From 924d4115a814e510abc546b37aef948244410960 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Wed, 25 Jun 2025 14:30:09 +0400 Subject: [PATCH 01/12] chore: initialize PR with an empty commit skip-checks:true From 4c8498f22222652a49c490e0f1ea4ccf6acf3817 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Wed, 25 Jun 2025 15:18:02 +0400 Subject: [PATCH 02/12] ci: temporarily disable workflows while addressing security issues skip-checks:true --- .github/workflows/ci.yml | 64 ++++++++------------- .github/workflows/codeql-analysis.yml | 37 ++++++------ .github/workflows/lint-fixer.yml | 47 +++++++-------- .github/workflows/rebase.yml | 7 ++- .github/workflows/release.yml | 9 ++- .github/workflows/update-challenges-www.yml | 52 ++++++++--------- .github/workflows/update-news-www.yml | 44 +++++++------- 7 files changed, 125 insertions(+), 135 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f51f1d9..c712655 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,22 +1,25 @@ name: "CI/CD Pipeline" on: - push: - branches-ignore: - - l10n_develop - - gh-pages - paths-ignore: - - '*.md' - - 'LICENSE' - - 'monitoring/grafana-dashboard.json' - - 'screenshots/**' - tags-ignore: - - '*' - pull_request: - paths-ignore: - - '*.md' - - 'LICENSE' - - 'data/static/i18n/*.json' - - 'frontend/src/assets/i18n/*.json' + workflow_dispatch: +# on: +# push: +# branches-ignore: +# - l10n_develop +# - gh-pages +# paths-ignore: +# - '*.md' +# - 'LICENSE' +# - 'monitoring/grafana-dashboard.json' +# - 'screenshots/**' +# tags-ignore: +# - '*' +# pull_request: +# paths-ignore: +# - '*.md' +# - 'LICENSE' +# - 'data/static/i18n/*.json' +# - 'frontend/src/assets/i18n/*.json' + env: NODE_DEFAULT_VERSION: 22 NODE_OPTIONS: "--max_old_space_size=4096" @@ -40,18 +43,8 @@ jobs: run: npm run lint - name: "Lint customization configs" run: > - npm run lint:config -- -f ./config/7ms.yml && - npm run lint:config -- -f ./config/addo.yml && - npm run lint:config -- -f ./config/bodgeit.yml && - npm run lint:config -- -f ./config/ctf.yml && - npm run lint:config -- -f ./config/default.yml && - npm run lint:config -- -f ./config/fbctf.yml && - npm run lint:config -- -f ./config/juicebox.yml && - npm run lint:config -- -f ./config/mozilla.yml && - npm run lint:config -- -f ./config/oss.yml && - npm run lint:config -- -f ./config/quiet.yml && - npm run lint:config -- -f ./config/tutorial.yml && - npm run lint:config -- -f ./config/unsafe.yml + npm run lint:config -- -f ./config/7ms.yml && npm run lint:config -- -f ./config/addo.yml && npm run lint:config -- -f ./config/bodgeit.yml && npm run lint:config -- -f ./config/ctf.yml && npm run lint:config -- -f ./config/default.yml && npm run lint:config -- -f ./config/fbctf.yml && npm run lint:config -- -f ./config/juicebox.yml && npm run lint:config -- -f ./config/mozilla.yml && npm run lint:config -- -f ./config/oss.yml && npm run lint:config -- -f ./config/quiet.yml && npm run lint:config -- -f ./config/tutorial.yml && npm run lint:config -- -f ./config/unsafe.yml + coding-challenge-rsn: runs-on: windows-latest steps: @@ -184,17 +177,8 @@ jobs: timeout_minutes: 30 max_attempts: 3 command: > - NODE_ENV=7ms npm run test:server && - NODE_ENV=addo npm run test:server && - NODE_ENV=bodgeit npm run test:server && - NODE_ENV=ctf npm run test:server && - NODE_ENV=fbctf npm run test:server && - NODE_ENV=juicebox npm run test:server && - NODE_ENV=mozilla npm run test:server && - NODE_ENV=oss npm run test:server && - NODE_ENV=quiet npm run test:server && - NODE_ENV=tutorial npm run test:server && - NODE_ENV=unsafe npm run test:server + NODE_ENV=7ms npm run test:server && NODE_ENV=addo npm run test:server && NODE_ENV=bodgeit npm run test:server && NODE_ENV=ctf npm run test:server && NODE_ENV=fbctf npm run test:server && NODE_ENV=juicebox npm run test:server && NODE_ENV=mozilla npm run test:server && NODE_ENV=oss npm run test:server && NODE_ENV=quiet npm run test:server && NODE_ENV=tutorial npm run test:server && NODE_ENV=unsafe npm run test:server + e2e: runs-on: ${{ matrix.os }} strategy: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index fe353eb..df6c22c 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,8 +1,9 @@ name: "CodeQL Scan" - on: - push: - pull_request: + workflow_dispatch: +# on: +# push: +# pull_request: jobs: analyze: @@ -15,19 +16,19 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'javascript-typescript' ] + language: ['javascript-typescript'] steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - queries: security-extended - config: | - paths-ignore: - - 'data/static/codefixes' - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + queries: security-extended + config: | + paths-ignore: + - 'data/static/codefixes' + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/lint-fixer.yml b/.github/workflows/lint-fixer.yml index 907f841..73a6204 100644 --- a/.github/workflows/lint-fixer.yml +++ b/.github/workflows/lint-fixer.yml @@ -1,29 +1,30 @@ name: "Let me lint:fix that for you" - -on: [push] +on: + workflow_dispatch: +# on: [push] jobs: LMLFTFY: runs-on: ubuntu-latest steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Use Node.js 22" - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version: 22 - - name: "Install application" - run: | - npm install --ignore-scripts - cd frontend - npm install --ignore-scripts --legacy-peer-deps - - name: "Fix everything which can be fixed" - run: 'npm run lint:fix' - - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1 - with: - commit_message: "Auto-fix linting issues" - branch: ${{ github.head_ref }} - commit_options: '--signoff' - commit_user_name: JuiceShopBot - commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com - commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> + - name: "Check out Git repository" + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + - name: "Use Node.js 22" + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 + with: + node-version: 22 + - name: "Install application" + run: | + npm install --ignore-scripts + cd frontend + npm install --ignore-scripts --legacy-peer-deps + - name: "Fix everything which can be fixed" + run: 'npm run lint:fix' + - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1 + with: + commit_message: "Auto-fix linting issues" + branch: ${{ github.head_ref }} + commit_options: '--signoff' + commit_user_name: JuiceShopBot + commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com + commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml index f999d22..d2dea74 100644 --- a/.github/workflows/rebase.yml +++ b/.github/workflows/rebase.yml @@ -1,8 +1,9 @@ name: Automatic Rebase - on: - issue_comment: - types: [created] + workflow_dispatch: +# on: +# issue_comment: +# types: [created] jobs: rebase: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5d01008..f66688e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,8 +1,11 @@ name: "Release Pipeline" on: - push: - tags: - - v* + workflow_dispatch: +# on: +# push: +# tags: +# - v* + env: CYCLONEDX_NPM_VERSION: '^2.0.0||^3.0.0' jobs: diff --git a/.github/workflows/update-challenges-www.yml b/.github/workflows/update-challenges-www.yml index caaa740..53223ac 100644 --- a/.github/workflows/update-challenges-www.yml +++ b/.github/workflows/update-challenges-www.yml @@ -1,34 +1,34 @@ name: "Update challenges on owasp-juice.shop" - on: - push: - branches: [ master ] - paths: - - 'data/static/challenges.yml' + workflow_dispatch: +# on: +# push: +# branches: [master] +# paths: +# - 'data/static/challenges.yml' jobs: UpdateChallengesOnWebsite: if: github.repository == 'juice-shop/juice-shop' runs-on: ubuntu-latest steps: - - name: Check out Git repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - with: - token: ${{ secrets.BOT_TOKEN }} - repository: OWASP/www-project-juice-shop - ref: master - - name: Update challenges.yml - run: | - cd _data/ - rm challenges.yml - wget https://raw.githubusercontent.com/juice-shop/juice-shop/master/data/static/challenges.yml - - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1 - with: - commit_message: "Auto-update challenges.yml from ${{ github.sha }}" - branch: master - commit_options: '--signoff' - - # Optional commit user and author settings - commit_user_name: JuiceShopBot - commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com - commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> + - name: Check out Git repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + token: ${{ secrets.BOT_TOKEN }} + repository: OWASP/www-project-juice-shop + ref: master + - name: Update challenges.yml + run: | + cd _data/ + rm challenges.yml + wget https://raw.githubusercontent.com/juice-shop/juice-shop/master/data/static/challenges.yml + - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1 + with: + commit_message: "Auto-update challenges.yml from ${{ github.sha }}" + branch: master + commit_options: '--signoff' + # Optional commit user and author settings + commit_user_name: JuiceShopBot + commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com + commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> diff --git a/.github/workflows/update-news-www.yml b/.github/workflows/update-news-www.yml index 2675746..3c04b17 100644 --- a/.github/workflows/update-news-www.yml +++ b/.github/workflows/update-news-www.yml @@ -1,29 +1,29 @@ name: "Update news on owasp-juice.shop" - on: - release: - types: [ published ] + workflow_dispatch: +# on: +# release: +# types: [published] jobs: UpdateNewsOnWebsite: runs-on: ubuntu-latest steps: - - name: Check out Git repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - with: - token: ${{ secrets.BOT_TOKEN }} - repository: OWASP/www-project-juice-shop - branch: master - - name: Update tab_news.md - run: | - sed -i 's//\n* ${{ github.event.release.published_at }}: juice-shop [`${{ github.event.release.tag_name }}`](https:\/\/github.com\/juice-shop\/juice-shop\/releases\/tag\/${{ github.event.release.tag_name }})/' tab_news.md - - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1 - with: - commit_message: "Add juice-shop ${{ github.event.release.tag_name }} release notes to tab_news.md" - branch: master - commit_options: '--signoff' - - # Optional commit user and author settings - commit_user_name: JuiceShopBot - commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com - commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> + - name: Check out Git repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + token: ${{ secrets.BOT_TOKEN }} + repository: OWASP/www-project-juice-shop + branch: master + - name: Update tab_news.md + run: | + sed -i 's//\n* ${{ github.event.release.published_at }}: juice-shop [`${{ github.event.release.tag_name }}`](https:\/\/github.com\/juice-shop\/juice-shop\/releases\/tag\/${{ github.event.release.tag_name }})/' tab_news.md + - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1 + with: + commit_message: "Add juice-shop ${{ github.event.release.tag_name }} release notes to tab_news.md" + branch: master + commit_options: '--signoff' + # Optional commit user and author settings + commit_user_name: JuiceShopBot + commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com + commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> From eed145ed21e84aeede89613895cab566ea38b653 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Wed, 25 Jun 2025 15:44:41 +0400 Subject: [PATCH 03/12] test: add auto-generated e2e security tests skip-checks:true --- .../tests/delete-api-addresss-1.test.ts | 34 ++++++++++++ .brightsec/tests/delete-api-cards-1.test.ts | 35 ++++++++++++ .../tests/delete-api-products-1.test.ts | 34 ++++++++++++ .../tests/delete-api-quantitys-1.test.ts | 35 ++++++++++++ .../tests/delete-api-recycles-1.test.ts | 35 ++++++++++++ .brightsec/tests/delete-api-users-123.test.ts | 34 ++++++++++++ .brightsec/tests/get-api-addresses-1.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-addresses.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-addresss-1.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-addresss.test.ts | 35 ++++++++++++ .../tests/get-api-basketitems-1.test.ts | 34 ++++++++++++ .brightsec/tests/get-api-basketitems.test.ts | 34 ++++++++++++ .brightsec/tests/get-api-cards-1.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-cards.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-challenges-1.test.ts | 34 ++++++++++++ .brightsec/tests/get-api-challenges.test.ts | 34 ++++++++++++ .brightsec/tests/get-api-complaints-1.test.ts | 34 ++++++++++++ .brightsec/tests/get-api-complaints.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-deliverys-1.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-deliverys.test.ts | 34 ++++++++++++ .brightsec/tests/get-api-docs.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-feedbacks-1.test.ts | 34 ++++++++++++ .brightsec/tests/get-api-feedbacks.test.ts | 34 ++++++++++++ .../tests/get-api-privacy-requests-1.test.ts | 34 ++++++++++++ .../tests/get-api-privacy-requests.test.ts | 34 ++++++++++++ .brightsec/tests/get-api-products-1.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-products.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-quantitys-1.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-quantitys.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-recycles-1.test.ts | 34 ++++++++++++ .brightsec/tests/get-api-recycles.test.ts | 34 ++++++++++++ .../tests/get-api-securityanswers-1.test.ts | 35 ++++++++++++ .../tests/get-api-securityanswers.test.ts | 34 ++++++++++++ .../tests/get-api-securityquestions-1.test.ts | 34 ++++++++++++ .../tests/get-api-securityquestions.test.ts | 35 ++++++++++++ .brightsec/tests/get-api-users-1.test.ts | 34 ++++++++++++ .brightsec/tests/get-api-users.test.ts | 35 ++++++++++++ .brightsec/tests/get-assets-i18n.test.ts | 35 ++++++++++++ .../get-assets-public-images-padding.test.ts | 34 ++++++++++++ .../get-assets-public-images-products.test.ts | 35 ++++++++++++ .../get-assets-public-images-uploads.test.ts | 35 ++++++++++++ .brightsec/tests/get-b2b-v2-orders.test.ts | 35 ++++++++++++ .brightsec/tests/get-dataerasure.test.ts | 35 ++++++++++++ .../get-encryptionkeys-samplefile.test.ts | 34 ++++++++++++ .../get-ftp-quarantine-samplefile-txt.test.ts | 34 ++++++++++++ .brightsec/tests/get-ftp-sample-md.test.ts | 35 ++++++++++++ .../tests/get-ftp-samplefile-md.test.ts | 35 ++++++++++++ .brightsec/tests/get-metrics.test.ts | 35 ++++++++++++ .brightsec/tests/get-profile.test.ts | 35 ++++++++++++ .brightsec/tests/get-promotion.test.ts | 35 ++++++++++++ .brightsec/tests/get-redirect.test.ts | 35 ++++++++++++ .brightsec/tests/get-rest-2fa-status.test.ts | 35 ++++++++++++ ...st-admin-application-configuration.test.ts | 34 ++++++++++++ ...get-rest-admin-application-version.test.ts | 34 ++++++++++++ .../tests/get-rest-basket-1-order.test.ts | 35 ++++++++++++ .brightsec/tests/get-rest-basket-1.test.ts | 34 ++++++++++++ .brightsec/tests/get-rest-captcha.test.ts | 34 ++++++++++++ .../tests/get-rest-chatbot-status.test.ts | 35 ++++++++++++ .../get-rest-continue-code-findit.test.ts | 35 ++++++++++++ .../get-rest-continue-code-fixit.test.ts | 35 ++++++++++++ .../tests/get-rest-continue-code.test.ts | 35 ++++++++++++ .../tests/get-rest-country-mapping.test.ts | 53 +++++++++++++++++++ .../tests/get-rest-deluxe-membership.test.ts | 35 ++++++++++++ .../tests/get-rest-image-captcha.test.ts | 35 ++++++++++++ .brightsec/tests/get-rest-languages.test.ts | 35 ++++++++++++ .brightsec/tests/get-rest-memories.test.ts | 34 ++++++++++++ .../get-rest-order-history-orders.test.ts | 35 ++++++++++++ .../tests/get-rest-order-history.test.ts | 35 ++++++++++++ .../get-rest-products-123-reviews.test.ts | 34 ++++++++++++ .../tests/get-rest-products-search.test.ts | 35 ++++++++++++ .../get-rest-repeat-notification.test.ts | 35 ++++++++++++ .../tests/get-rest-save-login-ip.test.ts | 35 ++++++++++++ .../tests/get-rest-track-order-12345.test.ts | 35 ++++++++++++ ...t-rest-user-authentication-details.test.ts | 35 ++++++++++++ .../get-rest-user-change-password.test.ts | 35 ++++++++++++ .../get-rest-user-security-question.test.ts | 35 ++++++++++++ .brightsec/tests/get-rest-user-whoami.test.ts | 35 ++++++++++++ .../tests/get-rest-wallet-balance.test.ts | 35 ++++++++++++ .../tests/get-rest-web3-nftmintlisten.test.ts | 35 ++++++++++++ .../tests/get-rest-web3-nftunlocked.test.ts | 35 ++++++++++++ .brightsec/tests/get-security-txt.test.ts | 35 ++++++++++++ .brightsec/tests/get-snippets-123.test.ts | 35 ++++++++++++ .../get-snippets-fixes-samplekey.test.ts | 34 ++++++++++++ .../get-solve-challenges-server-side.test.ts | 35 ++++++++++++ .../tests/get-support-logs-access-log.test.ts | 35 ++++++++++++ .brightsec/tests/get-support-logs.test.ts | 40 ++++++++++++++ ...n-easter-egg-within-the-easter-egg.test.ts | 34 ++++++++++++ ...-be-unlocked-by-sending-1btc-to-us.test.ts | 34 ++++++++++++ .brightsec/tests/get-video.test.ts | 34 ++++++++++++ ...easonably-necessary-responsibility.test.ts | 34 ++++++++++++ .../tests/get-well-known-security-txt.test.ts | 35 ++++++++++++ .brightsec/tests/get-well-known.test.ts | 35 ++++++++++++ .brightsec/tests/options-example-com.test.ts | 35 ++++++++++++ .../tests/patch-rest-products-reviews.test.ts | 39 ++++++++++++++ .brightsec/tests/post-api-addresss.test.ts | 45 ++++++++++++++++ .../tests/post-api-basket-items.test.ts | 40 ++++++++++++++ .brightsec/tests/post-api-cards.test.ts | 43 +++++++++++++++ .brightsec/tests/post-api-challenges.test.ts | 38 +++++++++++++ .brightsec/tests/post-api-complaints.test.ts | 40 ++++++++++++++ .brightsec/tests/post-api-feedbacks.test.ts | 40 ++++++++++++++ .../tests/post-api-privacy-requests.test.ts | 39 ++++++++++++++ .brightsec/tests/post-api-products.test.ts | 42 +++++++++++++++ .brightsec/tests/post-api-quantitys.test.ts | 39 ++++++++++++++ .brightsec/tests/post-api-recycles.test.ts | 42 +++++++++++++++ .../tests/post-api-security-questions.test.ts | 38 +++++++++++++ .brightsec/tests/post-api-users.test.ts | 40 ++++++++++++++ .brightsec/tests/post-b2b-v2-orders.test.ts | 39 ++++++++++++++ .brightsec/tests/post-dataerasure.test.ts | 39 ++++++++++++++ .brightsec/tests/post-file-upload.test.ts | 40 ++++++++++++++ .../tests/post-profile-image-file.test.ts | 38 +++++++++++++ .../tests/post-profile-image-url.test.ts | 38 +++++++++++++ .brightsec/tests/post-profile.test.ts | 38 +++++++++++++ .../tests/post-rest-2fa-disable.test.ts | 38 +++++++++++++ .brightsec/tests/post-rest-2fa-setup.test.ts | 40 ++++++++++++++ .brightsec/tests/post-rest-2fa-verify.test.ts | 39 ++++++++++++++ .../tests/post-rest-basket-1-checkout.test.ts | 43 +++++++++++++++ .../tests/post-rest-chatbot-respond.test.ts | 42 +++++++++++++++ .../tests/post-rest-deluxe-membership.test.ts | 40 ++++++++++++++ .brightsec/tests/post-rest-memories.test.ts | 40 ++++++++++++++ .../post-rest-products-123-reviews.test.ts | 42 +++++++++++++++ .../tests/post-rest-user-data-export.test.ts | 38 +++++++++++++ .brightsec/tests/post-rest-user-login.test.ts | 39 ++++++++++++++ .../post-rest-user-reset-password.test.ts | 41 ++++++++++++++ .../tests/post-rest-web3-submitkey.test.ts | 38 +++++++++++++ ...t-rest-web3-wallet-exploit-address.test.ts | 38 +++++++++++++ .../post-rest-web3-walletnftverify.test.ts | 38 +++++++++++++ .brightsec/tests/post-snippets-fixes.test.ts | 39 ++++++++++++++ .../tests/post-snippets-verdict.test.ts | 39 ++++++++++++++ .brightsec/tests/put-api-addresss-1.test.ts | 44 +++++++++++++++ .../tests/put-api-basket-items-1.test.ts | 40 ++++++++++++++ .brightsec/tests/put-api-cards-1.test.ts | 42 +++++++++++++++ .../tests/put-api-feedbacks-123.test.ts | 42 +++++++++++++++ .brightsec/tests/put-api-recycles-1.test.ts | 42 +++++++++++++++ .brightsec/tests/put-api-users-123.test.ts | 38 +++++++++++++ .../put-rest-basket-1-coupon-summer21.test.ts | 38 +++++++++++++ ...ut-rest-continue-code-apply-abc123.test.ts | 38 +++++++++++++ ...e-code-findit-apply-examplecode123.test.ts | 38 +++++++++++++ ...e-fixit-apply-exampleencodedstring.test.ts | 38 +++++++++++++ ...-order-history-123-delivery-status.test.ts | 38 +++++++++++++ .../put-rest-products-123-reviews.test.ts | 39 ++++++++++++++ .../tests/put-rest-wallet-balance.test.ts | 39 ++++++++++++++ 141 files changed, 5153 insertions(+) create mode 100644 .brightsec/tests/delete-api-addresss-1.test.ts create mode 100644 .brightsec/tests/delete-api-cards-1.test.ts create mode 100644 .brightsec/tests/delete-api-products-1.test.ts create mode 100644 .brightsec/tests/delete-api-quantitys-1.test.ts create mode 100644 .brightsec/tests/delete-api-recycles-1.test.ts create mode 100644 .brightsec/tests/delete-api-users-123.test.ts create mode 100644 .brightsec/tests/get-api-addresses-1.test.ts create mode 100644 .brightsec/tests/get-api-addresses.test.ts create mode 100644 .brightsec/tests/get-api-addresss-1.test.ts create mode 100644 .brightsec/tests/get-api-addresss.test.ts create mode 100644 .brightsec/tests/get-api-basketitems-1.test.ts create mode 100644 .brightsec/tests/get-api-basketitems.test.ts create mode 100644 .brightsec/tests/get-api-cards-1.test.ts create mode 100644 .brightsec/tests/get-api-cards.test.ts create mode 100644 .brightsec/tests/get-api-challenges-1.test.ts create mode 100644 .brightsec/tests/get-api-challenges.test.ts create mode 100644 .brightsec/tests/get-api-complaints-1.test.ts create mode 100644 .brightsec/tests/get-api-complaints.test.ts create mode 100644 .brightsec/tests/get-api-deliverys-1.test.ts create mode 100644 .brightsec/tests/get-api-deliverys.test.ts create mode 100644 .brightsec/tests/get-api-docs.test.ts create mode 100644 .brightsec/tests/get-api-feedbacks-1.test.ts create mode 100644 .brightsec/tests/get-api-feedbacks.test.ts create mode 100644 .brightsec/tests/get-api-privacy-requests-1.test.ts create mode 100644 .brightsec/tests/get-api-privacy-requests.test.ts create mode 100644 .brightsec/tests/get-api-products-1.test.ts create mode 100644 .brightsec/tests/get-api-products.test.ts create mode 100644 .brightsec/tests/get-api-quantitys-1.test.ts create mode 100644 .brightsec/tests/get-api-quantitys.test.ts create mode 100644 .brightsec/tests/get-api-recycles-1.test.ts create mode 100644 .brightsec/tests/get-api-recycles.test.ts create mode 100644 .brightsec/tests/get-api-securityanswers-1.test.ts create mode 100644 .brightsec/tests/get-api-securityanswers.test.ts create mode 100644 .brightsec/tests/get-api-securityquestions-1.test.ts create mode 100644 .brightsec/tests/get-api-securityquestions.test.ts create mode 100644 .brightsec/tests/get-api-users-1.test.ts create mode 100644 .brightsec/tests/get-api-users.test.ts create mode 100644 .brightsec/tests/get-assets-i18n.test.ts create mode 100644 .brightsec/tests/get-assets-public-images-padding.test.ts create mode 100644 .brightsec/tests/get-assets-public-images-products.test.ts create mode 100644 .brightsec/tests/get-assets-public-images-uploads.test.ts create mode 100644 .brightsec/tests/get-b2b-v2-orders.test.ts create mode 100644 .brightsec/tests/get-dataerasure.test.ts create mode 100644 .brightsec/tests/get-encryptionkeys-samplefile.test.ts create mode 100644 .brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts create mode 100644 .brightsec/tests/get-ftp-sample-md.test.ts create mode 100644 .brightsec/tests/get-ftp-samplefile-md.test.ts create mode 100644 .brightsec/tests/get-metrics.test.ts create mode 100644 .brightsec/tests/get-profile.test.ts create mode 100644 .brightsec/tests/get-promotion.test.ts create mode 100644 .brightsec/tests/get-redirect.test.ts create mode 100644 .brightsec/tests/get-rest-2fa-status.test.ts create mode 100644 .brightsec/tests/get-rest-admin-application-configuration.test.ts create mode 100644 .brightsec/tests/get-rest-admin-application-version.test.ts create mode 100644 .brightsec/tests/get-rest-basket-1-order.test.ts create mode 100644 .brightsec/tests/get-rest-basket-1.test.ts create mode 100644 .brightsec/tests/get-rest-captcha.test.ts create mode 100644 .brightsec/tests/get-rest-chatbot-status.test.ts create mode 100644 .brightsec/tests/get-rest-continue-code-findit.test.ts create mode 100644 .brightsec/tests/get-rest-continue-code-fixit.test.ts create mode 100644 .brightsec/tests/get-rest-continue-code.test.ts create mode 100644 .brightsec/tests/get-rest-country-mapping.test.ts create mode 100644 .brightsec/tests/get-rest-deluxe-membership.test.ts create mode 100644 .brightsec/tests/get-rest-image-captcha.test.ts create mode 100644 .brightsec/tests/get-rest-languages.test.ts create mode 100644 .brightsec/tests/get-rest-memories.test.ts create mode 100644 .brightsec/tests/get-rest-order-history-orders.test.ts create mode 100644 .brightsec/tests/get-rest-order-history.test.ts create mode 100644 .brightsec/tests/get-rest-products-123-reviews.test.ts create mode 100644 .brightsec/tests/get-rest-products-search.test.ts create mode 100644 .brightsec/tests/get-rest-repeat-notification.test.ts create mode 100644 .brightsec/tests/get-rest-save-login-ip.test.ts create mode 100644 .brightsec/tests/get-rest-track-order-12345.test.ts create mode 100644 .brightsec/tests/get-rest-user-authentication-details.test.ts