The following example shows how to build abuse case testing, from the user and abuser cases through to the TestNG test suite:
https://github.com/bruntonspall/security-workshop
Some of the items that should be tested:
...
```gherkin
Scenario: Users can view restricted resources for which they are authorised
Meta: @id config_authorised_resources
Given a new browser instance
And the browser is configured to use an intercepting proxy
And the proxy logs are cleared
And the login page
And the username <username>
And the password <password>
When the user logs in
And the proxy logs are cleared
And the HTTP requests and responses are recorded
And they access the restricted resource: <method>
Then the string: <sensitiveData> should be present in one of the HTTP responses
Examples:
tables/authorised.resources.table

Scenario: Users must not be able to view resources for which they are not authorised
Meta: @id access_control_restricted @cwe-639
Given the access control map for authorised users has been populated
And a new browser instance
And the username <username>
And the password <password>
And the login page
When the user logs in
And the previously recorded HTTP Requests for <method> are replayed using the current session ID
Then the string: <sensitiveData> should not be present in any of the HTTP responses
Examples:
tables/unauthorised.resources.table
```
TestNG
```java
@Test
public void http_security_headers_should_be_set() {
    webAppSteps.enableLoggingDriver();     // route browser traffic through the logging proxy
    webAppSteps.clearProxy();              // drop any previously captured entries
    webAppSteps.openBaseSecureUrl();       // request the application's HTTPS base URL
    webAppSteps.recordFirstHarEntry();     // keep the first request/response pair for inspection
    webAppSteps.checkIfHSTSHeaderIsSet();  // Strict-Transport-Security must be present
    webAppSteps.checkIfXFrameOptionsHeaderIsSet(Constants.SAMEORIGIN, Constants.DENY); // clickjacking defence
    webAppSteps.checkHeaderValue(Constants.XXSSPROTECTION, Constants.XXSSPROTECTION_VALUE);
    webAppSteps.checkThatAccessControlAllowOriginIsNotStar(Constants.STAR); // no wildcard CORS origin
    webAppSteps.checkHeaderValue(Constants.XCONTENTTYPEOPTIONS, Constants.NOSNIFF); // no MIME sniffing
}
```
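The checks the TestNG steps above perform, as an added Python example that is not code from the linked workshop or from BDD-Security: it evaluates a response's headers against the same requirements (HSTS set, X-Frame-Options DENY or SAMEORIGIN, the X-XSS-Protection value, no wildcard Access-Control-Allow-Origin, X-Content-Type-Options nosniff) over constructed sample responses. The expected X-XSS-Protection value and the HSTS max-age threshold are assumptions, since the page does not show the Constants class, and the max-age check goes beyond the original "is set" check.

```python
# Added example mirroring the TestNG checks above; not workshop or BDD-Security code.
import re

ALLOWED_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}
EXPECTED_XSS_PROTECTION = "1; mode=block"  # assumed; Constants class is not on the page
MIN_HSTS_MAX_AGE = 31536000  # one year; stricter than the original "is set" check

def get_header(headers, name):
    """Case-insensitive lookup, because HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None

def check_security_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age below {MIN_HSTS_MAX_AGE}: {hsts!r}")
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is None or xfo.upper() not in ALLOWED_FRAME_OPTIONS:
        findings.append(f"X-Frame-Options not DENY/SAMEORIGIN: {xfo!r}")
    if get_header(headers, "X-XSS-Protection") != EXPECTED_XSS_PROTECTION:
        findings.append(f"X-XSS-Protection is not {EXPECTED_XSS_PROTECTION!r}")
    if get_header(headers, "Access-Control-Allow-Origin") == "*":
        findings.append("Access-Control-Allow-Origin is the wildcard '*'")
    xcto = get_header(headers, "X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is not 'nosniff': {xcto!r}")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "sameorigin",  # lower case on purpose: lookup is case-insensitive
    "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "https://app.example",
}
WEAK_HEADERS = {"X-Frame-Options": "ALLOWALL", "Access-Control-Allow-Origin": "*",
                "X-XSS-Protection": "0"}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, check_security_headers(hdrs) or "all checks passed")
```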