diff --git a/.brightsec/.gitkeep b/.brightsec/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/.brightsec/tests/delete-logout.test.ts b/.brightsec/tests/delete-logout.test.ts new file mode 100644 index 0000000..5a2a927 --- /dev/null +++ b/.brightsec/tests/delete-logout.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /logout', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'http_method_fuzzing', 'xss', 'unvalidated_redirect'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/logout` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-posts-1-json.test.ts b/.brightsec/tests/delete-posts-1-json.test.ts new file mode 100644 index 0000000..b60bed8 --- /dev/null +++ b/.brightsec/tests/delete-posts-1-json.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /posts/1.json', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/posts/1.json`, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-posts-1.test.ts b/.brightsec/tests/delete-posts-1.test.ts new file mode 100644 index 0000000..76b5c34 --- /dev/null +++ b/.brightsec/tests/delete-posts-1.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /posts/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/posts/1`, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-users-1-json.test.ts b/.brightsec/tests/delete-users-1-json.test.ts new file mode 100644 index 0000000..6bfa481 --- /dev/null +++ b/.brightsec/tests/delete-users-1-json.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /users/1.json', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/users/1.json`, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-users-1.test.ts b/.brightsec/tests/delete-users-1.test.ts new file mode 100644 index 0000000..14d834f --- /dev/null +++ b/.brightsec/tests/delete-users-1.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /users/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/users/1`, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-login.test.ts b/.brightsec/tests/get-login.test.ts new file mode 100644 index 0000000..b29482d --- /dev/null +++ b/.brightsec/tests/get-login.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /login', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'sqli', 'unvalidated_redirect', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/login` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-posts-1-edit.test.ts b/.brightsec/tests/get-posts-1-edit.test.ts new file mode 100644 index 0000000..08acb0c --- /dev/null +++ b/.brightsec/tests/get-posts-1-edit.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /posts/1/edit', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/posts/1/edit` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-posts-1-json.test.ts b/.brightsec/tests/get-posts-1-json.test.ts new file mode 100644 index 0000000..1b9405c --- /dev/null +++ b/.brightsec/tests/get-posts-1-json.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /posts/1.json', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/posts/1.json`, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-posts-1.test.ts b/.brightsec/tests/get-posts-1.test.ts new file mode 100644 index 0000000..4b63b44 --- /dev/null +++ b/.brightsec/tests/get-posts-1.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /posts/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/posts/1`, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-posts-json-user-id-1.test.ts b/.brightsec/tests/get-posts-json-user-id-1.test.ts new file mode 100644 index 0000000..1148df9 --- /dev/null +++ b/.brightsec/tests/get-posts-json-user-id-1.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /posts.json?user_id=1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/posts.json?user_id=1` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-posts-new.test.ts b/.brightsec/tests/get-posts-new.test.ts new file mode 100644 index 0000000..772ca72 --- /dev/null +++ b/.brightsec/tests/get-posts-new.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /posts/new', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'bopla'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/posts/new` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-posts-search.test.ts b/.brightsec/tests/get-posts-search.test.ts new file mode 100644 index 0000000..2c98a25 --- /dev/null +++ b/.brightsec/tests/get-posts-search.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /posts/search?search_term=example', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'xss', 'csrf', 'business_constraint_bypass'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/posts/search?search_term=example` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-posts-user-id-1.test.ts b/.brightsec/tests/get-posts-user-id-1.test.ts new file mode 100644 index 0000000..619dbfa --- /dev/null +++ b/.brightsec/tests/get-posts-user-id-1.