From f5c72cca9d8809f2bf21015327dc300627454540 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Tue, 25 Nov 2025 14:09:19 +0400 Subject: [PATCH 1/6] chore: initialize PR with an empty commit skip-checks:true From 93b58d74b4cc5557ecfd3d808bcbf36aa1dcb879 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Tue, 25 Nov 2025 14:44:48 +0400 Subject: [PATCH 2/6] ci: temporarily disable workflows while addressing security issues skip-checks:true --- .github/workflows/lint-fixer.yml | 29 ----------------------------- .gitlab-ci.yml | 7 ------- 2 files changed, 36 deletions(-) delete mode 100644 .github/workflows/lint-fixer.yml delete mode 100644 .gitlab-ci.yml diff --git a/.github/workflows/lint-fixer.yml b/.github/workflows/lint-fixer.yml deleted file mode 100644 index 907f841e1b8..00000000000 --- a/.github/workflows/lint-fixer.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: "Let me lint:fix that for you" - -on: [push] - -jobs: - LMLFTFY: - runs-on: ubuntu-latest - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Use Node.js 22" - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version: 22 - - name: "Install application" - run: | - npm install --ignore-scripts - cd frontend - npm install --ignore-scripts --legacy-peer-deps - - name: "Fix everything which can be fixed" - run: 'npm run lint:fix' - - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1 - with: - commit_message: "Auto-fix linting issues" - branch: ${{ github.head_ref }} - commit_options: '--signoff' - commit_user_name: JuiceShopBot - commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com - commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index 7b5f3c01b0a..00000000000 --- a/.gitlab-ci.yml +++ /dev/null @@ -1,7 +0,0 @@ -include: - - template: Auto-DevOps.gitlab-ci.yml - -variables: - SAST_EXCLUDED_PATHS: "frontend/src/assets/private/**" - TEST_DISABLED: "true" - DAST_DISABLED: "true" From b464442731cb593ecec8d9344aae84cdcb23489c Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Tue, 25 Nov 2025 15:32:54 +0400 Subject: [PATCH 3/6] test: add auto-generated e2e security tests skip-checks:true --- .brightsec/tests/delete-api-address-1.test.ts | 44 ++++++++++++++ .../tests/delete-api-addresss-1.test.ts | 43 ++++++++++++++ .../tests/delete-api-basketitems-1.test.ts | 43 ++++++++++++++ .brightsec/tests/delete-api-cards-1.test.ts | 42 ++++++++++++++ .../tests/delete-api-challenges-1.test.ts | 42 ++++++++++++++ .../tests/delete-api-complaints-1.test.ts | 42 ++++++++++++++ .../tests/delete-api-feedbacks-1.test.ts | 42 ++++++++++++++ .brightsec/tests/delete-api-hints-1.test.ts | 42 ++++++++++++++ .../delete-api-privacy-requests-1.test.ts | 43 ++++++++++++++ .../tests/delete-api-products-1.test.ts | 42 ++++++++++++++ .../tests/delete-api-quantitys-1.test.ts | 42 ++++++++++++++ .brightsec/tests/delete-api-recycle-1.test.ts | 42 ++++++++++++++ .../tests/delete-api-recycles-1.test.ts | 42 ++++++++++++++ .../delete-api-security-answers-1.test.ts | 42 ++++++++++++++ .../delete-api-security-questions-1.test.ts | 42 ++++++++++++++ .brightsec/tests/delete-api-users-1.test.ts | 43 ++++++++++++++ .brightsec/tests/get-api-address-1.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-addresss-1.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-addresss.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-basket-items.test.ts | 43 ++++++++++++++ .brightsec/tests/get-api-basketitem-1.test.ts | 42 ++++++++++++++ .../tests/get-api-basketitems-1.test.ts | 43 ++++++++++++++ .brightsec/tests/get-api-cards-1.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-cards.test.ts | 43 ++++++++++++++ .brightsec/tests/get-api-challenges-1.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-challenges.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-complaints-1.test.ts | 43 ++++++++++++++ .brightsec/tests/get-api-complaints.test.ts | 43 ++++++++++++++ .brightsec/tests/get-api-deliverys-1.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-deliverys.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-docs.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-feedbacks-1.test.ts | 43 ++++++++++++++ .brightsec/tests/get-api-feedbacks.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-hints-1.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-hints.test.ts | 42 ++++++++++++++ .../tests/get-api-privacy-requests-1.test.ts | 43 ++++++++++++++ .../tests/get-api-privacy-requests.test.ts | 43 ++++++++++++++ .brightsec/tests/get-api-products-1.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-products.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-quantitys-1.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-quantitys.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-recycle-1.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-recycles-1.test.ts | 42 ++++++++++++++ .../tests/get-api-security-answers-1.test.ts | 42 ++++++++++++++ .../tests/get-api-security-answers.test.ts | 42 ++++++++++++++ .brightsec/tests/get-api-users-1.test.ts | 43 ++++++++++++++ .brightsec/tests/get-api-users.test.ts | 43 ++++++++++++++ .../get-assets-public-images-padding.test.ts | 42 ++++++++++++++ .../get-assets-public-images-products.test.ts | 42 ++++++++++++++ .../get-assets-public-images-uploads.test.ts | 42 ++++++++++++++ .brightsec/tests/get-dataerasure.test.ts | 43 ++++++++++++++ .../get-encryptionkeys-samplefile-txt.test.ts | 42 ++++++++++++++ .../get-encryptionkeys-samplefile.test.ts | 42 ++++++++++++++ .../get-ftp-quarantine-samplefile-txt.test.ts | 42 ++++++++++++++ .../tests/get-ftp-sample-file-md.test.ts | 42 ++++++++++++++ .brightsec/tests/get-ftp-sample-md.test.ts | 43 ++++++++++++++ .brightsec/tests/get-metrics.test.ts | 43 ++++++++++++++ .brightsec/tests/get-profile.test.ts | 45 +++++++++++++++ .brightsec/tests/get-promotion.test.ts | 43 ++++++++++++++ .brightsec/tests/get-redirect.test.ts | 43 ++++++++++++++ .brightsec/tests/get-rest-2fa-status.test.ts | 43 ++++++++++++++ ...st-admin-application-configuration.test.ts | 43 ++++++++++++++ ...get-rest-admin-application-version.test.ts | 42 ++++++++++++++ .../tests/get-rest-basket-1-order.test.ts | 43 ++++++++++++++ .brightsec/tests/get-rest-basket-1.test.ts | 42 ++++++++++++++ .brightsec/tests/get-rest-captcha.test.ts | 42 ++++++++++++++ .../tests/get-rest-chatbot-status.test.ts | 43 ++++++++++++++ .../get-rest-continue-code-findit.test.ts | 42 ++++++++++++++ .../get-rest-continue-code-fixit.test.ts | 42 ++++++++++++++ .../tests/get-rest-continue-code.test.ts | 42 ++++++++++++++ .../tests/get-rest-country-mapping.test.ts | 43 ++++++++++++++ .../tests/get-rest-deluxe-membership.test.ts | 42 ++++++++++++++ .../tests/get-rest-image-captcha.test.ts | 43 ++++++++++++++ .brightsec/tests/get-rest-languages.test.ts | 43 ++++++++++++++ .brightsec/tests/get-rest-memories.test.ts | 42 ++++++++++++++ .../get-rest-order-history-orders.test.ts | 43 ++++++++++++++ .../tests/get-rest-order-history.test.ts | 43 ++++++++++++++ .../tests/get-rest-products-1-reviews.test.ts | 42 ++++++++++++++ .../tests/get-rest-products-search.test.ts | 42 ++++++++++++++ .../get-rest-repeat-notification.test.ts | 42 ++++++++++++++ .../tests/get-rest-save-login-ip.test.ts | 43 ++++++++++++++ .../tests/get-rest-track-order-12345.test.ts | 42 ++++++++++++++ ...t-rest-user-authentication-details.test.ts | 43 ++++++++++++++ .../get-rest-user-change-password.test.ts | 43 ++++++++++++++ .../get-rest-user-security-question.test.ts | 42 ++++++++++++++ .brightsec/tests/get-rest-user-whoami.test.ts | 43 ++++++++++++++ .../tests/get-rest-wallet-balance.test.ts | 42 ++++++++++++++ .../get-rest-web3-nft-mint-listen.test.ts | 42 ++++++++++++++ .../tests/get-rest-web3-nft-unlocked.test.ts | 42 ++++++++++++++ .brightsec/tests/get-security-txt.test.ts | 43 ++++++++++++++ .../get-snippets-fixes-sample-key.test.ts | 42 ++++++++++++++ .../get-snippets-sample-challenge.test.ts | 42 ++++++++++++++ .../get-solve-challenges-server-side.test.ts | 42 ++++++++++++++ .../tests/get-support-logs-sample-log.test.ts | 42 ++++++++++++++ ...n-easter-egg-within-the-easter-egg.test.ts | 43 ++++++++++++++ ...-be-unlocked-by-sending-1btc-to-us.test.ts | 43 ++++++++++++++ .brightsec/tests/get-video.test.ts | 49 ++++++++++++++++ ...easonably-necessary-responsibility.test.ts | 42 ++++++++++++++ .../tests/get-well-known-security-txt.test.ts | 43 ++++++++++++++ .brightsec/tests/get-well-known.test.ts | 43 ++++++++++++++ .../patch-rest-products-id-reviews.test.ts | 47 +++++++++++++++ .../tests/patch-rest-products-reviews.test.ts | 50 ++++++++++++++++ .brightsec/tests/post-api-addresss.test.ts | 53 +++++++++++++++++ .../tests/post-api-basket-items.test.ts | 44 ++++++++++++++ .brightsec/tests/post-api-cards.test.ts | 51 +++++++++++++++++ .brightsec/tests/post-api-challenges.test.ts | 57 +++++++++++++++++++ .brightsec/tests/post-api-complaints.test.ts | 48 ++++++++++++++++ .brightsec/tests/post-api-feedbacks.test.ts | 48 ++++++++++++++++ .brightsec/tests/post-api-hints.test.ts | 42 ++++++++++++++ .../tests/post-api-privacy-requests.test.ts | 47 +++++++++++++++ .brightsec/tests/post-api-products.test.ts | 50 ++++++++++++++++ .brightsec/tests/post-api-quantitys.test.ts | 48 ++++++++++++++++ .brightsec/tests/post-api-recycles.test.ts | 51 +++++++++++++++++ .../tests/post-api-security-questions.test.ts | 42 ++++++++++++++ .brightsec/tests/post-api-users.test.ts | 48 ++++++++++++++++ .brightsec/tests/post-b2b-v2-orders.test.ts | 50 ++++++++++++++++ .brightsec/tests/post-dataerasure.test.ts | 47 +++++++++++++++ .brightsec/tests/post-file-upload.test.ts | 44 ++++++++++++++ .../tests/post-profile-image-file.test.ts | 47 +++++++++++++++ .../tests/post-profile-image-url.test.ts | 46 +++++++++++++++ .brightsec/tests/post-profile.test.ts | 49 ++++++++++++++++ .../tests/post-rest-2fa-disable.test.ts | 46 +++++++++++++++ .brightsec/tests/post-rest-2fa-setup.test.ts | 48 ++++++++++++++++ .brightsec/tests/post-rest-2fa-verify.test.ts | 47 +++++++++++++++ .../tests/post-rest-basket-1-checkout.test.ts | 51 +++++++++++++++++ .../tests/post-rest-chatbot-respond.test.ts | 47 +++++++++++++++ .../tests/post-rest-deluxe-membership.test.ts | 50 ++++++++++++++++ .brightsec/tests/post-rest-memories.test.ts | 47 +++++++++++++++ .../tests/post-rest-products-reviews.test.ts | 46 +++++++++++++++ .../tests/post-rest-user-data-export.test.ts | 44 ++++++++++++++ .brightsec/tests/post-rest-user-login.test.ts | 47 +++++++++++++++ .../post-rest-user-reset-password.test.ts | 49 ++++++++++++++++ .../tests/post-rest-web3-submit-key.test.ts | 46 +++++++++++++++ ...t-rest-web3-wallet-exploit-address.test.ts | 46 +++++++++++++++ .../post-rest-web3-wallet-nft-verify.test.ts | 46 +++++++++++++++ .brightsec/tests/post-snippets-fixes.test.ts | 47 +++++++++++++++ .../tests/post-snippets-verdict.test.ts | 47 +++++++++++++++ .brightsec/tests/put-api-addresss-1.test.ts | 52 +++++++++++++++++ .../tests/put-api-basketitems-1.test.ts | 48 ++++++++++++++++ .brightsec/tests/put-api-cards-1.test.ts | 50 ++++++++++++++++ .brightsec/tests/put-api-challenges-1.test.ts | 51 +++++++++++++++++ .brightsec/tests/put-api-complaints-1.test.ts | 48 ++++++++++++++++ .brightsec/tests/put-api-feedbacks-1.test.ts | 42 ++++++++++++++ .brightsec/tests/put-api-hints-1.test.ts | 49 ++++++++++++++++ .../tests/put-api-privacy-requests-1.test.ts | 47 +++++++++++++++ .brightsec/tests/put-api-products-1.test.ts | 50 ++++++++++++++++ .brightsec/tests/put-api-quantitys-1.test.ts | 51 +++++++++++++++++ .brightsec/tests/put-api-recycles-1.test.ts | 51 +++++++++++++++++ .../tests/put-api-security-answers-1.test.ts | 48 ++++++++++++++++ .../put-api-security-questions-1.test.ts | 46 +++++++++++++++ .brightsec/tests/put-api-users-1.test.ts | 49 ++++++++++++++++ .../put-rest-basket-1-coupon-jan24-10.test.ts | 43 ++++++++++++++ ...ntinue-code-apply-example-code-123.test.ts | 46 +++++++++++++++ ...st-continue-code-findit-apply-code.test.ts | 46 +++++++++++++++ ...ue-code-fixit-apply-examplecode123.test.ts | 46 +++++++++++++++ ...st-order-history-1-delivery-status.test.ts | 47 +++++++++++++++ .../tests/put-rest-wallet-balance.test.ts | 48 ++++++++++++++++ 157 files changed, 6970 insertions(+) create mode 100644 .brightsec/tests/delete-api-address-1.test.ts create mode 100644 .brightsec/tests/delete-api-addresss-1.test.ts create mode 100644 .brightsec/tests/delete-api-basketitems-1.test.ts create mode 100644 .brightsec/tests/delete-api-cards-1.test.ts create mode 100644 .brightsec/tests/delete-api-challenges-1.test.ts create mode 100644 .brightsec/tests/delete-api-complaints-1.test.ts create mode 100644 .brightsec/tests/delete-api-feedbacks-1.test.ts create mode 100644 .brightsec/tests/delete-api-hints-1.test.ts create mode 100644 .brightsec/tests/delete-api-privacy-requests-1.test.ts create mode 100644 .brightsec/tests/delete-api-products-1.test.ts create mode 100644 .brightsec/tests/delete-api-quantitys-1.test.ts create mode 100644 .brightsec/tests/delete-api-recycle-1.test.ts create mode 100644 .brightsec/tests/delete-api-recycles-1.test.ts create mode 100644 .brightsec/tests/delete-api-security-answers-1.test.ts create mode 100644 .brightsec/tests/delete-api-security-questions-1.test.ts create mode 100644 .brightsec/tests/delete-api-users-1.test.ts create mode 100644 .brightsec/tests/get-api-address-1.test.ts create mode 100644 .brightsec/tests/get-api-addresss-1.test.ts create mode 100644 .brightsec/tests/get-api-addresss.test.ts create mode 100644 .brightsec/tests/get-api-basket-items.test.ts create mode 100644 .brightsec/tests/get-api-basketitem-1.test.ts create mode 100644 .brightsec/tests/get-api-basketitems-1.test.ts create mode 100644 .brightsec/tests/get-api-cards-1.test.ts create mode 100644 .brightsec/tests/get-api-cards.test.ts create mode 100644 .brightsec/tests/get-api-challenges-1.test.ts create mode 100644 .brightsec/tests/get-api-challenges.test.ts create mode 100644 .brightsec/tests/get-api-complaints-1.test.ts create mode 100644 .brightsec/tests/get-api-complaints.test.ts create mode 100644 .brightsec/tests/get-api-deliverys-1.test.ts create mode 100644 .brightsec/tests/get-api-deliverys.test.ts create mode 100644 .brightsec/tests/get-api-docs.test.ts create mode 100644 .brightsec/tests/get-api-feedbacks-1.test.ts create mode 100644 .brightsec/tests/get-api-feedbacks.test.ts create mode 100644 .brightsec/tests/get-api-hints-1.test.ts create mode 100644 .brightsec/tests/get-api-hints.test.ts create mode 100644 .brightsec/tests/get-api-privacy-requests-1.test.ts create mode 100644 .brightsec/tests/get-api-privacy-requests.test.ts create mode 100644 .brightsec/tests/get-api-products-1.test.ts create mode 100644 .brightsec/tests/get-api-products.test.ts create mode 100644 .brightsec/tests/get-api-quantitys-1.test.ts create mode 100644 .brightsec/tests/get-api-quantitys.test.ts create mode 100644 .brightsec/tests/get-api-recycle-1.test.ts create mode 100644 .brightsec/tests/get-api-recycles-1.test.ts create mode 100644 .brightsec/tests/get-api-security-answers-1.test.ts create mode 100644 .brightsec/tests/get-api-security-answers.test.ts create mode 100644 .brightsec/tests/get-api-users-1.test.ts create mode 100644 .brightsec/tests/get-api-users.test.ts create mode 100644 .brightsec/tests/get-assets-public-images-padding.test.ts create mode 100644 .brightsec/tests/get-assets-public-images-products.test.ts create mode 100644 .brightsec/tests/get-assets-public-images-uploads.test.ts create mode 100644 .brightsec/tests/get-dataerasure.test.ts create mode 100644 .brightsec/tests/get-encryptionkeys-samplefile-txt.test.ts create mode 100644 .brightsec/tests/get-encryptionkeys-samplefile.test.ts create mode 100644 .brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts create mode 100644 .brightsec/tests/get-ftp-sample-file-md.test.ts create mode 100644 .brightsec/tests/get-ftp-sample-md.test.ts create mode 100644 .brightsec/tests/get-metrics.test.ts create mode 100644 .brightsec/tests/get-profile.test.ts create mode 100644 .brightsec/tests/get-promotion.test.ts create mode 100644 .brightsec/tests/get-redirect.test.ts create mode 100644 .brightsec/tests/get-rest-2fa-status.test.ts create mode 100644 .brightsec/tests/get-rest-admin-application-configuration.test.ts create mode 100644 .brightsec/tests/get-rest-admin-application-version.test.ts create mode 100644 .brightsec/tests/get-rest-basket-1-order.test.ts create mode 100644 .brightsec/tests/get-rest-basket-1.test.ts create mode 100644 .brightsec/tests/get-rest-captcha.test.ts create mode 100644 .brightsec/tests/get-rest-chatbot-status.test.ts create mode 100644 .brightsec/tests/get-rest-continue-code-findit.test.ts create mode 100644 .brightsec/tests/get-rest-continue-code-fixit.test.ts create mode 100644 .brightsec/tests/get-rest-continue-code.test.ts create mode 100644 .brightsec/tests/get-rest-country-mapping.test.ts create mode 100644 .brightsec/tests/get-rest-deluxe-membership.test.ts create mode 100644 .brightsec/tests/get-rest-image-captcha.test.ts create mode 100644 .brightsec/tests/get-rest-languages.test.ts create mode 100644 .brightsec/tests/get-rest-memories.test.ts create mode 100644 .brightsec/tests/get-rest-order-history-orders.test.ts create mode 100644 .brightsec/tests/get-rest-order-history.test.ts create mode 100644 .brightsec/tests/get-rest-products-1-reviews.test.ts create mode 100644 .brightsec/tests/get-rest-products-search.test.ts create mode 100644 .brightsec/tests/get-rest-repeat-notification.test.ts create mode 100644 .brightsec/tests/get-rest-save-login-ip.test.ts create mode 100644 .brightsec/tests/get-rest-track-order-12345.test.ts create mode 100644 .brightsec/tests/get-rest-user-authentication-details.test.ts create mode 100644 .brightsec/tests/get-rest-user-change-password.test.ts create mode 100644 .brightsec/tests/get-rest-user-security-question.test.ts create mode 100644 .brightsec/tests/get-rest-user-whoami.test.ts create mode 100644 .brightsec/tests/get-rest-wallet-balance.test.ts create mode 100644 .brightsec/tests/get-rest-web3-nft-mint-listen.test.ts create mode 100644 .brightsec/tests/get-rest-web3-nft-unlocked.test.ts create mode 100644 .brightsec/tests/get-security-txt.test.ts create mode 100644 .brightsec/tests/get-snippets-fixes-sample-key.test.ts create mode 100644 .brightsec/tests/get-snippets-sample-challenge.test.ts create mode 100644 .brightsec/tests/get-solve-challenges-server-side.test.ts create mode 100644 .brightsec/tests/get-support-logs-sample-log.test.ts create mode 100644 .brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts create mode 100644 .brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts create mode 100644 .brightsec/tests/get-video.test.ts create mode 100644 .brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts create mode 100644 .brightsec/tests/get-well-known-security-txt.test.ts create mode 100644 .brightsec/tests/get-well-known.test.ts create mode 100644 .brightsec/tests/patch-rest-products-id-reviews.test.ts create mode 100644 .brightsec/tests/patch-rest-products-reviews.test.ts create mode 100644 .brightsec/tests/post-api-addresss.test.ts create mode 100644 .brightsec/tests/post-api-basket-items.test.ts create mode 100644 .brightsec/tests/post-api-cards.test.ts create mode 100644 .brightsec/tests/post-api-challenges.test.ts create mode 100644 .brightsec/tests/post-api-complaints.test.ts create mode 100644 .brightsec/tests/post-api-feedbacks.test.ts create mode 100644 .brightsec/tests/post-api-hints.test.ts create mode 100644 .brightsec/tests/post-api-privacy-requests.test.ts create mode 100644 .brightsec/tests/post-api-products.test.ts create mode 100644 .brightsec/tests/post-api-quantitys.test.ts create mode 100644 .brightsec/tests/post-api-recycles.test.ts create mode 100644 .brightsec/tests/post-api-security-questions.test.ts create mode 100644 .brightsec/tests/post-api-users.test.ts create mode 100644 .brightsec/tests/post-b2b-v2-orders.test.ts create mode 100644 .brightsec/tests/post-dataerasure.test.ts create mode 100644 .brightsec/tests/post-file-upload.test.ts create mode 100644 .brightsec/tests/post-profile-image-file.test.ts create mode 100644 .brightsec/tests/post-profile-image-url.test.ts create mode 100644 .brightsec/tests/post-profile.test.ts create mode 100644 .brightsec/tests/post-rest-2fa-disable.test.ts create mode 100644 .brightsec/tests/post-rest-2fa-setup.test.ts create mode 100644 .brightsec/tests/post-rest-2fa-verify.test.ts create mode 100644 .brightsec/tests/post-rest-basket-1-checkout.test.ts create mode 100644 .brightsec/tests/post-rest-chatbot-respond.test.ts create mode 100644 .brightsec/tests/post-rest-deluxe-membership.test.ts create mode 100644 .brightsec/tests/post-rest-memories.test.ts create mode 100644 .brightsec/tests/post-rest-products-reviews.test.ts create mode 100644 .brightsec/tests/post-rest-user-data-export.test.ts create mode 100644 .brightsec/tests/post-rest-user-login.test.ts create mode 100644 .brightsec/tests/post-rest-user-reset-password.test.ts create mode 100644 .brightsec/tests/post-rest-web3-submit-key.test.ts create mode 100644 .brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts create mode 100644 .brightsec/tests/post-rest-web3-wallet-nft-verify.test.ts create mode 100644 .brightsec/tests/post-snippets-fixes.test.ts create mode 100644 .brightsec/tests/post-snippets-verdict.test.ts create mode 100644 .brightsec/tests/put-api-addresss-1.test.ts create mode 100644 .brightsec/tests/put-api-basketitems-1.test.ts create mode 100644 .brightsec/tests/put-api-cards-1.test.ts create mode 100644 .brightsec/tests/put-api-challenges-1.test.ts create mode 100644 .brightsec/tests/put-api-complaints-1.test.ts create mode 100644 .brightsec/tests/put-api-feedbacks-1.test.ts create mode 100644 .brightsec/tests/put-api-hints-1.test.ts create mode 100644 .brightsec/tests/put-api-privacy-requests-1.test.ts create mode 100644 .brightsec/tests/put-api-products-1.test.ts create mode 100644 .brightsec/tests/put-api-quantitys-1.test.ts create mode 100644 .brightsec/tests/put-api-recycles-1.test.ts create mode 100644 .brightsec/tests/put-api-security-answers-1.test.ts create mode 100644 .brightsec/tests/put-api-security-questions-1.test.ts create mode 100644 .brightsec/tests/put-api-users-1.test.ts create mode 100644 .brightsec/tests/put-rest-basket-1-coupon-jan24-10.test.ts create mode 100644 .brightsec/tests/put-rest-continue-code-apply-example-code-123.test.ts create mode 100644 .brightsec/tests/put-rest-continue-code-findit-apply-code.test.ts create mode 100644 .brightsec/tests/put-rest-continue-code-fixit-apply-examplecode123.test.ts create mode 100644 .brightsec/tests/put-rest-order-history-1-delivery-status.test.ts create mode 100644 .brightsec/tests/put-rest-wallet-balance.test.ts diff --git a/.brightsec/tests/delete-api-address-1.test.ts b/.brightsec/tests/delete-api-address-1.test.ts new file mode 100644 index 00000000000..1f80c3cf00a --- /dev/null +++ b/.brightsec/tests/delete-api-address-1.test.ts @@ -0,0 +1,44 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/address/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Address/1`, + body: { UserId: 1 }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-addresss-1.test.ts b/.brightsec/tests/delete-api-addresss-1.test.ts new file mode 100644 index 00000000000..e978af15683 --- /dev/null +++ b/.brightsec/tests/delete-api-addresss-1.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Addresss/1`, + headers: { 'X-Recruiting': 'We are hiring!' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-basketitems-1.test.ts b/.brightsec/tests/delete-api-basketitems-1.test.ts new file mode 100644 index 00000000000..2fc22949611 --- /dev/null +++ b/.brightsec/tests/delete-api-basketitems-1.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/BasketItems/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/BasketItems/1`, + headers: { 'Authorization': 'Bearer ' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-cards-1.test.ts b/.brightsec/tests/delete-api-cards-1.test.ts new file mode 100644 index 00000000000..ad6ad1b49d9 --- /dev/null +++ b/.brightsec/tests/delete-api-cards-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/cards/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-challenges-1.test.ts b/.brightsec/tests/delete-api-challenges-1.test.ts new file mode 100644 index 00000000000..281126be543 --- /dev/null +++ b/.brightsec/tests/delete-api-challenges-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/Challenges/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Challenges/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-complaints-1.test.ts b/.brightsec/tests/delete-api-complaints-1.test.ts new file mode 100644 index 00000000000..3928b7feaaf --- /dev/null +++ b/.brightsec/tests/delete-api-complaints-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/Complaints/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Complaints/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-feedbacks-1.test.ts b/.brightsec/tests/delete-api-feedbacks-1.test.ts new file mode 100644 index 00000000000..a2d70fa80c9 --- /dev/null +++ b/.brightsec/tests/delete-api-feedbacks-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/Feedbacks/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'id_enumeration', 'bopla', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Feedbacks/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-hints-1.test.ts b/.brightsec/tests/delete-api-hints-1.test.ts new file mode 100644 index 00000000000..12381155ea4 --- /dev/null +++ b/.brightsec/tests/delete-api-hints-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/Hints/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Hints/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-privacy-requests-1.test.ts b/.brightsec/tests/delete-api-privacy-requests-1.test.ts new file mode 100644 index 00000000000..f41689f1faf --- /dev/null +++ b/.brightsec/tests/delete-api-privacy-requests-1.