git.stella-ops.org/tests/security/README.md
master b55d9fa68d
Add comprehensive security tests for OWASP A03 (Injection) and A10 (SSRF)
- Implemented InjectionTests.cs to cover various injection vulnerabilities including SQL, NoSQL, Command, LDAP, and XPath injections.
- Created SsrfTests.cs to test for Server-Side Request Forgery (SSRF) vulnerabilities, including internal URL access, cloud metadata access, and URL allowlist bypass attempts.
- Introduced MaliciousPayloads.cs to store a collection of malicious payloads for testing various security vulnerabilities.
- Added SecurityAssertions.cs for common security-specific assertion helpers.
- Established SecurityTestBase.cs as a base class for security tests, providing common infrastructure and mocking utilities.
- Configured the test project StellaOps.Security.Tests.csproj with necessary dependencies for testing.
2025-12-16 13:11:57 +02:00
# Security Testing Framework

This directory contains systematic security tests covering OWASP Top 10 vulnerabilities for StellaOps modules.

## Structure

```text
security/
├── StellaOps.Security.Tests/
│   ├── Infrastructure/               # Base classes and test utilities
│   ├── A01_BrokenAccessControl/      # Authorization bypass tests
│   ├── A02_CryptographicFailures/    # Crypto weakness tests
│   ├── A03_Injection/                # SQL, Command, ORM injection tests
│   ├── A05_SecurityMisconfiguration/ # Config validation tests
│   ├── A07_AuthenticationFailures/   # Auth bypass tests
│   ├── A08_IntegrityFailures/        # Data integrity tests
│   └── A10_SSRF/                     # Server-side request forgery tests
└── README.md
```

## OWASP Top 10 Coverage

| Rank | Category | Priority | Status |
|------|----------|----------|--------|
| A01 | Broken Access Control | CRITICAL | |
| A02 | Cryptographic Failures | CRITICAL | |
| A03 | Injection | CRITICAL | |
| A05 | Security Misconfiguration | HIGH | |
| A07 | Authentication Failures | CRITICAL | |
| A08 | Integrity Failures | HIGH | |
| A10 | SSRF | HIGH | |

## Running Tests

```bash
# Run all security tests
dotnet test tests/security/StellaOps.Security.Tests --filter "Category=Security"

# Run a specific OWASP category
dotnet test --filter "FullyQualifiedName~A01_BrokenAccessControl"

# Run with detailed output
dotnet test tests/security/StellaOps.Security.Tests -v normal
```

## Adding New Tests

1. Create the test class in the appropriate category directory
2. Inherit from `SecurityTestBase`
3. Use `MaliciousPayloads` for injection payloads
4. Use `SecurityAssertions` for security-specific assertions
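The four steps applied to an A10 case, as an added example by the editor rather than code from the StellaOps repository: a hypothetical `OutboundUrlPolicy` that permits only allowlisted hosts, and an xUnit test class that inherits `SecurityTestBase` and checks that the internal, cloud-metadata and allowlist-bypass destinations named in the commit message are refused. It assumes xUnit, that `SecurityTestBase` is in scope with a parameterless constructor, and uses constructed inline data and plain assertions because the members of `MaliciousPayloads` and `SecurityAssertions` are not shown on this page.

```csharp
using System;
using System.Collections.Generic;
using Xunit;

namespace StellaOps.Security.Tests.A10_SSRF;

// Hypothetical component under test (not from the repository): an outbound URL is
// permitted only when its parsed host is on an explicit allowlist, so loopback and
// link-local metadata addresses and look-alike names are refused by default.
public sealed class OutboundUrlPolicy
{
    private readonly HashSet<string> _allowedHosts;

    public OutboundUrlPolicy(params string[] allowedHosts) =>
        _allowedHosts = new HashSet<string>(allowedHosts, StringComparer.OrdinalIgnoreCase);

    public bool IsAllowed(string candidate)
    {
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out var uri)) return false; // fail closed
        if (uri.Scheme != Uri.UriSchemeHttps) return false;     // https only: no file:, http:, etc.
        if (!string.IsNullOrEmpty(uri.UserInfo)) return false;  // "user@host" forms are never needed
        return _allowedHosts.Contains(uri.Host);                // Uri.Host is the parsed authority host
    }
}

// Step 1: class lives under A10_SSRF. Step 2: inherits SecurityTestBase (assumed parameterless).
// Steps 3-4 are approximated with inline constructed data and xUnit assertions, since the
// MaliciousPayloads and SecurityAssertions members are not shown above.
[Trait("Category", "Security")]   // picked up by the "Category=Security" filter used in this README
public sealed class OutboundUrlPolicyTests : SecurityTestBase
{
    private readonly OutboundUrlPolicy _policy = new("api.example.com");

    [Theory]
    [InlineData("https://api.example.com/v1/items")]
    [InlineData("https://API.EXAMPLE.COM/v1/items")]           // host comparison is case-insensitive
    public void Allows_allowlisted_host(string url) =>
        Assert.True(_policy.IsAllowed(url));

    [Theory]
    [InlineData("http://127.0.0.1:8080/admin")]                // internal service (constructed)
    [InlineData("https://169.254.169.254/latest/meta-data/")]   // cloud metadata endpoint (constructed)
    [InlineData("https://api.example.com@169.254.169.254/")]   // allowlisted name in userinfo, real host differs
    [InlineData("https://api.example.com.attacker.test/")]     // allowlisted name used only as a prefix
    [InlineData("file:///etc/hostname")]                       // non-https scheme
    [InlineData("not a url")]                                  // unparsable input must fail closed
    public void Rejects_non_allowlisted_destinations(string url) =>
        Assert.False(_policy.IsAllowed(url));
}
```

Parsing with `Uri` before comparing hosts is the point of the bypass cases: a string check such as `url.Contains("api.example.com")` would accept every one of the rejected inputs.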

## CI Integration

Security tests run as part of the CI pipeline:

- All PRs: run the critical security tests (A01, A02, A03, A07)
- Nightly: full OWASP Top 10 coverage
- Pre-release: full suite with extended fuzzing

## References