Skip to main content

Providing Authorization Information for Test Plans - Horizontal & Vertical Authorization Abuse Test Cases

Often you will want to test APIs for both Horizontal Authorization Abuse, and Vertical Authorization Abuse, in a single test plan.

This requires credentials for additional users, and their associated role information.

User role information for API endpoints is provided in the API catalog via the metadata.yml file. The metadata file specifies the various roles used by the API, and specific roles that apply to specific API endpoints.

While the metadata file is used to specify role information, the environment.yml file requires the provisioning of one or more users per role (as specified in the metadata file), and their respective authentication credentials.

For example if the metadata file has specified two roles (ROLE_USER, and ROLE_ADMIN), the autogenerated environment.yml file will have the below structure (assuming the default Bearer AuthN mechanism is being used).

# Environment file that contains users, roles and their Authentication
# mechanisms that will be used by the API endpoints.
iam:
  users:
  - name: user_1
    # Default user for `ROLE_USER` that is used in general, unless overridden by a specific test case.
    # This user is the primary user (victim) in horizontal authZ abuse test cases involving `ROLE_USER`.
    default: true
    bearer_tokens:
    - name: bearerAuth
      value: <Enter the bearer token>
    roles:
        - ROLE_USER
  - name: user_2
  # This additional user at role `ROLE_USER` is used in horizontal authZ abuse test cases.
  # This user is the secondary user (attacker) in horizontal authZ abuse test cases.
    bearer_tokens:
    - name: bearerAuth
      value: <Enter the bearer token>
      roles:
        - ROLE_USER
  - name: user_3
    # Default user for `ROLE_ADMIN` that is used in general, unless overridden by a specific test case.
    # This user is the primary user (victim) in horizontal authZ abuse test cases involving `ROLE_ADMIN`.
    default: true 
    bearer_tokens:
    - name: bearerAuth
      value: <Enter the bearer token>
    roles:
        - ROLE_ADMIN
  - name: user_4
    # This additional user at role `ROLE_ADMIN` is used in horizontal authZ abuse test cases.
    # This user is the secondary user (attacker) in horizontal authZ abuse test cases involving `ROLE_ADMIN`.
    bearer_tokens:
    - name: bearerAuth
      value: <Enter the bearer token>
    roles:
        - ROLE_ADMIN

Since the test plan has test cases for both horizontal and vertical authZ abuse, we have to provide credentials for 4 users. Two users for ROLE_USER, two users for ROLE_ADMIN. The two users at each role level will be used for the horizontal authorization abuse test cases (Victim user and Attacker user).

If using an authentication mechanism other than Bearer AuthN, please modify the auto generated YAML appropriately.