...

https://github.com/bruntonspall/security-workshop

OSCON 2015 Presentation

Some of the items that should be tested: 

...

Code Block
Scenario: Users can view restricted resources for which they are authorised
Meta: @id config_authorised_resources
Given a new browser instance
And the browser is configured to use an intercepting proxy
And the proxy logs are cleared
And the login page
And the username <username>
And the password <password>
When the user logs in
And the proxy logs are cleared
And the HTTP requests and responses are recorded
And they access the restricted resource: <method>
Then the string: <sensitiveData> should be present in one of the HTTP responses
Examples:
tables/authorised.resources.table


Scenario: Users must not be able to view resources for which they are not authorised
Meta: @id access_control_restricted @cwe-639
Given the access control map for authorised users has been populated
And a new browser instance
And the username <username>
And the password <password>
And the login page
When the user logs in
And the previously recorded HTTP Requests for <method> are replayed using the current session ID
Then the string: <sensitiveData> should not be present in any of the HTTP responses
Examples:
tables/unauthorised.resources.table

TestNG
Code Block

// webAppSteps and Constants come from the surrounding test fixture (not shown here);
// the test drives a browser through a recording proxy and inspects the first response.
@Test
public void http_security_headers_should_be_set () {
    webAppSteps.enableLoggingDriver();
    webAppSteps.clearProxy();                       // start from an empty proxy log
    webAppSteps.openBaseSecureUrl();                // GET the HTTPS base URL
    webAppSteps.recordFirstHarEntry();              // keep the first request/response pair
    webAppSteps.checkIfHSTSHeaderIsSet();           // Strict-Transport-Security present
    webAppSteps.checkIfXFrameOptionsHeaderIsSet(Constants.SAMEORIGIN,Constants.DENY);   // either value accepted
    webAppSteps.checkHeaderValue(Constants.XXSSPROTECTION, Constants.XXSSPROTECTION_VALUE);
    webAppSteps.checkThatAccessControlAllowOriginIsNotStar(Constants.STAR);             // no wildcard CORS
    webAppSteps.checkHeaderValue(Constants.XCONTENTTYPEOPTIONS, Constants.NOSNIFF);
}
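The two access-control scenarios above (record the authorised user's requests through a proxy, replay them under another user's session, and look for the sensitive string) and the header test can be driven end to end without a browser. The following is an added example, not code from the workshop repository or from the framework behind the scenarios: a toy HTTP application with a deliberate CWE-639 flaw runs in a thread, the harness records requests as one user, replays them as a second user, and then applies the same five header checks as the TestNG test. All names, the session cookies, the account data and the expected X-XSS-Protection value ("1; mode=block") are constructed assumptions for the example. The `enforce_owner` switch shows the same test passing once the application checks ownership.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data (hypothetical): session cookie -> user, and accounts
# whose IBANs act as the <sensitiveData> strings the scenarios look for.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ACCOUNTS = {
    "1001": {"owner": "alice", "iban": "GB29NWBK60161331926819"},
    "1002": {"owner": "bob", "iban": "GB94BARC10201530093459"},
}


class ToyApp(BaseHTTPRequestHandler):
    """Toy application under test. With enforce_owner=False it only checks that a
    session exists, never that the session's user owns the account (CWE-639)."""

    enforce_owner = False

    def _security_headers(self):
        # The values that check_security_headers() below expects.
        self.send_header("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
        self.send_header("X-Frame-Options", "DENY")
        self.send_header("X-XSS-Protection", "1; mode=block")
        self.send_header("X-Content-Type-Options", "nosniff")

    def do_GET(self):
        raw = self.headers.get("Cookie", "")
        cookies = dict(c.strip().split("=", 1) for c in raw.split(";") if "=" in c)
        user = SESSIONS.get(cookies.get("session"))
        if user is None:
            self.send_response(401)
            self.end_headers()
            return
        acct = ACCOUNTS.get(self.path.rsplit("/", 1)[-1]) if self.path.startswith("/account/") else None
        if acct is None:
            self.send_response(404)
            self.end_headers()
            return
        if ToyApp.enforce_owner and acct["owner"] != user:   # the missing check
            self.send_response(403)
            self.end_headers()
            return
        body = json.dumps(acct).encode()
        self.send_response(200)
        self._security_headers()
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def request(port, method, path, session):
    """One HTTP exchange; returns (status, lower-cased header dict, body text)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers={"Cookie": f"session={session}"})
    resp = conn.getresponse()
    body = resp.read().decode()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers, body


def record_authorised(port, session, resources):
    """Scenario 1: as the authorised user each resource must return its sensitive
    string; every passing request is recorded for later replay."""
    recorded = []
    for method, path, sensitive in resources:
        _, _, body = request(port, method, path, session)
        if sensitive in body:
            recorded.append((method, path, sensitive))
    return recorded


def replay_unauthorised(port, session, recorded):
    """Scenario 2: replay the recorded requests with a different user's session ID.
    Any response still carrying the sensitive string is an access-control failure."""
    return [(m, p) for m, p, s in recorded if s in request(port, m, p, session)[2]]


def check_security_headers(headers):
    """The five checks from the TestNG test, applied to a lower-cased header dict."""
    failures = []
    if "strict-transport-security" not in headers:
        failures.append("HSTS missing")
    if headers.get("x-frame-options") not in ("SAMEORIGIN", "DENY"):
        failures.append("X-Frame-Options not SAMEORIGIN/DENY")
    if headers.get("x-xss-protection") != "1; mode=block":   # assumed expected value
        failures.append("X-XSS-Protection wrong")
    if headers.get("access-control-allow-origin") == "*":
        failures.append("Access-Control-Allow-Origin is *")
    if headers.get("x-content-type-options") != "nosniff":
        failures.append("X-Content-Type-Options not nosniff")
    return failures


def run_checks(enforce_owner=False):
    """Drive both scenarios and the header test against a fresh toy server."""
    ToyApp.enforce_owner = enforce_owner
    srv = HTTPServer(("127.0.0.1", 0), ToyApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        # Inline stand-in for authorised.resources.table (constructed).
        resources = [("GET", "/account/1001", ACCOUNTS["1001"]["iban"])]
        recorded = record_authorised(port, "sess-alice", resources)
        leaks = replay_unauthorised(port, "sess-bob", recorded)
        _, headers, _ = request(port, "GET", "/account/1001", "sess-alice")
        return {"recorded": len(recorded), "leaks": leaks,
                "header_failures": check_security_headers(headers)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("vulnerable app:", run_checks(enforce_owner=False))
    print("fixed app:     ", run_checks(enforce_owner=True))
```

The replay step is the part that catches the bug: the request is byte-for-byte the one the authorised user made, only the session cookie differs, so a 200 carrying Alice's IBAN for Bob's session is an unambiguous failure. Running the check a second time with ownership enforced shows that the recording step still passes (Alice sees her data) while the replay finds nothing, which is what a green build should look like.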