You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As Juice Shop already has a complete set of API integration and end-to-end vulnerability exploit tests, it would be cool to be able to run them through your pipeline as well.
API integration tests
npm run frisby runs all the API tests. It starts a server of its own so you might want to run them instead directly with jasmine-node test/api
End-to-end tests
npm run protractor runs the e2e tests. These cover the entire application using Protractor (which is based on Webdriver) to exploit all the vulns in the app to get a 100% score board. They also start their own server so you might want to run protractor protractor.conf.js instead given that all your Webdriver/Selenium stuff is set up properly.
The fact that the e2e tests are not functional tests but rather exploitability tests makes it a bit different from usual setups of webapps with their e2e suites. But as you rely on the passive mode of ZAP only, it should not make so much of a difference, as it doesn't heavily check for attack signatures really - I guess - because it does not expect to be used like this.
As Juice Shop already has a complete set of API integration and end-to-end vulnerability exploit tests, it would be cool to be able to run them through your pipeline as well.
API integration tests
npm run frisbyruns all the API tests. It starts a server of its own so you might want to run them instead directly withjasmine-node test/apiEnd-to-end tests
npm run protractorruns the e2e tests. These cover the entire application using Protractor (which is based on Webdriver) to exploit all the vulns in the app to get a 100% score board. They also start their own server so you might want to runprotractor protractor.conf.jsinstead given that all your Webdriver/Selenium stuff is set up properly.The fact that the e2e tests are not functional tests but rather exploitability tests makes it a bit different from usual setups of webapps with their e2e suites. But as you rely on the passive mode of ZAP only, it should not make so much of a difference, as it doesn't heavily check for attack signatures really - I guess - because it does not expect to be used like this.
(cc: @zaproxy, @psiinon, @thc202)