
vega's People

Contributors

chemxy, ekanemeinstein, sispuella, ale-torres, mattmc-00


vega's Issues

Wrong npm start script

Wrong npm start script for the expressjs server: was "NODE_ENV=development node index.js", should be "node index.js NODE_ENV=development"

No error handling for login function.

The website will crash if the wrong username and password are provided on the login page.

Scenario: User attempts to log in with invalid credentials
Given User is on the Login/SignUp page
When User enters a valid username into the username field
And User enters incorrect password
And User clicks on the Submit button
Then The user should see the prompt “Incorrect username and or password”

New Feature: Vega Vault

As a vega user, I should be able to manage my secrets, including the following actions:

Feature: Admin User should be able to manage the secrets of all users
Scenario: Admin User should see all secrets of all users
Given User logs in as admin
When User navigates to Manage Secret tab
Then User should see all secrets of all users

Scenario: Admin User should be able to delete all secrets of all users
Given User logs in as admin
When User navigates to Manage Secret tab
And User deletes a secret of a user
Then User should see the secret was deleted

Scenario: Admin User should be able to update all secrets of all users
Given User logs in as admin
When User navigates to Manage Secret tab
And User clicks on Edit of a secret entry of a user
And User changes the name of the secret
Then User should see the secret was updated

Scenario: Admin User should be able to create a secret for a user
Given User logs in as admin
When User navigates to Manage Secret tab
And User clicks on Create button
And User enters the name of the secret
And User enters the creation date/time of the secret
And User enters the data of the secret
And User enters the user’s identity
And User clicks on OK button
Then User should see the newly-created secret in the secret list

Scenario: Admin User should see a report of all secrets
Given User logs in as admin
When User navigates to Report tab
Then User should see a report of all secrets

Scenario: Admin User should see a report of all secrets
Given User logs in as admin
When User navigates to Manage Secret tab
And User sets the threshold of the max secrets a user can add per day
Then User should see the threshold was updated

Vulnerability: Content Security Policy (CSP) Header Not Set

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.

Vulnerability: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.

Ensure that your web server, application server, load balancer, etc. is configured to suppress "X-Powered-By" headers.

Vulnerability: X-Content-Type-Options Header Missing

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Contact Us page: Name field requires validating the email format

Scenario: User inputs an invalid Name
Given The user is on the Contact Us page
When User enters a name without acceptable syntax
And User enters a valid email
And User enters a valid message
And User clicks on Submit
Then An error message “! Please include an ‘@’ in the email address. ‘S’ is missing an ‘@’” gets prompted

Vulnerability: CSP Wildcard Directive

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

The directives frame-ancestors and form-action are among the directives that do not fall back to default-src; missing or excluding them is the same as allowing anything.

Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

Vulnerability: Missing Anti-clickjacking Header

The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.

Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.

If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

No register function for public site visitors.

Scenario: User creating a new account
Given User is on the Login/Signup page
When The user enters an unused username and password
And User clicks ‘Submit’
Then A new account is created with the entered credentials

“About Us” navbar option not working

“About Us” navbar option not working.

Scenario: User would like to see the background information of our company
Given User is on the Vega webpage
When User clicks on “About us” button
Then User is directed to the About us page
And The corresponding background information is presented to the User

New Feature: Add CRUD functionalities to News&Events component

Add CRUD functionalities to the News&Events component so that an administrator can perform the following actions:

  1. add a new news entry
  2. delete a news entry
  3. update a news entry

Feature: Admins and employees should be able to manage News & Events entries.
Scenario: Admins should be able to create News & Events entries.
Given User logs in as admin
When User navigates to News & Events tab
And User clicks on Create button
And User enters the information of the entry
And User clicks on OK button
Then User should see the entry was created

Scenario: Admins should be able to edit News & Events entries.
Given User logs in as admin
When User navigates to News & Events tab
And User clicks on Edit of an entry
And User changes the information in the selected entry
Then User should see the entry was updated

Scenario: Employees should be able to create News & Events entries.
Given User logs in as employee
When User navigates to News & Events tab
And User clicks on Create button
And User enters the information of the entry
And User clicks on OK button
Then User should see the entry was created

Scenario: Employees should be able to edit News & Events entries.
Given User logs in as employee
When User navigates to News & Events tab
And User clicks on Edit of an entry
And User changes the information in the selected entry
Then User should see the entry was updated

Vulnerability: Content Security Policy (CSP) Header Not Set

Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
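The header findings filed against this expressjs server (CSP not set, X-Powered-By leak, X-Content-Type-Options missing, CSP wildcard directive, missing anti-clickjacking header, CORS wildcard) share one fix: a middleware that sets the right response headers. As an added example that is not the vega project's own code, the block below audits a response header set against those findings and shows an Express-style middleware that resolves them; the middleware name securityHeaders, the concrete CSP values and the sample headers are assumptions, and it needs no dependencies because it only uses getHeader/setHeader/removeHeader on the response object.

```javascript
// Added example, not the vega project's own code: an audit for the findings above plus an
// Express-style middleware that resolves them. CSP values are assumptions for a typical app.
const HARDENED_HEADERS = {
  'Content-Security-Policy': [
    "default-src 'self'",
    "frame-ancestors 'none'",  // no fallback to default-src; also covers clickjacking
    "form-action 'self'",      // no fallback to default-src
  ].join('; '),
  'X-Frame-Options': 'DENY',   // for browsers that predate frame-ancestors
  'X-Content-Type-Options': 'nosniff',
};

// Directive names present in a CSP value such as "default-src 'self'; form-action 'self'".
function cspDirectives(csp) {
  return new Set(csp.split(';').map(d => d.trim().split(/\s+/)[0]).filter(Boolean));
}
// Audits a plain {name: value} header object (names case-insensitive) and returns the
// titles of the findings from the issues above that still apply.
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  const directives = cspDirectives(h['content-security-policy'] || '');
  if (!h['content-security-policy']) findings.push('Content Security Policy (CSP) Header Not Set');
  else if (!directives.has('frame-ancestors') || !directives.has('form-action'))
    findings.push('CSP Wildcard Directive');  // an omitted directive allows anything
  if (!directives.has('frame-ancestors') && !h['x-frame-options'])
    findings.push('Missing Anti-clickjacking Header');
  if ('x-powered-by' in h) findings.push('Server Leaks Information via "X-Powered-By"');
  if (h['x-content-type-options'] !== 'nosniff') findings.push('X-Content-Type-Options Header Missing');
  if (h['access-control-allow-origin'] === '*') findings.push('CORS misconfiguration');
  return findings;
}

// Express-style middleware (hypothetical name): strips the leaking and wildcard headers,
// then sets the hardened ones. Needs only getHeader/setHeader/removeHeader on res.
function securityHeaders(req, res, next) {
  res.removeHeader('X-Powered-By');
  if (res.getHeader('Access-Control-Allow-Origin') === '*') res.removeHeader('Access-Control-Allow-Origin');
  for (const [name, value] of Object.entries(HARDENED_HEADERS)) res.setHeader(name, value);
  if (typeof next === 'function') next();
}
// Constructed sample: headers of an out-of-the-box Express response, before hardening.
const BEFORE = { 'X-Powered-By': 'Express', 'Content-Type': 'text/html', 'Access-Control-Allow-Origin': '*' };
// Runs the middleware against a minimal fake res and returns the resulting header set.
function harden(headers) {
  const store = { ...headers };
  const res = { getHeader: n => store[n], setHeader: (n, v) => { store[n] = v; }, removeHeader: n => { delete store[n]; } };
  securityHeaders({}, res); return store;
}
```

In a real app the middleware is registered with app.use() before any route so every response carries the headers; auditHeaders(BEFORE) reports all five findings and auditHeaders(harden(BEFORE)) reports none.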
