Cypress Pentesting Plugin

Cypress plugin for penetration testing web applications. This plugin offers a multitude of functions to test for security flaws in your web application. The focus in this version is on injection attacks, more features will be added in the future.

THIS PLUGIN IS JUST A PROTOTYPE AND NOT READY FOR PRODUCTION USE.

Installation

1. Install the plugin via npm:

npm install cypress-pentest-plugin

2. add "type": "module" to your package.json
3. Create a /logs directory in the root of your project.

Extend Cypress Commands

In order to use the plugin functions in Cypress, you have to add the event listeners to your cypress configuration file:

export default defineConfig({
    e2e: {
        setupNodeEvents(on, config) {
            configurePlugin(on);
            return config;
        },

    }
})

In the commands.ts/js, insert the add commands function:

// import {  addCommands } from "cypress-pentest-plugin/dist/index-browser";
addCommands();

This plugin extends Cypress commands with the following:

• cy.sqlMap(): Use sqlmap to test for SQL injection vulnerabilities
• cy.checkEndpoint(): Check if an endpoint is vulnerable to SQL injection
• cy.reflectedXSS(): Check if an endpoint is vulnerable to reflected XSS

And many more to come!

Usage

In your Tests, you can use the functions just like any other Cypress function. You just have to intercept the request. See the example test cases in the cypress folder.

Roadmap

As mentioned before, this plugin is just a prototype. The following features will be added in the future:

• [x] Fix the commands issue
• [ ] Add more injection attacks
• [ ] Implement a way to test for second order SQL Injection
• [ ] Add more security test cases
• [ ] Improve the methods of testing for vulnerabilities
• [x] Add more documentation

If you have any suggestions, ideas or feedback, feel free to email me here