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /posts?user_id=1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'sqli', 'id_enumeration', 'csrf', 'xss'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/posts?user_id=1`, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-users-1-edit.test.ts b/.brightsec/tests/get-users-1-edit.test.ts new file mode 100644 index 0000000..9b5d770 --- /dev/null +++ b/.brightsec/tests/get-users-1-edit.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /users/1/edit', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/users/1/edit` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-users-1-json.test.ts b/.brightsec/tests/get-users-1-json.test.ts new file mode 100644 index 0000000..7768467 --- /dev/null +++ b/.brightsec/tests/get-users-1-json.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /users/1.json', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/users/1.json` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-users-1-posts.test.ts b/.brightsec/tests/get-users-1-posts.test.ts new file mode 100644 index 0000000..284a09e --- /dev/null +++ b/.brightsec/tests/get-users-1-posts.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /users/1/posts', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'sqli', 'id_enumeration', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/users/1/posts` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-users-1.test.ts b/.brightsec/tests/get-users-1.test.ts new file mode 100644 index 0000000..b3d5c8d --- /dev/null +++ b/.brightsec/tests/get-users-1.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /users/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/users/1` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-users-json.test.ts b/.brightsec/tests/get-users-json.test.ts new file mode 100644 index 0000000..8d96c7c --- /dev/null +++ b/.brightsec/tests/get-users-json.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /users.json', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'business_constraint_bypass', 'xss', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/users.json` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-users-new.test.ts b/.brightsec/tests/get-users-new.test.ts new file mode 100644 index 0000000..653e4cc --- /dev/null +++ b/.brightsec/tests/get-users-new.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /users/new', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'html_injection'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/users/new` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-users.test.ts b/.brightsec/tests/get-users.test.ts new file mode 100644 index 0000000..eb3018c --- /dev/null +++ b/.brightsec/tests/get-users.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /users', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'id_enumeration', 'business_constraint_bypass', 'xss', 'sqli'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/users` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/patch-posts-1.test.ts b/.brightsec/tests/patch-posts-1.test.ts new file mode 100644 index 0000000..3845901 --- /dev/null +++ b/.brightsec/tests/patch-posts-1.test.ts @@ -0,0 +1,45 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PATCH /posts/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PATCH, + url: `${baseUrl}/posts/1`, + body: { + title: 'Updated Title', + content: 'Updated content of the post.', + public: true + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/patch-users-1-json.test.ts b/.brightsec/tests/patch-users-1-json.test.ts new file mode 100644 index 0000000..9a2243f --- /dev/null +++ b/.brightsec/tests/patch-users-1-json.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PATCH /users/1.json', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'sqli', 'xss', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PATCH, + url: `${baseUrl}/users/1.json`, + body: { + user: { + email: 'newemail@example.com', + password: 'newpassword', + password_digest: 'newpassworddigest', + admin: false + } + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/patch-users-1.test.ts b/.brightsec/tests/patch-users-1.test.ts new file mode 100644 index 0000000..d60af6e --- /dev/null +++ b/.brightsec/tests/patch-users-1.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PATCH /users/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'sqli', 'xss', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PATCH, + url: `${baseUrl}/users/1`, + body: { + user: { + email: 'example@example.com', + password: 'securepassword', + password_digest: 'digestvalue', + admin: false + } + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/patch-users-123.test.ts b/.brightsec/tests/patch-users-123.test.ts new file mode 100644 index 0000000..064642a --- /dev/null +++ b/.brightsec/tests/patch-users-123.