pytest test suite for AuthREST API authentication testing
#!/usr/bin/env python3
"""
pytest Test Suite for AuthREST Scanner
Tests authentication pattern detection
"""
import pytest
import requests
from authrest_scanner import AuthRestScanner, AuthTest
@pytest.fixture
def scanner():
    """Build an AuthRestScanner over a minimal two-endpoint OpenAPI spec.

    One operation (``GET /api/users``) declares a ``bearerAuth`` security
    requirement; the other (``GET /api/public``) declares none, so the
    scanner sees both an authenticated and an unauthenticated path.
    """
    protected_get = {'security': [{'bearerAuth': []}]}
    public_get = {}  # no security requirement on this operation
    spec = {
        'paths': {
            '/api/users': {'get': protected_get},
            '/api/public': {'get': public_get},
        }
    }
    return AuthRestScanner(spec, 'http://localhost:5000')
def test_parse_auth_requirements(scanner):
"""Test OpenAPI spec parsing"""
tests = scanner.parse_auth_requirements()
assert len(tests) == 2
assert tests[0].auth_required == True
assert tests[1].auth_required == False
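def test_missing_token_validation():
    """Fail if a protected endpoint serves a request that carries no token.

    ``/api/users`` is declared with a ``bearerAuth`` requirement in the
    fixture spec, so an unauthenticated GET should be rejected (401
    expected). The assertion is written so that the test FAILS when the
    endpoint answers 200 — an auth bypass — which matches the convention
    used by the other tests in this suite (``!= 200`` means "not accepted").
    """
    resp = requests.get(
        'http://localhost:5000/api/users',
        timeout=5,
    )
    # A 200 here means the missing token was never validated; asserting
    # `== 200` would only pass on a vulnerable API, which inverts the test.
    assert resp.status_code != 200, "Auth bypass detected"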
def test_empty_token_accepted():
    """Fail if an empty Authorization header is treated as a valid token."""
    target = 'http://localhost:5000/api/admin/settings'
    empty_auth = {'Authorization': ''}
    resp = requests.get(target, headers=empty_auth, timeout=5)
    # An empty header value is not a credential; a 200 means it was accepted.
    assert resp.status_code != 200, "Empty token accepted"
def test_role_bypass():
    """Fail if the server honours a client-supplied ``role`` field."""
    target = 'http://localhost:5000/api/posts'
    payload = {'role': 'admin', 'content': 'test'}
    resp = requests.post(target, json=payload, timeout=5)
    # Role must come from the server-side principal, never the request body.
    assert resp.status_code != 200, "Role bypass vulnerability"
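def test_session_fixation():
    """Fail if a client-supplied session_id is echoed into the issued token.

    Logs in with a ``session_id`` query parameter set to a recognisable
    marker and checks that the marker does not appear in the returned
    token. The response is validated before the token is inspected so a
    non-JSON or token-less reply produces a clear test failure instead of
    a ValueError/KeyError traceback.
    """
    marker = 'attacker_session'
    resp = requests.post(
        f'http://localhost:5000/api/login?session_id={marker}',
        json={'username': 'admin', 'password': 'test'},
        timeout=5,
    )
    try:
        data = resp.json()
    except ValueError:
        pytest.fail(f"login returned a non-JSON body (status {resp.status_code})")
    if not isinstance(data, dict) or 'token' not in data:
        pytest.fail(
            f"login response has no 'token' field (status {resp.status_code}): {data!r}"
        )
    token = data['token']
    assert isinstance(token, str) and token, f"unexpected token value: {token!r}"
    # The client-chosen marker must not survive into the server-issued token.
    assert marker not in token, "Session fixation possible"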