CrAPI Sample App - Part 2
The test plan that was created was auto-configured because you selected Auto-populate API parameters for this test plan in the previous step.
Just like developers drive tests with JUnit and PyTest fixtures, Levo's test plans use fixtures to drive tests. The fixtures provide seed values for the API parameters required for the tests to execute properly.
Levo used the examples in the OpenAPI specification to auto-populate these fixtures.
5. Install Levo CLI & Login
Levo CLI is the test runner that will execute the test plan against your running instance of crAPI.
Follow the instructions here to install Levo CLI and authenticate it with Levo SaaS.
Skip this step if you have already completed it.
6. Execute the test plan against crAPI
Now we will use the Levo CLI to execute the test plan.
- Ensure you copied the LRN (Levo Resource Name) to the clipboard in the previous step.
- Ensure you downloaded the environment.yml file from the test plan to your desktop.
- Ensure the environment.yml file is in the same directory from which you launch Levo CLI. You may need to copy the file to the directory from where you launch the CLI.
Execute the following in the shell where you installed Levo CLI:
# Use `host.docker.internal` instead of `localhost` or `127.0.0.1` if crAPI is running on your local machine.
# Modify the --target-url value below if crAPI is running elsewhere.
export TEST_PLAN_LRN="<LRN value copied to your clipboard in previous steps>"
# Execute security tests against crAPI
levo test --test-plan $TEST_PLAN_LRN --target-url http://host.docker.internal:8888 --env-file environment.yml
View the test results in the Test Runs page
- In the Levo SaaS console side panel, click on Test Runs and navigate to your most recent test run results.
- You will notice that Levo has found failed test cases and a Broken Object Level Authorization (BOLA) vulnerability. Navigate to the BOLA test case status, and review the summary and the logs.
Verify results using crAPI's Hackpad (Optional)
In crAPI, use the top-level menu to navigate to Hackpad. Follow the instructions in the Hackpad to verify whether the IDOR finding reported by Levo is a true positive.
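The BOLA finding above and the true-positive check in the Hackpad both come down to one question: does the API verify that the caller owns the object it asked for, or only that the caller is logged in? The following added example (constructed in memory; it is not crAPI's or Levo's code and makes no network calls) puts a vulnerable handler beside a fixed one and runs the kind of two-user comparison a BOLA test case performs, so you can see what "pass", "fail" and an inconclusive fixture problem look like before reading the real logs.

```python
"""Object-level authorization: a vulnerable handler beside a fixed one, plus a
check that distinguishes them the way a BOLA test case does.

Added illustration, not crAPI's or Levo's code. Users, objects and handlers
are constructed in memory; a handler returns (http_status, payload).
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Stands in for an authenticated caller (e.g. a bearer token's subject)."""
    user_id: str


# Constructed object store: vehicle id -> owner and data.
VEHICLES = {
    "veh-0001": {"owner": "alice", "location": (37.77, -122.41)},
    "veh-0002": {"owner": "bob", "location": (40.71, -74.00)},
}

Handler = Callable[[Session, str], Tuple[int, Optional[tuple]]]


def get_vehicle_location_vulnerable(session: Session, vehicle_id: str):
    """BOLA: the caller is authenticated, but ownership is never checked,
    so any logged-in user can read any vehicle's location."""
    v = VEHICLES.get(vehicle_id)
    if v is None:
        return 404, None
    return 200, v["location"]


def get_vehicle_location_fixed(session: Session, vehicle_id: str):
    """Authorization is decided against the object's owner, not just the
    caller's identity. Missing and foreign objects get the same 404 so the
    response does not reveal which ids exist."""
    v = VEHICLES.get(vehicle_id)
    if v is None or v["owner"] != session.user_id:
        return 404, None
    return 200, v["location"]


def bola_check(handler: Handler, owner: Session, other: Session, object_id: str):
    """Mimic a BOLA test case with two authenticated users.

    Returns (verdict, detail):
      "fail"         the non-owner could read the owner's object
      "pass"         the non-owner was refused
      "inconclusive" the owner could not read it either, which points at a
                     fixture problem (wrong id or credentials), not a finding
    """
    owner_status, _ = handler(owner, object_id)
    other_status, _ = handler(other, object_id)
    if owner_status != 200:
        return "inconclusive", f"owner received {owner_status} for {object_id}"
    if other_status == 200:
        return "fail", f"non-owner received {other_status} for {object_id}"
    return "pass", f"non-owner received {other_status} for {object_id}"


if __name__ == "__main__":
    alice, bob = Session("alice"), Session("bob")
    for name, handler in (("vulnerable", get_vehicle_location_vulnerable),
                          ("fixed", get_vehicle_location_fixed)):
        print(name, bola_check(handler, alice, bob, "veh-0001"))
```

The "inconclusive" branch is the part that matters when triaging a real run: a 4xx for both users usually means the fixture (the seeded id or the credentials in environment.yml) is wrong, and such a case should be fixed and re-run rather than counted as a pass or a fail.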