Project Date
Cucumber Audit 15 Sep 2023, 07:24

Failures Overview

The following summary displays scenarios that failed.

Feature: Authentication Page Threats
Tags: @Spoofing
0.210
Scenario Application Impersonation
The server certificate assures that the server is not an impersonated agent trying to deceive the user. An attacker could use this vulnerability to steal sensitive data from the user or make them transfer money.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.002
Steps
When I connect to "http://localhost.:8000/accounts/login" 0.000
Then the connection should be secure 0.210
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting actual:
  sun.net.www.protocol.http.HttpURLConnection:http://localhost.:8000/accounts/login
to be an instance of:
  javax.net.ssl.HttpsURLConnection
but was instance of:
  sun.net.www.protocol.http.HttpURLConnection
	at io.github.multicatch.cucumber.audit.ProtocolInspectionStepDefs._init_$lambda$2(ProtocolInspectionStepDefs.kt:22)
	at ✽.the connection should be secure(classpath:io/github/multicatch/cucumber/audit/Authentication_Page.feature:14)
Feature: Authentication Page Threats
Tags: @Spoofing
0.984
Scenario Session Hijacking Through XSS
During an XSS attack, the session cookie could be stolen if it's accessible through JavaScript. The attacker then could gain access to the user session and use their account to authorize in other applications.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Steps
Given the response headers are under inspection 0.406
And cookies are cleared 0.010
When I go to "http://localhost.:8000/accounts/login" 0.524
Then the "Set-Cookie" response header should contain "HttpOnly" 0.044
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting any elements of:
  []
to match given predicate but none did.
	at java.base/java.util.Optional.orElseThrow(Optional.java:403)
	at io.github.multicatch.cucumber.audit.ResponseInspectionStepDefs._init_$lambda$6(ResponseInspectionStepDefs.kt:35)
	at ✽.the "Set-Cookie" response header should contain "HttpOnly"(classpath:io/github/multicatch/cucumber/audit/Authentication_Page.feature:24)
Feature: Authentication Page Threats
Tags: @Tampering
0.000
Scenario User Deception with Modified Responses
If the communication is unencrypted, there is a risk that an attacker could use a Man-in-The-Middle attack to modify responses. They may use a modified page to make user think they authorize a different application.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Steps
When I connect to "http://localhost.:8000/accounts/login" 0.000
Then the connection should be secure 0.000
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting actual:
  sun.net.www.protocol.http.HttpURLConnection:http://localhost.:8000/accounts/login
to be an instance of:
  javax.net.ssl.HttpsURLConnection
but was instance of:
  sun.net.www.protocol.http.HttpURLConnection
	at io.github.multicatch.cucumber.audit.ProtocolInspectionStepDefs._init_$lambda$2(ProtocolInspectionStepDefs.kt:22)
	at ✽.the connection should be secure(classpath:io/github/multicatch/cucumber/audit/Authentication_Page.feature:79)
Feature: Authentication Request Threats
Tags: @InformationDisclosure
0.000
Scenario Confidential Data Eavesdropping
HTTP communication is unencrypted and thus prone to eavesdropping via Man-in-The-Middle Attacks. HTTPS is recommended for safe exchange of confidential information such as passwords or tokens.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Steps
When I connect to "http://localhost.:8000/accounts/login" 0.000
Then the connection should be secure 0.000
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting actual:
  sun.net.www.protocol.http.HttpURLConnection:http://localhost.:8000/accounts/login
to be an instance of:
  javax.net.ssl.HttpsURLConnection
but was instance of:
  sun.net.www.protocol.http.HttpURLConnection
	at io.github.multicatch.cucumber.audit.ProtocolInspectionStepDefs._init_$lambda$2(ProtocolInspectionStepDefs.kt:22)
	at ✽.the connection should be secure(classpath:io/github/multicatch/cucumber/audit/Authentication_Request.feature:14)
Feature: Authentication Request Threats
Tags: @ElevationOfPrivilege
0.912
Scenario Hostile Linking
An authorization granted to the application should not be a stateless mechanism. An attacker can prepare a link that automatically authorizes the application without any user action. The authorization should only be valid when done by the user.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Steps
Given I go to "http://localhost.:8000/consumer" 0.168
And I click on "a.btn-primary" 0.239
And I enter "demo" into a field selected by "#id_username" 0.091
And I enter "easypassword" into a field selected by "#id_password" 0.023
And I click on "input[type=submit]" 0.254
And the response headers are under inspection 0.000
When I use a "POST" HTTP method 0.000
And I add a "Content-Type" header with value "application/x-www-form-urlencoded" 0.000
And the request body is "csrfmiddlewaretoken=wrong_csrf&redirect_uri=http%3A%2F%2Fhttpbin.org%2F&scope=read+write&client_id=Qv6vn7hxGGNyGuLxOU7DHtvPAykevYe1fKwy0eEP&state=4564382&response_type=code&code_challenge=&code_challenge_method=&allow=Authorize" 0.000
And I make a request to "http://localhost.:8000/oauth2/authorize/?response_type=code&state=4564382&client_id=Qv6vn7hxGGNyGuLxOU7DHtvPAykevYe1fKwy0eEP" 0.129
Then the response code should be 403 0.004
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting ArrayList:
  []
to contain:
  [403]
but could not find the following element(s):
  [403]

	at io.github.multicatch.cucumber.audit.ResponseInspectionStepDefs._init_$lambda$37(ResponseInspectionStepDefs.kt:134)
	at ✽.the response code should be 403(classpath:io/github/multicatch/cucumber/audit/Authentication_Request.feature:32)