  • Stars: 559
  • Rank: 79,673 (Top 2 %)
  • Language: Java
  • License: GNU Affero Genera...
  • Created over 12 years ago
  • Updated about 2 years ago


Repository Details

BDD Automated Security Tests for Web Applications

BDD-Security is a security testing framework that uses Behaviour Driven Development concepts to create self-verifying security specifications.

The framework is essentially a set of Cucumber-JVM features that are pre-wired with Selenium/WebDriver, OWASP ZAP, SSLyze and Tenable's Nessus scanner.

It tests web applications and APIs from an external (black-box) point of view and does not require access to the target's source code.
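As an added illustration (not code from the bdd-security repository), here is the skeleton of a self-verifying specification of the kind the framework packages: a Gherkin scenario and Cucumber-JVM step definitions that read OWASP ZAP's alert list through the ZAP client API (org.zaproxy:zap-clientapi), drop triaged false positives, and fail the scenario if any alert at or above a chosen risk level remains. Assumptions: ZAP already holds the scan results for the target (earlier steps drove the crawl and scan), ZAP listens on localhost:8080 with its API key in the ZAP_API_KEY environment variable, the package name, class name, step wording, target URL and false-positive entries are hypothetical, the Cucumber 5+ package names (io.cucumber.java.en) and the ClientApi/Alert methods are as in the 1.x client library, and the false-positive format is invented for this example rather than the framework's own table format.

```java
/*
 * Added example, not bdd-security's own code. Gherkin feature shown as a comment;
 * it would live in a .feature file next to the step definitions below:
 *
 *   Feature: No unresolved high-risk ZAP findings
 *     Scenario: The target is free of High risk alerts
 *       Given the OWASP ZAP alerts for "http://target.example" have been retrieved
 *       When known false positives are filtered out
 *       Then no alerts of risk "High" or above remain
 */
package example.bddsec;   // hypothetical package

import io.cucumber.java.en.Given;
import io.cucumber.java.en.Then;
import io.cucumber.java.en.When;
import org.zaproxy.clientapi.core.Alert;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

public class ZapAlertSteps {
    // Explicit ordering for the "or above" comparison; names match the Alert.Risk constants.
    private static final List<String> RISK_ORDER =
            Arrays.asList("Informational", "Low", "Medium", "High");

    // Hypothetical triaged false positives as "<alert name>|<url>". The real framework
    // keeps these in its own table file; this format is invented for the example.
    private static final Set<String> FALSE_POSITIVES = new HashSet<>(Arrays.asList(
            "Cookie No HttpOnly Flag|http://target.example/static/analytics"));

    private List<Alert> alerts = new ArrayList<>();

    @Given("the OWASP ZAP alerts for {string} have been retrieved")
    public void fetchAlerts(String baseUrl) throws ClientApiException {
        String apiKey = System.getenv("ZAP_API_KEY");              // assumed env var
        ClientApi api = new ClientApi("localhost", 8080, apiKey);  // assumed ZAP address
        // Negative start/count leave the paging unset, so ZAP returns every alert under baseUrl.
        alerts = api.getAlerts(baseUrl, -1, -1);
    }

    @When("known false positives are filtered out")
    public void dropFalsePositives() {
        alerts = alerts.stream()
                .filter(a -> !FALSE_POSITIVES.contains(a.getAlert() + "|" + a.getUrl()))
                .collect(Collectors.toList());
    }

    @Then("no alerts of risk {string} or above remain")
    public void assertNoAlertsAtOrAbove(String minRisk) {
        List<Alert> offending = atOrAbove(alerts, minRisk);
        if (offending.isEmpty()) {
            return;
        }
        // Report every unresolved finding with its location so the failing build is actionable.
        String report = offending.stream()
                .map(a -> a.getRisk() + " " + a.getAlert() + " at " + a.getUrl()
                        + (a.getParam() == null || a.getParam().isEmpty()
                                ? "" : " (param " + a.getParam() + ")"))
                .collect(Collectors.joining("\n"));
        throw new AssertionError(offending.size() + " unresolved ZAP alert(s):\n" + report);
    }

    // Pure helper kept apart from the ZAP call so it can be unit-tested with hand-built Alerts.
    static List<Alert> atOrAbove(List<Alert> alerts, String minRisk) {
        int threshold = RISK_ORDER.indexOf(minRisk);
        if (threshold < 0) {
            throw new IllegalArgumentException("unknown risk level: " + minRisk);
        }
        return alerts.stream()
                .filter(a -> RISK_ORDER.indexOf(a.getRisk().name()) >= threshold)
                .collect(Collectors.toList());
    }
}
```

The threshold logic lives in atOrAbove rather than inside the Then step so it can be exercised without a running ZAP, and the failure message lists each offending alert with its URL and parameter, which is what turns a red build into a work item rather than a mystery.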

Documentation on the Wiki

Version 2.2 Changelog

  • Upgraded to OWASP ZAP 2.6.0
  • Upgraded ZAP Client API to 1.2.0 from maven central
  • Corrected bugs with ambiguous step definitions

Version 2.1 Changelog

  • Upgraded to OWASP ZAP 2.5.0
  • Upgraded ZAP Client API to 1.0.0 from maven central

Version 2.0 Changelog

  • Cucumber-JVM replaced JBehave
  • Gradle replaced Ant
  • Rearranged files to fit Gradle/Maven conventions
  • Removed command line runners. Tests run from Gradle

The legacy JBehave version is available on the jbehave branch.

v0.9.2 Changelog

  • Integrated with OWASP ZAP 2.4.3.
  • Support setting an API KEY for ZAP

v0.9.1 Changelog

  • HtmlUnitDriver support; it is now the default driver when no other driver is specified in config.xml. Large speed improvement.
  • Support for testing non-browser-based web services and APIs. See the getting started guide for more details.
  • Removed all TestNG tests.

v0.9 Changelog

  • Moved tables that are auto-generated during startup into the stories/auto-generated folder. User-editable tables stay in the stories/tables folder.
  • Hosts and expected open ports are defined in config.xml; the Nessus and port-scanning stories now read their target data from that file
  • Moved the Nessus false positives to tables/nessus.false_positives.table
  • Moved the OWASP ZAP false positives to tables/zap.false_positives.table
  • Fixed bug in the portscan story
  • Enabled portscanning of multiple hosts

More Repositories

  1. OpenThreatModel (162 stars): The Open Threat Modeling Format (OTM) defines a platform independent way to define the threat model of any system.
  2. zap-webdriver (Java, 65 stars): Example security tests using Selenium WebDriver and OWASP ZAP
  3. Community (Python, 61 stars): IriusRisk Community
  4. startleft (Python, 42 stars): StartLeft is an automation tool for generating Threat Models written in the Open Threat Model (OTM) format from a variety of different sources such as IaC files, diagrams or projects exported from Threat Modelling tools.
  5. resty-burp (Java, 33 stars): REST/JSON interface to Burp Suite
  6. nessus-java-client (Java, 23 stars): A minimal Java client for the Nessus XML RPC interface
  7. RopeyTasks (Groovy, 22 stars): Deliberately vulnerable web application
  8. zap-java-api (Java, 19 stars): A client API for OWASP ZAP that uses Java types.
  9. GoCD-EC2-Elastic-Agent-Plugin (Java, 12 stars): Plugin for GoCD server that will spin up and shut down EC2 instances as its agent workers on demand
  10. iriusrisktoolkitui (Python, 9 stars): IriusRiskToolKitUI is a Python GUI client for working with several common tasks regarding security content management in the IriusRisk platform.
  11. IriusRisk-Central (Python, 7 stars): Provides content useful for IriusRisk threat modelling, including templates, API scripts, libraries and more.
  12. bdd-security.iriusrisk (Java, 5 stars): Testing of the IriusRisk community edition
  13. iriusrisk-threat-model-verification-suite (Python, 4 stars)
  14. iriusrisk-cli (Java, 1 star): Command Line Interface for IriusRisk
  15. jsslyze (Java, 1 star): Java wrapper for SSLyze
  16. iriusrisk-client-lib (Java, 1 star): IriusRisk client Java library
  17. spring-insecure-sample (Java, 1 star): How to secure the default AppFuse Spring MVC application.
  18. bdd-teammentor (Java, 1 star): A BDD-Security project for TeamMentor
  19. IriusTest.policy (CSS, 1 star): Example of how human-verifiable security policies can be written in IriusTest