From 56a3ca718f8b715b8188cc034ca5944523fc23e4 Mon Sep 17 00:00:00 2001
From: Viachaslau
Date: Tue, 8 Jul 2025 17:03:26 +0400
Subject: [PATCH 1/4] chore: initialize PR with an empty commit
skip-checks:true
From 3263065a0ce470141601515bc7be43e8daef567e Mon Sep 17 00:00:00 2001
From: Viachaslau
Date: Tue, 8 Jul 2025 18:50:02 +0400
Subject: [PATCH 2/4] ci: temporarily disable workflows while addressing security issues
skip-checks:true
---
 .github/workflows/ci.yml | 64 ++++++++------------
 .github/workflows/codeql-analysis.yml | 37 ++++++------
 .github/workflows/lint-fixer.yml | 47 +++++++--------
 .github/workflows/rebase.yml | 7 ++-
 .github/workflows/release.yml | 9 ++-
 .github/workflows/update-challenges-www.yml | 52 ++++++++---------
 .github/workflows/update-news-www.yml | 44 +++++++-------
 7 files changed, 125 insertions(+), 135 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f51f1d9..c712655 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,22 +1,25 @@
 name: "CI/CD Pipeline"
 on:
- push:
- branches-ignore:
- - l10n_develop
- - gh-pages
- paths-ignore:
- - '*.md'
- - 'LICENSE'
- - 'monitoring/grafana-dashboard.json'
- - 'screenshots/**'
- tags-ignore:
- - '*'
- pull_request:
- paths-ignore:
- - '*.md'
- - 'LICENSE'
- - 'data/static/i18n/*.json'
- - 'frontend/src/assets/i18n/*.json'
+ workflow_dispatch:
+# on:
+# push:
+# branches-ignore:
+# - l10n_develop
+# - gh-pages
+# paths-ignore:
+# - '*.md'
+# - 'LICENSE'
+# - 'monitoring/grafana-dashboard.json'
+# - 'screenshots/**'
+# tags-ignore:
+# - '*'
+# pull_request:
+# paths-ignore:
+# - '*.md'
+# - 'LICENSE'
+# - 'data/static/i18n/*.json'
+# - 'frontend/src/assets/i18n/*.json'
+
 env:
 NODE_DEFAULT_VERSION: 22
 NODE_OPTIONS: "--max_old_space_size=4096"
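Review bot: Replacing the `on:` triggers with a bare `workflow_dispatch:` and keeping the old triggers as a commented-out copy (the `+# on:` … `+# - 'frontend/src/assets/i18n/*.json'` lines) means the lint and test jobs no longer run on any push or pull request, including the security-fix PRs this series is meant to make room for, and the commented copy is a second source of truth that will drift from the live configuration. The same pattern is applied in codeql-analysis.yml, lint-fixer.yml, rebase.yml, release.yml, update-challenges-www.yml and update-news-www.yml. If the intent is a temporary pause, GitHub's disable-workflow switch (`gh workflow disable <name>`) keeps the definition intact and is reversible without a commit; if it has to live in the repo, keep the triggers and put `if: false` on the jobs with a comment naming the tracking issue, e.g. `# TODO(security-hardening): re-enable before merge — see <ISSUE-ID placeholder>`. Either way the commented block should carry a note saying when it is expected to come back, otherwise it reads as permanent.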
@@ -40,18 +43,8 @@ jobs:
 run: npm run lint
 - name: "Lint customization configs"
 run: >
- npm run lint:config -- -f ./config/7ms.yml &&
- npm run lint:config -- -f ./config/addo.yml &&
- npm run lint:config -- -f ./config/bodgeit.yml &&
- npm run lint:config -- -f ./config/ctf.yml &&
- npm run lint:config -- -f ./config/default.yml &&
- npm run lint:config -- -f ./config/fbctf.yml &&
- npm run lint:config -- -f ./config/juicebox.yml &&
- npm run lint:config -- -f ./config/mozilla.yml &&
- npm run lint:config -- -f ./config/oss.yml &&
- npm run lint:config -- -f ./config/quiet.yml &&
- npm run lint:config -- -f ./config/tutorial.yml &&
- npm run lint:config -- -f ./config/unsafe.yml
+ npm run lint:config -- -f ./config/7ms.yml && npm run lint:config -- -f ./config/addo.yml && npm run lint:config -- -f ./config/bodgeit.yml && npm run lint:config -- -f ./config/ctf.yml && npm run lint:config -- -f ./config/default.yml && npm run lint:config -- -f ./config/fbctf.yml && npm run lint:config -- -f ./config/juicebox.yml && npm run lint:config -- -f ./config/mozilla.yml && npm run lint:config -- -f ./config/oss.yml && npm run lint:config -- -f ./config/quiet.yml && npm run lint:config -- -f ./config/tutorial.yml && npm run lint:config -- -f ./config/unsafe.yml
+
 coding-challenge-rsn:
 runs-on: windows-latest
 steps:
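Review bot: The twelve `npm run lint:config` invocations are collapsed from one per line into a single ~700-character line, which changes nothing at runtime (the `>` folded scalar already joins the lines with spaces) but is an unrelated reformat inside a commit whose subject is disabling triggers; the same collapse is applied to the `NODE_ENV=… npm run test:server` chain in the next hunk (`@@ -184,17 +177,8 @@`). I would drop both reformats so the hunks contain only the trigger change and keep the one-command-per-line form that reviewers can diff. If the list is going to be rewritten anyway, a loop over the directory, e.g. `for f in ./config/*.yml; do npm run lint:config -- -f "$f" || exit 1; done`, would stop it drifting from the files that actually exist — assuming every file in `./config/` is a customization config, which I cannot confirm from here.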
@@ -184,17 +177,8 @@ jobs:
 timeout_minutes: 30
 max_attempts: 3
 command: >
- NODE_ENV=7ms npm run test:server &&
- NODE_ENV=addo npm run test:server &&
- NODE_ENV=bodgeit npm run test:server &&
- NODE_ENV=ctf npm run test:server &&
- NODE_ENV=fbctf npm run test:server &&
- NODE_ENV=juicebox npm run test:server &&
- NODE_ENV=mozilla npm run test:server &&
- NODE_ENV=oss npm run test:server &&
- NODE_ENV=quiet npm run test:server &&
- NODE_ENV=tutorial npm run test:server &&
- NODE_ENV=unsafe npm run test:server
+ NODE_ENV=7ms npm run test:server && NODE_ENV=addo npm run test:server && NODE_ENV=bodgeit npm run test:server && NODE_ENV=ctf npm run test:server && NODE_ENV=fbctf npm run test:server && NODE_ENV=juicebox npm run test:server && NODE_ENV=mozilla npm run test:server && NODE_ENV=oss npm run test:server && NODE_ENV=quiet npm run test:server && NODE_ENV=tutorial npm run test:server && NODE_ENV=unsafe npm run test:server
+
 e2e:
 runs-on: ${{ matrix.os }}
 strategy:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index fe353eb..df6c22c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,8 +1,9 @@
 name: "CodeQL Scan"
-
 on:
- push:
- pull_request:
+ workflow_dispatch:
+# on:
+# push:
+# pull_request:
 jobs:
 analyze:
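Review bot: Disabling the `push` and `pull_request` triggers of the CodeQL scan (`+ workflow_dispatch:` is now the only trigger) while this PR series is explicitly about addressing security issues means the fixes land without the static scan that would check them; CodeQL is cheap to keep on `pull_request` even when the rest of CI is paused, so I would keep `on: pull_request:` here, or at least add a `schedule:` entry so results keep flowing into code scanning. The `analyze:` job body continues outside this hunk. In the re-indented steps hunk that follows, `actions/checkout` is pinned to a commit SHA with a `#v4.2.2` comment while the three `github/codeql-action/*@v3` steps are pinned only to a mutable major tag; pinning those to a SHA in the same style would make the file's supply-chain posture consistent.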
@@ -15,19 +16,19 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- language: [ 'javascript-typescript' ]
+ language: ['javascript-typescript']
 steps:
- - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: ${{ matrix.language }}
- queries: security-extended
- config: |
- paths-ignore:
- - 'data/static/codefixes'
- - name: Autobuild
- uses: github/codeql-action/autobuild@v3
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ queries: security-extended
+ config: |
+ paths-ignore:
+ - 'data/static/codefixes'
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/lint-fixer.yml b/.github/workflows/lint-fixer.yml
index 907f841..73a6204 100644
--- a/.github/workflows/lint-fixer.yml
+++ b/.github/workflows/lint-fixer.yml
@@ -1,29 +1,30 @@
 name: "Let me lint:fix that for you"
-
-on: [push]
+on:
+ workflow_dispatch:
+# on: [push]
 jobs:
 LMLFTFY:
 runs-on: ubuntu-latest
 steps:
- - name: "Check out Git repository"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
- - name: "Use Node.js 22"
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
- with:
- node-version: 22
- - name: "Install application"
- run: |
- npm install --ignore-scripts
- cd frontend
- npm install --ignore-scripts --legacy-peer-deps
- - name: "Fix everything which can be fixed"
- run: 'npm run lint:fix'
- - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1
- with:
- commit_message: "Auto-fix linting issues"
- branch: ${{ github.head_ref }}
- commit_options: '--signoff'
- commit_user_name: JuiceShopBot
- commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com
- commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com>
+ - name: "Check out Git repository"
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ - name: "Use Node.js 22"
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
+ with:
+ node-version: 22
+ - name: "Install application"
+ run: |
+ npm install --ignore-scripts
+ cd frontend
+ npm install --ignore-scripts --legacy-peer-deps
+ - name: "Fix everything which can be fixed"
+ run: 'npm run lint:fix'
+ - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1
+ with:
+ commit_message: "Auto-fix linting issues"
+ branch: ${{ github.head_ref }}
+ commit_options: '--signoff'
+ commit_user_name: JuiceShopBot
+ commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com
+ commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com>
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index f999d22..d2dea74 100644
--- a/.github/workflows/rebase.yml
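Review bot: With the trigger now `workflow_dispatch:`, `branch: ${{ github.head_ref }}` in the git-auto-commit-action step resolves to an empty string, because `github.head_ref` is only populated for pull_request events, so the action commits the lint fixes onto whatever ref the run was dispatched from. That was already the case under the old `on: [push]`, so it is not a regression, but a manual trigger makes it easy to run the auto-commit against the default branch by accident. If manual runs are meant to fix a chosen branch, `branch: ${{ github.ref_name }}` states that explicitly; otherwise a comment such as `# head_ref is empty outside pull_request events; the commit goes to the checked-out ref` would save the next reader the lookup. The rest of the hunk is a whitespace re-indent of unchanged steps, which buries the three-line trigger change.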
+++ b/.github/workflows/rebase.yml
@@ -1,8 +1,9 @@
 name: Automatic Rebase
-
 on:
- issue_comment:
- types: [created]
+ workflow_dispatch:
+# on:
+# issue_comment:
+# types: [created]
 jobs:
 rebase:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5d01008..f66688e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,8 +1,11 @@
 name: "Release Pipeline"
 on:
- push:
- tags:
- - v*
+ workflow_dispatch:
+# on:
+# push:
+# tags:
+# - v*
+
 env:
 CYCLONEDX_NPM_VERSION: '^2.0.0||^3.0.0'
 jobs:
diff --git a/.github/workflows/update-challenges-www.yml b/.github/workflows/update-challenges-www.yml
index caaa740..53223ac 100644
--- a/.github/workflows/update-challenges-www.yml
+++ b/.github/workflows/update-challenges-www.yml
@@ -1,34 +1,34 @@
 name: "Update challenges on owasp-juice.shop"
-
 on:
- push:
- branches: [ master ]
- paths:
- - 'data/static/challenges.yml'
+ workflow_dispatch:
+# on:
+# push:
+# branches: [master]
+# paths:
+# - 'data/static/challenges.yml'
 jobs:
 UpdateChallengesOnWebsite:
 if: github.repository == 'juice-shop/juice-shop'
 runs-on: ubuntu-latest
 steps:
- - name: Check out Git repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
- with:
- token: ${{ secrets.BOT_TOKEN }}
- repository: OWASP/www-project-juice-shop
- ref: master
- - name: Update challenges.yml
- run: |
- cd _data/
- rm challenges.yml
- wget https://raw.githubusercontent.com/juice-shop/juice-shop/master/data/static/challenges.yml
- - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1
- with:
- commit_message: "Auto-update challenges.yml from ${{ github.sha }}"
- branch: master
- commit_options: '--signoff'
-
- # Optional commit user and author settings
- commit_user_name: JuiceShopBot
- commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com
- commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com>
+ - name: Check out Git repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ with:
+ token: ${{ secrets.BOT_TOKEN }}
+ repository: OWASP/www-project-juice-shop
+ ref: master
+ - name: Update challenges.yml
+ run: |
+ cd _data/
+ rm challenges.yml
+ wget https://raw.githubusercontent.com/juice-shop/juice-shop/master/data/static/challenges.yml
+ - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1
+ with:
+ commit_message: "Auto-update challenges.yml from ${{ github.sha }}"
+ branch: master
+ commit_options: '--signoff'
+ # Optional commit user and author settings
+ commit_user_name: JuiceShopBot
+ commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com
+ commit_author: JuiceShopBot
<61591748+JuiceShopBot@users.noreply.github.com>
diff --git a/.github/workflows/update-news-www.yml b/.github/workflows/update-news-www.yml
index 2675746..3c04b17 100644
--- a/.github/workflows/update-news-www.yml
+++ b/.github/workflows/update-news-www.yml
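Review bot: The update step fetches `https://raw.githubusercontent.com/juice-shop/juice-shop/master/data/static/challenges.yml` while the commit message claims the file is `from ${{ github.sha }}`; the two only agree if nothing lands on master between the trigger and the download, and under the new `workflow_dispatch:` trigger the run may not even be on master. Fetching by the triggering commit, `wget https://raw.githubusercontent.com/juice-shop/juice-shop/${{ github.sha }}/data/static/challenges.yml`, makes the pushed file and its provenance line match; `github.sha` is a hex string, so interpolating it into `run:` is safe. `rm challenges.yml` before the download is acceptable because GitHub's default bash shell for `run:` runs with `-e`, so a failed fetch stops the step before the auto-commit step can push a deleted file. This step writes to the website repository with `secrets.BOT_TOKEN`, so the `if: github.repository == 'juice-shop/juice-shop'` guard is doing real work and should stay.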
@@ -1,29 +1,29 @@
 name: "Update news on owasp-juice.shop"
-
 on:
- release:
- types: [ published ]
+ workflow_dispatch:
+# on:
+# release:
+# types: [published]
 jobs:
 UpdateNewsOnWebsite:
 runs-on: ubuntu-latest
 steps:
- - name: Check out Git repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
- with:
- token: ${{ secrets.BOT_TOKEN }}
- repository: OWASP/www-project-juice-shop
- branch: master
- - name: Update tab_news.md
- run: |
- sed -i 's//\n* ${{ github.event.release.published_at }}: juice-shop [`${{ github.event.release.tag_name }}`](https:\/\/github.com\/juice-shop\/juice-shop\/releases\/tag\/${{ github.event.release.tag_name }})/' tab_news.md
- - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1
- with:
- commit_message: "Add juice-shop ${{ github.event.release.tag_name }} release notes to tab_news.md"
- branch: master
- commit_options: '--signoff'
-
- # Optional commit user and author settings
- commit_user_name: JuiceShopBot
- commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com
- commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com>
+ - name: Check out Git repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ with:
+ token: ${{ secrets.BOT_TOKEN }}
+ repository: OWASP/www-project-juice-shop
+ branch: master
+ - name: Update tab_news.md
+ run: |
+ sed -i 's//\n* ${{ github.event.release.published_at }}: juice-shop [`${{ github.event.release.tag_name }}`](https:\/\/github.com\/juice-shop\/juice-shop\/releases\/tag\/${{ github.event.release.tag_name }})/' tab_news.md
+ - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1
+ with:
+ commit_message: "Add juice-shop ${{ github.event.release.tag_name }} release notes to tab_news.md"
+ branch: master
+ commit_options: '--signoff'
+ # Optional commit user and author settings
+ commit_user_name: JuiceShopBot
+ commit_user_email:
61591748+JuiceShopBot@users.noreply.github.com
+ commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com>
From 05b35d47707201add1b89a5aea1a8a376fe637b3 Mon Sep 17 00:00:00 2001
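Review bot: The `sed -i 's//\n* ${{ github.event.release.published_at }}: … ${{ github.event.release.tag_name }} …'` line interpolates event data straight into the shell script, which is the classic expression-injection shape: a tag name containing a single quote ends the sed argument and whatever follows runs in a checkout that holds `secrets.BOT_TOKEN` for the website repo. Release tags are maintainer-created, so the exposure is limited, but the fix is mechanical — pass the values through `env:` and reference them as shell variables, and validate the tag's shape first, since `/`, `&` or `\` in it would still corrupt the sed expression even once it no longer reaches the shell. Separately, under the new `workflow_dispatch:` trigger `github.event.release` is not populated, so a manual run would write an entry with an empty date and tag into tab_news.md and commit it to master of the website repo; the job should either keep `release:` as its only trigger or carry `if: github.event_name == 'release'`. The rewrite below keeps the existing `s//` pattern untouched; the tag regex is a placeholder to be adjusted to the project's tag scheme.
```yaml
      - name: Update tab_news.md
        env:
          RELEASE_DATE: ${{ github.event.release.published_at }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          [[ "$RELEASE_TAG" =~ ^v[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected tag: $RELEASE_TAG" >&2; exit 1; }
          sed -i "s//\n* ${RELEASE_DATE}: juice-shop [\`${RELEASE_TAG}\`](https:\/\/github.com\/juice-shop\/juice-shop\/releases\/tag\/${RELEASE_TAG})/" tab_news.md
      # … unchanged: checkout and git-auto-commit steps …
```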
From: Viachaslau Date: Tue, 8 Jul 2025 19:18:27 +0400 Subject: [PATCH 3/4] test: add auto-generated e2e security tests skip-checks:true --- .../tests/delete-api-addresss-1.test.ts | 35 +++++++++++++ .../tests/delete-api-basket-items-1.test.ts | 35 +++++++++++++ .brightsec/tests/delete-api-cards-1.test.ts | 35 +++++++++++++ .../tests/delete-api-challenges-123.test.ts | 35 +++++++++++++ .../tests/delete-api-complaints-123.test.ts | 35 +++++++++++++ .../tests/delete-api-feedbacks-123.test.ts | 35 +++++++++++++ .../delete-api-privacy-requests-1.test.ts | 35 +++++++++++++ .../tests/delete-api-products-123.test.ts | 34 +++++++++++++ .../tests/delete-api-quantitys-1.test.ts | 35 +++++++++++++ .../tests/delete-api-recycles-1.test.ts | 35 +++++++++++++ .../delete-api-security-answers-123.test.ts | 35 +++++++++++++ .../delete-api-security-questions-1.test.ts | 35 +++++++++++++ .brightsec/tests/delete-api-users-123.test.ts | 34 +++++++++++++ .brightsec/tests/get-api-addresss-1.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-addresss.test.ts | 35 +++++++++++++ .../tests/get-api-basketitems-1.test.ts | 34 +++++++++++++ .brightsec/tests/get-api-basketitems.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-cards-1.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-cards.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-challenges-1.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-challenges.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-complaints-1.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-complaints.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-deliverys-1.test.ts | 34 +++++++++++++ .brightsec/tests/get-api-deliverys.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-docs.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-feedbacks-1.test.ts | 34 +++++++++++++ .../tests/get-api-privacy-requests-1.test.ts | 35 +++++++++++++ .../tests/get-api-privacy-requests.test.ts | 34 +++++++++++++ .brightsec/tests/get-api-products-1.test.ts | 35 
+++++++++++++ .brightsec/tests/get-api-products.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-quantitys-1.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-recycles-1.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-recycles.test.ts | 35 +++++++++++++ .../tests/get-api-security-questions.test.ts | 34 +++++++++++++ .../tests/get-api-securityanswers-1.test.ts | 35 +++++++++++++ .../tests/get-api-securityanswers.test.ts | 34 +++++++++++++ .../tests/get-api-securityquestions-1.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-users-123.test.ts | 35 +++++++++++++ .brightsec/tests/get-api-users.test.ts | 35 +++++++++++++ .brightsec/tests/get-assets-i18n.test.ts | 35 +++++++++++++ .../get-assets-public-images-padding.test.ts | 34 +++++++++++++ .../get-assets-public-images-products.test.ts | 34 +++++++++++++ .../get-assets-public-images-uploads.test.ts | 35 +++++++++++++ .brightsec/tests/get-dataerasure.test.ts | 35 +++++++++++++ .../get-encryptionkeys-samplefile.test.ts | 35 +++++++++++++ .../get-ftp-quarantine-samplefile.txt.test.ts | 35 +++++++++++++ .brightsec/tests/get-ftp.test.ts | 35 +++++++++++++ .brightsec/tests/get-metrics.test.ts | 35 +++++++++++++ .brightsec/tests/get-profile.test.ts | 38 ++++++++++++++ .brightsec/tests/get-promotion.test.ts | 34 +++++++++++++ .brightsec/tests/get-redirect.test.ts | 35 +++++++++++++ .brightsec/tests/get-rest-2fa-status.test.ts | 35 +++++++++++++ ...st-admin-application-configuration.test.ts | 35 +++++++++++++ ...get-rest-admin-application-version.test.ts | 35 +++++++++++++ .../tests/get-rest-basket-1-order.test.ts | 35 +++++++++++++ .brightsec/tests/get-rest-basket-1.test.ts | 34 +++++++++++++ .brightsec/tests/get-rest-captcha.test.ts | 35 +++++++++++++ .../tests/get-rest-chatbot-status.test.ts | 35 +++++++++++++ .../get-rest-continue-code-findit.test.ts | 35 +++++++++++++ .../get-rest-continue-code-fixit.test.ts | 35 +++++++++++++ .../tests/get-rest-continue-code.test.ts | 35 +++++++++++++ 
.../tests/get-rest-country-mapping.test.ts | 35 +++++++++++++ .../tests/get-rest-deluxe-membership.test.ts | 35 +++++++++++++ .../tests/get-rest-image-captcha.test.ts | 35 +++++++++++++ .brightsec/tests/get-rest-languages.test.ts | 35 +++++++++++++ .brightsec/tests/get-rest-memories.test.ts | 34 +++++++++++++ .../tests/get-rest-order-history.test.ts | 35 +++++++++++++ .../get-rest-products-123-reviews.test.ts | 35 +++++++++++++ .../tests/get-rest-products-search.test.ts | 34 +++++++++++++ .../get-rest-repeat-notification.test.ts | 34 +++++++++++++ .../tests/get-rest-save-login-ip.test.ts | 35 +++++++++++++ .../tests/get-rest-track-order-12345.test.ts | 35 +++++++++++++ ...t-rest-user-authentication-details.test.ts | 35 +++++++++++++ .../get-rest-user-change-password.test.ts | 35 +++++++++++++ .../get-rest-user-security-question.test.ts | 35 +++++++++++++ .brightsec/tests/get-rest-user-whoami.test.ts | 35 +++++++++++++ .../tests/get-rest-wallet-balance.test.ts | 35 +++++++++++++ .../tests/get-rest-web3-nftmintlisten.test.ts | 35 +++++++++++++ .../tests/get-rest-web3-nftunlocked.test.ts | 35 +++++++++++++ .../get-snippets-fixes-samplekey.test.ts | 35 +++++++++++++ .../get-solve-challenges-server-side.test.ts | 34 +++++++++++++ ...t-support-logs-sample-log-file-log.test.ts | 34 +++++++++++++ .brightsec/tests/get-support-logs.test.ts | 34 +++++++++++++ ...-be-unlocked-by-sending-1btc-to-us.test.ts | 34 +++++++++++++ .brightsec/tests/get-video.test.ts | 35 +++++++++++++ ...easonably-necessary-responsibility.test.ts | 34 +++++++++++++ .brightsec/tests/get-well-known.test.ts | 34 +++++++++++++ .brightsec/tests/options-root.test.ts | 38 ++++++++++++++ .../tests/patch-rest-products-reviews.test.ts | 39 ++++++++++++++ .brightsec/tests/post-api-addresss.test.ts | 45 ++++++++++++++++ .../tests/post-api-basket-items.test.ts | 40 +++++++++++++++ .brightsec/tests/post-api-cards.test.ts | 43 ++++++++++++++++ .brightsec/tests/post-api-challenges.test.ts | 40 +++++++++++++++ 
.brightsec/tests/post-api-complaints.test.ts | 40 +++++++++++++++ .brightsec/tests/post-api-feedbacks.test.ts | 40 +++++++++++++++ .../tests/post-api-privacy-requests.test.ts | 39 ++++++++++++++ .brightsec/tests/post-api-products.test.ts | 43 ++++++++++++++++ .brightsec/tests/post-api-quantitys.test.ts | 40 +++++++++++++++ .brightsec/tests/post-api-recycles.test.ts | 42 +++++++++++++++ .../tests/post-api-securityquestions.test.ts | 39 ++++++++++++++ .brightsec/tests/post-api-users.test.ts | 40 +++++++++++++++ .brightsec/tests/post-b2b-v2-orders.test.ts | 39 ++++++++++++++ .brightsec/tests/post-file-upload.test.ts | 38 ++++++++++++++ .../tests/post-profile-image-url.test.ts | 38 ++++++++++++++ .brightsec/tests/post-profile.test.ts | 46 +++++++++++++++++ .../tests/post-rest-2fa-disable.test.ts | 38 ++++++++++++++ .brightsec/tests/post-rest-2fa-setup.test.ts | 40 +++++++++++++++ .brightsec/tests/post-rest-2fa-verify.test.ts | 39 ++++++++++++++ .../post-rest-basket-789-checkout.test.ts | 43 ++++++++++++++++ .../tests/post-rest-chatbot-respond.test.ts | 39 ++++++++++++++ .../tests/post-rest-deluxe-membership.test.ts | 39 ++++++++++++++ .brightsec/tests/post-rest-memories.test.ts | 39 ++++++++++++++ .../tests/post-rest-products-reviews.test.ts | 40 +++++++++++++++ .../tests/post-rest-user-data-export.test.ts | 38 ++++++++++++++ .brightsec/tests/post-rest-user-login.test.ts | 39 ++++++++++++++ .../post-rest-user-reset-password.test.ts | 41 +++++++++++++++ ...t-rest-web3-wallet-exploit-address.test.ts | 38 ++++++++++++++ .../post-rest-web3-walletnftverify.test.ts | 38 ++++++++++++++ .../tests/post-routes-data-erasure.test.ts | 40 +++++++++++++++ .brightsec/tests/post-snippets-fixes.test.ts | 39 ++++++++++++++ .brightsec/tests/put-api-addresss-1.test.ts | 44 ++++++++++++++++ .../tests/put-api-basket-items-1.test.ts | 40 +++++++++++++++ .brightsec/tests/put-api-cards-1.test.ts | 42 +++++++++++++++ .brightsec/tests/put-api-challenges-1.test.ts | 51 +++++++++++++++++++ 
.brightsec/tests/put-api-complaints-1.test.ts | 39 ++++++++++++++ .brightsec/tests/put-api-feedbacks-1.test.ts | 39 ++++++++++++++ .../tests/put-api-privacy-requests-1.test.ts | 39 ++++++++++++++ .brightsec/tests/put-api-quantitys-1.test.ts | 40 +++++++++++++++ .../tests/put-api-security-answers-1.test.ts | 38 ++++++++++++++ .../put-api-security-questions-1.test.ts | 38 ++++++++++++++ .brightsec/tests/put-api-users-123.test.ts | 46 +++++++++++++++++ .../put-rest-basket-1-coupon-jan23-10.test.ts | 38 ++++++++++++++ ...ut-rest-continue-code-apply-abc123.test.ts | 38 ++++++++++++++ ...findit-apply-samplecontinuecode123.test.ts | 36 +++++++++++++ ...-order-history-123-delivery-status.test.ts | 38 ++++++++++++++ .../put-rest-products-123-reviews.test.ts | 39 ++++++++++++++ .../tests/put-rest-wallet-balance.test.ts | 39 ++++++++++++++ 138 files changed, 5065 insertions(+) create mode 100644 .brightsec/tests/delete-api-addresss-1.test.ts create mode 100644 .brightsec/tests/delete-api-basket-items-1.test.ts create mode 100644 .brightsec/tests/delete-api-cards-1.test.ts create mode 100644 .brightsec/tests/delete-api-challenges-123.test.ts create mode 100644 .brightsec/tests/delete-api-complaints-123.test.ts create mode 100644 .brightsec/tests/delete-api-feedbacks-123.test.ts create mode 100644 .brightsec/tests/delete-api-privacy-requests-1.test.ts create mode 100644 .brightsec/tests/delete-api-products-123.test.ts create mode 100644 .brightsec/tests/delete-api-quantitys-1.test.ts create mode 100644 .brightsec/tests/delete-api-recycles-1.test.ts create mode 100644 .brightsec/tests/delete-api-security-answers-123.test.ts create mode 100644 .brightsec/tests/delete-api-security-questions-1.test.ts create mode 100644 .brightsec/tests/delete-api-users-123.test.ts create mode 100644 .brightsec/tests/get-api-addresss-1.test.ts create mode 100644 .brightsec/tests/get-api-addresss.test.ts create mode 100644 .brightsec/tests/get-api-basketitems-1.test.ts create mode 100644 
.brightsec/tests/get-api-basketitems.test.ts create mode 100644 .brightsec/tests/get-api-cards-1.test.ts create mode 100644 .brightsec/tests/get-api-cards.test.ts create mode 100644 .brightsec/tests/get-api-challenges-1.test.ts create mode 100644 .brightsec/tests/get-api-challenges.test.ts create mode 100644 .brightsec/tests/get-api-complaints-1.test.ts create mode 100644 .brightsec/tests/get-api-complaints.test.ts create mode 100644 .brightsec/tests/get-api-deliverys-1.test.ts create mode 100644 .brightsec/tests/get-api-deliverys.test.ts create mode 100644 .brightsec/tests/get-api-docs.test.ts create mode 100644 .brightsec/tests/get-api-feedbacks-1.test.ts create mode 100644 .brightsec/tests/get-api-privacy-requests-1.test.ts create mode 100644 .brightsec/tests/get-api-privacy-requests.test.ts create mode 100644 .brightsec/tests/get-api-products-1.test.ts create mode 100644 .brightsec/tests/get-api-products.test.ts create mode 100644 .brightsec/tests/get-api-quantitys-1.test.ts create mode 100644 .brightsec/tests/get-api-recycles-1.test.ts create mode 100644 .brightsec/tests/get-api-recycles.test.ts create mode 100644 .brightsec/tests/get-api-security-questions.test.ts create mode 100644 .brightsec/tests/get-api-securityanswers-1.test.ts create mode 100644 .brightsec/tests/get-api-securityanswers.test.ts create mode 100644 .brightsec/tests/get-api-securityquestions-1.test.ts create mode 100644 .brightsec/tests/get-api-users-123.test.ts create mode 100644 .brightsec/tests/get-api-users.test.ts create mode 100644 .brightsec/tests/get-assets-i18n.test.ts create mode 100644 .brightsec/tests/get-assets-public-images-padding.test.ts create mode 100644 .brightsec/tests/get-assets-public-images-products.test.ts create mode 100644 .brightsec/tests/get-assets-public-images-uploads.test.ts create mode 100644 .brightsec/tests/get-dataerasure.test.ts create mode 100644 .brightsec/tests/get-encryptionkeys-samplefile.test.ts create mode 100644 
.brightsec/tests/get-ftp-quarantine-samplefile.txt.test.ts create mode 100644 .brightsec/tests/get-ftp.test.ts create mode 100644 .brightsec/tests/get-metrics.test.ts create mode 100644 .brightsec/tests/get-profile.test.ts create mode 100644 .brightsec/tests/get-promotion.test.ts create mode 100644 .brightsec/tests/get-redirect.test.ts create mode 100644 .brightsec/tests/get-rest-2fa-status.test.ts create mode 100644 .brightsec/tests/get-rest-admin-application-configuration.test.ts create mode 100644 .brightsec/tests/get-rest-admin-application-version.test.ts create mode 100644 .brightsec/tests/get-rest-basket-1-order.test.ts create mode 100644 .brightsec/tests/get-rest-basket-1.test.ts create mode 100644 .brightsec/tests/get-rest-captcha.test.ts create mode 100644 .brightsec/tests/get-rest-chatbot-status.test.ts create mode 100644 .brightsec/tests/get-rest-continue-code-findit.test.ts create mode 100644 .brightsec/tests/get-rest-continue-code-fixit.test.ts create mode 100644 .brightsec/tests/get-rest-continue-code.test.ts create mode 100644 .brightsec/tests/get-rest-country-mapping.test.ts create mode 100644 .brightsec/tests/get-rest-deluxe-membership.test.ts create mode 100644 .brightsec/tests/get-rest-image-captcha.test.ts create mode 100644 .brightsec/tests/get-rest-languages.test.ts create mode 100644 .brightsec/tests/get-rest-memories.test.ts create mode 100644 .brightsec/tests/get-rest-order-history.test.ts create mode 100644 .brightsec/tests/get-rest-products-123-reviews.test.ts create mode 100644 .brightsec/tests/get-rest-products-search.test.ts create mode 100644 .brightsec/tests/get-rest-repeat-notification.test.ts create mode 100644 .brightsec/tests/get-rest-save-login-ip.test.ts create mode 100644 .brightsec/tests/get-rest-track-order-12345.test.ts create mode 100644 .brightsec/tests/get-rest-user-authentication-details.test.ts create mode 100644 .brightsec/tests/get-rest-user-change-password.test.ts create mode 100644 
.brightsec/tests/get-rest-user-security-question.test.ts create mode 100644 .brightsec/tests/get-rest-user-whoami.test.ts create mode 100644 .brightsec/tests/get-rest-wallet-balance.test.ts create mode 100644 .brightsec/tests/get-rest-web3-nftmintlisten.test.ts create mode 100644 .brightsec/tests/get-rest-web3-nftunlocked.test.ts create mode 100644 .brightsec/tests/get-snippets-fixes-samplekey.test.ts create mode 100644 .brightsec/tests/get-solve-challenges-server-side.test.ts create mode 100644 .brightsec/tests/get-support-logs-sample-log-file-log.test.ts create mode 100644 .brightsec/tests/get-support-logs.test.ts create mode 100644 .brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts create mode 100644 .brightsec/tests/get-video.test.ts create mode 100644 .brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts create mode 100644 .brightsec/tests/get-well-known.test.ts create mode 100644 .brightsec/tests/options-root.test.ts create mode 100644 .brightsec/tests/patch-rest-products-reviews.test.ts create mode 100644 .brightsec/tests/post-api-addresss.test.ts create mode 100644 .brightsec/tests/post-api-basket-items.test.ts create mode 100644 .brightsec/tests/post-api-cards.test.ts create mode 100644 .brightsec/tests/post-api-challenges.test.ts create mode 100644 .brightsec/tests/post-api-complaints.test.ts create mode 100644 .brightsec/tests/post-api-feedbacks.test.ts create mode 100644 .brightsec/tests/post-api-privacy-requests.test.ts create mode 100644 .brightsec/tests/post-api-products.test.ts create mode 100644 .brightsec/tests/post-api-quantitys.test.ts create mode 100644 .brightsec/tests/post-api-recycles.test.ts create mode 100644 .brightsec/tests/post-api-securityquestions.test.ts create mode 100644 .brightsec/tests/post-api-users.test.ts create mode 100644 .brightsec/tests/post-b2b-v2-orders.test.ts create mode 100644 
.brightsec/tests/post-file-upload.test.ts create mode 100644 .brightsec/tests/post-profile-image-url.test.ts create mode 100644 .brightsec/tests/post-profile.test.ts create mode 100644 .brightsec/tests/post-rest-2fa-disable.test.ts create mode 100644 .brightsec/tests/post-rest-2fa-setup.test.ts create mode 100644 .brightsec/tests/post-rest-2fa-verify.test.ts create mode 100644 .brightsec/tests/post-rest-basket-789-checkout.test.ts create mode 100644 .brightsec/tests/post-rest-chatbot-respond.test.ts create mode 100644 .brightsec/tests/post-rest-deluxe-membership.test.ts create mode 100644 .brightsec/tests/post-rest-memories.test.ts create mode 100644 .brightsec/tests/post-rest-products-reviews.test.ts create mode 100644 .brightsec/tests/post-rest-user-data-export.test.ts create mode 100644 .brightsec/tests/post-rest-user-login.test.ts create mode 100644 .brightsec/tests/post-rest-user-reset-password.test.ts create mode 100644 .brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts create mode 100644 .brightsec/tests/post-rest-web3-walletnftverify.test.ts create mode 100644 .brightsec/tests/post-routes-data-erasure.test.ts create mode 100644 .brightsec/tests/post-snippets-fixes.test.ts create mode 100644 .brightsec/tests/put-api-addresss-1.test.ts create mode 100644 .brightsec/tests/put-api-basket-items-1.test.ts create mode 100644 .brightsec/tests/put-api-cards-1.test.ts create mode 100644 .brightsec/tests/put-api-challenges-1.test.ts create mode 100644 .brightsec/tests/put-api-complaints-1.test.ts create mode 100644 .brightsec/tests/put-api-feedbacks-1.test.ts create mode 100644 .brightsec/tests/put-api-privacy-requests-1.test.ts create mode 100644 .brightsec/tests/put-api-quantitys-1.test.ts create mode 100644 .brightsec/tests/put-api-security-answers-1.test.ts create mode 100644 .brightsec/tests/put-api-security-questions-1.test.ts create mode 100644 .brightsec/tests/put-api-users-123.test.ts create mode 100644 
.brightsec/tests/put-rest-basket-1-coupon-jan23-10.test.ts
create mode 100644 .brightsec/tests/put-rest-continue-code-apply-abc123.test.ts
create mode 100644 .brightsec/tests/put-rest-continue-code-findit-apply-samplecontinuecode123.test.ts
create mode 100644 .brightsec/tests/put-rest-order-history-123-delivery-status.test.ts
create mode 100644 .brightsec/tests/put-rest-products-123-reviews.test.ts
create mode 100644 .brightsec/tests/put-rest-wallet-balance.test.ts
diff --git a/.brightsec/tests/delete-api-addresss-1.test.ts b/.brightsec/tests/delete-api-addresss-1.test.ts
new file mode 100644
index 0000000..e3e2fc5
--- /dev/null
+++ b/.brightsec/tests/delete-api-addresss-1.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'id_enumeration', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/Addresss/1`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/delete-api-basket-items-1.test.ts b/.brightsec/tests/delete-api-basket-items-1.test.ts
new file mode 100644
index 0000000..2ef937e
--- /dev/null
+++ b/.brightsec/tests/delete-api-basket-items-1.test.ts
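Review bot: This file runs a live scan with `method: HttpMethod.DELETE` against `${baseUrl}/api/Addresss/1` using `auth: process.env.BRIGHT_AUTH_ID`, with `tests` such as `id_enumeration` and `sqli` that issue many mutated requests, so the instance behind `BRIGHT_TARGET_URL` must be disposable; a header comment saying so, e.g. `// Destructive: this scan sends DELETE requests to the configured target — point BRIGHT_TARGET_URL at a throwaway instance`, belongs at the top of each generated file. The same applies to the `basket-items` and `cards` hunks that follow and, as far as the diffstat shows, to the other 135 generated files. `.threshold(Severity.CRITICAL)` means high- and medium-severity findings never fail the test, which is a deliberate risk acceptance that should be written down next to the call rather than left implicit. The `before`/`after` runner setup and the `timeout`/`baseUrl` constants are repeated verbatim across the files; a shared helper under `.brightsec/` would let the threshold, timeout and env handling be changed in one place. The `!` non-null assertions on `BRIGHT_TARGET_URL`, `BRIGHT_HOSTNAME` and `BRIGHT_PROJECT_ID` only silence the type-checker — an unset variable yields `undefined` at runtime (and a URL beginning with `undefined/`) rather than a clear error, so a small guard that throws naming the missing variable would make misconfiguration obvious.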
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/basket-items/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'id_enumeration', 'http_method_fuzzing', 'sqli'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/BasketItems/1`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/delete-api-cards-1.test.ts b/.brightsec/tests/delete-api-cards-1.test.ts
new file mode 100644
index 0000000..b301bdf
--- /dev/null
+++ b/.brightsec/tests/delete-api-cards-1.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'sqli'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/Cards/1`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/delete-api-challenges-123.test.ts b/.brightsec/tests/delete-api-challenges-123.test.ts
new file mode 100644
index 0000000..0134ffc
--- /dev/null
+++ b/.brightsec/tests/delete-api-challenges-123.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/challenges/123', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'http_method_fuzzing', 'sqli'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/Challenges/123`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/delete-api-complaints-123.test.ts b/.brightsec/tests/delete-api-complaints-123.test.ts
new file mode 100644
index 0000000..012a25f
--- /dev/null
+++ b/.brightsec/tests/delete-api-complaints-123.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/complaints/123', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/complaints/123`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/delete-api-feedbacks-123.test.ts b/.brightsec/tests/delete-api-feedbacks-123.test.ts
new file mode 100644
index 0000000..0562b8c
--- /dev/null
+++ b/.brightsec/tests/delete-api-feedbacks-123.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/Feedbacks/123', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'id_enumeration', 'http_method_fuzzing'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/Feedbacks/123`,
+ headers: { 'X-Recruiting': 'true' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/delete-api-privacy-requests-1.test.ts b/.brightsec/tests/delete-api-privacy-requests-1.test.ts
new file mode 100644
index 0000000..b28c9ec
--- /dev/null
+++ b/.brightsec/tests/delete-api-privacy-requests-1.test.ts
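Review bot: The test title `'DELETE /api/Feedbacks/123'` uses the capitalised route while the sibling files in this chunk title their tests in lower case (`'DELETE /api/challenges/123'`, `'DELETE /api/complaints/123'`) even when the request URL itself is capitalised; the same inconsistency recurs in the get-api-addresss and get-api-complaints-1 files. Titles are what show up in the test reporter and in CI logs, so one convention, matching the actual request path, makes failures easier to correlate with the scan. Picking the URL's own casing, `test('DELETE /api/Feedbacks/123', …)` here and `/api/Challenges/123` etc. elsewhere, would keep title and request in step.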
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/privacy-requests/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'id_enumeration', 'bopla', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/PrivacyRequests/1`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/delete-api-products-123.test.ts b/.brightsec/tests/delete-api-products-123.test.ts
new file mode 100644
index 0000000..c0e4fdc
--- /dev/null
+++ b/.brightsec/tests/delete-api-products-123.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/products/123', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'id_enumeration', 'bopla', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/Products/123`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/delete-api-quantitys-1.test.ts b/.brightsec/tests/delete-api-quantitys-1.test.ts
new file mode 100644
index 0000000..95b83bf
--- /dev/null
+++ b/.brightsec/tests/delete-api-quantitys-1.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'id_enumeration', 'http_method_fuzzing', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/Quantitys/1`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/delete-api-recycles-1.test.ts b/.brightsec/tests/delete-api-recycles-1.test.ts
new file mode 100644
index 0000000..8dfafe2
--- /dev/null
+++ b/.brightsec/tests/delete-api-recycles-1.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'id_enumeration', 'csrf', 'sqli'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/Recycles/1`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/delete-api-security-answers-123.test.ts b/.brightsec/tests/delete-api-security-answers-123.test.ts
new file mode 100644
index 0000000..71ee8e1
--- /dev/null
+++ b/.brightsec/tests/delete-api-security-answers-123.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/security-answers/123', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'sqli'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/SecurityAnswers/123`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/delete-api-security-questions-1.test.ts b/.brightsec/tests/delete-api-security-questions-1.test.ts
new file mode 100644
index 0000000..e9dd9c9
--- /dev/null
+++ b/.brightsec/tests/delete-api-security-questions-1.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/security-questions/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'id_enumeration', 'http_method_fuzzing', 'sqli'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/SecurityQuestions/1`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/delete-api-users-123.test.ts b/.brightsec/tests/delete-api-users-123.test.ts
new file mode 100644
index 0000000..81ce01f
--- /dev/null
+++ b/.brightsec/tests/delete-api-users-123.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('DELETE /api/users/123', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/api/Users/123`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-addresss-1.test.ts b/.brightsec/tests/get-api-addresss-1.test.ts
new file mode 100644
index 0000000..0ca8db3
--- /dev/null
+++ b/.brightsec/tests/get-api-addresss-1.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['id_enumeration', 'bopla', 'sqli', 'csrf', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Addresss/1`,
+ headers: { 'X-Recruiting': '' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-addresss.test.ts b/.brightsec/tests/get-api-addresss.test.ts
new file mode 100644
index 0000000..908bf3d
--- /dev/null
+++ b/.brightsec/tests/get-api-addresss.test.ts
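Review bot: `headers: { 'X-Recruiting': '' }` looks like a capture artifact rather than an intended request: the neighbouring get-api-addresss file sends `'X-Recruiting': '[object Object]'` and get-api-complaints sends `'X-Recruiting': 'undefined'`, which are what JavaScript produces when a non-string header value is stringified by the generator, and get-api-deliverys has the same empty string as here. The scanner will send those literal bytes as the baseline and mutate them for the HEADER location, so the seed value is not the one the application ever saw. Either restore the recorded header value in each of these files or drop the entry, and if it is dropped, check that `AttackParamLocation.HEADER` still has a header left to work on.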
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/Addresss', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'id_enumeration', 'bopla', 'sqli'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Addresss`,
+ headers: { 'X-Recruiting': '[object Object]' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-basketitems-1.test.ts b/.brightsec/tests/get-api-basketitems-1.test.ts
new file mode 100644
index 0000000..025ab38
--- /dev/null
+++ b/.brightsec/tests/get-api-basketitems-1.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/basketitems/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['id_enumeration', 'bopla', 'jwt', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/BasketItems/1`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-basketitems.test.ts b/.brightsec/tests/get-api-basketitems.test.ts
new file mode 100644
index 0000000..be4dc87
--- /dev/null
+++ b/.brightsec/tests/get-api-basketitems.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/basketitems', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['business_constraint_bypass', 'id_enumeration', 'jwt', 'xss'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/BasketItems`,
+ headers: { 'Authorization': 'Bearer ' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-cards-1.test.ts b/.brightsec/tests/get-api-cards-1.test.ts
new file mode 100644
index 0000000..7cd8906
--- /dev/null
+++ b/.brightsec/tests/get-api-cards-1.test.ts
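Review bot: `headers: { 'Authorization': 'Bearer ' }` hard-codes an empty bearer token on the same request that also passes `auth: process.env.BRIGHT_AUTH_ID`, and this file is the only one in the chunk that does so. Which of the two wins is not visible here, but if the explicit header takes precedence the `jwt` and `business_constraint_bypass` checks run against the unauthenticated view of the endpoint, and if the auth object wins the header is dead configuration that misleads the reader either way. Drop the explicit header and let `auth` supply the credential; if the intent is specifically to seed the Authorization header for the HEADER attack location, say so in a comment such as `// Empty bearer token on purpose: the scanner mutates this header` so the choice is not mistaken for a leftover from the traffic capture.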
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/cards/1`,
+ headers: { 'X-Recruiting': 'We are hiring!' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-cards.test.ts b/.brightsec/tests/get-api-cards.test.ts
new file mode 100644
index 0000000..ee7668b
--- /dev/null
+++ b/.brightsec/tests/get-api-cards.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/cards', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'id_enumeration', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/cards`,
+ headers: { 'X-Recruiting': 'true' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-challenges-1.test.ts b/.brightsec/tests/get-api-challenges-1.test.ts
new file mode 100644
index 0000000..a3309b4
--- /dev/null
+++ b/.brightsec/tests/get-api-challenges-1.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/challenges/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['id_enumeration', 'bopla', 'sqli', 'xss', 'csrf'],
+ attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Challenges/1?challenge=example-challenge`,
+ headers: { 'X-Recruiting': 'We are hiring!' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-challenges.test.ts b/.brightsec/tests/get-api-challenges.test.ts
new file mode 100644
index 0000000..5dd00fe
--- /dev/null
+++ b/.brightsec/tests/get-api-challenges.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/challenges', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'business_constraint_bypass', 'xss', 'sqli'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Challenges`,
+ headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-complaints-1.test.ts b/.brightsec/tests/get-api-complaints-1.test.ts
new file mode 100644
index 0000000..b4ee38c
--- /dev/null
+++ b/.brightsec/tests/get-api-complaints-1.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/Complaints/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Complaints/1`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-complaints.test.ts b/.brightsec/tests/get-api-complaints.test.ts
new file mode 100644
index 0000000..87ef19c
--- /dev/null
+++ b/.brightsec/tests/get-api-complaints.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/complaints', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'id_enumeration', 'bopla', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Complaints`,
+ headers: { 'X-Recruiting': 'undefined' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-deliverys-1.test.ts b/.brightsec/tests/get-api-deliverys-1.test.ts
new file mode 100644
index 0000000..68d7459
--- /dev/null
+++ b/.brightsec/tests/get-api-deliverys-1.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/deliverys/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['id_enumeration', 'bopla', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Deliverys/1`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-deliverys.test.ts b/.brightsec/tests/get-api-deliverys.test.ts
new file mode 100644
index 0000000..00e68ea
--- /dev/null
+++ b/.brightsec/tests/get-api-deliverys.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/deliverys', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'id_enumeration', 'improper_asset_management', 'xss'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Deliverys`,
+ headers: { 'X-Recruiting': '' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-docs.test.ts b/.brightsec/tests/get-api-docs.test.ts
new file mode 100644
index 0000000..450b4b5
--- /dev/null
+++ b/.brightsec/tests/get-api-docs.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api-docs', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['improper_asset_management', 'xss', 'csrf', 'open_database'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api-docs`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-feedbacks-1.test.ts b/.brightsec/tests/get-api-feedbacks-1.test.ts
new file mode 100644
index 0000000..d7a1f0a
--- /dev/null
+++ b/.brightsec/tests/get-api-feedbacks-1.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/feedbacks/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['id_enumeration', 'bopla', 'jwt', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Feedbacks/1`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-privacy-requests-1.test.ts b/.brightsec/tests/get-api-privacy-requests-1.test.ts
new file mode 100644
index 0000000..37f9ced
--- /dev/null
+++ b/.brightsec/tests/get-api-privacy-requests-1.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/privacy-requests/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['id_enumeration', 'bopla', 'csrf', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/PrivacyRequests/1`,
+ headers: { 'X-Recruiting': 'example@example.com' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-privacy-requests.test.ts b/.brightsec/tests/get-api-privacy-requests.test.ts
new file mode 100644
index 0000000..1ce64cf
--- /dev/null
+++ b/.brightsec/tests/get-api-privacy-requests.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/privacy-requests', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.QUERY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/PrivacyRequests`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-products-1.test.ts b/.brightsec/tests/get-api-products-1.test.ts
new file mode 100644
index 0000000..f139bd3
--- /dev/null
+++ b/.brightsec/tests/get-api-products-1.test.ts
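Review bot: `attackParamLocations: [AttackParamLocation.QUERY]` is the only injection point, but the request URL `${baseUrl}/api/PrivacyRequests` carries no query string, so `sqli`, `xss`, `id_enumeration` and `bopla` have no parameter to mutate and the scan is effectively a no-op for this route. Either append the query parameters the endpoint actually reads (the `/api/Products` sibling does this with `?q=sample`) or attack `PATH`/`HEADER` instead. As written the test passes regardless of how the endpoint behaves.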
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/products/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['id_enumeration', 'sqli', 'xss', 'csrf', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Products/1`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-products.test.ts b/.brightsec/tests/get-api-products.test.ts
new file mode 100644
index 0000000..e563621
--- /dev/null
+++ b/.brightsec/tests/get-api-products.test.ts
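Review bot: `headers: { 'Content-Type': 'application/json' }` is sent on a GET that has no body, and `HEADER` is not among the attack locations, so the header is inert and only obscures what the request really is; drop it, or if it was captured from the response during generation, replace it with headers the route actually consumes. Style-wise the same stray content type appears on several other GET-only siblings in this PR and should be cleaned up together.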
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/products', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'business_constraint_bypass', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.QUERY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Products?q=sample`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-quantitys-1.test.ts b/.brightsec/tests/get-api-quantitys-1.test.ts
new file mode 100644
index 0000000..40244d3
--- /dev/null
+++ b/.brightsec/tests/get-api-quantitys-1.test.ts
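Review bot: The `before`/`after` hooks, the `timeout` constant and the `SecRunner` construction are pasted verbatim into every sibling file in this PR; a shared `.brightsec/tests/setup.ts` exporting something like `createRunner()` and `SCAN_TIMEOUT` would turn a future change (an `auth` guard, a different threshold, a new project id source) into a one-line edit instead of thirty. With `timeout = 40 * 60 * 1000` per file the aggregate worst case is roughly thirty files times forty minutes divided by whatever `--test-concurrency` the invoking workflow sets, which is worth stating in the workflow or bounding with a smaller per-scan budget. This file is otherwise the one in the set where the `QUERY` location actually has a parameter (`q`) to attack.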
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'id_enumeration', 'csrf', 'sqli'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Quantitys/1`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-recycles-1.test.ts b/.brightsec/tests/get-api-recycles-1.test.ts
new file mode 100644
index 0000000..8733707
--- /dev/null
+++ b/.brightsec/tests/get-api-recycles-1.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['id_enumeration', 'bopla', 'sqli', 'csrf', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Recycles/1`,
+ headers: { 'X-Recruiting': 'true' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-recycles.test.ts b/.brightsec/tests/get-api-recycles.test.ts
new file mode 100644
index 0000000..74407fd
--- /dev/null
+++ b/.brightsec/tests/get-api-recycles.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/recycles', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Recycles`,
+ headers: { 'X-Recruiting': 'undefined' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-security-questions.test.ts b/.brightsec/tests/get-api-security-questions.test.ts
new file mode 100644
index 0000000..8e68b02
--- /dev/null
+++ b/.brightsec/tests/get-api-security-questions.test.ts
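Review bot: `headers: { 'X-Recruiting': 'undefined' }` looks like a generator artifact — the string `'undefined'` is what a JavaScript `undefined` becomes when stringified — and `HEADER` is the only attack location, so the whole scan of `/api/Recycles` injects into a custom header the server presumably never reads. The same header appears with values `'true'`, `''`, `'We are hiring!'` and `'YourCompany'` across sibling files, which suggests these were synthesised rather than captured from real traffic. Replace it with a header the route consumes, or add `PATH`/`QUERY` so `bopla`, `id_enumeration` and `sqli` have an identifier or parameter to mutate.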
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/security-questions', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'id_enumeration', 'improper_asset_management', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/SecurityQuestions`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-securityanswers-1.test.ts b/.brightsec/tests/get-api-securityanswers-1.test.ts
new file mode 100644
index 0000000..f9e61f4
--- /dev/null
+++ b/.brightsec/tests/get-api-securityanswers-1.test.ts
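Review bot: `AttackParamLocation.QUERY` is listed but the URL `${baseUrl}/api/SecurityQuestions` has no query string, so only the two static path segments remain for the `PATH` tests to mutate, and `id_enumeration` in particular needs an identifier in the request that is not there. If this route accepts filters, put them in the URL; otherwise drop `QUERY` and `id_enumeration` so the scan reflects the real surface. Note also that `get-api-securityquestions-1.test.ts` in this PR covers the same resource family under a differently hyphenated filename, which will confuse grepping for coverage.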
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/securityanswers/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'],
+ attackParamLocations: [AttackParamLocation.QUERY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/SecurityAnswers/1?email=user@example.com`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-securityanswers.test.ts b/.brightsec/tests/get-api-securityanswers.test.ts
new file mode 100644
index 0000000..3c0c064
--- /dev/null
+++ b/.brightsec/tests/get-api-securityanswers.test.ts
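Review bot: The object identifier in `/api/SecurityAnswers/1?email=user@example.com` is the path segment `1`, but `attackParamLocations` is `[AttackParamLocation.QUERY]` only, so the `id_enumeration` and `bopla` tests mutate `email` and never touch the ID they exist to probe. Change it to `attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY]`. Whether `user@example.com` maps to a real account on the target is not visible here; if it does not, the baseline response may be an error and the differential tests lose their reference.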
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/securityanswers', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.QUERY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/SecurityAnswers`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-securityquestions-1.test.ts b/.brightsec/tests/get-api-securityquestions-1.test.ts
new file mode 100644
index 0000000..6153eb6
--- /dev/null
+++ b/.brightsec/tests/get-api-securityquestions-1.test.ts
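Review bot: `attackParamLocations: [AttackParamLocation.QUERY]` with the bare URL `${baseUrl}/api/SecurityAnswers` leaves nothing for the scanner to inject into, so `sqli`, `xss`, `id_enumeration` and `bopla` cannot produce a finding and the test cannot fail. Either supply the query parameters this route reads or switch to `PATH`/`HEADER`. A listing of security answers is a high-value access-control surface, so it is also one of the files where an unset `BRIGHT_AUTH_ID` (passed unguarded as `auth`) would quietly turn the scan into an anonymous request.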
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/securityquestions/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['id_enumeration', 'bopla', 'xss', 'csrf', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/SecurityQuestions/1`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-users-123.test.ts b/.brightsec/tests/get-api-users-123.test.ts
new file mode 100644
index 0000000..3ce877d
--- /dev/null
+++ b/.brightsec/tests/get-api-users-123.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/users/123', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['id_enumeration', 'bopla', 'xss', 'sqli', 'csrf'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Users/123`,
+ headers: { 'X-Recruiting': 'undefined' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-api-users.test.ts b/.brightsec/tests/get-api-users.test.ts
new file mode 100644
index 0000000..d1dcedc
--- /dev/null
+++ b/.brightsec/tests/get-api-users.test.ts
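Review bot: The scan targets user id `123`, and nothing here shows that such a user exists on the target; if the baseline `GET /api/Users/123` returns 404, the differential `id_enumeration`/`bopla` checks on `PATH` have no valid reference response to compare against and will pass vacuously. Pin the id to an account the seed data guarantees (every other per-object file in this PR uses `1`), and drop `headers: { 'X-Recruiting': 'undefined' }` — it reads as a stringified JavaScript `undefined` rather than a header this route consumes, and it is currently the only `HEADER` injection point.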
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/users', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'id_enumeration', 'bopla', 'xss', 'sqli'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/api/Users`,
+ headers: { 'X-Recruiting': '' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-assets-i18n.test.ts b/.brightsec/tests/get-assets-i18n.test.ts
new file mode 100644
index 0000000..c9dc89c
--- /dev/null
+++ b/.brightsec/tests/get-assets-i18n.test.ts
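Review bot: `attackParamLocations: [AttackParamLocation.HEADER]` with `headers: { 'X-Recruiting': '' }` as the only header means every `sqli`, `xss`, `bopla` and `id_enumeration` payload lands in an empty custom header the server presumably ignores, and the bare `${baseUrl}/api/Users` URL offers no identifier or parameter for the authorization tests to mutate. A user listing is exactly the kind of access-control surface these tests are meant for, so run it with a guaranteed session (a guarded `auth`) and give the scanner a real parameter to work with, otherwise this file documents nothing.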
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /assets/i18n', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'improper_asset_management', 'full_path_disclosure', 'lfi'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/assets/i18n`,
+ headers: { 'X-Recruiting': 'We are hiring!' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-assets-public-images-padding.test.ts b/.brightsec/tests/get-assets-public-images-padding.test.ts
new file mode 100644
index 0000000..07487d1
--- /dev/null
+++ b/.brightsec/tests/get-assets-public-images-padding.test.ts
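Review bot: `lfi` and `full_path_disclosure` are requested, but `attackParamLocations` is `[AttackParamLocation.HEADER]` only, so traversal payloads go into `X-Recruiting` rather than into the `/assets/i18n` path they would need to reach; add `AttackParamLocation.PATH` (as the `/assets/public/images/*` siblings do) or the LFI test has no file path to attack. The header value `'We are hiring!'` looks synthesised rather than captured and can be dropped once `PATH` is in place.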
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /assets/public/images/padding', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'lfi', 'ssrf', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/assets/public/images/padding`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-assets-public-images-products.test.ts b/.brightsec/tests/get-assets-public-images-products.test.ts
new file mode 100644
index 0000000..a33d276
--- /dev/null
+++ b/.brightsec/tests/get-assets-public-images-products.test.ts
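Review bot: `ssrf` is listed for the static image directory `/assets/public/images/padding`, where nothing in the request is a URL the server would fetch, so with `PATH` as the only location the SSRF payloads just become path segments and burn scan budget. `padding` is also a directory rather than a file, so whether the baseline request returns 2xx is not visible here; if it 404s, `lfi` and `improper_asset_management` are comparing against an error page. Point the URL at a concrete file that is known to exist and drop `ssrf`.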
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /assets/public/images/products', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'lfi', 'improper_asset_management', 'full_path_disclosure'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/assets/public/images/products`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-assets-public-images-uploads.test.ts b/.brightsec/tests/get-assets-public-images-uploads.test.ts
new file mode 100644
index 0000000..603fd99
--- /dev/null
+++ b/.brightsec/tests/get-assets-public-images-uploads.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /assets/public/images/uploads', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'lfi', 'xss', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/assets/public/images/uploads`,
+ headers: { 'X-Recruiting': 'true' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-dataerasure.test.ts b/.brightsec/tests/get-dataerasure.test.ts
new file mode 100644
index 0000000..36e3398
--- /dev/null
+++ b/.brightsec/tests/get-dataerasure.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /dataerasure', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'lfi', 'xss', 'bopla', 'business_constraint_bypass'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/dataerasure`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-encryptionkeys-samplefile.test.ts b/.brightsec/tests/get-encryptionkeys-samplefile.test.ts
new file mode 100644
index 0000000..06e972a
--- /dev/null
+++ b/.brightsec/tests/get-encryptionkeys-samplefile.test.ts
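Review bot: `attackParamLocations: [AttackParamLocation.HEADER]` is the only location and the only header sent is `Content-Type: application/json` on a body-less GET, so the `lfi`, `xss`, `bopla` and `business_constraint_bypass` payloads are injected into a content type the server has no body to apply, and the scan cannot reach anything that matters. If `/dataerasure` renders a form, the meaningful surface is the request that submits it, and that request is not in this PR as far as is visible; if it only renders HTML, `PATH` plus the passive checks is the honest configuration. Drop the `Content-Type` header either way.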
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /encryptionkeys/samplefile', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['lfi', 'improper_asset_management', 'full_path_disclosure', 'id_enumeration'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/encryptionkeys/samplefile`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-ftp-quarantine-samplefile.txt.test.ts b/.brightsec/tests/get-ftp-quarantine-samplefile.txt.test.ts
new file mode 100644
index 0000000..d6d4672
--- /dev/null
+++ b/.brightsec/tests/get-ftp-quarantine-samplefile.txt.test.ts
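Review bot: `samplefile` in `${baseUrl}/encryptionkeys/samplefile` reads as a placeholder, and nothing here shows such a file exists on the target; for `lfi`, `full_path_disclosure` and `improper_asset_management` the baseline should be a real file that returns 200, otherwise the `PATH` mutations are compared against a 404 and the scan proves nothing about the key directory. Either pick a file the deployment guarantees or document in the test why the placeholder is acceptable. `id_enumeration` on a filename and `Content-Type: application/json` on a GET are both inert here and can go.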
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /ftp/quarantine/samplefile.txt', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['lfi', 'directoryListingChallenge', 'full_path_disclosure', 'ssrf', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/ftp/quarantine/samplefile.txt`,
+ headers: { 'X-Recruiting': 'true' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-ftp.test.ts b/.brightsec/tests/get-ftp.test.ts
new file mode 100644
index 0000000..8ff43e7
--- /dev/null
+++ b/.brightsec/tests/get-ftp.test.ts
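Review bot: `'directoryListingChallenge'` in `tests` does not look like a Bright test identifier — every other entry in this PR is a snake_case test name, and this one is camelCase with a `Challenge` suffix, which reads like an application challenge key that leaked in during generation. Depending on how `@sectester/scan` validates `tests`, that entry either fails scan creation (taking the whole file with it) or is silently dropped; remove it or replace it with the intended test. `samplefile.txt` under `/ftp/quarantine/` is also a placeholder whose existence on the target is not visible here, and `ssrf` on a static file path has nothing to trigger.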
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /ftp', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['lfi', 'file_upload', 'full_path_disclosure', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/ftp`,
+ headers: { 'X-Recruiting': 'YourCompany' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-metrics.test.ts b/.brightsec/tests/get-metrics.test.ts
new file mode 100644
index 0000000..6c4c063
--- /dev/null
+++ b/.brightsec/tests/get-metrics.test.ts
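Review bot: `file_upload` is requested for a GET of `/ftp` with no body, so there is nothing for an upload test to send; Bright's file-upload checks presumably need a multipart request, which makes the entry inert here. `lfi` with `PATH` on a directory listing is the useful part of this file, and the publicly browsable listing itself is the more interesting finding, which `full_path_disclosure`/`secret_tokens` may or may not flag. `X-Recruiting: 'YourCompany'` is not an attack location and looks synthesised.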
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /metrics', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['improper_asset_management', 'csrf', 'xss', 'insecure_tls_configuration', 'server_side_js_injection'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/metrics`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-profile.test.ts b/.brightsec/tests/get-profile.test.ts
new file mode 100644
index 0000000..1b7bc92
--- /dev/null
+++ b/.brightsec/tests/get-profile.test.ts
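Review bot: `insecure_tls_configuration` is a host-level check, not an endpoint-level one; listing it here under a forty-minute scan budget for `/metrics` duplicates work that belongs once per target, and the same holds for the other passive tests sprinkled across sibling files. With `HEADER` as the only attack location and `Content-Type: application/json` as the only header on a GET, `xss` and `server_side_js_injection` have no real input to reach. If `/metrics` is a Prometheus-style endpoint, the thing worth asserting is whether it is reachable without a session at all, which this scan cannot tell you while `auth` is an unguarded environment read.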
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /profile', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'ssti', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/profile`,
+ headers: {
+ 'X-Recruiting': 'We are hiring! Check our careers page for more information.',
+ 'Content-Security-Policy': "img-src 'self' undefined; script-src 'self' 'unsafe-eval' https://code.getmdl.io http://ajax.googleapis.com"
+ },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-promotion.test.ts b/.brightsec/tests/get-promotion.test.ts
new file mode 100644
index 0000000..ffd767b
--- /dev/null
+++ b/.brightsec/tests/get-promotion.test.ts
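Review bot: `Content-Security-Policy` is a response header, so sending it as a request header (complete with `img-src 'self' undefined` and `'unsafe-eval'`) does nothing to the server and, since `HEADER` is the only attack location, directs the scanner to spend its budget injecting into it. It was presumably captured from the app's response during generation; drop it, keep only headers the `/profile` route reads, and add `QUERY`/`PATH` if the route takes parameters, otherwise the `ssti`/`xss` tests have no template or reflection point to hit. The literal `undefined` inside the CSP value is another stringified-`undefined` artifact of the same generator, which makes the rest of the recorded headers in this PR worth a second look.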
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /promotion', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'open_cloud_storage', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/promotion`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-redirect.test.ts b/.brightsec/tests/get-redirect.test.ts
new file mode 100644
index 0000000..6b7b768
--- /dev/null
+++ b/.brightsec/tests/get-redirect.test.ts
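Review bot: `attackParamLocations: [AttackParamLocation.HEADER]` but `run()` sends no `headers` at all, so there is nothing for the scanner to inject into and `xss`, `csrf` and `improper_asset_management` cannot produce a finding on `/promotion`. Add the headers the route reads or switch to `PATH`; `open_cloud_storage` is a passive check that does not depend on an attack location, so it is the only thing this file currently exercises.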
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /redirect', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['unvalidated_redirect'],
+ attackParamLocations: [AttackParamLocation.QUERY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/redirect?to=https://example.com`,
+ headers: { 'X-Recruiting': 'We are hiring!' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-2fa-status.test.ts b/.brightsec/tests/get-rest-2fa-status.test.ts
new file mode 100644
index 0000000..bfab6c8
--- /dev/null
+++ b/.brightsec/tests/get-rest-2fa-status.test.ts
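Review bot: `.threshold(Severity.CRITICAL)` makes this test unable to fail in practice: an open redirect is ordinarily rated MEDIUM (sometimes HIGH) by scanners, so a confirmed `unvalidated_redirect` on `/redirect?to=` would be reported but would not break the build. Since this file targets exactly one weakness, set the threshold to the severity Bright assigns that test (presumably `.threshold(Severity.MEDIUM)`) so the assertion means something. This is otherwise the best-formed file in the set — a single test with a real `QUERY` parameter — and `X-Recruiting` is the only leftover noise.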
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/2fa/status', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'secret_tokens', 'full_path_disclosure'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/2fa/status`,
+ headers: { 'X-Recruiting': 'YourCompany' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-admin-application-configuration.test.ts b/.brightsec/tests/get-rest-admin-application-configuration.test.ts
new file mode 100644
index 0000000..a6c93af
--- /dev/null
+++ b/.brightsec/tests/get-rest-admin-application-configuration.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/admin/application-configuration', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'improper_asset_management', 'secret_tokens', 'full_path_disclosure'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/admin/application-configuration`,
+ headers: { 'X-Recruiting': '' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-admin-application-version.test.ts b/.brightsec/tests/get-rest-admin-application-version.test.ts
new file mode 100644
index 0000000..ae47f89
--- /dev/null
+++ b/.brightsec/tests/get-rest-admin-application-version.test.ts
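Review bot: `/rest/admin/application-configuration` is an admin route scanned with `auth: process.env.BRIGHT_AUTH_ID` unguarded, so if the variable is unset the request is anonymous and a 401/403 baseline makes every test here compare against an error page — the scan passes while learning nothing about the admin surface. `bopla` also needs object identifiers in the request and there are none; the only header is `X-Recruiting: ''`, which is the sole `HEADER` injection point. Assert the auth id is present, and if the route is meant to be admin-only, a plain authenticated-as-regular-user request asserting 403 would be a more useful check than a fuzzing scan with nothing to fuzz.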
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/admin/application-version', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'improper_asset_management', 'full_path_disclosure', 'xss', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/admin/application-version`,
+ headers: { 'X-Recruiting': 'Your Company is Hiring!' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-basket-1-order.test.ts b/.brightsec/tests/get-rest-basket-1-order.test.ts
new file mode 100644
index 0000000..22a6560
--- /dev/null
+++ b/.brightsec/tests/get-rest-basket-1-order.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/basket/1/order', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'id_enumeration', 'bopla', 'sqli', 'xss', 'business_constraint_bypass'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/basket/1/order`,
+ headers: { 'X-Recruiting': 'We are hiring!' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-basket-1.test.ts b/.brightsec/tests/get-rest-basket-1.test.ts
new file mode 100644
index 0000000..2664039
--- /dev/null
+++ b/.brightsec/tests/get-rest-basket-1.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/basket/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'id_enumeration', 'jwt', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/basket/1`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-captcha.test.ts b/.brightsec/tests/get-rest-captcha.test.ts
new file mode 100644
index 0000000..02b84ad
--- /dev/null
+++ b/.brightsec/tests/get-rest-captcha.test.ts
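Review bot: `.threshold(Severity.CRITICAL)` means this test only fails on a Critical finding, yet the tests it enables (`bopla`, `id_enumeration`, `jwt`) typically produce authorization findings that scanners rate High rather than Critical, so a successful basket-ID enumeration would leave the test green. Lower the gate for this endpoint to `.threshold(Severity.HIGH)` or document why only Critical should block the pipeline. Separately, the `jwt` test needs a token to tamper with, but the only attack location here is `AttackParamLocation.PATH`; if the scanner derives JWT attacks from the request's Authorization header, `AttackParamLocation.HEADER` should be added, which is worth confirming against the sectester docs.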
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/captcha', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'business_constraint_bypass', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/captcha`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-chatbot-status.test.ts b/.brightsec/tests/get-rest-chatbot-status.test.ts
new file mode 100644
index 0000000..5084898
--- /dev/null
+++ b/.brightsec/tests/get-rest-chatbot-status.test.ts
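Review bot: The only seeded header is `'Content-Type': 'application/json'` on a body-less GET, and `AttackParamLocation.HEADER` is the only attack location, so the scanner's `xss`/`business_constraint_bypass` payloads would be injected into a Content-Type header that the application has no reason to read. Either drop the header, or seed a header this endpoint actually consumes, otherwise the scan exercises nothing and its pass is not evidence. The same `Content-Type`-only-header pattern recurs in several other test files of this patch and looks generated rather than deliberate; a comment such as `// HEADER location: seed a header the route reads, not Content-Type` would stop it being copied further.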
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/chatbot/status', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'improper_asset_management', 'open_database', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/chatbot/status`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-continue-code-findit.test.ts b/.brightsec/tests/get-rest-continue-code-findit.test.ts
new file mode 100644
index 0000000..9989358
--- /dev/null
+++ b/.brightsec/tests/get-rest-continue-code-findit.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/continue-code-findIt', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'sqli', 'xss', 'csrf'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/continue-code-findIt`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-continue-code-fixit.test.ts b/.brightsec/tests/get-rest-continue-code-fixit.test.ts
new file mode 100644
index 0000000..d6cbca1
--- /dev/null
+++ b/.brightsec/tests/get-rest-continue-code-fixit.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/continue-code-fixIt', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['sqli', 'xss', 'csrf', 'business_constraint_bypass'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/continue-code-fixIt`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-continue-code.test.ts b/.brightsec/tests/get-rest-continue-code.test.ts
new file mode 100644
index 0000000..d2ff56f
--- /dev/null
+++ b/.brightsec/tests/get-rest-continue-code.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/continue-code', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'sqli', 'id_enumeration', 'open_database', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/continue-code`,
+ headers: { 'X-Recruiting': 'https://example.com/jobs' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-country-mapping.test.ts b/.brightsec/tests/get-rest-country-mapping.test.ts
new file mode 100644
index 0000000..2eac3c8
--- /dev/null
+++ b/.brightsec/tests/get-rest-country-mapping.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/country-mapping', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['improper_asset_management', 'full_path_disclosure', 'open_database'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/country-mapping`,
+ headers: { 'X-Recruiting': 'undefined' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-deluxe-membership.test.ts b/.brightsec/tests/get-rest-deluxe-membership.test.ts
new file mode 100644
index 0000000..c20cf79
--- /dev/null
+++ b/.brightsec/tests/get-rest-deluxe-membership.test.ts
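Review bot: `headers: { 'X-Recruiting': 'undefined' }` sends the literal string "undefined", which reads like a stringified JavaScript `undefined` left behind by whatever generated these files rather than an intended seed value. Since HEADER is the only attack location, this artifact is the sole thing the scan mutates; replace it with a real value or drop the header, e.g. `headers: { 'X-Recruiting': 'We are hiring!' }` as the sibling files use. It would be worth a quick grep of the other generated files for `'undefined'` and `'null'` values before merging.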
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/deluxe-membership', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'id_enumeration', 'xss', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/deluxe-membership`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-image-captcha.test.ts b/.brightsec/tests/get-rest-image-captcha.test.ts
new file mode 100644
index 0000000..0ca1d05
--- /dev/null
+++ b/.brightsec/tests/get-rest-image-captcha.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/image-captcha', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management', 'osi'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/image-captcha`,
+ headers: { 'X-Recruiting': 'We are hiring!' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-languages.test.ts b/.brightsec/tests/get-rest-languages.test.ts
new file mode 100644
index 0000000..5fb5d4b
--- /dev/null
+++ b/.brightsec/tests/get-rest-languages.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/languages', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['full_path_disclosure', 'xss', 'lfi', 'business_constraint_bypass'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/languages`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-memories.test.ts b/.brightsec/tests/get-rest-memories.test.ts
new file mode 100644
index 0000000..b50c116
--- /dev/null
+++ b/.brightsec/tests/get-rest-memories.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/memories', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'id_enumeration', 'xss', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/memories`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-order-history.test.ts b/.brightsec/tests/get-rest-order-history.test.ts
new file mode 100644
index 0000000..aa95c09
--- /dev/null
+++ b/.brightsec/tests/get-rest-order-history.test.ts
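Review bot: `attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY]` names two locations, but the request `${baseUrl}/rest/memories` carries no query string and no variable path segment, so unless the scanner fuzzes static path segments there is no parameter for `id_enumeration` or `xss` to operate on and the scan is effectively empty. Either seed an identifier the endpoint takes (a query parameter or a path id) or reduce the locations to what the request actually contains; e.g. `url: \`${baseUrl}/rest/memories?page=1\`` with `attackParamLocations: [AttackParamLocation.QUERY]` if such a parameter exists, which should be confirmed against the route. A one-line comment stating which parameter is under test would make the intent of each generated file reviewable.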
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/order-history', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'jwt', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/order-history`,
+ headers: { 'Authorization': 'Bearer ' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-products-123-reviews.test.ts b/.brightsec/tests/get-rest-products-123-reviews.test.ts
new file mode 100644
index 0000000..cd67e1f
--- /dev/null
+++ b/.brightsec/tests/get-rest-products-123-reviews.test.ts
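Review bot: `headers: { 'Authorization': 'Bearer ' }` hard-codes an empty bearer token in the same request that also passes `auth: process.env.BRIGHT_AUTH_ID`; whichever of the two wins, the explicit header either overrides the auth object's credentials (making an authenticated endpoint's scan run anonymously and every 401 look like a "pass") or is itself overwritten and is dead configuration. Remove the literal header and let the auth object supply the token, i.e. drop the `headers:` line and keep `auth: process.env.BRIGHT_AUTH_ID`. If the intent was to give the `jwt` test a token to tamper with, that token must be a real one provisioned by the auth object, not the empty string.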
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/products/123/reviews', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['nosql', 'xss', 'csrf', 'id_enumeration', 'business_constraint_bypass'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/products/123/reviews`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-products-search.test.ts b/.brightsec/tests/get-rest-products-search.test.ts
new file mode 100644
index 0000000..b5bff6a
--- /dev/null
+++ b/.brightsec/tests/get-rest-products-search.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/products/search', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['sqli', 'xss', 'business_constraint_bypass', 'full_path_disclosure'],
+ attackParamLocations: [AttackParamLocation.QUERY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/products/search?q=example`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-repeat-notification.test.ts b/.brightsec/tests/get-rest-repeat-notification.test.ts
new file mode 100644
index 0000000..979bfcf
--- /dev/null
+++ b/.brightsec/tests/get-rest-repeat-notification.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/repeat-notification', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['unvalidated_redirect', 'xss', 'business_constraint_bypass'],
+ attackParamLocations: [AttackParamLocation.QUERY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/repeat-notification?challenge=sample-challenge`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-save-login-ip.test.ts b/.brightsec/tests/get-rest-save-login-ip.test.ts
new file mode 100644
index 0000000..012f2be
--- /dev/null
+++ b/.brightsec/tests/get-rest-save-login-ip.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/saveLoginIp', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['xss', 'csrf', 'bopla', 'id_enumeration'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/saveLoginIp`,
+ headers: { 'X-Recruiting': 'We are hiring!' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-track-order-12345.test.ts b/.brightsec/tests/get-rest-track-order-12345.test.ts
new file mode 100644
index 0000000..adcb1db
--- /dev/null
+++ b/.brightsec/tests/get-rest-track-order-12345.test.ts
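Review bot: The `xss` test here is limited to `AttackParamLocation.HEADER` and the only seeded header is the cosmetic `'X-Recruiting': 'We are hiring!'`, yet an endpoint named `saveLoginIp` most plausibly persists a client-address header, which is exactly where a stored-XSS payload would need to land. If the route reads a client-IP style header (worth confirming against the server code), seed that header instead of `X-Recruiting` so the scanner mutates a value the application actually stores, and add a comment naming it, e.g. `// seeds the header saveLoginIp persists; HEADER location targets it`. As written, the HEADER scan exercises a header the endpoint almost certainly ignores.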
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/track-order/12345', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['nosql', 'xss', 'id_enumeration'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/track-order/12345`,
+ headers: { 'X-Recruiting': 'We are hiring!' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-user-authentication-details.test.ts b/.brightsec/tests/get-rest-user-authentication-details.test.ts
new file mode 100644
index 0000000..c3fa350
--- /dev/null
+++ b/.brightsec/tests/get-rest-user-authentication-details.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/user/authentication-details', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'id_enumeration', 'xss', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/user/authentication-details`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-user-change-password.test.ts b/.brightsec/tests/get-rest-user-change-password.test.ts
new file mode 100644
index 0000000..c3d83bb
--- /dev/null
+++ b/.brightsec/tests/get-rest-user-change-password.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/user/change-password', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'bopla', 'sqli', 'jwt'],
+ attackParamLocations: [AttackParamLocation.QUERY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/user/change-password?current=currentPassword123&new=newPassword456&repeat=newPassword456`,
+ headers: { 'Authorization': 'Bearer ' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-user-security-question.test.ts b/.brightsec/tests/get-rest-user-security-question.test.ts
new file mode 100644
index 0000000..e48722d
--- /dev/null
+++ b/.brightsec/tests/get-rest-user-security-question.test.ts
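Review bot: Fuzzing `/rest/user/change-password?current=…&new=…&repeat=…` with `AttackParamLocation.QUERY` means every `sqli`/`xss` payload is also injected into `new` and `repeat`; if the request is authenticated (it passes `auth`) and the endpoint honours any of those payloads, the scan user's password is rotated mid-run and the shared `BRIGHT_AUTH_ID` credentials break for every test that runs afterwards. Run this scan against a disposable account, or pin `new`/`repeat` and fuzz only `current`, and say so in a comment above the `url:` line, e.g. `// state-changing endpoint: scan with a throwaway user, not the shared auth object`. The literal `'Authorization': 'Bearer '` header is also set alongside `auth:`; the empty bearer either overrides the auth object or is dead configuration, and should be removed. Note too that a password change over GET with the secret in the query string is itself something the scan should flag, and `.threshold(Severity.CRITICAL)` may not catch it.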
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/user/security-question', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['id_enumeration', 'sqli', 'xss', 'csrf', 'email_injection'],
+ attackParamLocations: [AttackParamLocation.QUERY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/user/security-question?email=user@example.com`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-user-whoami.test.ts b/.brightsec/tests/get-rest-user-whoami.test.ts
new file mode 100644
index 0000000..5077308
--- /dev/null
+++ b/.brightsec/tests/get-rest-user-whoami.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/user/whoami', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'id_enumeration', 'xss', 'jwt', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/user/whoami`,
+ headers: { 'X-Recruiting': 'true' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-wallet-balance.test.ts b/.brightsec/tests/get-rest-wallet-balance.test.ts
new file mode 100644
index 0000000..cb9add5
--- /dev/null
+++ b/.brightsec/tests/get-rest-wallet-balance.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/wallet/balance', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'sqli'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/wallet/balance`,
+ headers: { 'X-Recruiting': 'We are hiring!' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-web3-nftmintlisten.test.ts b/.brightsec/tests/get-rest-web3-nftmintlisten.test.ts
new file mode 100644
index 0000000..2158118
--- /dev/null
+++ b/.brightsec/tests/get-rest-web3-nftmintlisten.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/web3/nftMintListen', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['ssrf', 'secret_tokens', 'business_constraint_bypass', 'csrf'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/web3/nftMintListen`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-rest-web3-nftunlocked.test.ts b/.brightsec/tests/get-rest-web3-nftunlocked.test.ts
new file mode 100644
index 0000000..02ffa18
--- /dev/null
+++ b/.brightsec/tests/get-rest-web3-nftunlocked.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/web3/nftUnlocked', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'business_constraint_bypass', 'nosql', 'xss', 'insecure_tls_configuration', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/rest/web3/nftUnlocked`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-snippets-fixes-samplekey.test.ts b/.brightsec/tests/get-snippets-fixes-samplekey.test.ts
new file mode 100644
index 0000000..e597e83
--- /dev/null
+++ b/.brightsec/tests/get-snippets-fixes-samplekey.test.ts
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /snippets/fixes/sampleKey', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'id_enumeration', 'bopla', 'full_path_disclosure'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/snippets/fixes/sampleKey`,
+ headers: { 'X-Recruiting': 'We are hiring!' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-solve-challenges-server-side.test.ts b/.brightsec/tests/get-solve-challenges-server-side.test.ts
new file mode 100644
index 0000000..7362f28
--- /dev/null
+++ b/.brightsec/tests/get-solve-challenges-server-side.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /solve/challenges/server-side', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'ssti', 'ssrf', 'xss', 'osi'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/solve/challenges/server-side`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-support-logs-sample-log-file-log.test.ts b/.brightsec/tests/get-support-logs-sample-log-file-log.test.ts
new file mode 100644
index 0000000..ef71ee9
--- /dev/null
+++ b/.brightsec/tests/get-support-logs-sample-log-file-log.test.ts
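Review bot: This file enables the highest-impact server-side tests in the patch (`ssti`, `ssrf`, `osi`) but restricts them to `AttackParamLocation.PATH` on `/solve/challenges/server-side`, a URL whose segments are all fixed route names, so unless the scanner rewrites static segments the payloads never reach an input the handler evaluates. If the route takes a query parameter or header that triggers the server-side logic (the name suggests it does; confirm against the route definition), seed it in the request and add `AttackParamLocation.QUERY` or `HEADER`, e.g. `attackParamLocations: [AttackParamLocation.QUERY]` with the parameter in `url:`. A comment naming the parameter under test would make the scan's coverage verifiable at review time.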
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /support/logs/sample-log-file.log', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['full_path_disclosure', 'lfi', 'access_log_disclosure_challenge', 'directoryListingChallenge'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/support/logs/sample-log-file.log`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-support-logs.test.ts b/.brightsec/tests/get-support-logs.test.ts
new file mode 100644
index 0000000..6320486
--- /dev/null
+++ b/.brightsec/tests/get-support-logs.test.ts
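Review bot: `'access_log_disclosure_challenge'` and `'directoryListingChallenge'` in the `tests` array do not look like scanner test identifiers — every other entry in this PR uses the scanner's snake_case names such as `full_path_disclosure` — and read like challenge names from the application under test. If the scan API rejects unknown test names the whole scan errors out before `lfi` runs; if it ignores them, two of the four checks are silently missing and the test still passes. Please verify both names against the @sectester/scan test catalogue and replace or drop them.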
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /support/logs', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['full_path_disclosure', 'lfi', 'improper_asset_management', 'id_enumeration'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/support/logs`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts b/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts
new file mode 100644
index 0000000..49ba80b
--- /dev/null
+++ b/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'unvalidated_redirect', 'xss', 'sqli', 'id_enumeration', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc-to-us`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-video.test.ts b/.brightsec/tests/get-video.test.ts
new file mode 100644
index 0000000..ebd247a
--- /dev/null
+++ b/.brightsec/tests/get-video.test.ts
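Review bot: the test title `'GET this-page-is-hidden-…'` drops the leading `/` and uses hyphens where the `url` below uses slashes, unlike every other file in this PR, which titles the test with the exact route; a grep for the path will not find this test. Suggest `test('GET /this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc-to-us', …)` to match the template literal. With `AttackParamLocation.PATH` on a route of sixteen static segments, `sqli` and `unvalidated_redirect` will spend the 40-minute budget mutating each one; if nothing here is parameterised, a shorter test list would be a better use of scan time.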
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /video', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['xss', 'csrf', 'http_method_fuzzing', 'improper_asset_management', 'insecure_tls_configuration'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/video`,
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts b/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts
new file mode 100644
index 0000000..adf5b89
--- /dev/null
+++ b/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts
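Review bot: this is a body-less GET, so `'Content-Type': 'application/json'` describes nothing, and with `attackParamLocations: [AttackParamLocation.HEADER]` it is the one custom header the scanner has to fuzz. The headers a `/video` endpoint is likely to consume are `Range` and `Accept`, which is where header-handling bugs would surface; suggest `headers: { Range: 'bytes=0-' }` once confirmed against the endpoint. `insecure_tls_configuration` is a host-level check already run by the `OPTIONS /` test in this PR, so repeating it here only adds scan time.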
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'unvalidated_redirect', 'improper_asset_management', 'full_path_disclosure'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/get-well-known.test.ts b/.brightsec/tests/get-well-known.test.ts
new file mode 100644
index 0000000..e7a41a1
--- /dev/null
+++ b/.brightsec/tests/get-well-known.test.ts
@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /.well-known', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['improper_asset_management', 'full_path_disclosure', 'lfi', 'open_cloud_storage'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.GET,
+ url: `${baseUrl}/.well-known`,
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/options-root.test.ts b/.brightsec/tests/options-root.test.ts
new file mode 100644
index 0000000..4d8e98d
--- /dev/null
+++ b/.brightsec/tests/options-root.test.ts
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('OPTIONS /', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['http_method_fuzzing', 'csrf', 'xss', 'insecure_tls_configuration', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.OPTIONS,
+ url: `${baseUrl}/`,
+ headers: {
+ 'Access-Control-Allow-Origin': '*',
+ 'Content-Type': 'application/json'
+ },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/patch-rest-products-reviews.test.ts b/.brightsec/tests/patch-rest-products-reviews.test.ts
new file mode 100644
index 0000000..483b9ba
--- /dev/null
+++ b/.brightsec/tests/patch-rest-products-reviews.test.ts
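Review bot: `'Access-Control-Allow-Origin': '*'` is a response header; sending it in the request exercises nothing about CORS, and together with the meaningless `Content-Type` on a body-less OPTIONS it is all the HEADER attack location has to fuzz. A preflight probe should send what a browser sends — `Origin` and `Access-Control-Request-Method` — and let the scanner judge the response; suggest `headers: { Origin: 'https://attacker.example', 'Access-Control-Request-Method': 'POST' }`. If the intent was to assert that the server does not echo a wildcard origin, that assertion belongs on the response, which this fixture never inspects.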
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PATCH /rest/products/reviews', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'nosql', 'stored_xss'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PATCH,
+ url: `${baseUrl}/rest/products/reviews`,
+ body: {
+ id: '60c72b2f9b1d8e001c8e4b8a',
+ message: 'Updated review message.'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-api-addresss.test.ts b/.brightsec/tests/post-api-addresss.test.ts
new file mode 100644
index 0000000..256c21b
--- /dev/null
+++ b/.brightsec/tests/post-api-addresss.test.ts
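Review bot: `id: '60c72b2f9b1d8e001c8e4b8a'` is a hard-coded document id; unless a review with exactly that id exists in the target instance, every baseline and mutated request takes the not-found branch and `bopla`/`stored_xss` never reach the update logic. Create a review in `before()` (or read the id from an environment variable) and use that id in the body. The id's shape and the `nosql` test suggest a document store, which is the right target for an `id` operator injection, but I cannot confirm the backend from this file.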
@@ -0,0 +1,45 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/addresss', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'sqli', 'csrf', 'xss', 'id_enumeration'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/api/Addresss`,
+ body: {
+ UserId: 1,
+ fullName: 'John Doe',
+ mobileNum: 1234567890,
+ zipCode: '12345',
+ streetAddress: '123 Main St',
+ city: 'Metropolis',
+ state: 'NY',
+ country: 'USA'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-api-basket-items.test.ts b/.brightsec/tests/post-api-basket-items.test.ts
new file mode 100644
index 0000000..685d9b5
--- /dev/null
+++ b/.brightsec/tests/post-api-basket-items.test.ts
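Review bot: `UserId: 1` in the body binds the new address to a fixed user rather than to the `BRIGHT_AUTH_ID` account; if the server honours a client-supplied owner id, the scan's own baseline request is already writing into another user's account, and `bopla` cannot tell its injected `UserId` apart from the fixture. Send only the fields a legitimate client posts and let the scanner inject `UserId`, or resolve the scanning user's id in `before()` and use that. The route `/api/Addresss` (three s) and the filename look like a typo but may be the real generated route; a one-line comment would stop the next reader from "fixing" it.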
@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/basket-items', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'business_constraint_bypass', 'csrf', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/api/BasketItems`,
+ body: {
+ ProductId: 1,
+ BasketId: 1,
+ quantity: 2
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-api-cards.test.ts b/.brightsec/tests/post-api-cards.test.ts
new file mode 100644
index 0000000..ff455a9
--- /dev/null
+++ b/.brightsec/tests/post-api-cards.test.ts
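Review bot: `BasketId: 1` hard-codes which basket receives the items, which is only correct if basket 1 belongs to the `BRIGHT_AUTH_ID` user; otherwise the baseline request is itself a cross-user write and the `bopla` finding is indistinguishable from the fixture. Resolve the scanning user's basket id in `before()` (the same fix as for the `UserId: 1` fixtures elsewhere in this PR) instead of hard-coding it. `business_constraint_bypass` mutating `quantity` is the right check here, so keeping the baseline request on the correct basket is what makes its result meaningful.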
@@ -0,0 +1,43 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/cards', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'sqli', 'xss', 'date_manipulation', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.BODY],
+ skipStaticParams: false
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/api/Cards`,
+ body: {
+ UserId: 1,
+ fullName: 'John Doe',
+ cardNum: 1234567812345678,
+ expMonth: 12,
+ expYear: 2085
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-api-challenges.test.ts b/.brightsec/tests/post-api-challenges.test.ts
new file mode 100644
index 0000000..d9a0c28
--- /dev/null
+++ b/.brightsec/tests/post-api-challenges.test.ts
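Review bot: `skipStaticParams: false` appears only in this file and is unexplained; a one-line comment such as `// fuzz every field, including cardNum/expMonth/expYear that the scanner would otherwise treat as static` would tell the next reader it is deliberate rather than a leftover. `cardNum: 1234567812345678` is a JSON number, so a PAN with a leading zero or a longer length cannot be expressed and the scanner's string payloads are replacing a numeric field; if the server accepts it, `cardNum: '1234567812345678'` is the safer fixture type. As in the address fixture, `UserId: 1` ties the card to a fixed user rather than the scanning account.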
@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/challenges', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'sqli', 'xss', 'osi'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/api/Challenges`,
+ body: {
+ name: 'Example Challenge',
+ description: 'Solve the example challenge',
+ difficulty: 3
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-api-complaints.test.ts b/.brightsec/tests/post-api-complaints.test.ts
new file mode 100644
index 0000000..f1e39f8
--- /dev/null
+++ b/.brightsec/tests/post-api-complaints.test.ts
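Review bot: creating a challenge through `POST /api/Challenges` is presumably an administrative action, yet the fixture runs with the same `BRIGHT_AUTH_ID` as the customer-level tests and nothing says whether the expected baseline is a 201 or a 401/403. If the endpoint should be admin-only, the interesting result is the baseline request succeeding at all, which none of the listed injection tests will report; add a comment stating the expected baseline status, and consider a dedicated check that a non-admin auth object is rejected. If the scan account is an admin, that is worth a comment too, since it changes what `bopla` findings on every other endpoint mean.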
@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/complaints', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['file_upload', 'bopla', 'xss', 'csrf', 'osi', 'sqli'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/api/Complaints`,
+ body: {
+ UserId: 1,
+ message: 'This is a sample complaint message.',
+ file: 'optional-file-path.jpg'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-api-feedbacks.test.ts b/.brightsec/tests/post-api-feedbacks.test.ts
new file mode 100644
index 0000000..fa443a1
--- /dev/null
+++ b/.brightsec/tests/post-api-feedbacks.test.ts
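Review bot: `file: 'optional-file-path.jpg'` is a JSON string under `Content-Type: application/json`, so the `file_upload` test has no multipart part to replace and will only fuzz a string; it cannot exercise an upload handler. If complaints accept an attachment, send a `multipart/form-data` body with an actual `file` part; if the attachment is uploaded through a separate endpoint, drop `file_upload` here so the 40-minute budget goes to tests that can fire. `UserId: 1` has the same owner-id problem as the other fixtures in this PR.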
@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/feedbacks', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'stored_xss', 'bopla', 'sqli', 'proto_pollution'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/api/Feedbacks`,
+ body: {
+ UserId: 1,
+ comment: 'Great service!',
+ rating: 5
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-api-privacy-requests.test.ts b/.brightsec/tests/post-api-privacy-requests.test.ts
new file mode 100644
index 0000000..c68006e
--- /dev/null
+++ b/.brightsec/tests/post-api-privacy-requests.test.ts
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/privacy-requests', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/api/PrivacyRequests`,
+ body: {
+ UserId: 123,
+ deletionRequested: true
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-api-products.test.ts b/.brightsec/tests/post-api-products.test.ts
new file mode 100644
index 0000000..3c46bde
--- /dev/null
+++ b/.brightsec/tests/post-api-products.test.ts
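Review bot: `UserId: 123` differs from the `UserId: 1` used by every other fixture in this PR; if no user 123 exists in the target, the baseline is an error response and the `bopla`/`id_enumeration` mutations start from a request that already fails. Use the scanning user's id consistently, ideally resolved once in `before()` rather than hard-coded per file. A privacy/deletion request filed against an arbitrary user id is also exactly the cross-account write `bopla` is meant to find, so the fixture must not perform it itself.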
@@ -0,0 +1,43 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/products', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'sqli', 'xss', 'file_upload', 'csrf'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/api/Products`,
+ body: {
+ id: 1,
+ name: 'Sample Product',
+ description: 'A sample product description.',
+ price: 19.99,
+ deluxePrice: 29.99,
+ image: 'sample-image.png'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-api-quantitys.test.ts b/.brightsec/tests/post-api-quantitys.test.ts
new file mode 100644
index 0000000..ba29617
--- /dev/null
+++ b/.brightsec/tests/post-api-quantitys.test.ts
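Review bot: the create body carries `id: 1`; if the server honours a client-supplied primary key the baseline request overwrites or conflicts with product 1 on every run, and `bopla` cannot distinguish its injected `id` from the fixture's. Drop `id` from the baseline and let the scanner inject it. `image: 'sample-image.png'` is a plain string, so `file_upload` has nothing to upload here, the same gap as in the complaints fixture; either send a multipart body or remove that test.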
@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/quantitys', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'business_constraint_bypass', 'csrf', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/api/Quantitys`,
+ body: {
+ ProductId: 123,
+ quantity: 10,
+ limitPerUser: 5
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-api-recycles.test.ts b/.brightsec/tests/post-api-recycles.test.ts
new file mode 100644
index 0000000..88bb248
--- /dev/null
+++ b/.brightsec/tests/post-api-recycles.test.ts
@@ -0,0 +1,42 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/recycles', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'business_constraint_bypass', 'date_manipulation', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/api/Recycles`,
+ body: {
+ UserId: 1,
+ AddressId: 1,
+ quantity: 10,
+ isPickup: true,
+ date: '2023-10-01T10:00:00Z'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
\ No newline at end of file
diff --git a/.brightsec/tests/post-api-securityquestions.test.ts b/.brightsec/tests/post-api-securityquestions.test.ts
new file mode 100644
index 0000000..fb3d021
--- /dev/null
+++ b/.brightsec/tests/post-api-securityquestions.test.ts
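Review bot: this file is the only one in the PR without a trailing newline (`\ No newline at end of file`); add it so the formatter and future diffs stay quiet. The `tests` list also omits `csrf`, which every other POST fixture includes — if that is deliberate for a recycle request, say so in a comment, otherwise add it. `date: '2023-10-01T10:00:00Z'` is in the past, so if the endpoint rejects past pickup dates the baseline already fails before `date_manipulation` gets a valid request to mutate; a date computed from `Date.now()` avoids that.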
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/securityquestions', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'sqli', 'xss', 'id_enumeration', 'osi', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/api/SecurityQuestions`,
+ body: {
+ question: 'What is your pet’s name?',
+ answer: 'Fluffy'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-api-users.test.ts b/.brightsec/tests/post-api-users.test.ts
new file mode 100644
index 0000000..5d351fc
--- /dev/null
+++ b/.brightsec/tests/post-api-users.test.ts
@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/users', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'xss', 'sqli', 'bopla', 'email_injection', 'proto_pollution', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/api/Users`,
+ body: {
+ email: 'user@example.com',
+ password: 'securePassword123',
+ passwordRepeat: 'securePassword123'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-b2b-v2-orders.test.ts b/.brightsec/tests/post-b2b-v2-orders.test.ts
new file mode 100644
index 0000000..377d94d
--- /dev/null
+++ b/.brightsec/tests/post-b2b-v2-orders.test.ts
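Review bot: `email: 'user@example.com'` is a fixed value, so after the first run against a target every baseline request hits the "already registered" branch and the `sqli`/`email_injection`/`proto_pollution` payloads never reach the insert path. Build a unique address per run, e.g. a template literal of the form `scan-${Date.now()}@example.com`, and document that the scan account has no special role. Registration normally needs no session, so sending `auth` here is harmless but worth a comment; if the endpoint behaves differently for a logged-in caller (e.g. admin creating users), that is the case `bopla` should be pointed at explicitly.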
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /b2b/v2/orders', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'business_constraint_bypass', 'sqli', 'xss', 'id_enumeration', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/b2b/v2/orders`,
+ body: {
+ cid: '12345',
+ orderLinesData: '[{"productId":1,"quantity":2}]'
+ },
+ headers: { 'Content-Type': 'application/json', 'X-Recruiting': 'We are hiring!' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-file-upload.test.ts b/.brightsec/tests/post-file-upload.test.ts
new file mode 100644
index 0000000..6ec6a34
--- /dev/null
+++ b/.brightsec/tests/post-file-upload.test.ts
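Review bot: `orderLinesData` is a JSON document passed as a string, which means the server parses or evaluates it itself; if it is evaluated rather than parsed (I cannot confirm from this file), `ssti` and `osi` are the tests that matter and `sqli` is unlikely to apply, so consider adding them as the server-side test elsewhere in this PR does. `AttackParamLocation.HEADER` is listed, but the only custom header is `X-Recruiting`, which the application presumably ignores; unless fuzzing `Content-Type` is intended, `BODY` alone keeps the scan focused. `cid: '12345'` is the obvious `id_enumeration` target and is fine as a string.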
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /file-upload', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['file_upload', 'xss', 'lfi', 'osi'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/file-upload`,
+ body: {
+ file: 'example.txt'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-profile-image-url.test.ts b/.brightsec/tests/post-profile-image-url.test.ts
new file mode 100644
index 0000000..ed855f9
--- /dev/null
+++ b/.brightsec/tests/post-profile-image-url.test.ts
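Review bot: `/file-upload` is sent `{ file: 'example.txt' }` as `application/json`; an upload endpoint almost certainly expects `multipart/form-data` with a file part, so `file_upload`, `lfi` and `osi` only ever fuzz a JSON string and never reach the upload handler, and this test cannot fail for the reason it exists. Send a multipart body with an actual `file` part (a small text file with a filename is enough for the scanner to swap extensions and content) and drop the JSON content type. Until then a comment saying the request shape is a placeholder would stop the green result from being read as coverage.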
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /profile/image/url', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['ssrf', 'file_upload', 'xss', 'csrf'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/profile/image/url`,
+ body: {
+ imageUrl: 'https://example.com/image.jpg'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-profile.test.ts b/.brightsec/tests/post-profile.test.ts
new file mode 100644
index 0000000..7f7b2e7
--- /dev/null
+++ b/.brightsec/tests/post-profile.test.ts
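Review bot: the `ssrf` test relies on the target being able to reach the scanner's callback host; if `BRIGHT_TARGET_URL` points at an egress-restricted environment the result is a guaranteed false negative, so record that requirement in a comment above the `tests` list. The baseline `imageUrl: 'https://example.com/image.jpg'` also makes the target fetch a third-party URL on every request; an image served by the target itself (or a scanner-controlled host) keeps the baseline self-contained. `file_upload` has no file part to work with on a URL-fetch endpoint and can be dropped.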
@@ -0,0 +1,46 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /profile', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'file_upload', 'xss', 'sqli', 'osi', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/profile`,
+ body: {
+ username: 'john_doe',
+ email: 'john.doe@example.com',
+ password: 'securePassword123',
+ role: 'customer',
+ deluxeToken: '',
+ lastLoginIp: '192.168.1.1',
+ profileImage: '/assets/public/images/uploads/default.svg',
+ totpSecret: '',
+ isActive: true
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-2fa-disable.test.ts b/.brightsec/tests/post-rest-2fa-disable.test.ts
new file mode 100644
index 0000000..2bd86d4
--- /dev/null
+++ b/.brightsec/tests/post-rest-2fa-disable.test.ts
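Review bot: the baseline body already sends `role`, `deluxeToken`, `totpSecret`, `lastLoginIp`, `isActive` and `password` — server-managed attributes a profile form would not post. If the server accepts them, the fixture itself performs the mass-assignment write, so `bopla` has no clean baseline to compare against and a real privilege escalation looks identical to the expected request; if the server rejects unknown fields, the baseline fails before any test runs. Trim the body to what the profile form actually sends (presumably `username`, possibly `email`) and let the scanner inject the rest, and confirm the endpoint accepts JSON rather than a form post.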
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/2fa/disable', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'sqli', 'xss', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/2fa/disable`,
+ body: {
+ password: 'examplePassword123'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-2fa-setup.test.ts b/.brightsec/tests/post-rest-2fa-setup.test.ts
new file mode 100644
index 0000000..07ecf30
--- /dev/null
+++ b/.brightsec/tests/post-rest-2fa-setup.test.ts
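Review bot: `password: 'examplePassword123'` must be the real password of the `BRIGHT_AUTH_ID` account, otherwise the handler rejects at the password check and only the failure branch is scanned; when it is correct, the baseline request genuinely disables 2FA on the scan account, which makes this test order-dependent with the setup and verify fixtures next to it. Read the password from an environment variable that is provisioned together with the auth object (e.g. `process.env.BRIGHT_AUTH_PASSWORD!`) and state the expected account state in a comment. Whether 2FA can be disabled with a password alone and no TOTP is itself a design question worth a note, but this fixture cannot answer it.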
@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/2fa/setup', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'secret_tokens', 'xss', 'sqli', 'osi'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/2fa/setup`,
+ body: {
+ password: 'examplePassword123',
+ setupToken: 'exampleSetupToken',
+ initialToken: '123456'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-2fa-verify.test.ts b/.brightsec/tests/post-rest-2fa-verify.test.ts
new file mode 100644
index 0000000..f409b6a
--- /dev/null
+++ b/.brightsec/tests/post-rest-2fa-verify.test.ts
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/2fa/verify', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'jwt', 'sqli', 'xss', 'osi', 'nosql', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/2fa/verify`,
+ body: {
+ tmpToken: 'sampleTmpToken',
+ totpToken: '123456'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-basket-789-checkout.test.ts b/.brightsec/tests/post-rest-basket-789-checkout.test.ts
new file mode 100644
index 0000000..e496906
--- /dev/null
+++ b/.brightsec/tests/post-rest-basket-789-checkout.test.ts
@@ -0,0 +1,43 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/basket/789/checkout', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'sqli', 'xss', 'id_enumeration'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/basket/789/checkout`,
+ body: {
+ orderDetails: {
+ deliveryMethodId: 1,
+ paymentId: 'wallet',
+ addressId: 123
+ },
+ UserId: 456
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-chatbot-respond.test.ts b/.brightsec/tests/post-rest-chatbot-respond.test.ts
new file mode 100644
index 0000000..bc26505
--- /dev/null
+++ b/.brightsec/tests/post-rest-chatbot-respond.test.ts
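Review bot: `id_enumeration` is requested but `attackParamLocations` is `[AttackParamLocation.BODY]`, so the identifier that the test name points at (`789` in `/rest/basket/789/checkout`) is never varied and only the body's `UserId` is exercised. Adding the path location, `attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.PATH]`, would cover the id the endpoint is keyed on. The same BODY-only configuration paired with `id_enumeration` on a path-identified resource appears in put-api-addresss-1, put-api-cards-1, put-api-feedbacks-1, put-api-privacy-requests-1, put-api-quantitys-1, put-api-security-answers-1, put-api-security-questions-1 and put-rest-continue-code-apply-abc123.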
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/chatbot/respond', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['nosql', 'xss', 'csrf', 'prompt_injection'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/chatbot/respond`,
+ body: {
+ action: 'query',
+ query: 'Hello, how are you?'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-deluxe-membership.test.ts b/.brightsec/tests/post-rest-deluxe-membership.test.ts
new file mode 100644
index 0000000..2e6a2a1
--- /dev/null
+++ b/.brightsec/tests/post-rest-deluxe-membership.test.ts
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/deluxe-membership', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/deluxe-membership`,
+ body: {
+ UserId: 123,
+ paymentMode: 'wallet'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-memories.test.ts b/.brightsec/tests/post-rest-memories.test.ts
new file mode 100644
index 0000000..ef89758
--- /dev/null
+++ b/.brightsec/tests/post-rest-memories.test.ts
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/memories', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['file_upload', 'bopla', 'stored_xss', 'sqli', 'csrf'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/memories`,
+ body: {
+ caption: 'A beautiful sunset',
+ UserId: 1
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-products-reviews.test.ts b/.brightsec/tests/post-rest-products-reviews.test.ts
new file mode 100644
index 0000000..e0a0258
--- /dev/null
+++ b/.brightsec/tests/post-rest-products-reviews.test.ts
@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/products/reviews', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'stored_xss', 'sqli', 'bopla', 'email_injection'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/products/reviews`,
+ body: {
+ product: '123',
+ message: 'Great product!',
+ author: 'user@example.com'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-user-data-export.test.ts b/.brightsec/tests/post-rest-user-data-export.test.ts
new file mode 100644
index 0000000..11580b7
--- /dev/null
+++ b/.brightsec/tests/post-rest-user-data-export.test.ts
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/user/data-export', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'sqli', 'xss', 'id_enumeration'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/user/data-export`,
+ body: {
+ UserId: '123'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-user-login.test.ts b/.brightsec/tests/post-rest-user-login.test.ts
new file mode 100644
index 0000000..50b0414
--- /dev/null
+++ b/.brightsec/tests/post-rest-user-login.test.ts
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/user/login', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['xss', 'csrf', 'bopla', 'sqli'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/user/login`,
+ body: {
+ email: 'user@example.com',
+ password: 'securePassword123'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-user-reset-password.test.ts b/.brightsec/tests/post-rest-user-reset-password.test.ts
new file mode 100644
index 0000000..98cdc79
--- /dev/null
+++ b/.brightsec/tests/post-rest-user-reset-password.test.ts
@@ -0,0 +1,41 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/user/reset-password', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'email_injection', 'sqli', 'xss', 'osi'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/user/reset-password`,
+ body: {
+ email: 'user@example.com',
+ answer: 'correct_answer',
+ new: 'newPassword123',
+ repeat: 'newPassword123'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts b/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts
new file mode 100644
index 0000000..de49a0e
--- /dev/null
+++ b/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/web3/walletExploitAddress', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['ssrf', 'nosql', 'xss', 'osi', 'csrf'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/web3/walletExploitAddress`,
+ body: {
+ walletAddress: '0x1234567890abcdef1234567890abcdef12345678'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-rest-web3-walletnftverify.test.ts b/.brightsec/tests/post-rest-web3-walletnftverify.test.ts
new file mode 100644
index 0000000..01c817b
--- /dev/null
+++ b/.brightsec/tests/post-rest-web3-walletnftverify.test.ts
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/web3/walletNFTVerify', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'id_enumeration', 'osi', 'xss'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/rest/web3/walletNFTVerify`,
+ body: {
+ walletAddress: '0x1234567890abcdef1234567890abcdef12345678'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-routes-data-erasure.test.ts b/.brightsec/tests/post-routes-data-erasure.test.ts
new file mode 100644
index 0000000..b9b538e
--- /dev/null
+++ b/.brightsec/tests/post-routes-data-erasure.test.ts
@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /routes/dataErasure', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'lfi', 'xss', 'bopla', 'osi'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/routes/dataErasure`,
+ body: {
+ email: 'user@example.com',
+ securityAnswer: 'myAnswer',
+ layout: 'optionalLayout'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/post-snippets-fixes.test.ts b/.brightsec/tests/post-snippets-fixes.test.ts
new file mode 100644
index 0000000..59678fa
--- /dev/null
+++ b/.brightsec/tests/post-snippets-fixes.test.ts
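Review bot: The target `${baseUrl}/routes/dataErasure` carries a `/routes/` prefix that reads like the server's source layout rather than a mounted URL, and the request is sent as `application/json`; if the live route is served under a different path or expects a form-encoded post, the `lfi` test aimed at `layout` exercises a 404 and the scan passes without ever reaching the handler. Confirm the mounted path and the content type the route accepts against the running application, and adjust `url` and `headers` to match before relying on this test.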
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /snippets/fixes', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'sqli', 'xss', 'proto_pollution', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/snippets/fixes`,
+ body: {
+ key: 'exampleChallengeKey',
+ selectedFix: 1
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-api-addresss-1.test.ts b/.brightsec/tests/put-api-addresss-1.test.ts
new file mode 100644
index 0000000..c64ae64
--- /dev/null
+++ b/.brightsec/tests/put-api-addresss-1.test.ts
@@ -0,0 +1,44 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'sqli', 'xss', 'id_enumeration'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/api/Addresss/1`,
+ body: {
+ fullName: 'John Doe',
+ mobileNum: 1234567890,
+ zipCode: '12345',
+ streetAddress: '123 Main St',
+ city: 'Metropolis',
+ state: 'NY',
+ country: 'USA'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-api-basket-items-1.test.ts b/.brightsec/tests/put-api-basket-items-1.test.ts
new file mode 100644
index 0000000..a96f372
--- /dev/null
+++ b/.brightsec/tests/put-api-basket-items-1.test.ts
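Review bot: The test title `'PUT /api/addresss/1'` and the request `url` (`/api/Addresss/1`) differ in case, so a finding reported under one name has to be mapped by hand to the path that was actually scanned. Using the request path verbatim in the title, `test('PUT /api/Addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => {`, keeps the two aligned. The same title-versus-URL mismatch occurs in put-api-basket-items-1, put-api-cards-1, put-api-challenges-1, put-api-feedbacks-1, put-api-privacy-requests-1, put-api-security-answers-1 and put-api-security-questions-1.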
@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /api/basket-items/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'business_constraint_bypass', 'sqli', 'csrf', 'xss'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/api/BasketItems/1`,
+ body: {
+ ProductId: 1,
+ BasketId: 1,
+ quantity: 2
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-api-cards-1.test.ts b/.brightsec/tests/put-api-cards-1.test.ts
new file mode 100644
index 0000000..e2deddb
--- /dev/null
+++ b/.brightsec/tests/put-api-cards-1.test.ts
@@ -0,0 +1,42 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/api/Cards/1`,
+ body: {
+ UserId: 1,
+ fullName: 'John Doe',
+ cardNum: 1234567812345678,
+ expMonth: 12,
+ expYear: 2099
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-api-challenges-1.test.ts b/.brightsec/tests/put-api-challenges-1.test.ts
new file mode 100644
index 0000000..304d4af
--- /dev/null
+++ b/.brightsec/tests/put-api-challenges-1.test.ts
@@ -0,0 +1,51 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /api/challenges/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'sqli', 'xss', 'csrf', 'id_enumeration'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/api/Challenges/1`,
+ body: {
+ name: "SQL Injection",
+ category: "Injection",
+ description: "Exploit SQL injection vulnerabilities",
+ difficulty: 3,
+ hint: "Check for SQL syntax errors",
+ hintUrl: "http://example.com/hint",
+ mitigationUrl: "http://example.com/mitigation",
+ key: "sqlInjectionChallenge",
+ disabledEnv: null,
+ tutorialOrder: 1,
+ tags: "security,sql",
+ solved: false,
+ codingChallengeStatus: 0,
+ hasCodingChallenge: true
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-api-complaints-1.test.ts b/.brightsec/tests/put-api-complaints-1.test.ts
new file mode 100644
index 0000000..3ea7a02
--- /dev/null
+++ b/.brightsec/tests/put-api-complaints-1.test.ts
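Review bot: The `body` literals in this file use double quotes (`name: "SQL Injection"`, `hintUrl: "http://example.com/hint"`, …) while every sibling test in the patch, including the `headers` line of this same file, uses single quotes; switching the body to single quotes keeps the set consistent under one lint rule. `disabledEnv: null` is the only null-valued field sent by any of these scans, so a short comment on that line saying whether null is the intended "no restriction" value would spare the next reader a lookup.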
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /api/complaints/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'file_upload', 'sqli', 'xss', 'csrf'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/api/complaints/1`,
+ body: {
+ message: 'This is a sample complaint message.',
+ file: 'complaint_document.pdf'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-api-feedbacks-1.test.ts b/.brightsec/tests/put-api-feedbacks-1.test.ts
new file mode 100644
index 0000000..85df968
--- /dev/null
+++ b/.brightsec/tests/put-api-feedbacks-1.test.ts
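Review bot: The `url` `${baseUrl}/api/complaints/1` uses a lowercase resource segment whereas the sibling `/api/...` PUT tests in this patch target PascalCase routes (`/api/Addresss/1`, `/api/Cards/1`, `/api/Feedbacks/1`, `/api/PrivacyRequests/1`); if the server's router is case-sensitive this scan targets a resource that does not exist and passes vacuously on 404s. Confirm the mounted path and, if it is PascalCase, change the segment to `/api/Complaints/1`. put-api-users-123 has the same lowercase form (`/api/users/123`) and should be checked the same way.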
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /api/feedbacks/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/api/Feedbacks/1`,
+ body: {
+ comment: 'This is a sample feedback comment.',
+ rating: 5
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-api-privacy-requests-1.test.ts b/.brightsec/tests/put-api-privacy-requests-1.test.ts
new file mode 100644
index 0000000..b23c0b4
--- /dev/null
+++ b/.brightsec/tests/put-api-privacy-requests-1.test.ts
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /api/privacy-requests/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/api/PrivacyRequests/1`,
+ body: {
+ UserId: 123,
+ deletionRequested: true
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-api-quantitys-1.test.ts b/.brightsec/tests/put-api-quantitys-1.test.ts
new file mode 100644
index 0000000..0e1bc54
--- /dev/null
+++ b/.brightsec/tests/put-api-quantitys-1.test.ts
@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /api/Quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'business_constraint_bypass', 'csrf', 'id_enumeration', 'sqli'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/api/Quantitys/1`,
+ body: {
+ ProductId: 1,
+ quantity: 100,
+ limitPerUser: 5
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-api-security-answers-1.test.ts b/.brightsec/tests/put-api-security-answers-1.test.ts
new file mode 100644
index 0000000..3aac572
--- /dev/null
+++ b/.brightsec/tests/put-api-security-answers-1.test.ts
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /api/security-answers/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'sqli', 'xss', 'id_enumeration'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/api/SecurityAnswers/1`,
+ body: {
+ answer: 'hashed_example_answer'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-api-security-questions-1.test.ts b/.brightsec/tests/put-api-security-questions-1.test.ts
new file mode 100644
index 0000000..b2e4ddf
--- /dev/null
+++ b/.brightsec/tests/put-api-security-questions-1.test.ts
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /api/security-questions/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'xss'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/api/SecurityQuestions/1`,
+ body: {
+ question: 'What is your favorite color?'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-api-users-123.test.ts b/.brightsec/tests/put-api-users-123.test.ts
new file mode 100644
index 0000000..40c2743
--- /dev/null
+++ b/.brightsec/tests/put-api-users-123.test.ts
@@ -0,0 +1,46 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /api/users/123', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'file_upload', 'xss', 'sqli', 'osi', 'proto_pollution'],
+ attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/api/users/123`,
+ body: {
+ username: 'john_doe',
+ email: 'john.doe@example.com',
+ password: 'securePassword123',
+ role: 'customer',
+ deluxeToken: '',
+ lastLoginIp: '192.168.1.1',
+ profileImage: '/assets/public/images/uploads/john_doe.png',
+ totpSecret: '',
+ isActive: true
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-rest-basket-1-coupon-jan23-10.test.ts b/.brightsec/tests/put-rest-basket-1-coupon-jan23-10.test.ts
new file mode 100644
index 0000000..52fd1f9
--- /dev/null
+++ b/.brightsec/tests/put-rest-basket-1-coupon-jan23-10.test.ts
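Review bot: `AttackParamLocation.HEADER` is listed in `attackParamLocations`, but the only header supplied is `Content-Type`, so header-location payloads can do nothing except alter the content type and will mostly be rejected before reaching the handler. If a specific header the endpoint reads is the intended target, add it to `headers` so the scanner has something to mutate; otherwise drop `AttackParamLocation.HEADER` to keep the scan focused on the body. This is the only file in the patch that requests HEADER, so a one-line comment above the list explaining why this endpoint differs would also help.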
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /rest/basket/1/coupon/JAN23-10', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'sqli', 'xss', 'id_enumeration'],
+ attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/rest/basket/1/coupon/JAN23-10`,
+ body: {
+ coupon: 'JAN23-10'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-rest-continue-code-apply-abc123.test.ts b/.brightsec/tests/put-rest-continue-code-apply-abc123.test.ts
new file mode 100644
index 0000000..a094c1e
--- /dev/null
+++ b/.brightsec/tests/put-rest-continue-code-apply-abc123.test.ts
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /rest/continue-code/apply/abc123', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'xss', 'sqli', 'id_enumeration', 'open_database'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/rest/continue-code/apply/abc123`,
+ body: {
+ continueCode: 'abc123'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-rest-continue-code-findit-apply-samplecontinuecode123.test.ts b/.brightsec/tests/put-rest-continue-code-findit-apply-samplecontinuecode123.test.ts
new file mode 100644
index 0000000..b04bb97
--- /dev/null
+++ b/.brightsec/tests/put-rest-continue-code-findit-apply-samplecontinuecode123.test.ts
@@ -0,0 +1,36 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /rest/continue-code-findIt/apply/sampleContinueCode123', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'sqli', 'csrf', 'improper_asset_management'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/rest/continue-code-findIt/apply/sampleContinueCode123`,
+ body: {},
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-rest-order-history-123-delivery-status.test.ts b/.brightsec/tests/put-rest-order-history-123-delivery-status.test.ts
new file mode 100644
index 0000000..aceb56c
--- /dev/null
+++ b/.brightsec/tests/put-rest-order-history-123-delivery-status.test.ts
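Review bot: `body: {}` combined with `attackParamLocations: [AttackParamLocation.BODY]` gives the scanner no parameter to mutate, so `bopla`, `sqli` and `csrf` have nothing to work on and the test will pass vacuously. The only input on this request is the `sampleContinueCode123` path segment, which is not an attack location here; either add `AttackParamLocation.PATH` or supply the body field the route actually reads (the sibling put-rest-continue-code-apply-abc123 test sends `continueCode`). Whether this endpoint consumes a body at all cannot be told from the hunk, so the choice should be checked against the route handler and recorded in a one-line comment above `body:`.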
@@ -0,0 +1,38 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /rest/order-history/123/delivery-status', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'],
+ attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.PATH, AttackParamLocation.HEADER]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/rest/order-history/123/delivery-status`,
+ body: {
+ deliveryStatus: true
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-rest-products-123-reviews.test.ts b/.brightsec/tests/put-rest-products-123-reviews.test.ts
new file mode 100644
index 0000000..b7723f7
--- /dev/null
+++ b/.brightsec/tests/put-rest-products-123-reviews.test.ts
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /rest/products/123/reviews', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'xss', 'sqli', 'nosql', 'email_injection'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/rest/products/123/reviews`,
+ body: {
+ message: 'Great product!',
+ author: 'user@example.com'
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
diff --git a/.brightsec/tests/put-rest-wallet-balance.test.ts b/.brightsec/tests/put-rest-wallet-balance.test.ts
new file mode 100644
index 0000000..f30c3d7
--- /dev/null
+++ b/.brightsec/tests/put-rest-wallet-balance.test.ts
@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /rest/wallet/balance', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['bopla', 'csrf', 'sqli', 'nosql', 'xss', 'id_enumeration'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.PUT,
+ url: `${baseUrl}/rest/wallet/balance`,
+ body: {
+ paymentId: '123',
+ balance: 100
+ },
+ headers: { 'Content-Type': 'application/json' },
+ auth: process.env.BRIGHT_AUTH_ID
+ });
+});
From 2cb3ea3d29cd4ec3ed96762879f9991d52211c35 Mon Sep 17 00:00:00 2001
From: Viachaslau
Date: Tue, 8 Jul 2025 19:18:46 +0400
Subject: [PATCH 4/4] ci: add CI workflow to run e2e security tests

---
 .github/workflows/bright.yml | 53 ++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 .github/workflows/bright.yml

diff --git a/.github/workflows/bright.yml b/.github/workflows/bright.yml
new file mode 100644
index 0000000..f2d9ebb
--- /dev/null
+++ b/.github/workflows/bright.yml
@@ -0,0 +1,53 @@
+name: Bright
+
+on:
+ pull_request:
+ branches:
+ - '**'
+
+permissions:
+ checks: write
+ contents: read
+
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ env:
+ BRIGHT_HOSTNAME: ${{ vars.BRIGHT_HOSTNAME }}
+ BRIGHT_PROJECT_ID: ${{ vars.BRIGHT_PROJECT_ID }}
+ BRIGHT_AUTH_ID: ${{ vars.BRIGHT_AUTH_ID }}
+ BRIGHT_TOKEN: ${{ secrets.BRIGHT_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ BRIGHT_TARGET_URL: 'http://127.0.0.1:3000'
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v4
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 22
+
+ - name: Install application dependencies
+ run: npm install
+
+ - name: Install SecTester dependencies
+ run: npm i --save=false --prefix .brightsec @sectester/core @sectester/repeater @sectester/scan @sectester/runner @sectester/reporter
+
+ - name: Ensure .env file exists
+ run: |
+ if [ ! -f .env ]; then
+ echo "Missing .env file!" && exit 1
+ fi
+
+ - name: Start application
+ run: |
+ npm start &
+ while ! nc -z 127.0.0.1 3000; do
+ sleep 1
+ done
+
+ - name: Run security tests
+ run: |
+ node --experimental-transform-types --experimental-strip-types --experimental-detect-module --disable-warning=MODULE_TYPELESS_PACKAGE_JSON --disable-warning=ExperimentalWarning --test-force-exit --test-concurrency=4 --test .brightsec/tests/*.test.ts
\ No newline at end of file
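Review bot: `BRIGHT_TOKEN` and `GITHUB_TOKEN` are declared as job-level `env`, so every step can read them — including the `npm install` lifecycle scripts of whatever package.json the pull request head contains, and with `branches: ['**']` that is every same-repository PR (fork PRs get no secrets anyway, which also means this job will simply fail for them). Scoping both tokens to the `Run security tests` step's `env` and keeping only the non-secret `vars` at job level limits the exposure to the one step that presumably needs them. The `Start application` wait loop also has no upper bound: if `npm start` exits, `nc -z` never succeeds and the job spins until the runner's default job timeout, so a retry budget plus a job-level `timeout-minutes` sized to the 40-minute per-test budget in `.brightsec/tests` is needed. The actions are referenced by floating major tags (`actions/checkout@v4`, `actions/setup-node@v4`); pinning to a full commit SHA is the usual hardening for a workflow that is handed secrets, and the file is missing its trailing newline.
```yaml
jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    timeout-minutes: 90  # constructed value; size to the per-test timeout in .brightsec/tests
    env:
      BRIGHT_HOSTNAME: ${{ vars.BRIGHT_HOSTNAME }}
      BRIGHT_PROJECT_ID: ${{ vars.BRIGHT_PROJECT_ID }}
      BRIGHT_AUTH_ID: ${{ vars.BRIGHT_AUTH_ID }}
      BRIGHT_TARGET_URL: 'http://127.0.0.1:3000'
    steps:
      # … unchanged: checkout, setup-node, npm install, SecTester install, .env check …

      - name: Start application
        run: |
          npm start &
          for _ in $(seq 1 60); do
            if nc -z 127.0.0.1 3000; then break; fi
            sleep 1
          done
          nc -z 127.0.0.1 3000 || { echo "Application did not start within 60s"; exit 1; }

      - name: Run security tests
        env:
          BRIGHT_TOKEN: ${{ secrets.BRIGHT_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # … unchanged: node --test invocation …
```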