Open nealep opened 4 years ago
I didn't see any XSS attack tests in the test suite. Would it be possible to add such tests?
What is the recommended way to add such tests that would satisfy V-70257? Are there particular test runners? For example, is this something for which a unit test would be insufficient, and a test using Selenium, for example, would be desired instead? Or is something like Rails integration tests good enough (where the tests do not actually execute client-side JavaScript through the browser but may exercise the server API and inspect returned HTML)?
In the same way, for having tests for user input in web forms, I wonder, generally speaking, if we should be itemizing in a systematic fashion all of the possible ways that user input can be provided to the system (through URLs, form submissions, etc.) and then having some type of report on test coverage of that? Obviously it is much easier to do something like that for unit tests: lots of tools provide estimation, and it's easy, if most of the code is refactored into separate functions, to identify which ones have no tests.
They don't really specify an automated test runner. They do say that if automated tests are not available:
"If scan results are not available, perform manual testing in various data entry fields to determine if XSS exist. Navigate through the web application as a regular user and identify any data entry fields where data can be input. Input the following strings:
<img src=x onerror="alert(document.cookie);"
If the script pop up box is displayed, or if scan reports show unremediated XSS results and no mitigating steps have been taken, this is a finding."
They do reference OWASP ZAP in a few places. I believe there's a Github Action for running tests that'll include both XSS and other input validations. This blog has a good rundown I think.
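As an added illustration of the Rails-integration-test approach asked about above (exercise the server, inspect the returned HTML, no browser), here is a small stand-alone Ruby example using the probe string quoted from the STIG check text. It is not code from the Vaulted app; the two ERB "views" and the `render` helper are assumed stand-ins for a real controller response.

```ruby
require "erb"
require "cgi"

# The string the STIG check text tells the assessor to enter into data entry fields.
STIG_PROBE = '<img src=x onerror="alert(document.cookie);"'

# Assumed stand-in views (not from the Vaulted app). The first interpolates the
# raw parameter; the second escapes it the way Rails' <%= %> does by default.
VULNERABLE_VIEW = ERB.new("<p>You searched for: <%= q %></p>")
ESCAPED_VIEW    = ERB.new("<p>You searched for: <%= ERB::Util.html_escape(q) %></p>")

# Plays the role of the server in an integration test: render the page for a
# given query parameter and return the HTML a client would receive.
def render(view, q)
  view.result_with_hash(q: q)
end

# Server-side reflected-XSS check on the response body. Three outcomes:
#   :raw     - the probe came back unescaped (this is a finding)
#   :escaped - the probe came back HTML-escaped (safe for this field)
#   :absent  - the probe was not reflected at all, so the test did not actually
#              reach the output path and cannot vouch for it
def classify_reflection(html, probe = STIG_PROBE)
  return :raw     if html.include?(probe)
  return :escaped if html.include?(CGI.escapeHTML(probe))
  :absent
end

# What a test would assert per input field: require :escaped, so that a field
# the probe never reaches (:absent) does not silently count as covered.
def field_safe?(view)
  classify_reflection(render(view, STIG_PROBE)) == :escaped
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable view: #{classify_reflection(render(VULNERABLE_VIEW, STIG_PROBE))}"
  puts "escaped view:    #{classify_reflection(render(ESCAPED_VIEW, STIG_PROBE))}"
end
```

In a real Rails integration test the `render` call is replaced by a `get`/`post` against the route, with the probe passed as each form or URL parameter, and `classify_reflection(response.body)` asserted to be `:escaped`.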
discussion needed before proceeding, how can this be automated?
Howdy Folks!
I've taken the liberty of reviewing the CAT 1 STIG vulnerabilities in the Vaulted app. Can you verify my findings? When I was going through the list, I made the following assumptions:
My outstanding questions are: