Skip to content

Instantly share code, notes, and snippets.

View streichsbaer's full-sized avatar

Stefan Streichsbier streichsbaer

66 followers · 78 following
View GitHub Profile
@streichsbaer
streichsbaer / download_and_execute_Ropeytasks.sh
Last active July 6, 2016 02:39
Download and execute the vulnerable RopeyTasks Application
wget https://raw.githubusercontent.com/continuumsecurity/RopeyTasks/master/ropeytasks.jar?raw=true -O ropeytasks.jar
java -jar ropeytasks.jar
@streichsbaer
streichsbaer / bdd-security test run output
Last active July 6, 2016 03:07
[...]
net.continuumsecurity.junit.SecurityTest > Scenario: Transmit authentication credentials over HTTPS.Then the protocol should be HTTPS FAILED
java.lang.AssertionError
[...]
Report available on: /Users/.../bdd-security/build/reports/cucumber/pretty/feature-overview.html
[...]
BUILD FAILED
@streichsbaer
streichsbaer / authentication.feature
Created July 6, 2016 03:56
@authentication
Feature: Authentication
Verify that the authentication system is robust
[...]
@cwe-319-auth
Scenario: Transmit authentication credentials over HTTPS
Given a new browser or client instance
And the client/browser is configured to use an intercepting proxy
And the proxy logs are cleared
When the default user logs in
@streichsbaer
streichsbaer / WebApplicationSteps.java
Created July 6, 2016 04:07
public class WebApplicationSteps {
[...]
public WebApplicationSteps() {
}
[..]
@Given("^a new browser or client instance$")
public void createAppForAnyClient() {
createApp();
}
@streichsbaer
streichsbaer / config.xml
Created July 6, 2016 04:31
<?xml version="1.0" encoding="ISO-8859-1" ?>
<web-app>
<baseUrl>http://localhost:8080/</baseUrl>
<!-- A Java class to hold the Selenium steps to test the application in depth. Optionally required for in-depth authn/z and session management testing. -->
<class>net.continuumsecurity.examples.ropeytasks.RopeyTasksApplication</class>
<!-- Optional names of the session ID cookies for session management testing. -->
<sessionIds>
<name>JSESSIONID</name>
</sessionIds>
<!-- the default user to use when logging in to the app -->
@streichsbaer
streichsbaer / RopeyTasksApplication.java
Last active July 6, 2016 05:02
[..]
public class RopeyTasksApplication extends WebApplication implements ILogin,
ILogout,INavigable {
[..]
@Override
public void openLoginPage() {
driver.get(Config.getInstance().getBaseUrl() + "user/login");
findAndWaitForElement(By.id("username"));
}
[..]
@streichsbaer
streichsbaer / download_and_execute_WebGoat.sh
Created July 6, 2016 05:22
wget https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0.1-war-exec.jar
java -jar webgoat-container-7.0.1-war-exec.jar
@streichsbaer
streichsbaer / updated-config.xml
Created July 6, 2016 05:41
<?xml version="1.0" encoding="ISO-8859-1" ?>
<web-app>
[...]
<baseUrl>http://localhost:8080/WebGoat/</baseUrl>
<class>net.continuumsecurity.WebGoatApplication</class>
<defaultUsername>guest</defaultUsername>
<defaultPassword>guest</defaultPassword>
[...]
</web-app>
@streichsbaer
streichsbaer / WebGoatApplication.java
Last active July 6, 2016 06:13
package net.continuumsecurity;
import net.continuumsecurity.Config;
import net.continuumsecurity.Credentials;
import net.continuumsecurity.UserPassCredentials;
import net.continuumsecurity.behaviour.ILogin;
import net.continuumsecurity.behaviour.ILogout;
import net.continuumsecurity.behaviour.INavigable;
import net.continuumsecurity.web.WebApplication;
import org.openqa.selenium.By;
@streichsbaer
streichsbaer / config.xml
Created March 13, 2017 09:27
<?xml version="1.0" encoding="ISO-8859-1" ?>
<web-app>
<!-- Base URL of the application to test -->
<baseUrl>http://10.1.1.251:8080/WebGoat/</baseUrl>
<!-- A Java class to hold the Selenium steps to test the application in depth. Optionally required for in-depth authn/z and session management testing. -->
<class>net.continuumsecurity.WebGoatApplication</class>
<sslyze>