https://github.com/multicatch/cucumber-audit

Tools for testing and automated scenario-based auditing
https://github.com/multicatch/cucumber-audit

cucumber-jvm gherkin selenium threat-modeling

Last synced: 28 days ago
JSON representation

Tools for testing and automated scenario-based auditing

• Host: GitHub
• URL: https://github.com/multicatch/cucumber-audit
• Owner: multicatch
• License: mit
• Created: 2020-03-18T10:48:05.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2023-09-15T07:22:11.000Z (about 1 year ago)
• Last Synced: 2024-09-29T02:05:42.388Z (about 1 month ago)
• Topics: cucumber-jvm, gherkin, selenium, threat-modeling
• Language: Kotlin
• Homepage:
• Size: 7.18 MB
• Stars: 1
• Watchers: 2
• Forks: 0
• Open Issues: 3
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# cucumber-audit

[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=multicatch_cucumber-audit&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=multicatch_cucumber-audit)

[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=multicatch_cucumber-audit&metric=coverage)](https://sonarcloud.io/summary/new_code?id=multicatch_cucumber-audit)

Easy automated auditing with preconfigured step definitions.

This project aims to provide an easy way for configuring an automated audit or web application test using Selenium and Cucumber.

## Features

* write audit scenarios using natural language (Gherkin) thanks to [Cucumber](https://github.com/cucumber/cucumber)

* explore your application and inspect responses thanks to [Selenium](https://github.com/SeleniumHQ/selenium)

* use prepared step definitions for writing scenarios without Java/Kotlin knowledge

* use variable substitution in feature files

* manipulate or inspect HTTP requests and responses thanks to [browsermob-proxy](https://github.com/lightbody/browsermob-proxy)

## Full Documentation

[Available here](doc/README.md)

## Sample Scenario

By using predefined steps from this project, you can build a feature like the following:

```gherkin

Feature: Example Feature

  Scenario: An Expected Response

    Given app running on "https://httpbin.org" has already started

    And the response content is under inspection

    When I go to "https://httpbin.org"

    Then the response should contain "A simple HTTP Request & Response Service."

```

Feel free to extend it with more steps, comments or annotations:

```gherkin

  @InformationDisclosure

  Scenario: Exploitation of System Software Information In Headers

  The disclosure of software information may be used to provide knowledge about known vulnerabilities of

  a particular version. The "Server" and "X-Powered-By" headers provide information about technology that

  is used on the server side. Disabling them makes it more difficult to exploit the server software.

    Given the response headers are under inspection

    When I go to "$auth_application_url"

    Then the "Server" response header should not contain numbers

    And the "X-Powered-By" response header should not contain numbers

```

## Running Sample Scenarios

The scenarios are available [here](cucumber-audit-scenarios/src/main/resources/io/github/multicatch/cucumber/audit).

Download a Selenium Gecko driver and run the following command in the project directory:

```shell script

mvn test -DfailIfNoTests=false -Dtest=CucumberTest -Dwebdriver.gecko.driver=/path/to/geckodriver

```

## Running It Standalone

You can run it standalone using jar build in cucumber-audit-standalone module.

Example:

```shell script

java -jar cucumber-audit-standalone.jar path/to/features \

  --glue io.github.multicatch.cucumber.audit \

  --plugin pretty \

  --webdriver.type GECKO \

  --webdriver.gecko.driver path/to/geckodriver \

  --webdriver.headless true

```

Instead of `path/to/features` provide a path to your `*.feature` files. 

Other options:

* `webdriver.type` - specify type of the webdriver used (GECKO/CHROME)

* `webdriver.gecko.driver` - specify location of the geckodriver binary

* `webdriver.chrome.driver` - specify location of the chromedriver binary

* `webdriver.headless` - specify whether to start browser in the headless or not (true/false)

You can also use options available in cucumber standalone. To see them use `--help`.

To use variable substitution plugin, use `--plugin io.github.multicatch.cucumber.audit.variables.VariableResolvingRedactor` option.

Variables will be read from the environment.

## Pretty reports

This project uses [`de.monochromata.cucumber:reporting-plugin`](https://gitlab.com/monochromata-de/cucumber-reporting-plugin) to generate pretty reports.

By default, pretty html reports are generated into `cucumber-audit-scenarios/target/cucumber/cucumber-html-reports` directory.

Reports are automatically deployed and available here:

* [master](https://multicatch.github.io/cucumber-audit/master/cucumber-html-reports/overview-features.html)

* [develop](https://multicatch.github.io/cucumber-audit/develop/cucumber-html-reports/overview-features.html)