Add security tests to Postman collections

[mbiuki]

Security team is going to add security tests to Postman collections located here: core/dotCMS/src/curl-test
Plus every time there is a new PR related to Postman change (like adding a new resource or so), we check if there must be new security tests added

OWASP TOP 10 SECURITY TESTS

Beta Give feedback

1. Add-Remove_Contentlet_from_a_Page.postman_collection.json #27208
   OKR : Security & Privacy +1
2. ApiToken_Resource.postman_collection.json #27209
   OKR : Security & Privacy +1
   
3. Apps.postman_collection.json #27211
   OKR : Security & Privacy +1
4. BringBack.postman_collection.json #27210
   OKR : Security & Privacy +1
5. Browser_Resource.postman_collection.json #27212
   OKR : Security & Privacy +1
6. Bundle_Resource.postman_collection.json #27213
   OKR : Security & Privacy +1
7. CacheResource.postman_collection.json #27214
   OKR : Security & Privacy +1
8. Category.postman_collection.json #27215
   OKR : Security & Privacy +1
9. ConfigurationResource.postman_collection.json #27216
   OKR : Security & Privacy +1
10. ContainerResource.postman_collection.json #27217
    OKR : Security & Privacy +1
11. Containers.postman_collection.json #27218
    OKR : Security & Privacy +1
12. ContentResourceV1.postman_collection.json #27219
    OKR : Security & Privacy +1
13. CreateAdvanceTemplateOnSpecificHost.postman_collection.json #27220
    OKR : Security & Privacy +1
14. DotAsset-MultiPart-TempFile.postman_collection.json #27221
    OKR : Security & Privacy +1
15. DotAsset.postman_collection.json #27222
    OKR : Security & Privacy +1
16. DotFavoritePage.postman_collection.json #27223
    OKR : Security & Privacy +1
17. ESIndexResourceTests.json #27224
    OKR : Security & Privacy +1
18. Experiment_Result.postman_collection.json #27225
    OKR : Security & Privacy +1
19. Experiments_Resource.postman_collection.json #27226
    OKR : Security & Privacy +1
20. FolderResource.postman_collection.json #27227
    OKR : Security & Privacy +1
21. ForgotPasswordResource.postman_collection.json #27275
    OKR : Security & Privacy +1
22. Form_Resource.postman_collection.json #27276
    OKR : Security & Privacy +1
23. Image.postman_collection.json #27228
    OKR : Security & Privacy +1
24. GraphQLTests.json #27229
    OKR : Security & Privacy +1
25. Integrity_Checker_From_Sender.postman_collection.json #27230
    OKR : Security & Privacy +1
26. Integrity_Checker_JWT_Token_Test.postman_collection.json #27231
    OKR : Security & Privacy +1
27. LanguageResourceTests.json #27232
    OKR : Security & Privacy +1
28. Logger_Resource.postman_collection.json #27233
    OKR : Security & Privacy +1
29. Maintenance_Resource-Donwload_Assets.json #27234
    OKR : Security & Privacy +1
30. Maintenance_Resource-Donwload_Log_File.json #27235
    OKR : Security & Privacy +1
31. Maintenance_Resource-Download_DB_Dump.json #27236
    OKR : Security & Privacy +1
    
32. Maintenance_Resource-Download_Starter.json #27237
    OKR : Security & Privacy +1
33. Maintenance_Resource.json #27238
    OKR : Security & Privacy +1
    
34. Manifest_Download_End_Point.postman_collection.json #27239
    OKR : Security & Privacy +1
35. NavResourceTests.json #27240
    OKR : Security & Privacy +1
36. Osgi.postman_collection.json #27241
    OKR : Security & Privacy +1
37. Page_Version_with_diferrent_Templates.postman_collection.json #27242
    OKR : Security & Privacy +1
38. PagesResourceTests.json #27243
    OKR : Security & Privacy +1
    
39. Permission_Resource.postman_collection.json #27244
    OKR : Security & Privacy +1
40. PortletResource.json #27245
    OKR : Security & Privacy +1
41. Promote_Variant.postman_collection.json #27246
    OKR : Security & Privacy +1
42. PublishQueueResource.json #27247
    OKR : Security & Privacy +1
43. PushPublishFilterResource.postman_collection.json #27248
    OKR : Security & Privacy +1
44. Push_Publish_JWT_Token_Test.postman_collection.json #27249
    OKR : Security & Privacy +1
45. Save_Layout_With_Relative_Path.postman_collection.json #27254
    OKR : Security & Privacy +1
    
46. Push_Publish_from_sender.postman_collection.json #27250
    OKR : Security & Privacy +1
    
47. Reltionship_cache_in_push_publish.postman_collection.json #27251
    OKR : Security & Privacy +1
48. ResourceLink.postman_collection.json #27252
    OKR : Security & Privacy +1
49. RoleResource.postman_collection.json #27253
    OKR : Security & Privacy +1
50. Scripting_Resource.postman_collection.json #27255
    OKR : Security & Privacy +1
51. Site_Resource.postman_collection.json #27256
    OKR : Security & Privacy +1
52. System.postman_collection.json #27257
    OKR : Security & Privacy +1
    
53. SystemTable.postman_collection.json #27258
    OKR : Security & Privacy +1
    
54. Tags_Resource_V2.postman_collection.json #27259
    OKR : Security & Privacy +1
    
55. TempAPI.postman_collection.json #27260
    OKR : Security & Privacy +1
56. Template_Resource.postman_collection.json #27261
    OKR : Security & Privacy +1
57. ThemeResource.postman_collection.json #27262
    OKR : Security & Privacy +1
58. ToolGroupResource.postman_collection.json #27263
    OKR : Security & Privacy +1
59. UserResource.postman_collection.json #27264
    OKR : Security & Privacy +1
60. User_Include_Into_Experiment.postman_collection.json #27265
    OKR : Security & Privacy +1
61. VanityURL.postman_collection.json #27266
    OKR : Security & Privacy +1
62. Velocity.postman_collection.json #27267
    OKR : Security & Privacy +1
63. VelocityMacro.postman_collection.json #27268
    OKR : Security & Privacy Priority : 4 Low +2
64. VelocitySecrets.postman_collection.json #27269
    OKR : Security & Privacy +1
65. VersionableResource.postman_collection.json #27270
    OKR : Security & Privacy +1
66. Visitor.postman_collection.json #27271
    OKR : Security & Privacy +1
67. WebAssets.postman_collection.json #27272
    OKR : Security & Privacy +1
68. Workflow_Resource_Tests.json #27273
    OKR : Security & Privacy +1
69. Workflow Resource Documentation #27274
    OKR : Security & Privacy +1
    

[mbiuki]

We would have to make sure that our security tests are OWASP Top 10 relevant: https://owasp.org/www-project-top-ten/

[bryanboza]

I'm worried about this...

In this case we add the test, but in case that we catch an XSS pattern, we are allowing to create the content ir template. We are just getting the error in the test but the functionality allow to create the content without problems.

[rashik1144]

I'm worried about this...

In this case we add the test, but in case that we catch an XSS pattern, we are allowing to create the content ir template. We are just getting the error in the test but the functionality allow to create the content without problems.

This is also true for container. I think this test is not needed as admin is allowed to put whatever he wants.