mirror of https://github.com/azaion/detections-semantic.git synced 2026-04-22 22:26:39 +00:00

Files

T

Oleksandr Bezdieniezhnykh 8e2ecf50fd Initial commit

Made-with: Cursor

2026-03-26 00:20:30 +02:00

8.6 KiB

Raw Blame History

name, description, category, priority, tokenEstimate, agents, implementation_status, optimization_version, last_optimized, dependencies, quick_reference_card, tags, trust_tier, validation

name

description

Security Testing

<default_to_action> When testing security or conducting audits:

TEST OWASP Top 10 vulnerabilities systematically
VALIDATE authentication and authorization on every endpoint
SCAN dependencies for known vulnerabilities (npm audit)
CHECK for injection attacks (SQL, XSS, command)
VERIFY secrets aren't exposed in code/logs

Quick Security Checks:

Access control → Test horizontal/vertical privilege escalation
Crypto → Verify password hashing, HTTPS, no sensitive data exposed
Injection → Test SQL injection, XSS, command injection
Auth → Test weak passwords, session fixation, MFA enforcement
Config → Check error messages don't leak info

Critical Success Factors:

Think like an attacker, build like a defender
Security is built in, not added at the end
Test continuously in CI/CD, not just before release </default_to_action>

Quick Reference Card

When to Use

Security audits and penetration testing
Testing authentication/authorization
Validating input sanitization
Reviewing security configuration

OWASP Top 10

Use the most recent stable version of the OWASP Top 10. At the start of each security audit, research the current version at https://owasp.org/www-project-top-ten/ and test against all listed categories. Do not rely on a hardcoded list — the OWASP Top 10 is updated periodically and the current version must be verified.

Tools

Type	Tool	Purpose
SAST	SonarQube, Semgrep	Static code analysis
DAST	OWASP ZAP, Burp	Dynamic scanning
Deps	npm audit, Snyk	Dependency vulnerabilities
Secrets	git-secrets, TruffleHog	Secret scanning

Agent Coordination

qe-security-scanner: Multi-layer SAST/DAST scanning
qe-api-contract-validator: API security testing
qe-quality-analyzer: Security code review

Key Vulnerability Tests

1. Broken Access Control

// Horizontal escalation - User A accessing User B's data
test('user cannot access another user\'s order', async () => {
  const userAToken = await login('userA');
  const userBOrder = await createOrder('userB');

  const response = await api.get(`/orders/${userBOrder.id}`, {
    headers: { Authorization: `Bearer ${userAToken}` }
  });
  expect(response.status).toBe(403);
});

// Vertical escalation - Regular user accessing admin
test('regular user cannot access admin', async () => {
  const userToken = await login('regularUser');
  expect((await api.get('/admin/users', {
    headers: { Authorization: `Bearer ${userToken}` }
  })).status).toBe(403);
});

2. Injection Attacks

// SQL Injection
test('prevents SQL injection', async () => {
  const malicious = "' OR '1'='1";
  const response = await api.get(`/products?search=${malicious}`);
  expect(response.body.length).toBeLessThan(100); // Not all products
});

// XSS
test('sanitizes HTML output', async () => {
  const xss = '<script>alert("XSS")</script>';
  await api.post('/comments', { text: xss });

  const html = (await api.get('/comments')).body;
  expect(html).toContain('&lt;script&gt;');
  expect(html).not.toContain('<script>');
});

3. Cryptographic Failures

test('passwords are hashed', async () => {
  await db.users.create({ email: 'test@example.com', password: 'MyPassword123' });
  const user = await db.users.findByEmail('test@example.com');

  expect(user.password).not.toBe('MyPassword123');
  expect(user.password).toMatch(/^\$2[aby]\$\d{2}\$/); // bcrypt
});

test('no sensitive data in API response', async () => {
  const response = await api.get('/users/me');
  expect(response.body).not.toHaveProperty('password');
  expect(response.body).not.toHaveProperty('ssn');
});

