Easy automated auditing with preconfigured step definitions.
This project aims to provide an easy way to configure an automated audit or web application test using Selenium and Cucumber.
By using predefined steps from this project, you can build a feature like the following:

```gherkin
Feature: Example Feature
  Scenario: An Expected Response
    Given app running on "https://httpbin.org" has already started
    And the response content is under inspection
    When I go to "https://httpbin.org"
    Then the response should contain "A simple HTTP Request & Response Service."
```
Feel free to extend it with more steps, descriptions or tags:

```gherkin
  @InformationDisclosure
  Scenario: Exploitation of System Software Information In Headers
    The disclosure of software information may be used to provide knowledge about known vulnerabilities of
    a particular version. The "Server" and "X-Powered-By" headers provide information about technology that
    is used on the server side. Disabling them makes it more difficult to exploit the server software.

    Given the response headers are under inspection
    When I go to "$auth_application_url"
    Then the "Server" response header should not contain numbers
    And the "X-Powered-By" response header should not contain numbers
```
The scenarios are available here.
Download the Selenium Gecko driver (geckodriver) and run the following command in the project directory:

```shell
mvn test -DfailIfNoTests=false -Dtest=CucumberTest -Dwebdriver.gecko.driver=/path/to/geckodriver
```
You can also run it standalone using the jar built in the cucumber-audit-standalone module.
Example:

```shell
java -jar cucumber-audit-standalone.jar path/to/features \
  --glue io.github.multicatch.cucumber.audit \
  --plugin pretty \
  --webdriver.type GECKO \
  --webdriver.gecko.driver path/to/geckodriver \
  --webdriver.headless true
```

Instead of `path/to/features`, provide the path to your `*.feature` files.
Other options:

- `webdriver.type` - type of the webdriver to use (GECKO/CHROME)
- `webdriver.gecko.driver` - location of the geckodriver binary
- `webdriver.chrome.driver` - location of the chromedriver binary
- `webdriver.headless` - whether to start the browser in headless mode (true/false)

You can also use the options available in the Cucumber standalone runner. To see them, use `--help`.
To use the variable substitution plugin, pass the `--plugin io.github.multicatch.cucumber.audit.variables.VariableResolvingRedactor` option.
Variables such as `$auth_application_url` are read from the environment.
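Putting the predefined steps and the variable plugin together, here is a constructed audit feature (added as an illustration, not one of the project's own scenarios). The variable name `auth_application_url`, the expected page text and the use of the variable inside the `Given app running on` step are assumptions.

```gherkin
# Constructed example feature, not part of the project's scenario set.
# $auth_application_url is resolved from the environment by the
# VariableResolvingRedactor plugin, e.g.:
#   export auth_application_url=https://staging.example.test
Feature: Technology header hygiene and landing page check

  @InformationDisclosure
  Scenario: Technology headers do not reveal version numbers
    Given the response headers are under inspection
    When I go to "$auth_application_url"
    Then the "Server" response header should not contain numbers
    And the "X-Powered-By" response header should not contain numbers

  Scenario: Landing page serves the expected application
    Given app running on "$auth_application_url" has already started
    And the response content is under inspection
    When I go to "$auth_application_url"
    Then the response should contain "Sign in"
```

Run it with the standalone jar as shown above, adding `--plugin io.github.multicatch.cucumber.audit.variables.VariableResolvingRedactor` so the variable is substituted before the steps execute.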
This project uses de.monochromata.cucumber:reporting-plugin to generate pretty reports.
By default, pretty HTML reports are generated into the cucumber-audit-scenarios/target/cucumber/cucumber-html-reports directory.
Reports are automatically deployed and available here: