SecTester v1.1.0 has been released!

The SecTester shard has been released with v1.1.0 being the latest!

The shard allows you to run security tests as part of the Specs flow, integrating a comprehensive security scanner directly into the development process.

What have we got?

- New formatting of issues
- New options for spec control

```crystal
require "http/server"
require "uri"
require "sec_tester"

it "tests my app for XSS" do
  # Deliberately vulnerable handler: the user-controlled "name" parameter is
  # reflected into the HTML body unescaped, which is what the XSS check exercises.
  server = HTTP::Server.new do |context|
    name = URI.decode_www_form(context.request.query_params["name"]?.to_s)

    context.response.content_type = "text/html"
    context.response << <<-EOF
      <html>
        <body>
          <h1>Hello, world!</h1>
          <p>#{name}</p>
        </body>
      </html>
      EOF
  end

  # Bind to a free local port and serve in a fiber so the scan can reach it.
  addr = server.bind_unused_port
  spawn do
    server.listen
  end

  # Point the scanner at the local server and run only the XSS check.
  tester = SecTester::Test.new
  tester.run_check(
    scan_name: "UnitTestingScan - XSS",
    test_name: "xss",
    target: SecTester::Target.new("http://#{addr}/?name=jhon")
  )
ensure
  # Both may be nil if an earlier step raised, hence `try`.
  server.try &.close
  tester.try &.cleanup
end
```

Example of usage in CI

```yaml
steps:
  - name: Install npm and Repeater
    run: |
      apt update
      apt-get install -y libnode-dev node-gyp libssl-dev
      apt-get install -y nodejs npm
      npm install -g @neuralegion/nexploit-cli --unsafe-perm=true
  - name: Run tests
    env:
      NEXPLOIT_TOKEN: ${{ secrets.NEXPLOIT_TOKEN }}
    run: crystal spec
```
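As an added example (not part of the announcement or the shard's own code): the same spec with the reflected parameter HTML-escaped, i.e. the fix the XSS check is meant to confirm. It assumes Crystal's standard-library `HTML.escape` and the `SecTester::Test#run_check` call shown in the announcement; the `hardened_server` helper and the spec name are this example's own.

```crystal
require "spec"
require "html"
require "http/server"
require "uri"
require "sec_tester"

# Hypothetical helper: same handler shape as the vulnerable spec, but the
# user-controlled value is HTML-escaped before it is written into the body,
# so a payload such as <script> is rendered as text rather than as markup.
def hardened_server : HTTP::Server
  HTTP::Server.new do |context|
    name = URI.decode_www_form(context.request.query_params["name"]?.to_s)

    context.response.content_type = "text/html"
    context.response << <<-EOF
      <html>
        <body>
          <h1>Hello, world!</h1>
          <p>#{HTML.escape(name)}</p>
        </body>
      </html>
      EOF
  end
end

it "reflects the name parameter without an XSS finding" do
  server = hardened_server
  tester = SecTester::Test.new
  begin
    addr = server.bind_unused_port
    spawn { server.listen }

    # Same check as the announcement's example; with escaped output the scan
    # should complete without the scanner reporting a reflected XSS issue.
    tester.run_check(
      scan_name: "UnitTestingScan - XSS (escaped output)",
      test_name: "xss",
      target: SecTester::Target.new("http://#{addr}/?name=jhon")
    )
  ensure
    server.close
    tester.cleanup
  end
end
```

Keeping the vulnerable and hardened specs side by side in the suite gives a regression pair: the first should keep failing and the second should keep passing as the handler evolves.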