create mode 100644 .brightsec/tests/get-rest-user-change-password.test.ts create mode 100644 .brightsec/tests/get-rest-user-security-question.test.ts create mode 100644 .brightsec/tests/get-rest-user-whoami.test.ts create mode 100644 .brightsec/tests/get-rest-wallet-balance.test.ts create mode 100644 .brightsec/tests/get-rest-web3-nftmintlisten.test.ts create mode 100644 .brightsec/tests/get-rest-web3-nftunlocked.test.ts create mode 100644 .brightsec/tests/get-security-txt.test.ts create mode 100644 .brightsec/tests/get-snippets-123.test.ts create mode 100644 .brightsec/tests/get-snippets-fixes-samplekey.test.ts create mode 100644 .brightsec/tests/get-solve-challenges-server-side.test.ts create mode 100644 .brightsec/tests/get-support-logs-access-log.test.ts create mode 100644 .brightsec/tests/get-support-logs.test.ts create mode 100644 .brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts create mode 100644 .brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts create mode 100644 .brightsec/tests/get-video.test.ts create mode 100644 .brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts create mode 100644 .brightsec/tests/get-well-known-security-txt.test.ts create mode 100644 .brightsec/tests/get-well-known.test.ts create mode 100644 .brightsec/tests/options-example-com.test.ts create mode 100644 .brightsec/tests/patch-rest-products-reviews.test.ts create mode 100644 .brightsec/tests/post-api-addresss.test.ts create mode 100644 .brightsec/tests/post-api-basket-items.test.ts create mode 100644 .brightsec/tests/post-api-cards.test.ts create mode 100644 .brightsec/tests/post-api-challenges.test.ts create mode 100644 .brightsec/tests/post-api-complaints.test.ts create mode 100644 .brightsec/tests/post-api-feedbacks.test.ts create mode 100644 .brightsec/tests/post-api-privacy-requests.test.ts create mode 100644 .brightsec/tests/post-api-products.test.ts create mode 100644 .brightsec/tests/post-api-quantitys.test.ts create mode 100644 .brightsec/tests/post-api-recycles.test.ts create mode 100644 .brightsec/tests/post-api-security-questions.test.ts create mode 100644 .brightsec/tests/post-api-users.test.ts create mode 100644 .brightsec/tests/post-b2b-v2-orders.test.ts create mode 100644 .brightsec/tests/post-dataerasure.test.ts create mode 100644 .brightsec/tests/post-file-upload.test.ts create mode 100644 .brightsec/tests/post-profile-image-file.test.ts create mode 100644 .brightsec/tests/post-profile-image-url.test.ts create mode 100644 .brightsec/tests/post-profile.test.ts create mode 100644 .brightsec/tests/post-rest-2fa-disable.test.ts create mode 100644 .brightsec/tests/post-rest-2fa-setup.test.ts create mode 100644 .brightsec/tests/post-rest-2fa-verify.test.ts create mode 100644 .brightsec/tests/post-rest-basket-1-checkout.test.ts create mode 100644 .brightsec/tests/post-rest-chatbot-respond.test.ts create mode 100644 .brightsec/tests/post-rest-deluxe-membership.test.ts create mode 100644 .brightsec/tests/post-rest-memories.test.ts create mode 100644 .brightsec/tests/post-rest-products-123-reviews.test.ts create mode 100644 .brightsec/tests/post-rest-user-data-export.test.ts create mode 100644 .brightsec/tests/post-rest-user-login.test.ts create mode 100644 .brightsec/tests/post-rest-user-reset-password.test.ts create mode 100644 .brightsec/tests/post-rest-web3-submitkey.test.ts create mode 100644 .brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts create mode 100644 .brightsec/tests/post-rest-web3-walletnftverify.test.ts create mode 100644 .brightsec/tests/post-snippets-fixes.test.ts create mode 100644 .brightsec/tests/post-snippets-verdict.test.ts create mode 100644 .brightsec/tests/put-api-addresss-1.test.ts create mode 100644 .brightsec/tests/put-api-basket-items-1.test.ts create mode 100644 .brightsec/tests/put-api-cards-1.test.ts create mode 100644 .brightsec/tests/put-api-feedbacks-123.test.ts create mode 100644 .brightsec/tests/put-api-recycles-1.test.ts create mode 100644 .brightsec/tests/put-api-users-123.test.ts create mode 100644 .brightsec/tests/put-rest-basket-1-coupon-summer21.test.ts create mode 100644 .brightsec/tests/put-rest-continue-code-apply-abc123.test.ts create mode 100644 .brightsec/tests/put-rest-continue-code-findit-apply-examplecode123.test.ts create mode 100644 .brightsec/tests/put-rest-continue-code-fixit-apply-exampleencodedstring.test.ts create mode 100644 .brightsec/tests/put-rest-order-history-123-delivery-status.test.ts create mode 100644 .brightsec/tests/put-rest-products-123-reviews.test.ts create mode 100644 .brightsec/tests/put-rest-wallet-balance.test.ts diff --git a/.brightsec/tests/delete-api-addresss-1.test.ts b/.brightsec/tests/delete-api-addresss-1.test.ts new file mode 100644 index 0000000..e15ee74 --- /dev/null +++ b/.brightsec/tests/delete-api-addresss-1.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Addresss/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/delete-api-cards-1.test.ts b/.brightsec/tests/delete-api-cards-1.test.ts new file mode 100644 index 0000000..15d2708 --- /dev/null +++ b/.brightsec/tests/delete-api-cards-1.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Cards/1`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/delete-api-products-1.test.ts b/.brightsec/tests/delete-api-products-1.test.ts new file mode 100644 index 0000000..646cc4c --- /dev/null +++ b/.brightsec/tests/delete-api-products-1.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/products/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'http_method_fuzzing', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/products/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/delete-api-quantitys-1.test.ts b/.brightsec/tests/delete-api-quantitys-1.test.ts new file mode 100644 index 0000000..0f06fe0 --- /dev/null +++ b/.brightsec/tests/delete-api-quantitys-1.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'http_method_fuzzing', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Quantitys/1`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/delete-api-recycles-1.test.ts b/.brightsec/tests/delete-api-recycles-1.test.ts new file mode 100644 index 0000000..b0120b0 --- /dev/null +++ b/.brightsec/tests/delete-api-recycles-1.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'improper_asset_management', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Recycles/1`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/delete-api-users-123.test.ts b/.brightsec/tests/delete-api-users-123.test.ts new file mode 100644 index 0000000..c76d998 --- /dev/null +++ b/.brightsec/tests/delete-api-users-123.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/users/123', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'http_method_fuzzing', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Users/123`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-addresses-1.test.ts b/.brightsec/tests/get-api-addresses-1.test.ts new file mode 100644 index 0000000..4d1bd20 --- /dev/null +++ b/.brightsec/tests/get-api-addresses-1.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/addresses/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Addresses/1`, + headers: { 'X-Recruiting': 'We are hiring!' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-addresses.test.ts b/.brightsec/tests/get-api-addresses.test.ts new file mode 100644 index 0000000..bb20d16 --- /dev/null +++ b/.brightsec/tests/get-api-addresses.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/addresses', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Addresses`, + headers: { 'X-Recruiting': 'We are hiring!' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-addresss-1.test.ts b/.brightsec/tests/get-api-addresss-1.test.ts new file mode 100644 index 0000000..baf7d08 --- /dev/null +++ b/.brightsec/tests/get-api-addresss-1.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Addresss/1`, + headers: { 'X-Recruiting': 'undefined' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-addresss.test.ts b/.brightsec/tests/get-api-addresss.test.ts new file mode 100644 index 0000000..76b42d2 --- /dev/null +++ b/.brightsec/tests/get-api-addresss.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/addresss', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'id_enumeration', 'bopla', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Addresss?UserId=1`, + headers: { 'X-Recruiting': 'We are hiring!' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-basketitems-1.test.ts b/.brightsec/tests/get-api-basketitems-1.test.ts new file mode 100644 index 0000000..9402b29 --- /dev/null +++ b/.brightsec/tests/get-api-basketitems-1.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/basketitems/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'business_constraint_bypass', 'jwt', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/BasketItems/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-basketitems.test.ts b/.brightsec/tests/get-api-basketitems.test.ts new file mode 100644 index 0000000..c2248cb --- /dev/null +++ b/.brightsec/tests/get-api-basketitems.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/basketitems', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'id_enumeration', 'jwt', 'sqli'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/BasketItems`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-cards-1.test.ts b/.brightsec/tests/get-api-cards-1.test.ts new file mode 100644 index 0000000..d31a33c --- /dev/null +++ b/.brightsec/tests/get-api-cards-1.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/cards/1`, + headers: { 'X-Recruiting': 'https://owasp.org/www-project-juice-shop/' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-cards.test.ts b/.brightsec/tests/get-api-cards.test.ts new file mode 100644 index 0000000..d872fe7 --- /dev/null +++ b/.brightsec/tests/get-api-cards.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/cards', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'xss', 'sqli'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/cards`, + headers: { 'X-Recruiting': 'We are hiring!' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-challenges-1.test.ts b/.brightsec/tests/get-api-challenges-1.test.ts new file mode 100644 index 0000000..a742a63 --- /dev/null +++ b/.brightsec/tests/get-api-challenges-1.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/challenges/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'xss', 'csrf', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Challenges/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-challenges.test.ts b/.brightsec/tests/get-api-challenges.test.ts new file mode 100644 index 0000000..91b272c --- /dev/null +++ b/.brightsec/tests/get-api-challenges.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/challenges', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'id_enumeration', 'improper_asset_management', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Challenges`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-complaints-1.test.ts b/.brightsec/tests/get-api-complaints-1.test.ts new file mode 100644 index 0000000..9d6c7ae --- /dev/null +++ b/.brightsec/tests/get-api-complaints-1.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/complaints/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Complaints/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-complaints.test.ts b/.brightsec/tests/get-api-complaints.test.ts new file mode 100644 index 0000000..c677104 --- /dev/null +++ b/.brightsec/tests/get-api-complaints.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/complaints', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Complaints`, + headers: { 'Authorization': 'Bearer ' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-deliverys-1.test.ts b/.brightsec/tests/get-api-deliverys-1.test.ts new file mode 100644 index 0000000..0aaf101 --- /dev/null +++ b/.brightsec/tests/get-api-deliverys-1.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/deliverys/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Deliverys/1`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-deliverys.test.ts b/.brightsec/tests/get-api-deliverys.test.ts new file mode 100644 index 0000000..53a8452 --- /dev/null +++ b/.brightsec/tests/get-api-deliverys.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/deliverys', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Deliverys`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-docs.test.ts b/.brightsec/tests/get-api-docs.test.ts new file mode 100644 index 0000000..5226443 --- /dev/null +++ b/.brightsec/tests/get-api-docs.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api-docs', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['improper_asset_management', 'xss', 'csrf', 'insecure_tls_configuration', 'http_method_fuzzing'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api-docs`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-feedbacks-1.test.ts b/.brightsec/tests/get-api-feedbacks-1.test.ts new file mode 100644 index 0000000..abc9307 --- /dev/null +++ b/.brightsec/tests/get-api-feedbacks-1.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/feedbacks/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'stored_xss', 'sqli', 'csrf', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Feedbacks/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-feedbacks.test.ts b/.brightsec/tests/get-api-feedbacks.test.ts new file mode 100644 index 0000000..8fa70fa --- /dev/null +++ b/.brightsec/tests/get-api-feedbacks.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/feedbacks', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'improper_asset_management', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Feedbacks`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-privacy-requests-1.test.ts b/.brightsec/tests/get-api-privacy-requests-1.test.ts new file mode 100644 index 0000000..20c5638 --- /dev/null +++ b/.brightsec/tests/get-api-privacy-requests-1.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/privacy-requests/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'csrf', 'sqli', 'xss', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/PrivacyRequests/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-privacy-requests.test.ts b/.brightsec/tests/get-api-privacy-requests.test.ts new file mode 100644 index 0000000..b8d9c65 --- /dev/null +++ b/.brightsec/tests/get-api-privacy-requests.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/privacy-requests', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'csrf', 'id_enumeration', 'improper_asset_management', 'jwt', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.QUERY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/PrivacyRequests`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-products-1.test.ts b/.brightsec/tests/get-api-products-1.test.ts new file mode 100644 index 0000000..f139bd3 --- /dev/null +++ b/.brightsec/tests/get-api-products-1.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/products/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'sqli', 'xss', 'csrf', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Products/1`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-products.test.ts b/.brightsec/tests/get-api-products.test.ts new file mode 100644 index 0000000..20f3c81 --- /dev/null +++ b/.brightsec/tests/get-api-products.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/products', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'improper_asset_management', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.QUERY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Products?q=sample`, + headers: { 'X-Recruiting': 'https://owasp.org/www-project-juice-shop/' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-quantitys-1.test.ts b/.brightsec/tests/get-api-quantitys-1.test.ts new file mode 100644 index 0000000..2a6a52e --- /dev/null +++ b/.brightsec/tests/get-api-quantitys-1.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/Quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'csrf', 'xss', 'sqli', 'osi'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Quantitys/1`, + headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-quantitys.test.ts b/.brightsec/tests/get-api-quantitys.test.ts new file mode 100644 index 0000000..2ba4a1b --- /dev/null +++ b/.brightsec/tests/get-api-quantitys.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/quantitys', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Quantitys`, + headers: { 'X-Recruiting': 'We are hiring!' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-recycles-1.test.ts b/.brightsec/tests/get-api-recycles-1.test.ts new file mode 100644 index 0000000..1f9f031 --- /dev/null +++ b/.brightsec/tests/get-api-recycles-1.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'id_enumeration', 'full_path_disclosure', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Recycles/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-recycles.test.ts b/.brightsec/tests/get-api-recycles.test.ts new file mode 100644 index 0000000..f81151b --- /dev/null +++ b/.brightsec/tests/get-api-recycles.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/recycles', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'xss', 'csrf', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.QUERY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Recycles`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-securityanswers-1.test.ts b/.brightsec/tests/get-api-securityanswers-1.test.ts new file mode 100644 index 0000000..883abf6 --- /dev/null +++ b/.brightsec/tests/get-api-securityanswers-1.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/securityanswers/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/SecurityAnswers/1`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-securityanswers.test.ts b/.brightsec/tests/get-api-securityanswers.test.ts new file mode 100644 index 0000000..3c0c064 --- /dev/null +++ b/.brightsec/tests/get-api-securityanswers.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/securityanswers', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.QUERY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/SecurityAnswers`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-securityquestions-1.test.ts b/.brightsec/tests/get-api-securityquestions-1.test.ts new file mode 100644 index 0000000..c02c72d --- /dev/null +++ b/.brightsec/tests/get-api-securityquestions-1.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/securityquestions/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'improper_asset_management', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/SecurityQuestions/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-securityquestions.test.ts b/.brightsec/tests/get-api-securityquestions.test.ts new file mode 100644 index 0000000..2fa5294 --- /dev/null +++ b/.brightsec/tests/get-api-securityquestions.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/securityquestions', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'xss', 'sqli'], + attackParamLocations: [AttackParamLocation.QUERY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/SecurityQuestions?email=user@example.com`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-users-1.test.ts b/.brightsec/tests/get-api-users-1.test.ts new file mode 100644 index 0000000..6e3be1c --- /dev/null +++ b/.brightsec/tests/get-api-users-1.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/users/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Users/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-api-users.test.ts b/.brightsec/tests/get-api-users.test.ts new file mode 100644 index 0000000..997ead4 --- /dev/null +++ b/.brightsec/tests/get-api-users.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/users', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'jwt', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Users`, + headers: { 'Authorization': 'Bearer ' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-assets-i18n.test.ts b/.brightsec/tests/get-assets-i18n.test.ts new file mode 100644 index 0000000..24073c4 --- /dev/null +++ b/.brightsec/tests/get-assets-i18n.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /assets/i18n', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'improper_asset_management', 'lfi', 'ssrf'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/assets/i18n`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-assets-public-images-padding.test.ts b/.brightsec/tests/get-assets-public-images-padding.test.ts new file mode 100644 index 0000000..5095311 --- /dev/null +++ b/.brightsec/tests/get-assets-public-images-padding.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /assets/public/images/padding', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'lfi', 'improper_asset_management', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/assets/public/images/padding`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-assets-public-images-products.test.ts b/.brightsec/tests/get-assets-public-images-products.test.ts new file mode 100644 index 0000000..8009ea5 --- /dev/null +++ b/.brightsec/tests/get-assets-public-images-products.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /assets/public/images/products', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'improper_asset_management', 'lfi', 'xss'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/assets/public/images/products`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-assets-public-images-uploads.test.ts b/.brightsec/tests/get-assets-public-images-uploads.test.ts new file mode 100644 index 0000000..8a65087 --- /dev/null +++ b/.brightsec/tests/get-assets-public-images-uploads.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /assets/public/images/uploads', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['file_upload', 'xss', 'lfi', 'csrf', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/assets/public/images/uploads`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-b2b-v2-orders.test.ts b/.brightsec/tests/get-b2b-v2-orders.test.ts new file mode 100644 index 0000000..de94dcc --- /dev/null +++ b/.brightsec/tests/get-b2b-v2-orders.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /b2b/v2/orders', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'business_constraint_bypass', 'improper_asset_management', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/b2b/v2/orders`, + headers: { 'X-Recruiting': 'https://www.owasp.org/index.php/OWASP_Juice_Shop_Project#tab=Project_About' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-dataerasure.test.ts b/.brightsec/tests/get-dataerasure.test.ts new file mode 100644 index 0000000..6361dad --- /dev/null +++ b/.brightsec/tests/get-dataerasure.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /dataerasure', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'lfi', 'bopla', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/dataerasure`, + headers: { 'X-Recruiting': 'We are hiring!' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-encryptionkeys-samplefile.test.ts b/.brightsec/tests/get-encryptionkeys-samplefile.test.ts new file mode 100644 index 0000000..f687ac2 --- /dev/null +++ b/.brightsec/tests/get-encryptionkeys-samplefile.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /encryptionkeys/samplefile', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['improper_asset_management', 'full_path_disclosure', 'lfi', 'open_cloud_storage', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/encryptionkeys/samplefile`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts b/.brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts new file mode 100644 index 0000000..36e013a --- /dev/null +++ b/.brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /ftp/quarantine/samplefile.txt', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['lfi', 'directoryListingChallenge', 'xss', 'csrf', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/ftp/quarantine/samplefile.txt`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-ftp-sample-md.test.ts b/.brightsec/tests/get-ftp-sample-md.test.ts new file mode 100644 index 0000000..fee7952 --- /dev/null +++ b/.brightsec/tests/get-ftp-sample-md.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /ftp/sample.md', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['lfi', 'xss', 'csrf', 'improper_asset_management', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/ftp/sample.md`, + headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-ftp-samplefile-md.test.ts b/.brightsec/tests/get-ftp-samplefile-md.test.ts new file mode 100644 index 0000000..41a3ea4 --- /dev/null +++ b/.brightsec/tests/get-ftp-samplefile-md.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /ftp/samplefile.md', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['lfi', 'ssrf', 'full_path_disclosure', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/ftp/samplefile.md`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-metrics.test.ts b/.brightsec/tests/get-metrics.test.ts new file mode 100644 index 0000000..eb871fb --- /dev/null +++ b/.brightsec/tests/get-metrics.