feat: As an user I want to have the latest Testing Guide (4.2) inform…

…ation
marcel-haag · May 10, 2024 · 8114abe · 8114abe
1 parent 1888a98
commit 8114abe
Show file tree

Hide file tree

Showing 32 changed files with 279 additions and 172 deletions.
diff --git a/security-c4po-angular/src/app/header/header.component.html b/security-c4po-angular/src/app/header/header.component.html
@@ -19,6 +19,8 @@ <h1>{{SECURITYC4PO_TITLE}} </h1>
       </nb-action>
       <!--OWASP Action-->
       <nb-action>
+        <!-- Latest: https://owasp.org/www-project-web-security-testing-guide/latest/ -->
+        <!-- Stable: https://owasp.org/www-project-web-security-testing-guide/stable/ -->
         <fa-icon title="OWASP Testing Guide"
                  (click)="onClickGoToLink('https://owasp.org/www-project-web-security-testing-guide/v42/')"
                  [icon]="fa.faFileInvoice" class="action-element-icon fa-2x">

diff --git a/...angular/src/app/objective-overview/objective-categories/objective-categories.component.ts b/...angular/src/app/objective-overview/objective-categories/objective-categories.component.ts
@@ -1,14 +1,11 @@
 import {Component, OnDestroy, OnInit} from '@angular/core';
 import {NbMenuItem, NbMenuService} from '@nebular/theme';
-import {of, Subject} from 'rxjs';
 import {Store} from '@ngxs/store';
 import {ChangeCategory} from '@shared/stores/project-state/project-state.actions';
 import {Category} from '@shared/models/category.model';
 import {untilDestroyed} from 'ngx-take-until-destroy';
 import {TranslateService} from '@ngx-translate/core';
 import {ProjectState} from '@shared/stores/project-state/project-state';
-import {catchError, switchMap, tap} from 'rxjs/operators';
-import {Pentest, transformPentestsToObjectiveEntries} from '@shared/models/pentest.model';
 import {UntilDestroy} from '@ngneat/until-destroy';
 
 @Component({

diff --git a/...rity-c4po-angular/src/app/objective-overview/objective-table/objective-table.component.ts b/...rity-c4po-angular/src/app/objective-overview/objective-table/objective-table.component.ts
@@ -45,7 +45,7 @@ export class ObjectiveTableComponent implements OnInit {
   getters: NbGetters<ObjectiveEntry, ObjectiveEntry> = {
     dataGetter: (node: ObjectiveEntry) => node,
     childrenGetter: (node: ObjectiveEntry) => node.childEntries || undefined,
-    expandedGetter: (node: ObjectiveEntry) => !!node.expanded,
+    expandedGetter: (node: ObjectiveEntry) => !!node.expanded
   };
 
