cypress-pentest-plugin
v1.0.7
Published
Cypress Plugin to test web apps for security vulnerabilities
Cypress Pentesting Plugin
Cypress plugin for penetration testing web applications. It adds commands that test your web application for security flaws from within your existing Cypress test suite. The focus in this version is on injection attacks; more features will be added in the future.
THIS PLUGIN IS JUST A PROTOTYPE AND NOT READY FOR PRODUCTION USE.
Installation
- Install the plugin via npm:

```sh
npm install cypress-pentest-plugin
```

- Add `"type": "module"` to your package.json
- Create a `/logs` directory in the root of your project.
Extend Cypress Commands
In order to use the plugin functions in Cypress, you have to register the plugin's event listeners in your Cypress configuration file (cypress.config.ts/js):

```js
import { defineConfig } from "cypress";
// Import path for configurePlugin assumed from the package name;
// check the package's exports if it differs.
import { configurePlugin } from "cypress-pentest-plugin";

export default defineConfig({
  e2e: {
    setupNodeEvents(on, config) {
      // Registers the plugin's Node-side event listeners (tasks) on the Cypress event bus.
      configurePlugin(on);
      return config;
    },
  },
});
```
In the commands.ts/js support file, import and call the add-commands function:

```js
import { addCommands } from "cypress-pentest-plugin/dist/index-browser";

// Registers cy.sqlMap(), cy.checkEndpoint() and cy.reflectedXSS() as Cypress commands.
addCommands();
```
This plugin extends the Cypress commands with the following:

- `cy.sqlMap()`: Use sqlmap to test for SQL injection vulnerabilities
- `cy.checkEndpoint()`: Check if an endpoint is vulnerable to SQL injection
- `cy.reflectedXSS()`: Check if an endpoint is vulnerable to reflected XSS

And many more to come!
Usage
In your tests, you can use these functions just like any other Cypress command. You just have to intercept the request (with `cy.intercept()`) first so the plugin can see it. See the example test cases in the cypress folder.
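As an added example, not code from this plugin, the following Node module shows the core check a reflected-XSS test such as `cy.reflectedXSS()` has to make once the intercepted request has been replayed: does the probe value come back in the response body verbatim, HTML-encoded, or not at all? The function names (`buildProbe`, `assessReflection`), the marker format and the constructed sample responses are my own assumptions, not the plugin's implementation. `escapeHtml` is included as the reference output encoding that turns a "raw" verdict into an "encoded" one, which is the fix on the application side.

```javascript
// Added example (not part of cypress-pentest-plugin): classify how a probe
// value is reflected in an HTTP response body. Names and formats are assumptions.

// Characters whose unencoded reflection matters for HTML injection.
const SPECIALS = ['<', '>', '"', "'"];

// Entity forms an encoding layer may emit for each special character.
const ENTITIES = {
  '<': ['&lt;', '&#60;', '&#x3c;', '&#x3C;'],
  '>': ['&gt;', '&#62;', '&#x3e;', '&#x3E;'],
  '"': ['&quot;', '&#34;', '&#x22;'],
  "'": ['&#39;', '&#x27;', '&apos;'],
};

// A marker unlikely to occur in the page by chance. Not cryptographic;
// it only needs to be unique within one test run.
function makeMarker() {
  return 'pt' + Math.random().toString(16).slice(2, 10);
}

// Probe = marker, then each special character followed by the marker again,
// so every special can be located in the response independently.
function buildProbe(marker) {
  return marker + SPECIALS.map((ch) => ch + marker).join('');
}

// Look at each special character between two markers and decide whether it
// came back raw, entity-encoded, or was stripped/transformed.
//   none     - marker absent: the parameter is not reflected at all
//   encoded  - every special character was HTML-encoded
//   raw      - at least one special character was reflected verbatim (XSS risk)
//   altered  - reflected, but some specials were removed or changed (review manually)
function assessReflection(body, marker) {
  const rawSpecials = [];
  const encodedSpecials = [];
  for (const ch of SPECIALS) {
    if (body.includes(marker + ch + marker)) {
      rawSpecials.push(ch);
    } else if (ENTITIES[ch].some((e) => body.includes(marker + e + marker))) {
      encodedSpecials.push(ch);
    }
  }
  const reflected = body.includes(marker);
  let verdict = 'none';
  if (reflected) {
    if (rawSpecials.length > 0) verdict = 'raw';
    else if (encodedSpecials.length === SPECIALS.length) verdict = 'encoded';
    else verdict = 'altered';
  }
  return { reflected, rawSpecials, encodedSpecials, verdict };
}

// Reference output encoding: what a correctly written template does.
function escapeHtml(s) {
  const map = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[<>"']/g, (c) => map[c]);
}

// Constructed sample responses (fixed marker so results are deterministic;
// use makeMarker() in a real run).
const DEMO_MARKER = 'pt00aa';
const DEMO_PROBE = buildProbe(DEMO_MARKER);
const SAMPLE_RESPONSES = {
  safe: `<p>You searched for: ${escapeHtml(DEMO_PROBE)}</p>`,
  vulnerable: `<p>You searched for: ${DEMO_PROBE}</p>`,
  // Encodes angle brackets but leaves quotes alone: still exploitable in attributes.
  partial: `<p>You searched for: ${DEMO_PROBE.replace(/</g, '&lt;').replace(/>/g, '&gt;')}</p>`,
  // A filter that strips specials instead of encoding them.
  stripped: `<p>You searched for: ${DEMO_PROBE.replace(/[<>"']/g, '')}</p>`,
  notReflected: '<p>No results</p>',
};

// Returns { sampleName: verdict } for every constructed response.
function demo() {
  return Object.fromEntries(
    Object.entries(SAMPLE_RESPONSES).map(([name, body]) => [name, assessReflection(body, DEMO_MARKER).verdict]),
  );
}

console.log(demo());
```

In a Cypress test the body handed to `assessReflection` would be the intercepted response, and only a `raw` verdict is a finding; `encoded` means the endpoint reflects input but encodes it, and `altered` usually indicates a sanitising filter that deserves a closer look rather than an automatic pass.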
Roadmap
As mentioned above, this plugin is just a prototype. The following features are planned:
- [x] Fix the commands issue
- [ ] Add more injection attacks
- [ ] Implement a way to test for second order SQL Injection
- [ ] Add more security test cases
- [ ] Improve the methods of testing for vulnerabilities
- [x] Add more documentation
If you have any suggestions, ideas or feedback, feel free to email me here