Suite: core_features
Feature: Injecting sql in groups search field
In order to inject javascript in group search field and group name field
As an admin
To see if mahara is secure enough
- Given the following site settings are set:
  | field | value |
  | skins | 1 |
- Given I log in as "admin" with password "Kupuh1pa!"
- And I choose "Groups" in "Engage" from main menu
- And I click on "Create group"
- And I set the following fields to these values:
  | Group name | <script>alert(1);</script> |
  | Group description | <script>alert(1);</script> |
  | Open | Off |
  | Hide group | Off |
- And I click on "Save group"
- And I should see "Group saved successfully"
- And I choose "Administer groups" in "Groups" from administration menu
- When I set the following fields to these values:
  | search_query | <script>alert(1);</script> |
- And I click on "Search"
- And I click on "About"
- And I should see "About us"
- Then I go to "homepage"
- Given the following site settings are set:
  | field | value |
  | skins | 1 |
- Given I log in as "admin" with password "Kupuh1pa!"
- And I choose "Skins" in "Create" from main menu
- And I click on "Create skin"
- When I set the following fields to these values:
  | Skin title | <script>alert(1);</script> |
  | Skin description | <script>alert(1);</script> |
  | Skin access | This is a private skin |
- And I click on "Save"
- And I should see "Skin saved successfully"
- And I should not see a popup
- Given the following site settings are set:
  | field | value |
  | skins | 1 |
- Given I log in as "admin" with password "Kupuh1pa!"
- And I choose "Files" in "Create" from main menu
- And I attach the file "Image2.png" to "File"
- And I click on "Delete"
- And I should see "Are you sure you want to delete this file?" in popup
- And I accept the confirm popup
Feature: Attempt sql inject on login form
In order to make sure JavaScript could not be passed to data base
As a visitor
So I can see that Mahara could not be hacked
- Given I set the following fields to these values:
  | Username | admin |
  | Password | ' OR 1=1;-- |
- When I click on "Login"
- Then I should see "You have not provided the correct credentials to log in. Please check your username and password are correct."
Feature: Check search is free from sql vulnerability
In order to check the main search field is secure
As an admin I want to inject sql into the search field
So I can check the field doesn't error
- Given I log in as "admin" with password "Kupuh1pa!"
- When I set the following fields to these values:
  | Search for people | 'or 1=1;-- |
- And I click on "Go"
- Then I should see "No search results found"
Feature: Suckypasswords Test increase of array size
In order to limit the crappy passwords people try to put in
As an admin
So I can make sure that my users/myself have decent passwords
- Given the following "users" exist:
  | username | password | email | firstname | lastname | institution | authname | role |
  | Supercool | Kupuh1pa! | Supercool@example.org | Super | Cool | mahara | internal | member |
- Given I log in as "admin" with password "Kupuh1pa!"
- And I choose "Preferences" in "Settings" from account menu
- And I fill in "Current password" with "Kupuh1pa!"
- And I fill in "New password" with "abc123"
- And I fill in "Confirm password" with "abc123"
- And I click on "Save"
- And I should see "Password must be at least 8 characters long."
- And I fill in "Current password" with "Kupuh1pa!"
- And I fill in "New password" with "administrator"
- And I fill in "Confirm password" with "administrator"
- And I click on "Save"
- And I should see "Password must contain upper and lowercase letters, numbers, symbols."
- And I fill in "Current password" with "Kupuh1pa!"
- And I fill in "New password" with "Admin@123"
- And I fill in "Confirm password" with "Admin@123"
- And I click on "Save"
- And I should see "Your password is too easy"
- And I log out
- Given the following "users" exist:
  | username | password | email | firstname | lastname | institution | authname | role |
  | Supercool | Kupuh1pa! | Supercool@example.org | Super | Cool | mahara | internal | member |
- Given I log in as "Supercool" with password "Kupuh1pa!"
- And I choose "Preferences" in "Settings" from account menu
- And I fill in "Current password" with "Kupuh1pa!"
- And I fill in "New password" with "fastdog"
- And I fill in "Confirm password" with "fastdog"
- And I click on "Save"
- And I should see "Password must be at least 8 characters long."
- And I fill in "Current password" with "Kupuh1pa!"
- And I fill in "New password" with "supercool"
- And I fill in "Confirm password" with "supercool"
- And I click on "Save"
- And I should see "Passwords are case sensitive and must be different from your username."
- And I fill in "Current password" with "Kupuh1pa!"
- And I fill in "New password" with "administrator"
- And I fill in "Confirm password" with "administrator"
- And I click on "Save"
- And I should see "Password must contain upper and lowercase letters, numbers, symbols."
- And I fill in "Current password" with "Kupuh1pa!"
- And I fill in "New password" with "P@ssw0rd"
- And I fill in "Confirm password" with "P@ssw0rd"
- And I click on "Save"
- And I should see "Your password is too easy"
- And I log out