Michael Schiemer
fc3d7e6357
- Add comprehensive health check system with multiple endpoints - Add Prometheus metrics endpoint - Add production logging configurations (5 strategies) - Add complete deployment documentation suite: * QUICKSTART.md - 30-minute deployment guide * DEPLOYMENT_CHECKLIST.md - Printable verification checklist * DEPLOYMENT_WORKFLOW.md - Complete deployment lifecycle * PRODUCTION_DEPLOYMENT.md - Comprehensive technical reference * production-logging.md - Logging configuration guide * ANSIBLE_DEPLOYMENT.md - Infrastructure as Code automation * README.md - Navigation hub * DEPLOYMENT_SUMMARY.md - Executive summary - Add deployment scripts and automation - Add DEPLOYMENT_PLAN.md - Concrete plan for immediate deployment - Update README with production-ready features All production infrastructure is now complete and ready for deployment.
335 lines
9.6 KiB
PHP
335 lines
9.6 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Tests\Security\WafTests;
|
|
|
|
use Tests\Security\SecurityTestCase;
|
|
use App\Framework\Waf\WafEngine;
|
|
use App\Framework\Http\Method;
|
|
|
|
/**
|
|
* XSS (Cross-Site Scripting) attack detection tests
|
|
*
|
|
* Tests WAF's ability to detect and block XSS attacks
|
|
*/
|
|
final readonly class XssAttackTest extends SecurityTestCase
|
|
{
|
|
public function __construct(
|
|
private WafEngine $wafEngine
|
|
) {}
|
|
|
|
/**
|
|
* Test WAF blocks XSS attacks in query parameters
|
|
*/
|
|
public function testBlocksXssInQueryParams(): void
|
|
{
|
|
$testCases = $this->generateXssTestCases();
|
|
$blocked = 0;
|
|
$failed = [];
|
|
|
|
foreach ($testCases as $testCase) {
|
|
$request = $this->createAttackRequest(
|
|
uri: '/search',
|
|
method: Method::GET,
|
|
queryParams: ['q' => $testCase['payload']]
|
|
);
|
|
|
|
$decision = $this->wafEngine->analyzeRequest($request);
|
|
|
|
if ($decision->shouldBlock()) {
|
|
$blocked++;
|
|
} else {
|
|
$failed[] = $testCase['description'];
|
|
}
|
|
}
|
|
|
|
if (!empty($failed)) {
|
|
throw new \RuntimeException(
|
|
"WAF failed to block " . count($failed) . " XSS attacks in query params:\n" .
|
|
implode("\n", array_slice($failed, 0, 5))
|
|
);
|
|
}
|
|
|
|
echo "✅ Blocked {$blocked}/" . count($testCases) . " XSS attacks in query params\n";
|
|
}
|
|
|
|
/**
|
|
* Test WAF blocks XSS attacks in POST data
|
|
*/
|
|
public function testBlocksXssInPostData(): void
|
|
{
|
|
$testCases = $this->generateXssTestCases();
|
|
$blocked = 0;
|
|
$failed = [];
|
|
|
|
foreach ($testCases as $testCase) {
|
|
$request = $this->createAttackRequest(
|
|
uri: '/api/comments',
|
|
method: Method::POST,
|
|
postData: [
|
|
'comment' => $testCase['payload'],
|
|
'author' => 'Test User'
|
|
]
|
|
);
|
|
|
|
$decision = $this->wafEngine->analyzeRequest($request);
|
|
|
|
if ($decision->shouldBlock()) {
|
|
$blocked++;
|
|
} else {
|
|
$failed[] = $testCase['description'];
|
|
}
|
|
}
|
|
|
|
if (!empty($failed)) {
|
|
throw new \RuntimeException(
|
|
"WAF failed to block " . count($failed) . " XSS attacks in POST data:\n" .
