Project Date
Cucumber Audit 15 Sep 2023, 07:09

Failures Overview

The following summary displays scenarios that failed.

Feature: Authentication Page Threats
Tags: @Spoofing
0.232
Scenario Application Impersonation
The server certificate assures that the server is not an impersonated agent trying to deceive the user. An attacker could use this vulnerability to steal sensitive data from the user or make them transfer money.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.004
Steps
When I connect to "http://localhost.:8000/accounts/login" 0.000
Then the connection should be secure 0.232
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting actual:
  sun.net.www.protocol.http.HttpURLConnection:http://localhost.:8000/accounts/login
to be an instance of:
  javax.net.ssl.HttpsURLConnection
but was instance of:
  sun.net.www.protocol.http.HttpURLConnection
	at io.github.multicatch.cucumber.audit.ProtocolInspectionStepDefs._init_$lambda$2(ProtocolInspectionStepDefs.kt:22)
	at ✽.the connection should be secure(classpath:io/github/multicatch/cucumber/audit/Authentication_Page.feature:14)
Feature: Authentication Page Threats
Tags: @Spoofing
1.062
Scenario Session Hijacking Through XSS
During an XSS attack, the session cookie could be stolen if it's accessible through JavaScript. The attacker then could gain access to the user session and use their account to authorize in other applications.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Steps
Given the response headers are under inspection 0.374
And cookies are cleared 0.009
When I go to "http://localhost.:8000/accounts/login" 0.658
Then the "Set-Cookie" response header should contain "HttpOnly" 0.018
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting any elements of:
  []
to match given predicate but none did.
	at java.base/java.util.Optional.orElseThrow(Optional.java:403)
	at io.github.multicatch.cucumber.audit.ResponseInspectionStepDefs._init_$lambda$6(ResponseInspectionStepDefs.kt:35)
	at ✽.the "Set-Cookie" response header should contain "HttpOnly"(classpath:io/github/multicatch/cucumber/audit/Authentication_Page.feature:24)
Feature: Authentication Page Threats
Tags: @Tampering
0.001
Scenario User Deception with Modified Responses
If the communication is unencrypted, there is a risk that an attacker could use a Man-in-The-Middle attack to modify responses. They may use a modified page to make user think they authorize a different application.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Steps
When I connect to "http://localhost.:8000/accounts/login" 0.000
Then the connection should be secure 0.000
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting actual:
  sun.net.www.protocol.http.HttpURLConnection:http://localhost.:8000/accounts/login
to be an instance of:
  javax.net.ssl.HttpsURLConnection
but was instance of:
  sun.net.www.protocol.http.HttpURLConnection
	at io.github.multicatch.cucumber.audit.ProtocolInspectionStepDefs._init_$lambda$2(ProtocolInspectionStepDefs.kt:22)
	at ✽.the connection should be secure(classpath:io/github/multicatch/cucumber/audit/Authentication_Page.feature:79)
Feature: Authentication Request Threats
Tags: @InformationDisclosure
0.000
Scenario Confidential Data Eavesdropping
HTTP communication is unencrypted and thus prone to eavesdropping via Man-in-The-Middle Attacks. HTTPS is recommended for safe exchange of confidential information such as passwords or tokens.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Steps
When I connect to "http://localhost.:8000/accounts/login" 0.000
Then the connection should be secure 0.000
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting actual:
  sun.net.www.protocol.http.HttpURLConnection:http://localhost.:8000/accounts/login
to be an instance of:
  javax.net.ssl.HttpsURLConnection
but was instance of:
  sun.net.www.protocol.http.HttpURLConnection
	at io.github.multicatch.cucumber.audit.ProtocolInspectionStepDefs._init_$lambda$2(ProtocolInspectionStepDefs.kt:22)
	at ✽.the connection should be secure(classpath:io/github/multicatch/cucumber/audit/Authentication_Request.feature:14)
Feature: Authentication Request Threats
Tags: @ElevationOfPrivilege
0.952
Scenario Hostile Linking
An authorization granted to the application should not be a stateless mechanism. An attacker can prepare a link that automatically authorizes the application without any user action. The authorization should only be valid when done by the user.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Steps
Given I go to "http://localhost.:8000/consumer" 0.181
And I click on "a.btn-primary" 0.286
And I enter "demo" into a field selected by "#id_username" 0.072
And I enter "easypassword" into a field selected by "#id_password" 0.026
And I click on "input[type=submit]" 0.281
And the response headers are under inspection 0.000
When I use a "POST" HTTP method 0.000
And I add a "Content-Type" header with value "application/x-www-form-urlencoded" 0.000
And the request body is "csrfmiddlewaretoken=wrong_csrf&redirect_uri=http%3A%2F%2Fhttpbin.org%2F&scope=read+write&client_id=Qv6vn7hxGGNyGuLxOU7DHtvPAykevYe1fKwy0eEP&state=4564382&response_type=code&code_challenge=&code_challenge_method=&allow=Authorize" 0.000
And I make a request to "http://localhost.:8000/oauth2/authorize/?response_type=code&state=4564382&client_id=Qv6vn7hxGGNyGuLxOU7DHtvPAykevYe1fKwy0eEP" 0.100
Then the response code should be 403 0.002
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting ArrayList:
  []
to contain:
  [403]
but could not find the following element(s):
  [403]

	at io.github.multicatch.cucumber.audit.ResponseInspectionStepDefs._init_$lambda$37(ResponseInspectionStepDefs.kt:134)
	at ✽.the response code should be 403(classpath:io/github/multicatch/cucumber/audit/Authentication_Request.feature:32)