Security: adityadwic/fullstack-API-automation

docs/SECURITY.md

Security Testing Guide

This guide covers OWASP-based security testing for APIs.

Overview

The framework includes security tests organised by the OWASP Top 10 (2021) categories, A01 to A10, applied to the API's endpoints. Note that this is the web application list; the separate OWASP API Security Top 10 uses its own API1 to API10 numbering, so the headings below should not be read as that list.

Running Security Tests

```bash
# Run all security tests
npm run test:security

# Or directly with Jest
jest --testPathPattern=security
```

OWASP Top 10 Coverage

A01:2021 - Broken Access Control

Tests for:

  • Unauthorized access attempts
  • IDOR (Insecure Direct Object Reference)
  • Privilege escalation
```javascript
it('should not allow unauthorized access', async () => {
  // No Authorization header: the endpoint must refuse, not merely fail to succeed.
  const response = await client.get('/admin/users');
  // A bare `not.toBe(200)` would also pass on a 404 or a 500; require an explicit refusal.
  expect([401, 403]).toContain(response.status);
});
```
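The single request above only shows that one endpoint refuses an anonymous caller. Broken access control is usually found by systematically crossing principals with endpoints: an admin-only route reached by an ordinary user (vertical escalation), another user's object reached by a peer (IDOR), and a crash where a refusal was expected. The following is an added example, not code from the project: a table-driven matrix evaluator. The principals, endpoints and observed statuses are constructed; in a real run `observed` would be filled by calling the API once per principal with that principal's token.

```javascript
// Added example (not the project's code). Principals are constructed; 'userA' and 'userB'
// are two ordinary accounts, 'admin' an administrator, 'anonymous' a request with no token.
const PRINCIPALS = ['anonymous', 'userA', 'userB', 'admin'];

// For every endpoint, who is allowed. Everyone else must be refused.
const AUTHZ_MATRIX = [
  // Vertical: admin-only function.
  { method: 'GET',    path: '/admin/users', allowed: ['admin'] },
  // Horizontal: object owned by userB; userA succeeding here is an IDOR.
  { method: 'DELETE', path: '/posts/42',    allowed: ['userB', 'admin'] },
  // Authenticated-only: anonymous must be refused, any user may read.
  { method: 'GET',    path: '/users/me',    allowed: ['userA', 'userB', 'admin'] },
];

// Expand the matrix into one case per (principal, endpoint) pair.
function buildAuthzCases(matrix = AUTHZ_MATRIX, principals = PRINCIPALS) {
  const cases = [];
  for (const entry of matrix) {
    for (const who of principals) {
      cases.push({ who, method: entry.method, path: entry.path,
                   allowed: entry.allowed, expectAllowed: entry.allowed.includes(who) });
    }
  }
  return cases;
}

const caseKey = (c) => `${c.who} ${c.method} ${c.path}`;
const is2xx = (s) => s >= 200 && s < 300;

// Compare expectations with what the API answered. Only deviations are returned, each
// tagged with the weakness class it indicates, so a failing test says what went wrong.
function evaluateAuthz(cases, observed) {
  const findings = [];
  for (const c of cases) {
    const status = observed[caseKey(c)];
    if (status === undefined) { findings.push({ ...c, status: null, kind: 'not-exercised' }); continue; }
    if (c.expectAllowed) {
      // A refusal where access is expected is a functional bug, not a hole, but it also
      // means the route was not really exercised for the "denied" principals.
      if (!is2xx(status)) findings.push({ ...c, status, kind: 'false-denial' });
      continue;
    }
    if (is2xx(status)) {
      const kind = c.who === 'anonymous' ? 'missing-authentication'
        : c.allowed.some((p) => p !== 'admin') ? 'idor'          // peer-owned object reached by another peer
        : 'privilege-escalation';                                 // admin-only function reached by a lesser role
      findings.push({ ...c, status, kind });
    } else if (status >= 500) {
      // A crash is not an access-control decision; the check may not exist at all.
      findings.push({ ...c, status, kind: 'error-instead-of-denial' });
    } else if (![401, 403, 404].includes(status)) {
      findings.push({ ...c, status, kind: 'unexpected-status' });
    }
  }
  return findings;
}

// Constructed sample of observed statuses, keyed "principal METHOD path".
const SAMPLE_OBSERVED = {
  'anonymous GET /admin/users': 401, 'userA GET /admin/users': 403,
  'userB GET /admin/users': 403,     'admin GET /admin/users': 200,
  'anonymous DELETE /posts/42': 401, 'userA DELETE /posts/42': 204,  // IDOR
  'userB DELETE /posts/42': 204,     'admin DELETE /posts/42': 204,
  'anonymous GET /users/me': 500,    'userA GET /users/me': 200,     // crash instead of 401
  'userB GET /users/me': 200,        'admin GET /users/me': 200,
};

function sampleFindings() {
  return evaluateAuthz(buildAuthzCases(), SAMPLE_OBSERVED);
}
```

In a Jest test the matrix is the fixture, `observed` is built by one `client` call per case with that principal's token, and the assertion is `expect(evaluateAuthz(cases, observed)).toEqual([])`, so the failure output lists every case with its `kind`.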

A02:2021 - Cryptographic Failures

Tests for:

  • HTTPS enforcement
  • Sensitive data exposure
  • Weak encryption
```javascript
it('should not expose sensitive data', async () => {
  const response = await client.get('/users/1');
  // Neither the plaintext password nor its hash belongs in an API response.
  expect(response.data).not.toHaveProperty('password');
});
```
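Checking for one property name on one top-level object misses the common cases: a hash under a different key, a token inside a nested `sessions` array, or a card number in a free-text field. The following is an added example, not code from the project: a recursive scan of a JSON response that matches both key names and value shapes, with a Luhn check so that an ordinary 16-digit identifier is not reported as a card number. The sample response and the pattern list are constructed and illustrative, not exhaustive.

```javascript
// Added example (not the project's code): scan a decoded JSON body for data that should
// never leave the API. Key names are matched case-insensitively; values are matched by shape.
const SENSITIVE_KEYS = /^(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?token|refresh[_-]?token|private[_-]?key|ssn|card(_?number)?|cvv)$/i;

const VALUE_PATTERNS = [
  { kind: 'jwt',             re: /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/ },
  { kind: 'bcrypt-hash',     re: /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/ },
  { kind: 'aws-access-key',  re: /^(AKIA|ASIA)[0-9A-Z]{16}$/ },
  { kind: 'pem-private-key', re: /-----BEGIN (RSA |EC )?PRIVATE KEY-----/ },
];

// Luhn checksum: a run of digits is only reported as a card number if it passes.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function classifyValue(value) {
  if (typeof value !== 'string') return null;
  for (const p of VALUE_PATTERNS) if (p.re.test(value)) return p.kind;
  const digits = value.replace(/[ -]/g, '');
  if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) return 'card-number';
  return null;
}

// Walk objects and arrays, recording a JSONPath-style location for every hit.
function findSensitiveFields(node, path = '$', out = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findSensitiveFields(item, `${path}[${i}]`, out));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const childPath = `${path}.${key}`;
      if (SENSITIVE_KEYS.test(key)) {
        out.push({ path: childPath, reason: `key:${key}` });
      } else {
        const kind = classifyValue(value);
        if (kind) out.push({ path: childPath, reason: `value:${kind}` });
      }
      findSensitiveFields(value, childPath, out); // keep descending into nested data
    }
  }
  return out;
}

// Constructed sample of a /users/1 response with several kinds of leak.
const SAMPLE_USER_RESPONSE = {
  id: 1,
  email: 'alice@example.com',
  password: '$2b$10$constructedhashvalue',   // key match: the hash must not be returned either
  apiKey: 'sk_live_constructed',             // key match (camelCase handled by the regex)
  billing: '4111 1111 1111 1111',            // value match: 16 digits that pass Luhn
  orderRef: '1234567890123456',              // 16 digits that fail Luhn: not reported
  legacy: 'AKIAIOSFODNN7EXAMPLE',            // value match: AWS access key id shape
  sessions: [{ token: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOjF9.c2ln' }], // key match inside an array
};
```

In the Jest test the assertion becomes `expect(findSensitiveFields(response.data)).toEqual([])`, which on failure prints the path of every offending field rather than a single boolean.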

A03:2021 - Injection

Tests for:

  • SQL injection
  • NoSQL injection
  • Command injection
  • LDAP injection
```javascript
const sqlPayloads = [
  "'; DROP TABLE users; --",
  "1' OR '1'='1",
];

it('should treat SQL metacharacters as plain text', async () => {
  for (const payload of sqlPayloads) {
    const response = await client.post('/posts', { title: payload });
    // With parameterised queries the payload is just a string and is accepted;
    // a 500, or a database error message in the body, means it reached the query unquoted.
    expect(response.status).toBe(201);
  }
});
```
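A 201 alone is a weak oracle: an API can return 201 after silently stripping the quotes (which hides what the backend received), and a blind injection that succeeds via a time delay still returns 201. The following is an added example, not code from the project: an inspector applied to each probe that also looks for database error text in the body, compares the value read back with the value sent, and flags a response that took far longer than the baseline. The probe records are constructed to look like the framework's `{ status, data }` responses with timings attached; the `title` field follows the guide's `/posts` example.

```javascript
// Added example (not the project's code). Signatures are illustrative, not exhaustive.
const DB_ERROR_SIGNATURES = [
  /you have an error in your sql syntax/i,                 // MySQL / MariaDB
  /unterminated quoted string|syntax error at or near/i,   // PostgreSQL
  /SQLITE_ERROR|sqlite3?\.(Operational)?Error/i,           // SQLite
  /\bORA-\d{5}\b/,                                         // Oracle
  /Unclosed quotation mark|Incorrect syntax near/i,        // MSSQL
  /MongoServerError|MongoError|CastError/,                 // MongoDB / Mongoose
  /\n\s+at .+\(.+\.js:\d+:\d+\)/,                          // Node stack trace in the body
];

const bodyText = (data) => (typeof data === 'string' ? data : JSON.stringify(data ?? ''));

// One probe: the payload that was sent, the response, the stored value read back
// afterwards (if the request was accepted), and request timings in milliseconds.
function inspectInjectionProbe({ payload, field, response, readBack, elapsedMs, baselineMs, delayThresholdMs = 2000 }) {
  const issues = [];
  const text = bodyText(response.data);
  if (response.status >= 500) issues.push('server-error');
  if (DB_ERROR_SIGNATURES.some((re) => re.test(text))) issues.push('db-error-disclosure');
  // Accepted but changed: the API rewrote the input instead of parameterising it.
  if (response.status < 300 && readBack !== undefined && readBack[field] !== payload) {
    issues.push('payload-altered');
  }
  // Time-based blind injection: a sleep payload that takes much longer than the baseline.
  if (baselineMs !== undefined && elapsedMs - baselineMs >= delayThresholdMs) issues.push('time-delay');
  return issues;
}

function runInjectionInspection(probes) {
  return probes.map((p) => ({ payload: p.payload, issues: inspectInjectionProbe(p) }));
}

// Constructed probe results covering the four outcomes a tester should distinguish.
const SAMPLE_PROBES = [
  // Correct handling: accepted, stored verbatim, no delay.
  { payload: "1' OR '1'='1", field: 'title',
    response: { status: 201, data: { id: 7, title: "1' OR '1'='1" } },
    readBack: { id: 7, title: "1' OR '1'='1" }, elapsedMs: 110, baselineMs: 95 },
  // Unparameterised query: crash plus a verbatim MySQL error in the body.
  { payload: "'; DROP TABLE users; --", field: 'title',
    response: { status: 500, data: { error: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version' } },
    elapsedMs: 120, baselineMs: 95 },
  // Quotes stripped on the way in, and the request took three seconds longer than baseline.
  { payload: "x' AND SLEEP(3)-- ", field: 'title',
    response: { status: 201, data: { id: 8, title: 'x AND SLEEP(3)-- ' } },
    readBack: { id: 8, title: 'x AND SLEEP(3)-- ' }, elapsedMs: 3180, baselineMs: 95 },
  // NoSQL operator object rejected by schema validation: a 400 is the right answer.
  { payload: { $gt: '' }, field: 'title',
    response: { status: 400, data: { error: 'title must be a string' } },
    elapsedMs: 90, baselineMs: 95 },
];
```

The same inspector serves the NoSQL and command-injection payload lists; only the signature table grows. In Jest, `expect(inspectInjectionProbe(probe)).toEqual([])` per payload gives a failure message naming the issue class.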

A04:2021 - Insecure Design

Tests for:

  • Rate limiting
  • Business logic flaws
  • Missing security controls

A05:2021 - Security Misconfiguration

Tests for:

  • Server information disclosure
  • CORS configuration
  • Default credentials

A06:2021 - Vulnerable and Outdated Components

Tests for:

  • Malformed request handling
  • Error disclosure

These are request-level checks that surface a component's behaviour under bad input (stack traces, framework error pages, version strings). Whether the dependencies themselves carry known vulnerabilities cannot be decided from responses; that belongs to a dependency audit (for example `npm audit`) run alongside these tests.

A07:2021 - Identification and Authentication Failures

Tests for:

  • Weak password policies
  • Session management
  • Token security

A08:2021 - Software and Data Integrity Failures

Tests for:

  • Data integrity validation
  • Response tampering

A09:2021 - Security Logging and Monitoring Failures

Tests for:

  • Security event logging
  • Audit trail

A10:2021 - Server-Side Request Forgery (SSRF)

Tests for:

  • SSRF attempts via URL parameters
  • Internal network access

XSS Prevention

A JSON API should store text exactly as received and leave HTML encoding to the client that renders it, so the test asserts the payload comes back unchanged. An API that "sanitises" these strings would both corrupt legitimate content (a post about `<script>` tags) and hide which values actually reached the store. What keeps a stored payload inert is the response itself: `Content-Type: application/json` together with `X-Content-Type-Options: nosniff`, which the header tests cover.

```javascript
const xssPayloads = [
  '<script>alert("XSS")</script>',
  '<img src="x" onerror="alert(1)">',
  'javascript:alert(1)',
];

it('should store XSS payloads verbatim without interpreting them', async () => {
  for (const payload of xssPayloads) {
    const response = await client.post('/posts', { title: payload });
    expect(response.data.title).toBe(payload); // stored as-is; encoding is the renderer's job
  }
});
```

Header Security

Validate security headers:

```javascript
it('should have security headers', async () => {
  const response = await client.get('/users');

  // Header names are lower-cased by the HTTP client, so look them up in lower case.
  expect(response.headers['x-content-type-options']).toBe('nosniff');
  expect(response.headers['x-frame-options']).toBe('DENY');
});
```
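Two exact-match assertions are brittle (a server answering `SAMEORIGIN` or `NOSNIFF` is not misconfigured) and incomplete (no HSTS, no version disclosure, no caching rule). The following is an added example, not code from the project, serving both the XSS section and this one: a header audit that normalises names and values, parses HSTS `max-age`, flags `Server` and `X-Powered-By` disclosure, and a `jsonResponseIsInert` check capturing the condition under which the stored `<script>` strings stay harmless in a browser. Both header sets and the HSTS threshold are constructed for the example.

```javascript
// Added example (not the project's code). Input is a plain header object as returned by
// an HTTP client; names are normalised here, so mixed case in fixtures is fine.
const lowerKeys = (h = {}) =>
  Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), String(v)]));

function parseHsts(value = '') {
  const m = /max-age=(\d+)/i.exec(value);
  return { maxAge: m ? Number(m[1]) : null, includeSubDomains: /includesubdomains/i.test(value) };
}

// A body served as application/json with sniffing disabled is never rendered as HTML,
// which is what makes storing XSS payloads verbatim safe at the API layer.
function jsonResponseIsInert(rawHeaders) {
  const h = lowerKeys(rawHeaders);
  return (h['content-type'] || '').toLowerCase().startsWith('application/json')
      && (h['x-content-type-options'] || '').toLowerCase() === 'nosniff';
}

// Options: https (HSTS only applies over TLS), minHstsAge (180 days here, an assumed
// policy value), sensitive (responses carrying user data must not be cached).
function auditSecurityHeaders(rawHeaders, { https = true, minHstsAge = 15552000, sensitive = false } = {}) {
  const h = lowerKeys(rawHeaders);
  const findings = [];
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('x-content-type-options: expected nosniff');
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') findings.push('x-frame-options: expected DENY or SAMEORIGIN');
  if (https) {
    const { maxAge } = parseHsts(h['strict-transport-security']);
    if (maxAge === null) findings.push('strict-transport-security: missing');
    else if (maxAge < minHstsAge) findings.push(`strict-transport-security: max-age ${maxAge} below ${minHstsAge}`);
  }
  const ct = (h['content-type'] || '').toLowerCase();
  if (!ct.startsWith('application/json')) findings.push(`content-type: expected application/json, got "${ct || 'none'}"`);
  if (h['server'] && /\d/.test(h['server'])) findings.push(`server: discloses a version ("${h['server']}")`);
  if (h['x-powered-by']) findings.push(`x-powered-by: present ("${h['x-powered-by']}")`);
  if (sensitive && !/no-store/i.test(h['cache-control'] || '')) {
    findings.push('cache-control: expected no-store on a response carrying user data');
  }
  return findings;
}

// Constructed fixtures: a hardened response and a weak one.
const HARDENED_HEADERS = {
  'Content-Type': 'application/json; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Cache-Control': 'no-store',
  'Server': 'nginx',
};

const WEAK_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'ALLOW-FROM https://example.com',
  'Strict-Transport-Security': 'max-age=300',
  'Server': 'nginx/1.24.0',
  'X-Powered-By': 'Express',
};
```

In Jest the assertion is `expect(auditSecurityHeaders(response.headers, { sensitive: true })).toEqual([])` for endpoints that return user data, and `expect(jsonResponseIsInert(response.headers)).toBe(true)` in the XSS test right after the payload round-trip check.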

Best Practices

1. Test Payloads

Use comprehensive payload lists:

  • FuzzDB (OWASP)
  • SecLists
  • Custom payloads

2. Authentication Testing

```javascript
// Test token expiration using the framework's jwt helpers referenced in this guide
it('should reject an expired token', () => {
  const expiredToken = jwt.generateExpiredToken({ userId: 1 });
  const result = jwt.validateToken(expiredToken);
  expect(result.valid).toBe(false);
});
```

3. Rate Limiting

```javascript
// Test rate limits
it('should rate-limit a burst of requests', async () => {
  // The client must not throw on 429 (with axios, set validateStatus: () => true),
  // otherwise Promise.all rejects before the responses can be counted.
  const requests = Array.from({ length: 100 }, () =>
    client.get('/users')
  );
  const responses = await Promise.all(requests);

  const rateLimited = responses.filter(r => r.status === 429);
  expect(rateLimited.length).toBeGreaterThan(0);
});
```
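"At least one 429" passes for a limiter that engages far too late, never tells the client when to retry, or keeps letting requests through after it engaged (typical when the limit is kept per instance behind a load balancer). The following is an added example, not code from the project: an analysis of the whole burst against an assumed policy of 50 requests per window. The burst of 100 responses is constructed to show all three problems.

```javascript
// Added example (not the project's code). Each response is { status, headers }.
const lowerKeys = (h = {}) =>
  Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), String(v)]));

// Any of these tells the client when the window resets (RFC 6585 Retry-After or the
// draft RateLimit headers and their X- predecessors).
const RETRY_HEADERS = ['retry-after', 'ratelimit-reset', 'x-ratelimit-reset'];

function analyzeBurst(responses, { expectedLimit } = {}) {
  const limitedIdx = responses.flatMap((r, i) => (r.status === 429 ? [i] : []));
  const findings = [];
  if (limitedIdx.length === 0) {
    findings.push('no 429 observed in the burst');
  } else {
    const first = limitedIdx[0];
    const missingRetry = limitedIdx.filter((i) => !RETRY_HEADERS.some((k) => k in lowerKeys(responses[i].headers)));
    if (missingRetry.length) findings.push(`${missingRetry.length} 429 response(s) without Retry-After or RateLimit-Reset`);
    // Requests are 0-indexed: with a limit of N the first 429 should be request N.
    if (expectedLimit !== undefined && first > expectedLimit) {
      findings.push(`first 429 at request ${first}, policy allows ${expectedLimit}`);
    }
    // Successes after the first 429 inside one burst mean an attacker is slowed, not stopped.
    const leaked = responses.slice(first).filter((r) => r.status >= 200 && r.status < 300).length;
    if (leaked) findings.push(`${leaked} 2xx response(s) after the first 429`);
  }
  return { total: responses.length, limited: limitedIdx.length, firstLimitedAt: limitedIdx[0] ?? null, findings };
}

// Constructed burst: limiter engages at request 60 instead of 50, request 70 is a 429
// with no retry information, and request 80 slips through after the limit was hit.
const SAMPLE_BURST = Array.from({ length: 100 }, (_, i) => {
  if (i < 60 || i === 80) return { status: 200, headers: { 'Content-Type': 'application/json' } };
  if (i === 70) return { status: 429, headers: {} };
  return { status: 429, headers: { 'Retry-After': '30', 'RateLimit-Remaining': '0' } };
});

function sampleBurstReport() {
  return analyzeBurst(SAMPLE_BURST, { expectedLimit: 50 });
}
```

In Jest the burst comes from `Promise.all` as above and the assertion is `expect(analyzeBurst(responses, { expectedLimit }).findings).toEqual([])`; a second burst sent after the advertised `Retry-After` should then succeed, which verifies the limiter recovers instead of locking the client out.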

Security Checklist

  • Authentication bypass testing
  • Authorization testing
  • Input validation testing
  • Session management testing
  • Error handling testing
  • Business logic testing
  • Data validation testing
  • File upload testing
  • API rate limiting testing
  • CORS testing

Resources


For more information, see the main README.md.

There aren't any published security advisories