Micro-Id-Gym (MIG) is a flexible and extendable tool designed to assist system administrators and security testers in conducting security testing on Identity Management (IdM) protocol implementations. MIG provides both a toolsuite for penetration testing and testplans for IdM protocol implementations.
A testplan for a protocol/standard, also known as a human readable testplan, is a set of test specifications written in a format that people can read directly. It lists the tests needed to check that an implementation complies with that protocol/standard. MIG currently offers a human readable testplan covering the OIDC protocol.
As for the tools, MIG offers a containerised testing environment called i-mig-t, a script that converts the human readable testplan into PDF format for easier reading, a script that translates most of the human readable tests into the machine-readable format consumed by the security testing tool MIG-T, and an integration of the spid-cie-oidc-django implementation from Developers Italia.
```
mig
├── tools
│   ├── mig-t (submodule)
│   ├── i-mig-t
│   ├── testplan-to-mr
│   └── testplan-to-pdf
└── testplans
    └── spid-cie-oidc
        └── implementations
            └── spid-cie-oidc-django
```
The tools folder provides the testing environment, helper scripts and all the tools available in MIG. A brief description of each tool follows:
- mig-t: a semi-automated security testing tool provided as a BurpSuite Community Edition (Burp) extension, driven by a declarative language for security testing. It is included as a git submodule; see its dedicated repository for more information.
- i-mig-t: stands for integrated mig-t and consists of a Docker image containing Burp, Mozilla Firefox and mig-t. See its readme for details.
- testplan-to-mr: a script that converts a testplan from the human readable format into the machine-readable format used by mig-t. See its readme for details.
- testplan-to-pdf: a script that converts the human readable testplan into PDF format for easier reading. See its readme for details.
The testplans folder contains the testplan specifications for IdM protocols/standards. For each IdM protocol/standard a human readable testplan is provided in CSV format. Currently, the following testplans are available in MIG:
- spid-cie-oidc: this testplan covers SPID/CIE OIDC and is based on the SPID/CIE OpenID Connect Regole tecniche (technical rules).
For each IdM protocol/standard a human readable test plan is made available, and each protocol/standard may have one or more implementations. The available implementations live in the implementations folder under the corresponding testplan. Below is a brief description of the implementations currently available:
- spid-cie-oidc-django: the SPID/CIE OIDC implementation provided by Developers Italia.
MIG currently supports the spid-cie-oidc testplan together with the spid-cie-oidc-django implementation. To run MIG with the spid-cie-oidc testplan against the spid-cie-oidc-django implementation, refer to the readme in that implementation's folder.
- session: a list of user actions, comparable to a UI integration test that testers write for web applications; sessions are built on the Selenium engine and its primitives.
- human readable test: a test case or test specification written so that it can be understood by humans, in particular testers, developers, project managers and other stakeholders without specialised technical knowledge. The human readable version of a test prioritises clarity, simplicity and comprehensibility, making it accessible to a broad audience without deep technical expertise.
- machine readable test: a test case or test specification formatted and structured so that it can be interpreted and executed by automated testing tools, scripts or programs. In MIG these tests are written in JSON and are ready to be parsed and executed by MIG-T.
Please refer to the following guides:
- To execute a testplan, consult the corresponding readme.
- For a generic scenario, refer to the general readme.
Please follow the guidelines reported here.
Please follow the instructions reported here.
MIG welcomes contributions from several kinds of users, each of whom can contribute in a different way. The following lists the user types and the actions they can take to participate in the project:
Instructions
- To get started, follow the instructions to run i-mig-t.
- In testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/tests/ you can find all the available and supported machine-readable tests.
- In testplans/spid-cie-oidc/implementations/spid-cie-oidc-django/input/mig-t/sessions/ you can find the related sessions.
Instructions
A guide on how to add your RP to the testing environment is provided in the i-mig-t readme.
Instructions
To contribute a test plan for a different IdM protocol, adhere to the repository's structure within the testplans folder:
- Create a readme.md file containing information about the test plan you wish to add.
- The added test plan file must have a .csv extension and include all the columns specified in the testplan.csv file.
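The glossary above distinguishes human readable tests (CSV rows) from machine readable tests (JSON for MIG-T), and the contribution rule above requires a contributed testplan to carry every column of testplan.csv. The following script, added here as an illustration and not part of MIG or its testplan-to-mr tool, shows the shape of that conversion: it validates a CSV testplan against a required column list, rejects empty cells and duplicate IDs so a broken contribution fails fast, and emits one JSON object per test. The column names (ID, Name, Description, Reference, Expected Result), the sample rows and the output JSON keys are assumptions made for this example; the real column list is the one in testplan.csv and the real machine-readable format is the one MIG-T parses.

```python
"""Validate a human-readable testplan CSV and convert it to JSON.

Added example, not code from the MIG repository. The required column
names, the sample rows and the JSON layout are assumptions for
illustration; MIG-T's real format is defined by the testplan-to-mr tool.
"""
import csv
import io
import json

# Assumed required columns of a human-readable testplan (not MIG's real list).
REQUIRED_COLUMNS = ("ID", "Name", "Description", "Reference", "Expected Result")

# Constructed sample testplan; the two rows are invented for this example.
SAMPLE_CSV = """\
ID,Name,Description,Reference,Expected Result
EX-001,Reject unsigned request object,Send an authorization request whose request object is not signed,Section 3.1,The provider returns an error and does not issue a code
EX-002,Check state reflection,Start a login and verify that the state returned to the RP matches the one sent,Section 3.2,state in the callback equals the one in the request
"""


def missing_columns(fieldnames):
    """Return the required columns absent from the CSV header, in order."""
    present = {name.strip() for name in (fieldnames or [])}
    return [c for c in REQUIRED_COLUMNS if c not in present]


def parse_testplan(text):
    """Parse CSV text into a list of row dicts, rejecting malformed plans.

    Raises ValueError when a required column is missing, a required cell
    is empty, or two rows share an ID, so that a contributed testplan
    fails fast instead of silently producing broken machine-readable tests.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = missing_columns(reader.fieldnames)
    if missing:
        raise ValueError(f"missing required columns: {missing}")
    rows, seen_ids = [], set()
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        for col in REQUIRED_COLUMNS:
            if not (row.get(col) or "").strip():
                raise ValueError(f"line {lineno}: empty cell in column {col!r}")
        test_id = row["ID"].strip()
        if test_id in seen_ids:
            raise ValueError(f"line {lineno}: duplicate test ID {test_id!r}")
        seen_ids.add(test_id)
        rows.append({col: row[col].strip() for col in REQUIRED_COLUMNS})
    return rows


def to_machine_readable(rows):
    """Map validated rows onto an assumed JSON layout, one object per test.

    The keys below are an illustrative layout, not MIG-T's actual schema.
    """
    return {
        "tests": [
            {
                "id": r["ID"],
                "name": r["Name"],
                "description": r["Description"],
                "reference": r["Reference"],
                "expected_result": r["Expected Result"],
            }
            for r in rows
        ]
    }


def convert(text):
    """Validate a CSV testplan and return its JSON representation as a string."""
    return json.dumps(to_machine_readable(parse_testplan(text)), indent=2)


if __name__ == "__main__":
    print(convert(SAMPLE_CSV))
```

The validation step is the part worth keeping whatever the real schema is: a testplan row that silently loses its expected result, or two rows that share an ID, produces a machine-readable test that either cannot be executed or overwrites another one, and it is far cheaper to reject that at conversion time than to debug it inside a Burp session.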
Instructions
To propose changes or enhancements to the existing SPID/CIE OIDC test plan located in /testplans/spid-cie-oidc/, kindly initiate discussions by creating issues directly within the repository or by submitting a pull request.
Instructions
To facilitate improvements or modifications to MIG, consider the following options:
- Initiate discussions by opening issues to propose new features or report any identified bugs.
- Actively participate in improving the source code by submitting a pull request.
To contribute to mig-t, please consult its dedicated repository.
Instructions
- For contributions that do not fall into any of the categories above, feel free to reach out to us at a.bisegna@fbk.eu. We welcome all forms of contribution and collaboration.
- Micro-Id-Gym - Identity Management Workouts with Container-Based Microservices
- Andrea Bisegna (PhD Thesis, University of Genova, 2023) Automated Security Testing for Identity Management of Large-scale Digital Infrastructures
- Matteo Bitussi (Bachelor's Thesis, University of Trento, 2022) Declarative Specification of Pentesting Strategies for Browser-based Security Protocols: the Case Studies of SAML and OAuth/OIDC
- Alessandro Biasi (Bachelor's Thesis, University of Trento, 2022) Syntax And Semantics Of A Declarative Language For Security Testing Of Browser Based Security Protocols
Everything in this repository is licensed under the Apache 2.0 license
Copyright 2023, Fondazione Bruno Kessler
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Designed and developed within Security & Trust Research Unit at Fondazione Bruno Kessler (Italy) in cooperation with Istituto Poligrafico e Zecca dello Stato (Italy) and Futuro & Conoscenza.