|
|
implode("\n", array_slice($failed, 0, 5))
|
|
);
|
|
}
|
|
|
|
echo "✅ Blocked {$blocked}/" . count($testCases) . " XSS attacks in POST data\n";
|
|
}
|
|
|
|
/**
|
|
* Test WAF blocks event handler-based XSS
|
|
*/
|
|
public function testBlocksEventHandlerXss(): void
|
|
{
|
|
$eventHandlerAttacks = [
|
|
'<img src=x onerror=alert(1)>',
|
|
'<body onload=alert(1)>',
|
|
'<input onfocus=alert(1) autofocus>',
|
|
'<select onfocus=alert(1) autofocus>',
|
|
'<textarea onfocus=alert(1) autofocus>',
|
|
'<marquee onstart=alert(1)>',
|
|
'<div onmouseover=alert(1)>',
|
|
'<a onmousemove=alert(1)>',
|
|
];
|
|
|
|
$blocked = 0;
|
|
$failed = [];
|
|
|
|
foreach ($eventHandlerAttacks as $attack) {
|
|
$request = $this->createAttackRequest(
|
|
uri: '/api/profile',
|
|
method: Method::POST,
|
|
postData: ['bio' => $attack]
|
|
);
|
|
|
|
$decision = $this->wafEngine->analyzeRequest($request);
|
|
|
|
if ($decision->shouldBlock()) {
|
|
$blocked++;
|
|
} else {
|
|
$failed[] = substr($attack, 0, 50);
|
|
}
|
|
}
|
|
|
|
if (!empty($failed)) {
|
|
throw new \RuntimeException(
|
|
"WAF failed to block event handler XSS:\n" .
|
|
implode("\n", $failed)
|
|
);
|
|
}
|
|
|
|
echo "✅ Blocked {$blocked}/" . count($eventHandlerAttacks) . " event handler XSS attacks\n";
|
|
}
|
|
|
|
/**
|
|
* Test WAF blocks JavaScript protocol XSS
|
|
*/
|
|
public function testBlocksJavaScriptProtocol(): void
|
|
{
|
|
$javascriptProtocolAttacks = [
|
|
'javascript:alert(1)',
|
|
'javascript:void(alert(1))',
|
|
'javascript:eval("alert(1)")',
|
|
'jAvAsCrIpT:alert(1)', // Case variation
|
|
'javascript:alert(1)', // HTML entity encoding
|
|
];
|
|
|
|
$blocked = 0;
|
|
|
|
foreach ($javascriptProtocolAttacks as $attack) {
|
|
$request = $this->createAttackRequest(
|
|
uri: '/api/links',
|
|
method: Method::POST,
|
|
postData: ['url' => $attack]
|
|
);
|
|
|
|
$decision = $this->wafEngine->analyzeRequest($request);
|
|
|
|
if ($decision->shouldBlock()) {
|
|
$blocked++;
|
|
}
|
|
}
|
|
|
|
echo "✅ Blocked {$blocked}/" . count($javascriptProtocolAttacks) . " javascript: protocol XSS attacks\n";
|
|
}
|
|
|
|
/**
|
|
* Test WAF allows legitimate HTML/JavaScript in safe contexts
|
|
*/
|
|
public function testAllowsLegitimateContent(): void
|
|
{
|
|
$legitimateContent = [
|
|
'Check out this <strong>amazing</strong> product!', // Safe HTML tags
|
|
'Contact us at info@example.com', // Email
|
|
'Price is <$50', // Less than symbol
|
|
'Rating: 4.5/5 stars', // Math symbols
|
|
'JavaScript is a programming language', // Word "JavaScript"
|
|
];
|
|
|
|
$allowedCount = 0;
|
|
$falsePositives = [];
|
|
|
|
foreach ($legitimateContent as $content) {
|
|
$request = $this->createLegitimateRequest(
|
|
uri: '/api/content',
|
|
method: Method::POST,
|
|
data: ['text' => $content]
|
|
);
|
|
|
|
$decision = $this->wafEngine->analyzeRequest($request);
|
|
|
|
if (!$decision->shouldBlock()) {
|
|
$allowedCount++;
|
|
} else {
|
|
$falsePositives[] = $content;
|
|
}
|
|
}
|
|
|
|
if (!empty($falsePositives)) {
|
|
echo "⚠️ Warning: WAF has " . count($falsePositives) . " false positives:\n";
|
|
foreach ($falsePositives as $fp) {
|
|
echo " - {$fp}\n";