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/privacy-requests/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/PrivacyRequests/1`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-products-1.test.ts b/.brightsec/tests/delete-api-products-1.test.ts new file mode 100644 index 00000000000..48c1e9e2256 --- /dev/null +++ b/.brightsec/tests/delete-api-products-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/products/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'id_enumeration', 'bopla', 'http_method_fuzzing', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Products/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-quantitys-1.test.ts b/.brightsec/tests/delete-api-quantitys-1.test.ts new file mode 100644 index 00000000000..26c0d9a418a --- /dev/null +++ b/.brightsec/tests/delete-api-quantitys-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'http_method_fuzzing', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Quantitys/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-recycle-1.test.ts b/.brightsec/tests/delete-api-recycle-1.test.ts new file mode 100644 index 00000000000..9eca4e0b660 --- /dev/null +++ b/.brightsec/tests/delete-api-recycle-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/recycle/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'id_enumeration', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/recycle/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-recycles-1.test.ts b/.brightsec/tests/delete-api-recycles-1.test.ts new file mode 100644 index 00000000000..11dd3929dd8 --- /dev/null +++ b/.brightsec/tests/delete-api-recycles-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'id_enumeration', 'csrf', 'bopla'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Recycles/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-security-answers-1.test.ts b/.brightsec/tests/delete-api-security-answers-1.test.ts new file mode 100644 index 00000000000..998ea77f1cb --- /dev/null +++ b/.brightsec/tests/delete-api-security-answers-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/security-answers/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/SecurityAnswers/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-security-questions-1.test.ts b/.brightsec/tests/delete-api-security-questions-1.test.ts new file mode 100644 index 00000000000..70eefdaf204 --- /dev/null +++ b/.brightsec/tests/delete-api-security-questions-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/security-questions/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/SecurityQuestions/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-users-1.test.ts b/.brightsec/tests/delete-api-users-1.test.ts new file mode 100644 index 00000000000..c7934b63573 --- /dev/null +++ b/.brightsec/tests/delete-api-users-1.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('DELETE /api/users/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'jwt', 'xss'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.DELETE, + url: `${baseUrl}/api/Users/1`, + headers: { Authorization: 'Bearer ' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-address-1.test.ts b/.brightsec/tests/get-api-address-1.test.ts new file mode 100644 index 00000000000..49da2902d57 --- /dev/null +++ b/.brightsec/tests/get-api-address-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/address/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'xss', 'sqli', 'csrf', 'full_path_disclosure', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Address/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-addresss-1.test.ts b/.brightsec/tests/get-api-addresss-1.test.ts new file mode 100644 index 00000000000..74c576a64cd --- /dev/null +++ b/.brightsec/tests/get-api-addresss-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Addresss/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-addresss.test.ts b/.brightsec/tests/get-api-addresss.test.ts new file mode 100644 index 00000000000..fdf79760b39 --- /dev/null +++ b/.brightsec/tests/get-api-addresss.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/addresss', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'xss', 'sqli', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Addresss`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-basket-items.test.ts b/.brightsec/tests/get-api-basket-items.test.ts new file mode 100644 index 00000000000..47a004a1ec5 --- /dev/null +++ b/.brightsec/tests/get-api-basket-items.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/basket-items', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/BasketItems`, + headers: { 'X-Recruiting': 'We are hiring! Check out our careers page.' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-basketitem-1.test.ts b/.brightsec/tests/get-api-basketitem-1.test.ts new file mode 100644 index 00000000000..277391799ed --- /dev/null +++ b/.brightsec/tests/get-api-basketitem-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/basketitem/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/BasketItem/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-basketitems-1.test.ts b/.brightsec/tests/get-api-basketitems-1.test.ts new file mode 100644 index 00000000000..fd89901c9f4 --- /dev/null +++ b/.brightsec/tests/get-api-basketitems-1.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/basketitems/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/BasketItems/1`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-cards-1.test.ts b/.brightsec/tests/get-api-cards-1.test.ts new file mode 100644 index 00000000000..90d7f6144ab --- /dev/null +++ b/.brightsec/tests/get-api-cards-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/cards/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-cards.test.ts b/.brightsec/tests/get-api-cards.test.ts new file mode 100644 index 00000000000..cb1ed3067aa --- /dev/null +++ b/.brightsec/tests/get-api-cards.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/cards', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Cards`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-challenges-1.test.ts b/.brightsec/tests/get-api-challenges-1.test.ts new file mode 100644 index 00000000000..2c4c9b3ebcf --- /dev/null +++ b/.brightsec/tests/get-api-challenges-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/challenges/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'xss', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Challenges/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-challenges.test.ts b/.brightsec/tests/get-api-challenges.test.ts new file mode 100644 index 00000000000..b52cd766a30 --- /dev/null +++ b/.brightsec/tests/get-api-challenges.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/challenges', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'bopla', 'business_constraint_bypass', 'id_enumeration', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Challenges`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-complaints-1.test.ts b/.brightsec/tests/get-api-complaints-1.test.ts new file mode 100644 index 00000000000..82ff4a2918f --- /dev/null +++ b/.brightsec/tests/get-api-complaints-1.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/Complaints/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Complaints/1`, + headers: { 'X-Recruiting': 'undefined' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-complaints.test.ts b/.brightsec/tests/get-api-complaints.test.ts new file mode 100644 index 00000000000..fadf6093e2a --- /dev/null +++ b/.brightsec/tests/get-api-complaints.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/complaints', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'id_enumeration', 'xss', 'sqli', 'bopla'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Complaints`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-deliverys-1.test.ts b/.brightsec/tests/get-api-deliverys-1.test.ts new file mode 100644 index 00000000000..d8a82ddb0f0 --- /dev/null +++ b/.brightsec/tests/get-api-deliverys-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/deliverys/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Deliverys/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-deliverys.test.ts b/.brightsec/tests/get-api-deliverys.test.ts new file mode 100644 index 00000000000..f732a81ba9a --- /dev/null +++ b/.brightsec/tests/get-api-deliverys.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/deliverys', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['business_constraint_bypass', 'id_enumeration', 'xss', 'sqli', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Deliverys`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-docs.test.ts b/.brightsec/tests/get-api-docs.test.ts new file mode 100644 index 00000000000..ab3b9723597 --- /dev/null +++ b/.brightsec/tests/get-api-docs.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api-docs', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'csrf', 'improper_asset_management', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api-docs`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-feedbacks-1.test.ts b/.brightsec/tests/get-api-feedbacks-1.test.ts new file mode 100644 index 00000000000..5f4a813a081 --- /dev/null +++ b/.brightsec/tests/get-api-feedbacks-1.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/feedbacks/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'xss', 'sqli', 'csrf', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Feedbacks/1`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-feedbacks.test.ts b/.brightsec/tests/get-api-feedbacks.test.ts new file mode 100644 index 00000000000..3b0929d4cb8 --- /dev/null +++ b/.brightsec/tests/get-api-feedbacks.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/feedbacks', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'business_constraint_bypass', 'sqli', 'csrf', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Feedbacks`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-hints-1.test.ts b/.brightsec/tests/get-api-hints-1.test.ts new file mode 100644 index 00000000000..19ff2b44b76 --- /dev/null +++ b/.brightsec/tests/get-api-hints-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/hints/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'xss', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Hints/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-hints.test.ts b/.brightsec/tests/get-api-hints.test.ts new file mode 100644 index 00000000000..60c7a5042fe --- /dev/null +++ b/.brightsec/tests/get-api-hints.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/hints', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'xss'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Hints`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-privacy-requests-1.test.ts b/.brightsec/tests/get-api-privacy-requests-1.test.ts new file mode 100644 index 00000000000..e39eeba3f73 --- /dev/null +++ b/.brightsec/tests/get-api-privacy-requests-1.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/privacy-requests/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'csrf', 'sqli', 'xss', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/PrivacyRequests/1`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-privacy-requests.test.ts b/.brightsec/tests/get-api-privacy-requests.test.ts new file mode 100644 index 00000000000..e0238f68e18 --- /dev/null +++ b/.brightsec/tests/get-api-privacy-requests.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/privacy-requests', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/PrivacyRequests`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-products-1.test.ts b/.brightsec/tests/get-api-products-1.test.ts new file mode 100644 index 00000000000..4fd4667886e --- /dev/null +++ b/.brightsec/tests/get-api-products-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/products/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'xss', 'id_enumeration', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Products/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-products.test.ts b/.brightsec/tests/get-api-products.test.ts new file mode 100644 index 00000000000..9d8e71d49da --- /dev/null +++ b/.brightsec/tests/get-api-products.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/products', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'xss', 'business_constraint_bypass', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/products`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-quantitys-1.test.ts b/.brightsec/tests/get-api-quantitys-1.test.ts new file mode 100644 index 00000000000..b26d3256ac9 --- /dev/null +++ b/.brightsec/tests/get-api-quantitys-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'csrf', 'xss', 'sqli', 'osi'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Quantitys/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-quantitys.test.ts b/.brightsec/tests/get-api-quantitys.test.ts new file mode 100644 index 00000000000..1191e6e7eba --- /dev/null +++ b/.brightsec/tests/get-api-quantitys.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/quantitys', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Quantitys`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-recycle-1.test.ts b/.brightsec/tests/get-api-recycle-1.test.ts new file mode 100644 index 00000000000..ffef03a1cea --- /dev/null +++ b/.brightsec/tests/get-api-recycle-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/recycle/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'id_enumeration', 'full_path_disclosure', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/recycle/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-recycles-1.test.ts b/.brightsec/tests/get-api-recycles-1.test.ts new file mode 100644 index 00000000000..652f9926f7f --- /dev/null +++ b/.brightsec/tests/get-api-recycles-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'id_enumeration', 'full_path_disclosure', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Recycles/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-security-answers-1.test.ts b/.brightsec/tests/get-api-security-answers-1.test.ts new file mode 100644 index 00000000000..93185c65466 --- /dev/null +++ b/.brightsec/tests/get-api-security-answers-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/security-answers/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/SecurityAnswers/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-security-answers.test.ts b/.brightsec/tests/get-api-security-answers.test.ts new file mode 100644 index 00000000000..37e32b7fe4f --- /dev/null +++ b/.brightsec/tests/get-api-security-answers.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/security-answers', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/SecurityAnswers?email=user@example.com`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-users-1.test.ts b/.brightsec/tests/get-api-users-1.test.ts new file mode 100644 index 00000000000..5fd83f8700c --- /dev/null +++ b/.brightsec/tests/get-api-users-1.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/users/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'bopla', 'xss', 'sqli', 'csrf', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Users/1`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-users.test.ts b/.brightsec/tests/get-api-users.test.ts new file mode 100644 index 00000000000..e19331feed8 --- /dev/null +++ b/.brightsec/tests/get-api-users.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /api/users', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'xss', 'sqli', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/api/Users`, + headers: { 'X-Recruiting': 'YourCompany' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-assets-public-images-padding.test.ts b/.brightsec/tests/get-assets-public-images-padding.test.ts new file mode 100644 index 00000000000..5180d243f53 --- /dev/null +++ b/.brightsec/tests/get-assets-public-images-padding.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /assets/public/images/padding', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'lfi', 'improper_asset_management', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/assets/public/images/padding`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-assets-public-images-products.test.ts b/.brightsec/tests/get-assets-public-images-products.test.ts new file mode 100644 index 00000000000..6f99c8d1e78 --- /dev/null +++ b/.brightsec/tests/get-assets-public-images-products.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /assets/public/images/products', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'lfi', 'improper_asset_management', 'csrf'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/assets/public/images/products`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-assets-public-images-uploads.test.ts b/.brightsec/tests/get-assets-public-images-uploads.test.ts new file mode 100644 index 00000000000..a9f6d89c17e --- /dev/null +++ b/.brightsec/tests/get-assets-public-images-uploads.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /assets/public/images/uploads', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/assets/public/images/uploads`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-dataerasure.test.ts b/.brightsec/tests/get-dataerasure.test.ts new file mode 100644 index 00000000000..642063c02b1 --- /dev/null +++ b/.brightsec/tests/get-dataerasure.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /dataerasure', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'lfi', 'osi', 'sqli'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/dataerasure/`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-encryptionkeys-samplefile-txt.test.ts b/.brightsec/tests/get-encryptionkeys-samplefile-txt.test.ts new file mode 100644 index 00000000000..79097cfd259 --- /dev/null +++ b/.brightsec/tests/get-encryptionkeys-samplefile-txt.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /encryptionkeys/samplefile.txt', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['lfi', 'improper_asset_management', 'full_path_disclosure', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/encryptionkeys/samplefile.txt`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-encryptionkeys-samplefile.test.ts b/.brightsec/tests/get-encryptionkeys-samplefile.test.ts new file mode 100644 index 00000000000..84c143902b6 --- /dev/null +++ b/.brightsec/tests/get-encryptionkeys-samplefile.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /encryptionkeys/samplefile', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['directoryListingChallenge', 'accessLogDisclosureChallenge', 'xss', 'csrf', 'lfi'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/encryptionkeys/samplefile`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts b/.brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts new file mode 100644 index 00000000000..8e0c3c2712e --- /dev/null +++ b/.brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /ftp/quarantine/samplefile.txt', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['lfi', 'full_path_disclosure', 'http_method_fuzzing'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/ftp/quarantine/samplefile.txt`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-ftp-sample-file-md.test.ts b/.brightsec/tests/get-ftp-sample-file-md.test.ts new file mode 100644 index 00000000000..7ba2569c3e7 --- /dev/null +++ b/.brightsec/tests/get-ftp-sample-file-md.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /ftp/sample-file.md', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['lfi', 'ssrf', 'xss', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/ftp/sample-file.md`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-ftp-sample-md.test.ts b/.brightsec/tests/get-ftp-sample-md.test.ts new file mode 100644 index 00000000000..dd68195b9ac --- /dev/null +++ b/.brightsec/tests/get-ftp-sample-md.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /ftp/sample.md', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['lfi', 'xss', 'full_path_disclosure', 'css_injection', 'unvalidated_redirect'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/ftp/sample.md`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-metrics.test.ts b/.brightsec/tests/get-metrics.test.ts new file mode 100644 index 00000000000..d4c0ec31fcf --- /dev/null +++ b/.brightsec/tests/get-metrics.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /metrics', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['improper_asset_management', 'csrf', 'full_path_disclosure', 'open_database', 'xss'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/metrics`, + headers: { 'Content-Type': 'text/plain; version=0.0.4; charset=utf-8' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-profile.test.ts b/.brightsec/tests/get-profile.test.ts new file mode 100644 index 00000000000..dca5f2d4f88 --- /dev/null +++ b/.brightsec/tests/get-profile.test.ts @@ -0,0 +1,45 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /profile', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['ssti', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/profile`, + headers: { + 'Content-Security-Policy': "img-src 'self' ; script-src 'self' 'unsafe-eval' https://code.getmdl.io http://ajax.googleapis.com" + }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-promotion.test.ts b/.brightsec/tests/get-promotion.test.ts new file mode 100644 index 00000000000..123daf5b264 --- /dev/null +++ b/.brightsec/tests/get-promotion.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /promotion', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'html_injection', 'css_injection'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/promotion`, + headers: { 'Content-Type': 'text/html' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-redirect.test.ts b/.brightsec/tests/get-redirect.test.ts new file mode 100644 index 00000000000..0ee07a3ce01 --- /dev/null +++ b/.brightsec/tests/get-redirect.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /redirect', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['unvalidated_redirect', 'ssrf'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/redirect?to=https://example.com`, + headers: { 'X-Recruiting': '/#/jobs' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-2fa-status.test.ts b/.brightsec/tests/get-rest-2fa-status.test.ts new file mode 100644 index 00000000000..3eaf1581e1c --- /dev/null +++ b/.brightsec/tests/get-rest-2fa-status.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/2fa/status', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'secret_tokens', 'jwt', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/2fa/status`, + headers: { 'Authorization': 'Bearer ' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-admin-application-configuration.test.ts b/.brightsec/tests/get-rest-admin-application-configuration.test.ts new file mode 100644 index 00000000000..d226870aa5f --- /dev/null +++ b/.brightsec/tests/get-rest-admin-application-configuration.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/admin/application-configuration', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['improper_asset_management', 'full_path_disclosure', 'secret_tokens', 'open_database', 'csrf'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/admin/application-configuration`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-admin-application-version.test.ts b/.brightsec/tests/get-rest-admin-application-version.test.ts new file mode 100644 index 00000000000..b9ffe5b731e --- /dev/null +++ b/.brightsec/tests/get-rest-admin-application-version.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/admin/application-version', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['improper_asset_management', 'full_path_disclosure', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/admin/application-version`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-basket-1-order.test.ts b/.brightsec/tests/get-rest-basket-1-order.test.ts new file mode 100644 index 00000000000..c09e03e1c62 --- /dev/null +++ b/.brightsec/tests/get-rest-basket-1-order.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/basket/1/order', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/basket/1/order`, + headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-basket-1.test.ts b/.brightsec/tests/get-rest-basket-1.test.ts new file mode 100644 index 00000000000..c09a5446720 --- /dev/null +++ b/.brightsec/tests/get-rest-basket-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/basket/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'xss', 'sqli'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/basket/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-captcha.test.ts b/.brightsec/tests/get-rest-captcha.test.ts new file mode 100644 index 00000000000..9b1c3dfed79 --- /dev/null +++ b/.brightsec/tests/get-rest-captcha.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/captcha', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'csrf', 'business_constraint_bypass', 'osi'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/captcha`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-chatbot-status.test.ts b/.brightsec/tests/get-rest-chatbot-status.test.ts new file mode 100644 index 00000000000..25ed714de7c --- /dev/null +++ b/.brightsec/tests/get-rest-chatbot-status.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/chatbot/status', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'jwt', 'xss', 'server_side_js_injection', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/chatbot/status`, + headers: { "X-Recruiting": "We're hiring! Visit our careers page for more information." }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-continue-code-findit.test.ts b/.brightsec/tests/get-rest-continue-code-findit.test.ts new file mode 100644 index 00000000000..dd24c917366 --- /dev/null +++ b/.brightsec/tests/get-rest-continue-code-findit.