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /metrics', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['improper_asset_management', 'ssrf', 'csrf', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/metrics`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-profile.test.ts b/.brightsec/tests/get-profile.test.ts new file mode 100644 index 0000000..3a0d567 --- /dev/null +++ b/.brightsec/tests/get-profile.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /profile', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['ssti', 'stored_xss', 'csrf', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/profile`, + headers: { 'X-Recruiting': "We're hiring! Check out our careers page." }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-promotion.test.ts b/.brightsec/tests/get-promotion.test.ts new file mode 100644 index 0000000..ea257f0 --- /dev/null +++ b/.brightsec/tests/get-promotion.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /promotion', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'csrf', 'business_constraint_bypass', 'improper_asset_management', 'sqli'], + attackParamLocations: [AttackParamLocation.QUERY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/promotion`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-redirect.test.ts b/.brightsec/tests/get-redirect.test.ts new file mode 100644 index 0000000..cbb7a55 --- /dev/null +++ b/.brightsec/tests/get-redirect.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /redirect', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['unvalidated_redirect', 'xss', 'csrf', 'http_method_fuzzing'], + attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/redirect?to=https://example.com`, + headers: { 'X-Recruiting': 'We are hiring!' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-2fa-status.test.ts b/.brightsec/tests/get-rest-2fa-status.test.ts new file mode 100644 index 0000000..a917011 --- /dev/null +++ b/.brightsec/tests/get-rest-2fa-status.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/2fa/status', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/2fa/status`, + headers: { 'X-Recruiting': 'We are hiring!' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-admin-application-configuration.test.ts b/.brightsec/tests/get-rest-admin-application-configuration.test.ts new file mode 100644 index 0000000..0f67a39 --- /dev/null +++ b/.brightsec/tests/get-rest-admin-application-configuration.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/admin/application-configuration', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'improper_asset_management', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/admin/application-configuration`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-admin-application-version.test.ts b/.brightsec/tests/get-rest-admin-application-version.test.ts new file mode 100644 index 0000000..de09366 --- /dev/null +++ b/.brightsec/tests/get-rest-admin-application-version.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/admin/application-version', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'improper_asset_management', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/admin/application-version`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-basket-1-order.test.ts b/.brightsec/tests/get-rest-basket-1-order.test.ts new file mode 100644 index 0000000..750fc97 --- /dev/null +++ b/.brightsec/tests/get-rest-basket-1-order.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/basket/1/order', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'jwt', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/basket/1/order`, + headers: { 'Authorization': 'Bearer ' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-basket-1.test.ts b/.brightsec/tests/get-rest-basket-1.test.ts new file mode 100644 index 0000000..5c3f17f --- /dev/null +++ b/.brightsec/tests/get-rest-basket-1.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/basket/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'csrf', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/basket/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-captcha.test.ts b/.brightsec/tests/get-rest-captcha.test.ts new file mode 100644 index 0000000..b262279 --- /dev/null +++ b/.brightsec/tests/get-rest-captcha.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/captcha', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/captcha`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-chatbot-status.test.ts b/.brightsec/tests/get-rest-chatbot-status.test.ts new file mode 100644 index 0000000..8a8e8ca --- /dev/null +++ b/.brightsec/tests/get-rest-chatbot-status.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/chatbot/status', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'jwt', 'xss', 'server_side_js_injection', 'osi'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/chatbot/status`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-continue-code-findit.test.ts b/.brightsec/tests/get-rest-continue-code-findit.test.ts new file mode 100644 index 0000000..d3235a1 --- /dev/null +++ b/.brightsec/tests/get-rest-continue-code-findit.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/continue-code-findIt', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management', 'sqli', 'ssrf', 'open_database', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/continue-code-findIt`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-continue-code-fixit.test.ts b/.brightsec/tests/get-rest-continue-code-fixit.test.ts new file mode 100644 index 0000000..534cf7b --- /dev/null +++ b/.brightsec/tests/get-rest-continue-code-fixit.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/continue-code-fixIt', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'sqli', 'ssrf', 'lfi', 'rfi', 'osi', 'jwt', 'nosql', 'xxe'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/continue-code-fixIt`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-continue-code.test.ts b/.brightsec/tests/get-rest-continue-code.test.ts new file mode 100644 index 0000000..2cafe78 --- /dev/null +++ b/.brightsec/tests/get-rest-continue-code.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/continue-code', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management', 'open_database', 'sqli', 'ssrf', 'xxe'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/continue-code`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-country-mapping.test.ts b/.brightsec/tests/get-rest-country-mapping.test.ts new file mode 100644 index 0000000..8dab92a --- /dev/null +++ b/.brightsec/tests/get-rest-country-mapping.test.ts @@ -0,0 +1,53 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/country-mapping', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: [ + 'csrf', + 'bopla', + 'improper_asset_management', + 'xss', + 'sqli', + 'nosql', + 'ldapi', + 'xxe', + 'osi', + 'rfi', + 'lfi', + 'ssrf', + 'ssti', + 'stored_xss', + 'unvalidated_redirect', + 'version_control_systems', + 'secret_tokens' + ], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/country-mapping`, + headers: { 'X-Recruiting': 'undefined' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-deluxe-membership.test.ts b/.brightsec/tests/get-rest-deluxe-membership.test.ts new file mode 100644 index 0000000..d72b8d6 --- /dev/null +++ b/.brightsec/tests/get-rest-deluxe-membership.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/deluxe-membership', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'improper_asset_management', 'xss', 'sqli'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/deluxe-membership`, + headers: { 'X-Recruiting': 'We are hiring! Check out our careers page.' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-image-captcha.test.ts b/.brightsec/tests/get-rest-image-captcha.test.ts new file mode 100644 index 0000000..121b516 --- /dev/null +++ b/.brightsec/tests/get-rest-image-captcha.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/image-captcha', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management', 'full_path_disclosure', 'ssrf'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/image-captcha`, + headers: { 'X-Recruiting': 'We are hiring! Check our careers page.' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-languages.test.ts b/.brightsec/tests/get-rest-languages.test.ts new file mode 100644 index 0000000..300ee46 --- /dev/null +++ b/.brightsec/tests/get-rest-languages.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/languages', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['improper_asset_management', 'csrf', 'xss', 'id_enumeration', 'bopla'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/languages`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-memories.test.ts b/.brightsec/tests/get-rest-memories.test.ts new file mode 100644 index 0000000..35e6590 --- /dev/null +++ b/.brightsec/tests/get-rest-memories.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/memories', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'id_enumeration', 'xss', 'improper_asset_management', 'sqli', 'nosql', 'open_database', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.QUERY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/memories`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-order-history-orders.test.ts b/.brightsec/tests/get-rest-order-history-orders.test.ts new file mode 100644 index 0000000..e2a7621 --- /dev/null +++ b/.brightsec/tests/get-rest-order-history-orders.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/order-history/orders', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'id_enumeration', 'jwt'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/order-history/orders`, + headers: { 'Authorization': 'Bearer ' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-order-history.test.ts b/.brightsec/tests/get-rest-order-history.test.ts new file mode 100644 index 0000000..aa95c09 --- /dev/null +++ b/.brightsec/tests/get-rest-order-history.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/order-history', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'jwt', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/order-history`, + headers: { 'Authorization': 'Bearer ' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-products-123-reviews.test.ts b/.brightsec/tests/get-rest-products-123-reviews.test.ts new file mode 100644 index 0000000..5a7fad5 --- /dev/null +++ b/.brightsec/tests/get-rest-products-123-reviews.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/products/123/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['nosql', 'xss', 'csrf', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/products/123/reviews`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-products-search.test.ts b/.brightsec/tests/get-rest-products-search.test.ts new file mode 100644 index 0000000..febab77 --- /dev/null +++ b/.brightsec/tests/get-rest-products-search.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/products/search', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'xss', 'csrf', 'business_constraint_bypass'], + attackParamLocations: [AttackParamLocation.QUERY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/products/search?q=example`, + headers: { 'X-Recruiting': 'We are hiring!' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-repeat-notification.test.ts b/.brightsec/tests/get-rest-repeat-notification.test.ts new file mode 100644 index 0000000..3fcfa7b --- /dev/null +++ b/.brightsec/tests/get-rest-repeat-notification.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/repeat-notification', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'unvalidated_redirect', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/repeat-notification?challenge=example-challenge`, + headers: { 'X-Recruiting': 'We are hiring!' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-save-login-ip.test.ts b/.brightsec/tests/get-rest-save-login-ip.test.ts new file mode 100644 index 0000000..90c30bd --- /dev/null +++ b/.brightsec/tests/get-rest-save-login-ip.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/saveLoginIp', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'csrf', 'bopla', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/saveLoginIp`, + headers: { 'X-Recruiting': 'We are hiring! Check our careers page for more information.' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-track-order-12345.test.ts b/.brightsec/tests/get-rest-track-order-12345.test.ts new file mode 100644 index 0000000..a25d94f --- /dev/null +++ b/.brightsec/tests/get-rest-track-order-12345.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/track-order/12345', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['nosql', 'xss', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/track-order/12345`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-user-authentication-details.test.ts b/.brightsec/tests/get-rest-user-authentication-details.test.ts new file mode 100644 index 0000000..6710ccc --- /dev/null +++ b/.brightsec/tests/get-rest-user-authentication-details.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/user/authentication-details', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'stored_xss', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/user/authentication-details`, + headers: { 'X-Recruiting': 'https://owasp.org/www-project-juice-shop/' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-user-change-password.test.ts b/.brightsec/tests/get-rest-user-change-password.test.ts new file mode 100644 index 0000000..82e58fb --- /dev/null +++ b/.brightsec/tests/get-rest-user-change-password.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/user/change-password', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'bopla', 'jwt', 'sqli', 'osi'], + attackParamLocations: [AttackParamLocation.QUERY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/user/change-password?current=currentPassword123&new=newPassword123&repeat=newPassword123`, + headers: { 'Authorization': 'Bearer ' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-user-security-question.test.ts b/.brightsec/tests/get-rest-user-security-question.test.ts new file mode 100644 index 0000000..a93138a --- /dev/null +++ b/.brightsec/tests/get-rest-user-security-question.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/user/security-question', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'id_enumeration', 'xss', 'sqli', 'bopla'], + attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/user/security-question?email=user@example.com`, + headers: { 'X-Recruiting': 'We are hiring!' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-user-whoami.test.ts b/.brightsec/tests/get-rest-user-whoami.test.ts new file mode 100644 index 0000000..dac1bf5 --- /dev/null +++ b/.brightsec/tests/get-rest-user-whoami.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/user/whoami', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'xss', 'jwt'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/user/whoami`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-wallet-balance.test.ts b/.brightsec/tests/get-rest-wallet-balance.test.ts new file mode 100644 index 0000000..6ad7420 --- /dev/null +++ b/.brightsec/tests/get-rest-wallet-balance.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/wallet/balance', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli', 'nosql', 'xss', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/wallet/balance`, + headers: { 'X-Recruiting': 'true' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-web3-nftmintlisten.test.ts b/.brightsec/tests/get-rest-web3-nftmintlisten.test.ts new file mode 100644 index 0000000..57fcc98 --- /dev/null +++ b/.brightsec/tests/get-rest-web3-nftmintlisten.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/web3/nftMintListen', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'ssrf', 'nosql', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/web3/nftMintListen`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-rest-web3-nftunlocked.test.ts b/.brightsec/tests/get-rest-web3-nftunlocked.test.ts new file mode 100644 index 0000000..bdd19a3 --- /dev/null +++ b/.brightsec/tests/get-rest-web3-nftunlocked.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/web3/nftUnlocked', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management', 'nosql', 'ssrf'], + attackParamLocations: [AttackParamLocation.HEADER, AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/web3/nftUnlocked`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-security-txt.test.ts b/.brightsec/tests/get-security-txt.test.ts new file mode 100644 index 0000000..a3620e6 --- /dev/null +++ b/.brightsec/tests/get-security-txt.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET security.txt', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['improper_asset_management', 'csrf', 'full_path_disclosure', 'xss'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/security.txt`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-snippets-123.test.ts b/.brightsec/tests/get-snippets-123.test.ts new file mode 100644 index 0000000..f8e017e --- /dev/null +++ b/.brightsec/tests/get-snippets-123.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /snippets/123', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'xss', 'bopla', 'sqli', 'lfi'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/snippets/123`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-snippets-fixes-samplekey.test.ts b/.brightsec/tests/get-snippets-fixes-samplekey.test.ts new file mode 100644 index 0000000..7cd6fbe --- /dev/null +++ b/.brightsec/tests/get-snippets-fixes-samplekey.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /snippets/fixes/sampleKey', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'full_path_disclosure', 'http_method_fuzzing', 'id_enumeration', 'improper_asset_management', 'open_database', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/snippets/fixes/sampleKey`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-solve-challenges-server-side.test.ts b/.brightsec/tests/get-solve-challenges-server-side.test.ts new file mode 100644 index 0000000..b466e37 --- /dev/null +++ b/.brightsec/tests/get-solve-challenges-server-side.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET solve-challenges-server-side', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'ssti', 'ssrf', 'xss', 'lfi'], + attackParamLocations: [AttackParamLocation.QUERY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/solve/challenges/server-side?key=tRy_H4rd3r_n0thIng_iS_Imp0ssibl3`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-support-logs-access-log.test.ts b/.brightsec/tests/get-support-logs-access-log.test.ts new file mode 100644 index 0000000..f61b56d --- /dev/null +++ b/.brightsec/tests/get-support-logs-access-log.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /support/logs/access.log', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['lfi', 'improper_asset_management', 'full_path_disclosure', 'csrf', 'xss'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/support/logs/access.log`, + headers: { 'X-Recruiting': 'We are hiring! Check our careers page.' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-support-logs.test.ts b/.brightsec/tests/get-support-logs.test.ts new file mode 100644 index 0000000..8dcf619 --- /dev/null +++ b/.brightsec/tests/get-support-logs.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /support/logs', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: [ + 'accessLogDisclosureChallenge', + 'directoryListingChallenge', + 'csrf', + 'xss', + 'improper_asset_management' + ], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/support/logs`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts b/.brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts new file mode 100644 index 0000000..8718251 --- /dev/null +++ b/.brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'csrf', 'directoryListingChallenge', 'exposedMetricsChallenge', 'sqli', 'ssrf', 'lfi', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts b/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts new file mode 100644 index 0000000..81f15c2 --- /dev/null +++ b/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc/to/us', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['unvalidated_redirect', 'improper_asset_management', 'full_path_disclosure', 'csrf', 'xss'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc/to/us`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-video.test.ts b/.brightsec/tests/get-video.test.ts new file mode 100644 index 0000000..cb83842 --- /dev/null +++ b/.brightsec/tests/get-video.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /video', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['lfi', 'rfi', 'xss', 'csrf', 'http_method_fuzzing', 'improper_asset_management', 'osi', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/video`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts b/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts new file mode 100644 index 0000000..adf5b89 --- /dev/null +++ b/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts @@ -0,0 +1,34 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'unvalidated_redirect', 'improper_asset_management', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-well-known-security-txt.test.ts b/.brightsec/tests/get-well-known-security-txt.test.ts new file mode 100644 index 0000000..20a94c1 --- /dev/null +++ b/.brightsec/tests/get-well-known-security-txt.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /.well-known/security.txt', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['improper_asset_management', 'csrf', 'full_path_disclosure', 'open_database', 'secret_tokens', 'xss'], + attackParamLocations: [AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/.well-known/security.txt`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/get-well-known.test.ts b/.brightsec/tests/get-well-known.test.ts new file mode 100644 index 0000000..d61d2f9 --- /dev/null +++ b/.brightsec/tests/get-well-known.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /.well-known', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['improper_asset_management', 'full_path_disclosure', 'xss', 'csrf', 'directory_listing'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/.well-known`, + headers: { 'X-Recruiting': '/#/jobs' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/options-example-com.test.ts b/.brightsec/tests/options-example-com.test.ts new file mode 100644 index 0000000..0f0a7de --- /dev/null +++ b/.brightsec/tests/options-example-com.test.ts @@ -0,0 +1,35 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('OPTIONS example-com', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['http_method_fuzzing', 'csrf', 'improper_asset_management', 'full_path_disclosure', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.OPTIONS, + url: `${baseUrl}/*`, + headers: { 'X-Recruiting': '/#/jobs' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/patch-rest-products-reviews.test.ts b/.brightsec/tests/patch-rest-products-reviews.test.ts new file mode 100644 index 0000000..6d78688 --- /dev/null +++ b/.brightsec/tests/patch-rest-products-reviews.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PATCH /rest/products/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'nosql', 'stored_xss', 'xss'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PATCH, + url: `${baseUrl}/rest/products/reviews`, + body: { + id: '60c72b2f9b1d8e001f8e4c8a', + message: 'Updated review message' + }, + headers: { 'Content-Type': 'application/json', 'Authorization': 'Bearer ' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-api-addresss.test.ts b/.brightsec/tests/post-api-addresss.test.ts new file mode 100644 index 0000000..256c21b --- /dev/null +++ b/.brightsec/tests/post-api-addresss.test.ts @@ -0,0 +1,45 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/addresss', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'sqli', 'csrf', 'xss', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Addresss`, + body: { + UserId: 1, + fullName: 'John Doe', + mobileNum: 1234567890, + zipCode: '12345', + streetAddress: '123 Main St', + city: 'Metropolis', + state: 'NY', + country: 'USA' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-api-basket-items.test.ts b/.brightsec/tests/post-api-basket-items.test.ts new file mode 100644 index 0000000..a9dbfd8 --- /dev/null +++ b/.brightsec/tests/post-api-basket-items.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/basket-items', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/BasketItems`, + body: { + ProductId: 1, + BasketId: 1, + quantity: 1 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-api-cards.test.ts b/.brightsec/tests/post-api-cards.test.ts new file mode 100644 index 0000000..b3ea3cc --- /dev/null +++ b/.brightsec/tests/post-api-cards.