# Security Testing Suite This directory contains comprehensive security tests for the Aniworld application. ## Test Categories ### Authentication Security (`test_auth_security.py`) Tests authentication and authorization security: - **Password Security**: Hashing, strength validation, exposure prevention - **Token Security**: JWT validation, expiration, format checking - **Session Security**: Fixation prevention, regeneration, timeout - **Brute Force Protection**: Rate limiting, account lockout - **Authorization**: Role-based access control, privilege escalation prevention ### Input Validation (`test_input_validation.py`) Tests input validation and sanitization: - **XSS Protection**: Script injection, HTML injection - **Path Traversal**: Directory traversal attempts - **Size Limits**: Oversized input handling - **Special Characters**: Unicode, null bytes, control characters - **Type Validation**: Email, numbers, arrays, objects - **File Upload Security**: Extension validation, size limits, MIME type checking ### SQL Injection Protection (`test_sql_injection.py`) Tests database injection vulnerabilities: - **Classic SQL Injection**: OR 1=1, UNION attacks, comment injection - **Blind SQL Injection**: Time-based, boolean-based - **Second-Order Injection**: Stored malicious data - **NoSQL Injection**: MongoDB operator injection - **ORM Injection**: Attribute and method injection - **Error Disclosure**: Information leakage in error messages ## Running Security Tests ### Run all security tests: ```bash conda run -n AniWorld python -m pytest tests/security/ -v -m security ``` ### Run specific test file: ```bash conda run -n AniWorld python -m pytest tests/security/test_auth_security.py -v ``` ### Run specific test class: ```bash conda run -n AniWorld python -m pytest \ tests/security/test_sql_injection.py::TestSQLInjection -v ``` ### Run with detailed output: ```bash conda run -n AniWorld python -m pytest tests/security/ -vv -s ``` ## Security Test Markers Tests are marked with `@pytest.mark.security` for easy filtering: ```bash # Run only security tests pytest -m security # Run all tests except security pytest -m "not security" ``` ## Expected Security Posture ### Authentication - ✅ Passwords never exposed in responses - ✅ Weak passwords rejected - ✅ Proper password hashing (bcrypt/argon2) - ✅ Brute force protection - ✅ Token expiration enforced - ✅ Session regeneration on privilege change ### Input Validation - ✅ XSS attempts blocked or sanitized - ✅ Path traversal prevented - ✅ File uploads validated and restricted - ✅ Size limits enforced - ✅ Type validation on all inputs - ✅ Special characters handled safely ### SQL Injection - ✅ All SQL injection attempts blocked - ✅ Prepared statements used - ✅ No database errors exposed - ✅ ORM used safely - ✅ No raw SQL with user input ## Common Vulnerabilities Tested ### OWASP Top 10 Coverage 1. **Injection** ✅ - SQL injection - NoSQL injection - Command injection - XSS 2. **Broken Authentication** ✅ - Weak passwords - Session fixation - Token security - Brute force 3. **Sensitive Data Exposure** ✅ - Password exposure - Error message disclosure - Token leakage 4. **XML External Entities (XXE)** ⚠️ - Not applicable (no XML processing) 5. **Broken Access Control** ✅ - Authorization bypass - Privilege escalation - IDOR (Insecure Direct Object Reference) 6. **Security Misconfiguration** ⚠️ - Partially covered 7. **Cross-Site Scripting (XSS)** ✅ - Reflected XSS - Stored XSS - DOM-based XSS 8. **Insecure Deserialization** ⚠️ - Partially covered 9. **Using Components with Known Vulnerabilities** ⚠️ - Requires dependency scanning 10. **Insufficient Logging & Monitoring** ⚠️ - Requires log analysis ## Adding New Security Tests When adding new security tests: 1. Mark with `@pytest.mark.security` 2. Test both positive and negative cases 3. Include variety of attack payloads 4. Document expected behavior 5. Follow OWASP guidelines Example: ```python @pytest.mark.security class TestNewFeatureSecurity: \"\"\"Security tests for new feature.\"\"\" @pytest.mark.asyncio async def test_injection_protection(self, client): \"\"\"Test injection protection.\"\"\" malicious_inputs = [...] for payload in malicious_inputs: response = await client.post("/api/endpoint", json={"data": payload}) assert response.status_code in [400, 422] ``` ## Security Testing Best Practices ### 1. Test All Entry Points - API endpoints - WebSocket connections - File uploads - Query parameters - Headers - Cookies ### 2. Use Comprehensive Payloads - Classic attack vectors - Obfuscated variants - Unicode bypasses - Encoding variations ### 3. Verify Both Prevention and Handling - Attacks should be blocked - Errors should not leak information - Application should remain stable - Logs should capture attempts ### 4. Test Edge Cases - Empty inputs - Maximum sizes - Special characters - Unexpected types - Concurrent requests ## Continuous Security Testing These tests should be run: - Before each release - After security-related code changes - Weekly as part of regression testing - As part of CI/CD pipeline - After dependency updates ## Remediation Guidelines ### If a test fails: 1. **Identify the vulnerability** - What attack succeeded? - Which endpoint is affected? - What data was compromised? 2. **Assess the risk** - CVSS score - Potential impact - Exploitability 3. **Implement fix** - Input validation - Output encoding - Parameterized queries - Access controls 4. **Verify fix** - Re-run failing test - Add additional tests - Test related functionality 5. **Document** - Update security documentation - Add to changelog - Notify team ## Security Tools Integration ### Recommended Tools **Static Analysis:** - Bandit (Python security linter) - Safety (dependency vulnerability scanner) - Semgrep (pattern-based scanner) **Dynamic Analysis:** - OWASP ZAP (penetration testing) - Burp Suite (security testing) - SQLMap (SQL injection testing) **Dependency Scanning:** ```bash # Check for vulnerable dependencies pip-audit safety check ``` **Code Scanning:** ```bash # Run Bandit security linter bandit -r src/ ``` ## Incident Response If a security vulnerability is discovered: 1. **Do not discuss publicly** until patched 2. **Document** the vulnerability privately 3. **Create fix** in private branch 4. **Test thoroughly** 5. **Deploy hotfix** if critical 6. **Notify users** if data affected 7. **Update tests** to prevent regression ## Security Contacts For security concerns: - Create private security advisory on GitHub - Contact maintainers directly - Do not create public issues for vulnerabilities ## References - [OWASP Top 10](https://owasp.org/www-project-top-ten/) - [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) - [CWE/SANS Top 25](https://cwe.mitre.org/top25/) - [NIST Security Guidelines](https://www.nist.gov/cybersecurity) - [Python Security Best Practices](https://python.readthedocs.io/en/latest/library/security_warnings.html) ## Compliance These tests help ensure compliance with: - GDPR (data protection) - PCI DSS (if handling payments) - HIPAA (if handling health data) - SOC 2 (security controls) ## Automated Security Scanning ### GitHub Actions Example ```yaml name: Security Tests on: [push, pull_request] jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Set up Python uses: actions/setup-python@v2 with: python-version: 3.13 - name: Install dependencies run: | pip install -r requirements.txt pip install bandit safety - name: Run security tests run: pytest tests/security/ -v -m security - name: Run Bandit run: bandit -r src/ - name: Check dependencies run: safety check ``` ## Conclusion Security testing is an ongoing process. These tests provide a foundation, but regular security audits, penetration testing, and staying updated with new vulnerabilities are essential for maintaining a secure application.