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/continue-code-findIt', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['business_constraint_bypass', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/continue-code-findIt`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-continue-code-fixit.test.ts b/.brightsec/tests/get-rest-continue-code-fixit.test.ts new file mode 100644 index 00000000000..5028ca6457e --- /dev/null +++ b/.brightsec/tests/get-rest-continue-code-fixit.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/continue-code-fixIt', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['business_constraint_bypass', 'sqli', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/continue-code-fixIt`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-continue-code.test.ts b/.brightsec/tests/get-rest-continue-code.test.ts new file mode 100644 index 00000000000..0fe493bb3a1 --- /dev/null +++ b/.brightsec/tests/get-rest-continue-code.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/continue-code', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'csrf', 'business_constraint_bypass', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/continue-code`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-country-mapping.test.ts b/.brightsec/tests/get-rest-country-mapping.test.ts new file mode 100644 index 00000000000..43b22651b43 --- /dev/null +++ b/.brightsec/tests/get-rest-country-mapping.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/country-mapping', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['improper_asset_management', 'full_path_disclosure', 'csrf'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/country-mapping`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-deluxe-membership.test.ts b/.brightsec/tests/get-rest-deluxe-membership.test.ts new file mode 100644 index 00000000000..62e1f5be189 --- /dev/null +++ b/.brightsec/tests/get-rest-deluxe-membership.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/deluxe-membership', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'xss', 'jwt', 'business_constraint_bypass'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/deluxe-membership`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-image-captcha.test.ts b/.brightsec/tests/get-rest-image-captcha.test.ts new file mode 100644 index 00000000000..b58c6c0782e --- /dev/null +++ b/.brightsec/tests/get-rest-image-captcha.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/image-captcha', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/image-captcha`, + headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-languages.test.ts b/.brightsec/tests/get-rest-languages.test.ts new file mode 100644 index 00000000000..c706a89c5e2 --- /dev/null +++ b/.brightsec/tests/get-rest-languages.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/languages', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['full_path_disclosure', 'xss', 'sqli', 'csrf'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/languages`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-memories.test.ts b/.brightsec/tests/get-rest-memories.test.ts new file mode 100644 index 00000000000..612febf9056 --- /dev/null +++ b/.brightsec/tests/get-rest-memories.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/memories', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'sqli', 'xss', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/memories`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-order-history-orders.test.ts b/.brightsec/tests/get-rest-order-history-orders.test.ts new file mode 100644 index 00000000000..a1f09339ae1 --- /dev/null +++ b/.brightsec/tests/get-rest-order-history-orders.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/order-history/orders', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'nosql', 'bopla', 'business_constraint_bypass'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/order-history/orders`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-order-history.test.ts b/.brightsec/tests/get-rest-order-history.test.ts new file mode 100644 index 00000000000..c46140ec23d --- /dev/null +++ b/.brightsec/tests/get-rest-order-history.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/order-history', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'nosql', 'xss', 'bopla', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/order-history`, + headers: { 'X-Recruiting': '/#/jobs' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-products-1-reviews.test.ts b/.brightsec/tests/get-rest-products-1-reviews.test.ts new file mode 100644 index 00000000000..ee4f77f5d28 --- /dev/null +++ b/.brightsec/tests/get-rest-products-1-reviews.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/products/1/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['nosql', 'business_constraint_bypass', 'xss'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/products/1/reviews`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-products-search.test.ts b/.brightsec/tests/get-rest-products-search.test.ts new file mode 100644 index 00000000000..bd348b47888 --- /dev/null +++ b/.brightsec/tests/get-rest-products-search.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/products/search?q=:query', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'full_path_disclosure', 'xss'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/products/search?q=apple`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-repeat-notification.test.ts b/.brightsec/tests/get-rest-repeat-notification.test.ts new file mode 100644 index 00000000000..45e59ed37cc --- /dev/null +++ b/.brightsec/tests/get-rest-repeat-notification.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/repeat-notification', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'xss', 'csrf', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/repeat-notification?challenge=SQL%20Injection`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-save-login-ip.test.ts b/.brightsec/tests/get-rest-save-login-ip.test.ts new file mode 100644 index 00000000000..0f36ec4696a --- /dev/null +++ b/.brightsec/tests/get-rest-save-login-ip.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/saveLoginIp', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'csrf', 'bopla'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/saveLoginIp`, + headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-track-order-12345.test.ts b/.brightsec/tests/get-rest-track-order-12345.test.ts new file mode 100644 index 00000000000..a5febc32db6 --- /dev/null +++ b/.brightsec/tests/get-rest-track-order-12345.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/track-order/12345', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'nosql', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/track-order/12345`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-user-authentication-details.test.ts b/.brightsec/tests/get-rest-user-authentication-details.test.ts new file mode 100644 index 00000000000..a9a04675555 --- /dev/null +++ b/.brightsec/tests/get-rest-user-authentication-details.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/user/authentication-details', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'bopla', 'id_enumeration', 'jwt'], + attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/user/authentication-details?callback=callbackFunction`, + headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-user-change-password.test.ts b/.brightsec/tests/get-rest-user-change-password.test.ts new file mode 100644 index 00000000000..7ee2ffd4690 --- /dev/null +++ b/.brightsec/tests/get-rest-user-change-password.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/user/change-password', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'bopla', 'sqli', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/user/change-password?current=current_password_example&new=new_password_example&repeat=new_password_example`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-user-security-question.test.ts b/.brightsec/tests/get-rest-user-security-question.test.ts new file mode 100644 index 00000000000..2a8ac91d16e --- /dev/null +++ b/.brightsec/tests/get-rest-user-security-question.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/user/security-question', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['id_enumeration', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/user/security-question?email=user@example.com`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-user-whoami.test.ts b/.brightsec/tests/get-rest-user-whoami.test.ts new file mode 100644 index 00000000000..d981d372b74 --- /dev/null +++ b/.brightsec/tests/get-rest-user-whoami.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/user/whoami', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'id_enumeration', 'bopla', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.HEADER, AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/user/whoami?callback=callbackFunction`, + headers: { 'X-Recruiting': '/#/jobs' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-wallet-balance.test.ts b/.brightsec/tests/get-rest-wallet-balance.test.ts new file mode 100644 index 00000000000..ca31b986b10 --- /dev/null +++ b/.brightsec/tests/get-rest-wallet-balance.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/wallet/balance', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'jwt', 'nosql', 'xss'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/wallet/balance`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-web3-nft-mint-listen.test.ts b/.brightsec/tests/get-rest-web3-nft-mint-listen.test.ts new file mode 100644 index 00000000000..85f1a6ee6bc --- /dev/null +++ b/.brightsec/tests/get-rest-web3-nft-mint-listen.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/web3/nftMintListen', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['ssrf', 'secret_tokens', 'business_constraint_bypass', 'osi'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/web3/nftMintListen`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-web3-nft-unlocked.test.ts b/.brightsec/tests/get-rest-web3-nft-unlocked.test.ts new file mode 100644 index 00000000000..9dfb95affa8 --- /dev/null +++ b/.brightsec/tests/get-rest-web3-nft-unlocked.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /rest/web3/nftUnlocked', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'insecure_tls_configuration', 'improper_asset_management', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/rest/web3/nftUnlocked`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-security-txt.test.ts b/.brightsec/tests/get-security-txt.test.ts new file mode 100644 index 00000000000..5643c9b1257 --- /dev/null +++ b/.brightsec/tests/get-security-txt.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /security.txt', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'improper_asset_management', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/security.txt`, + headers: { 'X-Recruiting': '/#/jobs' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-snippets-fixes-sample-key.test.ts b/.brightsec/tests/get-snippets-fixes-sample-key.test.ts new file mode 100644 index 00000000000..f8b99686bce --- /dev/null +++ b/.brightsec/tests/get-snippets-fixes-sample-key.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /snippets/fixes/sampleKey', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'sqli', 'id_enumeration', 'csrf', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/snippets/fixes/sampleKey`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-snippets-sample-challenge.test.ts b/.brightsec/tests/get-snippets-sample-challenge.test.ts new file mode 100644 index 00000000000..09049991e2c --- /dev/null +++ b/.brightsec/tests/get-snippets-sample-challenge.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /snippets/sample-challenge', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'csrf', 'id_enumeration', 'improper_asset_management', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/snippets/sample-challenge`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-solve-challenges-server-side.test.ts b/.brightsec/tests/get-solve-challenges-server-side.test.ts new file mode 100644 index 00000000000..dfe1f990016 --- /dev/null +++ b/.brightsec/tests/get-solve-challenges-server-side.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /solve/challenges/server-side', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['ssti', 'ssrf', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/solve/challenges/server-side?key=tRy_H4rd3r_n0thIng_iS_Imp0ssibl3`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-support-logs-sample-log.test.ts b/.brightsec/tests/get-support-logs-sample-log.test.ts new file mode 100644 index 00000000000..160d02272e5 --- /dev/null +++ b/.brightsec/tests/get-support-logs-sample-log.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /support/logs/sample.log', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['lfi', 'full_path_disclosure', 'improper_asset_management'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/support/logs/sample.log`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts b/.brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts new file mode 100644 index 00000000000..bfa9bb14ee8 --- /dev/null +++ b/.brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'csrf', 'full_path_disclosure', 'improper_asset_management', 'open_cloud_storage'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg`, + headers: { 'X-Recruiting': 'undefined' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts b/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts new file mode 100644 index 00000000000..ea150bb670d --- /dev/null +++ b/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc/to/us', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'unvalidated_redirect', 'sqli', 'ssrf', 'osi'], + attackParamLocations: [AttackParamLocation.HEADER, AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc/to/us`, + headers: { 'X-Recruiting': 'We are hiring! Check out our careers page.' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-video.test.ts b/.brightsec/tests/get-video.test.ts new file mode 100644 index 00000000000..cdf315e2b94 --- /dev/null +++ b/.brightsec/tests/get-video.test.ts @@ -0,0 +1,49 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /video', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'full_path_disclosure', 'ssrf'], + attackParamLocations: [AttackParamLocation.HEADER, AttackParamLocation.PATH], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/video`, + headers: { + 'Content-Range': 'bytes 0-1023/2048', + 'Accept-Ranges': 'bytes', + 'Content-Length': '1024', + 'Content-Location': '/assets/public/videos/owasp_promo.mp4', + 'Content-Type': 'video/mp4' + }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts b/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts new file mode 100644 index 00000000000..e1c5cdcbba2 --- /dev/null +++ b/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'csrf', 'lfi', 'improper_asset_management', 'full_path_disclosure'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-well-known-security-txt.test.ts b/.brightsec/tests/get-well-known-security-txt.test.ts new file mode 100644 index 00000000000..fa7ce6868fc --- /dev/null +++ b/.brightsec/tests/get-well-known-security-txt.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /.well-known/security.txt', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'xss', 'improper_asset_management', 'full_path_disclosure', 'insecure_tls_configuration'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/.well-known/security.txt`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-well-known.test.ts b/.brightsec/tests/get-well-known.test.ts new file mode 100644 index 00000000000..3be5b4e3c45 --- /dev/null +++ b/.brightsec/tests/get-well-known.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /.well-known', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['improper_asset_management', 'full_path_disclosure', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/.well-known`, + headers: { 'X-Recruiting': '' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/patch-rest-products-id-reviews.test.ts b/.brightsec/tests/patch-rest-products-id-reviews.test.ts new file mode 100644 index 00000000000..33b3510fdf0 --- /dev/null +++ b/.brightsec/tests/patch-rest-products-id-reviews.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PATCH /rest/products/:id/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'nosql', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PATCH, + url: `${baseUrl}/rest/products/60c72b2f9b1d8e001c8e4b8a/reviews`, + body: { + id: "60c72b2f9b1d8e001c8e4b8a", + message: "Updated review message." + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/patch-rest-products-reviews.test.ts b/.brightsec/tests/patch-rest-products-reviews.test.ts new file mode 100644 index 00000000000..1027c7b4d81 --- /dev/null +++ b/.brightsec/tests/patch-rest-products-reviews.test.ts @@ -0,0 +1,50 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PATCH /rest/products/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'nosql', 'xss'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PATCH, + url: `${baseUrl}/rest/products/reviews`, + body: { + id: "507f1f77bcf86cd799439011", + message: "Updated review message" + }, + headers: { + 'Content-Type': 'application/json', + 'X-Recruiting': '' + }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-addresss.test.ts b/.brightsec/tests/post-api-addresss.test.ts new file mode 100644 index 00000000000..cbb2dfbd207 --- /dev/null +++ b/.brightsec/tests/post-api-addresss.test.ts @@ -0,0 +1,53 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/addresss', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'sqli', 'xss', 'csrf', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Addresss`, + body: { + UserId: 1, + fullName: "John Doe", + mobileNum: 1234567890, + zipCode: "12345", + streetAddress: "123 Main St", + city: "Anytown", + state: "Anystate", + country: "Anyland" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-basket-items.test.ts b/.brightsec/tests/post-api-basket-items.test.ts new file mode 100644 index 00000000000..e2c194c27c2 --- /dev/null +++ b/.brightsec/tests/post-api-basket-items.test.ts @@ -0,0 +1,44 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/basket-items', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'sqli', 'xss', 'business_constraint_bypass'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/BasketItems`, + body: [{ "ProductId": 1, "BasketId": 1, "quantity": 2 }], + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-cards.test.ts b/.brightsec/tests/post-api-cards.test.ts new file mode 100644 index 00000000000..609605ae4c6 --- /dev/null +++ b/.brightsec/tests/post-api-cards.test.ts @@ -0,0 +1,51 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/cards', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'sqli', 'xss', 'date_manipulation', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined, + skipStaticParams: false + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/cards`, + body: { + UserId: 1, + fullName: "John Doe", + cardNum: 1234567812345678, + expMonth: 12, + expYear: 2099 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-challenges.test.ts b/.brightsec/tests/post-api-challenges.test.ts new file mode 100644 index 00000000000..00dd012629b --- /dev/null +++ b/.brightsec/tests/post-api-challenges.test.ts @@ -0,0 +1,57 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/challenges', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'csrf', 'bopla', 'business_constraint_bypass'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Challenges`, + body: { + key: "restfulXssChallenge", + name: "Cross-Site Scripting", + category: "Security", + description: "A challenge to test XSS vulnerabilities.", + difficulty: 3, + mitigationUrl: "https://example.com/mitigation", + tags: "xss,security", + solved: false, + disabledEnv: null, + tutorialOrder: 1, + codingChallengeStatus: 0, + hasCodingChallenge: true + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-complaints.test.ts b/.brightsec/tests/post-api-complaints.test.ts new file mode 100644 index 00000000000..e0b1f184c8e --- /dev/null +++ b/.brightsec/tests/post-api-complaints.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/complaints', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'file_upload', 'xss', 'bopla', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Complaints`, + body: { + UserId: 123, + message: 'This is a sample complaint message.', + file: 'optional-file-path-or-url' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-feedbacks.test.ts b/.brightsec/tests/post-api-feedbacks.test.ts new file mode 100644 index 00000000000..b2b98a6436d --- /dev/null +++ b/.brightsec/tests/post-api-feedbacks.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/feedbacks', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'bopla', 'sqli', 'csrf'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Feedbacks`, + body: { + UserId: 1, + comment: 'Great product!', + rating: 5 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-hints.test.ts b/.brightsec/tests/post-api-hints.test.ts new file mode 100644 index 00000000000..38e9ee3e722 --- /dev/null +++ b/.brightsec/tests/post-api-hints.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/hints', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'xss', 'sqli', 'nosql'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Hints`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-privacy-requests.test.ts b/.brightsec/tests/post-api-privacy-requests.test.ts new file mode 100644 index 00000000000..1d7b9f425da --- /dev/null +++ b/.brightsec/tests/post-api-privacy-requests.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/privacy-requests', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'id_enumeration', 'xss', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/PrivacyRequests`, + body: { + UserId: 123, + deletionRequested: true + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-products.test.ts b/.brightsec/tests/post-api-products.test.ts new file mode 100644 index 00000000000..0c7d6b48ef6 --- /dev/null +++ b/.brightsec/tests/post-api-products.test.ts @@ -0,0 +1,50 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/products', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'sqli', 'csrf'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Products`, + body: { + name: 'Sample Product', + description: 'A sample product description.', + price: 19.99, + deluxePrice: 29.99, + image: 'sample-product.jpg' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-quantitys.test.ts b/.brightsec/tests/post-api-quantitys.test.ts new file mode 100644 index 00000000000..65f6c58fb03 --- /dev/null +++ b/.brightsec/tests/post-api-quantitys.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/quantitys', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['business_constraint_bypass', 'csrf', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Quantitys`, + body: { + ProductId: 1, + quantity: 100, + limitPerUser: 5 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-recycles.test.ts b/.brightsec/tests/post-api-recycles.test.ts new file mode 100644 index 00000000000..9705fb649a1 --- /dev/null +++ b/.brightsec/tests/post-api-recycles.test.ts @@ -0,0 +1,51 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/recycles', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'bopla', 'csrf', 'date_manipulation', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined, + skipStaticParams: false + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Recycles`, + body: { + UserId: 1, + AddressId: 1, + quantity: 10, + isPickup: true, + date: "2023-10-01T00:00:00Z" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-security-questions.test.ts b/.brightsec/tests/post-api-security-questions.test.ts new file mode 100644 index 00000000000..282b1c7c038 --- /dev/null +++ b/.brightsec/tests/post-api-security-questions.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/security-questions', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'xss', 'sqli', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/SecurityQuestions`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-users.test.ts b/.brightsec/tests/post-api-users.test.ts new file mode 100644 index 00000000000..ee989164696 --- /dev/null +++ b/.brightsec/tests/post-api-users.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /api/users', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'sqli', 'csrf', 'email_injection', 'proto_pollution'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/api/Users`, + body: { + email: 'user@example.com', + password: 'securePassword123', + passwordRepeat: 'securePassword123' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-b2b-v2-orders.test.ts b/.brightsec/tests/post-b2b-v2-orders.test.ts new file mode 100644 index 00000000000..b62f21502da --- /dev/null +++ b/.brightsec/tests/post-b2b-v2-orders.test.ts @@ -0,0 +1,50 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /b2b/v2/orders', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['osi', 'business_constraint_bypass', 'xss', 'csrf', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/b2b/v2/orders`, + body: { + cid: "12345", + orderLinesData: "" + }, + headers: { + 'Content-Type': 'application/json', + 'X-Recruiting': '' + }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-dataerasure.test.ts b/.brightsec/tests/post-dataerasure.test.ts new file mode 100644 index 00000000000..a5eacfe635f --- /dev/null +++ b/.brightsec/tests/post-dataerasure.