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/cards', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'date_manipulation', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + skipStaticParams: false + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/cards`, + body: { + UserId: 1, + fullName: 'John Doe', + cardNum: 1234567812345678, + expMonth: 12, + expYear: 2090 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-api-challenges.test.ts b/.brightsec/tests/post-api-challenges.test.ts new file mode 100644 index 0000000..c346f4f --- /dev/null +++ b/.brightsec/tests/post-api-challenges.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('post-api-challenges', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'sqli', 'ssrf', 'file_upload', 'osi', 'lfi', 'rfi', 'secret_tokens', 'open_database'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Challenges`, + body: { + query: 'POST /api/Challenges' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-api-complaints.test.ts b/.brightsec/tests/post-api-complaints.test.ts new file mode 100644 index 0000000..b817496 --- /dev/null +++ b/.brightsec/tests/post-api-complaints.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/complaints', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'file_upload', 'stored_xss', 'bopla', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Complaints`, + body: { + UserId: 1, + message: 'This is a sample complaint message.', + file: 'sample-file.txt' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-api-feedbacks.test.ts b/.brightsec/tests/post-api-feedbacks.test.ts new file mode 100644 index 0000000..d0cd290 --- /dev/null +++ b/.brightsec/tests/post-api-feedbacks.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/feedbacks', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'bopla', 'sqli', 'stored_xss'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Feedbacks`, + body: { + UserId: 1, + comment: 'Great service!', + rating: 5 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-api-privacy-requests.test.ts b/.brightsec/tests/post-api-privacy-requests.test.ts new file mode 100644 index 0000000..b833180 --- /dev/null +++ b/.brightsec/tests/post-api-privacy-requests.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/privacy-requests', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'xss', 'sqli', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/PrivacyRequests`, + body: { + UserId: 123, + deletionRequested: true + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-api-products.test.ts b/.brightsec/tests/post-api-products.test.ts new file mode 100644 index 0000000..dd67311 --- /dev/null +++ b/.brightsec/tests/post-api-products.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/products', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'sqli', 'xss', 'file_upload'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Products`, + body: { + name: 'Sample Product', + description: 'A sample product description.', + price: 19.99, + deluxePrice: 29.99, + image: 'sample-product.jpg' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-api-quantitys.test.ts b/.brightsec/tests/post-api-quantitys.test.ts new file mode 100644 index 0000000..aa1edea --- /dev/null +++ b/.brightsec/tests/post-api-quantitys.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/quantitys', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Quantitys`, + body: { + ProductId: 1, + quantity: 5 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-api-recycles.test.ts b/.brightsec/tests/post-api-recycles.test.ts new file mode 100644 index 0000000..cbf53ff --- /dev/null +++ b/.brightsec/tests/post-api-recycles.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/recycles', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'sqli', 'xss', 'date_manipulation', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY], + skipStaticParams: false + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Recycles`, + body: { + quantity: 200, + AddressId: "1", + isPickup: true, + date: "2017-05-31" + }, + headers: { 'Content-Type': 'application/json', 'Authorization': 'Bearer ' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-api-security-questions.test.ts b/.brightsec/tests/post-api-security-questions.test.ts new file mode 100644 index 0000000..619b068 --- /dev/null +++ b/.brightsec/tests/post-api-security-questions.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/security-questions', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'xss', 'email_injection', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/SecurityQuestions`, + body: { + email: 'user@example.com' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-api-users.test.ts b/.brightsec/tests/post-api-users.test.ts new file mode 100644 index 0000000..edffd7f --- /dev/null +++ b/.brightsec/tests/post-api-users.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/users', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'bopla', 'sqli', 'email_injection', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Users`, + body: { + email: 'user@example.com', + password: 'securePassword123', + passwordRepeat: 'securePassword123' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-b2b-v2-orders.test.ts b/.brightsec/tests/post-b2b-v2-orders.test.ts new file mode 100644 index 0000000..14cd355 --- /dev/null +++ b/.brightsec/tests/post-b2b-v2-orders.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /b2b/v2/orders', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['osi', 'ssrf', 'rfi', 'sqli', 'xss', 'csrf', 'business_constraint_bypass', 'bopla'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/b2b/v2/orders`, + body: { + cid: '12345', + orderLinesData: 'sample order data' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-dataerasure.test.ts b/.brightsec/tests/post-dataerasure.test.ts new file mode 100644 index 0000000..dcef41b --- /dev/null +++ b/.brightsec/tests/post-dataerasure.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /dataerasure', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'osi', 'lfi', 'stored_xss', 'bopla'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/dataerasure`, + body: { + email: 'user@example.com', + securityAnswer: 'exampleAnswer' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-file-upload.test.ts b/.brightsec/tests/post-file-upload.test.ts new file mode 100644 index 0000000..bf2b756 --- /dev/null +++ b/.brightsec/tests/post-file-upload.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /file-upload', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['file_upload', 'xss', 'csrf', 'osi', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/file-upload`, + body: { + UserId: 1, + message: 'Sample complaint message', + file: 'sample.txt' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-profile-image-file.test.ts b/.brightsec/tests/post-profile-image-file.test.ts new file mode 100644 index 0000000..cfc678d --- /dev/null +++ b/.brightsec/tests/post-profile-image-file.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /profile/image/file', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['file_upload', 'xss', 'osi', 'csrf'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/profile/image/file`, + body: { + file: '' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-profile-image-url.test.ts b/.brightsec/tests/post-profile-image-url.test.ts new file mode 100644 index 0000000..7f0b252 --- /dev/null +++ b/.brightsec/tests/post-profile-image-url.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /profile/image/url', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['ssrf', 'xss', 'unvalidated_redirect', 'file_upload'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/profile/image/url`, + body: { + imageUrl: 'https://example.com/image.jpg' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-profile.test.ts b/.brightsec/tests/post-profile.test.ts new file mode 100644 index 0000000..78dbcf1 --- /dev/null +++ b/.brightsec/tests/post-profile.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /profile', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'xss', 'sqli', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/profile`, + body: { + username: 'new_username' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-2fa-disable.test.ts b/.brightsec/tests/post-rest-2fa-disable.test.ts new file mode 100644 index 0000000..c3779ff --- /dev/null +++ b/.brightsec/tests/post-rest-2fa-disable.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/2fa/disable', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'business_constraint_bypass', 'xss', 'sqli', 'osi'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/2fa/disable`, + body: { + password: 'examplePassword123' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-2fa-setup.test.ts b/.brightsec/tests/post-rest-2fa-setup.test.ts new file mode 100644 index 0000000..1cfd671 --- /dev/null +++ b/.brightsec/tests/post-rest-2fa-setup.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/2fa/setup', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'osi', 'secret_tokens', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/2fa/setup`, + body: { + password: 'examplePassword123', + setupToken: 'exampleSetupToken', + initialToken: '123456' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-2fa-verify.test.ts b/.brightsec/tests/post-rest-2fa-verify.test.ts new file mode 100644 index 0000000..080daab --- /dev/null +++ b/.brightsec/tests/post-rest-2fa-verify.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/2fa/verify', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['jwt', 'bopla', 'csrf', 'xss', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/2fa/verify`, + body: { + tmpToken: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEsInR5cGUiOiJwYXNzd29yZF92YWxpZF9uZWVkc19zZWNvbmRfZmFjdG9yX3Rva2VuIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c', + totpToken: '123456' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-basket-1-checkout.test.ts b/.brightsec/tests/post-rest-basket-1-checkout.test.ts new file mode 100644 index 0000000..73143fe --- /dev/null +++ b/.brightsec/tests/post-rest-basket-1-checkout.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/basket/1/checkout', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/basket/1/checkout`, + body: { + orderDetails: { + deliveryMethodId: 1, + paymentId: 'wallet', + addressId: 1 + }, + UserId: 1 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-chatbot-respond.test.ts b/.brightsec/tests/post-rest-chatbot-respond.test.ts new file mode 100644 index 0000000..b20df2f --- /dev/null +++ b/.brightsec/tests/post-rest-chatbot-respond.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/chatbot/respond', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'jwt', 'xss', 'server_side_js_injection', 'osi', 'nosql'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/chatbot/respond`, + body: { + action: 'query', + query: 'Hello, how are you?' + }, + headers: { + 'Content-Type': 'application/json', + 'X-Recruiting': 'true' + }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-deluxe-membership.test.ts b/.brightsec/tests/post-rest-deluxe-membership.test.ts new file mode 100644 index 0000000..d9da4f5 --- /dev/null +++ b/.brightsec/tests/post-rest-deluxe-membership.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/deluxe-membership', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'sqli', 'xss', 'jwt'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/deluxe-membership`, + body: { + UserId: 1, + paymentMode: 'wallet', + paymentId: 1 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-memories.test.ts b/.brightsec/tests/post-rest-memories.test.ts new file mode 100644 index 0000000..449a532 --- /dev/null +++ b/.brightsec/tests/post-rest-memories.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/memories', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['file_upload', 'stored_xss', 'csrf', 'bopla', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/memories`, + body: { + UserId: 1, + caption: 'A beautiful sunset', + imagePath: 'assets/public/images/uploads/sunset-1697049600000.jpg' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-products-123-reviews.test.ts b/.brightsec/tests/post-rest-products-123-reviews.test.ts new file mode 100644 index 0000000..8d2b73f --- /dev/null +++ b/.brightsec/tests/post-rest-products-123-reviews.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/products/123/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'stored_xss', 'bopla', 'nosql', 'business_constraint_bypass'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/products/123/reviews`, + body: { + product: '123', + message: 'Great product!', + author: 'user@example.com', + likesCount: 0, + likedBy: [] + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-user-data-export.test.ts b/.brightsec/tests/post-rest-user-data-export.test.ts new file mode 100644 index 0000000..e9d401f --- /dev/null +++ b/.brightsec/tests/post-rest-user-data-export.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/user/data-export', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/user/data-export`, + body: { + UserId: '1' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-user-login.test.ts b/.brightsec/tests/post-rest-user-login.test.ts new file mode 100644 index 0000000..9856244 --- /dev/null +++ b/.brightsec/tests/post-rest-user-login.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/user/login', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'sqli', 'xss', 'bopla', 'jwt', 'osi'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/user/login`, + body: { + email: 'admin@example.com', + password: 'admin123' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-user-reset-password.test.ts b/.brightsec/tests/post-rest-user-reset-password.test.ts new file mode 100644 index 0000000..06fb67f --- /dev/null +++ b/.brightsec/tests/post-rest-user-reset-password.test.ts @@ -0,0 +1,41 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/user/reset-password', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'sqli', 'stored_xss', 'secret_tokens', 'osi'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/user/reset-password`, + body: { + email: 'user@example.com', + answer: 'correct_answer', + new: 'newPassword123', + repeat: 'newPassword123' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-web3-submitkey.test.ts b/.brightsec/tests/post-rest-web3-submitkey.test.ts new file mode 100644 index 0000000..91b822d --- /dev/null +++ b/.brightsec/tests/post-rest-web3-submitkey.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/web3/submitKey', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['secret_tokens', 'csrf', 'insecure_tls_configuration', 'osi', 'xss'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/web3/submitKey`, + body: { + privateKey: '0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts b/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts new file mode 100644 index 0000000..787db2a --- /dev/null +++ b/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/web3/walletExploitAddress', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['ssrf', 'nosql', 'xss', 'csrf', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/web3/walletExploitAddress`, + body: { + walletAddress: '0x1234567890abcdef1234567890abcdef12345678' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-rest-web3-walletnftverify.test.ts b/.brightsec/tests/post-rest-web3-walletnftverify.test.ts new file mode 100644 index 0000000..7d292ef --- /dev/null +++ b/.brightsec/tests/post-rest-web3-walletnftverify.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/web3/walletNFTVerify', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'nosql', 'osi', 'xss'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/web3/walletNFTVerify`, + body: { + walletAddress: '0x1234567890abcdef1234567890abcdef12345678' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-snippets-fixes.test.ts b/.brightsec/tests/post-snippets-fixes.test.ts new file mode 100644 index 0000000..4278d93 --- /dev/null +++ b/.brightsec/tests/post-snippets-fixes.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /snippets/fixes', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'file_upload', 'lfi', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/snippets/fixes`, + body: { + key: 'exampleKey', + selectedFix: 1 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/post-snippets-verdict.test.ts b/.brightsec/tests/post-snippets-verdict.test.ts new file mode 100644 index 0000000..557d41a --- /dev/null +++ b/.brightsec/tests/post-snippets-verdict.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /snippets/verdict', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'csrf', 'bopla', 'sqli', 'osi'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/snippets/verdict`, + body: { + selectedLines: [1, 2, 3], + key: 'restfulXssChallenge' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-api-addresss-1.test.ts b/.brightsec/tests/put-api-addresss-1.test.ts new file mode 100644 index 0000000..ec4c370 --- /dev/null +++ b/.brightsec/tests/put-api-addresss-1.test.ts @@ -0,0 +1,44 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'sqli', 'csrf', 'xss'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Addresss/1`, + body: { + fullName: 'John Doe', + mobileNum: 1234567890, + zipCode: '12345', + streetAddress: '123 Main St', + city: 'Metropolis', + state: 'NY', + country: 'USA' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-api-basket-items-1.test.ts b/.brightsec/tests/put-api-basket-items-1.test.ts new file mode 100644 index 0000000..a96f372 --- /dev/null +++ b/.brightsec/tests/put-api-basket-items-1.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/basket-items/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'sqli', 'csrf', 'xss'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/BasketItems/1`, + body: { + ProductId: 1, + BasketId: 1, + quantity: 2 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-api-cards-1.test.ts b/.brightsec/tests/put-api-cards-1.test.ts new file mode 100644 index 0000000..8f8f410 --- /dev/null +++ b/.brightsec/tests/put-api-cards-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'sqli', 'xss', 'id_enumeration', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Cards/1`, + body: { + UserId: 1, + fullName: 'John Doe', + cardNum: '1234567812345678', + expMonth: 12, + expYear: 2025 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-api-feedbacks-123.test.ts b/.brightsec/tests/put-api-feedbacks-123.test.ts new file mode 100644 index 0000000..9f3d6e2 --- /dev/null +++ b/.brightsec/tests/put-api-feedbacks-123.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/Feedbacks/123', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'stored_xss', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Feedbacks/123`, + body: { + comment: 'This is an updated feedback comment.', + rating: 5 + }, + headers: { + 'Authorization': 'Bearer ', + 'Content-Type': 'application/json' + }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-api-recycles-1.test.ts b/.brightsec/tests/put-api-recycles-1.test.ts new file mode 100644 index 0000000..6883c15 --- /dev/null +++ b/.brightsec/tests/put-api-recycles-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Recycles/1`, + body: { + UserId: 1, + AddressId: 2, + quantity: 5, + isPickup: true, + date: '2023-10-01T10:00:00Z' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-api-users-123.test.ts b/.brightsec/tests/put-api-users-123.test.ts new file mode 100644 index 0000000..6a0c1e7 --- /dev/null +++ b/.brightsec/tests/put-api-users-123.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/users/123', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'xss', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/users/123`, + body: { + username: 'new_username' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-rest-basket-1-coupon-summer21.test.ts b/.brightsec/tests/put-rest-basket-1-coupon-summer21.test.ts new file mode 100644 index 0000000..9dba268 --- /dev/null +++ b/.brightsec/tests/put-rest-basket-1-coupon-summer21.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/basket/1/coupon/SUMMER21', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/basket/1/coupon/SUMMER21`, + body: { + coupon: 'SUMMER21' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-rest-continue-code-apply-abc123.test.ts b/.brightsec/tests/put-rest-continue-code-apply-abc123.test.ts new file mode 100644 index 0000000..ea15e3d --- /dev/null +++ b/.brightsec/tests/put-rest-continue-code-apply-abc123.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/continue-code/apply/abc123', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'sqli', 'xss', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/continue-code/apply/abc123`, + body: { + continueCode: 'abc123' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-rest-continue-code-findit-apply-examplecode123.test.ts b/.brightsec/tests/put-rest-continue-code-findit-apply-examplecode123.test.ts new file mode 100644 index 0000000..7bc21b1 --- /dev/null +++ b/.brightsec/tests/put-rest-continue-code-findit-apply-examplecode123.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/continue-code-findIt/apply/exampleCode123', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'unvalidated_redirect'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/continue-code-findIt/apply/exampleCode123`, + body: { + continueCode: 'exampleCode123' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-rest-continue-code-fixit-apply-exampleencodedstring.test.ts b/.brightsec/tests/put-rest-continue-code-fixit-apply-exampleencodedstring.test.ts new file mode 100644 index 0000000..8a6fca0 --- /dev/null +++ b/.brightsec/tests/put-rest-continue-code-fixit-apply-exampleencodedstring.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/continue-code-fixIt/apply/exampleEncodedString', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'xss', 'sqli', 'nosql', 'osi', 'unvalidated_redirect', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/continue-code-fixIt/apply/exampleEncodedString`, + body: { + continueCode: 'exampleEncodedString' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-rest-order-history-123-delivery-status.test.ts b/.brightsec/tests/put-rest-order-history-123-delivery-status.test.ts new file mode 100644 index 0000000..8fa7856 --- /dev/null +++ b/.brightsec/tests/put-rest-order-history-123-delivery-status.test.ts @@ -0,0 +1,38 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/order-history/123/delivery-status', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.PATH] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/order-history/123/delivery-status`, + body: { + deliveryStatus: true + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-rest-products-123-reviews.test.ts b/.brightsec/tests/put-rest-products-123-reviews.test.ts new file mode 100644 index 0000000..00f03eb --- /dev/null +++ b/.brightsec/tests/put-rest-products-123-reviews.