--- name: security-testing description: "Test for security vulnerabilities using OWASP principles. Use when conducting security audits, testing auth, or implementing security practices." category: specialized-testing priority: critical tokenEstimate: 1200 agents: [qe-security-scanner, qe-api-contract-validator, qe-quality-analyzer] implementation_status: optimized optimization_version: 1.0 last_optimized: 2025-12-02 dependencies: [] quick_reference_card: true tags: [security, owasp, sast, dast, vulnerabilities, auth, injection] trust_tier: 3 validation: schema_path: schemas/output.json validator_path: scripts/validate-config.json eval_path: evals/security-testing.yaml --- # Security Testing When testing security or conducting audits: 1. TEST OWASP Top 10 vulnerabilities systematically 2. VALIDATE authentication and authorization on every endpoint 3. SCAN dependencies for known vulnerabilities (npm audit) 4. CHECK for injection attacks (SQL, XSS, command) 5. VERIFY secrets aren't exposed in code/logs **Quick Security Checks:** - Access control → Test horizontal/vertical privilege escalation - Crypto → Verify password hashing, HTTPS, no sensitive data exposed - Injection → Test SQL injection, XSS, command injection - Auth → Test weak passwords, session fixation, MFA enforcement - Config → Check error messages don't leak info **Critical Success Factors:** - Think like an attacker, build like a defender - Security is built in, not added at the end - Test continuously in CI/CD, not just before release ## Quick Reference Card ### When to Use - Security audits and penetration testing - Testing authentication/authorization - Validating input sanitization - Reviewing security configuration ### OWASP Top 10 (2021) | # | Vulnerability | Key Test | |---|---------------|----------| | 1 | Broken Access Control | User A accessing User B's data | | 2 | Cryptographic Failures | Plaintext passwords, HTTP | | 3 | Injection | SQL/XSS/command injection | | 4 | Insecure Design | Rate limiting, session timeout | | 5 | Security Misconfiguration | Verbose errors, exposed /admin | | 6 | Vulnerable Components | npm audit, outdated packages | | 7 | Auth Failures | Weak passwords, no MFA | | 8 | Integrity Failures | Unsigned updates, malware | | 9 | Logging Failures | No audit trail for breaches | | 10 | SSRF | Server fetching internal URLs | ### Tools | Type | Tool | Purpose | |------|------|---------| | SAST | SonarQube, Semgrep | Static code analysis | | DAST | OWASP ZAP, Burp | Dynamic scanning | | Deps | npm audit, Snyk | Dependency vulnerabilities | | Secrets | git-secrets, TruffleHog | Secret scanning | ### Agent Coordination - `qe-security-scanner`: Multi-layer SAST/DAST scanning - `qe-api-contract-validator`: API security testing - `qe-quality-analyzer`: Security code review --- ## Key Vulnerability Tests ### 1. Broken Access Control ```javascript // Horizontal escalation - User A accessing User B's data test('user cannot access another user\'s order', async () => { const userAToken = await login('userA'); const userBOrder = await createOrder('userB'); const response = await api.get(`/orders/${userBOrder.id}`, { headers: { Authorization: `Bearer ${userAToken}` } }); expect(response.status).toBe(403); }); // Vertical escalation - Regular user accessing admin test('regular user cannot access admin', async () => { const userToken = await login('regularUser'); expect((await api.get('/admin/users', { headers: { Authorization: `Bearer ${userToken}` } })).status).toBe(403); }); ``` ### 2. Injection Attacks ```javascript // SQL Injection test('prevents SQL injection', async () => { const malicious = "' OR '1'='1"; const response = await api.get(`/products?search=${malicious}`); expect(response.body.length).toBeLessThan(100); // Not all products }); // XSS test('sanitizes HTML output', async () => { const xss = ''; await api.post('/comments', { text: xss }); const html = (await api.get('/comments')).body; expect(html).toContain('<script>'); expect(html).not.toContain('