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /dataerasure', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/dataerasure`, + body: { + email: 'user@example.com', + securityAnswer: 'exampleAnswer' + }, + headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-file-upload.test.ts b/.brightsec/tests/post-file-upload.test.ts new file mode 100644 index 00000000000..675337ee811 --- /dev/null +++ b/.brightsec/tests/post-file-upload.test.ts @@ -0,0 +1,44 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /file-upload', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['file_upload', 'xss', 'ssrf', 'xxe'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/file-upload`, + headers: { 'Content-Type': 'multipart/form-data' }, + body: `--boundary\r\nContent-Disposition: form-data; name="file"; filename="example.zip"\r\nContent-Type: application/zip\r\n\r\n\r\n--boundary--`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-profile-image-file.test.ts b/.brightsec/tests/post-profile-image-file.test.ts new file mode 100644 index 00000000000..aaf6558ff3a --- /dev/null +++ b/.brightsec/tests/post-profile-image-file.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /profile/image/file', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['file_upload', 'ssrf', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/profile/image/file`, + headers: { + 'Content-Type': 'multipart/form-data', + 'X-Recruiting': 'true' + }, + body: "--boundary\r\nContent-Disposition: form-data; name=\"file\"; filename=\"profile.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n\r\n--boundary--", + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-profile-image-url.test.ts b/.brightsec/tests/post-profile-image-url.test.ts new file mode 100644 index 00000000000..76b52071e9e --- /dev/null +++ b/.brightsec/tests/post-profile-image-url.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /profile/image/url', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['ssrf', 'file_upload', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/profile/image/url`, + body: { + imageUrl: 'https://example.com/image.jpg' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-profile.test.ts b/.brightsec/tests/post-profile.test.ts new file mode 100644 index 00000000000..59de928613d --- /dev/null +++ b/.brightsec/tests/post-profile.test.ts @@ -0,0 +1,49 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /profile', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'xss', 'jwt'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/profile`, + body: { + username: 'newUsername' + }, + headers: { + 'Content-Type': 'application/json', + 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' + }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-2fa-disable.test.ts b/.brightsec/tests/post-rest-2fa-disable.test.ts new file mode 100644 index 00000000000..48af4a16f98 --- /dev/null +++ b/.brightsec/tests/post-rest-2fa-disable.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/2fa/disable', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'bopla', 'osi', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/2fa/disable`, + body: { + password: 'examplePassword123' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-2fa-setup.test.ts b/.brightsec/tests/post-rest-2fa-setup.test.ts new file mode 100644 index 00000000000..45faa4922c2 --- /dev/null +++ b/.brightsec/tests/post-rest-2fa-setup.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/2fa/setup', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'jwt', 'secret_tokens'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/2fa/setup`, + body: { + password: "userpassword123", + setupToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9", + initialToken: "123456" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-2fa-verify.test.ts b/.brightsec/tests/post-rest-2fa-verify.test.ts new file mode 100644 index 00000000000..e7646bdc656 --- /dev/null +++ b/.brightsec/tests/post-rest-2fa-verify.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/2fa/verify', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'jwt', 'xss', 'osi', 'sqli', 'nosql'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/2fa/verify`, + body: { + tmpToken: "sampleTmpToken123", + totpToken: "123456" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-basket-1-checkout.test.ts b/.brightsec/tests/post-rest-basket-1-checkout.test.ts new file mode 100644 index 00000000000..b6c5c8d2457 --- /dev/null +++ b/.brightsec/tests/post-rest-basket-1-checkout.test.ts @@ -0,0 +1,51 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/basket/1/checkout', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'sqli', 'xss', 'csrf', 'osi'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/basket/1/checkout`, + body: { + orderDetails: { + deliveryMethodId: 1, + paymentId: "wallet", + addressId: 123 + }, + UserId: 456 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-chatbot-respond.test.ts b/.brightsec/tests/post-rest-chatbot-respond.test.ts new file mode 100644 index 00000000000..13d2ebb294b --- /dev/null +++ b/.brightsec/tests/post-rest-chatbot-respond.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/chatbot/respond', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['jwt', 'xss', 'server_side_js_injection', 'csrf', 'nosql'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/chatbot/respond`, + body: { + action: "query", + query: "Hello, how are you?" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-deluxe-membership.test.ts b/.brightsec/tests/post-rest-deluxe-membership.test.ts new file mode 100644 index 00000000000..22a1184a14c --- /dev/null +++ b/.brightsec/tests/post-rest-deluxe-membership.test.ts @@ -0,0 +1,50 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/deluxe-membership', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'id_enumeration', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/deluxe-membership`, + body: { + UserId: 1, + paymentMode: "wallet" + }, + headers: { + 'Content-Type': 'application/json', + 'X-Recruiting': 'We are hiring!' + }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-memories.test.ts b/.brightsec/tests/post-rest-memories.test.ts new file mode 100644 index 00000000000..dde56f92862 --- /dev/null +++ b/.brightsec/tests/post-rest-memories.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/memories', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['file_upload', 'bopla', 'xss', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/memories`, + body: { + caption: "A day at the beach", + UserId: 1 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-products-reviews.test.ts b/.brightsec/tests/post-rest-products-reviews.test.ts new file mode 100644 index 00000000000..d705f2b2f95 --- /dev/null +++ b/.brightsec/tests/post-rest-products-reviews.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/products/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'nosql', 'xss', 'bopla'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/products/reviews`, + body: { + id: '60c72b2f9b1e8e001f8e4c8a' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-user-data-export.test.ts b/.brightsec/tests/post-rest-user-data-export.test.ts new file mode 100644 index 00000000000..bb3ecd2c837 --- /dev/null +++ b/.brightsec/tests/post-rest-user-data-export.test.ts @@ -0,0 +1,44 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/user/data-export', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'nosql', 'xss', 'ssrf'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/user/data-export`, + body: { "UserId": 1 }, + headers: { 'Authorization': 'Bearer ', 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-user-login.test.ts b/.brightsec/tests/post-rest-user-login.test.ts new file mode 100644 index 00000000000..9a4876d9d84 --- /dev/null +++ b/.brightsec/tests/post-rest-user-login.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/user/login', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'csrf', 'nosql'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/user/login`, + body: { + email: 'user@example.com', + password: 'securePassword123' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-user-reset-password.test.ts b/.brightsec/tests/post-rest-user-reset-password.test.ts new file mode 100644 index 00000000000..e69f5367590 --- /dev/null +++ b/.brightsec/tests/post-rest-user-reset-password.test.ts @@ -0,0 +1,49 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/user/reset-password', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'email_injection', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/user/reset-password`, + body: { + email: "user@example.com", + answer: "correct_answer", + new: "new_password", + repeat: "new_password" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-web3-submit-key.test.ts b/.brightsec/tests/post-rest-web3-submit-key.test.ts new file mode 100644 index 00000000000..67aff33cb68 --- /dev/null +++ b/.brightsec/tests/post-rest-web3-submit-key.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/web3/submitKey', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'nosql', 'xss', 'bopla', 'business_constraint_bypass'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/web3/submitKey`, + body: { + walletAddress: '0x1234567890abcdef1234567890abcdef12345678' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts b/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts new file mode 100644 index 00000000000..301c630fb70 --- /dev/null +++ b/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/web3/walletExploitAddress', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['ssrf', 'xss', 'csrf', 'osi', 'bopla'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/web3/walletExploitAddress`, + body: { + walletAddress: "0x1234567890abcdef1234567890abcdef12345678" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-web3-wallet-nft-verify.test.ts b/.brightsec/tests/post-rest-web3-wallet-nft-verify.test.ts new file mode 100644 index 00000000000..eafa72ff6f3 --- /dev/null +++ b/.brightsec/tests/post-rest-web3-wallet-nft-verify.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /rest/web3/walletNFTVerify', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'nosql', 'xss', 'osi', 'server_side_js_injection'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/rest/web3/walletNFTVerify`, + body: { + walletAddress: '0x1234567890abcdef1234567890abcdef12345678' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-snippets-fixes.test.ts b/.brightsec/tests/post-snippets-fixes.test.ts new file mode 100644 index 00000000000..3fbb1b1e2df --- /dev/null +++ b/.brightsec/tests/post-snippets-fixes.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /snippets/fixes', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'sqli', 'csrf'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/snippets/fixes`, + body: { + key: "exampleKey", + selectedFix: 1 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/post-snippets-verdict.test.ts b/.brightsec/tests/post-snippets-verdict.test.ts new file mode 100644 index 00000000000..be7b0eae98a --- /dev/null +++ b/.brightsec/tests/post-snippets-verdict.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('POST /snippets/verdict', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['xss', 'sqli', 'nosql', 'csrf', 'proto_pollution'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.POST, + url: `${baseUrl}/snippets/verdict`, + body: { + selectedLines: [1, 2, 3], + key: "exampleKey" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-addresss-1.test.ts b/.brightsec/tests/put-api-addresss-1.test.ts new file mode 100644 index 00000000000..098096e9d71 --- /dev/null +++ b/.brightsec/tests/put-api-addresss-1.test.ts @@ -0,0 +1,52 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'xss', 'sqli', 'csrf'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Addresss/1`, + body: { + fullName: 'John Doe', + mobileNum: 1234567890, + zipCode: '12345', + streetAddress: '123 Main St', + city: 'Metropolis', + state: 'NY', + country: 'USA' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-basketitems-1.test.ts b/.brightsec/tests/put-api-basketitems-1.test.ts new file mode 100644 index 00000000000..e1b235a6fb4 --- /dev/null +++ b/.brightsec/tests/put-api-basketitems-1.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/BasketItems/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'business_constraint_bypass', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/BasketItems/1`, + body: { + ProductId: 1, + BasketId: 1, + quantity: 2 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-cards-1.test.ts b/.brightsec/tests/put-api-cards-1.test.ts new file mode 100644 index 00000000000..533c77c906f --- /dev/null +++ b/.brightsec/tests/put-api-cards-1.test.ts @@ -0,0 +1,50 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'date_manipulation', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined, + skipStaticParams: false + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/cards/1`, + body: { + fullName: 'John Doe', + cardNum: 1234567812345678, + expMonth: 12, + expYear: 2099 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-challenges-1.test.ts b/.brightsec/tests/put-api-challenges-1.test.ts new file mode 100644 index 00000000000..11065fa36fe --- /dev/null +++ b/.brightsec/tests/put-api-challenges-1.test.ts @@ -0,0 +1,51 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/challenges/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'csrf'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Challenges/1`, + body: { + name: 'SQL Injection Challenge', + category: 'Injection', + description: 'Exploit SQL Injection vulnerability', + difficulty: 3, + key: 'sqlInjectionChallenge', + solved: false + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-complaints-1.test.ts b/.brightsec/tests/put-api-complaints-1.test.ts new file mode 100644 index 00000000000..ea68a0ddce4 --- /dev/null +++ b/.brightsec/tests/put-api-complaints-1.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/Complaints/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'file_upload', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Complaints/1`, + body: { + UserId: 1, + message: "This is a sample complaint message.", + file: "optional-file-path.jpg" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-feedbacks-1.test.ts b/.brightsec/tests/put-api-feedbacks-1.test.ts new file mode 100644 index 00000000000..b7d7f1ee7ed --- /dev/null +++ b/.brightsec/tests/put-api-feedbacks-1.test.ts @@ -0,0 +1,42 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/Feedbacks/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'xss', 'sqli', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Feedbacks/1`, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-hints-1.test.ts b/.brightsec/tests/put-api-hints-1.test.ts new file mode 100644 index 00000000000..8903897ccea --- /dev/null +++ b/.brightsec/tests/put-api-hints-1.test.ts @@ -0,0 +1,49 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/Hints/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'xss', 'sqli', 'csrf'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Hints/1`, + body: { + ChallengeId: 1, + text: "Sample hint text", + order: 1, + unlocked: true + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-privacy-requests-1.test.ts b/.brightsec/tests/put-api-privacy-requests-1.test.ts new file mode 100644 index 00000000000..8079e5f9306 --- /dev/null +++ b/.brightsec/tests/put-api-privacy-requests-1.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/privacy-requests/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/PrivacyRequests/1`, + body: { + UserId: 123, + deletionRequested: true + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-products-1.test.ts b/.brightsec/tests/put-api-products-1.test.ts new file mode 100644 index 00000000000..fd58ea31bda --- /dev/null +++ b/.brightsec/tests/put-api-products-1.test.ts @@ -0,0 +1,50 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/products/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'xss', 'sqli', 'csrf', 'http_method_fuzzing'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Products/1`, + body: { + name: 'New Product Name', + description: 'Updated description for the product.', + price: 19.99, + deluxePrice: 29.99, + image: 'new-image-url.jpg' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-quantitys-1.test.ts b/.brightsec/tests/put-api-quantitys-1.test.ts new file mode 100644 index 00000000000..0e85f461cd2 --- /dev/null +++ b/.brightsec/tests/put-api-quantitys-1.test.ts @@ -0,0 +1,51 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/Quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['business_constraint_bypass', 'csrf'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Quantitys/1`, + body: { + ProductId: 1, + quantity: 100, + limitPerUser: 5 + }, + headers: { + 'Content-Type': 'application/json', + 'X-Recruiting': '' + }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-recycles-1.test.ts b/.brightsec/tests/put-api-recycles-1.test.ts new file mode 100644 index 00000000000..1b4b1a9240a --- /dev/null +++ b/.brightsec/tests/put-api-recycles-1.test.ts @@ -0,0 +1,51 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['sqli', 'bopla', 'csrf', 'date_manipulation', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined, + skipStaticParams: true + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Recycles/1`, + body: { + UserId: 1, + AddressId: 1, + quantity: 10, + isPickup: true, + date: "2023-10-10T00:00:00Z" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-security-answers-1.test.ts b/.brightsec/tests/put-api-security-answers-1.test.ts new file mode 100644 index 00000000000..f81e1062a7b --- /dev/null +++ b/.brightsec/tests/put-api-security-answers-1.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/security-answers/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.PATH], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/SecurityAnswers/1`, + body: { + UserId: 1, + SecurityQuestionId: 2, + answer: "hashed_answer" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-security-questions-1.test.ts b/.brightsec/tests/put-api-security-questions-1.test.ts new file mode 100644 index 00000000000..d7acf0f2d41 --- /dev/null +++ b/.brightsec/tests/put-api-security-questions-1.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/security-questions/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'xss', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/SecurityQuestions/1`, + body: { + question: "What is your favorite color?" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-users-1.test.ts b/.brightsec/tests/put-api-users-1.test.ts new file mode 100644 index 00000000000..ba3b179a989 --- /dev/null +++ b/.brightsec/tests/put-api-users-1.test.ts @@ -0,0 +1,49 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /api/users/1', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'jwt', 'xss'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/api/Users/1`, + body: { + username: 'newUsername' + }, + headers: { + 'Content-Type': 'application/json', + Authorization: 'Bearer ' + }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-rest-basket-1-coupon-jan24-10.test.ts b/.brightsec/tests/put-rest-basket-1-coupon-jan24-10.test.ts new file mode 100644 index 00000000000..e7cc7a4b4fc --- /dev/null +++ b/.brightsec/tests/put-rest-basket-1-coupon-jan24-10.test.ts @@ -0,0 +1,43 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/basket/1/coupon/JAN24-10', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'sqli', 'xss', 'csrf', 'business_constraint_bypass'], + attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/basket/1/coupon/JAN24-10`, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-rest-continue-code-apply-example-code-123.test.ts b/.brightsec/tests/put-rest-continue-code-apply-example-code-123.test.ts new file mode 100644 index 00000000000..54b2eeef99d --- /dev/null +++ b/.brightsec/tests/put-rest-continue-code-apply-example-code-123.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/continue-code/apply/exampleCode123', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'xss', 'sqli', 'nosql', 'osi', 'xxe'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/continue-code/apply/exampleCode123`, + body: { + continueCode: "exampleCode123" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-rest-continue-code-findit-apply-code.test.ts b/.brightsec/tests/put-rest-continue-code-findit-apply-code.test.ts new file mode 100644 index 00000000000..52a29e1266b --- /dev/null +++ b/.brightsec/tests/put-rest-continue-code-findit-apply-code.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/continue-code-findIt/apply/:code', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'csrf', 'http_method_fuzzing', 'id_enumeration', 'nosql', 'xss'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/continue-code-findIt/apply/yXjv6Z5jWJnzD6a3YvmwPRXK7roAyzHDde2Og19yEN84plqxkMBbLVQrDeoY`, + body: { + continueCode: "yXjv6Z5jWJnzD6a3YvmwPRXK7roAyzHDde2Og19yEN84plqxkMBbLVQrDeoY" + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-rest-continue-code-fixit-apply-examplecode123.test.ts b/.brightsec/tests/put-rest-continue-code-fixit-apply-examplecode123.test.ts new file mode 100644 index 00000000000..8d231106f54 --- /dev/null +++ b/.brightsec/tests/put-rest-continue-code-fixit-apply-examplecode123.test.ts @@ -0,0 +1,46 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/continue-code-fixIt/apply/exampleCode123', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['csrf', 'id_enumeration', 'xss', 'osi', 'sqli'], + attackParamLocations: [AttackParamLocation.BODY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/continue-code-fixIt/apply/exampleCode123`, + body: { + continueCode: 'exampleCode123' + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-rest-order-history-1-delivery-status.test.ts b/.brightsec/tests/put-rest-order-history-1-delivery-status.test.ts new file mode 100644 index 00000000000..f39aee67d51 --- /dev/null +++ b/.brightsec/tests/put-rest-order-history-1-delivery-status.test.ts @@ -0,0 +1,47 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/order-history/1/delivery-status', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'id_enumeration', 'nosql', 'csrf', 'xss'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: "tssbox/juice-shop:master", + databases: ["SQLite"], + user_roles: { + roles: ["customer", "deluxe", "accounting", "admin"] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/order-history/1/delivery-status`, + body: { delivered: false }, + headers: { + 'Authorization': 'Bearer ', + 'Content-Type': 'application/json' + }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/put-rest-wallet-balance.test.ts b/.brightsec/tests/put-rest-wallet-balance.test.ts new file mode 100644 index 00000000000..71a9fa164a9 --- /dev/null +++ b/.brightsec/tests/put-rest-wallet-balance.test.ts @@ -0,0 +1,48 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('PUT /rest/wallet/balance', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['bopla', 'sqli', 'csrf', 'xss', 'id_enumeration'], + attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + }, + poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.PUT, + url: `${baseUrl}/rest/wallet/balance`, + body: { + UserId: 1, + paymentId: 123, + balance: 100 + }, + headers: { 'Content-Type': 'application/json' }, + auth: process.env.BRIGHT_AUTH_ID + }); +}); \ No newline at end of file From a7ed55a0988d088db27e0328708267f00b83fa70 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Tue, 25 Nov 2025 15:33:12 +0400 Subject: [PATCH 4/6] ci: add CI workflow to run e2e security tests --- .github/workflows/bright.yml | 63 +++++++++++++++++++ .../configure-bright-credentials/action.yaml | 53 ++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 .github/workflows/bright.yml create mode 100644 .github/workflows/composite/configure-bright-credentials/action.yaml diff --git a/.github/workflows/bright.yml b/.github/workflows/bright.yml new file mode 100644 index 00000000000..42f568f6750 --- /dev/null +++ b/.github/workflows/bright.yml @@ -0,0 +1,63 @@ +name: Bright + +on: + pull_request: + branches: + - '**' + +permissions: + checks: write + contents: read + id-token: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Check out Git repository + uses: actions/checkout@v4 + + - name: Use Node.js 20.x + uses: actions/setup-node@v4 + with: + node-version: '20' + + - name: Install application dependencies + run: | + npm install + + - name: Start application + run: | + npm start & + + - name: Probe application readiness + run: | + for i in {1..30}; do nc -z 127.0.0.1 3000 && exit 0 || sleep 5; done; exit 1 + + - name: Use Node.js 22.x for SecTesterJS + uses: actions/setup-node@v4 + with: + node-version: '22' + + - name: Install SecTesterJS dependencies + run: | + npm i --save=false --prefix .brightsec @sectester/core @sectester/repeater @sectester/scan @sectester/runner @sectester/reporter + + - name: Authenticate with Bright + uses: ./.github/workflows/composite/configure-bright-credentials + with: + BRIGHT_HOSTNAME: development.playground.brightsec.com + BRIGHT_PROJECT_ID: bSLRUwVyZ9aMHv4S9BrwaW + BRIGHT_TOKEN: ${{ secrets.BRIGHT_TOKEN }} + + - name: Run security tests + env: + BRIGHT_HOSTNAME: development.playground.brightsec.com + BRIGHT_PROJECT_ID: bSLRUwVyZ9aMHv4S9BrwaW + BRIGHT_AUTH_ID: ${{ vars.BRIGHT_AUTH_ID }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BRIGHT_TOKEN: ${{ env.BRIGHT_TOKEN }} + BRIGHT_TARGET_URL: http://127.0.0.1:3000 + SECTESTER_SCAN_POOL_SIZE: ${{ vars.SECTESTER_SCAN_POOL_SIZE }} + run: | + node --experimental-transform-types --experimental-strip-types --experimental-detect-module --disable-warning=MODULE_TYPELESS_PACKAGE_JSON --disable-warning=ExperimentalWarning --test-force-exit --test-concurrency=4 --test .brightsec/tests/*.test.ts \ No newline at end of file diff --git a/.github/workflows/composite/configure-bright-credentials/action.yaml b/.github/workflows/composite/configure-bright-credentials/action.yaml new file mode 100644 index 00000000000..84983846b0d --- /dev/null +++ b/.github/workflows/composite/configure-bright-credentials/action.yaml @@ -0,0 +1,53 @@ +name: 'Configure BrightSec credentials' + +inputs: + BRIGHT_HOSTNAME: + description: 'Hostname for the BrightSec environment' + required: true + BRIGHT_PROJECT_ID: + description: 'Project ID for BrightSec' + required: true + BRIGHT_TOKEN: + description: 'Pre-configured token' + required: false + +runs: + using: 'composite' + steps: + - id: configure_env_from_input + name: 'Set existing token in env' + shell: bash + if: ${{ inputs.BRIGHT_TOKEN != '' }} + env: + BRIGHT_TOKEN: ${{ inputs.BRIGHT_TOKEN }} + run: | + echo "BRIGHT_TOKEN=${BRIGHT_TOKEN}" >> $GITHUB_ENV + + - id: configure_bright_credentials_through_oidc + name: 'Exchange OIDC credentials for Bright token' + shell: bash + if: ${{ inputs.BRIGHT_TOKEN == '' }} + env: + BRIGHT_HOSTNAME: ${{ inputs.BRIGHT_HOSTNAME }} + BRIGHT_PROJECT_ID: ${{ inputs.BRIGHT_PROJECT_ID }} + run: | + # Retrieve OIDC token from GitHub + OIDC_TOKEN=$(curl -sS -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ + "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value') + + # Post the token to BrightSec + RESPONSE=$(curl -s -X POST "https://${BRIGHT_HOSTNAME}/api/v1/projects/${BRIGHT_PROJECT_ID}/api-keys/oidc" \ + -H "Content-Type: application/json" \ + -d "{\"token\": \"${OIDC_TOKEN}\"}") + + if ! echo "$RESPONSE" | jq -e . > /dev/null 2>&1; then + echo "Error: $RESPONSE" 1>&2 + exit 1 + fi + + # Extract the pureKey + PURE_KEY=$(echo "$RESPONSE" | jq -r '.pureKey') + + # Mask and store in environment + echo "::add-mask::$PURE_KEY" + echo "BRIGHT_TOKEN=$PURE_KEY" >> $GITHUB_ENV From 93dce5c129f1ebe4e6a00898574150021ecd0824 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Tue, 25 Nov 2025 18:41:38 +0400 Subject: [PATCH 5/6] test: remove completed test files that are no longer relevant skip-checks:true --- .brightsec/tests/delete-api-address-1.test.ts | 44 -------------- .../tests/delete-api-addresss-1.test.ts | 43 -------------- .../tests/delete-api-basketitems-1.test.ts | 43 -------------- .brightsec/tests/delete-api-cards-1.test.ts | 42 -------------- .../tests/delete-api-challenges-1.test.ts | 42 -------------- .../tests/delete-api-complaints-1.test.ts | 42 -------------- .../tests/delete-api-feedbacks-1.test.ts | 42 -------------- .brightsec/tests/delete-api-hints-1.test.ts | 42 -------------- .../delete-api-privacy-requests-1.test.ts | 43 -------------- .../tests/delete-api-products-1.test.ts | 42 -------------- .../tests/delete-api-quantitys-1.test.ts | 42 -------------- .brightsec/tests/delete-api-recycle-1.test.ts | 42 -------------- .../tests/delete-api-recycles-1.test.ts | 42 -------------- .../delete-api-security-answers-1.test.ts | 42 -------------- .../delete-api-security-questions-1.test.ts | 42 -------------- .brightsec/tests/delete-api-users-1.test.ts | 43 -------------- .brightsec/tests/get-api-address-1.test.ts | 42 -------------- .brightsec/tests/get-api-addresss-1.test.ts | 42 -------------- .brightsec/tests/get-api-addresss.test.ts | 42 -------------- .brightsec/tests/get-api-basket-items.test.ts | 43 -------------- .brightsec/tests/get-api-basketitem-1.test.ts | 42 -------------- .../tests/get-api-basketitems-1.test.ts | 43 -------------- .brightsec/tests/get-api-cards-1.test.ts | 42 -------------- .brightsec/tests/get-api-cards.test.ts | 43 -------------- .brightsec/tests/get-api-challenges-1.test.ts | 42 -------------- .brightsec/tests/get-api-challenges.test.ts | 42 -------------- .brightsec/tests/get-api-complaints-1.test.ts | 43 -------------- .brightsec/tests/get-api-complaints.test.ts | 43 -------------- .brightsec/tests/get-api-deliverys.test.ts | 42 -------------- .brightsec/tests/get-api-docs.test.ts | 42 -------------- .brightsec/tests/get-api-feedbacks-1.test.ts | 43 -------------- .brightsec/tests/get-api-feedbacks.test.ts | 42 -------------- .brightsec/tests/get-api-hints-1.test.ts | 42 -------------- .brightsec/tests/get-api-hints.test.ts | 42 -------------- .../tests/get-api-privacy-requests-1.test.ts | 43 -------------- .../tests/get-api-privacy-requests.test.ts | 43 -------------- .brightsec/tests/get-api-products-1.test.ts | 42 -------------- .brightsec/tests/get-api-products.test.ts | 42 -------------- .brightsec/tests/get-api-quantitys-1.test.ts | 42 -------------- .brightsec/tests/get-api-quantitys.test.ts | 42 -------------- .brightsec/tests/get-api-recycle-1.test.ts | 42 -------------- .brightsec/tests/get-api-recycles-1.test.ts | 42 -------------- .../tests/get-api-security-answers-1.test.ts | 42 -------------- .../tests/get-api-security-answers.test.ts | 42 -------------- .brightsec/tests/get-api-users-1.test.ts | 43 -------------- .brightsec/tests/get-api-users.test.ts | 43 -------------- .../get-assets-public-images-padding.test.ts | 42 -------------- .../get-assets-public-images-products.test.ts | 42 -------------- .../get-assets-public-images-uploads.test.ts | 42 -------------- .brightsec/tests/get-dataerasure.test.ts | 43 -------------- .../get-encryptionkeys-samplefile-txt.test.ts | 42 -------------- .../get-encryptionkeys-samplefile.test.ts | 42 -------------- .../get-ftp-quarantine-samplefile-txt.test.ts | 42 -------------- .../tests/get-ftp-sample-file-md.test.ts | 42 -------------- .brightsec/tests/get-ftp-sample-md.test.ts | 43 -------------- .brightsec/tests/get-metrics.test.ts | 43 -------------- .brightsec/tests/get-profile.test.ts | 45 --------------- .brightsec/tests/get-promotion.test.ts | 43 -------------- .brightsec/tests/get-redirect.test.ts | 43 -------------- .brightsec/tests/get-rest-2fa-status.test.ts | 43 -------------- ...st-admin-application-configuration.test.ts | 43 -------------- ...get-rest-admin-application-version.test.ts | 42 -------------- .../tests/get-rest-basket-1-order.test.ts | 43 -------------- .brightsec/tests/get-rest-basket-1.test.ts | 42 -------------- .brightsec/tests/get-rest-captcha.test.ts | 42 -------------- .../tests/get-rest-chatbot-status.test.ts | 43 -------------- .../get-rest-continue-code-findit.test.ts | 42 -------------- .../get-rest-continue-code-fixit.test.ts | 42 -------------- .../tests/get-rest-continue-code.test.ts | 42 -------------- .../tests/get-rest-country-mapping.test.ts | 43 -------------- .../tests/get-rest-deluxe-membership.test.ts | 42 -------------- .../tests/get-rest-image-captcha.test.ts | 43 -------------- .brightsec/tests/get-rest-languages.test.ts | 43 -------------- .brightsec/tests/get-rest-memories.test.ts | 42 -------------- .../get-rest-order-history-orders.test.ts | 43 -------------- .../tests/get-rest-order-history.test.ts | 43 -------------- .../tests/get-rest-products-1-reviews.test.ts | 42 -------------- .../get-rest-repeat-notification.test.ts | 42 -------------- .../tests/get-rest-save-login-ip.test.ts | 43 -------------- .../tests/get-rest-track-order-12345.test.ts | 42 -------------- ...t-rest-user-authentication-details.test.ts | 43 -------------- .../get-rest-user-change-password.test.ts | 43 -------------- .../get-rest-user-security-question.test.ts | 42 -------------- .brightsec/tests/get-rest-user-whoami.test.ts | 43 -------------- .../tests/get-rest-wallet-balance.test.ts | 42 -------------- .../get-rest-web3-nft-mint-listen.test.ts | 42 -------------- .../tests/get-rest-web3-nft-unlocked.test.ts | 42 -------------- .brightsec/tests/get-security-txt.test.ts | 43 -------------- .../get-snippets-fixes-sample-key.test.ts | 42 -------------- .../get-snippets-sample-challenge.test.ts | 42 -------------- .../get-solve-challenges-server-side.test.ts | 42 -------------- .../tests/get-support-logs-sample-log.test.ts | 42 -------------- ...n-easter-egg-within-the-easter-egg.test.ts | 43 -------------- ...-be-unlocked-by-sending-1btc-to-us.test.ts | 43 -------------- .brightsec/tests/get-video.test.ts | 49 ---------------- ...easonably-necessary-responsibility.test.ts | 42 -------------- .../tests/get-well-known-security-txt.test.ts | 43 -------------- .brightsec/tests/get-well-known.test.ts | 43 -------------- .../patch-rest-products-id-reviews.test.ts | 47 --------------- .../tests/patch-rest-products-reviews.test.ts | 50 ---------------- .brightsec/tests/post-api-addresss.test.ts | 53 ----------------- .../tests/post-api-basket-items.test.ts | 44 -------------- .brightsec/tests/post-api-cards.test.ts | 51 ----------------- .brightsec/tests/post-api-challenges.test.ts | 57 ------------------- .brightsec/tests/post-api-complaints.test.ts | 48 ---------------- .brightsec/tests/post-api-feedbacks.test.ts | 48 ---------------- .brightsec/tests/post-api-hints.test.ts | 42 -------------- .../tests/post-api-privacy-requests.test.ts | 47 --------------- .brightsec/tests/post-api-products.test.ts | 50 ---------------- .brightsec/tests/post-api-quantitys.test.ts | 48 ---------------- .brightsec/tests/post-api-recycles.test.ts | 51 ----------------- .../tests/post-api-security-questions.test.ts | 42 -------------- .brightsec/tests/post-api-users.test.ts | 48 ---------------- .brightsec/tests/post-b2b-v2-orders.test.ts | 50 ---------------- .brightsec/tests/post-dataerasure.test.ts | 47 --------------- .brightsec/tests/post-file-upload.test.ts | 44 -------------- .../tests/post-profile-image-file.test.ts | 47 --------------- .../tests/post-profile-image-url.test.ts | 46 --------------- .brightsec/tests/post-profile.test.ts | 49 ---------------- .../tests/post-rest-2fa-disable.test.ts | 46 --------------- .brightsec/tests/post-rest-2fa-setup.test.ts | 48 ---------------- .brightsec/tests/post-rest-2fa-verify.test.ts | 47 --------------- .../tests/post-rest-basket-1-checkout.test.ts | 51 ----------------- .../tests/post-rest-chatbot-respond.test.ts | 47 --------------- .../tests/post-rest-deluxe-membership.test.ts | 50 ---------------- .brightsec/tests/post-rest-memories.test.ts | 47 --------------- .../tests/post-rest-products-reviews.test.ts | 46 --------------- .../tests/post-rest-user-data-export.test.ts | 44 -------------- .brightsec/tests/post-rest-user-login.test.ts | 47 --------------- .../post-rest-user-reset-password.test.ts | 49 ---------------- .../tests/post-rest-web3-submit-key.test.ts | 46 --------------- ...t-rest-web3-wallet-exploit-address.test.ts | 46 --------------- .../post-rest-web3-wallet-nft-verify.test.ts | 46 --------------- .brightsec/tests/post-snippets-fixes.test.ts | 47 --------------- .../tests/post-snippets-verdict.test.ts | 47 --------------- .brightsec/tests/put-api-addresss-1.test.ts | 52 ----------------- .../tests/put-api-basketitems-1.test.ts | 48 ---------------- .brightsec/tests/put-api-cards-1.test.ts | 50 ---------------- .brightsec/tests/put-api-challenges-1.test.ts | 51 ----------------- .brightsec/tests/put-api-complaints-1.test.ts | 48 ---------------- .brightsec/tests/put-api-feedbacks-1.test.ts | 42 -------------- .brightsec/tests/put-api-hints-1.test.ts | 49 ---------------- .../tests/put-api-privacy-requests-1.test.ts | 47 --------------- .brightsec/tests/put-api-products-1.test.ts | 50 ---------------- .brightsec/tests/put-api-quantitys-1.test.ts | 51 ----------------- .brightsec/tests/put-api-recycles-1.test.ts | 51 ----------------- .../tests/put-api-security-answers-1.test.ts | 48 ---------------- .../put-api-security-questions-1.test.ts | 46 --------------- .brightsec/tests/put-api-users-1.test.ts | 49 ---------------- .../put-rest-basket-1-coupon-jan24-10.test.ts | 43 -------------- ...ntinue-code-apply-example-code-123.test.ts | 46 --------------- ...st-continue-code-findit-apply-code.test.ts | 46 --------------- ...ue-code-fixit-apply-examplecode123.test.ts | 46 --------------- ...st-order-history-1-delivery-status.test.ts | 47 --------------- .../tests/put-rest-wallet-balance.test.ts | 48 ---------------- 155 files changed, 6886 deletions(-) delete mode 100644 .brightsec/tests/delete-api-address-1.test.ts delete mode 100644 .brightsec/tests/delete-api-addresss-1.test.ts delete mode 100644 .brightsec/tests/delete-api-basketitems-1.test.ts delete mode 100644 .brightsec/tests/delete-api-cards-1.test.ts delete mode 100644 .brightsec/tests/delete-api-challenges-1.test.ts delete mode 100644 .brightsec/tests/delete-api-complaints-1.test.ts delete mode 100644 .brightsec/tests/delete-api-feedbacks-1.test.ts delete mode 100644 .brightsec/tests/delete-api-hints-1.test.ts delete mode 100644 .brightsec/tests/delete-api-privacy-requests-1.test.ts delete mode 100644 .brightsec/tests/delete-api-products-1.test.ts delete mode 100644 .brightsec/tests/delete-api-quantitys-1.test.ts delete mode 100644 .brightsec/tests/delete-api-recycle-1.test.ts delete mode 100644 .brightsec/tests/delete-api-recycles-1.test.ts delete mode 100644 .brightsec/tests/delete-api-security-answers-1.test.ts delete mode 100644 .brightsec/tests/delete-api-security-questions-1.test.ts delete mode 100644 .brightsec/tests/delete-api-users-1.test.ts delete mode 100644 .brightsec/tests/get-api-address-1.test.ts delete mode 100644 .brightsec/tests/get-api-addresss-1.test.ts delete mode 100644 .brightsec/tests/get-api-addresss.test.ts delete mode 100644 .brightsec/tests/get-api-basket-items.test.ts delete mode 100644 .brightsec/tests/get-api-basketitem-1.test.ts delete mode 100644 .brightsec/tests/get-api-basketitems-1.test.ts delete mode 100644 .brightsec/tests/get-api-cards-1.test.ts delete mode 100644 .brightsec/tests/get-api-cards.test.ts delete mode 100644 .brightsec/tests/get-api-challenges-1.test.ts delete mode 100644 .brightsec/tests/get-api-challenges.test.ts delete mode 100644 .brightsec/tests/get-api-complaints-1.test.ts delete mode 100644 .brightsec/tests/get-api-complaints.test.ts delete mode 100644 .brightsec/tests/get-api-deliverys.test.ts delete mode 100644 .brightsec/tests/get-api-docs.test.ts delete mode 100644 .brightsec/tests/get-api-feedbacks-1.test.ts delete mode 100644 .brightsec/tests/get-api-feedbacks.test.ts delete mode 100644 .brightsec/tests/get-api-hints-1.test.ts delete mode 100644 .brightsec/tests/get-api-hints.test.ts delete mode 100644 .brightsec/tests/get-api-privacy-requests-1.test.ts delete mode 100644 .brightsec/tests/get-api-privacy-requests.test.ts delete mode 100644 .brightsec/tests/get-api-products-1.test.ts delete mode 100644 .brightsec/tests/get-api-products.test.ts delete mode 100644 .brightsec/tests/get-api-quantitys-1.test.ts delete mode 100644 .brightsec/tests/get-api-quantitys.test.ts delete mode 100644 .brightsec/tests/get-api-recycle-1.test.ts delete mode 100644 .brightsec/tests/get-api-recycles-1.test.ts delete mode 100644 .brightsec/tests/get-api-security-answers-1.test.ts delete mode 100644 .brightsec/tests/get-api-security-answers.test.ts delete mode 100644 .brightsec/tests/get-api-users-1.test.ts delete mode 100644 .brightsec/tests/get-api-users.test.ts delete mode 100644 .brightsec/tests/get-assets-public-images-padding.test.ts delete mode 100644 .brightsec/tests/get-assets-public-images-products.test.ts delete mode 100644 .brightsec/tests/get-assets-public-images-uploads.test.ts delete mode 100644 .brightsec/tests/get-dataerasure.test.ts delete mode 100644 .brightsec/tests/get-encryptionkeys-samplefile-txt.test.ts delete mode 100644 .brightsec/tests/get-encryptionkeys-samplefile.test.ts delete mode 100644 .brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts delete mode 100644 .brightsec/tests/get-ftp-sample-file-md.test.ts delete mode 100644 .brightsec/tests/get-ftp-sample-md.test.ts delete mode 100644 .brightsec/tests/get-metrics.test.ts delete mode 100644 .brightsec/tests/get-profile.test.ts delete mode 100644 .brightsec/tests/get-promotion.test.ts delete mode 100644 .brightsec/tests/get-redirect.test.ts delete mode 100644 .brightsec/tests/get-rest-2fa-status.test.ts delete mode 100644 .brightsec/tests/get-rest-admin-application-configuration.test.ts delete mode 100644 .brightsec/tests/get-rest-admin-application-version.test.ts delete mode 100644 .brightsec/tests/get-rest-basket-1-order.test.ts delete mode 100644 .brightsec/tests/get-rest-basket-1.test.ts delete mode 100644 .brightsec/tests/get-rest-captcha.test.ts delete mode 100644 .brightsec/tests/get-rest-chatbot-status.test.ts delete mode 100644 .brightsec/tests/get-rest-continue-code-findit.test.ts delete mode 100644 .brightsec/tests/get-rest-continue-code-fixit.test.ts delete mode 100644 .brightsec/tests/get-rest-continue-code.test.ts delete mode 100644 .brightsec/tests/get-rest-country-mapping.test.ts delete mode 100644 .brightsec/tests/get-rest-deluxe-membership.test.ts delete mode 100644 .brightsec/tests/get-rest-image-captcha.test.ts delete mode 100644 .brightsec/tests/get-rest-languages.test.ts delete mode 100644 .brightsec/tests/get-rest-memories.test.ts delete mode 100644 .brightsec/tests/get-rest-order-history-orders.test.ts delete mode 100644 .brightsec/tests/get-rest-order-history.test.ts delete mode 100644 .brightsec/tests/get-rest-products-1-reviews.test.ts delete mode 100644 .brightsec/tests/get-rest-repeat-notification.test.ts delete mode 100644 .brightsec/tests/get-rest-save-login-ip.test.ts delete mode 100644 .brightsec/tests/get-rest-track-order-12345.test.ts delete mode 100644 .brightsec/tests/get-rest-user-authentication-details.test.ts delete mode 100644 .brightsec/tests/get-rest-user-change-password.test.ts delete mode 100644 .brightsec/tests/get-rest-user-security-question.test.ts delete mode 100644 .brightsec/tests/get-rest-user-whoami.test.ts delete mode 100644 .brightsec/tests/get-rest-wallet-balance.test.ts delete mode 100644 .brightsec/tests/get-rest-web3-nft-mint-listen.test.ts delete mode 100644 .brightsec/tests/get-rest-web3-nft-unlocked.test.ts delete mode 100644 .brightsec/tests/get-security-txt.test.ts delete mode 100644 .brightsec/tests/get-snippets-fixes-sample-key.test.ts delete mode 100644 .brightsec/tests/get-snippets-sample-challenge.test.ts delete mode 100644 .brightsec/tests/get-solve-challenges-server-side.test.ts delete mode 100644 .brightsec/tests/get-support-logs-sample-log.test.ts delete mode 100644 .brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts delete mode 100644 .brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts delete mode 100644 .brightsec/tests/get-video.test.ts delete mode 100644 .brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts delete mode 100644 .brightsec/tests/get-well-known-security-txt.test.ts delete mode 100644 .brightsec/tests/get-well-known.test.ts delete mode 100644 .brightsec/tests/patch-rest-products-id-reviews.test.ts delete mode 100644 .brightsec/tests/patch-rest-products-reviews.test.ts delete mode 100644 .brightsec/tests/post-api-addresss.test.ts delete mode 100644 .brightsec/tests/post-api-basket-items.test.ts delete mode 100644 .brightsec/tests/post-api-cards.test.ts delete mode 100644 .brightsec/tests/post-api-challenges.test.ts delete mode 100644 .brightsec/tests/post-api-complaints.test.ts delete mode 100644 .brightsec/tests/post-api-feedbacks.test.ts delete mode 100644 .brightsec/tests/post-api-hints.test.ts delete mode 100644 .brightsec/tests/post-api-privacy-requests.test.ts delete mode 100644 .brightsec/tests/post-api-products.test.ts delete mode 100644 .brightsec/tests/post-api-quantitys.test.ts delete mode 100644 .brightsec/tests/post-api-recycles.test.ts delete mode 100644 .brightsec/tests/post-api-security-questions.test.ts delete mode 100644 .brightsec/tests/post-api-users.test.ts delete mode 100644 .brightsec/tests/post-b2b-v2-orders.test.ts delete mode 100644 .brightsec/tests/post-dataerasure.test.ts delete mode 100644 .brightsec/tests/post-file-upload.test.ts delete mode 100644 .brightsec/tests/post-profile-image-file.test.ts delete mode 100644 .brightsec/tests/post-profile-image-url.test.ts delete mode 100644 .brightsec/tests/post-profile.test.ts delete mode 100644 .brightsec/tests/post-rest-2fa-disable.test.ts delete mode 100644 .brightsec/tests/post-rest-2fa-setup.test.ts delete mode 100644 .brightsec/tests/post-rest-2fa-verify.test.ts delete mode 100644 .brightsec/tests/post-rest-basket-1-checkout.test.ts delete mode 100644 .brightsec/tests/post-rest-chatbot-respond.test.ts delete mode 100644 .brightsec/tests/post-rest-deluxe-membership.test.ts delete mode 100644 .brightsec/tests/post-rest-memories.test.ts delete mode 100644 .brightsec/tests/post-rest-products-reviews.test.ts delete mode 100644 .brightsec/tests/post-rest-user-data-export.test.ts delete mode 100644 .brightsec/tests/post-rest-user-login.test.ts delete mode 100644 .brightsec/tests/post-rest-user-reset-password.test.ts delete mode 100644 .brightsec/tests/post-rest-web3-submit-key.test.ts delete mode 100644 .brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts delete mode 100644 .brightsec/tests/post-rest-web3-wallet-nft-verify.test.ts delete mode 100644 .brightsec/tests/post-snippets-fixes.test.ts delete mode 100644 .brightsec/tests/post-snippets-verdict.test.ts delete mode 100644 .brightsec/tests/put-api-addresss-1.test.ts delete mode 100644 .brightsec/tests/put-api-basketitems-1.test.ts delete mode 100644 .brightsec/tests/put-api-cards-1.test.ts delete mode 100644 .brightsec/tests/put-api-challenges-1.test.ts delete mode 100644 .brightsec/tests/put-api-complaints-1.test.ts delete mode 100644 .brightsec/tests/put-api-feedbacks-1.test.ts delete mode 100644 .brightsec/tests/put-api-hints-1.test.ts delete mode 100644 .brightsec/tests/put-api-privacy-requests-1.test.ts delete mode 100644 .brightsec/tests/put-api-products-1.test.ts delete mode 100644 .brightsec/tests/put-api-quantitys-1.test.ts delete mode 100644 .brightsec/tests/put-api-recycles-1.test.ts delete mode 100644 .brightsec/tests/put-api-security-answers-1.test.ts delete mode 100644 .brightsec/tests/put-api-security-questions-1.test.ts delete mode 100644 .brightsec/tests/put-api-users-1.test.ts delete mode 100644 .brightsec/tests/put-rest-basket-1-coupon-jan24-10.test.ts delete mode 100644 .brightsec/tests/put-rest-continue-code-apply-example-code-123.test.ts delete mode 100644 .brightsec/tests/put-rest-continue-code-findit-apply-code.test.ts delete mode 100644 .brightsec/tests/put-rest-continue-code-fixit-apply-examplecode123.test.ts delete mode 100644 .brightsec/tests/put-rest-order-history-1-delivery-status.test.ts delete mode 100644 .brightsec/tests/put-rest-wallet-balance.test.ts diff --git a/.brightsec/tests/delete-api-address-1.test.ts b/.brightsec/tests/delete-api-address-1.test.ts deleted file mode 100644 index 1f80c3cf00a..00000000000 --- a/.brightsec/tests/delete-api-address-1.test.ts +++ /dev/null @@ -1,44 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/address/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Address/1`, - body: { UserId: 1 }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-addresss-1.test.ts b/.brightsec/tests/delete-api-addresss-1.test.ts deleted file mode 100644 index e978af15683..00000000000 --- a/.brightsec/tests/delete-api-addresss-1.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Addresss/1`, - headers: { 'X-Recruiting': 'We are hiring!' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-basketitems-1.test.ts b/.brightsec/tests/delete-api-basketitems-1.test.ts deleted file mode 100644 index 2fc22949611..00000000000 --- a/.brightsec/tests/delete-api-basketitems-1.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/BasketItems/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/BasketItems/1`, - headers: { 'Authorization': 'Bearer ' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-cards-1.test.ts b/.brightsec/tests/delete-api-cards-1.test.ts deleted file mode 100644 index ad6ad1b49d9..00000000000 --- a/.brightsec/tests/delete-api-cards-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/cards/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-challenges-1.test.ts b/.brightsec/tests/delete-api-challenges-1.test.ts deleted file mode 100644 index 281126be543..00000000000 --- a/.brightsec/tests/delete-api-challenges-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/Challenges/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Challenges/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-complaints-1.test.ts b/.brightsec/tests/delete-api-complaints-1.test.ts deleted file mode 100644 index 3928b7feaaf..00000000000 --- a/.brightsec/tests/delete-api-complaints-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/Complaints/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Complaints/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-feedbacks-1.test.ts b/.brightsec/tests/delete-api-feedbacks-1.test.ts deleted file mode 100644 index a2d70fa80c9..00000000000 --- a/.brightsec/tests/delete-api-feedbacks-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/Feedbacks/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'id_enumeration', 'bopla', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Feedbacks/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-hints-1.test.ts b/.brightsec/tests/delete-api-hints-1.test.ts deleted file mode 100644 index 12381155ea4..00000000000 --- a/.brightsec/tests/delete-api-hints-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/Hints/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Hints/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-privacy-requests-1.test.ts b/.brightsec/tests/delete-api-privacy-requests-1.test.ts deleted file mode 100644 index f41689f1faf..00000000000 --- a/.brightsec/tests/delete-api-privacy-requests-1.