   constructor(

diff --git a/security-c4po-angular/src/assets/i18n/de-DE.json b/security-c4po-angular/src/assets/i18n/de-DE.json
diff --git a/security-c4po-angular/src/assets/i18n/en-US.json b/security-c4po-angular/src/assets/i18n/en-US.json
diff --git a/security-c4po-angular/src/shared/config/global-variables.ts b/security-c4po-angular/src/shared/config/global-variables.ts
@@ -1,4 +1,4 @@
 export const GlobalTitlesVariables = {
   SECURITYC4PO_TITLE: 'Security C4PO',
-  TOTAL_OWASP_OBJECTIVES: 95
+  TOTAL_OWASP_OBJECTIVES: 107 // Old: 95
 };
diff --git a/security-c4po-angular/src/shared/functions/categories/APIIT/pentests.function.ts b/security-c4po-angular/src/shared/functions/categories/APIIT/pentests.function.ts
@@ -0,0 +1,14 @@
+import {Pentest} from '@shared/models/pentest.model';
+import {Category} from '@shared/models/category.model';
+import {PentestStatus} from '@shared/models/pentest-status.model';
+
+export function getAPI_Pentests(): Pentest[] {
+  return [
+    {
+      category: Category.API_TESTING,
+      refNumber: 'OTG-API-001',
+      status: PentestStatus.NOT_STARTED,
+      enabled: true
+    },
+  ];
+}
diff --git a/security-c4po-angular/src/shared/functions/categories/CLIENT/pentests.function.ts b/security-c4po-angular/src/shared/functions/categories/CLIENT/pentests.function.ts
@@ -75,6 +75,12 @@ export function getCLIENT_Pentests(): Pentest[] {
       refNumber: 'OTG-CLIENT-012',
       status: PentestStatus.NOT_STARTED,
       enabled: true
+    },
+    {
+      category: Category.CLIENT_SIDE_TESTING,
+      refNumber: 'OTG-CLIENT-013',
+      status: PentestStatus.NOT_STARTED,
+      enabled: true
     }
   ];
 }
diff --git a/security-c4po-angular/src/shared/functions/categories/CONFIG/pentests.function.ts b/security-c4po-angular/src/shared/functions/categories/CONFIG/pentests.function.ts
@@ -51,6 +51,24 @@ export function getCONFIG_Pentests(): Pentest[] {
       refNumber: 'OTG-CONFIG-008',
       status: PentestStatus.NOT_STARTED,
       enabled: true
+    },
+    {
+      category: Category.CONFIGURATION_AND_DEPLOY_MANAGEMENT_TESTING,
+      refNumber: 'OTG-CONFIG-009',
+      status: PentestStatus.NOT_STARTED,
+      enabled: true
+    },
+    {
+      category: Category.CONFIGURATION_AND_DEPLOY_MANAGEMENT_TESTING,
+      refNumber: 'OTG-CONFIG-010',
+      status: PentestStatus.NOT_STARTED,
+      enabled: true
+    },
+    {
+      category: Category.CONFIGURATION_AND_DEPLOY_MANAGEMENT_TESTING,
+      refNumber: 'OTG-CONFIG-011',
+      status: PentestStatus.NOT_STARTED,
+      enabled: true
     }
   ];
 }
diff --git a/security-c4po-angular/src/shared/functions/categories/CRYPST/pentests.function.ts b/security-c4po-angular/src/shared/functions/categories/CRYPST/pentests.function.ts
@@ -21,6 +21,12 @@ export function getCRYPST_Pentests(): Pentest[] {
       refNumber: 'OTG-CRYPST-003',
       status: PentestStatus.NOT_STARTED,
       enabled: true
+    },
+    {
+      category: Category.CRYPTOGRAPHY,
+      refNumber: 'OTG-CRYPST-004',
+      status: PentestStatus.NOT_STARTED,
+      enabled: true
     }
   ];
 }
diff --git a/security-c4po-angular/src/shared/functions/categories/IDENT/pentests.function.ts b/security-c4po-angular/src/shared/functions/categories/IDENT/pentests.function.ts
@@ -33,18 +33,6 @@ export function getIDENT_Pentests(): Pentest[] {
       refNumber: 'OTG-IDENT-005',
       status: PentestStatus.NOT_STARTED,
       enabled: true
-    },
-    {
-      category: Category.IDENTITY_MANAGEMENT_TESTING,
-      refNumber: 'OTG-IDENT-006',
-      status: PentestStatus.NOT_STARTED,
-      enabled: true
-    },
-    {
-      category: Category.IDENTITY_MANAGEMENT_TESTING,
-      refNumber: 'OTG-IDENT-007',
-      status: PentestStatus.NOT_STARTED,
-      enabled: true
     }
   ];
 }
diff --git a/security-c4po-angular/src/shared/functions/categories/INPVAL/pentests.function.ts b/security-c4po-angular/src/shared/functions/categories/INPVAL/pentests.function.ts
@@ -70,6 +70,18 @@ export function getINPVAL_Pentests(): Pentest[] {
           status: PentestStatus.NOT_STARTED,
           enabled: true
         },
+        {
+          category: Category.INPUT_VALIDATION_TESTING,
