Project Date
Cucumber Audit 15 Sep 2023, 07:24

Tag Report

Steps Scenarios Features
Tag Passed Failed Skipped Pending Undefined Total Passed Failed Total Duration Status
@Spoofing 4 2 0 0 0 6 0 2 2 1.194 Failed
Feature: Authentication Page Threats
Tags: @Spoofing
0.210
Scenario Application Impersonation
The server certificate assures that the server is not an impersonated agent trying to deceive the user. An attacker could use this vulnerability to steal sensitive data from the user or make them transfer money.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.002
Steps
When I connect to "http://localhost.:8000/accounts/login" 0.000
Then the connection should be secure 0.210
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting actual:
  sun.net.www.protocol.http.HttpURLConnection:http://localhost.:8000/accounts/login
to be an instance of:
  javax.net.ssl.HttpsURLConnection
but was instance of:
  sun.net.www.protocol.http.HttpURLConnection
	at io.github.multicatch.cucumber.audit.ProtocolInspectionStepDefs._init_$lambda$2(ProtocolInspectionStepDefs.kt:22)
	at ✽.the connection should be secure(classpath:io/github/multicatch/cucumber/audit/Authentication_Page.feature:14)
Feature: Authentication Page Threats
Tags: @Spoofing
0.984
Scenario Session Hijacking Through XSS
During an XSS attack, the session cookie could be stolen if it's accessible through JavaScript. The attacker then could gain access to the user session and use their account to authorize in other applications.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Steps
Given the response headers are under inspection 0.406
And cookies are cleared 0.010
When I go to "http://localhost.:8000/accounts/login" 0.524
Then the "Set-Cookie" response header should contain "HttpOnly" 0.044
java.lang.AssertionError: 
java.lang.AssertionError: 
Expecting any elements of:
  []
to match given predicate but none did.
	at java.base/java.util.Optional.orElseThrow(Optional.java:403)
	at io.github.multicatch.cucumber.audit.ResponseInspectionStepDefs._init_$lambda$6(ResponseInspectionStepDefs.kt:35)
	at ✽.the "Set-Cookie" response header should contain "HttpOnly"(classpath:io/github/multicatch/cucumber/audit/Authentication_Page.feature:24)