@contrast/test-bench-utils
Shared code to use in Contrast's web framework test apps.
Last updated 2 days ago by pmcclory .
$ cnpm install @contrast/test-bench-utils 

@contrast/test-bench-utils

Shared code for use in Contrast's Node.js test apps.

Adding a shared sink

Under lib/routes.js, add an entry keyed by rule name with the following form:

  [ruleName: string]: {
    base: string,                    // '/cmdInjection'
    name: string,                    // 'Command Injection'
    link: string,                    // 'https://www.owasp.org/index.php/Command_Injection'
    products: string[],              // ['Assess', 'Protect']
    inputs: string[],                // ['query']
    sinks: Object<string, Function>, // sinks.commandInjection (the module exported from lib/sinks/)
  }

Then create a file under lib/sinks/ that exports functions with a consistent signature:

  /**
   * @param {string} input user input string
   * @param {Object} opts
   * @param {boolean=} opts.safe are we calling the sink safely?
   * @param {boolean=} opts.noop are we calling the sink as a noop?
   */
  module.exports['sinkName'] = async function sink(input, { safe = false, noop = false } = {}) {};

Each framework's endpoint handler calls the sink function. By default the /unsafe endpoint calls it with the raw user input, the /safe endpoint calls it with the safe option set to true, and the /noop endpoint calls it with the noop option set to true.

Front-end content

If there is any custom data you want to provide to the test bench front end, you can export it from lib/content/. For example, we export the following XML string as a potential attack for the xxe rule:

lib/content/xxe.js

module.exports.attackXml = `
<!DOCTYPE read-fs [<!ELEMENT read-fs ANY >
<!ENTITY passwd SYSTEM "file:///etc/passwd" >]>
<users>
  <user>
    <read-fs>&passwd;</read-fs>
    <name>C.K Frode</name>
  </user>
</users>`;

This string is then used by the xxe.ejs view in @contrast/test-bench-utils to render an input prepopulated with the attack value.

Adding a shared view

Once you have configured a sink you're ready to add a shared view. Shared view templates are rendered with the following locals provided:

  • name: the name of the vulnerability being tested
  • link: a link to OWASP or another reference describing the vulnerability
  • sinkData: an array of objects describing the sinks exercising a rule, containing (at least) the following keys:
    • method: the HTTP method being used to submit the attack
    • name: the name of the particular sink being exercised
    • url: the api endpoint url to hit
  • _csrf: for Kraken apps, we provide the CSRF token to be included as a hidden field within a form

An endpoint may also be configured to provide additional locals to the template to render additional context for a rule. For example, we provide an XML string to the xxe endpoint as a potential attack value.
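The following is an added example, not code from @contrast/test-bench-utils, showing how the locals listed above can be derived from a lib/routes.js entry: one sinkData row per sink, the _csrf local only when a token is supplied (the Kraken case), and extra locals such as an attack string merged in. The URL layout base/sink/unsafe and the mapping from input kind to HTTP method are this example's assumptions; the xxe route definition and its sink entries are constructed for illustration.

```javascript
// Added example, not the package's own code. The URL layout, the
// input-to-method mapping and the constructed route are assumptions.

// Assumed mapping from where the attack is submitted to the HTTP method used.
const METHOD_FOR_INPUT = { query: 'GET', params: 'GET', body: 'POST' };

/**
 * Build the locals handed to a shared view template for one rule.
 * @param {Object} route a lib/routes.js entry (base, name, link, inputs, sinks)
 * @param {Object} opts
 * @param {string=} opts.csrfToken CSRF token; present only for Kraken apps
 * @param {Object=} opts.extra endpoint-specific locals, e.g. { attackXml }
 */
function buildViewLocals(route, { csrfToken = null, extra = {} } = {}) {
  const sinkData = [];
  for (const sinkName of Object.keys(route.sinks)) {
    for (const input of route.inputs) {
      const method = METHOD_FOR_INPUT[input];
      if (!method) throw new Error(`no HTTP method mapped for input kind "${input}"`);
      // Assumed layout: the /unsafe endpoint of the sink under the rule's base path.
      sinkData.push({ method, name: sinkName, url: `${route.base}/${sinkName}/unsafe` });
    }
  }
  const locals = { name: route.name, link: route.link, sinkData, ...extra };
  if (csrfToken !== null) locals._csrf = csrfToken; // Kraken apps only
  return locals;
}

// Constructed route entry in the documented form. Only the sink names matter
// to the view, so the sink functions here just echo their input back.
const xxeRoute = {
  base: '/xxe',
  name: 'XML External Entity (XXE)',
  link: 'https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing',
  products: ['Assess'],
  inputs: ['body'],
  sinks: {
    libxmljs: async (input) => input,
    xmldom: async (input) => input,
  },
};

module.exports = { buildViewLocals, xxeRoute };
```

A template can then iterate over sinkData to render one form per sink and, when _csrf is present, emit the hidden field; attack content exported from lib/content/ arrives through the extra locals so the view stays framework-agnostic.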

Test Bench Applications

Once you have configured the shared sink and view, consult the following instructions for including the shared functionality in each test bench app:

Current Tags

  • 2.2.0-beta.0 (beta, 7 months ago)
  • 3.4.0 (latest, 2 days ago)

33 Versions

  • 3.4.0 (2 days ago)
  • 3.3.1 (2 months ago)
  • 3.2.2-tweaks.2 (2 months ago)
  • 3.2.2-tweaks.1 (2 months ago)
  • 3.2.2-tweaks.0 (2 months ago)
  • 3.2.2 (2 months ago)
  • 3.2.1 (2 months ago)
  • 3.2.0 (2 months ago)
  • 3.1.0 (2 months ago)
  • 3.0.0 (3 months ago)
  • 2.14.0 (3 months ago)
  • 2.13.0 (3 months ago)
  • 2.12.0 (3 months ago)
  • 2.10.1 (4 months ago)
  • 2.10.0 (4 months ago)
  • 2.9.0 (4 months ago)
  • 2.8.0 (4 months ago)
  • 2.7.0 (4 months ago)
  • 2.5.0 (4 months ago)
  • 2.4.0 (6 months ago)
  • 2.3.0 (7 months ago)
  • 2.2.2 (7 months ago)
  • 2.2.1 (7 months ago)
  • 2.2.0 (7 months ago)
  • 2.2.0-beta.0 (7 months ago)
  • 2.1.0 (8 months ago)
  • 2.0.0 (9 months ago)
  • 1.1.4-0 (9 months ago)
  • 1.1.3-0 (10 months ago)
  • 1.1.2-0 (10 months ago)
  • 1.1.1-0 (10 months ago)
  • 1.1.0 (10 months ago)
  • 1.0.0 (a year ago)