Project Date
Cucumber Audit 15 Sep 2023, 07:09

Tag Report

Steps Scenarios Features
Tag Passed Failed Skipped Pending Undefined Total Passed Failed Total Duration Status
@Spoofing 4 2 0 0 0 6 0 2 2 1.294 Failed
Feature: Authentication Page Threats
Tags: @Spoofing
0.232
Scenario Application Impersonation
The server certificate assures that the server is not an impersonated agent trying to deceive the user. An attacker could use this vulnerability to steal sensitive data from the user or make them transfer money.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.004
Steps
When I connect to "http://localhost.:8000/accounts/login" 0.000
Then the connection should be secure 0.232
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting actual:
  sun.net.www.protocol.http.HttpURLConnection:http://localhost.:8000/accounts/login
to be an instance of:
  javax.net.ssl.HttpsURLConnection
but was instance of:
  sun.net.www.protocol.http.HttpURLConnection
	at io.github.multicatch.cucumber.audit.ProtocolInspectionStepDefs._init_$lambda$2(ProtocolInspectionStepDefs.kt:22)
	at ✽.the connection should be secure(classpath:io/github/multicatch/cucumber/audit/Authentication_Page.feature:14)
Feature: Authentication Page Threats
Tags: @Spoofing
1.062
Scenario Session Hijacking Through XSS
During an XSS attack, the session cookie could be stolen if it's accessible through JavaScript. The attacker then could gain access to the user session and use their account to authorize in other applications.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Steps
Given the response headers are under inspection 0.374
And cookies are cleared 0.009
When I go to "http://localhost.:8000/accounts/login" 0.658
Then the "Set-Cookie" response header should contain "HttpOnly" 0.018
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting any elements of:
  []
to match given predicate but none did.
	at java.base/java.util.Optional.orElseThrow(Optional.java:403)
	at io.github.multicatch.cucumber.audit.ResponseInspectionStepDefs._init_$lambda$6(ResponseInspectionStepDefs.kt:35)
	at ✽.the "Set-Cookie" response header should contain "HttpOnly"(classpath:io/github/multicatch/cucumber/audit/Authentication_Page.feature:24)