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/privacy-requests/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/PrivacyRequests/1`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-products-1.test.ts b/.brightsec/tests/delete-api-products-1.test.ts deleted file mode 100644 index 48c1e9e2256..00000000000 --- a/.brightsec/tests/delete-api-products-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/products/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'id_enumeration', 'bopla', 'http_method_fuzzing', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Products/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-quantitys-1.test.ts b/.brightsec/tests/delete-api-quantitys-1.test.ts deleted file mode 100644 index 26c0d9a418a..00000000000 --- a/.brightsec/tests/delete-api-quantitys-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'http_method_fuzzing', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Quantitys/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-recycle-1.test.ts b/.brightsec/tests/delete-api-recycle-1.test.ts deleted file mode 100644 index 9eca4e0b660..00000000000 --- a/.brightsec/tests/delete-api-recycle-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/recycle/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'id_enumeration', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/recycle/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-recycles-1.test.ts b/.brightsec/tests/delete-api-recycles-1.test.ts deleted file mode 100644 index 11dd3929dd8..00000000000 --- a/.brightsec/tests/delete-api-recycles-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'id_enumeration', 'csrf', 'bopla'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Recycles/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-security-answers-1.test.ts b/.brightsec/tests/delete-api-security-answers-1.test.ts deleted file mode 100644 index 998ea77f1cb..00000000000 --- a/.brightsec/tests/delete-api-security-answers-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/security-answers/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/SecurityAnswers/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-security-questions-1.test.ts b/.brightsec/tests/delete-api-security-questions-1.test.ts deleted file mode 100644 index 70eefdaf204..00000000000 --- a/.brightsec/tests/delete-api-security-questions-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/security-questions/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/SecurityQuestions/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/delete-api-users-1.test.ts b/.brightsec/tests/delete-api-users-1.test.ts deleted file mode 100644 index c7934b63573..00000000000 --- a/.brightsec/tests/delete-api-users-1.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('DELETE /api/users/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'jwt', 'xss'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.DELETE, - url: `${baseUrl}/api/Users/1`, - headers: { Authorization: 'Bearer ' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-address-1.test.ts b/.brightsec/tests/get-api-address-1.test.ts deleted file mode 100644 index 49da2902d57..00000000000 --- a/.brightsec/tests/get-api-address-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/address/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'xss', 'sqli', 'csrf', 'full_path_disclosure', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Address/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-addresss-1.test.ts b/.brightsec/tests/get-api-addresss-1.test.ts deleted file mode 100644 index 74c576a64cd..00000000000 --- a/.brightsec/tests/get-api-addresss-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Addresss/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-addresss.test.ts b/.brightsec/tests/get-api-addresss.test.ts deleted file mode 100644 index fdf79760b39..00000000000 --- a/.brightsec/tests/get-api-addresss.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/addresss', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'xss', 'sqli', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Addresss`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-basket-items.test.ts b/.brightsec/tests/get-api-basket-items.test.ts deleted file mode 100644 index 47a004a1ec5..00000000000 --- a/.brightsec/tests/get-api-basket-items.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/basket-items', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/BasketItems`, - headers: { 'X-Recruiting': 'We are hiring! Check out our careers page.' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-basketitem-1.test.ts b/.brightsec/tests/get-api-basketitem-1.test.ts deleted file mode 100644 index 277391799ed..00000000000 --- a/.brightsec/tests/get-api-basketitem-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/basketitem/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/BasketItem/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-basketitems-1.test.ts b/.brightsec/tests/get-api-basketitems-1.test.ts deleted file mode 100644 index fd89901c9f4..00000000000 --- a/.brightsec/tests/get-api-basketitems-1.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/basketitems/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/BasketItems/1`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-cards-1.test.ts b/.brightsec/tests/get-api-cards-1.test.ts deleted file mode 100644 index 90d7f6144ab..00000000000 --- a/.brightsec/tests/get-api-cards-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/cards/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-cards.test.ts b/.brightsec/tests/get-api-cards.test.ts deleted file mode 100644 index cb1ed3067aa..00000000000 --- a/.brightsec/tests/get-api-cards.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/cards', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Cards`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-challenges-1.test.ts b/.brightsec/tests/get-api-challenges-1.test.ts deleted file mode 100644 index 2c4c9b3ebcf..00000000000 --- a/.brightsec/tests/get-api-challenges-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/challenges/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'xss', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Challenges/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-challenges.test.ts b/.brightsec/tests/get-api-challenges.test.ts deleted file mode 100644 index b52cd766a30..00000000000 --- a/.brightsec/tests/get-api-challenges.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/challenges', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'bopla', 'business_constraint_bypass', 'id_enumeration', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.QUERY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Challenges`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-complaints-1.test.ts b/.brightsec/tests/get-api-complaints-1.test.ts deleted file mode 100644 index 82ff4a2918f..00000000000 --- a/.brightsec/tests/get-api-complaints-1.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/Complaints/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Complaints/1`, - headers: { 'X-Recruiting': 'undefined' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-complaints.test.ts b/.brightsec/tests/get-api-complaints.test.ts deleted file mode 100644 index fadf6093e2a..00000000000 --- a/.brightsec/tests/get-api-complaints.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/complaints', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'id_enumeration', 'xss', 'sqli', 'bopla'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Complaints`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-deliverys.test.ts b/.brightsec/tests/get-api-deliverys.test.ts deleted file mode 100644 index f732a81ba9a..00000000000 --- a/.brightsec/tests/get-api-deliverys.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/deliverys', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['business_constraint_bypass', 'id_enumeration', 'xss', 'sqli', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Deliverys`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-docs.test.ts b/.brightsec/tests/get-api-docs.test.ts deleted file mode 100644 index ab3b9723597..00000000000 --- a/.brightsec/tests/get-api-docs.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api-docs', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'csrf', 'improper_asset_management', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api-docs`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-feedbacks-1.test.ts b/.brightsec/tests/get-api-feedbacks-1.test.ts deleted file mode 100644 index 5f4a813a081..00000000000 --- a/.brightsec/tests/get-api-feedbacks-1.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/feedbacks/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'xss', 'sqli', 'csrf', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Feedbacks/1`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-feedbacks.test.ts b/.brightsec/tests/get-api-feedbacks.test.ts deleted file mode 100644 index 3b0929d4cb8..00000000000 --- a/.brightsec/tests/get-api-feedbacks.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/feedbacks', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'business_constraint_bypass', 'sqli', 'csrf', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.QUERY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Feedbacks`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-hints-1.test.ts b/.brightsec/tests/get-api-hints-1.test.ts deleted file mode 100644 index 19ff2b44b76..00000000000 --- a/.brightsec/tests/get-api-hints-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/hints/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'xss', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Hints/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-hints.test.ts b/.brightsec/tests/get-api-hints.test.ts deleted file mode 100644 index 60c7a5042fe..00000000000 --- a/.brightsec/tests/get-api-hints.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/hints', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'xss'], - attackParamLocations: [AttackParamLocation.QUERY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Hints`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-privacy-requests-1.test.ts b/.brightsec/tests/get-api-privacy-requests-1.test.ts deleted file mode 100644 index e39eeba3f73..00000000000 --- a/.brightsec/tests/get-api-privacy-requests-1.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/privacy-requests/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'csrf', 'sqli', 'xss', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/PrivacyRequests/1`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-privacy-requests.test.ts b/.brightsec/tests/get-api-privacy-requests.test.ts deleted file mode 100644 index e0238f68e18..00000000000 --- a/.brightsec/tests/get-api-privacy-requests.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/privacy-requests', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/PrivacyRequests`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-products-1.test.ts b/.brightsec/tests/get-api-products-1.test.ts deleted file mode 100644 index 4fd4667886e..00000000000 --- a/.brightsec/tests/get-api-products-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/products/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'xss', 'id_enumeration', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Products/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-products.test.ts b/.brightsec/tests/get-api-products.test.ts deleted file mode 100644 index 9d8e71d49da..00000000000 --- a/.brightsec/tests/get-api-products.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/products', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'xss', 'business_constraint_bypass', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/products`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-quantitys-1.test.ts b/.brightsec/tests/get-api-quantitys-1.test.ts deleted file mode 100644 index b26d3256ac9..00000000000 --- a/.brightsec/tests/get-api-quantitys-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'csrf', 'xss', 'sqli', 'osi'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Quantitys/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-quantitys.test.ts b/.brightsec/tests/get-api-quantitys.test.ts deleted file mode 100644 index 1191e6e7eba..00000000000 --- a/.brightsec/tests/get-api-quantitys.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/quantitys', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Quantitys`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-recycle-1.test.ts b/.brightsec/tests/get-api-recycle-1.test.ts deleted file mode 100644 index ffef03a1cea..00000000000 --- a/.brightsec/tests/get-api-recycle-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/recycle/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'id_enumeration', 'full_path_disclosure', 'xss'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/recycle/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-recycles-1.test.ts b/.brightsec/tests/get-api-recycles-1.test.ts deleted file mode 100644 index 652f9926f7f..00000000000 --- a/.brightsec/tests/get-api-recycles-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'id_enumeration', 'full_path_disclosure', 'xss'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Recycles/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-security-answers-1.test.ts b/.brightsec/tests/get-api-security-answers-1.test.ts deleted file mode 100644 index 93185c65466..00000000000 --- a/.brightsec/tests/get-api-security-answers-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/security-answers/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/SecurityAnswers/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-security-answers.test.ts b/.brightsec/tests/get-api-security-answers.test.ts deleted file mode 100644 index 37e32b7fe4f..00000000000 --- a/.brightsec/tests/get-api-security-answers.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/security-answers', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.QUERY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/SecurityAnswers?email=user@example.com`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-users-1.test.ts b/.brightsec/tests/get-api-users-1.test.ts deleted file mode 100644 index 5fd83f8700c..00000000000 --- a/.brightsec/tests/get-api-users-1.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/users/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'bopla', 'xss', 'sqli', 'csrf', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Users/1`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-api-users.test.ts b/.brightsec/tests/get-api-users.test.ts deleted file mode 100644 index e19331feed8..00000000000 --- a/.brightsec/tests/get-api-users.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /api/users', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'xss', 'sqli', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/api/Users`, - headers: { 'X-Recruiting': 'YourCompany' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-assets-public-images-padding.test.ts b/.brightsec/tests/get-assets-public-images-padding.test.ts deleted file mode 100644 index 5180d243f53..00000000000 --- a/.brightsec/tests/get-assets-public-images-padding.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /assets/public/images/padding', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'lfi', 'improper_asset_management', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/assets/public/images/padding`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-assets-public-images-products.test.ts b/.brightsec/tests/get-assets-public-images-products.test.ts deleted file mode 100644 index 6f99c8d1e78..00000000000 --- a/.brightsec/tests/get-assets-public-images-products.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /assets/public/images/products', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'lfi', 'improper_asset_management', 'csrf'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/assets/public/images/products`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-assets-public-images-uploads.test.ts b/.brightsec/tests/get-assets-public-images-uploads.test.ts deleted file mode 100644 index a9f6d89c17e..00000000000 --- a/.brightsec/tests/get-assets-public-images-uploads.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /assets/public/images/uploads', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/assets/public/images/uploads`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-dataerasure.test.ts b/.brightsec/tests/get-dataerasure.test.ts deleted file mode 100644 index 642063c02b1..00000000000 --- a/.brightsec/tests/get-dataerasure.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /dataerasure', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'lfi', 'osi', 'sqli'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/dataerasure/`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-encryptionkeys-samplefile-txt.test.ts b/.brightsec/tests/get-encryptionkeys-samplefile-txt.test.ts deleted file mode 100644 index 79097cfd259..00000000000 --- a/.brightsec/tests/get-encryptionkeys-samplefile-txt.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /encryptionkeys/samplefile.txt', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['lfi', 'improper_asset_management', 'full_path_disclosure', 'xss'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/encryptionkeys/samplefile.txt`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-encryptionkeys-samplefile.test.ts b/.brightsec/tests/get-encryptionkeys-samplefile.test.ts deleted file mode 100644 index 84c143902b6..00000000000 --- a/.brightsec/tests/get-encryptionkeys-samplefile.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /encryptionkeys/samplefile', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['directoryListingChallenge', 'accessLogDisclosureChallenge', 'xss', 'csrf', 'lfi'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/encryptionkeys/samplefile`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts b/.brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts deleted file mode 100644 index 8e0c3c2712e..00000000000 --- a/.brightsec/tests/get-ftp-quarantine-samplefile-txt.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /ftp/quarantine/samplefile.txt', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['lfi', 'full_path_disclosure', 'http_method_fuzzing'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/ftp/quarantine/samplefile.txt`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-ftp-sample-file-md.test.ts b/.brightsec/tests/get-ftp-sample-file-md.test.ts deleted file mode 100644 index 7ba2569c3e7..00000000000 --- a/.brightsec/tests/get-ftp-sample-file-md.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /ftp/sample-file.md', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['lfi', 'ssrf', 'xss', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/ftp/sample-file.md`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-ftp-sample-md.test.ts b/.brightsec/tests/get-ftp-sample-md.test.ts deleted file mode 100644 index dd68195b9ac..00000000000 --- a/.brightsec/tests/get-ftp-sample-md.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /ftp/sample.md', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['lfi', 'xss', 'full_path_disclosure', 'css_injection', 'unvalidated_redirect'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/ftp/sample.md`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-metrics.test.ts b/.brightsec/tests/get-metrics.test.ts deleted file mode 100644 index d4c0ec31fcf..00000000000 --- a/.brightsec/tests/get-metrics.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /metrics', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['improper_asset_management', 'csrf', 'full_path_disclosure', 'open_database', 'xss'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/metrics`, - headers: { 'Content-Type': 'text/plain; version=0.0.4; charset=utf-8' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-profile.test.ts b/.brightsec/tests/get-profile.test.ts deleted file mode 100644 index dca5f2d4f88..00000000000 --- a/.brightsec/tests/get-profile.test.ts +++ /dev/null @@ -1,45 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /profile', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['ssti', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/profile`, - headers: { - 'Content-Security-Policy': "img-src 'self' ; script-src 'self' 'unsafe-eval' https://code.getmdl.io http://ajax.googleapis.com" - }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-promotion.test.ts b/.brightsec/tests/get-promotion.test.ts deleted file mode 100644 index 123daf5b264..00000000000 --- a/.brightsec/tests/get-promotion.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /promotion', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'html_injection', 'css_injection'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/promotion`, - headers: { 'Content-Type': 'text/html' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-redirect.test.ts b/.brightsec/tests/get-redirect.test.ts deleted file mode 100644 index 0ee07a3ce01..00000000000 --- a/.brightsec/tests/get-redirect.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /redirect', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['unvalidated_redirect', 'ssrf'], - attackParamLocations: [AttackParamLocation.QUERY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/redirect?to=https://example.com`, - headers: { 'X-Recruiting': '/#/jobs' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-2fa-status.test.ts b/.brightsec/tests/get-rest-2fa-status.test.ts deleted file mode 100644 index 3eaf1581e1c..00000000000 --- a/.brightsec/tests/get-rest-2fa-status.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/2fa/status', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'secret_tokens', 'jwt', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/2fa/status`, - headers: { 'Authorization': 'Bearer ' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-admin-application-configuration.test.ts b/.brightsec/tests/get-rest-admin-application-configuration.test.ts deleted file mode 100644 index d226870aa5f..00000000000 --- a/.brightsec/tests/get-rest-admin-application-configuration.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/admin/application-configuration', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['improper_asset_management', 'full_path_disclosure', 'secret_tokens', 'open_database', 'csrf'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/admin/application-configuration`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-admin-application-version.test.ts b/.brightsec/tests/get-rest-admin-application-version.test.ts deleted file mode 100644 index b9ffe5b731e..00000000000 --- a/.brightsec/tests/get-rest-admin-application-version.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/admin/application-version', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['improper_asset_management', 'full_path_disclosure', 'xss'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/admin/application-version`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-basket-1-order.test.ts b/.brightsec/tests/get-rest-basket-1-order.test.ts deleted file mode 100644 index c09e03e1c62..00000000000 --- a/.brightsec/tests/get-rest-basket-1-order.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/basket/1/order', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/basket/1/order`, - headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-basket-1.test.ts b/.brightsec/tests/get-rest-basket-1.test.ts deleted file mode 100644 index c09a5446720..00000000000 --- a/.brightsec/tests/get-rest-basket-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/basket/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'xss', 'sqli'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/basket/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-captcha.test.ts b/.brightsec/tests/get-rest-captcha.test.ts deleted file mode 100644 index 9b1c3dfed79..00000000000 --- a/.brightsec/tests/get-rest-captcha.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/captcha', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'csrf', 'business_constraint_bypass', 'osi'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/captcha`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-chatbot-status.test.ts b/.brightsec/tests/get-rest-chatbot-status.test.ts deleted file mode 100644 index 25ed714de7c..00000000000 --- a/.brightsec/tests/get-rest-chatbot-status.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/chatbot/status', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'jwt', 'xss', 'server_side_js_injection', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/chatbot/status`, - headers: { "X-Recruiting": "We're hiring! Visit our careers page for more information." }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-continue-code-findit.test.ts b/.brightsec/tests/get-rest-continue-code-findit.test.ts deleted file mode 100644 index dd24c917366..00000000000 --- a/.brightsec/tests/get-rest-continue-code-findit.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/continue-code-findIt', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['business_constraint_bypass', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/continue-code-findIt`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-continue-code-fixit.test.ts b/.brightsec/tests/get-rest-continue-code-fixit.test.ts deleted file mode 100644 index 5028ca6457e..00000000000 --- a/.brightsec/tests/get-rest-continue-code-fixit.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/continue-code-fixIt', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['business_constraint_bypass', 'sqli', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/continue-code-fixIt`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-continue-code.test.ts b/.brightsec/tests/get-rest-continue-code.test.ts deleted file mode 100644 index 0fe493bb3a1..00000000000 --- a/.brightsec/tests/get-rest-continue-code.