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/products/123/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['nosql', 'bopla', 'csrf', 'xss'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/products/123/reviews`, + body: { + message: 'Great product!', + author: 'john.doe@example.com' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); diff --git a/.brightsec/tests/put-rest-wallet-balance.test.ts b/.brightsec/tests/put-rest-wallet-balance.test.ts new file mode 100644 index 0000000..79eedcf --- /dev/null +++ b/.brightsec/tests/put-rest-wallet-balance.test.ts @@ -0,0 +1,39 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/wallet/balance', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'business_constraint_bypass', 'sqli', 'nosql', 'xss', 'id_enumeration', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.BODY] + }) + .threshold(Severity.CRITICAL) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/wallet/balance`, + body: { + paymentId: '123456789', + balance: 100 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); From 2004fc08afa4a109a84b1498e26ae652296ded5b Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Wed, 25 Jun 2025 15:44:54 +0400 Subject: [PATCH 04/12] ci: add CI workflow to run e2e security tests --- .github/workflows/bright.yml | 54 ++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/workflows/bright.yml diff --git a/.github/workflows/bright.yml b/.github/workflows/bright.yml new file mode 100644 index 0000000..cbe4117 --- /dev/null +++ b/.github/workflows/bright.yml @@ -0,0 +1,54 @@ +name: Bright + +on: + pull_request: + branches: ['*'] + +permissions: + checks: write + contents: read + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Check out repository + uses: actions/checkout@v4 + + - name: Set up Node.js 22.x + uses: actions/setup-node@v4 + with: + node-version: 22 + + - name: Install application dependencies + run: | + npm install --ignore-scripts + cd frontend + npm install --ignore-scripts --legacy-peer-deps + + - name: Build and run application + run: | + docker build -t juice-shop . + docker run -d -p 3000:3000 juice-shop + + - name: Wait for application to be ready + run: | + for i in {1..30}; do + nc -zv 127.0.0.1 3000 && echo "Application is ready" && exit 0 + echo "Waiting for application..." + sleep 5 + done + echo "Application did not start in time" && exit 1 + + - name: Install SecTesterJS dependencies + run: npm i --save=false --prefix .brightsec @sectester/core @sectester/repeater @sectester/scan @sectester/runner @sectester/reporter + + - name: Run security tests + env: + BRIGHT_HOSTNAME: ${{ vars.BRIGHT_HOSTNAME }} + BRIGHT_PROJECT_ID: ${{ vars.BRIGHT_PROJECT_ID }} + BRIGHT_AUTH_ID: ${{ vars.BRIGHT_AUTH_ID }} + BRIGHT_TOKEN: ${{ secrets.BRIGHT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BRIGHT_TARGET_URL: http://127.0.0.1:3000 + run: node --experimental-transform-types --experimental-strip-types --experimental-detect-module --disable-warning=MODULE_TYPELESS_PACKAGE_JSON --disable-warning=ExperimentalWarning --test-force-exit --test-concurrency=4 --test .brightsec/tests/*.test.ts From 55c096d6591d0335dc3b805c30c84a55911a5f42 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Wed, 25 Jun 2025 16:59:28 +0400 Subject: [PATCH 05/12] test: remove completed test files that are no longer relevant skip-checks:true --- .../tests/delete-api-addresss-1.test.ts | 34 ------------ .brightsec/tests/delete-api-cards-1.test.ts | 35 ------------ .../tests/delete-api-products-1.test.ts | 34 ------------ .../tests/delete-api-quantitys-1.test.ts | 35 ------------ .../tests/delete-api-recycles-1.test.ts | 35 ------------ .brightsec/tests/delete-api-users-123.test.ts | 34 ------------ .brightsec/tests/get-api-addresses-1.test.ts | 35 ------------ .brightsec/tests/get-api-addresses.test.ts | 35 ------------ .brightsec/tests/get-api-addresss-1.test.ts | 35 ------------ .brightsec/tests/get-api-addresss.test.ts | 35 ------------ .brightsec/tests/get-api-cards-1.test.ts | 35 ------------ .brightsec/tests/get-api-cards.test.ts | 35 ------------ .brightsec/tests/get-api-challenges-1.test.ts | 34 ------------ .brightsec/tests/get-api-challenges.test.ts | 34 ------------ .brightsec/tests/get-api-complaints-1.test.ts | 34 ------------ .brightsec/tests/get-api-complaints.test.ts | 35 ------------ .brightsec/tests/get-api-deliverys-1.test.ts | 35 ------------ .brightsec/tests/get-api-deliverys.test.ts | 34 ------------ .brightsec/tests/get-api-docs.test.ts | 35 ------------ .brightsec/tests/get-api-feedbacks-1.test.ts | 34 ------------ .brightsec/tests/get-api-feedbacks.test.ts | 34 ------------ .../tests/get-api-privacy-requests-1.test.ts | 34 ------------ .../tests/get-api-privacy-requests.test.ts | 34 ------------ .brightsec/tests/get-api-products-1.test.ts | 35 ------------ .brightsec/tests/get-api-products.test.ts | 35 ------------ .brightsec/tests/get-api-quantitys-1.test.ts | 35 ------------ .brightsec/tests/get-api-quantitys.test.ts | 35 ------------ .brightsec/tests/get-api-recycles-1.test.ts | 34 ------------ .brightsec/tests/get-api-recycles.test.ts | 34 ------------ .../tests/get-api-securityanswers-1.test.ts | 35 ------------ .../tests/get-api-securityanswers.test.ts | 34 ------------ .../tests/get-api-securityquestions-1.test.ts | 34 ------------ .../tests/get-api-securityquestions.test.ts | 35 ------------ .brightsec/tests/get-api-users-1.test.ts | 34 ------------ .brightsec/tests/get-assets-i18n.test.ts | 35 ------------ .../get-assets-public-images-padding.test.ts | 34 ------------ .../get-assets-public-images-products.test.ts | 35 ------------ .../get-assets-public-images-uploads.test.ts | 35 ------------ .brightsec/tests/get-b2b-v2-orders.test.ts | 35 ------------ .brightsec/tests/get-dataerasure.test.ts | 35 ------------ .../get-encryptionkeys-samplefile.test.ts | 34 ------------ .../get-ftp-quarantine-samplefile-txt.test.ts | 34 ------------ .brightsec/tests/get-ftp-sample-md.test.ts | 35 ------------ .../tests/get-ftp-samplefile-md.test.ts | 35 ------------ .brightsec/tests/get-metrics.test.ts | 35 ------------ .brightsec/tests/get-profile.test.ts | 35 ------------ .brightsec/tests/get-promotion.test.ts | 35 ------------ .brightsec/tests/get-redirect.test.ts | 35 ------------ .brightsec/tests/get-rest-2fa-status.test.ts | 35 ------------ ...st-admin-application-configuration.test.ts | 34 ------------ ...get-rest-admin-application-version.test.ts | 34 ------------ .../tests/get-rest-basket-1-order.test.ts | 35 ------------ .brightsec/tests/get-rest-basket-1.test.ts | 34 ------------ .brightsec/tests/get-rest-captcha.test.ts | 34 ------------ .../get-rest-continue-code-findit.test.ts | 35 ------------ .../get-rest-continue-code-fixit.test.ts | 35 ------------ .../tests/get-rest-continue-code.test.ts | 35 ------------ .../tests/get-rest-country-mapping.test.ts | 53 ------------------- .../tests/get-rest-deluxe-membership.test.ts | 35 ------------ .../tests/get-rest-image-captcha.test.ts | 35 ------------ .brightsec/tests/get-rest-languages.test.ts | 35 ------------ .brightsec/tests/get-rest-memories.test.ts | 34 ------------ .../get-rest-order-history-orders.test.ts | 35 ------------ .../tests/get-rest-order-history.test.ts | 35 ------------ .../get-rest-products-123-reviews.test.ts | 34 ------------ .../tests/get-rest-products-search.test.ts | 35 ------------ .../get-rest-repeat-notification.test.ts | 35 ------------ .../tests/get-rest-save-login-ip.test.ts | 35 ------------ .../tests/get-rest-track-order-12345.test.ts | 35 ------------ ...t-rest-user-authentication-details.test.ts | 35 ------------ .../get-rest-user-change-password.test.ts | 35 ------------ .../get-rest-user-security-question.test.ts | 35 ------------ .brightsec/tests/get-rest-user-whoami.test.ts | 35 ------------ .../tests/get-rest-wallet-balance.test.ts | 35 ------------ .../tests/get-rest-web3-nftmintlisten.test.ts | 35 ------------ .../tests/get-rest-web3-nftunlocked.test.ts | 35 ------------ .brightsec/tests/get-security-txt.test.ts | 35 ------------ .brightsec/tests/get-snippets-123.test.ts | 35 ------------ .../get-snippets-fixes-samplekey.test.ts | 34 ------------ .../get-solve-challenges-server-side.test.ts | 35 ------------ .../tests/get-support-logs-access-log.test.ts | 35 ------------ .brightsec/tests/get-support-logs.test.ts | 40 -------------- ...n-easter-egg-within-the-easter-egg.test.ts | 34 ------------ ...-be-unlocked-by-sending-1btc-to-us.test.ts | 34 ------------ .brightsec/tests/get-video.test.ts | 34 ------------ ...easonably-necessary-responsibility.test.ts | 34 ------------ .../tests/get-well-known-security-txt.test.ts | 35 ------------ .brightsec/tests/get-well-known.test.ts | 35 ------------ .brightsec/tests/options-example-com.test.ts | 35 ------------ .../tests/patch-rest-products-reviews.test.ts | 39 -------------- .../tests/post-api-basket-items.test.ts | 40 -------------- .brightsec/tests/post-api-cards.test.ts | 43 --------------- .brightsec/tests/post-api-challenges.test.ts | 38 ------------- .brightsec/tests/post-api-complaints.test.ts | 40 -------------- .brightsec/tests/post-api-feedbacks.test.ts | 40 -------------- .../tests/post-api-privacy-requests.test.ts | 39 -------------- .brightsec/tests/post-api-products.test.ts | 42 --------------- .brightsec/tests/post-api-quantitys.test.ts | 39 -------------- .../tests/post-api-security-questions.test.ts | 38 ------------- .brightsec/tests/post-api-users.test.ts | 40 -------------- .brightsec/tests/post-b2b-v2-orders.test.ts | 39 -------------- .brightsec/tests/post-dataerasure.test.ts | 39 -------------- .brightsec/tests/post-file-upload.test.ts | 40 -------------- .../tests/post-profile-image-file.test.ts | 38 ------------- .../tests/post-profile-image-url.test.ts | 38 ------------- .brightsec/tests/post-profile.test.ts | 38 ------------- .../tests/post-rest-2fa-disable.test.ts | 38 ------------- .brightsec/tests/post-rest-2fa-setup.test.ts | 40 -------------- .brightsec/tests/post-rest-2fa-verify.test.ts | 39 -------------- .../tests/post-rest-basket-1-checkout.test.ts | 43 --------------- .../tests/post-rest-chatbot-respond.test.ts | 42 --------------- .../tests/post-rest-deluxe-membership.test.ts | 40 -------------- .brightsec/tests/post-rest-memories.test.ts | 40 -------------- .../post-rest-products-123-reviews.test.ts | 42 --------------- .../tests/post-rest-user-data-export.test.ts | 38 ------------- .brightsec/tests/post-rest-user-login.test.ts | 39 -------------- .../post-rest-user-reset-password.test.ts | 41 -------------- .../tests/post-rest-web3-submitkey.test.ts | 38 ------------- ...t-rest-web3-wallet-exploit-address.test.ts | 38 ------------- .../post-rest-web3-walletnftverify.test.ts | 38 ------------- .brightsec/tests/post-snippets-fixes.test.ts | 39 -------------- .../tests/post-snippets-verdict.test.ts | 39 -------------- .brightsec/tests/put-api-addresss-1.test.ts | 44 --------------- .../tests/put-api-basket-items-1.test.ts | 40 -------------- .brightsec/tests/put-api-cards-1.test.ts | 42 --------------- .../tests/put-api-feedbacks-123.test.ts | 42 --------------- .brightsec/tests/put-api-recycles-1.test.ts | 42 --------------- .brightsec/tests/put-api-users-123.test.ts | 38 ------------- .../put-rest-basket-1-coupon-summer21.test.ts | 38 ------------- ...ut-rest-continue-code-apply-abc123.test.ts | 38 ------------- ...e-code-findit-apply-examplecode123.test.ts | 38 ------------- ...e-fixit-apply-exampleencodedstring.test.ts | 38 ------------- ...-order-history-123-delivery-status.test.ts | 38 ------------- .../put-rest-products-123-reviews.test.ts | 39 -------------- .../tests/put-rest-wallet-balance.test.ts | 39 -------------- 135 files changed, 4928 deletions(-) delete mode 100644 .brightsec/tests/delete-api-addresss-1.test.ts delete mode 100644 .brightsec/tests/delete-api-cards-1.test.ts delete mode 100644 .brightsec/tests/delete-api-products-1.test.ts delete mode 100644 .brightsec/tests/delete-api-quantitys-1.test.ts delete mode 100644 .brightsec/tests/delete-api-recycles-1.test.ts delete mode 100644 .brightsec/tests/delete-api-users-123.test.ts delete mode 100644 .brightsec/tests/get-api-addresses-1.test.ts delete mode 100644 .brightsec/tests/get-api-addresses.test.ts delete mode 100644 .brightsec/tests/get-api-addresss-1.test.ts delete mode 100644 .brightsec/tests/get-api-addresss.test.ts delete mode 100644 .brightsec/tests/get-api-cards-1.test.ts delete mode 100644 .brightsec/tests/get-api-cards.test.ts delete mode 100644 .brightsec/tests/get-api-challenges-1.test.ts delete mode 100644 .brightsec/tests/get-api-challenges.test.ts delete mode 100644 .brightsec/tests/get-api-complaints-1.test.ts delete mode 100644 .brightsec/tests/get-api-complaints.test.ts delete mode 100644 .brightsec/tests/get-api-deliverys-1.test.ts delete mode 100644 .brightsec/tests/get-api-deliverys.test.ts delete mode 100644 .brightsec/tests/get-api-docs.test.ts delete mode 100644 .brightsec/tests/get-api-feedbacks-1.test.ts delete mode 100644 .brightsec/tests/get-api-feedbacks.test.ts delete mode 100644 .brightsec/tests/get-api-privacy-requests-1.test.ts delete mode 100644 .brightsec/tests/get-api-privacy-requests.test.ts delete mode 100644 .brightsec/tests/get-api-products-1.test.ts delete mode 100644 .brightsec/tests/get-api-products.test.ts delete mode 100644 .brightsec/tests/get-api-quantitys-1.test.ts delete mode 100644 .brightsec/tests/get-api-quantitys.test.ts delete mode 100644 .brightsec/tests/get-api-recycles-1.test.ts delete mode 100644 .brightsec/tests/get-api-recycles.test.ts delete mode 100644 .brightsec/tests/get-api-securityanswers-1.test.ts delete mode 100644 .brightsec/tests/get-api-securityanswers.test.ts delete mode 100644 .brightsec/tests/get-api-securityquestions-1.test.ts delete mode 100644 .brightsec/tests/get-api-securityquestions.test.ts delete mode 100644 .brightsec/tests/get-api-users-1.test.ts delete mode 100644 .brightsec/tests/get-assets-i18n.test.ts delete mode 100644 .brightsec/tests/get-assets-public-images-padding.test.ts delete mode 100644 .brightsec/tests/get-assets-public-images-products.test.ts delete mode 100644 .brightsec/tests/get-assets-public-images-uploads.test.ts delete mode 100644 .brightsec/tests/get-b2b-v2-orders.test.ts delete mode 100644 .brightsec/tests/get-dataerasure.test.ts delete mode 100644 .brightsec/tests/get-encryptionkeys-samplefile.test.ts delete mode 100644 .brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts delete mode 100644 .brightsec/tests/get-ftp-sample-md.test.ts delete mode 100644 .brightsec/tests/get-ftp-samplefile-md.test.ts delete mode 100644 .brightsec/tests/get-metrics.test.ts delete mode 100644 .brightsec/tests/get-profile.test.ts delete mode 100644 .brightsec/tests/get-promotion.test.ts delete mode 100644 .brightsec/tests/get-redirect.test.ts delete mode 100644 .brightsec/tests/get-rest-2fa-status.test.ts delete mode 100644 .brightsec/tests/get-rest-admin-application-configuration.test.ts delete mode 100644 .brightsec/tests/get-rest-admin-application-version.test.ts delete mode 100644 .brightsec/tests/get-rest-basket-1-order.test.ts delete mode 100644 .brightsec/tests/get-rest-basket-1.test.ts delete mode 100644 .brightsec/tests/get-rest-captcha.test.ts delete mode 100644 .brightsec/tests/get-rest-continue-code-findit.test.ts delete mode 100644 .brightsec/tests/get-rest-continue-code-fixit.test.ts delete mode 100644 .brightsec/tests/get-rest-continue-code.test.ts delete mode 100644 .brightsec/tests/get-rest-country-mapping.test.ts delete mode 100644 .brightsec/tests/get-rest-deluxe-membership.test.ts delete mode 100644 .brightsec/tests/get-rest-image-captcha.test.ts delete mode 100644 .brightsec/tests/get-rest-languages.test.ts delete mode 100644 .brightsec/tests/get-rest-memories.test.ts delete mode 100644 .brightsec/tests/get-rest-order-history-orders.test.ts delete mode 100644 .brightsec/tests/get-rest-order-history.test.ts delete mode 100644 .brightsec/tests/get-rest-products-123-reviews.test.ts delete mode 100644 .brightsec/tests/get-rest-products-search.test.ts delete mode 100644 .brightsec/tests/get-rest-repeat-notification.test.ts delete mode 100644 .brightsec/tests/get-rest-save-login-ip.test.ts delete mode 100644 .brightsec/tests/get-rest-track-order-12345.test.ts delete mode 100644 .brightsec/tests/get-rest-user-authentication-details.test.ts delete mode 100644 .brightsec/tests/get-rest-user-change-password.test.ts delete mode 100644 .brightsec/tests/get-rest-user-security-question.test.ts delete mode 100644 .brightsec/tests/get-rest-user-whoami.test.ts delete mode 100644 .brightsec/tests/get-rest-wallet-balance.test.ts delete mode 100644 .brightsec/tests/get-rest-web3-nftmintlisten.test.ts delete mode 100644 .brightsec/tests/get-rest-web3-nftunlocked.test.ts delete mode 100644 .brightsec/tests/get-security-txt.test.ts delete mode 100644 .brightsec/tests/get-snippets-123.test.ts delete mode 100644 .brightsec/tests/get-snippets-fixes-samplekey.test.ts delete mode 100644 .brightsec/tests/get-solve-challenges-server-side.test.ts delete mode 100644 .brightsec/tests/get-support-logs-access-log.test.ts delete mode 100644 .brightsec/tests/get-support-logs.test.ts delete mode 100644 .brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts delete mode 100644 .brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts delete mode 100644 .brightsec/tests/get-video.test.ts delete mode 100644 .brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts delete mode 100644 .brightsec/tests/get-well-known-security-txt.test.ts delete mode 100644 .brightsec/tests/get-well-known.test.ts delete mode 100644 .brightsec/tests/options-example-com.test.ts delete mode 100644 .brightsec/tests/patch-rest-products-reviews.test.ts delete mode 100644 .brightsec/tests/post-api-basket-items.test.ts delete mode 100644 .brightsec/tests/post-api-cards.test.ts delete mode 100644 .brightsec/tests/post-api-challenges.test.ts delete mode 100644 .brightsec/tests/post-api-complaints.test.ts delete mode 100644 .brightsec/tests/post-api-feedbacks.test.ts delete mode 100644 .brightsec/tests/post-api-privacy-requests.test.ts delete mode 100644 .brightsec/tests/post-api-products.test.ts delete mode 100644 .brightsec/tests/post-api-quantitys.test.ts delete mode 100644 .brightsec/tests/post-api-security-questions.test.ts delete mode 100644 .brightsec/tests/post-api-users.test.ts delete mode 100644 .brightsec/tests/post-b2b-v2-orders.test.ts delete mode 100644 .brightsec/tests/post-dataerasure.test.ts delete mode 100644 .brightsec/tests/post-file-upload.test.ts delete mode 100644 .brightsec/tests/post-profile-image-file.test.ts delete mode 100644 .brightsec/tests/post-profile-image-url.test.ts delete mode 100644 .brightsec/tests/post-profile.test.ts delete mode 100644 .brightsec/tests/post-rest-2fa-disable.test.ts delete mode 100644 .brightsec/tests/post-rest-2fa-setup.test.ts delete mode 100644 .brightsec/tests/post-rest-2fa-verify.test.ts delete mode 100644 .brightsec/tests/post-rest-basket-1-checkout.test.ts delete mode 100644 .brightsec/tests/post-rest-chatbot-respond.test.ts delete mode 100644 .brightsec/tests/post-rest-deluxe-membership.test.ts delete mode 100644 .brightsec/tests/post-rest-memories.test.ts delete mode 100644 .brightsec/tests/post-rest-products-123-reviews.test.ts delete mode 100644 .brightsec/tests/post-rest-user-data-export.test.ts delete mode 100644 .brightsec/tests/post-rest-user-login.test.ts delete mode 100644 .brightsec/tests/post-rest-user-reset-password.test.ts delete mode 100644 .brightsec/tests/post-rest-web3-submitkey.test.ts delete mode 100644 .brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts delete mode 100644 .brightsec/tests/post-rest-web3-walletnftverify.test.ts delete mode 100644 .brightsec/tests/post-snippets-fixes.test.ts delete mode 100644 .brightsec/tests/post-snippets-verdict.test.ts delete mode 100644 .brightsec/tests/put-api-addresss-1.test.ts delete mode 100644 .brightsec/tests/put-api-basket-items-1.test.ts delete mode 100644 .brightsec/tests/put-api-cards-1.test.ts delete mode 100644 .brightsec/tests/put-api-feedbacks-123.test.ts delete mode 100644 .brightsec/tests/put-api-recycles-1.test.ts delete mode 100644 .brightsec/tests/put-api-users-123.test.ts delete mode 100644 .brightsec/tests/put-rest-basket-1-coupon-summer21.test.ts delete mode 100644 .brightsec/tests/put-rest-continue-code-apply-abc123.test.ts delete mode 100644 .brightsec/tests/put-rest-continue-code-findit-apply-examplecode123.test.ts delete mode 100644 .brightsec/tests/put-rest-continue-code-fixit-apply-exampleencodedstring.test.ts delete mode 100644 .brightsec/tests/put-rest-order-history-123-delivery-status.test.ts delete mode 100644 .brightsec/tests/put-rest-products-123-reviews.test.ts delete mode 100644 .brightsec/tests/put-rest-wallet-balance.test.ts diff --git a/.brightsec/tests/delete-api-addresss-1.test.ts b/.brightsec/tests/delete-api-addresss-1.test.ts deleted file mode 100644 index e15ee74..0000000 --- a/.brightsec/tests/delete-api-addresss-1.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Addresss/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/delete-api-cards-1.test.ts b/.brightsec/tests/delete-api-cards-1.test.ts deleted file mode 100644 index 15d2708..0000000 --- a/.brightsec/tests/delete-api-cards-1.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Cards/1`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/delete-api-products-1.test.ts b/.brightsec/tests/delete-api-products-1.test.ts deleted file mode 100644 index 646cc4c..0000000 --- a/.brightsec/tests/delete-api-products-1.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/products/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'http_method_fuzzing', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/products/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/delete-api-quantitys-1.test.ts b/.brightsec/tests/delete-api-quantitys-1.test.ts deleted file mode 100644 index 0f06fe0..0000000 --- a/.brightsec/tests/delete-api-quantitys-1.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'http_method_fuzzing', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Quantitys/1`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/delete-api-recycles-1.test.ts b/.brightsec/tests/delete-api-recycles-1.test.ts deleted file mode 100644 index b0120b0..0000000 --- a/.brightsec/tests/delete-api-recycles-1.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'improper_asset_management', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Recycles/1`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/delete-api-users-123.test.ts b/.brightsec/tests/delete-api-users-123.test.ts deleted file mode 100644 index c76d998..0000000 --- a/.brightsec/tests/delete-api-users-123.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/users/123', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'http_method_fuzzing', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Users/123`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-addresses-1.test.ts b/.brightsec/tests/get-api-addresses-1.test.ts deleted file mode 100644 index 4d1bd20..0000000 --- a/.brightsec/tests/get-api-addresses-1.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/addresses/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Addresses/1`, - headers: { 'X-Recruiting': 'We are hiring!' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-addresses.test.ts b/.brightsec/tests/get-api-addresses.test.ts deleted file mode 100644 index bb20d16..0000000 --- a/.brightsec/tests/get-api-addresses.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/addresses', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Addresses`, - headers: { 'X-Recruiting': 'We are hiring!' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-addresss-1.test.ts b/.brightsec/tests/get-api-addresss-1.test.ts deleted file mode 100644 index baf7d08..0000000 --- a/.brightsec/tests/get-api-addresss-1.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Addresss/1`, - headers: { 'X-Recruiting': 'undefined' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-addresss.test.ts b/.brightsec/tests/get-api-addresss.test.ts deleted file mode 100644 index 76b42d2..0000000 --- a/.brightsec/tests/get-api-addresss.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/addresss', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'id_enumeration', 'bopla', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Addresss?UserId=1`, - headers: { 'X-Recruiting': 'We are hiring!' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-cards-1.test.ts b/.brightsec/tests/get-api-cards-1.test.ts deleted file mode 100644 index d31a33c..0000000 --- a/.brightsec/tests/get-api-cards-1.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/cards/1`, - headers: { 'X-Recruiting': 'https://owasp.org/www-project-juice-shop/' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-cards.test.ts b/.brightsec/tests/get-api-cards.test.ts deleted file mode 100644 index d872fe7..0000000 --- a/.brightsec/tests/get-api-cards.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/cards', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'xss', 'sqli'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/cards`, - headers: { 'X-Recruiting': 'We are hiring!' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-challenges-1.test.ts b/.brightsec/tests/get-api-challenges-1.test.ts deleted file mode 100644 index a742a63..0000000 --- a/.brightsec/tests/get-api-challenges-1.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/challenges/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'xss', 'csrf', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Challenges/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-challenges.test.ts b/.brightsec/tests/get-api-challenges.test.ts deleted file mode 100644 index 91b272c..0000000 --- a/.brightsec/tests/get-api-challenges.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/challenges', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'id_enumeration', 'improper_asset_management', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Challenges`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-complaints-1.test.ts b/.brightsec/tests/get-api-complaints-1.test.ts deleted file mode 100644 index 9d6c7ae..0000000 --- a/.brightsec/tests/get-api-complaints-1.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/complaints/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Complaints/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-complaints.test.ts b/.brightsec/tests/get-api-complaints.test.ts deleted file mode 100644 index c677104..0000000 --- a/.brightsec/tests/get-api-complaints.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/complaints', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Complaints`, - headers: { 'Authorization': 'Bearer ' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-deliverys-1.test.ts b/.brightsec/tests/get-api-deliverys-1.test.ts deleted file mode 100644 index 0aaf101..0000000 --- a/.brightsec/tests/get-api-deliverys-1.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/deliverys/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Deliverys/1`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-deliverys.test.ts b/.brightsec/tests/get-api-deliverys.test.ts deleted file mode 100644 index 53a8452..0000000 --- a/.brightsec/tests/get-api-deliverys.