cucumber-audit
Easy automated auditing with preconfigured step definitions.
This project aims to provide an easy way for configuring an automated audit or web application test using Selenium and Cucumber.
Features
- write audit scenarios using natural language (Gherkin) thanks to Cucumber
- explore your application and inspect responses thanks to Selenium
- use prepared step definitions for writing scenarios without Java/Kotlin knowledge
- use variable substitution in feature files
- manipulate or inspect HTTP requests and responses thanks to browsermob-proxy
Full Documentation
Sample Scenario
By using predefined steps from this project, you can build a feature like the following:
Feature: Example Feature
  Scenario: An Expected Response
    Given app running on "https://httpbin.org" has already started
    And the response content is under inspection
    When I go to "https://httpbin.org"
    Then the response should contain "A simple HTTP Request & Response Service."
Feel free to extend it with more steps, comments or annotations:
  @InformationDisclosure
  Scenario: Exploitation of System Software Information In Headers
    The disclosure of software information may be used to provide knowledge about known vulnerabilities of
    a particular version. The "Server" and "X-Powered-By" headers provide information about technology that
    is used on the server side. Disabling them makes it more difficult to exploit the server software.

    Given the response headers are under inspection
    When I go to "$auth_application_url"
    Then the "Server" response header should not contain numbers
    And the "X-Powered-By" response header should not contain numbers
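To show what a step such as `the "Server" response header should not contain numbers` has to do behind the scenes, here is an added example of hypothetical Cucumber step definitions written for this README; it is not the project's own glue code. It captures response headers with a browsermob-proxy response filter, drives Firefox through that proxy with Selenium, and fails the scenario when the named header contains a digit. The package name, the step phrases (chosen so they do not clash with the project's steps) and the class name are assumptions.

```java
// Added example (not the project's own glue code): hypothetical step definitions
// showing how a header audit like the scenario above can be implemented with
// browsermob-proxy and Selenium. Package name and step phrases are assumptions.
package example.audit;

import io.cucumber.java.After;
import io.cucumber.java.en.Given;
import io.cucumber.java.en.Then;
import io.cucumber.java.en.When;
import net.lightbody.bmp.BrowserMobProxy;
import net.lightbody.bmp.BrowserMobProxyServer;
import net.lightbody.bmp.client.ClientUtil;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxOptions;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

public class HeaderAuditSteps {
    private static final Pattern DIGIT = Pattern.compile("\\d");

    private BrowserMobProxy proxy;
    private WebDriver driver;
    private String currentUrl;
    // Response headers per requested URL; header names are lower-cased because
    // HTTP header names are case-insensitive ("server" and "Server" are the same header).
    private final Map<String, Map<String, String>> headersByUrl = new ConcurrentHashMap<>();

    @Given("the response headers are being captured")
    public void startCapturingHeaders() {
        proxy = new BrowserMobProxyServer();
        proxy.setTrustAllServers(true); // test environments frequently use self-signed certificates
        proxy.start(0);                 // 0 = pick a free port
        // The filter runs for every response passing through the proxy (document,
        // scripts, images, ...), so responses are keyed by URL instead of "last one wins".
        proxy.addResponseFilter((response, contents, messageInfo) -> {
            Map<String, String> headers = new ConcurrentHashMap<>();
            response.headers().entries()
                    .forEach(e -> headers.put(e.getKey().toLowerCase(), e.getValue()));
            headersByUrl.put(normalize(messageInfo.getOriginalUrl()), headers);
        });
    }

    @When("I open {string} through the proxy")
    public void openUrl(String url) {
        FirefoxOptions options = new FirefoxOptions();
        options.setProxy(ClientUtil.createSeleniumProxy(proxy));
        options.addArguments("-headless");
        driver = new FirefoxDriver(options);
        driver.get(url);
        currentUrl = normalize(url);
    }

    @Then("the captured {string} response header should not contain numbers")
    public void headerShouldNotContainNumbers(String headerName) {
        Map<String, String> headers = headersByUrl.get(currentUrl);
        if (headers == null) {
            throw new AssertionError("No response captured for " + currentUrl
                    + " (for HTTPS targets the browser must trust the proxy's CA)");
        }
        String value = headers.get(headerName.toLowerCase());
        // A missing header passes: the check is about not disclosing a version, not about presence.
        if (value != null && containsNumber(value)) {
            throw new AssertionError(headerName + " header looks like it discloses a version: \"" + value + "\"");
        }
    }

    @After
    public void tearDown() {
        if (driver != null) driver.quit();
        if (proxy != null && proxy.isStarted()) proxy.stop();
    }

    /** True when the value contains any digit, e.g. "Apache/2.4.41" or "PHP/7.4". */
    static boolean containsNumber(String value) {
        return DIGIT.matcher(value).find();
    }

    /** Strip a trailing slash so "https://host" and "https://host/" (as the browser sends it) match. */
    static String normalize(String url) {
        return url.endsWith("/") ? url.substring(0, url.length() - 1) : url;
    }
}
```

Two caveats worth keeping in mind when writing such a check: the digit test is a heuristic for version disclosure, so a value like "Server: Apache" passes even though it still names the product (a stricter audit asserts the header is absent altogether), and for HTTPS targets browsermob-proxy has to intercept TLS, which means the browser must trust the proxy's generated CA or no response headers will be captured at all.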
Running Sample Scenarios
The scenarios are available here.
Download a Selenium Gecko driver and run the following command in the project directory:
mvn test -DfailIfNoTests=false -Dtest=CucumberTest -Dwebdriver.gecko.driver=/path/to/geckodriver
Running It Standalone
You can run it standalone using the jar built in the cucumber-audit-standalone module.
Example:
java -jar cucumber-audit-standalone.jar path/to/features \
--glue io.github.multicatch.cucumber.audit \
--plugin pretty \
--webdriver.type GECKO \
--webdriver.gecko.driver path/to/geckodriver \
--webdriver.headless true
Instead of path/to/features, provide a path to your *.feature files.
Other options:
- webdriver.type - specify the type of the webdriver used (GECKO/CHROME)
- webdriver.gecko.driver - specify the location of the geckodriver binary
- webdriver.chrome.driver - specify the location of the chromedriver binary
- webdriver.headless - specify whether to start the browser headless or not (true/false)
You can also use the options available in Cucumber standalone. To see them, use --help.
To use the variable substitution plugin, pass the --plugin io.github.multicatch.cucumber.audit.variables.VariableResolvingRedactor
option. Variables will be read from the environment.
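As an added illustration of the substitution described above (this is not the project's VariableResolvingRedactor, and the class and method names are assumptions), the resolver below replaces `$name` and `${name}` placeholders in a feature line with values looked up from the environment. It fails closed on an unresolved variable, so a scenario never runs against the literal text "$auth_application_url"; the lookup is injected as a function so the `main` method can exercise it with a constructed map instead of real environment variables.

```java
// Added example: illustrates $variable substitution in feature lines, reading values
// from the environment. Not the project's plugin; class and method names are assumptions.
import java.util.Map;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class FeatureVariableResolver {
    // Accepts $name and ${name}; names consist of letters, digits and underscores,
    // so "$auth_application_url/login" stops at the slash.
    private static final Pattern VARIABLE =
            Pattern.compile("\\$(?:\\{([A-Za-z_][A-Za-z0-9_]*)\\}|([A-Za-z_][A-Za-z0-9_]*))");

    private final Function<String, String> lookup;

    public FeatureVariableResolver(Function<String, String> lookup) {
        this.lookup = lookup;
    }

    /** Resolver backed by the process environment, as the plugin described above does. */
    public static FeatureVariableResolver fromEnvironment() {
        return new FeatureVariableResolver(System::getenv);
    }

    public String resolve(String line) {
        Matcher m = VARIABLE.matcher(line);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String name = m.group(1) != null ? m.group(1) : m.group(2);
            String value = lookup.apply(name);
            if (value == null) {
                // Fail closed: running a step with an unresolved placeholder would
                // silently test the wrong target.
                throw new IllegalStateException("Unresolved variable $" + name + " in: " + line);
            }
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample environment; in real use call fromEnvironment().
        Map<String, String> env = Map.of("auth_application_url", "https://app.example.test");
        FeatureVariableResolver resolver = new FeatureVariableResolver(env::get);
        System.out.println(resolver.resolve("When I go to \"$auth_application_url/login\""));
        System.out.println(resolver.resolve("When I go to \"${auth_application_url}\""));
    }
}
```

Because the lookup is a plain `Function`, the same resolver can be pointed at a properties file or a secrets store instead of the environment without changing the substitution logic.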
Pretty reports
This project uses de.monochromata.cucumber:reporting-plugin
to generate pretty reports.
By default, pretty HTML reports are generated into the cucumber-audit-scenarios/target/cucumber/cucumber-html-reports directory.
Reports are automatically deployed and available here: