stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

Add comprehensive security tests for OWASP A03 (Injection) and A10 (SSRF)
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details

Browse Source 
- Implemented InjectionTests.cs to cover various injection vulnerabilities including SQL, NoSQL, Command, LDAP, and XPath injections.
- Created SsrfTests.cs to test for Server-Side Request Forgery (SSRF) vulnerabilities, including internal URL access, cloud metadata access, and URL allowlist bypass attempts.
- Introduced MaliciousPayloads.cs to store a collection of malicious payloads for testing various security vulnerabilities.
- Added SecurityAssertions.cs for common security-specific assertion helpers.
- Established SecurityTestBase.cs as a base class for security tests, providing common infrastructure and mocking utilities.
- Configured the test project StellaOps.Security.Tests.csproj with necessary dependencies for testing.
This commit is contained in:
master
2025-12-16 13:11:57 +02:00
parent 5a480a3c2a
commit b55d9fa68d
72 changed files with 8051 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
tests/security/README.md Normal file
View File

@@ -0,0 +1,64 @@
# Security Testing Framework
This directory contains systematic security tests covering OWASP Top 10 vulnerabilities for StellaOps modules.
## Structure
```
security/
├── StellaOps.Security.Tests/
│ ├── Infrastructure/ # Base classes and test utilities
│ ├── A01_BrokenAccessControl/ # Authorization bypass tests
│ ├── A02_CryptographicFailures/ # Crypto weakness tests
│ ├── A03_Injection/ # SQL, Command, ORM injection tests
│ ├── A05_SecurityMisconfiguration/ # Config validation tests
│ ├── A07_AuthenticationFailures/ # Auth bypass tests
│ ├── A08_IntegrityFailures/ # Data integrity tests
│ └── A10_SSRF/ # Server-side request forgery tests
└── README.md
```
## OWASP Top 10 Coverage
| Rank | Category | Priority | Status |
|------|----------|----------|--------|
| A01 | Broken Access Control | CRITICAL | ✓ |
| A02 | Cryptographic Failures | CRITICAL | ✓ |
| A03 | Injection | CRITICAL | ✓ |
| A05 | Security Misconfiguration | HIGH | ✓ |
| A07 | Authentication Failures | CRITICAL | ✓ |
| A08 | Integrity Failures | HIGH | ✓ |
| A10 | SSRF | HIGH | ✓ |
## Running Tests
```bash
# Run all security tests
dotnet test tests/security/StellaOps.Security.Tests --filter "Category=Security"
# Run specific OWASP category
dotnet test --filter "FullyQualifiedName~A01_BrokenAccessControl"
# Run with detailed output
dotnet test tests/security/StellaOps.Security.Tests -v normal
```
## Adding New Tests
1. Create test class in appropriate category directory
2. Inherit from `SecurityTestBase`
3. Use `MaliciousPayloads` for injection payloads
4. Use `SecurityAssertions` for security-specific assertions
## CI Integration
Security tests run as part of the CI pipeline:
- All PRs: Run critical security tests (A01, A02, A03, A07)
- Nightly: Full OWASP Top 10 coverage
- Pre-release: Full suite with extended fuzzing
## References
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- StellaOps Security Policy: `docs/13_SECURITY_POLICY.md`