WIP Chore/owasp #32

Draft: robdll wants to merge 12 commits into tetherto:develop from robdll:chore/owasp
robdll commented Mar 2, 2026

OWASP API Security Testing Framework

Adds an automated OWASP API Security Top 10 (2023) testing framework for all 29 MiningOS v2 endpoints using Bruno.

What's included

Test generator (owasp/bruno-tests/generate.cjs)

  • Generates 13–15 Bruno test files per endpoint from OWASP templates
  • CLI with --all, --list, --status commands
  • Endpoint registry (endpoints.json) with all 29 v2 endpoints, their params, and review status

414 generated test files covering:

| OWASP # | Category | Tests |
|---|---|---|
| #1 | Broken Object Level Authorization (BOLA) | siteId query injection, X-Site-Id / X-Forwarded-* header injection |
| #2 | Broken Authentication | No token, invalid token, empty bearer, wrong auth scheme (Basic) |
| #3 / #5 | Property & Function Level Authorization | Method fuzzing — POST, PUT, DELETE on GET-only routes |
| #4 | Unrestricted Resource Consumption | Missing required params, invalid param types |
| #7 | Server-Side Request Forgery | AWS metadata URL injection in string params |
| #8 | Security Misconfiguration | Cache-Control, HSTS, X-Content-Type-Options, X-Powered-By, duplicate headers (8 checks) |
| #9 | Improper Inventory Management | Version prefix probing (/v1/, /v2/) |

Runner script (run.sh) for running single endpoints or full suites.

Environments for dev and staging with secret token support.

Manual OWASP reviews completed

Two endpoints have been manually reviewed with detailed findings and remediation recommendations (stored in owasp/utils/, gitignored):

  • GET /auth/site/status/live — 3 FAIL (rate limiting, security headers, RPC validation)
  • GET /auth/pool-stats/aggregate — 3 FAIL + 1 WARN (rate limiting, security headers, no capCheck, RPC validation) + 5 verified peer-review bugs (missing days, broken pool filter, Sunday-based weeks, missing pool name, no week range metadata)

How to use

```sh
cd owasp/bruno-tests

# List all endpoints
node generate.cjs --list

# Check review progress
node generate.cjs --status

# Run one endpoint
npx @usebruno/cli run pool-stats-aggregate/ --env dev --env-var "token=YOUR_TOKEN"

# Run all
OWASP_TOKEN='your-token' ./run.sh
```

Test plan

  • Verify generate.cjs --list shows all 29 endpoints
  • Verify generate.cjs --all regenerates 414 test files without errors
  • Run a single endpoint suite against dev and confirm tests execute
  • Open owasp/bruno-tests/ in Bruno GUI and verify collection loads correctly
  • Confirm owasp/utils/ contents are not tracked by git
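The OWASP #8 row above lists the response-header checks the generated Bruno tests perform (Cache-Control, HSTS, X-Content-Type-Options, X-Powered-By, duplicate headers). The following is an added example, not code from this PR's generate.cjs or its Bruno templates, showing how such a header audit can be written as a plain Node function that a test (or a CI step run against a staging response) can call. The rule set, the one-year HSTS threshold, the `no-store` expectation for authenticated API responses, and the sample header arrays are all assumptions made for the example.

```javascript
// Added example (not the tetherto project's code): a standalone checker for the
// OWASP API #8 "Security Misconfiguration" header checks named in the PR.
// Rules and thresholds below are assumptions, not the project's own templates.

// Input shape: Node-style rawHeaders array [name, value, name, value, ...].
// Keeping the raw list matters because an object keyed by header name would
// silently merge duplicates, which is exactly one of the conditions we test for.
function groupHeaders(rawHeaders) {
  const grouped = new Map(); // lower-cased name -> array of values
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = String(rawHeaders[i]).toLowerCase();
    if (!grouped.has(name)) grouped.set(name, []);
    grouped.get(name).push(String(rawHeaders[i + 1]));
  }
  return grouped;
}

// Each rule returns a finding message, or null when the header set passes.
const HEADER_RULES = [
  {
    id: 'cache-control',
    check: (h) => {
      const v = h.get('cache-control');
      if (!v) return 'Cache-Control missing on an authenticated API response';
      if (!/\bno-store\b/i.test(v[0])) return `Cache-Control lacks no-store (got "${v[0]}")`;
      return null;
    },
  },
  {
    id: 'hsts',
    check: (h) => {
      const v = h.get('strict-transport-security');
      if (!v) return 'Strict-Transport-Security missing';
      const m = /max-age=(\d+)/i.exec(v[0]);
      // Assumed threshold: one year, the common preload-list minimum.
      if (!m || Number(m[1]) < 31536000) return `HSTS max-age below one year (got "${v[0]}")`;
      return null;
    },
  },
  {
    id: 'content-type-options',
    check: (h) => {
      const v = h.get('x-content-type-options');
      if (!v || v[0].trim().toLowerCase() !== 'nosniff') return 'X-Content-Type-Options is not "nosniff"';
      return null;
    },
  },
  {
    id: 'powered-by',
    check: (h) => (h.has('x-powered-by') ? `X-Powered-By leaks stack info ("${h.get('x-powered-by')[0]}")` : null),
  },
  {
    id: 'duplicate-headers',
    check: (h) => {
      const dups = [...h.entries()].filter(([, vals]) => vals.length > 1).map(([name]) => name);
      return dups.length ? `Duplicate headers: ${dups.join(', ')}` : null;
    },
  },
];

// Runs every rule and returns the list of failed checks (empty array = all pass).
function checkSecurityHeaders(rawHeaders) {
  const grouped = groupHeaders(rawHeaders);
  const findings = [];
  for (const rule of HEADER_RULES) {
    const message = rule.check(grouped);
    if (message) findings.push({ rule: rule.id, message });
  }
  return findings;
}

// Constructed sample responses for the example; not captured from any real service.
const WEAK_HEADERS = [
  'Content-Type', 'application/json',
  'X-Powered-By', 'Express',
  'Cache-Control', 'public, max-age=600',
  'Cache-Control', 'no-cache',                 // duplicated header
  'Strict-Transport-Security', 'max-age=300',  // far too short
];

const HARDENED_HEADERS = [
  'Content-Type', 'application/json',
  'Cache-Control', 'no-store',
  'Strict-Transport-Security', 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options', 'nosniff',
];

console.log('weak:', checkSecurityHeaders(WEAK_HEADERS));         // five findings
console.log('hardened:', checkSecurityHeaders(HARDENED_HEADERS)); // []
```

Because the checker returns structured findings rather than throwing on the first failure, a Bruno `tests` block or a CI script can report every misconfigured header in one run and assert that the array is empty for a hardened endpoint.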

robdll added 3 commits March 2, 2026 15:42
…istry

Scaffolding for automated OWASP API Top 10 testing across all 29 v2 endpoints.
Includes a generator script (generate.cjs) that produces 13-15 .bru test files
per endpoint, covering auth bypass, BOLA, method fuzzing, security headers,
SSRF probing, input validation, and inventory checks.

Made-with: Cursor
Auto-generated via `node generate.cjs --all`. Each endpoint folder contains
13-15 Bruno test files covering OWASP API Security Top 10 (2023) categories.

Made-with: Cursor
@robdll robdll marked this pull request as draft March 2, 2026 18:44
robdll added 9 commits March 5, 2026 13:39
Add 11 endpoint-specific Bruno tests (16-26) covering negative timestamps,
excessive limit, container filter, default params, start>end validation,
huge time ranges, path traversal, NoSQL injection, zero limit,
overwriteCache abuse, and FE response shape validation.
Update endpoints.json status to IMPLEMENTED_NOT_DEPLOYED.

Made-with: Cursor
…ntainer ID

- Fix endpoint path from /auth/containers/:id/telemetry to /auth/metrics/containers/:id
- Update expected response keys to [id, miners, telemetry]
- Set dev environment containerId to bitdeer-4a (real container on dev)
- Mark container-telemetry, containers, pools, finance-energy-balance,
  finance-ebitda, finance-cost-summary, metrics-power-mode-timeline as reviewed
  in endpoints.json

Made-with: Cursor
…ption

- Update cabinets and cabinet-detail Bruno tests with correct response keys
- Set dev environment cabinetId to lv3_pm1
- Update metrics-consumption tests with actual schema (start/end required,
  remove undocumented params)
- Mark cabinets, cabinet-detail, metrics-consumption as reviewed (13/29)

Made-with: Cursor
Mark miners endpoint as reviewed — endpoint does not exist in the backend.
Pre-implementation OWASP recommendations and implementation guide provided
in owasp/utils/owasp-miners.md. (14/29 reviewed)

Made-with: Cursor
Update endpoint registry and Bruno tests with actual schema
(start/end required, no interval param). Response keys: [log, summary].
Fractional miner counts and missing status categories documented.
(15/29 reviewed)

Made-with: Cursor