Stefan Streichsbier streichsbaer
streichsbaer
/ WebApplicationSteps.java
Created
July 6, 2016 04:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class WebApplicationSteps { | |
| [...] | |
| public WebApplicationSteps() { | |
| } | |
| [..] | |
| @Given("^a new browser or client instance$") | |
| public void createAppForAnyClient() { | |
| createApp(); | |
| } |
streichsbaer
/ authentication.feature
Created
July 6, 2016 03:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @authentication | |
| Feature: Authentication | |
| Verify that the authentication system is robust | |
| [...] | |
| @cwe-319-auth | |
| Scenario: Transmit authentication credentials over HTTPS | |
| Given a new browser or client instance | |
| And the client/browser is configured to use an intercepting proxy | |
| And the proxy logs are cleared | |
| When the default user logs in |
streichsbaer
/ bdd-security test run output
Last active
July 6, 2016 03:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [...] | |
| net.continuumsecurity.junit.SecurityTest > Scenario: Transmit authentication credentials over HTTPS.Then the protocol should be HTTPS FAILED | |
| java.lang.AssertionError | |
| [...] | |
| Report available on: /Users/.../bdd-security/build/reports/cucumber/pretty/feature-overview.html | |
| [...] | |
| BUILD FAILED |
streichsbaer
/ clone_and_execute_bdd-security.sh
Created
July 6, 2016 02:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| git clone https://github.com/continuumsecurity/bdd-security.git | |
| cd bdd-security | |
| ./gradlew -Dcucumber.options="--tags @authentication --tags ~@skip" test |
streichsbaer
/ download_and_execute_Ropeytasks.sh
Last active
July 6, 2016 02:39
Download and execute the vulnerable RopeyTasks Application
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| wget https://raw.githubusercontent.com/continuumsecurity/RopeyTasks/master/ropeytasks.jar?raw=true -O ropeytasks.jar | |
| java -jar ropeytasks.jar |
streichsbaer
/ Custom-Portlet.java
Created
December 14, 2015 06:07
Ajax CSRF protection workaround for Liferay
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public void serveResource(ResourceRequest resourceRequest, ResourceResponse resourceResponse) throws IOException, PortletException { | |
| HttpServletRequest request = PortalUtil.getOriginalServletRequest(PortalUtil.getHttpServletRequest(resourceRequest)); | |
| try { | |
| HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper(PortalUtil.getHttpServletRequest(resourceRequest)){ | |
| @Override | |
| public String getParameter(String name) { | |
| if (name.equals("p_auth")) { | |
| return PortalUtil.getOriginalServletRequest((HttpServletRequest) super.getRequest()).getParameter(name); | |
| } |
NewerOlder