Passive scan unit tests


psiinon

Jul 27, 2016, 8:00:17 AM
to OWASP ZAP Developer Group
I've just submitted PR #471 which adds a rule for testing for SameSite cookies.
As part of that I've implemented some unit tests for that class: https://github.com/psiinon/zap-extensions/blob/edf5af2df7bfbb8affd0eef1146e78068407c76e/test/org/zaproxy/zap/extension/pscanrulesAlpha/CookieSameSiteScannerUnitTest.java
These are the first unit tests we have for passive scan rules, and as I'd like this to become standard practice I'd like feedback on them.
Are they easy enough to understand?
Could the implementation be improved in any way?
Any other comments or suggestions?

Volunteers to write similar tests for our existing passive scan rules also much appreciated ;)

Cheers,

Simon

psiinon

Jul 27, 2016, 11:12:08 AM
to OWASP ZAP Developer Group
I've updated the PR and now the direct link to the unit test file has changed :(
Best just find the file in the PR: https://github.com/zaproxy/zap-extensions/pull/471 :)

psiinon

Aug 2, 2016, 6:44:36 AM
to OWASP ZAP Developer Group
One of the comments on https://github.com/zaproxy/zap-extensions/pull/473 (now outdated, so I don't think I can link to it directly) was a suggestion to introduce a helper method for setting the response headers rather than repeating the same info each time.
I must admit I kind of like seeing the full headers as plain text, but maybe that's because I'm used to looking at them in ZAP ;)
Any preferences for or against using such helper methods?
I'm happy to go with the flow...

psiinon

Aug 4, 2016, 10:38:40 AM
to OWASP ZAP Developer Group
I've updated https://github.com/zaproxy/zap-extensions/pull/473 based on more comments received, and also updated the X-Frame-Options rule to only report issues at LOW threshold if the CSP 'frame-ancestors' element is present.
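The two rule behaviours discussed in this thread (a Set-Cookie without SameSite, and a missing X-Frame-Options that is only raised at LOW threshold when CSP already carries frame-ancestors), plus the "helper versus plain-text headers" question, as an added standalone Python model. This is not ZAP's Java rule code or its unit tests; the threshold names LOW/MEDIUM/HIGH and the "otherwise always report" default for X-Frame-Options are assumptions.

```python
"""Standalone model of the two passive checks discussed in the thread. Added
example, not ZAP's own rule code or tests: raw headers stay readable as plain
text, with one helper parsing them. Threshold names LOW/MEDIUM/HIGH and the
'otherwise always report' default for X-Frame-Options are assumptions."""
from typing import List, Tuple

Header = Tuple[str, str]

def parse_headers(raw: str) -> List[Header]:
    """Turn a raw response (status line plus header lines) into (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs

def same_site_findings(headers: List[Header]) -> List[str]:
    """Names of cookies set without any SameSite attribute."""
    missing = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if not any(a.startswith("samesite=") for a in attrs):
            missing.append(value.split("=", 1)[0].strip())
    return missing

def xfo_missing_reported(headers: List[Header], threshold: str = "MEDIUM") -> bool:
    """Whether a missing X-Frame-Options header is raised at the given threshold.
    Per the thread's change: if CSP already has frame-ancestors, raise only at LOW."""
    by_name = {n.lower(): v for n, v in headers}
    if "x-frame-options" in by_name:
        return False
    csp = by_name.get("content-security-policy", "")
    directives = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    if "frame-ancestors" in directives:
        return threshold.upper() == "LOW"
    return True

# Constructed sample responses (not captured from any real site).
RESP_NO_SAMESITE = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; HttpOnly
Content-Type: text/html"""

RESP_SAMESITE_XFO = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; HttpOnly; SameSite=Strict
X-Frame-Options: DENY"""

RESP_CSP_ONLY = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Set-Cookie: pref=dark; SameSite=Lax"""
```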