The following specific test cases were developed concurrency during the above development process. Additionally KUP_Gatehouse had functionality removed to new classes checking http_headers (interceptor class). The same for VERBchecker <\/p>\n\n\n\n
Sends an email to account with code and link that stays alive for\n5 minutes.<\/p>\n\n\n\n
When post request received must have live reset code\/soft token\nwith new password and confirmed new password. \n<\/p>\n\n\n\n
When the response to new password is\nsent it does not contain any account identifiable information or\npassword data (old or new). Either in successful response or failure<\/p>\n\n\n\n
Verify that the changing password\nfunctionality includes the old password, the new password, and a\npassword confirmation.<\/p>\n\n\n\n
When the response to updated password\nis sent it does not contain any account identifiable information or\npassword data (old or new). Either in successful response or failure.<\/p>\n\n\n\n
Verify that all password fields do not\necho the user\u2019s password when it is entered. ie. echo is set to\nfalse.<\/p>\n\n\n\n
Client asks for a token with the\ndetails of the request. Before sending POST, PUT or DELETE requests.\nRequest must provide type of request, length of request \n<\/p>\n\n\n\n
all forms containing sensitive\ninformation have disabled client side caching, including autocomplete\nfeatures.<\/p>\n\n\n\n
data stored in client side storage \u2013 such as HTML5 local storage, session storage, Indexed DB, regular cookies or Flash cookies \u2013 does not contain sensitive or PII).<\/p>\n\n\n\n
Do not use Flash, Active-X,\nSilverlight, NACL, client-sideJava or other client side technologies\nnot supported natively via W3C browser standards.<\/p>\n\n\n\n
ID values stored on the device and\nretrievable by other applications, such as the UDID or IMEI number\nare not used as authentication tokens.<\/p>\n\n\n\n
sensitive data is not stored\nunprotected on the device, even in system protected areas such as key\nchains.<\/p>\n\n\n\n
same encoding style is used between the\nclient and the server<\/p>\n\n\n\n
Returns true if username and password is correct. \n<\/p>\n\n\n\n
Locks account after 3 attempts (throw an exception)<\/p>\n\n\n\n
It does not reset lost passwords \n<\/p>\n\n\n\n
administrative interfaces are not accessible to un-trusted parties. <\/p>\n\n\n\n
authors can only amend their own\nassessments<\/p>\n\n\n\n
authors can only add assessments in\ntheir own name.<\/p>\n\n\n\n
Failures in authentication should be returned with access blocked, not with any reference to PAD or MAC errors, software\/ framework versions and personal information<\/p>\n\n\n\n
Exceptions should return with access\nblocked.<\/p>\n\n\n\n
Any error\/exception results in a\nrefused access to requested service. \n<\/p>\n\n\n\n
The time for authentication to fail\nshould be the same I.e 5 seconds. \n<\/p>\n\n\n\n
Asks a HMAC service for a token when a post, put or delete request\nis to be made. This is returned to the client. Request must provide\ntype of request, length of request. \n<\/p>\n\n\n\n
Content Security Policy V2 (CSP) is in\nuse in a way that either disables inline JavaScript or provides an\nintegrity check on inline Java Script with CSP noncing or hashing.<\/p>\n\n\n\n
Only Management accounts can access all\nassessments with full control to create, edit and delete assessments\nand accounts.<\/p>\n\n\n\n
Creates accounts with username, password and email address for resetting lost password.<\/p>\n\n\n\n
Password schema should enforce the password conditions identified in the resources and privacy pages unit tests. <\/p>\n\n\n\n
Any error\/ exception must cause the result in a rejected password<\/p>\n\n\n\n
compares a token with what has been sent and see if they are the\nsame. Returns true if so, otherwise returns false. The token is a\ndouble (2) nested hash e.g a json web token.<\/p>\n\n\n\n
Any exception\/error causes a refusal to issue a token. \n<\/p>\n\n\n\n
ID values stored on the device and\nretrievable by other applications, such as the UDID or IMEI number\nare not used as authentication tokens<\/p>\n\n\n\n
Creates a token using HMACs construction based on a request that\nis expected. It takes a request type, length of message and returns a\ntoken<\/p>\n\n\n\n
decrypts a received token<\/p>\n\n\n\n
Should use GMC, CCM or EAX standards (Minimum FIPS 140-2) to encrypt which uses the HMACservice to build the MAC<\/p>\n\n\n\n
Verify that input\nvalidation routines are enforced<\/p>\n\n\n\n
Checks the input\nof participant and author and performs input validation, failures\nresult in request rejection and are logged.<\/p>\n\n\n\n
Rejects any\nassessment containing SQL queries, HQL, OSQL, NOSQL, Xpath query\ntampering, XML External Entity attacks, and XML injection attacks in\nsubmitions from participants, authors and search requests. This\nincludes the assessment itself and any strings embedded in an\nassessment<\/p>\n\n\n\n
Sanitise html\nusing https:\/\/github.com\/OWASP\/java-html-sanitizer<\/a>\n<\/p>\n\n\n\n Any exception or\nfailure in an AssessmentValidator returns a failed or invalid\nassessment and no further processing can take place. \n<\/p>\n\n\n\n Content Security\nPolicy V2 (CSP) is in use in a way that either disables inline\nJavaScript or provides an integrity check on inline Java Script with\nCSP noncing or hashing.<\/p>\n\n\n\n un-trusted file data submitted to the application is not used directly with file I\/O command, particularly to protect against path traversal, local file include, file mime type, and OS command injection vulnerabilities.<\/p>\n\n\n\n No binary data is\nallowed. \n<\/p>\n\n\n\n Only system schema\nand components are used \n<\/p>\n\n\n\n does not execute\nuploaded data obtained from untrusted sources<\/p>\n\n\n\n SQL queries, HQL, OSQL, NOSQL, Xpath query tampering, XML External Entity attacks, and XML injection attacks in submissions from participants, authors and search requests. This includes the assessment itself and any strings embedded in an assessment reports true or false if a given string contains a what the sanitiser is looking for. <\/p>\n\n\n\n Assessment instantiation is only done\nafter the assessment has been validated. Asks the assessmentValidator<\/p>\n\n\n\n Assess the assessment based on components in the assessment it instantiates the components based on component name which implements an IassessmentComponent interface. Once the assessment is built the assess command is sent and an AssessmentResult is returned with a copy of the submitted assessment. <\/p>\n\n\n\n All input is limited to an appropriate\nsize limit<\/p>\n","protected":false},"excerpt":{"rendered":" The following specific test cases were developed concurrency during the above development process. Additionally KUP_Gatehouse had functionality removed to new classes checking http_headers (interceptor class). The same for VERBchecker Resources and Private Pages \u2013 I.e tested from outside the application using a bash script and curl Verify all pages and resources by default require authentication … Continue reading KUP Assessments – Converting Requirements to Specific Test Cases<\/span> iSanitiser \n<\/h2>\n\n\n\n
AssessmentManager<\/h2>\n\n\n\n
iInputCheckFilter<\/h2>\n\n\n\n