3.3.1 - Example
TestList Formulation
If the process has been successful, our Requirements Traceability Matrix (RTM) should now contain all the necessary information to construct a testlist. Each potential vulnerability identified has been documented in the RTM with appropriate references and links during the exploration of potential attack vectors. If the RTM has not yet been constructed, now is the time to review all the suggestions from section 3.3 to ensure that all relevant information has been included.
| Feature ID | Description | potential Vulnerability | Test Method | References |
|---|---|---|---|---|
| F001 | User Authentication | JWT is prone to signature bypasses | SCA should point out CVE. There is also other methods of attack that need to be tested described here: https://portswigger.net/web-security/jwt |
|
| F002 | User login | SQLI | A potential POC can be build following this resource. https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4 |
Screenshot-1 |
| F003 | SpikyFactor.js | RCE | SonarQube detected a potential RCE in the calculate function of the challenge/helpers/SpikyFactor.js |
Screenshot-2 |