Testing the Server Endpoints
This document describes the testing of the Server Endpoints
We performed penetration testing of the server-side application using sqlmap. This required collecting the list of endpoints, configuring sqlmap, and running the attacks against a test deployment.
The requests made to the server side might contain user-defined input in three places:
- In the URI as a path variable. An example is the `GET /caff/{id}` URI, which returns the data of the CAFF with the user-supplied id.
- In the URI as query parameters. GET requests might have query parameters, mainly to configure search criteria or pagination. An example is the `GET /caff?pageSize=100&offset=0` query that lists all CAFFs paginated.
- In the body of the request. The API receives information in POST and PUT requests with `multipart/form-data` encoding. An example is the `POST /caff` endpoint that creates a CAFF.
Unfortunately, sqlmap does not support `multipart/form-data` requests out of the box. However, it can process request files, which may contain arbitrary raw HTTP requests. Combining this feature with its support for custom injection markers, we generated a request file for each endpoint that marks the possible injection points for the tool.
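The following script is an added example (not code from the Grotesque Gecko project) of how such a request file can be generated for a multipart endpoint: it builds the raw request and appends sqlmap's `*` custom injection marker to the form fields that should be tested. The host, bearer token and field names are placeholders to be replaced per testing environment.

```python
"""Build a sqlmap request file (-r) for a multipart/form-data endpoint.

Added example, not code from the Grotesque Gecko project. sqlmap reads a raw
HTTP request from a file and treats a trailing '*' as a custom injection
marker. Host, token and field names below are placeholders."""
from typing import Dict, Iterable

CRLF = "\r\n"

def build_multipart_body(boundary: str, fields: Dict[str, str],
                         inject: Iterable[str]) -> str:
    """Encode text form fields as multipart/form-data; fields named in
    `inject` get a trailing '*' so sqlmap tests them as injection points."""
    marked = set(inject)
    parts = []
    for name, value in fields.items():
        marker = "*" if name in marked else ""
        parts.append(
            f"--{boundary}{CRLF}"
            f'Content-Disposition: form-data; name="{name}"{CRLF}{CRLF}'
            f"{value}{marker}{CRLF}"
        )
    return "".join(parts) + f"--{boundary}--{CRLF}"

def build_request_file(method: str, path: str, host: str, token: str,
                       fields: Dict[str, str], inject: Iterable[str],
                       boundary: str = "sqlmapBoundary") -> str:
    """Return the raw HTTP request text that `sqlmap -r <file>` expects."""
    body = build_multipart_body(boundary, fields, inject)
    headers = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host}",
        f"Authorization: Bearer {token}",  # replace per test environment
        f"Content-Type: multipart/form-data; boundary={boundary}",
        f"Content-Length: {len(body.encode())}",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body

if __name__ == "__main__":
    # Constructed sample for POST /caff: the token is a placeholder and the
    # binary file part is omitted, only the text metadata fields are marked.
    req = build_request_file(
        "POST", "/caff", "localhost:8080", "<BEARER_TOKEN>",
        {"name": "sample", "tag": "test"}, inject=["name", "tag"])
    with open("caff_create.txt", "w", newline="") as fh:  # keep CRLF intact
        fh.write(req)
    # then run: sqlmap -r caff_create.txt
```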
The results of the penetration testing can be seen in the table below. Please note that these request files contain bearer tokens and ids that need to be replaced in a new testing environment!
Endpoint | Request file | Vulnerable to SQL injection |
---|---|---|
POST /auth/login | file | NO |
POST /auth/register | file | NO |
POST /auth/passwordReset | file | NO |
GET /user | file | NO |
POST /user | file | NO |
GET /user/{id} | file | NO |
PUT /user/{id} | file | NO |
DELETE /user/{id} | file | NO |
GET /caff | file | NO |
GET /caff/{id} | file | NO |
GET /caff/{id}/download | file | NO |
GET /caff/{id}/preview | file | NO |
PUT /caff/{id} | file | NO |
DELETE /caff/{id} | file | NO |
GET /caff/{id}/comment | file | NO |
POST /caff/{id}/comment | file | NO |
GET /caff/{id}/comment/{id} | file | NO |
PUT /caff/{id}/comment/{id} | file | NO |
DELETE /caff/{id}/comment/{id} | file | NO |
As can be seen, sqlmap did not find any endpoint susceptible to SQL injection.
As described in the testing plan, the server's adherence to the functional requirements and security requirements should be tested with end-to-end tests. The testing was carried out manually using Postman.
Our end-to-end tests were defined following the traceability between the above-linked requirements and the various functions of the server component. Performing end-to-end tests can be time-consuming, so in some cases we grouped similar requirements and tested them as a single end-to-end test.
The tested requirements (`Requirement ID(s)`), pre-conditions of the given test case (`GIVEN`), performed actions (`WHEN`), pass criteria (`THEN`) and final test results (`Test result`) are listed in the following tables.
Requirement ID(s) | GIVEN | WHEN | THEN | Test result |
---|---|---|---|---|
FU1, FU1.1 | A globally unique username, a valid email and a valid password | AuthController.register | Returned status code is OK, and the newly created user is able to log in | Passed |
FU2, FU2.1 | A valid email or username and the matching password | AuthController.login | Returned status code is OK, and the returned entity is valid | Passed |
FU2.2 | A user | AuthController.passwordReset | Returned status code is OK, and login is only possible with the new password | Passed |
FU3, FU3.1, FU3.2, FU3.3 | A user | UserController.editOne | Returned status code is OK, and the profile (username, email or password) is modified | Passed |
FU4 | An admin and two users | UserController.getAll | Returned status code is OK, and the returned entity contains all the users | Passed |
FU4.1 | An admin and a user | UserController.getMe, UserController.getOne | Returned status code is OK, and the returned entity contains the requested user data | Passed |
FU5, FU5.1 | An admin and a user | UserController.editOne | Returned status code is OK, and the username is modified | Passed |
FU5.2 | An admin and a user | AuthController.passwordReset | Returned status code is OK, and login for the user is only possible with the new password | Passed |
FU5.3 | An admin and a user | UserController.deleteOne | Returned status code is OK, and the deleted user cannot be found | Passed |
FCa1 | An admin, a user and two CAFFs | CAFFController.getAll | Returned status code is OK, and the returned entity contains the list of CAFFs | Passed |
FCa1.1, FCa1.1.1, FCa1.1.2 | An admin, a user and two different CAFFs | CAFFController.getAll | Returned status code is OK, and the returned entity only contains the searched CAFF | Passed |
FCa2 | An admin, a user and a CAFF | CAFFController.getOne | Returned status code is OK, and the returned entity contains the CAFF | Passed |
FCa2.1 | An admin, a user and a CAFF | CAFFController.preview | Returned status code is OK, and the returned entity contains the preview of the CAFF | Passed |
FCa3 | An admin, a user and a CAFF | CAFFController.createOne | Returned status code is OK, and the CAFF can only be found after upload | Passed |
FCa3.1, FCa3.1.1, FCa3.1.2 | A user with an uploaded CAFF | CAFFController.editOne | Returned status code is OK, and the CAFF's metadata (name or tag) is modified | Passed |
FCa3.1.3 | A user with an uploaded CAFF | CAFFController.deleteOne | Returned status code is OK, and the CAFF cannot be found | Passed |
FCa3.1.4 | Two users and a CAFF | CAFFController.editOne | Returned status code is OK, and the CAFF's metadata (name or tag) is not modified | Passed |
FCa3.2, FCa3.2.1, FCa3.2.2 | An admin and a CAFF | CAFFController.editOne | Returned status code is OK, and the user's CAFF metadata (name or tag) is modified | Passed |
FCa3.2.3 | An admin, a user and a CAFF | CAFFController.deleteOne | Returned status code is OK, and the user's CAFF cannot be found | Passed |
FCa4 | An admin, a user and a CAFF | CAFFController.download | Returned status code is OK, and the returned entity contains the CAFF | Passed |
FCo1 | A user and a CAFF | CAFFController.createOneComment | Returned status code is OK, and the newly created comment can be found | Passed |
FCo1.1 | A user, a CAFF and a comment from the user | CAFFController.editOneComment | Returned status code is OK, and the comment is changed | Passed |
FCo1.2 | A user, a CAFF and a comment from the user | CAFFController.deleteOneComment | Returned status code is OK, and the comment cannot be found | Passed |
FCo1.3 | Two users, a CAFF and a comment from one of the users | CAFFController.editOneComment | Returned status code is OK, and the comment is not changed | Passed |
FCo1.4 | Two users, a CAFF and a comment from one of the users | CAFFController.deleteOneComment | Returned status code is OK, and the comment can still be found | Passed |
FCo2 | An admin and a CAFF | CAFFController.createOneComment | Returned status code is OK, and the comment can be found | Passed |
FCo2.1 | An admin, a user and a CAFF with a comment from the user | CAFFController.editOneComment | Returned status code is OK, and the comment is changed | Passed |
FCo2.2 | An admin, a user and a CAFF with a comment from the user | CAFFController.deleteOneComment | Returned status code is OK, and the comment cannot be found | Passed |
Requirement ID(s) | GIVEN | WHEN | THEN | Test result |
---|---|---|---|---|
SCo1 | Two users | UserController.getOne | Returned status code is OK only if the user checks their own personal data (username and email) | Passed |
SCo1.1 | An admin and a user | UserController.getOne | Returned status code is OK, and the personal data (username and email) is returned | Passed |
SCo2 | An admin and a user | /actuator/httptrace | Returned status code is OK, and the log is returned only when the requester is an admin | Passed |
SCo3 | An admin and a user | UserController.getOne | Returned status code is OK, and the password is not revealed for anyone | Passed |
SI1, SI1.2 | Two users and a CAFF | CAFFController.editOne | Returned status code is OK, and the CAFF's metadata (name or tag) is not modified | Passed |
SI1.1, SI1.2 | An admin, a user and a CAFF | CAFFController.editOne | Returned status code is OK, and the user's CAFF metadata (name or tag) is modified | Passed |
SI2, SI2.2 | Two users, a CAFF and a comment from one of the users | CAFFController.editOneComment | Returned status code is OK, and the comment is not changed | Passed |
SI2.1, SI2.2 | An admin, a user, a CAFF and a comment from the user | CAFFController.editOneComment | Returned status code is OK, and the comment is changed | Passed |
SI3, SI3.2 | Two users, a CAFF and a comment from one of the users | CAFFController.deleteOneComment | Returned status code is OK, and the comment can still be found | Passed |
SI3.1, SI3.2 | An admin, a user and a CAFF with a comment from the user | CAFFController.deleteOneComment | Returned status code is OK, and the comment cannot be found | Passed |
SI4 | Two users | UserController.editOne | Returned status code is OK, and the other user's data is not changed | Passed |
SI4.1, SI4.2, SI4.3 | An admin and a user | UserController.editOne | Returned status code is OK, and only the username could be changed | Passed |
SI5 | An admin and two users | UserController.deleteOne | Returned status code is OK, and only the administrator could delete a user | Passed |
SI6* | - | - | - | - |
SAv1 | A user | e.g. AuthController.login | Returned status code is OK (however testing robustness is not the goal of E2E tests) | Passed |
SAv2* | - | - | - | - |
SAe1, SAe1.1 | A non-registered entity, an admin and a user | AuthController.login and e.g. UserController.getMe | Returned status code is OK | Passed |
SAe2 | A globally unique username, a valid email and a valid password | AuthController.register | Returned status code is OK, and the newly created user is able to log in | Passed |
SAe3 | An admin, a globally unique username, a valid email and a valid password | AuthController.register | Returned status code is OK, and the newly created user is able to log in | Passed |
SAe4 | An admin and a user | AuthController.register | Returned status code is OK, and only the admin registered by the admin is created | Passed |
SAo1, SAo1.1 | A user | Every endpoint | Returned status code is OK if the user performs a valid action | Passed |
SAo2, SAo2.1 | An admin | Every endpoint | Returned status code is OK if the admin performs a valid action | Passed |
SAu1, SAu2 | An admin and a user | Every endpoint | The performed activities by both the users and admins can be seen in the log files | Passed |
*Some of the requirements cannot be tested purely by end-to-end tests:
- SI6: log files cannot be modified through the defined endpoints.
- SAv2: satisfied by having physical access to the server.
In conclusion, all the requirements defined during the design phase are covered. As performing the end-to-end tests described above did not reveal any shortcomings of the server, we concluded (assuming the tests are correct) that the server satisfies all of our functional and security requirements.
© Grotesque Gecko, 2020