public void CookieNameWithPrefixSecureTester_Should_NOT_Report_If_All____secure_Cookies_Have_secure_Attribute()
{
// Prepare the test
var config = A.Fake <IResponseCookieNamePrefixTesterConfig>();
IResponseAnalyser httpOnlyTester = new CookieNameWithPrefixSecureTester(config);
var resultHolder = A.Fake <IApplicationReportDataHandler>();
httpOnlyTester.OnAnalysisResultPublished += resultHolder.HandleAnalysisResult;
var requestEvent = this.GetHttpResponseReceivedEventArgs2(UrlScheme.Https);
requestEvent.Response.Headers.Add(new HttpHeader("Set-Cookie", "__secure-Cookie1=SomeValue secure"));
requestEvent.Response.Headers.Add(new HttpHeader("Set-Cookie", "__secure-Cookie2=SomeValue2 secure"));
requestEvent.Response.Cookies.Add(new HttpCookie()
{
Name = "__secure-Cookie1", Value = "SomeValue", HttpOnly = false, IsSecure = true
});
requestEvent.Response.Cookies.Add(new HttpCookie()
{
Name = "__secure-Cookie2", Value = "SomeValue2", HttpOnly = false, IsSecure = true
});
// Invoke the method being tested
httpOnlyTester.AnalyseHttpResponse(this, requestEvent);
// Assert
Assert.IsNotNull(httpOnlyTester.Results);
Assert.IsNotNull(httpOnlyTester.Results.Count() == 0);
A.CallTo(() => resultHolder.HandleAnalysisResult(A <object> ._, A <AnalysisCompletedEventAgrs> ._)).MustNotHaveHappened();
A.CallTo(resultHolder).MustNotHaveHappened();
}
public void CookieNameWithPrefixSecureTester_Should_Report_If____secure_Cookies_Does_Not_Have_secure_Attribute_And_Accessed_Via_Http()
{
// Prepare the test
var config = A.Fake <IResponseCookieNamePrefixTesterConfig>();
IResponseAnalyser httpOnlyTester = new CookieNameWithPrefixSecureTester(config);
var resultHolder = A.Fake <IApplicationReportDataHandler>();
httpOnlyTester.OnAnalysisResultPublished += resultHolder.HandleAnalysisResult;
// Note: the __secure cookies are transferred via Http and not via HTTPS
var requestEvent = this.GetHttpResponseReceivedEventArgs2(UrlScheme.Http);
requestEvent.Response.Headers.Add(new HttpHeader("Set-Cookie", "__secure-Cookie1=SomeValue")); // no secure and accessed via http.
requestEvent.Response.Headers.Add(new HttpHeader("Set-Cookie", "__secure-Cookie2=SomeValue2 secure")); // secure but accessed via http
// no secure and accessed via http
requestEvent.Response.Cookies.Add(new HttpCookie()
{
Name = "__secure-Cookie1", Value = "SomeValue", HttpOnly = false, IsSecure = false
});
// secure but accessed via http
requestEvent.Response.Cookies.Add(new HttpCookie()
{
Name = "__secure-Cookie2", Value = "SomeValue2", HttpOnly = false, IsSecure = true
});
// Invoke the method being tested
httpOnlyTester.AnalyseHttpResponse(this, requestEvent);
// Assert
Assert.IsNotNull(httpOnlyTester.Results);
/* 1. Issue #1 The secure attribute is missing for one cookie.
* 2. the secure attribute is there for another cookie, so there is no problem with secure attribute
* 3. Issue #2 and 3: Both the __secure cookies are accessed via HTTP and not via HTTPS. So both should be reported.
* */
Assert.IsNotNull(httpOnlyTester.Results.Count() == 3);
A.CallTo(() => resultHolder.HandleAnalysisResult(A <object> ._, A <AnalysisCompletedEventAgrs> ._)).MustHaveHappened(Repeated.Exactly.Times(3));
A.CallTo(resultHolder).MustHaveHappened();
}
