Security Testing

Security testing must be performed before every deployment. This guide covers how to test for common vulnerabilities.

SQL Injection Testing

Test Procedure

  1. Identify all user input points in your code
  2. Test with malicious SQL payloads
  3. Verify queries are parameterized

Test Cases

# Test with SQL injection payloads (-i prints the status line and headers)
curl -i -X POST https://reformer-platform.onrender.com/api/vimeo/search \
  -H "Content-Type: application/json" \
  -d '{
    "keywords": ["'\'' OR '\''1'\''='\''1"],
    "workout_type": "pilates"
  }'

# Expected: Empty results or validation error
# NOT: Database error or unexpected data returned

Payloads to Test

const sqlInjectionPayloads = [
  "' OR '1'='1",
  "'; DROP TABLE users; --",
  "' UNION SELECT * FROM accounts --",
  "1' OR '1'='1' --",
  "admin'--",
  "' OR 1=1--",
  "' OR 'a'='a"
];

What to Look For

  • ❌ Database errors in response
  • ❌ Unexpected data returned
  • ❌ Stack traces showing SQL queries
  • ✅ Validation errors or empty results
  • ✅ No database errors in logs
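As an added example (not code from the guide or the project), a JavaScript grader that applies the "What to Look For" criteria to a response and a runner that drives every payload above through an injected send function; the keywords/workout_type fields come from the curl example, the database error signatures are assumptions.

```javascript
// Added example, not the project's own code. Grades a response to one SQL
// injection payload and drives every payload through an injected transport.
const sqlInjectionPayloads = [
  "' OR '1'='1", "'; DROP TABLE users; --", "' UNION SELECT * FROM accounts --",
  "1' OR '1'='1' --", "admin'--", "' OR 1=1--", "' OR 'a'='a",
];

// Assumed signatures that mean the database engine (not the validator) saw
// the payload. Validation errors often echo the payload back, so the payload
// text itself is deliberately NOT treated as evidence.
const DB_ERROR_PATTERNS = [
  /syntax error at or near/i,         // PostgreSQL parser
  /unterminated quoted string/i,      // PostgreSQL parser
  /ER_PARSE_ERROR|SQLSTATE/i,         // MySQL / generic driver codes
  /\bat [^\n"]+\.js:\d+:\d+/,         // a Node stack-trace frame in the body
];

function countRows(body) {
  if (Array.isArray(body)) return body.length;
  if (body && typeof body === "object") {
    const arr = Object.values(body).find(Array.isArray);
    return arr ? arr.length : 0;
  }
  return body ? 1 : 0; // a non-empty primitive body still counts as data
}

// Returns { pass, reason } for one response { status, body }.
function classifySqlInjectionResponse({ status, body }) {
  const text = typeof body === "string" ? body : JSON.stringify(body ?? "");
  const leak = DB_ERROR_PATTERNS.find((re) => re.test(text));
  if (leak) return { pass: false, reason: `database detail leaked (${leak})` };
  if (status >= 500) return { pass: false, reason: `server error ${status}` };
  if (status === 400 || status === 422) return { pass: true, reason: "validation error" };
  if (status === 200 && countRows(body) === 0) return { pass: true, reason: "empty results" };
  return { pass: false, reason: `unexpected ${status} with data` };
}

// send(jsonBody) -> Promise<{ status, body }>; wrap fetch() here for a live run.
async function runSqlInjectionTests(send, field = "keywords") {
  const failures = [];
  for (const payload of sqlInjectionPayloads) {
    const res = await send({ [field]: [payload], workout_type: "pilates" });
    const verdict = classifySqlInjectionResponse(res);
    if (!verdict.pass) failures.push({ payload, ...verdict });
  }
  return failures; // empty array: every payload was handled safely
}
```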

CORS Testing

Test Procedure

# Test from unauthorized origin (should fail); -i shows the response headers
curl -i -H "Origin: https://evil.com" \
  -H "Access-Control-Request-Method: POST" \
  -X OPTIONS \
  https://reformer-platform.onrender.com/api/health

# Expected: 403 Forbidden, or a response with no Access-Control-Allow-Origin header
#           (curl never shows a "CORS error"; that is what the browser reports when the header is missing)
# NOT: 200 OK with Access-Control-Allow-Origin: *

Test Cases

  1. Authorized origin - Should succeed
  2. Unauthorized origin - Should fail with CORS error
  3. No origin - Should succeed (mobile apps, Postman)
  4. Malformed origin - Should fail
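As an added example (not code from the guide or the project), a JavaScript grader that encodes the four test cases above for a preflight response; the ALLOWED_ORIGINS allowlist is an assumption.

```javascript
// Added example, not the project's own code. Encodes the four CORS test cases
// as a grader for an OPTIONS response. ALLOWED_ORIGINS is an assumed allowlist.
const ALLOWED_ORIGINS = new Set([
  "https://reformer-platform.onrender.com",
  "http://localhost:3000",
]);

// Classify an Origin header value as "absent", "malformed", "allowed" or "denied".
function classifyOrigin(origin) {
  if (origin === undefined || origin === null || origin === "") return "absent";
  let parsed;
  try { parsed = new URL(origin); } catch { return "malformed"; }
  // A well-formed Origin is exactly scheme://host[:port]: no path, query or userinfo.
  if (parsed.origin !== origin) return "malformed";
  return ALLOWED_ORIGINS.has(origin) ? "allowed" : "denied";
}

// Grade a preflight response { status, headers } for the Origin that was sent.
function checkCorsPreflight(origin, { status, headers }) {
  const h = Object.fromEntries(
    Object.entries(headers ?? {}).map(([k, v]) => [k.toLowerCase(), v]));
  const acao = h["access-control-allow-origin"];
  const kind = classifyOrigin(origin);
  // A wildcard grants every site, so it fails regardless of which origin was sent.
  if (acao === "*") return { pass: false, kind, reason: "wildcard Access-Control-Allow-Origin" };
  switch (kind) {
    case "allowed": // case 1: exact echo of the origin with a 2xx status
      return acao === origin && status >= 200 && status < 300
        ? { pass: true, kind, reason: "origin echoed back" }
        : { pass: false, kind, reason: `expected ACAO=${origin}, got ${acao} (${status})` };
    case "absent": // case 3: non-browser clients send no Origin; the request still works
      return status < 400
        ? { pass: true, kind, reason: "no-origin request accepted" }
        : { pass: false, kind, reason: `no-origin request rejected (${status})` };
    default: // cases 2 and 4: the browser must not be granted access
      return acao !== origin
        ? { pass: true, kind, reason: status === 403 ? "403 Forbidden" : "origin not echoed" }
        : { pass: false, kind, reason: "unauthorized origin was granted access" };
  }
}
```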

Authentication Testing

Test Procedure

# Test without authentication (should fail); -i shows the status line
curl -i https://reformer-platform.onrender.com/api/protected-endpoint

# Expected: 401 Unauthorized
# NOT: 200 OK with data

# Test with invalid token (should fail)
curl -i -H "Authorization: Bearer invalid-token" \
  https://reformer-platform.onrender.com/api/protected-endpoint

# Expected: 401 Unauthorized
# NOT: 200 OK

Test Cases

  1. No token - Should return 401
  2. Invalid token - Should return 401
  3. Expired token - Should return 401
  4. Valid token - Should return 200

Input Validation Testing

Test Procedure

# Test with invalid input types; -i shows the status line
curl -i -X POST https://reformer-platform.onrender.com/api/users \
  -H "Content-Type: application/json" \
  -d '{
    "email": "not-an-email",
    "age": "not-a-number"
  }'

# Expected: 400 Bad Request with validation errors
# NOT: 200 OK or 500 Internal Server Error

Test Cases

  1. Wrong data types - Should return 400
  2. Missing required fields - Should return 400
  3. Invalid formats (email, URL, etc.) - Should return 400
  4. Extremely long strings - Should return 400 or truncate
  5. Special characters - Should sanitize or reject

Authorization Testing

Test Procedure

# Test accessing another user's resource; -i shows the status line
curl -i -H "Authorization: Bearer user1-token" \
  https://reformer-platform.onrender.com/api/users/user2-id/data

# Expected: 403 Forbidden
# NOT: 200 OK with user2's data

Test Cases

  1. Access own resource - Should succeed
  2. Access other user's resource - Should fail with 403
  3. Admin accessing any resource - Should succeed
  4. Regular user accessing admin endpoint - Should fail with 403

Rate Limiting Testing

Test Procedure

# Send rapid requests; print only the HTTP status of each one
for i in {1..10}; do
  curl -s -o /dev/null -w "%{http_code}\n" \
    https://reformer-platform.onrender.com/api/auth/login \
    -X POST \
    -H "Content-Type: application/json" \
    -d '{"email":"test@example.com","password":"test"}'
done

# Expected: First few succeed, then 429 Too Many Requests

Test Cases

  1. Normal rate - Should succeed
  2. Exceeding rate limit - Should return 429
  3. Rate limit headers - Should include X-RateLimit-* headers

Secrets Exposure Testing

Test Procedure

  1. Search codebase for hardcoded secrets:

       grep -r "sk_live\|api_key\|password\|secret" --include="*.js" --include="*.ts" .

  2. Check git history for committed secrets:

       git log --all --full-history --source -- "*secret*" "*password*" "*api_key*"

  3. Check environment variables are set:

       # In production, verify all required env vars exist

What to Look For

  • ❌ Hardcoded API keys
  • ❌ Committed secrets in git
  • ❌ Secrets in logs
  • ❌ Secrets in error messages
  • ✅ All secrets in environment variables
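As an added example (not code from the guide or the project), a small JavaScript scanner that applies the step 1 patterns to source text but only reports a string literal assigned to a secret-looking name, so values read from process.env are not flagged; the sample lines and the sk_live_ value are constructed placeholders.

```javascript
// Added example, not the project's own code. Applies the step-1 grep patterns
// to source text, but only reports a string literal assigned to a secret-looking
// name, so reads from process.env (the ✅ case above) are not false positives.
const SECRET_NAME_RE = /(api[_-]?key|secret|password|sk_live)/i;
// name = "literal", name: 'literal', NAME=`literal`
const ASSIGNMENT_RE = /([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(["'`])([^"'`]+)\2/;
const LIVE_KEY_RE = /\bsk_live_[A-Za-z0-9]+/;

function scanLine(line, lineNo, file = "<input>") {
  const live = line.match(LIVE_KEY_RE);
  if (live) {
    // Report a prefix only: the finding itself must not copy the secret into logs.
    return [{ file, lineNo, kind: "live key literal", name: live[0].slice(0, 8) + "..." }];
  }
  const m = line.match(ASSIGNMENT_RE);
  // Skip literals that merely interpolate an environment variable.
  if (m && SECRET_NAME_RE.test(m[1]) && !/process\.env|\$\{/.test(m[3])) {
    return [{ file, lineNo, kind: "hardcoded secret", name: m[1] }];
  }
  return [];
}

function scanSource(text, file) {
  return text.split(/\r?\n/).flatMap((line, i) => scanLine(line, i + 1, file));
}

// Constructed sample input; the sk_live_ value is a placeholder, not a real key.
const SAMPLE_SOURCE = [
  "const apiKey = process.env.VIMEO_API_KEY;",     // ok: read from env
  'const password = "hunter2";',                    // finding: hardcoded secret
  "const stripe = 'sk_live_PLACEHOLDER000000';",    // finding: live key literal
  "logger.info(`connecting as ${user}`);",          // ok: no secret assignment
].join("\n");
```

Findings carry only the variable name or a key prefix, so the scanner's own output can be pasted into a pull request comment without repeating the secret.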

Automated Security Testing

Pre-commit Checks

# Run security linter
npm run lint:security

# Check for known vulnerabilities
npm audit

# Run security tests
npm run test:security

CI/CD Integration

Security tests should run automatically:

  1. On every pull request
  2. Before deployment
  3. On schedule (daily/weekly)

Security Testing Checklist

Before deploying, verify:

  • SQL injection tests pass
  • CORS tests pass
  • Authentication tests pass
  • Authorization tests pass
  • Input validation tests pass
  • Rate limiting tests pass
  • No secrets exposed
  • Dependencies scanned for vulnerabilities
  • Security audit completed

Reporting Security Test Results

Document test results in:

  • Pull request comments
  • Security audit reports
  • Deployment logs

Include:

  • Test cases executed
  • Results (pass/fail)
  • Vulnerabilities found
  • Fixes applied