1/*
2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3* SPDX-License-Identifier: MIT
4*/
5
// HTTP-level test harness for the security-question endpoints; every case below
// issues a real request against a locally running Juice Shop instance.
import frisby = require('frisby')
import config from 'config'
// Joi is re-exported by frisby and is used for response-shape assertions.
const Joi = frisby.Joi
// Project helper that mints the bearer token used for the authenticated cases.
const security = require('../../lib/insecurity')

// Base URLs of the two public API surfaces exercised by this file.
const API_URL = 'http://localhost:3000/api'
const REST_URL = 'http://localhost:3000/rest'

// Shared headers for requests that must look like an authenticated JSON client;
// the token comes from security.authorize(), whose claims are not visible here.
const authHeader = { Authorization: `Bearer ${security.authorize()}`, 'content-type': 'application/json' }
15
// Collection-level access rules of the security-question resource: the list is
// public, but creating questions is rejected even with a valid bearer token.
describe('/api/SecurityQuestions', () => {
  const collectionUrl = `${API_URL}/SecurityQuestions`

  it('GET all security questions ', () => {
    // Only the shape of each item is pinned, not the concrete questions.
    const questionShape = {
      id: Joi.number(),
      question: Joi.string()
    }
    return frisby.get(collectionUrl)
      .expect('status', 200)
      .expect('header', 'content-type', /application\/json/)
      .expect('jsonTypes', 'data.*', questionShape)
  })

  it('POST new security question is forbidden via public API even when authenticated', () => {
    const payload = { question: 'Your own first name?' }
    // 401 is expected although authHeader carries a token: the write path is
    // closed to the public API regardless of who calls it.
    return frisby.post(collectionUrl, { headers: authHeader, body: payload })
      .expect('status', 401)
  })
})
37
// Item-level access rules: read, update and delete of a single security
// question are all rejected with 401 on the public API, token or not.
describe('/api/SecurityQuestions/:id', () => {
  const questionUrl = `${API_URL}/SecurityQuestions/1`
  const updatePayload = { question: 'Your own first name?' }

  // Every case in this group asserts the same outcome.
  const expectUnauthorized = (request: any) => request.expect('status', 401)

  it('GET existing security question by id is forbidden via public API even when authenticated', () => {
    return expectUnauthorized(frisby.get(questionUrl, { headers: authHeader }))
  })

  it('PUT update existing security question is forbidden via public API even when authenticated', () => {
    return expectUnauthorized(frisby.put(questionUrl, { headers: authHeader, body: updatePayload }))
  })

  it('DELETE existing security question is forbidden via public API even when authenticated', () => {
    return expectUnauthorized(frisby.del(questionUrl, { headers: authHeader }))
  })
})
59
// Unauthenticated lookup of a user's security question by email address.
describe('/rest/user/security-question', () => {
  const endpoint = `${REST_URL}/user/security-question`
  const knownEmail = `jim@${config.get<string>('application.domain')}`

  it('GET security question for an existing user\'s email address', () => {
    return frisby.get(`${endpoint}?email=${knownEmail}`)
      .expect('status', 200)
      .expect('json', 'question', {
        question: 'Your eldest siblings middle name?'
      })
  })

  it('GET security question returns nothing for an unknown email address', () => {
    // An unknown address yields an empty object rather than an error, so the
    // response body is what distinguishes known from unknown users here.
    return frisby.get(`${endpoint}?email=horst@unknown-us.er`)
      .expect('status', 200)
      .expect('json', {})
  })

  it('GET security question throws error for missing email address', () => {
    // Pins the verbose HTML error page (application name plus the raw error
    // message) as the expected response when the parameter is absent.
    const expectedHeading = `<h1>${config.get<string>('application.name')} (Express`
    return frisby.get(endpoint)
      .expect('status', 500)
      .expect('header', 'content-type', /text\/html/)
      .expect('bodyContains', expectedHeading)
      .expect('bodyContains', 'Error: WHERE parameter "email" has invalid "undefined" value')
  })

  it('GET security question is not susceptible to SQL Injection attacks', () => {
    // Only the status code is asserted: a 200 shows the endpoint survives the
    // quote-and-semicolon input, but does not by itself prove the parameter is
    // handled safely — comparing the body with the unknown-email case would be
    // a stronger check.
    return frisby.get(`${endpoint}?email=';`)
      .expect('status', 200)
  })
})