4. Security Misconfiguration

test('errors don\'t leak sensitive info', async () => {
  const response = await api.post('/login', { email: 'nonexistent@test.com', password: 'wrong' });
  expect(response.body.error).toBe('Invalid credentials'); // Generic message
});

test('sensitive endpoints not exposed', async () => {
  const endpoints = ['/debug', '/.env', '/.git', '/admin'];
  for (let ep of endpoints) {
    expect((await fetch(`https://example.com${ep}`)).status).not.toBe(200);
  }
});

5. Rate Limiting

test('rate limiting prevents brute force', async () => {
  const responses = [];
  for (let i = 0; i < 20; i++) {
    responses.push(await api.post('/login', { email: 'test@example.com', password: 'wrong' }));
  }
  expect(responses.filter(r => r.status === 429).length).toBeGreaterThan(0);
});

Security Checklist

Authentication

Strong password requirements (12+ chars)
Password hashing (bcrypt, scrypt, Argon2)
MFA for sensitive operations
Account lockout after failed attempts
Session ID changes after login
Session timeout

Authorization

Check authorization on every request
Least privilege principle
No horizontal escalation
No vertical escalation

Data Protection

HTTPS everywhere
Encrypted at rest
Secrets not in code/logs
PII compliance (GDPR)

Input Validation

Server-side validation
Parameterized queries (no SQL injection)
Output encoding (no XSS)
Rate limiting

CI/CD Integration

# GitHub Actions
security-checks:
  steps:
    - name: Dependency audit
      run: npm audit --audit-level=high

    - name: SAST scan
      run: npm run sast

    - name: Secret scan
      uses: trufflesecurity/trufflehog@main

    - name: DAST scan
      if: github.ref == 'refs/heads/main'
      run: docker run owasp/zap2docker-stable zap-baseline.py -t https://staging.example.com

Pre-commit hooks:

#!/bin/sh
git-secrets --scan
npm run lint:security

Agent-Assisted Security Testing

// Comprehensive multi-layer scan
await Task("Security Scan", {
  target: 'src/',
  layers: { sast: true, dast: true, dependencies: true, secrets: true },
  severity: ['critical', 'high', 'medium']
}, "qe-security-scanner");

// OWASP Top 10 testing
await Task("OWASP Scan", {
  categories: ['broken-access-control', 'injection', 'cryptographic-failures'],
  depth: 'comprehensive'
}, "qe-security-scanner");

// Validate fix
await Task("Validate Fix", {
  vulnerability: 'CVE-2024-12345',
  expectedResolution: 'upgrade package to v2.0.0',
  retestAfterFix: true
}, "qe-security-scanner");

Agent Coordination Hints

Memory Namespace

aqe/security/
├── scans/*           - Scan results
├── vulnerabilities/* - Found vulnerabilities
├── fixes/*           - Remediation tracking
└── compliance/*      - Compliance status

Fleet Coordination

const securityFleet = await FleetManager.coordinate({
  strategy: 'security-testing',
  agents: [
    'qe-security-scanner',
    'qe-api-contract-validator',
    'qe-quality-analyzer',
    'qe-deployment-readiness'
  ],
  topology: 'parallel'
});

Common Mistakes

❌ Security by Obscurity

Hiding admin at /super-secret-admin → Use proper auth

❌ Client-Side Validation Only

JavaScript validation can be bypassed → Always validate server-side

❌ Trusting User Input

Assuming input is safe → Sanitize, validate, escape all input

❌ Hardcoded Secrets

API keys in code → Environment variables, secret management

agentic-quality-engineering - Security with agents
api-testing-patterns - API security testing
compliance-testing - GDPR, HIPAA, SOC2

Remember

Think like an attacker: What would you try to break? Test that. Build like a defender: Assume input is malicious until proven otherwise. Test continuously: Security testing is ongoing, not one-time.

With Agents: Agents automate vulnerability scanning, track remediation, and validate fixes. Use agents to maintain security posture at scale.

8.6 KiB Raw Blame History