- The scope of testing is to include authentication, authorisation at the access and method levels, handling of malformed requests (malicious or otherwise), and OWASP tests.
- The web applications to be tested will generally have the following broad technologies and properties:
  - HTML/JavaScript, usually React, but may use other frameworks or libraries;
  - Utilise APIs to store and retrieve UI data, usually Spring Boot/Swagger;
  - Utilise system-to-system data transfer APIs, usually Spring Boot/Swagger;
  - Store and retrieve data as XML, JSON, files, compressed files;
  - May utilise a portal for authentication and authorisation; and
  - May utilise alternate or a mix of authentication/authorisation mechanisms, e.g. Basic auth., client certificates, authentication tokens, OAuth, SAML, etc.
- Testing is required to be performed over the internet.
- Authentication details for multiple accounts will be provided to the selected vendor to allow testing for cross-client vulnerabilities.
- For the duration of the penetration test, the company will whitelist up to three source IPs that are allowed to access the security proxy. This IP whitelisting is to limit access to the testing environment and does not form part of the production security plan. These IPs will need to be supplied by the successful seller and should remain static for the duration of the contract.
An example:
| Application function | Description |
|---|---|
| Login and access dashboard | Log in to the system via username and password fields. There is also a ‘forgot password’ link. Click on a link to get to the dashboard, which opens in a separate browser tab. |
| File submission of report via UI, API and XML | Submitting using UI: User can upload a file by using drag and drop or selecting a file, then clicking on the Submit button. Submitting using API: Connection is made via an endpoint; the Reporting Entity can connect directly to our dedicated application URL endpoints. Submitting using XML: Reporting Entity can submit reports via XML. |
| View receipt | User selects a receipt number for a submission. A new tab opens that displays any validation errors that have occurred for the various submissions under that receipt. User can use the print function in the browser. |
| Search criteria in the submissions table | User can search for previous submissions by typing in the search box and applying filters. Several filters are drop-down boxes, one is a date picker opened by clicking, and two filters search for keywords or usernames and are typed in. |
| Download original submission file; download entire submissions table | User can download an individual submission and/or download all submitted records by clicking on the Download button. |
| File resubmission via UI and API | Resubmitting using UI: User can upload a different file if there was incomplete or erroneous information in a previous file, by drag and drop or selecting a file, then clicking on the Resubmit button. Resubmitting using API: Connection is made via an endpoint; the Reporting Entity can connect directly to our dedicated application URL endpoints. |
| Statistics Reporting | Periodic statistics report that displays tables and graphs based on search criteria (selected period etc.). |
| Single Data Entry, Multiple Data Entry | User submits transaction report information using a web form. |
| Document Upload | User is able to upload specific file types in the portal. |
| Secure Messaging | User is able to communicate by sending and receiving messages. |