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/continue-code', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'csrf', 'business_constraint_bypass', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/continue-code`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-country-mapping.test.ts b/.brightsec/tests/get-rest-country-mapping.test.ts deleted file mode 100644 index 43b22651b43..00000000000 --- a/.brightsec/tests/get-rest-country-mapping.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/country-mapping', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['improper_asset_management', 'full_path_disclosure', 'csrf'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/country-mapping`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-deluxe-membership.test.ts b/.brightsec/tests/get-rest-deluxe-membership.test.ts deleted file mode 100644 index 62e1f5be189..00000000000 --- a/.brightsec/tests/get-rest-deluxe-membership.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/deluxe-membership', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'xss', 'jwt', 'business_constraint_bypass'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/deluxe-membership`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-image-captcha.test.ts b/.brightsec/tests/get-rest-image-captcha.test.ts deleted file mode 100644 index b58c6c0782e..00000000000 --- a/.brightsec/tests/get-rest-image-captcha.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/image-captcha', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'id_enumeration', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/image-captcha`, - headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-languages.test.ts b/.brightsec/tests/get-rest-languages.test.ts deleted file mode 100644 index c706a89c5e2..00000000000 --- a/.brightsec/tests/get-rest-languages.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/languages', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['full_path_disclosure', 'xss', 'sqli', 'csrf'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/languages`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-memories.test.ts b/.brightsec/tests/get-rest-memories.test.ts deleted file mode 100644 index 612febf9056..00000000000 --- a/.brightsec/tests/get-rest-memories.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/memories', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'sqli', 'xss', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.QUERY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/memories`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-order-history-orders.test.ts b/.brightsec/tests/get-rest-order-history-orders.test.ts deleted file mode 100644 index a1f09339ae1..00000000000 --- a/.brightsec/tests/get-rest-order-history-orders.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/order-history/orders', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'nosql', 'bopla', 'business_constraint_bypass'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/order-history/orders`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-order-history.test.ts b/.brightsec/tests/get-rest-order-history.test.ts deleted file mode 100644 index c46140ec23d..00000000000 --- a/.brightsec/tests/get-rest-order-history.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/order-history', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'nosql', 'xss', 'bopla', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/order-history`, - headers: { 'X-Recruiting': '/#/jobs' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-products-1-reviews.test.ts b/.brightsec/tests/get-rest-products-1-reviews.test.ts deleted file mode 100644 index ee4f77f5d28..00000000000 --- a/.brightsec/tests/get-rest-products-1-reviews.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/products/1/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['nosql', 'business_constraint_bypass', 'xss'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/products/1/reviews`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-repeat-notification.test.ts b/.brightsec/tests/get-rest-repeat-notification.test.ts deleted file mode 100644 index 45e59ed37cc..00000000000 --- a/.brightsec/tests/get-rest-repeat-notification.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/repeat-notification', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'xss', 'csrf', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.QUERY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/repeat-notification?challenge=SQL%20Injection`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-save-login-ip.test.ts b/.brightsec/tests/get-rest-save-login-ip.test.ts deleted file mode 100644 index 0f36ec4696a..00000000000 --- a/.brightsec/tests/get-rest-save-login-ip.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/saveLoginIp', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'csrf', 'bopla'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/saveLoginIp`, - headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-track-order-12345.test.ts b/.brightsec/tests/get-rest-track-order-12345.test.ts deleted file mode 100644 index a5febc32db6..00000000000 --- a/.brightsec/tests/get-rest-track-order-12345.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/track-order/12345', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'nosql', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/track-order/12345`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-user-authentication-details.test.ts b/.brightsec/tests/get-rest-user-authentication-details.test.ts deleted file mode 100644 index a9a04675555..00000000000 --- a/.brightsec/tests/get-rest-user-authentication-details.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/user/authentication-details', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'bopla', 'id_enumeration', 'jwt'], - attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/user/authentication-details?callback=callbackFunction`, - headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-user-change-password.test.ts b/.brightsec/tests/get-rest-user-change-password.test.ts deleted file mode 100644 index 7ee2ffd4690..00000000000 --- a/.brightsec/tests/get-rest-user-change-password.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/user/change-password', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'bopla', 'sqli', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/user/change-password?current=current_password_example&new=new_password_example&repeat=new_password_example`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-user-security-question.test.ts b/.brightsec/tests/get-rest-user-security-question.test.ts deleted file mode 100644 index 2a8ac91d16e..00000000000 --- a/.brightsec/tests/get-rest-user-security-question.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/user/security-question', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['id_enumeration', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.QUERY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/user/security-question?email=user@example.com`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-user-whoami.test.ts b/.brightsec/tests/get-rest-user-whoami.test.ts deleted file mode 100644 index d981d372b74..00000000000 --- a/.brightsec/tests/get-rest-user-whoami.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/user/whoami', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'id_enumeration', 'bopla', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.HEADER, AttackParamLocation.QUERY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/user/whoami?callback=callbackFunction`, - headers: { 'X-Recruiting': '/#/jobs' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-wallet-balance.test.ts b/.brightsec/tests/get-rest-wallet-balance.test.ts deleted file mode 100644 index ca31b986b10..00000000000 --- a/.brightsec/tests/get-rest-wallet-balance.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/wallet/balance', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'jwt', 'nosql', 'xss'], - attackParamLocations: [AttackParamLocation.QUERY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/wallet/balance`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-web3-nft-mint-listen.test.ts b/.brightsec/tests/get-rest-web3-nft-mint-listen.test.ts deleted file mode 100644 index 85f1a6ee6bc..00000000000 --- a/.brightsec/tests/get-rest-web3-nft-mint-listen.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/web3/nftMintListen', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['ssrf', 'secret_tokens', 'business_constraint_bypass', 'osi'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/web3/nftMintListen`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-rest-web3-nft-unlocked.test.ts b/.brightsec/tests/get-rest-web3-nft-unlocked.test.ts deleted file mode 100644 index 9dfb95affa8..00000000000 --- a/.brightsec/tests/get-rest-web3-nft-unlocked.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /rest/web3/nftUnlocked', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'insecure_tls_configuration', 'improper_asset_management', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.QUERY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/rest/web3/nftUnlocked`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-security-txt.test.ts b/.brightsec/tests/get-security-txt.test.ts deleted file mode 100644 index 5643c9b1257..00000000000 --- a/.brightsec/tests/get-security-txt.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /security.txt', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'improper_asset_management', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/security.txt`, - headers: { 'X-Recruiting': '/#/jobs' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-snippets-fixes-sample-key.test.ts b/.brightsec/tests/get-snippets-fixes-sample-key.test.ts deleted file mode 100644 index f8b99686bce..00000000000 --- a/.brightsec/tests/get-snippets-fixes-sample-key.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /snippets/fixes/sampleKey', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'sqli', 'id_enumeration', 'csrf', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/snippets/fixes/sampleKey`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-snippets-sample-challenge.test.ts b/.brightsec/tests/get-snippets-sample-challenge.test.ts deleted file mode 100644 index 09049991e2c..00000000000 --- a/.brightsec/tests/get-snippets-sample-challenge.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /snippets/sample-challenge', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'csrf', 'id_enumeration', 'improper_asset_management', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/snippets/sample-challenge`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-solve-challenges-server-side.test.ts b/.brightsec/tests/get-solve-challenges-server-side.test.ts deleted file mode 100644 index dfe1f990016..00000000000 --- a/.brightsec/tests/get-solve-challenges-server-side.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /solve/challenges/server-side', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['ssti', 'ssrf', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.QUERY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/solve/challenges/server-side?key=tRy_H4rd3r_n0thIng_iS_Imp0ssibl3`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-support-logs-sample-log.test.ts b/.brightsec/tests/get-support-logs-sample-log.test.ts deleted file mode 100644 index 160d02272e5..00000000000 --- a/.brightsec/tests/get-support-logs-sample-log.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /support/logs/sample.log', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['lfi', 'full_path_disclosure', 'improper_asset_management'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/support/logs/sample.log`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts b/.brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts deleted file mode 100644 index bfa9bb14ee8..00000000000 --- a/.brightsec/tests/get-the-devs-are-so-funny-they-hid-an-easter-egg-within-the-easter-egg.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'csrf', 'full_path_disclosure', 'improper_asset_management', 'open_cloud_storage'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg`, - headers: { 'X-Recruiting': 'undefined' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts b/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts deleted file mode 100644 index ea150bb670d..00000000000 --- a/.brightsec/tests/get-this-page-is-hidden-behind-an-incredibly-high-paywall-that-could-only-be-unlocked-by-sending-1btc-to-us.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc/to/us', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'unvalidated_redirect', 'sqli', 'ssrf', 'osi'], - attackParamLocations: [AttackParamLocation.HEADER, AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc/to/us`, - headers: { 'X-Recruiting': 'We are hiring! Check out our careers page.' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-video.test.ts b/.brightsec/tests/get-video.test.ts deleted file mode 100644 index cdf315e2b94..00000000000 --- a/.brightsec/tests/get-video.test.ts +++ /dev/null @@ -1,49 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /video', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'full_path_disclosure', 'ssrf'], - attackParamLocations: [AttackParamLocation.HEADER, AttackParamLocation.PATH], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/video`, - headers: { - 'Content-Range': 'bytes 0-1023/2048', - 'Accept-Ranges': 'bytes', - 'Content-Length': '1024', - 'Content-Location': '/assets/public/videos/owasp_promo.mp4', - 'Content-Type': 'video/mp4' - }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts b/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts deleted file mode 100644 index e1c5cdcbba2..00000000000 --- a/.brightsec/tests/get-we-may-also-instruct-you-to-refuse-all-reasonably-necessary-responsibility.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'csrf', 'lfi', 'improper_asset_management', 'full_path_disclosure'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-well-known-security-txt.test.ts b/.brightsec/tests/get-well-known-security-txt.test.ts deleted file mode 100644 index fa7ce6868fc..00000000000 --- a/.brightsec/tests/get-well-known-security-txt.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /.well-known/security.txt', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'xss', 'improper_asset_management', 'full_path_disclosure', 'insecure_tls_configuration'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/.well-known/security.txt`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/get-well-known.test.ts b/.brightsec/tests/get-well-known.test.ts deleted file mode 100644 index 3be5b4e3c45..00000000000 --- a/.brightsec/tests/get-well-known.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('GET /.well-known', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['improper_asset_management', 'full_path_disclosure', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.GET, - url: `${baseUrl}/.well-known`, - headers: { 'X-Recruiting': '' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/patch-rest-products-id-reviews.test.ts b/.brightsec/tests/patch-rest-products-id-reviews.test.ts deleted file mode 100644 index 33b3510fdf0..00000000000 --- a/.brightsec/tests/patch-rest-products-id-reviews.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PATCH /rest/products/:id/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'nosql', 'xss'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PATCH, - url: `${baseUrl}/rest/products/60c72b2f9b1d8e001c8e4b8a/reviews`, - body: { - id: "60c72b2f9b1d8e001c8e4b8a", - message: "Updated review message." - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/patch-rest-products-reviews.test.ts b/.brightsec/tests/patch-rest-products-reviews.test.ts deleted file mode 100644 index 1027c7b4d81..00000000000 --- a/.brightsec/tests/patch-rest-products-reviews.test.ts +++ /dev/null @@ -1,50 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PATCH /rest/products/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'nosql', 'xss'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PATCH, - url: `${baseUrl}/rest/products/reviews`, - body: { - id: "507f1f77bcf86cd799439011", - message: "Updated review message" - }, - headers: { - 'Content-Type': 'application/json', - 'X-Recruiting': '' - }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-addresss.test.ts b/.brightsec/tests/post-api-addresss.test.ts deleted file mode 100644 index cbb2dfbd207..00000000000 --- a/.brightsec/tests/post-api-addresss.test.ts +++ /dev/null @@ -1,53 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/addresss', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'sqli', 'xss', 'csrf', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Addresss`, - body: { - UserId: 1, - fullName: "John Doe", - mobileNum: 1234567890, - zipCode: "12345", - streetAddress: "123 Main St", - city: "Anytown", - state: "Anystate", - country: "Anyland" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-basket-items.test.ts b/.brightsec/tests/post-api-basket-items.test.ts deleted file mode 100644 index e2c194c27c2..00000000000 --- a/.brightsec/tests/post-api-basket-items.test.ts +++ /dev/null @@ -1,44 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/basket-items', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'sqli', 'xss', 'business_constraint_bypass'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/BasketItems`, - body: [{ "ProductId": 1, "BasketId": 1, "quantity": 2 }], - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-cards.test.ts b/.brightsec/tests/post-api-cards.test.ts deleted file mode 100644 index 609605ae4c6..00000000000 --- a/.brightsec/tests/post-api-cards.test.ts +++ /dev/null @@ -1,51 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/cards', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'sqli', 'xss', 'date_manipulation', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined, - skipStaticParams: false - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/cards`, - body: { - UserId: 1, - fullName: "John Doe", - cardNum: 1234567812345678, - expMonth: 12, - expYear: 2099 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-challenges.test.ts b/.brightsec/tests/post-api-challenges.test.ts deleted file mode 100644 index 00dd012629b..00000000000 --- a/.brightsec/tests/post-api-challenges.test.ts +++ /dev/null @@ -1,57 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/challenges', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'csrf', 'bopla', 'business_constraint_bypass'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Challenges`, - body: { - key: "restfulXssChallenge", - name: "Cross-Site Scripting", - category: "Security", - description: "A challenge to test XSS vulnerabilities.", - difficulty: 3, - mitigationUrl: "https://example.com/mitigation", - tags: "xss,security", - solved: false, - disabledEnv: null, - tutorialOrder: 1, - codingChallengeStatus: 0, - hasCodingChallenge: true - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-complaints.test.ts b/.brightsec/tests/post-api-complaints.test.ts deleted file mode 100644 index e0b1f184c8e..00000000000 --- a/.brightsec/tests/post-api-complaints.test.ts +++ /dev/null @@ -1,48 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/complaints', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'file_upload', 'xss', 'bopla', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Complaints`, - body: { - UserId: 123, - message: 'This is a sample complaint message.', - file: 'optional-file-path-or-url' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-feedbacks.test.ts b/.brightsec/tests/post-api-feedbacks.test.ts deleted file mode 100644 index b2b98a6436d..00000000000 --- a/.brightsec/tests/post-api-feedbacks.test.ts +++ /dev/null @@ -1,48 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/feedbacks', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'bopla', 'sqli', 'csrf'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Feedbacks`, - body: { - UserId: 1, - comment: 'Great product!', - rating: 5 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-hints.test.ts b/.brightsec/tests/post-api-hints.test.ts deleted file mode 100644 index 38e9ee3e722..00000000000 --- a/.brightsec/tests/post-api-hints.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/hints', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'xss', 'sqli', 'nosql'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Hints`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-privacy-requests.test.ts b/.brightsec/tests/post-api-privacy-requests.test.ts deleted file mode 100644 index 1d7b9f425da..00000000000 --- a/.brightsec/tests/post-api-privacy-requests.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/privacy-requests', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'id_enumeration', 'xss', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/PrivacyRequests`, - body: { - UserId: 123, - deletionRequested: true - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-products.test.ts b/.brightsec/tests/post-api-products.test.ts deleted file mode 100644 index 0c7d6b48ef6..00000000000 --- a/.brightsec/tests/post-api-products.test.ts +++ /dev/null @@ -1,50 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/products', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'sqli', 'csrf'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Products`, - body: { - name: 'Sample Product', - description: 'A sample product description.', - price: 19.99, - deluxePrice: 29.99, - image: 'sample-product.jpg' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-quantitys.test.ts b/.brightsec/tests/post-api-quantitys.test.ts deleted file mode 100644 index 65f6c58fb03..00000000000 --- a/.brightsec/tests/post-api-quantitys.test.ts +++ /dev/null @@ -1,48 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/quantitys', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['business_constraint_bypass', 'csrf', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Quantitys`, - body: { - ProductId: 1, - quantity: 100, - limitPerUser: 5 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-recycles.test.ts b/.brightsec/tests/post-api-recycles.test.ts deleted file mode 100644 index 9705fb649a1..00000000000 --- a/.brightsec/tests/post-api-recycles.test.ts +++ /dev/null @@ -1,51 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/recycles', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'bopla', 'csrf', 'date_manipulation', 'xss'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined, - skipStaticParams: false - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Recycles`, - body: { - UserId: 1, - AddressId: 1, - quantity: 10, - isPickup: true, - date: "2023-10-01T00:00:00Z" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-security-questions.test.ts b/.brightsec/tests/post-api-security-questions.test.ts deleted file mode 100644 index 282b1c7c038..00000000000 --- a/.brightsec/tests/post-api-security-questions.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/security-questions', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'xss', 'sqli', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/SecurityQuestions`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-api-users.test.ts b/.brightsec/tests/post-api-users.test.ts deleted file mode 100644 index ee989164696..00000000000 --- a/.brightsec/tests/post-api-users.test.ts +++ /dev/null @@ -1,48 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /api/users', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'sqli', 'csrf', 'email_injection', 'proto_pollution'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/api/Users`, - body: { - email: 'user@example.com', - password: 'securePassword123', - passwordRepeat: 'securePassword123' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-b2b-v2-orders.test.ts b/.brightsec/tests/post-b2b-v2-orders.test.ts deleted file mode 100644 index b62f21502da..00000000000 --- a/.brightsec/tests/post-b2b-v2-orders.test.ts +++ /dev/null @@ -1,50 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /b2b/v2/orders', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['osi', 'business_constraint_bypass', 'xss', 'csrf', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/b2b/v2/orders`, - body: { - cid: "12345", - orderLinesData: "" - }, - headers: { - 'Content-Type': 'application/json', - 'X-Recruiting': '' - }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-dataerasure.test.ts b/.brightsec/tests/post-dataerasure.test.ts deleted file mode 100644 index a5eacfe635f..00000000000 --- a/.brightsec/tests/post-dataerasure.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /dataerasure', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/dataerasure`, - body: { - email: 'user@example.com', - securityAnswer: 'exampleAnswer' - }, - headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-file-upload.test.ts b/.brightsec/tests/post-file-upload.test.ts deleted file mode 100644 index 675337ee811..00000000000 --- a/.brightsec/tests/post-file-upload.test.ts +++ /dev/null @@ -1,44 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /file-upload', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['file_upload', 'xss', 'ssrf', 'xxe'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/file-upload`, - headers: { 'Content-Type': 'multipart/form-data' }, - body: `--boundary\r\nContent-Disposition: form-data; name="file"; filename="example.zip"\r\nContent-Type: application/zip\r\n\r\n\r\n--boundary--`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-profile-image-file.test.ts b/.brightsec/tests/post-profile-image-file.test.ts deleted file mode 100644 index aaf6558ff3a..00000000000 --- a/.brightsec/tests/post-profile-image-file.