Writing automated tests can help you find vulnerabilities in your code.
For example, I had a controller that checked whether the user was authorized to make a request. The controller used Laravel's Gate facade to determine whether the user was authorized to update and create a model. This worked as expected when testing on the front end, but when I added automated tests I noticed that the unauthorized user was getting validation errors for the request before being served a 403.
This was because I was using a FormRequest class to validate user input but had set its validate method to only return true. The automated test was correctly failing: it attempted the route without the required attributes and expected a 403, but received validation errors instead.
This is a vulnerability to me because it leaks information about the application (which fields the request requires) to an unauthorized user when it should only be returning a 403.
The test caught a potential exploit, and I was able to use the Gate::allows method within the validate function of the FormRequest to properly determine whether the user was authorized before attempting to validate the user's input.
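As an added example (not code from the post), here is what that fix and the test that catches the leak look like in a Laravel application. The `UpdatePostRequest` class, the `Post` model with a `PostPolicy` update ability registered with the Gate, the `posts.update` route and the model factories are all assumed; the "validate method" the post refers to corresponds to Laravel's FormRequest `authorize()` hook, which the framework runs before the validation rules are applied.

```php
<?php
// app/Http/Requests/UpdatePostRequest.php  (added example, names hypothetical)
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\Facades\Gate;

class UpdatePostRequest extends FormRequest
{
    // Laravel evaluates authorize() before applying rules(), so an
    // unauthorized caller receives a 403 and never learns which fields
    // the request requires.
    public function authorize(): bool
    {
        // The weak version the post describes was simply `return true;`,
        // which let every authenticated user reach validation.
        $post = $this->route('post'); // route-model-bound Post, assumed

        return Gate::allows('update', $post);
    }

    public function rules(): array
    {
        return [
            'title' => ['required', 'string', 'max:255'],
            'body'  => ['required', 'string'],
        ];
    }
}

// tests/Feature/UpdatePostAuthorizationTest.php  (added example)
namespace Tests\Feature;

use App\Models\Post;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class UpdatePostAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    /** An empty payload from a user who may NOT update the post. */
    public function test_unauthorized_user_gets_403_not_validation_errors(): void
    {
        $owner    = User::factory()->create();
        $intruder = User::factory()->create();
        $post     = Post::factory()->for($owner)->create();

        $response = $this->actingAs($intruder)
            ->putJson(route('posts.update', $post), []); // no title, no body

        // With authorize() returning true this would be a 422 whose JSON
        // body lists 'title' and 'body' as required: the information leak
        // the post describes.
        $response->assertStatus(403);
        $response->assertJsonMissingValidationErrors(['title', 'body']);
    }

    /** The same empty payload from the owner reaches validation as intended. */
    public function test_owner_gets_validation_errors(): void
    {
        $owner = User::factory()->create();
        $post  = Post::factory()->for($owner)->create();

        $this->actingAs($owner)
            ->putJson(route('posts.update', $post), [])
            ->assertStatus(422)
            ->assertJsonValidationErrors(['title', 'body']);
    }
}
```

The first test is the one that fails against the `return true;` version: it sends a deliberately incomplete request from a user the policy rejects and asserts that the response is a 403 with no validation detail. Keeping the second test alongside it confirms that moving the authorization check into `authorize()` did not disable validation for users who are allowed through.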
Testing rocks!
© 2020 Chris Wray. All rights reserved.