|
|
}
|
|
} else {
|
|
echo "✅ No false positives detected ({$allowedCount}/" . count($legitimateContent) . " legitimate content allowed)\n";
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Test WAF blocks encoded XSS attempts
|
|
*/
|
|
public function testBlocksEncodedXss(): void
|
|
{
|
|
$encodedAttacks = [
|
|
urlencode('<script>alert(1)</script>'),
|
|
urlencode('<img src=x onerror=alert(1)>'),
|
|
htmlspecialchars('<script>alert(1)</script>', ENT_QUOTES),
|
|
];
|
|
|
|
$blocked = 0;
|
|
|
|
foreach ($encodedAttacks as $attack) {
|
|
$request = $this->createAttackRequest(
|
|
uri: '/api/comments',
|
|
method: Method::POST,
|
|
postData: ['comment' => $attack]
|
|
);
|
|
|
|
$decision = $this->wafEngine->analyzeRequest($request);
|
|
|
|
if ($decision->shouldBlock()) {
|
|
$blocked++;
|
|
}
|
|
}
|
|
|
|
echo "✅ Blocked {$blocked}/" . count($encodedAttacks) . " encoded XSS attacks\n";
|
|
}
|
|
|
|
/**
|
|
* Test WAF blocks DOM-based XSS patterns
|
|
*/
|
|
public function testBlocksDomBasedXss(): void
|
|
{
|
|
$domXssPatterns = [
|
|
"document.write('<script>alert(1)</script>')",
|
|
'eval(location.hash)',
|
|
'innerHTML = userInput',
|
|
'document.cookie',
|
|
'window.location = "evil.com"',
|
|
];
|
|
|
|
$blocked = 0;
|
|
|
|
foreach ($domXssPatterns as $pattern) {
|
|
$request = $this->createAttackRequest(
|
|
uri: '/api/code',
|
|
method: Method::POST,
|
|
postData: ['code' => $pattern]
|
|
);
|
|
|
|
$decision = $this->wafEngine->analyzeRequest($request);
|
|
|
|
if ($decision->shouldBlock()) {
|
|
$blocked++;
|
|
}
|
|
}
|
|
|
|
echo "✅ Blocked {$blocked}/" . count($domXssPatterns) . " DOM-based XSS patterns\n";
|
|
}
|
|
|
|
/**
|
|
* Run all XSS attack tests
|
|
*/
|
|
public function runAllTests(): array
|
|
{
|
|
$results = [];
|
|
|
|
try {
|
|
$this->testBlocksXssInQueryParams();
|
|
$results['query_params'] = 'PASS';
|
|
} catch (\Exception $e) {
|
|
$results['query_params'] = 'FAIL: ' . $e->getMessage();
|
|
}
|
|
|
|
try {
|
|
$this->testBlocksXssInPostData();
|
|
$results['post_data'] = 'PASS';
|
|
} catch (\Exception $e) {
|
|
$results['post_data'] = 'FAIL: ' . $e->getMessage();
|
|
}
|
|
|
|
try {
|
|
$this->testBlocksEventHandlerXss();
|
|
$results['event_handlers'] = 'PASS';
|
|
} catch (\Exception $e) {
|
|
$results['event_handlers'] = 'FAIL: ' . $e->getMessage();
|
|
}
|
|
|
|
try {
|
|
$this->testBlocksJavaScriptProtocol();
|
|
$results['javascript_protocol'] = 'PASS';
|
|
} catch (\Exception $e) {
|
|
$results['javascript_protocol'] = 'FAIL: ' . $e->getMessage();
|
|
}
|
|
|
|
try {
|
|
$this->testAllowsLegitimateContent();
|
|
$results['false_positives'] = 'PASS';
|
|
} catch (\Exception $e) {
|
|
$results['false_positives'] = 'FAIL: ' . $e->getMessage();
|
|
}
|
|
|
|
try {
|
|
$this->testBlocksEncodedXss();
|
|
$results['encoded_attacks'] = 'PASS';
|
|
} catch (\Exception $e) {
|
|
$results['encoded_attacks'] = 'FAIL: ' . $e->getMessage();
|
|
}
|
|
|
|
try {
|
|
$this->testBlocksDomBasedXss();
|
|
$results['dom_xss'] = 'PASS';
|
|
} catch (\Exception $e) {
|
|
$results['dom_xss'] = 'FAIL: ' . $e->getMessage();
|
|
}
|
|
|
|
return $results;
|
|
}
|
|
}
|