+          refNumber: 'OTG-INPVAL-005_7',
+          status: PentestStatus.NOT_STARTED,
+          enabled: true
+        },
+        {
+          category: Category.INPUT_VALIDATION_TESTING,
+          refNumber: 'OTG-INPVAL-005_8',
+          status: PentestStatus.NOT_STARTED,
+          enabled: true
+        }
       ]
     },
     {
@@ -106,28 +118,28 @@ export function getINPVAL_Pentests(): Pentest[] {
       category: Category.INPUT_VALIDATION_TESTING,
       refNumber: 'OTG-INPVAL-011',
       status: PentestStatus.NOT_STARTED,
-      enabled: true
-    },
-    {
-      category: Category.INPUT_VALIDATION_TESTING,
-      refNumber: 'OTG-INPVAL-012',
-      status: PentestStatus.NOT_STARTED,
       enabled: true,
       childEntries: [
         {
           category: Category.INPUT_VALIDATION_TESTING,
-          refNumber: 'OTG-INPVAL-012_1',
+          refNumber: 'OTG-INPVAL-011_1',
           status: PentestStatus.NOT_STARTED,
           enabled: true
         },
         {
           category: Category.INPUT_VALIDATION_TESTING,
-          refNumber: 'OTG-INPVAL-012_2',
+          refNumber: 'OTG-INPVAL-011_2',
           status: PentestStatus.NOT_STARTED,
           enabled: true
         }
       ]
     },
+    {
+      category: Category.INPUT_VALIDATION_TESTING,
+      refNumber: 'OTG-INPVAL-012',
+      status: PentestStatus.NOT_STARTED,
+      enabled: true,
+    },
     {
       category: Category.INPUT_VALIDATION_TESTING,
       refNumber: 'OTG-INPVAL-013',
@@ -139,26 +151,6 @@ export function getINPVAL_Pentests(): Pentest[] {
       refNumber: 'OTG-INPVAL-014',
       status: PentestStatus.NOT_STARTED,
       enabled: true,
-      childEntries: [
-        {
-          category: Category.INPUT_VALIDATION_TESTING,
-          refNumber: 'OTG-INPVAL-014_1',
-          status: PentestStatus.NOT_STARTED,
-          enabled: true
-        },
-        {
-          category: Category.INPUT_VALIDATION_TESTING,
-          refNumber: 'OTG-INPVAL-014_2',
-          status: PentestStatus.NOT_STARTED,
-          enabled: true
-        },
-        {
-          category: Category.INPUT_VALIDATION_TESTING,
-          refNumber: 'OTG-INPVAL-014_3',
-          status: PentestStatus.NOT_STARTED,
-          enabled: true
-        }
-      ]
     },
     {
       category: Category.INPUT_VALIDATION_TESTING,
@@ -172,5 +164,23 @@ export function getINPVAL_Pentests(): Pentest[] {
       status: PentestStatus.NOT_STARTED,
       enabled: true
     },
+    {
+      category: Category.INPUT_VALIDATION_TESTING,
+      refNumber: 'OTG-INPVAL-017',
+      status: PentestStatus.NOT_STARTED,
+      enabled: true
+    },
+    {
+      category: Category.INPUT_VALIDATION_TESTING,
+      refNumber: 'OTG-INPVAL-018',
+      status: PentestStatus.NOT_STARTED,
+      enabled: true
+    },
+    {
+      category: Category.INPUT_VALIDATION_TESTING,
+      refNumber: 'OTG-INPVAL-019',
+      status: PentestStatus.NOT_STARTED,
+      enabled: true
+    }
   ];
 }
diff --git a/security-c4po-angular/src/shared/functions/categories/SESS/pentests.function.ts b/security-c4po-angular/src/shared/functions/categories/SESS/pentests.function.ts
@@ -51,6 +51,12 @@ export function getSESS_Pentests(): Pentest[] {
       refNumber: 'OTG-SESS-008',
       status: PentestStatus.NOT_STARTED,
       enabled: true
+    },
+    {
+      category: Category.SESSION_MANAGEMENT_TESTING,
+      refNumber: 'OTG-SESS-009',
+      status: PentestStatus.NOT_STARTED,
+      enabled: true
     }
   ];
 }
diff --git a/...y-c4po-angular/src/shared/functions/categories/get-temp-pentests-for-category.function.ts b/...y-c4po-angular/src/shared/functions/categories/get-temp-pentests-for-category.function.ts
@@ -12,6 +12,7 @@ import {getERR_Pentests} from '@shared/functions/categories/ERR/pentests.functio
 import {getCRYPST_Pentests} from '@shared/functions/categories/CRYPST/pentests.function';
 import {getBUSLOGIC_Pentests} from '@shared/functions/categories/BUSLOGIC/pentests.function';
 import {getCLIENT_Pentests} from '@shared/functions/categories/CLIENT/pentests.function';
+import {getAPI_Pentests} from '@shared/functions/categories/APIIT/pentests.function';
 
