{
  "tasks": [
    {
      "id": "basic_validation",
      "name": "Basic Endpoint Validation",
      "difficulty": "easy",
      "description": "Test all CRUD endpoints with valid inputs and verify correct status codes.",
      "max_steps": 25,
      "bugs": ["BUG_TASK_01", "BUG_TASK_02", "BUG_TASK_03"]
    },
    {
      "id": "edge_cases",
      "name": "Edge Cases & Error Handling",
      "difficulty": "medium",
      "description": "Test boundary conditions, invalid inputs, and error responses.",
      "max_steps": 35,
      "bugs": [
        "BUG_TASK_01", "BUG_TASK_02", "BUG_TASK_03",
        "BUG_TASK_04", "BUG_TASK_05", "BUG_TASK_06",
        "BUG_USER_01", "BUG_USER_02", "BUG_AUTH_02"
      ]
    },
    {
      "id": "security_workflows",
      "name": "Security & Multi-Step Workflows",
      "difficulty": "hard",
      "description": "Discover authorization flaws, injection vulnerabilities, and workflow bugs.",
      "max_steps": 45,
      "bugs": [
        "BUG_TASK_01", "BUG_TASK_02", "BUG_TASK_03",
        "BUG_TASK_04", "BUG_TASK_05", "BUG_TASK_06",
        "BUG_TASK_07", "BUG_TASK_08", "BUG_TASK_09",
        "BUG_USER_01", "BUG_USER_02",
        "BUG_AUTH_01", "BUG_AUTH_02"
      ]
    }
  ],
  "bug_registry": {
    "BUG_TASK_01": {
      "severity": "easy",
      "category": "status_code",
      "owasp": "API8:2023 Security Misconfiguration",
      "description": "GET /tasks/{id} returns 200 with null for non-existent task",
      "recommendation": "Return 404 Not Found for non-existent resources"
    },
    "BUG_TASK_02": {
      "severity": "easy",
      "category": "validation",
      "owasp": "API8:2023 Security Misconfiguration",
      "description": "POST /tasks with missing title returns 500 instead of 400",
      "recommendation": "Validate required fields and return 400/422 with descriptive error"
    },
    "BUG_TASK_03": {
      "severity": "easy",
      "category": "validation",
      "owasp": "API8:2023 Security Misconfiguration",
      "description": "GET /tasks?page=-1 returns 200 instead of 400",
      "recommendation": "Validate pagination parameters: page >= 1, limit > 0"
    },
    "BUG_TASK_04": {
      "severity": "medium",
      "category": "validation",
      "owasp": "API8:2023 Security Misconfiguration",
      "description": "PUT /tasks/{id} accepts invalid email format",
      "recommendation": "Validate email format with regex before accepting"
    },
    "BUG_TASK_05": {
      "severity": "medium",
      "category": "status_code",
      "owasp": "API8:2023 Security Misconfiguration",
      "description": "DELETE /tasks/{id} returns 200 for non-existent task",
      "recommendation": "Check resource existence before deletion, return 404 if missing"
    },
    "BUG_TASK_06": {
      "severity": "medium",
      "category": "validation",
      "owasp": "API4:2023 Unrestricted Resource Consumption",
      "description": "No pagination cap on limit parameter",
      "recommendation": "Cap pagination limit at 100, reject values above maximum"
    },
    "BUG_TASK_07": {
      "severity": "hard",
      "category": "security",
      "owasp": "API1:2023 Broken Object Level Authorization",
      "description": "BOLA: any user can access any task",
      "recommendation": "Verify resource ownership: check task.owner_id matches authenticated user"
    },
    "BUG_TASK_08": {
      "severity": "hard",
      "category": "validation",
      "owasp": "API4:2023 Unrestricted Resource Consumption",
      "description": "Long title causes 500 error",
      "recommendation": "Add input length validation: title max 200 chars"
    },
    "BUG_TASK_09": {
      "severity": "hard",
      "category": "security",
      "owasp": "API8:2023 Security Misconfiguration",
      "description": "SQL injection payload stored verbatim",
      "recommendation": "Sanitize user input before storage, escape HTML/SQL special characters; note that escaping input at storage time is not a substitute for parameterized queries on every database access or for context-aware output encoding when the value is rendered"
    },
    "BUG_USER_01": {
      "severity": "medium",
      "category": "validation",
      "owasp": "API8:2023 Security Misconfiguration",
      "description": "POST /users accepts invalid email",
      "recommendation": "Validate email format server-side before creating user"
    },
    "BUG_USER_02": {
      "severity": "medium",
      "category": "security",
      "owasp": "API3:2023 Broken Object Property Level Authorization",
      "description": "Response exposes password hash",
      "recommendation": "Never return sensitive fields (password_hash) in API responses"
    },
    "BUG_AUTH_01": {
      "severity": "hard",
      "category": "security",
      "owasp": "API1:2023 Broken Object Level Authorization",
      "description": "Broken authorization: cross-user token access",
      "recommendation": "Enforce ownership check on all write operations (PUT/DELETE)"
    },
    "BUG_AUTH_02": {
      "severity": "medium",
      "category": "security",
      "owasp": "API2:2023 Broken Authentication",
      "description": "Empty password login succeeds",
      "recommendation": "Validate password is non-empty and verify against stored hash"
    }
  }
}