Project: Cucumber Audit
Date: 15 Sep 2023, 07:24

Feature Report

Feature: Authentication Request Threats
  Steps:     Passed 17, Failed 2, Skipped 0, Pending 0, Undefined 0, Total 19
  Scenarios: Passed 0, Failed 2, Total 2
  Features:  Duration 0.951, Status Failed
Feature Authentication Request Threats
Duration 0.010
Given only whitelisted traffic is allowed 0.000
And traffic matching "https?://localhost.:8000.*" is allowed 0.000
And app running on "http://localhost.:8000/consumer/" has already started 0.010
Duration 0.000
Scenario Confidential Data Eavesdropping
HTTP communication is unencrypted and thus prone to eavesdropping via man-in-the-middle attacks. HTTPS is recommended for the safe exchange of confidential information such as passwords or tokens.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Steps
When I connect to "http://localhost.:8000/accounts/login" 0.000
Then the connection should be secure 0.000
java.lang.AssertionError: 
Expecting actual:
  sun.net.www.protocol.http.HttpURLConnection:http://localhost.:8000/accounts/login
to be an instance of:
  javax.net.ssl.HttpsURLConnection
but was instance of:
  sun.net.www.protocol.http.HttpURLConnection
	at io.github.multicatch.cucumber.audit.ProtocolInspectionStepDefs._init_$lambda$2(ProtocolInspectionStepDefs.kt:22)
	at ✽.the connection should be secure(classpath:io/github/multicatch/cucumber/audit/Authentication_Request.feature:14)
Duration 0.028
Given only whitelisted traffic is allowed 0.000
And traffic matching "https?://localhost.:8000.*" is allowed 0.000
And app running on "http://localhost.:8000/consumer/" has already started 0.027
Duration 0.912
Scenario Hostile Linking
An authorization granted to the application should not be a stateless mechanism. An attacker can prepare a link that automatically authorizes the application without any user action. The authorization should only be valid when done by the user.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Steps
Given I go to "http://localhost.:8000/consumer" 0.168
And I click on "a.btn-primary" 0.239
And I enter "demo" into a field selected by "#id_username" 0.091
And I enter "easypassword" into a field selected by "#id_password" 0.023
And I click on "input[type=submit]" 0.254
And the response headers are under inspection 0.000
When I use a "POST" HTTP method 0.000
And I add a "Content-Type" header with value "application/x-www-form-urlencoded" 0.000
And the request body is "csrfmiddlewaretoken=wrong_csrf&redirect_uri=http%3A%2F%2Fhttpbin.org%2F&scope=read+write&client_id=Qv6vn7hxGGNyGuLxOU7DHtvPAykevYe1fKwy0eEP&state=4564382&response_type=code&code_challenge=&code_challenge_method=&allow=Authorize" 0.000
And I make a request to "http://localhost.:8000/oauth2/authorize/?response_type=code&state=4564382&client_id=Qv6vn7hxGGNyGuLxOU7DHtvPAykevYe1fKwy0eEP" 0.129
Then the response code should be 403 0.004
java.lang.AssertionError: 
Expecting ArrayList:
  []
to contain:
  [403]
but could not find the following element(s):
  [403]

	at io.github.multicatch.cucumber.audit.ResponseInspectionStepDefs._init_$lambda$37(ResponseInspectionStepDefs.kt:134)
	at ✽.the response code should be 403(classpath:io/github/multicatch/cucumber/audit/Authentication_Request.feature:32)