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/deliverys', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Deliverys`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-docs.test.ts b/.brightsec/tests/get-api-docs.test.ts deleted file mode 100644 index 5226443..0000000 --- a/.brightsec/tests/get-api-docs.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api-docs', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['improper_asset_management', 'xss', 'csrf', 'insecure_tls_configuration', 'http_method_fuzzing'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api-docs`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-feedbacks-1.test.ts b/.brightsec/tests/get-api-feedbacks-1.test.ts deleted file mode 100644 index abc9307..0000000 --- a/.brightsec/tests/get-api-feedbacks-1.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/feedbacks/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'stored_xss', 'sqli', 'csrf', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Feedbacks/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-feedbacks.test.ts b/.brightsec/tests/get-api-feedbacks.test.ts deleted file mode 100644 index 8fa70fa..0000000 --- a/.brightsec/tests/get-api-feedbacks.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/feedbacks', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'improper_asset_management', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Feedbacks`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-privacy-requests-1.test.ts b/.brightsec/tests/get-api-privacy-requests-1.test.ts deleted file mode 100644 index 20c5638..0000000 --- a/.brightsec/tests/get-api-privacy-requests-1.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/privacy-requests/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'csrf', 'sqli', 'xss', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/PrivacyRequests/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-privacy-requests.test.ts b/.brightsec/tests/get-api-privacy-requests.test.ts deleted file mode 100644 index b8d9c65..0000000 --- a/.brightsec/tests/get-api-privacy-requests.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/privacy-requests', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'csrf', 'id_enumeration', 'improper_asset_management', 'jwt', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.QUERY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/PrivacyRequests`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-products-1.test.ts b/.brightsec/tests/get-api-products-1.test.ts deleted file mode 100644 index f139bd3..0000000 --- a/.brightsec/tests/get-api-products-1.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/products/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'sqli', 'xss', 'csrf', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Products/1`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-products.test.ts b/.brightsec/tests/get-api-products.test.ts deleted file mode 100644 index 20f3c81..0000000 --- a/.brightsec/tests/get-api-products.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/products', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'improper_asset_management', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.QUERY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Products?q=sample`, - headers: { 'X-Recruiting': 'https://owasp.org/www-project-juice-shop/' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-quantitys-1.test.ts b/.brightsec/tests/get-api-quantitys-1.test.ts deleted file mode 100644 index 2a6a52e..0000000 --- a/.brightsec/tests/get-api-quantitys-1.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/Quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'csrf', 'xss', 'sqli', 'osi'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Quantitys/1`, - headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-quantitys.test.ts b/.brightsec/tests/get-api-quantitys.test.ts deleted file mode 100644 index 2ba4a1b..0000000 --- a/.brightsec/tests/get-api-quantitys.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/quantitys', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Quantitys`, - headers: { 'X-Recruiting': 'We are hiring!' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-recycles-1.test.ts b/.brightsec/tests/get-api-recycles-1.test.ts deleted file mode 100644 index 1f9f031..0000000 --- a/.brightsec/tests/get-api-recycles-1.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'id_enumeration', 'full_path_disclosure', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Recycles/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-recycles.test.ts b/.brightsec/tests/get-api-recycles.test.ts deleted file mode 100644 index f81151b..0000000 --- a/.brightsec/tests/get-api-recycles.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/recycles', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'xss', 'csrf', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.QUERY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Recycles`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-securityanswers-1.test.ts b/.brightsec/tests/get-api-securityanswers-1.test.ts deleted file mode 100644 index 883abf6..0000000 --- a/.brightsec/tests/get-api-securityanswers-1.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/securityanswers/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/SecurityAnswers/1`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-securityanswers.test.ts b/.brightsec/tests/get-api-securityanswers.test.ts deleted file mode 100644 index 3c0c064..0000000 --- a/.brightsec/tests/get-api-securityanswers.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/securityanswers', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.QUERY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/SecurityAnswers`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-securityquestions-1.test.ts b/.brightsec/tests/get-api-securityquestions-1.test.ts deleted file mode 100644 index c02c72d..0000000 --- a/.brightsec/tests/get-api-securityquestions-1.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/securityquestions/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'improper_asset_management', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/SecurityQuestions/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-securityquestions.test.ts b/.brightsec/tests/get-api-securityquestions.test.ts deleted file mode 100644 index 2fa5294..0000000 --- a/.brightsec/tests/get-api-securityquestions.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/securityquestions', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'xss', 'sqli'], - attackParamLocations: [AttackParamLocation.QUERY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/SecurityQuestions?email=user@example.com`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-api-users-1.test.ts b/.brightsec/tests/get-api-users-1.test.ts deleted file mode 100644 index 6e3be1c..0000000 --- a/.brightsec/tests/get-api-users-1.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/users/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Users/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-assets-i18n.test.ts b/.brightsec/tests/get-assets-i18n.test.ts deleted file mode 100644 index 24073c4..0000000 --- a/.brightsec/tests/get-assets-i18n.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /assets/i18n', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'improper_asset_management', 'lfi', 'ssrf'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/assets/i18n`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-assets-public-images-padding.test.ts b/.brightsec/tests/get-assets-public-images-padding.test.ts deleted file mode 100644 index 5095311..0000000 --- a/.brightsec/tests/get-assets-public-images-padding.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /assets/public/images/padding', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'lfi', 'improper_asset_management', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/assets/public/images/padding`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-assets-public-images-products.test.ts b/.brightsec/tests/get-assets-public-images-products.test.ts deleted file mode 100644 index 8009ea5..0000000 --- a/.brightsec/tests/get-assets-public-images-products.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /assets/public/images/products', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'improper_asset_management', 'lfi', 'xss'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/assets/public/images/products`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-assets-public-images-uploads.test.ts b/.brightsec/tests/get-assets-public-images-uploads.test.ts deleted file mode 100644 index 8a65087..0000000 --- a/.brightsec/tests/get-assets-public-images-uploads.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /assets/public/images/uploads', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['file_upload', 'xss', 'lfi', 'csrf', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/assets/public/images/uploads`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-b2b-v2-orders.test.ts b/.brightsec/tests/get-b2b-v2-orders.test.ts deleted file mode 100644 index de94dcc..0000000 --- a/.brightsec/tests/get-b2b-v2-orders.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /b2b/v2/orders', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'business_constraint_bypass', 'improper_asset_management', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/b2b/v2/orders`, - headers: { 'X-Recruiting': 'https://www.owasp.org/index.php/OWASP_Juice_Shop_Project#tab=Project_About' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-dataerasure.test.ts b/.brightsec/tests/get-dataerasure.test.ts deleted file mode 100644 index 6361dad..0000000 --- a/.brightsec/tests/get-dataerasure.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /dataerasure', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'lfi', 'bopla', 'xss'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/dataerasure`, - headers: { 'X-Recruiting': 'We are hiring!' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-encryptionkeys-samplefile.test.ts b/.brightsec/tests/get-encryptionkeys-samplefile.test.ts deleted file mode 100644 index f687ac2..0000000 --- a/.brightsec/tests/get-encryptionkeys-samplefile.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /encryptionkeys/samplefile', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['improper_asset_management', 'full_path_disclosure', 'lfi', 'open_cloud_storage', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/encryptionkeys/samplefile`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts b/.brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts deleted file mode 100644 index 36e013a..0000000 --- a/.brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /ftp/quarantine/samplefile.txt', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['lfi', 'directoryListingChallenge', 'xss', 'csrf', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/ftp/quarantine/samplefile.txt`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-ftp-sample-md.test.ts b/.brightsec/tests/get-ftp-sample-md.test.ts deleted file mode 100644 index fee7952..0000000 --- a/.brightsec/tests/get-ftp-sample-md.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /ftp/sample.md', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['lfi', 'xss', 'csrf', 'improper_asset_management', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/ftp/sample.md`, - headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-ftp-samplefile-md.test.ts b/.brightsec/tests/get-ftp-samplefile-md.test.ts deleted file mode 100644 index 41a3ea4..0000000 --- a/.brightsec/tests/get-ftp-samplefile-md.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /ftp/samplefile.md', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['lfi', 'ssrf', 'full_path_disclosure', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/ftp/samplefile.md`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-metrics.test.ts b/.brightsec/tests/get-metrics.test.ts deleted file mode 100644 index eb871fb..0000000 --- a/.brightsec/tests/get-metrics.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /metrics', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['improper_asset_management', 'ssrf', 'csrf', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/metrics`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-profile.test.ts b/.brightsec/tests/get-profile.test.ts deleted file mode 100644 index 3a0d567..0000000 --- a/.brightsec/tests/get-profile.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /profile', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['ssti', 'stored_xss', 'csrf', 'xss'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/profile`, - headers: { 'X-Recruiting': "We're hiring! Check out our careers page." }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-promotion.test.ts b/.brightsec/tests/get-promotion.test.ts deleted file mode 100644 index ea257f0..0000000 --- a/.brightsec/tests/get-promotion.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /promotion', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'csrf', 'business_constraint_bypass', 'improper_asset_management', 'sqli'], - attackParamLocations: [AttackParamLocation.QUERY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/promotion`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-redirect.test.ts b/.brightsec/tests/get-redirect.test.ts deleted file mode 100644 index cbb7a55..0000000 --- a/.brightsec/tests/get-redirect.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /redirect', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['unvalidated_redirect', 'xss', 'csrf', 'http_method_fuzzing'], - attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/redirect?to=https://example.com`, - headers: { 'X-Recruiting': 'We are hiring!' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-2fa-status.test.ts b/.brightsec/tests/get-rest-2fa-status.test.ts deleted file mode 100644 index a917011..0000000 --- a/.brightsec/tests/get-rest-2fa-status.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/2fa/status', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/2fa/status`, - headers: { 'X-Recruiting': 'We are hiring!' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-admin-application-configuration.test.ts b/.brightsec/tests/get-rest-admin-application-configuration.test.ts deleted file mode 100644 index 0f67a39..0000000 --- a/.brightsec/tests/get-rest-admin-application-configuration.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/admin/application-configuration', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'improper_asset_management', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/admin/application-configuration`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-admin-application-version.test.ts b/.brightsec/tests/get-rest-admin-application-version.test.ts deleted file mode 100644 index de09366..0000000 --- a/.brightsec/tests/get-rest-admin-application-version.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/admin/application-version', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'improper_asset_management', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/admin/application-version`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-basket-1-order.test.ts b/.brightsec/tests/get-rest-basket-1-order.test.ts deleted file mode 100644 index 750fc97..0000000 --- a/.brightsec/tests/get-rest-basket-1-order.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/basket/1/order', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'jwt', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/basket/1/order`, - headers: { 'Authorization': 'Bearer ' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-basket-1.test.ts b/.brightsec/tests/get-rest-basket-1.test.ts deleted file mode 100644 index 5c3f17f..0000000 --- a/.brightsec/tests/get-rest-basket-1.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/basket/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'csrf', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/basket/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-captcha.test.ts b/.brightsec/tests/get-rest-captcha.test.ts deleted file mode 100644 index b262279..0000000 --- a/.brightsec/tests/get-rest-captcha.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/captcha', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/captcha`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-continue-code-findit.test.ts b/.brightsec/tests/get-rest-continue-code-findit.test.ts deleted file mode 100644 index d3235a1..0000000 --- a/.brightsec/tests/get-rest-continue-code-findit.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/continue-code-findIt', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management', 'sqli', 'ssrf', 'open_database', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/continue-code-findIt`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-continue-code-fixit.test.ts b/.brightsec/tests/get-rest-continue-code-fixit.test.ts deleted file mode 100644 index 534cf7b..0000000 --- a/.brightsec/tests/get-rest-continue-code-fixit.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/continue-code-fixIt', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'sqli', 'ssrf', 'lfi', 'rfi', 'osi', 'jwt', 'nosql', 'xxe'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/continue-code-fixIt`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-continue-code.test.ts b/.brightsec/tests/get-rest-continue-code.test.ts deleted file mode 100644 index 2cafe78..0000000 --- a/.brightsec/tests/get-rest-continue-code.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/continue-code', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management', 'open_database', 'sqli', 'ssrf', 'xxe'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/continue-code`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-country-mapping.test.ts b/.brightsec/tests/get-rest-country-mapping.test.ts deleted file mode 100644 index 8dab92a..0000000 --- a/.brightsec/tests/get-rest-country-mapping.test.ts +++ /dev/null @@ -1,53 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/country-mapping', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: [ - 'csrf', - 'bopla', - 'improper_asset_management', - 'xss', - 'sqli', - 'nosql', - 'ldapi', - 'xxe', - 'osi', - 'rfi', - 'lfi', - 'ssrf', - 'ssti', - 'stored_xss', - 'unvalidated_redirect', - 'version_control_systems', - 'secret_tokens' - ], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/country-mapping`, - headers: { 'X-Recruiting': 'undefined' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-deluxe-membership.test.ts b/.brightsec/tests/get-rest-deluxe-membership.test.ts deleted file mode 100644 index d72b8d6..0000000 --- a/.brightsec/tests/get-rest-deluxe-membership.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/deluxe-membership', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'improper_asset_management', 'xss', 'sqli'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/deluxe-membership`, - headers: { 'X-Recruiting': 'We are hiring! Check out our careers page.' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-image-captcha.test.ts b/.brightsec/tests/get-rest-image-captcha.test.ts deleted file mode 100644 index 121b516..0000000 --- a/.brightsec/tests/get-rest-image-captcha.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/image-captcha', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management', 'full_path_disclosure', 'ssrf'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/image-captcha`, - headers: { 'X-Recruiting': 'We are hiring! Check our careers page.' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-languages.test.ts b/.brightsec/tests/get-rest-languages.test.ts deleted file mode 100644 index 300ee46..0000000 --- a/.brightsec/tests/get-rest-languages.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/languages', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['improper_asset_management', 'csrf', 'xss', 'id_enumeration', 'bopla'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/languages`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-memories.test.ts b/.brightsec/tests/get-rest-memories.test.ts deleted file mode 100644 index 35e6590..0000000 --- a/.brightsec/tests/get-rest-memories.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/memories', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'id_enumeration', 'xss', 'improper_asset_management', 'sqli', 'nosql', 'open_database', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.QUERY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/memories`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-order-history-orders.test.ts b/.brightsec/tests/get-rest-order-history-orders.test.ts deleted file mode 100644 index e2a7621..0000000 --- a/.brightsec/tests/get-rest-order-history-orders.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/order-history/orders', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'id_enumeration', 'jwt'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/order-history/orders`, - headers: { 'Authorization': 'Bearer ' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-order-history.test.ts b/.brightsec/tests/get-rest-order-history.test.ts deleted file mode 100644 index aa95c09..0000000 --- a/.brightsec/tests/get-rest-order-history.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/order-history', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'jwt', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/order-history`, - headers: { 'Authorization': 'Bearer ' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-products-123-reviews.test.ts b/.brightsec/tests/get-rest-products-123-reviews.test.ts deleted file mode 100644 index 5a7fad5..0000000 --- a/.brightsec/tests/get-rest-products-123-reviews.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/products/123/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['nosql', 'xss', 'csrf', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/products/123/reviews`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-products-search.test.ts b/.brightsec/tests/get-rest-products-search.test.ts deleted file mode 100644 index febab77..0000000 --- a/.brightsec/tests/get-rest-products-search.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/products/search', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'xss', 'csrf', 'business_constraint_bypass'], - attackParamLocations: [AttackParamLocation.QUERY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/products/search?q=example`, - headers: { 'X-Recruiting': 'We are hiring!' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-repeat-notification.test.ts b/.brightsec/tests/get-rest-repeat-notification.test.ts deleted file mode 100644 index 3fcfa7b..0000000 --- a/.brightsec/tests/get-rest-repeat-notification.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/repeat-notification', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'unvalidated_redirect', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/repeat-notification?challenge=example-challenge`, - headers: { 'X-Recruiting': 'We are hiring!' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-save-login-ip.test.ts b/.brightsec/tests/get-rest-save-login-ip.test.ts deleted file mode 100644 index 90c30bd..0000000 --- a/.brightsec/tests/get-rest-save-login-ip.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/saveLoginIp', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'csrf', 'bopla', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/saveLoginIp`, - headers: { 'X-Recruiting': 'We are hiring! Check our careers page for more information.' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-track-order-12345.test.ts b/.brightsec/tests/get-rest-track-order-12345.test.ts deleted file mode 100644 index a25d94f..0000000 --- a/.brightsec/tests/get-rest-track-order-12345.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/track-order/12345', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['nosql', 'xss', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/track-order/12345`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-user-authentication-details.test.ts b/.brightsec/tests/get-rest-user-authentication-details.test.ts deleted file mode 100644 index 6710ccc..0000000 --- a/.brightsec/tests/get-rest-user-authentication-details.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/user/authentication-details', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'stored_xss', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/user/authentication-details`, - headers: { 'X-Recruiting': 'https://owasp.org/www-project-juice-shop/' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-user-change-password.test.ts b/.brightsec/tests/get-rest-user-change-password.test.ts deleted file mode 100644 index 82e58fb..0000000 --- a/.brightsec/tests/get-rest-user-change-password.