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /profile/image/file', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['file_upload', 'ssrf', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/profile/image/file`, - headers: { - 'Content-Type': 'multipart/form-data', - 'X-Recruiting': 'true' - }, - body: "--boundary\r\nContent-Disposition: form-data; name=\"file\"; filename=\"profile.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n\r\n--boundary--", - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-profile-image-url.test.ts b/.brightsec/tests/post-profile-image-url.test.ts deleted file mode 100644 index 76b52071e9e..00000000000 --- a/.brightsec/tests/post-profile-image-url.test.ts +++ /dev/null @@ -1,46 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /profile/image/url', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['ssrf', 'file_upload', 'xss'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/profile/image/url`, - body: { - imageUrl: 'https://example.com/image.jpg' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-profile.test.ts b/.brightsec/tests/post-profile.test.ts deleted file mode 100644 index 59de928613d..00000000000 --- a/.brightsec/tests/post-profile.test.ts +++ /dev/null @@ -1,49 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /profile', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'xss', 'jwt'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/profile`, - body: { - username: 'newUsername' - }, - headers: { - 'Content-Type': 'application/json', - 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' - }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-2fa-disable.test.ts b/.brightsec/tests/post-rest-2fa-disable.test.ts deleted file mode 100644 index 48af4a16f98..00000000000 --- a/.brightsec/tests/post-rest-2fa-disable.test.ts +++ /dev/null @@ -1,46 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/2fa/disable', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'bopla', 'osi', 'xss'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/2fa/disable`, - body: { - password: 'examplePassword123' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-2fa-setup.test.ts b/.brightsec/tests/post-rest-2fa-setup.test.ts deleted file mode 100644 index 45faa4922c2..00000000000 --- a/.brightsec/tests/post-rest-2fa-setup.test.ts +++ /dev/null @@ -1,48 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/2fa/setup', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'jwt', 'secret_tokens'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/2fa/setup`, - body: { - password: "userpassword123", - setupToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9", - initialToken: "123456" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-2fa-verify.test.ts b/.brightsec/tests/post-rest-2fa-verify.test.ts deleted file mode 100644 index e7646bdc656..00000000000 --- a/.brightsec/tests/post-rest-2fa-verify.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/2fa/verify', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'jwt', 'xss', 'osi', 'sqli', 'nosql'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/2fa/verify`, - body: { - tmpToken: "sampleTmpToken123", - totpToken: "123456" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-basket-1-checkout.test.ts b/.brightsec/tests/post-rest-basket-1-checkout.test.ts deleted file mode 100644 index b6c5c8d2457..00000000000 --- a/.brightsec/tests/post-rest-basket-1-checkout.test.ts +++ /dev/null @@ -1,51 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/basket/1/checkout', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'sqli', 'xss', 'csrf', 'osi'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/basket/1/checkout`, - body: { - orderDetails: { - deliveryMethodId: 1, - paymentId: "wallet", - addressId: 123 - }, - UserId: 456 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-chatbot-respond.test.ts b/.brightsec/tests/post-rest-chatbot-respond.test.ts deleted file mode 100644 index 13d2ebb294b..00000000000 --- a/.brightsec/tests/post-rest-chatbot-respond.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/chatbot/respond', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['jwt', 'xss', 'server_side_js_injection', 'csrf', 'nosql'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/chatbot/respond`, - body: { - action: "query", - query: "Hello, how are you?" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-deluxe-membership.test.ts b/.brightsec/tests/post-rest-deluxe-membership.test.ts deleted file mode 100644 index 22a1184a14c..00000000000 --- a/.brightsec/tests/post-rest-deluxe-membership.test.ts +++ /dev/null @@ -1,50 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/deluxe-membership', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'id_enumeration', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/deluxe-membership`, - body: { - UserId: 1, - paymentMode: "wallet" - }, - headers: { - 'Content-Type': 'application/json', - 'X-Recruiting': 'We are hiring!' - }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-memories.test.ts b/.brightsec/tests/post-rest-memories.test.ts deleted file mode 100644 index dde56f92862..00000000000 --- a/.brightsec/tests/post-rest-memories.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/memories', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['file_upload', 'bopla', 'xss', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/memories`, - body: { - caption: "A day at the beach", - UserId: 1 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-products-reviews.test.ts b/.brightsec/tests/post-rest-products-reviews.test.ts deleted file mode 100644 index d705f2b2f95..00000000000 --- a/.brightsec/tests/post-rest-products-reviews.test.ts +++ /dev/null @@ -1,46 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/products/reviews', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'nosql', 'xss', 'bopla'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/products/reviews`, - body: { - id: '60c72b2f9b1e8e001f8e4c8a' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-user-data-export.test.ts b/.brightsec/tests/post-rest-user-data-export.test.ts deleted file mode 100644 index bb3ecd2c837..00000000000 --- a/.brightsec/tests/post-rest-user-data-export.test.ts +++ /dev/null @@ -1,44 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/user/data-export', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'nosql', 'xss', 'ssrf'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/user/data-export`, - body: { "UserId": 1 }, - headers: { 'Authorization': 'Bearer ', 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-user-login.test.ts b/.brightsec/tests/post-rest-user-login.test.ts deleted file mode 100644 index 9a4876d9d84..00000000000 --- a/.brightsec/tests/post-rest-user-login.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/user/login', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'csrf', 'nosql'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/user/login`, - body: { - email: 'user@example.com', - password: 'securePassword123' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-user-reset-password.test.ts b/.brightsec/tests/post-rest-user-reset-password.test.ts deleted file mode 100644 index e69f5367590..00000000000 --- a/.brightsec/tests/post-rest-user-reset-password.test.ts +++ /dev/null @@ -1,49 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/user/reset-password', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'email_injection', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/user/reset-password`, - body: { - email: "user@example.com", - answer: "correct_answer", - new: "new_password", - repeat: "new_password" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-web3-submit-key.test.ts b/.brightsec/tests/post-rest-web3-submit-key.test.ts deleted file mode 100644 index 67aff33cb68..00000000000 --- a/.brightsec/tests/post-rest-web3-submit-key.test.ts +++ /dev/null @@ -1,46 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/web3/submitKey', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'nosql', 'xss', 'bopla', 'business_constraint_bypass'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/web3/submitKey`, - body: { - walletAddress: '0x1234567890abcdef1234567890abcdef12345678' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts b/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts deleted file mode 100644 index 301c630fb70..00000000000 --- a/.brightsec/tests/post-rest-web3-wallet-exploit-address.test.ts +++ /dev/null @@ -1,46 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/web3/walletExploitAddress', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['ssrf', 'xss', 'csrf', 'osi', 'bopla'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/web3/walletExploitAddress`, - body: { - walletAddress: "0x1234567890abcdef1234567890abcdef12345678" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-rest-web3-wallet-nft-verify.test.ts b/.brightsec/tests/post-rest-web3-wallet-nft-verify.test.ts deleted file mode 100644 index eafa72ff6f3..00000000000 --- a/.brightsec/tests/post-rest-web3-wallet-nft-verify.test.ts +++ /dev/null @@ -1,46 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /rest/web3/walletNFTVerify', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'nosql', 'xss', 'osi', 'server_side_js_injection'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/rest/web3/walletNFTVerify`, - body: { - walletAddress: '0x1234567890abcdef1234567890abcdef12345678' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-snippets-fixes.test.ts b/.brightsec/tests/post-snippets-fixes.test.ts deleted file mode 100644 index 3fbb1b1e2df..00000000000 --- a/.brightsec/tests/post-snippets-fixes.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /snippets/fixes', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'sqli', 'csrf'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/snippets/fixes`, - body: { - key: "exampleKey", - selectedFix: 1 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/post-snippets-verdict.test.ts b/.brightsec/tests/post-snippets-verdict.test.ts deleted file mode 100644 index be7b0eae98a..00000000000 --- a/.brightsec/tests/post-snippets-verdict.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('POST /snippets/verdict', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['xss', 'sqli', 'nosql', 'csrf', 'proto_pollution'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.POST, - url: `${baseUrl}/snippets/verdict`, - body: { - selectedLines: [1, 2, 3], - key: "exampleKey" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-addresss-1.test.ts b/.brightsec/tests/put-api-addresss-1.test.ts deleted file mode 100644 index 098096e9d71..00000000000 --- a/.brightsec/tests/put-api-addresss-1.test.ts +++ /dev/null @@ -1,52 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'xss', 'sqli', 'csrf'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Addresss/1`, - body: { - fullName: 'John Doe', - mobileNum: 1234567890, - zipCode: '12345', - streetAddress: '123 Main St', - city: 'Metropolis', - state: 'NY', - country: 'USA' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-basketitems-1.test.ts b/.brightsec/tests/put-api-basketitems-1.test.ts deleted file mode 100644 index e1b235a6fb4..00000000000 --- a/.brightsec/tests/put-api-basketitems-1.test.ts +++ /dev/null @@ -1,48 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/BasketItems/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'business_constraint_bypass', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/BasketItems/1`, - body: { - ProductId: 1, - BasketId: 1, - quantity: 2 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-cards-1.test.ts b/.brightsec/tests/put-api-cards-1.test.ts deleted file mode 100644 index 533c77c906f..00000000000 --- a/.brightsec/tests/put-api-cards-1.test.ts +++ /dev/null @@ -1,50 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/cards/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'date_manipulation', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined, - skipStaticParams: false - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/cards/1`, - body: { - fullName: 'John Doe', - cardNum: 1234567812345678, - expMonth: 12, - expYear: 2099 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-challenges-1.test.ts b/.brightsec/tests/put-api-challenges-1.test.ts deleted file mode 100644 index 11065fa36fe..00000000000 --- a/.brightsec/tests/put-api-challenges-1.test.ts +++ /dev/null @@ -1,51 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/challenges/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'csrf'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Challenges/1`, - body: { - name: 'SQL Injection Challenge', - category: 'Injection', - description: 'Exploit SQL Injection vulnerability', - difficulty: 3, - key: 'sqlInjectionChallenge', - solved: false - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-complaints-1.test.ts b/.brightsec/tests/put-api-complaints-1.test.ts deleted file mode 100644 index ea68a0ddce4..00000000000 --- a/.brightsec/tests/put-api-complaints-1.test.ts +++ /dev/null @@ -1,48 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/Complaints/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'file_upload', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Complaints/1`, - body: { - UserId: 1, - message: "This is a sample complaint message.", - file: "optional-file-path.jpg" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-feedbacks-1.test.ts b/.brightsec/tests/put-api-feedbacks-1.test.ts deleted file mode 100644 index b7d7f1ee7ed..00000000000 --- a/.brightsec/tests/put-api-feedbacks-1.test.ts +++ /dev/null @@ -1,42 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/Feedbacks/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'xss', 'sqli', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Feedbacks/1`, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-hints-1.test.ts b/.brightsec/tests/put-api-hints-1.test.ts deleted file mode 100644 index 8903897ccea..00000000000 --- a/.brightsec/tests/put-api-hints-1.test.ts +++ /dev/null @@ -1,49 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/Hints/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'xss', 'sqli', 'csrf'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Hints/1`, - body: { - ChallengeId: 1, - text: "Sample hint text", - order: 1, - unlocked: true - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-privacy-requests-1.test.ts b/.brightsec/tests/put-api-privacy-requests-1.test.ts deleted file mode 100644 index 8079e5f9306..00000000000 --- a/.brightsec/tests/put-api-privacy-requests-1.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/privacy-requests/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'id_enumeration', 'sqli', 'xss'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/PrivacyRequests/1`, - body: { - UserId: 123, - deletionRequested: true - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-products-1.test.ts b/.brightsec/tests/put-api-products-1.test.ts deleted file mode 100644 index fd58ea31bda..00000000000 --- a/.brightsec/tests/put-api-products-1.test.ts +++ /dev/null @@ -1,50 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/products/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'xss', 'sqli', 'csrf', 'http_method_fuzzing'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Products/1`, - body: { - name: 'New Product Name', - description: 'Updated description for the product.', - price: 19.99, - deluxePrice: 29.99, - image: 'new-image-url.jpg' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-quantitys-1.test.ts b/.brightsec/tests/put-api-quantitys-1.test.ts deleted file mode 100644 index 0e85f461cd2..00000000000 --- a/.brightsec/tests/put-api-quantitys-1.test.ts +++ /dev/null @@ -1,51 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/Quantitys/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['business_constraint_bypass', 'csrf'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Quantitys/1`, - body: { - ProductId: 1, - quantity: 100, - limitPerUser: 5 - }, - headers: { - 'Content-Type': 'application/json', - 'X-Recruiting': '' - }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-recycles-1.test.ts b/.brightsec/tests/put-api-recycles-1.test.ts deleted file mode 100644 index 1b4b1a9240a..00000000000 --- a/.brightsec/tests/put-api-recycles-1.test.ts +++ /dev/null @@ -1,51 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/recycles/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['sqli', 'bopla', 'csrf', 'date_manipulation', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined, - skipStaticParams: true - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Recycles/1`, - body: { - UserId: 1, - AddressId: 1, - quantity: 10, - isPickup: true, - date: "2023-10-10T00:00:00Z" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-security-answers-1.test.ts b/.brightsec/tests/put-api-security-answers-1.test.ts deleted file mode 100644 index f81e1062a7b..00000000000 --- a/.brightsec/tests/put-api-security-answers-1.test.ts +++ /dev/null @@ -1,48 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/security-answers/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'sqli', 'xss', 'csrf'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.PATH], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/SecurityAnswers/1`, - body: { - UserId: 1, - SecurityQuestionId: 2, - answer: "hashed_answer" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-security-questions-1.test.ts b/.brightsec/tests/put-api-security-questions-1.test.ts deleted file mode 100644 index d7acf0f2d41..00000000000 --- a/.brightsec/tests/put-api-security-questions-1.test.ts +++ /dev/null @@ -1,46 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/security-questions/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'xss', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/SecurityQuestions/1`, - body: { - question: "What is your favorite color?" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-api-users-1.test.ts b/.brightsec/tests/put-api-users-1.test.ts deleted file mode 100644 index ba3b179a989..00000000000 --- a/.brightsec/tests/put-api-users-1.test.ts +++ /dev/null @@ -1,49 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /api/users/1', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'jwt', 'xss'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/api/Users/1`, - body: { - username: 'newUsername' - }, - headers: { - 'Content-Type': 'application/json', - Authorization: 'Bearer ' - }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-rest-basket-1-coupon-jan24-10.test.ts b/.brightsec/tests/put-rest-basket-1-coupon-jan24-10.test.ts deleted file mode 100644 index e7cc7a4b4fc..00000000000 --- a/.brightsec/tests/put-rest-basket-1-coupon-jan24-10.test.ts +++ /dev/null @@ -1,43 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/basket/1/coupon/JAN24-10', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'sqli', 'xss', 'csrf', 'business_constraint_bypass'], - attackParamLocations: [AttackParamLocation.PATH, AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/basket/1/coupon/JAN24-10`, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-rest-continue-code-apply-example-code-123.test.ts b/.brightsec/tests/put-rest-continue-code-apply-example-code-123.test.ts deleted file mode 100644 index 54b2eeef99d..00000000000 --- a/.brightsec/tests/put-rest-continue-code-apply-example-code-123.test.ts +++ /dev/null @@ -1,46 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/continue-code/apply/exampleCode123', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'xss', 'sqli', 'nosql', 'osi', 'xxe'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/continue-code/apply/exampleCode123`, - body: { - continueCode: "exampleCode123" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-rest-continue-code-findit-apply-code.test.ts b/.brightsec/tests/put-rest-continue-code-findit-apply-code.test.ts deleted file mode 100644 index 52a29e1266b..00000000000 --- a/.brightsec/tests/put-rest-continue-code-findit-apply-code.test.ts +++ /dev/null @@ -1,46 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/continue-code-findIt/apply/:code', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'csrf', 'http_method_fuzzing', 'id_enumeration', 'nosql', 'xss'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/continue-code-findIt/apply/yXjv6Z5jWJnzD6a3YvmwPRXK7roAyzHDde2Og19yEN84plqxkMBbLVQrDeoY`, - body: { - continueCode: "yXjv6Z5jWJnzD6a3YvmwPRXK7roAyzHDde2Og19yEN84plqxkMBbLVQrDeoY" - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-rest-continue-code-fixit-apply-examplecode123.test.ts b/.brightsec/tests/put-rest-continue-code-fixit-apply-examplecode123.test.ts deleted file mode 100644 index 8d231106f54..00000000000 --- a/.brightsec/tests/put-rest-continue-code-fixit-apply-examplecode123.test.ts +++ /dev/null @@ -1,46 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/continue-code-fixIt/apply/exampleCode123', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['csrf', 'id_enumeration', 'xss', 'osi', 'sqli'], - attackParamLocations: [AttackParamLocation.BODY], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/continue-code-fixIt/apply/exampleCode123`, - body: { - continueCode: 'exampleCode123' - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-rest-order-history-1-delivery-status.test.ts b/.brightsec/tests/put-rest-order-history-1-delivery-status.test.ts deleted file mode 100644 index f39aee67d51..00000000000 --- a/.brightsec/tests/put-rest-order-history-1-delivery-status.test.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/order-history/1/delivery-status', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'id_enumeration', 'nosql', 'csrf', 'xss'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: "tssbox/juice-shop:master", - databases: ["SQLite"], - user_roles: { - roles: ["customer", "deluxe", "accounting", "admin"] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/order-history/1/delivery-status`, - body: { delivered: false }, - headers: { - 'Authorization': 'Bearer ', - 'Content-Type': 'application/json' - }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file diff --git a/.brightsec/tests/put-rest-wallet-balance.test.ts b/.brightsec/tests/put-rest-wallet-balance.test.ts deleted file mode 100644 index 71a9fa164a9..00000000000 --- a/.brightsec/tests/put-rest-wallet-balance.test.ts +++ /dev/null @@ -1,48 +0,0 @@ -import { test, before, after } from 'node:test'; -import { SecRunner } from '@sectester/runner'; -import { AttackParamLocation, HttpMethod } from '@sectester/scan'; - -const timeout = 40 * 60 * 1000; -const baseUrl = process.env.BRIGHT_TARGET_URL!; - -let runner!: SecRunner; - -before(async () => { - runner = new SecRunner({ - hostname: process.env.BRIGHT_HOSTNAME!, - projectId: process.env.BRIGHT_PROJECT_ID! - }); - - await runner.init(); -}); - -after(() => runner.clear()); - -test('PUT /rest/wallet/balance', { signal: AbortSignal.timeout(timeout) }, async () => { - await runner - .createScan({ - tests: ['bopla', 'sqli', 'csrf', 'xss', 'id_enumeration'], - attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER], - starMetadata: { - code_source: 'tssbox/juice-shop:master', - databases: ['SQLite'], - user_roles: { - roles: ['customer', 'deluxe', 'accounting', 'admin'] - } - }, - poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined - }) - .setFailFast(false) - .timeout(timeout) - .run({ - method: HttpMethod.PUT, - url: `${baseUrl}/rest/wallet/balance`, - body: { - UserId: 1, - paymentId: 123, - balance: 100 - }, - headers: { 'Content-Type': 'application/json' }, - auth: process.env.BRIGHT_AUTH_ID - }); -}); \ No newline at end of file From 512d83327c12684018578ac69aaa820cfad69944 Mon Sep 17 00:00:00 2001 From: Viachaslau Date: Tue, 25 Nov 2025 18:41:53 +0400 Subject: [PATCH 6/6] test: optimize security tests to focus on specific vulnerabilities skip-checks:true --- .brightsec/tests/get-api-deliverys-1.test.ts | 4 ++-- .brightsec/tests/get-rest-products-search.test.ts | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.brightsec/tests/get-api-deliverys-1.test.ts b/.brightsec/tests/get-api-deliverys-1.test.ts index d8a82ddb0f0..a1a10842e0e 100644 --- a/.brightsec/tests/get-api-deliverys-1.test.ts +++ b/.brightsec/tests/get-api-deliverys-1.test.ts @@ -21,7 +21,7 @@ after(() => runner.clear()); test('GET /api/deliverys/1', { signal: AbortSignal.timeout(timeout) }, async () => { await runner .createScan({ - tests: ['id_enumeration', 'bopla', 'sqli', 'xss'], + tests: ['id_enumeration'], attackParamLocations: [AttackParamLocation.PATH], starMetadata: { code_source: "tssbox/juice-shop:master", @@ -39,4 +39,4 @@ test('GET /api/deliverys/1', { signal: AbortSignal.timeout(timeout) }, async () url: `${baseUrl}/api/Deliverys/1`, auth: process.env.BRIGHT_AUTH_ID }); -}); \ No newline at end of file +}); diff --git a/.brightsec/tests/get-rest-products-search.test.ts b/.brightsec/tests/get-rest-products-search.test.ts index bd348b47888..fd7c8a29f33 100644 --- a/.brightsec/tests/get-rest-products-search.test.ts +++ b/.brightsec/tests/get-rest-products-search.test.ts @@ -21,7 +21,7 @@ after(() => runner.clear()); test('GET /rest/products/search?q=:query', { signal: AbortSignal.timeout(timeout) }, async () => { await runner .createScan({ - tests: ['sqli', 'full_path_disclosure', 'xss'], + tests: ['sqli'], attackParamLocations: [AttackParamLocation.QUERY], starMetadata: { code_source: "tssbox/juice-shop:master", @@ -39,4 +39,4 @@ test('GET /rest/products/search?q=:query', { signal: AbortSignal.timeout(timeout url: `${baseUrl}/rest/products/search?q=apple`, auth: process.env.BRIGHT_AUTH_ID }); -}); \ No newline at end of file +});