The security testing layer focuses on offensive security practices by simulating real-world attacks against OWASP Juice Shop.
Unlike the API testing layer, which validates endpoint behavior and API security requirements, this layer reproduces attacker techniques to discover vulnerabilities related to client-side attacks, access control weaknesses, insecure configurations, and unsafe application behavior.
The objective is to treat security vulnerabilities as automated regression tests that can be continuously executed throughout the development lifecycle.
This module integrates OWASP ZAP automated scans into the Robot Framework pipeline to identify common web application vulnerabilities.
| ID | Security Test |
|---|---|
| SEC-ZAP-001 | Perform automated spidering to discover application endpoints |
| SEC-ZAP-002 | Execute passive security analysis |
| SEC-ZAP-003 | Execute active vulnerability scanning |
| SEC-ZAP-004 | Generate HTML security reports |
| SEC-ZAP-005 | Fail the pipeline when critical vulnerabilities are detected |
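As an added example (not part of the project's own suite), the block below is a Python keyword library that a Robot Framework test could import to drive the five SEC-ZAP steps. It assumes a ZAP daemon listening on localhost:8080, the python-owasp-zap-v2.4 package (`zapv2`) and the field layout of ZAP's `core.alerts()` output; the gating helper and its constructed sample alerts run offline without ZAP.

```python
"""OWASP ZAP gate for a Robot Framework pipeline (added example, not the project's code).
ZapScan needs a live ZAP daemon and the zapv2 package (assumed); the helper runs offline."""
import time

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample in the shape ZAP's core.alerts() returns (field names assumed).
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://localhost:3000/#/search?q=test"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://localhost:3000/#/search?q=test"},  # duplicate of the above
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "http://localhost:3000/"},
]

def blocking_alerts(alerts, fail_on="High"):
    """Deduplicated (alert, url) pairs at or above fail_on; non-empty means fail (SEC-ZAP-005)."""
    threshold = RISK_ORDER[fail_on]
    hits = {(a["alert"], a["url"]) for a in alerts
            if RISK_ORDER.get(a.get("risk"), -1) >= threshold}
    return sorted(hits)

class ZapScan:
    """Robot Framework keyword library covering SEC-ZAP-001 to SEC-ZAP-005."""
    ROBOT_LIBRARY_SCOPE = "GLOBAL"

    def __init__(self, proxy="http://127.0.0.1:8080", apikey=""):
        from zapv2 import ZAPv2  # deferred so the module imports without ZAP installed
        self.zap = ZAPv2(apikey=apikey, proxies={"http": proxy, "https": proxy})

    @staticmethod
    def _wait(status, scan_id):
        while int(status(scan_id)) < 100:  # ZAP reports progress as a percentage string
            time.sleep(2)

    def spider_and_scan(self, target):
        """SEC-ZAP-001..003: spider, drain the passive-scan queue, then active scan."""
        self._wait(self.zap.spider.status, self.zap.spider.scan(target))
        while int(self.zap.pscan.records_to_scan) > 0:
            time.sleep(2)
        self._wait(self.zap.ascan.status, self.zap.ascan.scan(target))

    def write_html_report(self, path):
        """SEC-ZAP-004: save ZAP's HTML report as a pipeline artifact."""
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(self.zap.core.htmlreport())

    def fail_on_critical_alerts(self, target, fail_on="High"):
        """SEC-ZAP-005: raising makes the Robot test, and with it the pipeline, fail."""
        hits = blocking_alerts(self.zap.core.alerts(baseurl=target), fail_on)
        if hits:
            raise AssertionError(f"{len(hits)} {fail_on}+ ZAP alert(s): {hits}")
```

In a `.robot` file the library is loaded with `Library    ZapScan` and the keywords are then called as `Spider And Scan` and `Fail On Critical Alerts`, so a High-risk finding turns the Robot run red.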
This module uses browser-based attacks to verify whether malicious JavaScript can be executed within the application.
| ID | Security Test |
|---|---|
| SEC-XSS-001 | Reflected XSS payloads are not executed in user input fields |
| SEC-XSS-002 | Stored XSS payloads are safely handled after persistence |
| SEC-XSS-003 | JavaScript execution through malicious HTML attributes is blocked |
| SEC-XSS-004 | Browser alerts cannot be triggered by malicious scripts |
NB: SEC-XSS-003 and SEC-XSS-004 are both covered by test cases SEC-XSS-001 and SEC-XSS-002.
This module reproduces attacks where an authenticated user attempts to access resources belonging to another user.
| ID | Security Test |
|---|---|
| SEC-BAC-001 | A user cannot access another user's private data |
| SEC-BAC-002 | A rogue user cannot access another user's resources with a tampered token |
| SEC-BAC-003 | A non-administrator cannot access administrative functionality |
| SEC-BAC-004 | Direct object reference manipulation does not expose unauthorized data |
This module validates the application's resistance against directory traversal attacks attempting to access unauthorized files.
| ID | Security Test |
|---|---|
| SEC-PATH-001 | Relative path traversal sequences are blocked |
| SEC-PATH-002 | Sensitive system files cannot be accessed |
| SEC-PATH-003 | Encoded traversal payloads are rejected |
This module verifies that file upload mechanisms correctly validate uploaded content and prevent dangerous file execution.
| ID | Security Test |
|---|---|
| SEC-UPLOAD-001 | Executable files are rejected |
| SEC-UPLOAD-002 | Malicious file extensions are blocked |