Security Tester

Security testing for web applications and APIs based on OWASP standards. Identify common vulnerabilities (injection, auth bypass, XSS, CSRF, IDOR), generate...

Author: zhanghengyi1986-afk
Uncategorized · clawhub v1.0.0 · Key: not required
Stars: 0 · Downloads: 359 · Installs: 0

Overview

Security Tester

Test web application and API security based on OWASP standards.

OWASP Top 10 (2021) Test Matrix

Reference: https://owasp.org/Top10/

| # | Category | CWE | Key Tests |
|---|---|---|---|
| A01 | Broken Access Control | CWE-284 | IDOR, privilege escalation, force browse, CORS |
| A02 | Cryptographic Failures | CWE-310 | TLS config, password storage, sensitive data exposure |
| A03 | Injection | CWE-74 | SQLi, XSS, command injection, LDAP injection |
| A04 | Insecure Design | CWE-501 | Business logic flaws, missing rate limits |
| A05 | Security Misconfiguration | CWE-16 | Default creds, verbose errors, unnecessary features |
| A06 | Vulnerable Components | CWE-1035 | Outdated libs, known CVEs |
| A07 | Auth Failures | CWE-287 | Brute force, weak passwords, session fixation |
| A08 | Data Integrity Failures | CWE-502 | Insecure deserialization, unsigned updates |
| A09 | Logging Failures | CWE-778 | Missing audit logs, log injection |
| A10 | SSRF | CWE-918 | Server-side request forgery |

Security Test Case Generation

For each API endpoint or page, apply this checklist:

A01: Access Control Testing (OWASP-AT)

```bash
# IDOR: Access another user's resource (horizontal privilege escalation)
curl -s -o /dev/null -w "%{http_code}\n" \
  -H "Authorization: Bearer $USER_A_TOKEN" \
  "$URL/api/users/USER_B_ID/profile"
# Expected: 403 Forbidden

# Vertical privilege escalation: normal user calling an admin endpoint
curl -s -o /dev/null -w "%{http_code}\n" \
  -H "Authorization: Bearer $NORMAL_USER_TOKEN" \
  "$URL/api/admin/users"
# Expected: 403 Forbidden

# Force browsing (unauthenticated)
curl -s -o /dev/null -w "%{http_code}\n" "$URL/api/internal/config"
# Expected: 401 Unauthorized

# CORS misconfiguration
curl -H "Origin: https://evil.com" -I "$URL/api/data"
# Check: Access-Control-Allow-Origin should NOT be * or evil.com
# (an arbitrary Origin reflected together with
#  Access-Control-Allow-Credentials: true is the worst case)

# HTTP method tampering
curl -s -o /dev/null -w "%{http_code}\n" \
  -X DELETE -H "Authorization: Bearer $READONLY_TOKEN" \
  "$URL/api/items/1"
# Expected: 403 if user lacks delete permission
```
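The access-control checks above are one-off curl calls. The following is an added example, not part of the Security Tester skill, showing the same checklist expressed as an authorization regression matrix in Python: a table of (caller, method, path, expected status) run against any `request(method, path, token)` callable. The in-memory `demo_app`, its tokens and user ids are constructed for illustration; it deliberately contains the checklist's IDOR (no ownership check on the profile route), and `fixed_app` shows the route with the check added. Swap `demo_app` for a function that performs real HTTP requests to run the matrix against a live service.

```python
"""Authorization regression matrix (added example; constructed demo app)."""

# Constructed sample principals: token -> (user id, role)
TOKENS = {
    "tok-alice": ("u1", "user"),
    "tok-bob": ("u2", "user"),
    "tok-root": ("u9", "admin"),
}


def demo_app(method, path, token):
    """Constructed mini-app with one authorization bug: the profile route
    checks that the caller is logged in but never compares the user id in
    the path against the caller (the IDOR case from the checklist)."""
    principal = TOKENS.get(token)
    if path.startswith("/api/users/") and path.endswith("/profile"):
        if principal is None:
            return 401
        return 200  # BUG: any authenticated user can read any profile
    if path == "/api/admin/users":
        if principal is None:
            return 401
        return 200 if principal[1] == "admin" else 403
    if path == "/api/internal/config":
        return 401 if principal is None else 403
    if path.startswith("/api/items/") and method == "DELETE":
        if principal is None:
            return 401
        return 204 if principal[1] == "admin" else 403
    return 404


def fixed_app(method, path, token):
    """Same app with the ownership check the profile route was missing."""
    principal = TOKENS.get(token)
    if path.startswith("/api/users/") and path.endswith("/profile"):
        if principal is None:
            return 401
        owner = path.split("/")[3]  # /api/users/<id>/profile
        return 200 if owner == principal[0] else 403
    return demo_app(method, path, token)


# One row per checklist item: (name, caller token, method, path, expected status).
# None as the token means an unauthenticated request.
MATRIX = [
    ("IDOR: read another user's profile", "tok-alice", "GET", "/api/users/u2/profile", 403),
    ("own profile still readable", "tok-alice", "GET", "/api/users/u1/profile", 200),
    ("vertical escalation: admin listing", "tok-bob", "GET", "/api/admin/users", 403),
    ("force browse unauthenticated", None, "GET", "/api/internal/config", 401),
    ("method tampering: DELETE as read-only user", "tok-bob", "DELETE", "/api/items/1", 403),
]


def run_matrix(request, matrix=MATRIX):
    """Send every row through `request`; return failures as
    (name, expected status, actual status). An empty list means all
    access-control expectations held."""
    failures = []
    for name, token, method, path, expected in matrix:
        actual = request(method, path, token)
        if actual != expected:
            failures.append((name, expected, actual))
    return failures


if __name__ == "__main__":
    for name, expected, actual in run_matrix(demo_app):
        print(f"FAIL {name}: expected {expected}, got {actual}")
    print("fixed app failures:", run_matrix(fixed_app))
```

Keeping the matrix in version control next to the API turns the A01 checklist into a test that runs on every build, so a route that loses its ownership check is caught before release rather than in a pentest.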

A03: Injection Testing

```bash
# SQL Injection (OWASP-DV-005)
# Reference: CWE-89
PAYLOADS=(
  "' OR '1'='1"
  "' OR '1'='1' --"
  "'; DROP TABLE users; --"
  "' UNION SELECT null,null,null --"
  "1' AND SLEEP(5) --"
)

# Send one payload as the URL-encoded q parameter and print status + timing.
# --data-urlencode handles the quoting; interpolating the payload into an
# inline python3 -c string breaks as soon as it contains a single quote.
probe() {
  curl -s -o /dev/null -w "%{http_code} %{time_total}s\n" \
    -G --data-urlencode "q=$1" "$URL/api/search"
}

for p in "${PAYLOADS[@]}"; do
  echo "Testing: $p"
  probe "$p"   # a 500, or ~5s on the SLEEP payload, needs a closer look
done

# XSS (OWASP-DV-001)
# Reference: CWE-79
XSS_PAYLOADS=(
  '<script>alert(1)</script>'
  '<img src=x onerror=alert(1)>'
  '"><svg onload=alert(1)>'
  "javascript:alert(1)"
  '<body onload=alert(1)>'
)
# A payload echoed back verbatim (not HTML-encoded) indicates reflected XSS
for p in "${XSS_PAYLOADS[@]}"; do
  if curl -s -G --data-urlencode "q=$p" "$URL/api/search" | grep -qF -- "$p"; then
    echo "Reflected unencoded: $p"
  fi
done

# Command Injection (CWE-78)
CMD_PAYLOADS=(
  '; ls -la'
  '| cat /etc/passwd'
  '$(whoami)'
  '`id`'
)
# Run these through probe() (adjust the endpoint/parameter) against inputs
# that reach a shell; command output or an unexpected delay in the response
# indicates injection.
```
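To see why the `' OR '1'='1` payload above works and what the fix looks like, here is an added Python example (not the skill's code) that runs it against a search handler built two ways: with the value concatenated into the SQL text (CWE-89) and with it bound as a parameter. It also shows the reflection check the XSS loop relies on, with `html.escape` as the output-encoding fix. The SQLite database, its rows and the HTML template are constructed for the example; nothing touches the network.

```python
"""SQL injection and reflected-XSS demo (added example; constructed data)."""
import html
import sqlite3


def make_db():
    """Constructed in-memory table: only 'alice' is a public record."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, is_public INTEGER)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)],
    )
    return db


def search_vulnerable(db, q):
    """CWE-89: user input pasted into the query text. With the payload the
    WHERE clause becomes  is_public = 1 AND name = '' OR '1'='1'  and the
    OR branch is always true, so private rows leak."""
    sql = f"SELECT name FROM users WHERE is_public = 1 AND name = '{q}' ORDER BY name"
    return [row[0] for row in db.execute(sql)]


def search_fixed(db, q):
    """Same query with the value bound as a parameter: the payload is
    compared as a literal string and matches no name."""
    sql = "SELECT name FROM users WHERE is_public = 1 AND name = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (q,))]


def render_vulnerable(q):
    """CWE-79: the search term is written into HTML unencoded."""
    return f"<p>Results for {q}</p>"


def render_fixed(q):
    """Output encoding: < > & " ' become entities, so markup cannot execute."""
    return f"<p>Results for {html.escape(q)}</p>"


def reflected_unencoded(body, payload):
    """The check behind the XSS loop: the payload appears verbatim in the
    response body, i.e. it was not encoded on output."""
    return payload in body


SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, SQLI_PAYLOAD))  # all three names
    print("fixed:     ", search_fixed(db, SQLI_PAYLOAD))       # []
    print("reflected in vulnerable page:", reflected_unencoded(render_vulnerable(XSS_PAYLOAD), XSS_PAYLOAD))
    print("reflected in fixed page:     ", reflected_unencoded(render_fixed(XSS_PAYLOAD), XSS_PAYLOAD))
```

The remediation section of a finding for either case can point at these two functions: bind parameters for SQL, encode on output for HTML. Note that the reflection check is a heuristic; a payload that is encoded yet still lands in a script block or attribute needs manual review.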

A07: Authentication Testing

```bash
# Brute force protection (OWASP-AT-004)
for i in $(seq 1 20); do
  STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
    -X POST "$URL/api/login" \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"admin\",\"password\":\"wrong$i\"}")
  echo "Attempt $i: $STATUS"
  # After 5-10 attempts, should see 429 or account lockout
done

# Session fixation
# 1. Get session before login (cookies saved to pre.txt)
curl -s -o /dev/null -c pre.txt "$URL/"
# 2. Login, presenting the pre-login cookies and saving what comes back
curl -s -o /dev/null -b pre.txt -c post.txt -X POST "$URL/api/login" \
  -H "Content-Type: application/json" \
  -d "{\"username\":\"$TEST_USER\",\"password\":\"$TEST_PASS\"}"
# 3. Verify session ID changed after login ($SESSION_COOKIE is the cookie name)
PRE=$(grep -i "$SESSION_COOKIE" pre.txt); POST=$(grep -i "$SESSION_COOKIE" post.txt)
if [ -n "$PRE" ] && [ "$PRE" = "$POST" ]; then
  echo "Session ID unchanged after login: possible session fixation"
fi

# JWT vulnerabilities
# Check: alg=none bypass, weak secret, missing expiry
# Segments are unpadded base64url: restore padding and the standard alphabet
# before base64 -d (which is why the bare pipeline often prints nothing)
jwt_part() {
  echo "$JWT" | cut -d. -f"$1" | tr '_-' '/+' \
    | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d
}
jwt_part 1 | python3 -m json.tool   # header: alg must never be "none"
jwt_part 2 | python3 -m json.tool   # claims: exp must be present and short-lived
```
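Decoding the header and claims only shows what a token says; the three JWT checks listed above are really properties of the verifier. The following added Python example (not part of the skill) decodes a token the way the shell pipeline does and then verifies it the way a server should: the expected algorithm is fixed by the verifier rather than read from the header (which is what closes the alg=none bypass), the HMAC is compared in constant time, and `exp` is required and checked. HS256 is implemented with the standard library so it runs offline; the secret and the tokens are constructed for the example.

```python
"""JWT decode vs. verify (added example; constructed secret and tokens)."""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s):
    """JWT segments drop the '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims, secret):
    """Constructed token factory, used only to build inputs for the checks."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def unsigned_alg_none(claims):
    """Constructed alg=none token (header says 'none', empty signature),
    the shape a correct verifier must reject."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_unverified(token):
    """What the cut | base64 -d pipeline shows: header and claims, no trust."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_hs256(token, secret, now=None):
    """Return the claims if the token is acceptable, else raise ValueError.
    The algorithm is pinned by the verifier: a header claiming 'none' or
    anything other than HS256 is rejected before the signature is looked at."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if "exp" not in claims:
        raise ValueError("missing exp")
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def check(token, secret, now):
    """Convenience wrapper returning the rejection reason or 'ok'."""
    try:
        verify_hs256(token, secret, now)
        return "ok"
    except ValueError as e:
        return str(e)


SECRET = b"constructed-demo-secret-not-for-real-use"

if __name__ == "__main__":
    good = sign_hs256({"sub": "u1", "exp": 2_000_000_000}, SECRET)
    print(decode_unverified(good))
    print("good token:     ", check(good, SECRET, now=1_000))
    print("alg=none token: ", check(unsigned_alg_none({"sub": "admin", "exp": 2_000_000_000}), SECRET, now=1_000))
    print("no exp claim:   ", check(sign_hs256({"sub": "u1"}, SECRET), SECRET, now=1_000))
    print("expired:        ", check(sign_hs256({"sub": "u1", "exp": 500}, SECRET), SECRET, now=1_000))
    print("wrong secret:   ", check(good, b"other-secret", now=1_000))
```

The "weak secret" item in the checklist is not something the verifier can detect; it is a key-management finding (short or guessable HMAC keys), and the remediation is a long random key or an asymmetric algorithm such as RS256/ES256 with the expected algorithm pinned exactly as above.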

Vulnerability Report Template

## 🛡️ Security Finding

**Title**: [CWE-XXX] Brief description
**Severity**: 🔴 Critical / 🟠 High / 🟡 Medium / 🟢 Low / ℹ️ Info
**CVSS 3.1**: X.X ({vector_string})
**CWE**: CWE-XXX ({cwe_name})
**OWASP**: A0X:2021 ({category})
**Affected**: {endpoint / component}

### Description
What the vulnerability is and why it matters.

### Proof of Concept
Step-by-step reproduction with exact commands/requests.

### Impact
- Confidentiality: {High/Medium/Low/None}
- Integrity: {High/Medium/Low/None}
- Availability: {High/Medium/Low/None}

### Remediation
Specific fix recommendations with code examples.

### References
- OWASP: {link}
- CWE: {link}

CVSS 3.1 Quick Scoring (Reference: https://www.first.org/cvss/)

| Severity | Score | Example |
|---|---|---|
| 🔴 Critical | 9.0-10.0 | Unauthenticated RCE, mass data breach |
| 🟠 High | 7.0-8.9 | SQLi with data access, auth bypass |
| 🟡 Medium | 4.0-6.9 | Stored XSS, IDOR with limited data |
| 🟢 Low | 0.1-3.9 | Reflected XSS requiring interaction |
| ℹ️ Info | 0.0 | Version disclosure, missing headers |

Security Headers Check

```bash
# Check response headers
curl -sI "$URL" | grep -iE "strict-transport|content-security|x-frame|x-content-type|x-xss|referrer-policy|permissions-policy"

# Expected headers:
# Strict-Transport-Security: max-age=31536000; includeSubDomains
# Content-Security-Policy: default-src 'self'
# X-Frame-Options: DENY or SAMEORIGIN
# X-Content-Type-Options: nosniff
# Referrer-Policy: strict-origin-when-cross-origin
# Permissions-Policy: camera=(), microphone=()
```
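The grep above lists whatever headers are present; judging them against the expectations still has to be done by eye. The following added Python example (not the skill's code) turns the expected-header list into an audit function that returns findings for missing or weak values: HSTS with a max-age under one year or without includeSubDomains, a CSP with no default-src fallback, an X-Frame-Options value other than DENY/SAMEORIGIN, a non-nosniff X-Content-Type-Options, and absent Referrer-Policy or Permissions-Policy. The two header sets at the bottom are constructed; pass a real response's header mapping to audit a live endpoint.

```python
"""Security-header audit against the expected list (added example)."""

ONE_YEAR = 31536000


def audit_headers(headers):
    """Return a list of finding strings; an empty list means every
    expectation above is met. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        # "max-age=31536000; includeSubDomains" -> {"max-age": "31536000", "includesubdomains": ""}
        directives = {}
        for d in hsts.split(";"):
            name, _, value = d.strip().partition("=")
            directives[name.lower()] = value.strip()
        try:
            max_age = int(directives.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS without includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "default-src" not in csp:
        findings.append("CSP has no default-src fallback")

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"missing {name.title()}")
    return findings


# Constructed responses: one matching the expected list, one with weak values
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "script-src 'self'",
    "x-frame-options": "ALLOW-FROM https://example.com",
    "x-content-type-options": "nosniff",
}

if __name__ == "__main__":
    print("good:", audit_headers(GOOD_HEADERS))
    for f in audit_headers(WEAK_HEADERS):
        print("weak:", f)
```

Each finding maps to an Info-level entry in the report template (the table above lists missing headers at 0.0), which keeps them out of the way of the real vulnerabilities while still giving the team a concrete list to fix.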

References

For detailed testing procedures per category:

  • OWASP Top 10 detailed tests: See references/owasp-top10-tests.md
  • API-specific security: See references/api-security.md

Version history

1 version in total

  • v1.0.0 (current)
    2026-05-07 19:01 · Security: Safe

Security scan

No security scan report yet