io "Qiling") which leverages Unicorn to emulate CPU instructions, but understands the OS context. However, this is superfluous for this very localized challenge where only executing a small part of the binary will suffice.

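Review bot: the UnCrackable link at the end of the Unicorn paragraph points to ../../../apps/android/MASTG-APP-0025.md; the page added in this commit is apps/ios/MASTG-APP-0025.md, so this should be `../../../apps/ios/MASTG-APP-0025.md`.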
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0089.md
Expand Up @@ -7,7 +7,7 @@ TODO: Currently don't have this, but we do have this section below which does ta

An introduction to binary analysis using binary analysis frameworks has already been discussed in the "[Dynamic Analysis](0x05c-Reverse-Engineering-and-Tampering.md#dynamic-analysis "Dynamic analysis")" section for Android. We recommend you to revisit this section and refresh the concepts on this subject.

For Android, we used Angr's symbolic execution engine to solve a challenge. In this section, we will firstly use Unicorn to solve the [UnCrackable App for iOS Level 1](0x08b-Reference-Apps.md#ios-uncrackable-l1) challenge and then we will revisit the Angr binary analysis framework to analyze the challenge but instead of symbolic execution we will use its concrete execution (or dynamic execution) features.
For Android, we used Angr's symbolic execution engine to solve a challenge. In this section, we will firstly use Unicorn to solve the [UnCrackable App for iOS Level 1](../../../apps/android/MASTG-APP-0025.md "UnCrackable App for iOS Level 1") challenge and then we will revisit the Angr binary analysis framework to analyze the challenge but instead of symbolic execution we will use its concrete execution (or dynamic execution) features.


## Angr
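Review bot: the "For Android, we used Angr's" line has the same wrong directory as the other iOS technique pages (apps/android/ instead of apps/ios/ for MASTG-APP-0025.md). In the unchanged context, the "Dynamic Analysis" link still points at `0x05c-Reverse-Engineering-and-Tampering.md#dynamic-analysis`, the old link form this commit is retiring (MASTG-TEST-0013.md in this commit uses ../../../Document/0x05c-Reverse-Engineering-and-Tampering.md); and the TODO in the hunk header suggests this page is still a placeholder, so it may be worth converting that link now while the file is being touched. Minor: there are two blank lines before "## Angr".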
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0090.md
Expand Up @@ -17,7 +17,7 @@ IF you want to use Frida on non-jailbroken devices you'll need to include `Frida
curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib
```

Copy `FridaGadget.dylib` into the app directory and use [optool](../../tools/ios/MASTG-TOOL-0059.md "optool") to add a load command to the "UnCrackable Level 1" binary.
Copy `FridaGadget.dylib` into the app directory and use [optool](../../../tools/ios/MASTG-TOOL-0059.md "optool") to add a load command to the "UnCrackable Level 1" binary.

```bash
$ unzip UnCrackable_Level1.ipa
2 changes: 1 addition & 1 deletion techniques/ios/MASTG-TECH-0092.md
Expand Up @@ -36,7 +36,7 @@ $ /usr/bin/codesign --force --sign 8004380F331DCA22CC1B47FB1A805890AE41C938 --en
Payload/UnCrackable Level 1.app/UnCrackable Level 1: replacing existing signature
```

Now you should be ready to run the modified app. Deploy and run the app on the device using [ios-deploy](../../tools/ios/MASTG-TOOL-0054.md "ios-deploy"):
Now you should be ready to run the modified app. Deploy and run the app on the device using [ios-deploy](../../../tools/ios/MASTG-TOOL-0054.md "ios-deploy"):

```bash
ios-deploy --debug --bundle Payload/UnCrackable\ Level\ 1.app/
2 changes: 1 addition & 1 deletion tests/android/MASVS-CRYPTO/MASTG-TEST-0013.md
Expand Up @@ -30,7 +30,7 @@ For each identified instance verify if the used symmetric keys:

For each hardcoded symmetric key, verify that is not used in security-sensitive contexts as the only method of encryption.

As an example we illustrate how to locate the use of a hardcoded encryption key. First [disassemble and decompile](../../../Document/0x05c-Reverse-Engineering-and-Tampering.md#disassembling-and-decompiling) the app to obtain Java code, e.g. by using [jadx](../../../tools/android/MASTG-TOOL-0018.md#resources).
As an example we illustrate how to locate the use of a hardcoded encryption key. First [disassemble and decompile](../../../Document/0x05c-Reverse-Engineering-and-Tampering.md#disassembling-and-decompiling) the app to obtain Java code, e.g. by using [jadx](../../../../tools/android/MASTG-TOOL-0018.md#resources).

Now search the files for the usage of the `SecretKeySpec` class, e.g. by simply recursively grepping on them or using jadx search function:

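Review bot: the two links on the changed line use different depths: the disassemble/decompile link stays at ../../../Document/0x05c-Reverse-Engineering-and-Tampering.md while the jadx link becomes ../../../../tools/android/MASTG-TOOL-0018.md. From tests/android/MASVS-CRYPTO/ three `../` segments already reach the repository root, so both cannot resolve in the same rendering context; pick the depth that matches where the page is rendered and use it for both. The codesign links changed in tests/ios/MASVS-RESILIENCE/ in this commit raise the same question.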
2 changes: 1 addition & 1 deletion tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md
Expand Up @@ -13,7 +13,7 @@ masvs_v1_levels:

## Static Analysis

You have to ensure that the app is [using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format). You can retrieve the signing certificate information from the application's .app file with [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign"). Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system.
You have to ensure that the app is [using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format). You can retrieve the signing certificate information from the application's .app file with [codesign](../../../../tools/ios/MASTG-TOOL-0101.md "codesign"). Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system.

After you get the application's IPA file, re-save it as a ZIP file and decompress the ZIP file. Navigate to the Payload directory, where the application's .app file will be.

2 changes: 1 addition & 1 deletion tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md
Expand Up @@ -15,7 +15,7 @@ masvs_v1_levels:

Inspect the app entitlements and check the value of `get-task-allow` key. If it is set to `true`, the app is debuggable.

Using [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign"):
Using [codesign](../../../../tools/ios/MASTG-TOOL-0101.md "codesign"):

```bash
$ codesign -d --entitlements - iGoat-Swift.app