/*
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */

import frisby = require('frisby')
import config from 'config'
const Joi = frisby.Joi
// The application's own token helper (lib/insecurity); only authorize() is used here.
const security = require('../../lib/insecurity')

// Base URLs of the two HTTP surfaces exercised below: the generated model API and the hand-written REST routes.
const API_URL = 'http://localhost:3000/api'
const REST_URL = 'http://localhost:3000/rest'

// Shared headers for requests that should look authenticated. The bearer token is minted by
// security.authorize(); which account it represents is not visible here — check lib/insecurity.
const authHeader = { Authorization: `Bearer ${security.authorize()}`, 'content-type': 'application/json' }

describe('/api/SecurityQuestions', () => {
  const collectionUrl = `${API_URL}/SecurityQuestions`

  // The question catalogue is readable without a token; every entry must carry a numeric id and a question text.
  it('GET all security questions ', () => {
    const questionShape = {
      id: Joi.number(),
      question: Joi.string()
    }
    return frisby.get(collectionUrl)
      .expect('status', 200)
      .expect('header', 'content-type', /application\/json/)
      .expect('jsonTypes', 'data.*', questionShape)
  })

  // Creating questions stays closed even with a valid bearer token: the model is read-only through this API.
  it('POST new security question is forbidden via public API even when authenticated', () => {
    const request = {
      headers: authHeader,
      body: { question: 'Your own first name?' }
    }
    return frisby.post(collectionUrl, request).expect('status', 401)
  })
})

describe('/api/SecurityQuestions/:id', () => {
  const resourceUrl = `${API_URL}/SecurityQuestions/1`

  // A valid bearer token must not unlock single-item read, update or delete on this model:
  // every call below is expected to come back 401. Each case builds its own request options.
  const forbiddenCalls = [
    {
      title: 'GET existing security question by id is forbidden via public API even when authenticated',
      send: () => frisby.get(resourceUrl, { headers: authHeader })
    },
    {
      title: 'PUT update existing security question is forbidden via public API even when authenticated',
      send: () => frisby.put(resourceUrl, {
        headers: authHeader,
        body: { question: 'Your own first name?' }
      })
    },
    {
      title: 'DELETE existing security question is forbidden via public API even when authenticated',
      send: () => frisby.del(resourceUrl, { headers: authHeader })
    }
  ]

  for (const { title, send } of forbiddenCalls) {
    it(title, () => send().expect('status', 401))
  }
})

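describe('/rest/user/security-question', () => {
  const questionUrl = `${REST_URL}/user/security-question`

  // Looking up a known account yields that account's question; the email is built from the configured domain.
  it('GET security question for an existing user\'s email address', () => {
    return frisby.get(`${questionUrl}?email=jim@${config.get<string>('application.domain')}`)
      .expect('status', 200)
      .expect('json', 'question', {
        question: 'Your eldest siblings middle name?'
      })
  })

  // frisby's 'json' expectation is a partial (subset) match, so `{}` would accept any body;
  // 'jsonStrict' pins the empty-object response an unknown address is supposed to produce.
  it('GET security question returns nothing for an unknown email address', () => {
    return frisby.get(`${questionUrl}?email=horst@unknown-us.er`)
      .expect('status', 200)
      .expect('jsonStrict', {})
  })

  // Documents the current failure mode for a missing parameter: an Express HTML error page
  // that echoes the failing WHERE clause back to the client.
  it('GET security question throws error for missing email address', () => {
    return frisby.get(questionUrl)
      .expect('status', 500)
      .expect('header', 'content-type', /text\/html/)
      .expect('bodyContains', `<h1>${config.get<string>('application.name')} (Express`)
      .expect('bodyContains', 'Error: WHERE parameter &quot;email&quot; has invalid &quot;undefined&quot; value')
  })

  // A stray quote must be handled like any other unknown address: no error page and no
  // question disclosed. Checking only the status would also pass if a question leaked.
  it('GET security question is not susceptible to SQL Injection attacks', () => {
    return frisby.get(`${questionUrl}?email=';`)
      .expect('status', 200)
      .expect('jsonStrict', {})
  })
})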