 export function getTempPentestsForCategory(requestedCategory: Category): Pentest[] {
   let pentests: Pentest[];
@@ -60,6 +61,10 @@ export function getTempPentestsForCategory(requestedCategory: Category): Pentest
       pentests = getCLIENT_Pentests();
       break;
     }
+    case Category.API_TESTING: {
+      pentests = getAPI_Pentests();
+      break;
+    }
     default: {
       pentests = [];
       console.error('Invalid categories: ', requestedCategory);

diff --git a/...ity-c4po-angular/src/shared/functions/categories/get-title-key-for-ref-number.function.ts b/...ity-c4po-angular/src/shared/functions/categories/get-title-key-for-ref-number.function.ts
@@ -53,6 +53,10 @@ export function getTitleKeyForRefNumber(refNumber: string): string {
       translationKey += 'client.' + refNumberKey;
       break;
     }
+    case refNumber.includes('API'): {
+      translationKey += 'api.' + refNumberKey;
+      break;
+    }
     default: {
       translationKey = 'pentest.categories.translation';
       console.error('Invalid category number: ', refNumber.slice(4 - refNumber.length));

diff --git a/security-c4po-angular/src/shared/functions/infos/get-pentest-info-for-objective.ts b/security-c4po-angular/src/shared/functions/infos/get-pentest-info-for-objective.ts
@@ -54,6 +54,10 @@ export function getPentestInfoForObjective(refNumber: string): string {
       translationKey += 'client.' + refNumberKey;
       break;
     }
+    case refNumber.includes('API'): {
+      translationKey += 'api.' + refNumberKey;
+      break;
+    }
     default: {
       translationKey = 'objectives.no_info';
       console.error('Invalid category number: ', refNumber.slice(4 - refNumber.length));

diff --git a/security-c4po-angular/src/shared/models/category.model.ts b/security-c4po-angular/src/shared/models/category.model.ts
@@ -9,7 +9,8 @@ export enum Category {
   ERROR_HANDLING,
   CRYPTOGRAPHY,
   BUSINESS_LOGIC_TESTING,
-  CLIENT_SIDE_TESTING
+  CLIENT_SIDE_TESTING,
+  API_TESTING
 }
 
 export class CategoryDetails {

diff --git a/security-c4po-angular/src/shared/modules/finding-dialog/finding-dialog.component.html b/security-c4po-angular/src/shared/modules/finding-dialog/finding-dialog.component.html
@@ -134,10 +134,10 @@
                     type="text" required fullWidth
                     id="{{formArray[5].fieldName}}" nbInput
                     class="form-field form-textarea"
-                    rows="{{formArray[5].controlsConfig[0].value !== '' ? formArray[5].controlsConfig[0].value.split(getRowsFromString).length + 1 : 2}}"
+                    rows="{{formArray[5].controlsConfig[0].value !== '' ? formArray[5].controlsConfig[0].value.split(getRowsFromString).length + 2 : 2}}"
                     [status]="findingFormGroup.get(formArray[5].fieldName).dirty ? (findingFormGroup.get(formArray[5].fieldName).invalid  ? 'danger' : 'basic') : 'basic'"
                     placeholder="{{formArray[5].placeholder | translate}} *">
-            </textarea>
+          </textarea>
           <!-- FIXME: when the bug (https://github.com/angular/components/issues/7739) is fixed -->
           <ng-template ngFor let-error [ngForOf]="formArray[5].errors"
                        *ngIf="findingFormGroup.get(formArray[5].fieldName).dirty">
@@ -156,10 +156,10 @@
                     type="text" fullWidth
                     id="{{formArray[6].fieldName}}" nbInput
                     class="form-field form-textarea"
-                    rows="{{formArray[6].controlsConfig[0].value !== '' ? formArray[6].controlsConfig[0].value.split(getRowsFromString).length + 1 : 2}}"
+                    rows="{{formArray[6].controlsConfig[0].value !== '' ? formArray[6].controlsConfig[0].value.split(getRowsFromString).length + 2 : 2}}"
                     [status]="findingFormGroup.get(formArray[6].fieldName).dirty ? (findingFormGroup.get(formArray[6].fieldName).invalid  ? 'danger' : 'basic') : 'basic'"
                     placeholder="{{formArray[6].placeholder | translate}}">
-            </textarea>
+          </textarea>
           <!-- FIXME: when the bug (https://github.com/angular/components/issues/7739) is fixed -->
           <ng-template ngFor let-error [ngForOf]="formArray[6].errors"
                        *ngIf="findingFormGroup.get(formArray[6].fieldName).dirty">

diff --git a/security-c4po-angular/src/shared/modules/finding-dialog/finding-dialog.component.scss b/security-c4po-angular/src/shared/modules/finding-dialog/finding-dialog.component.scss
@@ -31,7 +31,7 @@
 