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/user/change-password', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'bopla', 'jwt', 'sqli', 'osi'], - attackParamLocations: [AttackParamLocation.QUERY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/user/change-password?current=currentPassword123&new=newPassword123&repeat=newPassword123`, - headers: { 'Authorization': 'Bearer ' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-user-security-question.test.ts b/.brightsec/tests/get-rest-user-security-question.test.ts deleted file mode 100644 index a93138a..0000000 --- a/.brightsec/tests/get-rest-user-security-question.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/user/security-question', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'id_enumeration', 'xss', 'sqli', 'bopla'], - attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/user/security-question?email=user@example.com`, - headers: { 'X-Recruiting': 'We are hiring!' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-user-whoami.test.ts b/.brightsec/tests/get-rest-user-whoami.test.ts deleted file mode 100644 index dac1bf5..0000000 --- a/.brightsec/tests/get-rest-user-whoami.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/user/whoami', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'xss', 'jwt'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/user/whoami`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-wallet-balance.test.ts b/.brightsec/tests/get-rest-wallet-balance.test.ts deleted file mode 100644 index 6ad7420..0000000 --- a/.brightsec/tests/get-rest-wallet-balance.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/wallet/balance', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'sqli', 'nosql', 'xss', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/wallet/balance`, - headers: { 'X-Recruiting': 'true' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-web3-nftmintlisten.test.ts b/.brightsec/tests/get-rest-web3-nftmintlisten.test.ts deleted file mode 100644 index 57fcc98..0000000 --- a/.brightsec/tests/get-rest-web3-nftmintlisten.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/web3/nftMintListen', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'ssrf', 'nosql', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/web3/nftMintListen`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-rest-web3-nftunlocked.test.ts b/.brightsec/tests/get-rest-web3-nftunlocked.test.ts deleted file mode 100644 index bdd19a3..0000000 --- a/.brightsec/tests/get-rest-web3-nftunlocked.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/web3/nftUnlocked', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management', 'nosql', 'ssrf'], - attackParamLocations: [AttackParamLocation.HEADER, AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/web3/nftUnlocked`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-security-txt.test.ts b/.brightsec/tests/get-security-txt.test.ts deleted file mode 100644 index a3620e6..0000000 --- a/.brightsec/tests/get-security-txt.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET security.txt', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['improper_asset_management', 'csrf', 'full_path_disclosure', 'xss'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/security.txt`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-snippets-123.test.ts b/.brightsec/tests/get-snippets-123.test.ts deleted file mode 100644 index f8e017e..0000000 --- a/.brightsec/tests/get-snippets-123.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /snippets/123', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'xss', 'bopla', 'sqli', 'lfi'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/snippets/123`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-snippets-fixes-samplekey.test.ts b/.brightsec/tests/get-snippets-fixes-samplekey.test.ts deleted file mode 100644 index 7cd6fbe..0000000 --- a/.brightsec/tests/get-snippets-fixes-samplekey.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /snippets/fixes/sampleKey', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'full_path_disclosure', 'http_method_fuzzing', 'id_enumeration', 'improper_asset_management', 'open_database', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/snippets/fixes/sampleKey`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-solve-challenges-server-side.test.ts b/.brightsec/tests/get-solve-challenges-server-side.test.ts deleted file mode 100644 index b466e37..0000000 --- a/.brightsec/tests/get-solve-challenges-server-side.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET solve-challenges-server-side', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'ssti', 'ssrf', 'xss', 'lfi'], - attackParamLocations: [AttackParamLocation.QUERY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/solve/challenges/server-side?key=tRy_H4rd3r_n0thIng_iS_Imp0ssibl3`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-support-logs-access-log.test.ts b/.brightsec/tests/get-support-logs-access-log.test.ts deleted file mode 100644 index f61b56d..0000000 --- a/.brightsec/tests/get-support-logs-access-log.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /support/logs/access.log', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['lfi', 'improper_asset_management', 'full_path_disclosure', 'csrf', 'xss'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/support/logs/access.log`, - headers: { 'X-Recruiting': 'We are hiring! Check our careers page.' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-support-logs.test.ts b/.brightsec/tests/get-support-logs.test.ts deleted file mode 100644 index 8dcf619..0000000 --- a/.brightsec/tests/get-support-logs.test.ts +++ /dev/null @@ -1,40 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /support/logs', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: [ - 'accessLogDisclosureChallenge', - 'directoryListingChallenge', - 'csrf', - 'xss', - 'improper_asset_management' - ], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/support/logs`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts b/.brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts deleted file mode 100644 index 8718251..0000000 --- a/.brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'csrf', 'directoryListingChallenge', 'exposedMetricsChallenge', 'sqli', 'ssrf', 'lfi', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts b/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts deleted file mode 100644 index 81f15c2..0000000 --- a/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc/to/us', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['unvalidated_redirect', 'improper_asset_management', 'full_path_disclosure', 'csrf', 'xss'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc/to/us`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-video.test.ts b/.brightsec/tests/get-video.test.ts deleted file mode 100644 index cb83842..0000000 --- a/.brightsec/tests/get-video.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /video', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['lfi', 'rfi', 'xss', 'csrf', 'http_method_fuzzing', 'improper_asset_management', 'osi', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/video`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts b/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts deleted file mode 100644 index adf5b89..0000000 --- a/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts +++ /dev/null @@ -1,34 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'unvalidated_redirect', 'improper_asset_management', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-well-known-security-txt.test.ts b/.brightsec/tests/get-well-known-security-txt.test.ts deleted file mode 100644 index 20a94c1..0000000 --- a/.brightsec/tests/get-well-known-security-txt.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /.well-known/security.txt', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['improper_asset_management', 'csrf', 'full_path_disclosure', 'open_database', 'secret_tokens', 'xss'], - attackParamLocations: [AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/.well-known/security.txt`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/get-well-known.test.ts b/.brightsec/tests/get-well-known.test.ts deleted file mode 100644 index d61d2f9..0000000 --- a/.brightsec/tests/get-well-known.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /.well-known', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['improper_asset_management', 'full_path_disclosure', 'xss', 'csrf', 'directory_listing'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/.well-known`, - headers: { 'X-Recruiting': '/#/jobs' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/options-example-com.test.ts b/.brightsec/tests/options-example-com.test.ts deleted file mode 100644 index 0f0a7de..0000000 --- a/.brightsec/tests/options-example-com.test.ts +++ /dev/null @@ -1,35 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('OPTIONS example-com', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['http_method_fuzzing', 'csrf', 'improper_asset_management', 'full_path_disclosure', 'xss'], - attackParamLocations: [AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.OPTIONS, - url: `${baseUrl}/*`, - headers: { 'X-Recruiting': '/#/jobs' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/patch-rest-products-reviews.test.ts b/.brightsec/tests/patch-rest-products-reviews.test.ts deleted file mode 100644 index 6d78688..0000000 --- a/.brightsec/tests/patch-rest-products-reviews.test.ts +++ /dev/null @@ -1,39 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PATCH /rest/products/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'nosql', 'stored_xss', 'xss'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PATCH, - url: `${baseUrl}/rest/products/reviews`, - body: { - id: '60c72b2f9b1d8e001f8e4c8a', - message: 'Updated review message' - }, - headers: { 'Content-Type': 'application/json', 'Authorization': 'Bearer ' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-api-basket-items.test.ts b/.brightsec/tests/post-api-basket-items.test.ts deleted file mode 100644 index a9dbfd8..0000000 --- a/.brightsec/tests/post-api-basket-items.test.ts +++ /dev/null @@ -1,40 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/basket-items', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/BasketItems`, - body: { - ProductId: 1, - BasketId: 1, - quantity: 1 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-api-cards.test.ts b/.brightsec/tests/post-api-cards.test.ts deleted file mode 100644 index b3ea3cc..0000000 --- a/.brightsec/tests/post-api-cards.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/cards', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'date_manipulation', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY], - skipStaticParams: false - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/cards`, - body: { - UserId: 1, - fullName: 'John Doe', - cardNum: 1234567812345678, - expMonth: 12, - expYear: 2090 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-api-challenges.test.ts b/.brightsec/tests/post-api-challenges.test.ts deleted file mode 100644 index c346f4f..0000000 --- a/.brightsec/tests/post-api-challenges.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('post-api-challenges', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'sqli', 'ssrf', 'file_upload', 'osi', 'lfi', 'rfi', 'secret_tokens', 'open_database'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Challenges`, - body: { - query: 'POST /api/Challenges' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-api-complaints.test.ts b/.brightsec/tests/post-api-complaints.test.ts deleted file mode 100644 index b817496..0000000 --- a/.brightsec/tests/post-api-complaints.test.ts +++ /dev/null @@ -1,40 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/complaints', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'file_upload', 'stored_xss', 'bopla', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Complaints`, - body: { - UserId: 1, - message: 'This is a sample complaint message.', - file: 'sample-file.txt' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-api-feedbacks.test.ts b/.brightsec/tests/post-api-feedbacks.test.ts deleted file mode 100644 index d0cd290..0000000 --- a/.brightsec/tests/post-api-feedbacks.test.ts +++ /dev/null @@ -1,40 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/feedbacks', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'bopla', 'sqli', 'stored_xss'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Feedbacks`, - body: { - UserId: 1, - comment: 'Great service!', - rating: 5 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-api-privacy-requests.test.ts b/.brightsec/tests/post-api-privacy-requests.test.ts deleted file mode 100644 index b833180..0000000 --- a/.brightsec/tests/post-api-privacy-requests.test.ts +++ /dev/null @@ -1,39 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/privacy-requests', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'xss', 'sqli', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/PrivacyRequests`, - body: { - UserId: 123, - deletionRequested: true - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-api-products.test.ts b/.brightsec/tests/post-api-products.test.ts deleted file mode 100644 index dd67311..0000000 --- a/.brightsec/tests/post-api-products.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/products', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'sqli', 'xss', 'file_upload'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Products`, - body: { - name: 'Sample Product', - description: 'A sample product description.', - price: 19.99, - deluxePrice: 29.99, - image: 'sample-product.jpg' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-api-quantitys.test.ts b/.brightsec/tests/post-api-quantitys.test.ts deleted file mode 100644 index aa1edea..0000000 --- a/.brightsec/tests/post-api-quantitys.test.ts +++ /dev/null @@ -1,39 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/quantitys', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Quantitys`, - body: { - ProductId: 1, - quantity: 5 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-api-security-questions.test.ts b/.brightsec/tests/post-api-security-questions.test.ts deleted file mode 100644 index 619b068..0000000 --- a/.brightsec/tests/post-api-security-questions.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/security-questions', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'xss', 'email_injection', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/SecurityQuestions`, - body: { - email: 'user@example.com' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-api-users.test.ts b/.brightsec/tests/post-api-users.test.ts deleted file mode 100644 index edffd7f..0000000 --- a/.brightsec/tests/post-api-users.test.ts +++ /dev/null @@ -1,40 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/users', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'bopla', 'sqli', 'email_injection', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Users`, - body: { - email: 'user@example.com', - password: 'securePassword123', - passwordRepeat: 'securePassword123' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-b2b-v2-orders.test.ts b/.brightsec/tests/post-b2b-v2-orders.test.ts deleted file mode 100644 index 14cd355..0000000 --- a/.brightsec/tests/post-b2b-v2-orders.test.ts +++ /dev/null @@ -1,39 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /b2b/v2/orders', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['osi', 'ssrf', 'rfi', 'sqli', 'xss', 'csrf', 'business_constraint_bypass', 'bopla'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/b2b/v2/orders`, - body: { - cid: '12345', - orderLinesData: 'sample order data' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-dataerasure.test.ts b/.brightsec/tests/post-dataerasure.test.ts deleted file mode 100644 index dcef41b..0000000 --- a/.brightsec/tests/post-dataerasure.test.ts +++ /dev/null @@ -1,39 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /dataerasure', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'osi', 'lfi', 'stored_xss', 'bopla'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/dataerasure`, - body: { - email: 'user@example.com', - securityAnswer: 'exampleAnswer' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-file-upload.test.ts b/.brightsec/tests/post-file-upload.test.ts deleted file mode 100644 index bf2b756..0000000 --- a/.brightsec/tests/post-file-upload.test.ts +++ /dev/null @@ -1,40 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /file-upload', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['file_upload', 'xss', 'csrf', 'osi', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/file-upload`, - body: { - UserId: 1, - message: 'Sample complaint message', - file: 'sample.txt' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-profile-image-file.test.ts b/.brightsec/tests/post-profile-image-file.test.ts deleted file mode 100644 index cfc678d..0000000 --- a/.brightsec/tests/post-profile-image-file.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /profile/image/file', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['file_upload', 'xss', 'osi', 'csrf'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/profile/image/file`, - body: { - file: '' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-profile-image-url.test.ts b/.brightsec/tests/post-profile-image-url.test.ts deleted file mode 100644 index 7f0b252..0000000 --- a/.brightsec/tests/post-profile-image-url.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /profile/image/url', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['ssrf', 'xss', 'unvalidated_redirect', 'file_upload'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/profile/image/url`, - body: { - imageUrl: 'https://example.com/image.jpg' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-profile.test.ts b/.brightsec/tests/post-profile.test.ts deleted file mode 100644 index 78dbcf1..0000000 --- a/.brightsec/tests/post-profile.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /profile', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'xss', 'sqli', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/profile`, - body: { - username: 'new_username' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-2fa-disable.test.ts b/.brightsec/tests/post-rest-2fa-disable.test.ts deleted file mode 100644 index c3779ff..0000000 --- a/.brightsec/tests/post-rest-2fa-disable.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/2fa/disable', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'business_constraint_bypass', 'xss', 'sqli', 'osi'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/2fa/disable`, - body: { - password: 'examplePassword123' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-2fa-setup.test.ts b/.brightsec/tests/post-rest-2fa-setup.test.ts deleted file mode 100644 index 1cfd671..0000000 --- a/.brightsec/tests/post-rest-2fa-setup.test.ts +++ /dev/null @@ -1,40 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/2fa/setup', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'osi', 'secret_tokens', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/2fa/setup`, - body: { - password: 'examplePassword123', - setupToken: 'exampleSetupToken', - initialToken: '123456' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-2fa-verify.test.ts b/.brightsec/tests/post-rest-2fa-verify.test.ts deleted file mode 100644 index 080daab..0000000 --- a/.brightsec/tests/post-rest-2fa-verify.test.ts +++ /dev/null @@ -1,39 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/2fa/verify', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['jwt', 'bopla', 'csrf', 'xss', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/2fa/verify`, - body: { - tmpToken: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEsInR5cGUiOiJwYXNzd29yZF92YWxpZF9uZWVkc19zZWNvbmRfZmFjdG9yX3Rva2VuIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c', - totpToken: '123456' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-basket-1-checkout.test.ts b/.brightsec/tests/post-rest-basket-1-checkout.test.ts deleted file mode 100644 index 73143fe..0000000 --- a/.brightsec/tests/post-rest-basket-1-checkout.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/basket/1/checkout', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/basket/1/checkout`, - body: { - orderDetails: { - deliveryMethodId: 1, - paymentId: 'wallet', - addressId: 1 - }, - UserId: 1 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-chatbot-respond.test.ts b/.brightsec/tests/post-rest-chatbot-respond.test.ts deleted file mode 100644 index b20df2f..0000000 --- a/.brightsec/tests/post-rest-chatbot-respond.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/chatbot/respond', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'jwt', 'xss', 'server_side_js_injection', 'osi', 'nosql'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/chatbot/respond`, - body: { - action: 'query', - query: 'Hello, how are you?' - }, - headers: { - 'Content-Type': 'application/json', - 'X-Recruiting': 'true' - }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-deluxe-membership.test.ts b/.brightsec/tests/post-rest-deluxe-membership.test.ts deleted file mode 100644 index d9da4f5..0000000 --- a/.brightsec/tests/post-rest-deluxe-membership.test.ts +++ /dev/null @@ -1,40 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/deluxe-membership', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'sqli', 'xss', 'jwt'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/deluxe-membership`, - body: { - UserId: 1, - paymentMode: 'wallet', - paymentId: 1 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-memories.test.ts b/.brightsec/tests/post-rest-memories.test.ts deleted file mode 100644 index 449a532..0000000 --- a/.brightsec/tests/post-rest-memories.test.ts +++ /dev/null @@ -1,40 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/memories', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['file_upload', 'stored_xss', 'csrf', 'bopla', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/memories`, - body: { - UserId: 1, - caption: 'A beautiful sunset', - imagePath: 'assets/public/images/uploads/sunset-1697049600000.jpg' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-products-123-reviews.test.ts b/.brightsec/tests/post-rest-products-123-reviews.test.ts deleted file mode 100644 index 8d2b73f..0000000 --- a/.brightsec/tests/post-rest-products-123-reviews.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/products/123/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'stored_xss', 'bopla', 'nosql', 'business_constraint_bypass'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/products/123/reviews`, - body: { - product: '123', - message: 'Great product!', - author: 'user@example.com', - likesCount: 0, - likedBy: [] - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-user-data-export.test.ts b/.brightsec/tests/post-rest-user-data-export.test.ts deleted file mode 100644 index e9d401f..0000000 --- a/.brightsec/tests/post-rest-user-data-export.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/user/data-export', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/user/data-export`, - body: { - UserId: '1' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-user-login.test.ts b/.brightsec/tests/post-rest-user-login.test.ts deleted file mode 100644 index 9856244..0000000 --- a/.brightsec/tests/post-rest-user-login.test.ts +++ /dev/null @@ -1,39 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/user/login', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'sqli', 'xss', 'bopla', 'jwt', 'osi'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/user/login`, - body: { - email: 'admin@example.com', - password: 'admin123' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-user-reset-password.test.ts b/.brightsec/tests/post-rest-user-reset-password.test.ts deleted file mode 100644 index 06fb67f..0000000 --- a/.brightsec/tests/post-rest-user-reset-password.test.ts +++ /dev/null @@ -1,41 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/user/reset-password', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'sqli', 'stored_xss', 'secret_tokens', 'osi'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/user/reset-password`, - body: { - email: 'user@example.com', - answer: 'correct_answer', - new: 'newPassword123', - repeat: 'newPassword123' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-web3-submitkey.test.ts b/.brightsec/tests/post-rest-web3-submitkey.test.ts deleted file mode 100644 index 91b822d..0000000 --- a/.brightsec/tests/post-rest-web3-submitkey.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/web3/submitKey', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['secret_tokens', 'csrf', 'insecure_tls_configuration', 'osi', 'xss'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/web3/submitKey`, - body: { - privateKey: '0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts b/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts deleted file mode 100644 index 787db2a..0000000 --- a/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/web3/walletExploitAddress', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['ssrf', 'nosql', 'xss', 'csrf', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/web3/walletExploitAddress`, - body: { - walletAddress: '0x1234567890abcdef1234567890abcdef12345678' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-rest-web3-walletnftverify.test.ts b/.brightsec/tests/post-rest-web3-walletnftverify.test.ts deleted file mode 100644 index 7d292ef..0000000 --- a/.brightsec/tests/post-rest-web3-walletnftverify.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/web3/walletNFTVerify', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'nosql', 'osi', 'xss'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/web3/walletNFTVerify`, - body: { - walletAddress: '0x1234567890abcdef1234567890abcdef12345678' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-snippets-fixes.test.ts b/.brightsec/tests/post-snippets-fixes.test.ts deleted file mode 100644 index 4278d93..0000000 --- a/.brightsec/tests/post-snippets-fixes.test.ts +++ /dev/null @@ -1,39 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /snippets/fixes', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'file_upload', 'lfi', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/snippets/fixes`, - body: { - key: 'exampleKey', - selectedFix: 1 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/post-snippets-verdict.test.ts b/.brightsec/tests/post-snippets-verdict.test.ts deleted file mode 100644 index 557d41a..0000000 --- a/.brightsec/tests/post-snippets-verdict.test.ts +++ /dev/null @@ -1,39 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /snippets/verdict', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'csrf', 'bopla', 'sqli', 'osi'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/snippets/verdict`, - body: { - selectedLines: [1, 2, 3], - key: 'restfulXssChallenge' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-api-addresss-1.test.ts b/.brightsec/tests/put-api-addresss-1.test.ts deleted file mode 100644 index ec4c370..0000000 --- a/.brightsec/tests/put-api-addresss-1.test.ts +++ /dev/null @@ -1,44 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'sqli', 'csrf', 'xss'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Addresss/1`, - body: { - fullName: 'John Doe', - mobileNum: 1234567890, - zipCode: '12345', - streetAddress: '123 Main St', - city: 'Metropolis', - state: 'NY', - country: 'USA' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-api-basket-items-1.test.ts b/.brightsec/tests/put-api-basket-items-1.test.ts deleted file mode 100644 index a96f372..0000000 --- a/.brightsec/tests/put-api-basket-items-1.test.ts +++ /dev/null @@ -1,40 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/basket-items/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'sqli', 'csrf', 'xss'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/BasketItems/1`, - body: { - ProductId: 1, - BasketId: 1, - quantity: 2 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-api-cards-1.test.ts b/.brightsec/tests/put-api-cards-1.test.ts deleted file mode 100644 index 8f8f410..0000000 --- a/.brightsec/tests/put-api-cards-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'sqli', 'xss', 'id_enumeration', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Cards/1`, - body: { - UserId: 1, - fullName: 'John Doe', - cardNum: '1234567812345678', - expMonth: 12, - expYear: 2025 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-api-feedbacks-123.test.ts b/.brightsec/tests/put-api-feedbacks-123.test.ts deleted file mode 100644 index 9f3d6e2..0000000 --- a/.brightsec/tests/put-api-feedbacks-123.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/Feedbacks/123', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'stored_xss', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Feedbacks/123`, - body: { - comment: 'This is an updated feedback comment.', - rating: 5 - }, - headers: { - 'Authorization': 'Bearer ', - 'Content-Type': 'application/json' - }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-api-recycles-1.test.ts b/.brightsec/tests/put-api-recycles-1.test.ts deleted file mode 100644 index 6883c15..0000000 --- a/.brightsec/tests/put-api-recycles-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Recycles/1`, - body: { - UserId: 1, - AddressId: 2, - quantity: 5, - isPickup: true, - date: '2023-10-01T10:00:00Z' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-api-users-123.test.ts b/.brightsec/tests/put-api-users-123.test.ts deleted file mode 100644 index 6a0c1e7..0000000 --- a/.brightsec/tests/put-api-users-123.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/users/123', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'xss', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/users/123`, - body: { - username: 'new_username' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-rest-basket-1-coupon-summer21.test.ts b/.brightsec/tests/put-rest-basket-1-coupon-summer21.test.ts deleted file mode 100644 index 9dba268..0000000 --- a/.brightsec/tests/put-rest-basket-1-coupon-summer21.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/basket/1/coupon/SUMMER21', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/basket/1/coupon/SUMMER21`, - body: { - coupon: 'SUMMER21' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-rest-continue-code-apply-abc123.test.ts b/.brightsec/tests/put-rest-continue-code-apply-abc123.test.ts deleted file mode 100644 index ea15e3d..0000000 --- a/.brightsec/tests/put-rest-continue-code-apply-abc123.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/continue-code/apply/abc123', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'sqli', 'xss', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/continue-code/apply/abc123`, - body: { - continueCode: 'abc123' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-rest-continue-code-findit-apply-examplecode123.test.ts b/.brightsec/tests/put-rest-continue-code-findit-apply-examplecode123.test.ts deleted file mode 100644 index 7bc21b1..0000000 --- a/.brightsec/tests/put-rest-continue-code-findit-apply-examplecode123.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/continue-code-findIt/apply/exampleCode123', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'unvalidated_redirect'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/continue-code-findIt/apply/exampleCode123`, - body: { - continueCode: 'exampleCode123' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-rest-continue-code-fixit-apply-exampleencodedstring.test.ts b/.brightsec/tests/put-rest-continue-code-fixit-apply-exampleencodedstring.test.ts deleted file mode 100644 index 8a6fca0..0000000 --- a/.brightsec/tests/put-rest-continue-code-fixit-apply-exampleencodedstring.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/continue-code-fixIt/apply/exampleEncodedString', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'xss', 'sqli', 'nosql', 'osi', 'unvalidated_redirect', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/continue-code-fixIt/apply/exampleEncodedString`, - body: { - continueCode: 'exampleEncodedString' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-rest-order-history-123-delivery-status.test.ts b/.brightsec/tests/put-rest-order-history-123-delivery-status.test.ts deleted file mode 100644 index 8fa7856..0000000 --- a/.brightsec/tests/put-rest-order-history-123-delivery-status.test.ts +++ /dev/null @@ -1,38 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/order-history/123/delivery-status', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.PATH] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/order-history/123/delivery-status`, - body: { - deliveryStatus: true - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-rest-products-123-reviews.test.ts b/.brightsec/tests/put-rest-products-123-reviews.test.ts deleted file mode 100644 index 00f03eb..0000000 --- a/.brightsec/tests/put-rest-products-123-reviews.test.ts +++ /dev/null @@ -1,39 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/products/123/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['nosql', 'bopla', 'csrf', 'xss'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/products/123/reviews`, - body: { - message: 'Great product!', - author: 'john.doe@example.com' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); diff --git a/.brightsec/tests/put-rest-wallet-balance.test.ts b/.brightsec/tests/put-rest-wallet-balance.test.ts deleted file mode 100644 index 79eedcf..0000000 --- a/.brightsec/tests/put-rest-wallet-balance.test.ts +++ /dev/null @@ -1,39 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/wallet/balance', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'business_constraint_bypass', 'sqli', 'nosql', 'xss', 'id_enumeration', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.BODY] - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/wallet/balance`, - body: { - paymentId: '123456789', - balance: 100 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); From 227b7bc5d9acce11fd31e1f5fd54500804389698 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Wed, 25 Jun 2025 16:59:55 +0400 Subject: [PATCH 06/12] test: optimize security tests to focus on specific vulnerabilities skip-checks:true --- .brightsec/tests/get-api-basketitems-1.test.ts | 2 +- .brightsec/tests/get-api-basketitems.test.ts | 2 +- .brightsec/tests/get-api-users.test.ts | 2 +- .brightsec/tests/get-rest-chatbot-status.test.ts | 2 +- .brightsec/tests/post-api-addresss.test.ts | 2 +- .brightsec/tests/post-api-recycles.test.ts | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.brightsec/tests/get-api-basketitems-1.test.ts b/.brightsec/tests/get-api-basketitems-1.test.ts index 9402b29..3c701f8 100644 --- a/.brightsec/tests/get-api-basketitems-1.test.ts +++ b/.brightsec/tests/get-api-basketitems-1.test.ts @@ -21,7 +21,7 @@ after(() => runner.clear()); test('GET /api/basketitems/1', { signal: AbortSignal.timeout(timeout) }, async () => { await runner .createScan({ - tests: ['id_enumeration', 'bopla', 'business_constraint_bypass', 'jwt', 'sqli', 'xss'], + tests: ['jwt'], attackParamLocations: [AttackParamLocation.PATH] }) .threshold(Severity.CRITICAL) diff --git a/.brightsec/tests/get-api-basketitems.test.ts b/.brightsec/tests/get-api-basketitems.test.ts index c2248cb..6a57617 100644 --- a/.brightsec/tests/get-api-basketitems.test.ts +++ b/.brightsec/tests/get-api-basketitems.test.ts @@ -21,7 +21,7 @@ after(() => runner.clear()); test('GET /api/basketitems', { signal: AbortSignal.timeout(timeout) }, async () => { await runner .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'id_enumeration', 'jwt', 'sqli'], + tests: ['jwt'], attackParamLocations: [AttackParamLocation.HEADER] }) .threshold(Severity.CRITICAL) diff --git a/.brightsec/tests/get-api-users.test.ts b/.brightsec/tests/get-api-users.test.ts index 997ead4..52ba809 100644 --- a/.brightsec/tests/get-api-users.test.ts +++ b/.brightsec/tests/get-api-users.test.ts @@ -21,7 +21,7 @@ after(() => runner.clear()); test('GET /api/users', { signal: AbortSignal.timeout(timeout) }, async () => { await runner .createScan({ - tests: ['bopla', 'id_enumeration', 'jwt', 'sqli', 'xss'], + tests: ['jwt'], attackParamLocations: [AttackParamLocation.HEADER] }) .threshold(Severity.CRITICAL) diff --git a/.brightsec/tests/get-rest-chatbot-status.test.ts b/.brightsec/tests/get-rest-chatbot-status.test.ts index 8a8e8ca..26bdc2c 100644 --- a/.brightsec/tests/get-rest-chatbot-status.test.ts +++ b/.brightsec/tests/get-rest-chatbot-status.test.ts @@ -21,7 +21,7 @@ after(() => runner.clear()); test('GET /rest/chatbot/status', { signal: AbortSignal.timeout(timeout) }, async () => { await runner .createScan({ - tests: ['csrf', 'jwt', 'xss', 'server_side_js_injection', 'osi'], + tests: ['jwt'], attackParamLocations: [AttackParamLocation.HEADER] }) .threshold(Severity.CRITICAL) diff --git a/.brightsec/tests/post-api-addresss.test.ts b/.brightsec/tests/post-api-addresss.test.ts index 256c21b..ca5560f 100644 --- a/.brightsec/tests/post-api-addresss.test.ts +++ b/.brightsec/tests/post-api-addresss.test.ts @@ -21,7 +21,7 @@ after(() => runner.clear()); test('POST /api/addresss', { signal: AbortSignal.timeout(timeout) }, async () => { await runner .createScan({ - tests: ['bopla', 'sqli', 'csrf', 'xss', 'id_enumeration'], + tests: ['id_enumeration'], attackParamLocations: [AttackParamLocation.BODY] }) .threshold(Severity.CRITICAL) diff --git a/.brightsec/tests/post-api-recycles.test.ts b/.brightsec/tests/post-api-recycles.test.ts index cbf53ff..3a1a08b 100644 --- a/.brightsec/tests/post-api-recycles.test.ts +++ b/.brightsec/tests/post-api-recycles.test.ts @@ -21,7 +21,7 @@ after(() => runner.clear()); test('POST /api/recycles', { signal: AbortSignal.timeout(timeout) }, async () => { await runner .createScan({ - tests: ['csrf', 'bopla', 'sqli', 'xss', 'date_manipulation', 'id_enumeration'], + tests: ['id_enumeration'], attackParamLocations: [AttackParamLocation.BODY], skipStaticParams: false }) From 36908625354b8600716c87275bda437d4907aced Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Wed, 25 Jun 2025 17:03:41 +0400 Subject: [PATCH 07/12] fix: apply automated fixes for detected vulnerabilities --- lib/insecurity.ts | 4 ++-- routes/address.ts | 18 +++++++++++++++--- routes/chatbot.ts | 2 +- routes/recycles.ts | 9 +++++++-- routes/verify.ts | 2 +- 5 files changed, 26 insertions(+), 9 deletions(-) diff --git a/lib/insecurity.ts b/lib/insecurity.ts index 08ee8ad..8e0f791 100644 --- a/lib/insecurity.ts +++ b/lib/insecurity.ts @@ -54,7 +54,7 @@ export const cutOffPoisonNullByte = (str: string) => { export const isAuthorized = () => expressJwt(({ secret: publicKey }) as any) export const denyAll = () => expressJwt({ secret: '' + Math.random() } as any) export const authorize = (user = {}) => jwt.sign(user, privateKey, { expiresIn: '6h', algorithm: 'RS256' }) -export const verify = (token: string) => token ? (jws.verify as ((token: string, secret: string) => boolean))(token, publicKey) : false +export const verify = (token: string) => token ? jwt.verify(token, publicKey, { algorithms: ['RS256'] }) : false export const decode = (token: string) => { return jws.decode(token)?.payload } export const sanitizeHtml = (html: string) => sanitizeHtmlLib(html) @@ -188,7 +188,7 @@ export const appendUserId = () => { export const updateAuthenticatedUsers = () => (req: Request, res: Response, next: NextFunction) => { const token = req.cookies.token || utils.jwtFrom(req) if (token) { - jwt.verify(token, publicKey, (err: Error | null, decoded: any) => { + jwt.verify(token, publicKey, { algorithms: ['RS256'] }, (err: Error | null, decoded: any) => { if (err === null) { if (authenticatedUsers.get(token) === undefined) { authenticatedUsers.put(token, decoded) diff --git a/routes/address.ts b/routes/address.ts index 9d552a6..c4df6c5 100644 --- a/routes/address.ts +++ b/routes/address.ts @@ -8,14 +8,22 @@ import { AddressModel } from '../models/address' export function getAddress () { return async (req: Request, res: Response) => { - const addresses = await AddressModel.findAll({ where: { UserId: req.body.UserId } }) + const userId = req.body.UserId + if (!userId) { + return res.status(401).json({ status: 'error', data: 'Unauthorized access.' }) + } + const addresses = await AddressModel.findAll({ where: { UserId: userId } }) res.status(200).json({ status: 'success', data: addresses }) } } export function getAddressById () { return async (req: Request, res: Response) => { - const address = await AddressModel.findOne({ where: { id: req.params.id, UserId: req.body.UserId } }) + const userId = req.body.UserId + if (!userId) { + return res.status(401).json({ status: 'error', data: 'Unauthorized access.' }) + } + const address = await AddressModel.findOne({ where: { id: req.params.id, UserId: userId } }) if (address != null) { res.status(200).json({ status: 'success', data: address }) } else { @@ -26,7 +34,11 @@ export function getAddressById () { export function delAddressById () { return async (req: Request, res: Response) => { - const address = await AddressModel.destroy({ where: { id: req.params.id, UserId: req.body.UserId } }) + const userId = req.body.UserId + if (!userId) { + return res.status(401).json({ status: 'error', data: 'Unauthorized access.' }) + } + const address = await AddressModel.destroy({ where: { id: req.params.id, UserId: userId } }) if (address) { res.status(200).json({ status: 'success', data: 'Address deleted successfully.' }) } else { diff --git a/routes/chatbot.ts b/routes/chatbot.ts index ff12ea3..0c57d13 100644 --- a/routes/chatbot.ts +++ b/routes/chatbot.ts @@ -236,7 +236,7 @@ export function process () { async function getUserFromJwt (token: string): Promise { return await new Promise((resolve) => { - jwt.verify(token, security.publicKey, (err: VerifyErrors | null, decoded: JwtPayload | string | undefined) => { + jwt.verify(token, security.publicKey, { algorithms: ['RS256'] }, (err: VerifyErrors | null, decoded: JwtPayload | string | undefined) => { if (err !== null || !decoded || isString(decoded)) { resolve(null) } else { diff --git a/routes/recycles.ts b/routes/recycles.ts index 4eafd96..a71b9d8 100644 --- a/routes/recycles.ts +++ b/routes/recycles.ts @@ -9,14 +9,19 @@ import { RecycleModel } from '../models/recycle' import * as utils from '../lib/utils' export const getRecycleItem = () => (req: Request, res: Response) => { + const userId = req.user?.id; // Assuming req.user is populated with the authenticated user's info RecycleModel.findAll({ where: { - id: JSON.parse(req.params.id) + id: JSON.parse(req.params.id), + UserId: userId // Ensure the recycle item belongs to the authenticated user } }).then((Recycle) => { + if (Recycle.length === 0) { + return res.status(404).send('Recycle item not found or you do not have access to it.'); + } return res.send(utils.queryResultToJson(Recycle)) }).catch((_: unknown) => { - return res.send('Error fetching recycled items. Please try again') + return res.status(500).send('Error fetching recycled items. Please try again') }) } diff --git a/routes/verify.ts b/routes/verify.ts index 6338868..21401fa 100644 --- a/routes/verify.ts +++ b/routes/verify.ts @@ -114,7 +114,7 @@ function jwtChallenge (challenge: Challenge, req: Request, algorithm: string, em return } - jwt.verify(token, security.publicKey, (err: jwt.VerifyErrors | null) => { + jwt.verify(token, security.publicKey, { algorithms: ['HS256', 'RS256'] }, (err: jwt.VerifyErrors | null) => { if (err === null) { challengeUtils.solveIf(challenge, () => { return hasAlgorithm(token, algorithm) && hasEmail(decoded as { data: { email: string } }, email) From ffd917227be5463952c82ad9840a7cd62c78a15d Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Wed, 25 Jun 2025 17:16:31 +0400 Subject: [PATCH 08/12] test: optimize security tests to focus on specific vulnerabilities skip-checks:true --- .brightsec/tests/post-api-recycles.test.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.brightsec/tests/post-api-recycles.test.ts b/.brightsec/tests/post-api-recycles.test.ts index 3a1a08b..82b076b 100644 --- a/.brightsec/tests/post-api-recycles.test.ts +++ b/.brightsec/tests/post-api-recycles.test.ts @@ -1,3 +1,4 @@ +``` import { test, before, after } from 'node:test'; import { SecRunner } from '@sectester/runner'; import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; @@ -40,3 +41,4 @@ test('POST /api/recycles', { signal: AbortSignal.timeout(timeout) }, async () => auth: process.env.BRIGHT_AUTH_ID }); }); +``` \ No newline at end of file From f621d811762bbddfb09507576894e1555dc00431 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Wed, 25 Jun 2025 17:20:34 +0400 Subject: [PATCH 09/12] fix: apply automated fixes for detected vulnerabilities --- lib/insecurity.ts | 2 +- routes/address.ts | 4 ++-- routes/verify.ts | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/insecurity.ts b/lib/insecurity.ts index 8e0f791..1d80a49 100644 --- a/lib/insecurity.ts +++ b/lib/insecurity.ts @@ -51,7 +51,7 @@ export const cutOffPoisonNullByte = (str: string) => { return str } -export const isAuthorized = () => expressJwt(({ secret: publicKey }) as any) +export const isAuthorized = () => expressJwt(({ secret: publicKey, algorithms: ['RS256'] }) as any) export const denyAll = () => expressJwt({ secret: '' + Math.random() } as any) export const authorize = (user = {}) => jwt.sign(user, privateKey, { expiresIn: '6h', algorithm: 'RS256' }) export const verify = (token: string) => token ? jwt.verify(token, publicKey, { algorithms: ['RS256'] }) : false diff --git a/routes/address.ts b/routes/address.ts index c4df6c5..e9ca4f9 100644 --- a/routes/address.ts +++ b/routes/address.ts @@ -27,7 +27,7 @@ export function getAddressById () { if (address != null) { res.status(200).json({ status: 'success', data: address }) } else { - res.status(400).json({ status: 'error', data: 'Malicious activity detected.' }) + res.status(404).json({ status: 'error', data: 'Address not found or unauthorized access.' }) } } } @@ -42,7 +42,7 @@ export function delAddressById () { if (address) { res.status(200).json({ status: 'success', data: 'Address deleted successfully.' }) } else { - res.status(400).json({ status: 'error', data: 'Malicious activity detected.' }) + res.status(404).json({ status: 'error', data: 'Address not found or unauthorized access.' }) } } } diff --git a/routes/verify.ts b/routes/verify.ts index 21401fa..2efc625 100644 --- a/routes/verify.ts +++ b/routes/verify.ts @@ -114,7 +114,7 @@ function jwtChallenge (challenge: Challenge, req: Request, algorithm: string, em return } - jwt.verify(token, security.publicKey, { algorithms: ['HS256', 'RS256'] }, (err: jwt.VerifyErrors | null) => { + jwt.verify(token, security.publicKey, { algorithms: ['RS256'] }, (err: jwt.VerifyErrors | null) => { if (err === null) { challengeUtils.solveIf(challenge, () => { return hasAlgorithm(token, algorithm) && hasEmail(decoded as { data: { email: string } }, email) From e381544a5e10d1d15554cd45a912759966908682 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Wed, 25 Jun 2025 17:28:35 +0400 Subject: [PATCH 10/12] test: remove completed test files that are no longer relevant skip-checks:true --- .brightsec/tests/post-api-recycles.test.ts | 44 ---------------------- 1 file changed, 44 deletions(-) delete mode 100644 .brightsec/tests/post-api-recycles.test.ts diff --git a/.brightsec/tests/post-api-recycles.test.ts b/.brightsec/tests/post-api-recycles.test.ts deleted file mode 100644 index 82b076b..0000000 --- a/.brightsec/tests/post-api-recycles.test.ts +++ /dev/null @@ -1,44 +0,0 @@ -``` -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/recycles', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration'], - attackParamLocations: [AttackParamLocation.BODY], - skipStaticParams: false - }) - .threshold(Severity.CRITICAL) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Recycles`, - body: { - quantity: 200, - AddressId: "1", - isPickup: true, - date: "2017-05-31" - }, - headers: { 'Content-Type': 'application/json', 'Authorization': 'Bearer ' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); -``` \ No newline at end of file From a6cc9b4c52b334f590b0e4edf1638488cd42ba97 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Wed, 25 Jun 2025 17:31:42 +0400 Subject: [PATCH 11/12] fix: apply automated fixes for detected vulnerabilities --- routes/authenticatedUsers.ts | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/routes/authenticatedUsers.ts b/routes/authenticatedUsers.ts index 9ea35d8..a2fadba 100644 --- a/routes/authenticatedUsers.ts +++ b/routes/authenticatedUsers.ts @@ -4,7 +4,7 @@ */ import { type Request, type Response, type NextFunction } from 'express' import { UserModel } from '../models/user' -import { decode } from 'jsonwebtoken' +import { decode, verify } from 'jsonwebtoken' import * as security from '../lib/insecurity' async function retrieveUserList (req: Request, res: Response, next: NextFunction) { @@ -17,8 +17,12 @@ async function retrieveUserList (req: Request, res: Response, next: NextFunction const userToken = security.authenticatedUsers.tokenOf(user) let lastLoginTime: number | null = null if (userToken) { - const parsedToken = decode(userToken, { json: true }) - lastLoginTime = parsedToken ? Math.floor(new Date(parsedToken?.iat ?? 0 * 1000).getTime()) : null + try { + const parsedToken = verify(userToken, 'your-secret-key', { algorithms: ['HS256'] }) + lastLoginTime = parsedToken ? Math.floor(new Date(parsedToken.iat * 1000).getTime()) : null + } catch (err) { + console.error('Invalid token:', err) + } } return { From e460c6a6e7778ddd1cddb0e56911f69c1db5d63a Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Wed, 25 Jun 2025 17:43:50 +0400 Subject: [PATCH 12/12] fix: apply automated fixes for detected vulnerabilities --- lib/insecurity.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/insecurity.ts b/lib/insecurity.ts index 1d80a49..42298d4 100644 --- a/lib/insecurity.ts +++ b/lib/insecurity.ts @@ -11,7 +11,7 @@ import expressJwt from 'express-jwt' import jwt from 'jsonwebtoken' import jws from 'jws' import sanitizeHtmlLib from 'sanitize-html' -import sanitizeFilenameLib from 'sanitize-filename' +sanitizeFilenameLib from 'sanitize-filename' import * as utils from './utils' /* jslint node: true */