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PATCH /users/123', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'sqli', 'xss', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PATCH, + url: `${baseUrl}/users/123`, + body: { + email: 'user@example.com', + password: 'securepassword', + password_digest: '$2a$12$KIXQ1Y1rZ1u1', + admin: false + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-login.test.ts b/.brightsec/tests/post-login.test.ts new file mode 100644 index 0000000..f050385 --- /dev/null +++ b/.brightsec/tests/post-login.test.ts @@ -0,0 +1,44 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /login', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'sqli', 'xss', 'unvalidated_redirect', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/login`, + body: { + email: 'user@example.com', + password: 'securepassword' + }, + headers: { 'Content-Type': 'application/x-www-form-urlencoded' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-posts-json.test.ts b/.brightsec/tests/post-posts-json.test.ts new file mode 100644 index 0000000..414ffc6 --- /dev/null +++ b/.brightsec/tests/post-posts-json.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /posts.json', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'sqli', 'xss', 'bopla'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/posts.json`, + body: { + post: { + title: 'Sample Title', + content: 'This is a sample post content.', + public: true + } + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-users-1-posts.test.ts b/.brightsec/tests/post-users-1-posts.test.ts new file mode 100644 index 0000000..161bba1 --- /dev/null +++ b/.brightsec/tests/post-users-1-posts.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /users/1/posts', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'sqli', 'bopla', 'xss', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/users/1/posts`, + body: { + post: { + title: 'Sample Title', + content: 'This is a sample post content.', + public: true + } + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-users-123-posts.test.ts b/.brightsec/tests/post-users-123-posts.test.ts new file mode 100644 index 0000000..59b332c --- /dev/null +++ b/.brightsec/tests/post-users-123-posts.test.ts @@ -0,0 +1,45 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /users/123/posts', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'sqli', 'xss', 'bopla', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/users/123/posts`, + body: { + title: 'Sample Post Title', + content: 'This is a sample post content.', + public: true + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-users-json.test.ts b/.brightsec/tests/post-users-json.test.ts new file mode 100644 index 0000000..59be2e4 --- /dev/null +++ b/.brightsec/tests/post-users-json.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /users.json', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'sqli', 'xss', 'email_injection'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/users.json`, + body: { + user: { + email: 'example@example.com', + password: 'password123', + password_digest: '$2a$12$KIXQ1Y1rZ1u1J1u1J1u1J.1J1u1J1u1J1u1J1u1J1u1J1u1J1u1J1u', + admin: false + } + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-users.test.ts b/.brightsec/tests/post-users.test.ts new file mode 100644 index 0000000..1384a74 --- /dev/null +++ b/.brightsec/tests/post-users.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /users', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'sqli', 'xss', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/users`, + body: { + user: { + email: 'example@example.com', + password: 'password123', + password_digest: '$2a$12$KIXQ1Y1rZ1u1', + admin: false + } + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-posts-1-json.test.ts b/.brightsec/tests/put-posts-1-json.test.ts new file mode 100644 index 0000000..c7ec67c --- /dev/null +++ b/.brightsec/tests/put-posts-1-json.test.ts @@ -0,0 +1,45 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /posts/1.json', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'sqli', 'xss', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/posts/1.json`, + body: { + title: 'Sample Title', + content: 'Sample content for the post.', + public: true + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-posts-1.test.ts b/.brightsec/tests/put-posts-1.test.ts new file mode 100644 index 0000000..5443a3d --- /dev/null +++ b/.brightsec/tests/put-posts-1.test.ts @@ -0,0 +1,45 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /posts/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'sqli', 'xss', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/posts/1`, + body: { + title: 'Updated Post Title', + content: 'Updated content of the post.', + public: true + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-users-1-json.test.ts b/.brightsec/tests/put-users-1-json.test.ts new file mode 100644 index 0000000..c4d7af8 --- /dev/null +++ b/.brightsec/tests/put-users-1-json.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /users/1.json', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/users/1.json`, + body: { + user: { + email: 'example@example.com', + password: 'securepassword', + password_digest: '$2a$12$KIXQ1Y1l1F1', + admin: false + } + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-users-1.test.ts b/.brightsec/tests/put-users-1.test.ts new file mode 100644 index 0000000..f24af0d --- /dev/null +++ b/.brightsec/tests/put-users-1.