   .form-textarea {
     width: 30rem !important;
-    height: 8rem;
+    min-height: 8rem;
   }
 
   .additionalUrl {

diff --git a/security-c4po-angular/src/shared/services/api/pentest.service.ts b/security-c4po-angular/src/shared/services/api/pentest.service.ts
@@ -25,7 +25,7 @@ export class PentestService {
    * Load Pentests
    * @param category the categories of which the pentests should be requested
    */
-  // ToDo: Should be refactored to be less ugly fr
+  // ToDo: Should be refactored to be less ugly
   public loadPentests(category: Category): Observable<Pentest[]> {
     return this.store.select(ProjectState.project).pipe(
       switchMap(project => this.getPentestByProjectIdAndCategory(project.id, category)),

diff --git a/security-c4po-api/src/main/kotlin/com/securityc4po/api/pentest/PentestCategory.kt b/security-c4po-api/src/main/kotlin/com/securityc4po/api/pentest/PentestCategory.kt
@@ -11,5 +11,6 @@ enum class PentestCategory {
     ERROR_HANDLING,
     CRYPTOGRAPHY,
     BUSINESS_LOGIC_TESTING,
-    CLIENT_SIDE_TESTING
+    CLIENT_SIDE_TESTING,
+    API_TESTING
 }
diff --git a/security-c4po-api/src/main/kotlin/com/securityc4po/api/project/ProjectController.kt b/security-c4po-api/src/main/kotlin/com/securityc4po/api/project/ProjectController.kt
@@ -29,8 +29,6 @@ class ProjectController(private val projectService: ProjectService, private val
     fun getProjects(
         @AuthenticationPrincipal user: Appuser
     ): Mono<ResponseEntity<List<ResponseBody>>> {
-
-        println("controller " + user.getSub())
         return projectService.getProjects(user.getSub()).map { projectList ->
             projectList.map {
                 it.toProjectResponseBody()

diff --git a/security-c4po-api/src/main/resources/application-TEST.properties b/security-c4po-api/src/main/resources/application-TEST.properties
@@ -1,5 +1,7 @@
 ## IdentityProvider (Keycloak) ##
-keycloak.client.url=http://localhost:9999
+spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/auth/realms/c4po_realm_local
+keycloakhost=localhost
+keycloak.client.url=http://localhost:8080/
 keycloak.client.realm.path=auth/realms/c4po_realm_local/
 
 ## Database (MONGODB) Config ##

diff --git a/security-c4po-api/src/main/resources/application.properties b/security-c4po-api/src/main/resources/application.properties
@@ -32,6 +32,6 @@ keycloakhost=localhost
 keycloak.client.url=http://localhost:8080
 keycloak.client.realm.path=auth/realms/c4po_realm_local/
 
-## Total number of pentests / objectives listet in the OWASP testing guide
-## https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf
-owasp.web.objectives=95
+## Total number of pentests / objectives listed in the OWASP testing guide
+## https://owasp.org/www-project-web-security-testing-guide/v42/
+owasp.web.objectives=107
diff --git a/security-c4po-api/src/test/kotlin/com/securityc4po/api/BaseContainerizedTest.kt b/security-c4po-api/src/test/kotlin/com/securityc4po/api/BaseContainerizedTest.kt
@@ -63,6 +63,7 @@ abstract class BaseContainerizedTest {
                 Wait.forHttp("/auth")
             )
 
+
         @DynamicPropertySource
         @JvmStatic
         fun jwtValidationProperties(registry: DynamicPropertyRegistry) {

diff --git a/security-c4po-reporting/src/main/kotlin/com/securityc4po/reporting/remote/APIService.kt b/security-c4po-reporting/src/main/kotlin/com/securityc4po/reporting/remote/APIService.kt
@@ -23,7 +23,8 @@ class APIService(private val apiClient: APIClient) {
         "ERROR_HANDLING",
         "CRYPTOGRAPHY",
         "BUSINESS_LOGIC_TESTING",
-        "CLIENT_SIDE_TESTING"
+        "CLIENT_SIDE_TESTING",
+        "API_TESTING"
     )
 
     /**