This repo accompanies the blog post Shifting Left with Nuclei: A Tester's Experience.
It is a clone of a REST API I created, with Nuclei added so that I could understand the tool a little better; the original repo is linked here.
In this repo I have integrated Nuclei, a DAST (Dynamic Application Security Testing) tool.
I have often looked at DAST tools and seen how awkwardly they fit with shift-left ideas. At their core they want to be run in as realistic an environment as possible, but running them against pre-prod or prod means a finding can leave you needing a roll back. That said, testing against a deployed instance is still very useful for checking how the application is actually deployed.
In this repo I want to take Nuclei and DAST to as early a point in the development cycle as possible and see how much value can be gained. I will be hand-writing all of the templates to look for common security misconfigurations in an API.
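As an added example of the kind of hand-written template described above (this is not a template from the repo or the blog post), the following Nuclei template checks the Eden API's `GET /api/plants` response for two common response-header misconfigurations: a JSON response without `X-Content-Type-Options: nosniff`, and a framework banner in an `X-Powered-By` header. The template id, author and the assumption that the API is reachable at `http://localhost:3000` are my own choices.

```yaml
# Added example template, not part of the original repo.
# Assumes the Eden API is running locally on port 3000 as the README describes.
id: eden-api-response-headers

info:
  name: Eden API - response header misconfigurations
  author: example-author
  severity: low
  description: |
    Flags a successful JSON API response that lacks
    X-Content-Type-Options: nosniff, or that advertises its
    framework through an X-Powered-By header.
  tags: misconfig,headers,eden

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/plants"

    # Report if either check fires; the matcher name in the output
    # tells you which misconfiguration was found.
    matchers-condition: or
    matchers:
      - type: dsl
        name: missing-nosniff
        dsl:
          - "status_code == 200 && !contains(tolower(all_headers), 'x-content-type-options')"

      - type: dsl
        name: framework-banner
        dsl:
          - "status_code == 200 && contains(tolower(all_headers), 'x-powered-by')"
```

Save it as `eden-api-response-headers.yaml` and, with the server started as described below, run `nuclei -u http://localhost:3000 -t eden-api-response-headers.yaml`. Because the template only issues the same `GET` the README already documents and inspects headers, it is safe to run on every local build, which is the point of shifting a DAST check this far left.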
Below is the content from the original README detailing how to use the REST API.
Eden is a mock plant shop. It is an example of a very basic REST API with integration tests. My hope is to make a test framework that can be scaled.
Ensure you have Node & NPM installed.
```
npm install
docker-compose up -d
```
See the package.json for all available commands.
```
# Set up the database
# Create the db
npm run db:create
# Set up the tables
npm run migrate
# Set up some very basic seeded data
npm run seed
```
```
# General server use
# Start the server using nodemon
npm start
# Returns all plants
curl localhost:3000/api/plants
# Returns a specific plant
curl localhost:3000/api/plants/1
# Adds a plant to the db
curl -X POST localhost:3000/api/plants \
  -H 'Content-Type: application/json' \
  -d '{"species": "Boston Fern","colour": "Green","size": "S","season": true}'
# Update a plant in the db
curl -X PUT localhost:3000/api/plants/1 \
  -H 'Content-Type: application/json' \
  -d '{"species": "Cactus","colour": "Purple","size": "L","season": false}'
# Delete a plant in the db
curl -X DELETE localhost:3000/api/plants/1
```
```
# Using the test suite
# Run all tests
npm test
# Update the snapshots
npm test -- -u
# Start Jest in interactive watch mode
npm test -- --watch
```
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
Please make sure to update tests as appropriate.