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /users/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/users/1`, + body: { + email: 'user@example.com', + password: 'securepassword', + password_digest: '$2a$12$KIXQ1Y1l1F1', + admin: false + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-users-123.test.ts b/.brightsec/tests/put-users-123.test.ts new file mode 100644 index 0000000..f4a76e6 --- /dev/null +++ b/.brightsec/tests/put-users-123.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /users/123', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'NeuraLegion/ruby-example-app:master', + databases: ['PostgreSQL'], + user_roles: ['admin'] + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/users/123`, + body: { + email: 'user@example.com', + password: 'securepassword', + password_digest: '$2a$12$KIXQ1Y1I1F1', + admin: false + }, + headers: { 'Content-Type': 'application/json' } + }); +}); \ No newline at end of file diff --git a/.github/workflows/bright.yml b/.github/workflows/bright.yml new file mode 100644 index 0000000..74f123f --- /dev/null +++ b/.github/workflows/bright.yml @@ -0,0 +1,71 @@ +name: Bright + +on: + pull_request: + branches: + - '**' + +permissions: + checks: write + contents: read + id-token: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: '2.2' # Based on Rails 4.2.4 compatibility + + - name: Install dependencies + run: | + bundle install + + - name: Set up database + run: | + rake db:create + rake db:migrate + rake db:seed + + - name: Start application + env: + secret_key_base: secret + run: | + rails server & + + - name: Wait for application to be ready + run: | + for i in {1..30}; do curl -sS -o /dev/null http://127.0.0.1:3000 && exit 0 || sleep 5; done; exit 1 + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: '22.x' + + - name: Install SecTesterJS dependencies + run: | + npm i --save=false --prefix .brightsec @sectester/core@0.49.0 @sectester/repeater@0.49.0 @sectester/scan@0.49.0 @sectester/runner@0.49.0 @sectester/reporter@0.49.0 + + - name: Authenticate with Bright + uses: ./.github/workflows/composite/configure-bright-credentials + with: + BRIGHT_HOSTNAME: development.playground.brightsec.com + BRIGHT_PROJECT_ID: q7zsm7K4EQKmJHbmRUFnTH + BRIGHT_TOKEN: ${{ secrets.BRIGHT_TOKEN }} + + - name: Run security tests + env: + BRIGHT_HOSTNAME: development.playground.brightsec.com + BRIGHT_PROJECT_ID: q7zsm7K4EQKmJHbmRUFnTH + BRIGHT_AUTH_ID: ${{ vars.BRIGHT_AUTH_ID }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BRIGHT_TOKEN: ${{ env.BRIGHT_TOKEN }} + BRIGHT_TARGET_URL: http://127.0.0.1:3000 + SECTESTER_SCAN_POOL_SIZE: ${{ vars.SECTESTER_SCAN_POOL_SIZE }} + run: | + node --experimental-transform-types --experimental-strip-types --experimental-detect-module --disable-warning=MODULE_TYPELESS_PACKAGE_JSON --disable-warning=ExperimentalWarning --test-force-exit --test-concurrency=4 --test .brightsec/tests/*.test.ts diff --git a/.github/workflows/composite/configure-bright-credentials/action.yaml b/.github/workflows/composite/configure-bright-credentials/action.yaml new file mode 100644 index 0000000..8498384 --- /dev/null +++ b/.github/workflows/composite/configure-bright-credentials/action.yaml @@ -0,0 +1,53 @@ +name: 'Configure BrightSec credentials' + +inputs: + BRIGHT_HOSTNAME: + description: 'Hostname for the BrightSec environment' + required: true + BRIGHT_PROJECT_ID: + description: 'Project ID for BrightSec' + required: true + BRIGHT_TOKEN: + description: 'Pre-configured token' + required: false + +runs: + using: 'composite' + steps: + - id: configure_env_from_input + name: 'Set existing token in env' + shell: bash + if: ${{ inputs.BRIGHT_TOKEN != '' }} + env: + BRIGHT_TOKEN: ${{ inputs.BRIGHT_TOKEN }} + run: | + echo "BRIGHT_TOKEN=${BRIGHT_TOKEN}" >> $GITHUB_ENV + + - id: configure_bright_credentials_through_oidc + name: 'Exchange OIDC credentials for Bright token' + shell: bash + if: ${{ inputs.BRIGHT_TOKEN == '' }} + env: + BRIGHT_HOSTNAME: ${{ inputs.BRIGHT_HOSTNAME }} + BRIGHT_PROJECT_ID: ${{ inputs.BRIGHT_PROJECT_ID }} + run: | + # Retrieve OIDC token from GitHub + OIDC_TOKEN=$(curl -sS -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ + "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value') + + # Post the token to BrightSec + RESPONSE=$(curl -s -X POST "https://${BRIGHT_HOSTNAME}/api/v1/projects/${BRIGHT_PROJECT_ID}/api-keys/oidc" \ + -H "Content-Type: application/json" \ + -d "{\"token\": \"${OIDC_TOKEN}\"}") + + if ! echo "$RESPONSE" | jq -e . > /dev/null 2>&1; then + echo "Error: $RESPONSE" 1>&2 + exit 1 + fi + + # Extract the pureKey + PURE_KEY=$(echo "$RESPONSE" | jq -r '.pureKey') + + # Mask and store in environment + echo "::add-mask::$PURE_KEY" + echo "BRIGHT_TOKEN=$PURE_KEY" >> $GITHUB_ENV