chore: update example tests in contribution docs #86

Merged 1 commit on May 6, 2023
60 changes: 29 additions & 31 deletions content/development/contribution_guidelines.md
Expand Up @@ -370,26 +370,26 @@ Full documentation of the required formatting and available options of the YAML
Example of a simple *positive test*:

```yaml
- test_title: 932100-21
- test_title: 932230-26
desc: "Unix command injection"
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Accept: */*
method: POST
uri: "/"
data: "var=` /bin/cat /etc/passwd`"
version: HTTP/1.0
output:
log_contains: id "932100"
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "var=` /bin/cat /etc/passwd`"
version: HTTP/1.1
output:
log_contains: id "932230"
```

This test will succeed if the log output contains `id "932100"`, which would indicate that the rule in question matched and generated an alert.
This test will succeed if the log output contains `id "932230"`, which would indicate that the rule in question matched and generated an alert.

It's important that tests consistently include the HTTP header fields `Host`, `User-Agent`, and `Accept`. CRS includes rules that detect if these headers are missing or empty, so these headers should be included in each test to avoid unnecessarily causing those rules to match. Ideally, *each positive test should cause* **only** *the rule in question to match*.
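
Review bot: The positive example keeps the same `data` payload and `desc` while the expected id moves from 932100 to 932230 in `test_title`, `log_contains` and the sentence below the block, and nothing in the surrounding text says why. A short note that the title and the `log_contains` id must name the rule that actually matches this payload would help contributors who copy the example. The formatting also diverges from the negative example updated in this same change: here `version: HTTP/1.1` is set and `dest_addr`, `method` and `Host` are unquoted, while the negative example omits `version` and quotes those values. Pick one convention for both examples, since the docs present them as templates.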

Expand All @@ -400,26 +400,24 @@ The rule's description field, `desc`, is important. It should describe what is b
Example of a simple *negative test*:

```yaml
- test_title: 932150-5
desc: "Natural language 'ping pong tables' should not cause FPs"
- test_title: 932260-4
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Accept: */*
method: POST
uri: "/"
data: "foo=ping pong tables"
version: HTTP/1.0
output:
no_log_contains: id "932150"
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "OWASP CRS test agent"
Host: "localhost"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: 'foo=ping pong tables'
uri: '/post'
output:
no_log_contains: id "932260"
```

This test will succeed if the log output does **not** contain `id "932150"`, which would indicate that the rule in question did **not** match and so did **not** generate an alert.
This test will succeed if the log output does **not** contain `id "932260"`, which would indicate that the rule in question did **not** match and so did **not** generate an alert.

### Encoded and Raw Requests
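
Review bot: The updated negative example drops the `desc` line, yet the paragraph just before it (visible in the hunk header) states that the `desc` field is important. Keep a description in the new test, for instance by carrying over the removed `desc: "Natural language 'ping pong tables' should not cause FPs"`, so the example follows the guidance it sits under. The block also omits the `version` key that the positive example sets, and orders `headers`, `data` and `uri` differently; aligning the two examples would make them easier to copy.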
