# Security Testing Guide

This guide provides step-by-step instructions for performing the manual security tests from `references/MANUAL_SECURITY_TESTING_CHECKLIST.md`.

## Prerequisites

- You are logged in as **User A (ID: 5195)**
- **User B (ID: 5196)** exists as the victim account
- **Organization A** and **Organization B** exist
- **Bank A** exists (optional)

## Test Accounts

| Profile | ID | Email |
|---------|-------|-------|
| User A (you) | 5195 | user-a@test.nl |
| User B (victim) | 5196 | user-b@test.nl |
| Organization A | TBD | TBD |
| Organization B | TBD | TBD |

## How to Manipulate Session

Since Laravel stores sessions server-side (not in browser Session Storage), use this command:

```bash
cd /home/r/Websites/timebank_cc_2
php manipulate-session.php <profile_id> <type>
```

**Examples:**
```bash
# Change to User B
php manipulate-session.php 5196 user

# Change to Organization A (ID 1)
php manipulate-session.php 1 org

# Change to Bank A (ID 1)
php manipulate-session.php 1 bank

# Change back to User A
php manipulate-session.php 5195 user
```

After running the command, **refresh your browser** to apply the changes.

---

## Test Category 1: Profile Deletion Authorization

### Test 1.1: Unauthorized User Profile Deletion
**Risk Level:** CRITICAL

**Steps:**
1. Login as User A (already done)
2. Note User A's profile ID: **5195**
3. Run session manipulation:
   ```bash
   php manipulate-session.php 5196 user
   ```
4. Refresh browser
5. Navigate to Settings → Delete Account
6. Attempt to delete the profile

**Expected Result:** ✅ HTTP 403 Forbidden error
**Security Failure:** ❌ Profile deletion succeeds

**Log Verification:**
```bash
tail -f storage/logs/laravel.log | grep "ProfileAuthorizationHelper"
```
Should show: "Unauthorized User access attempt"

**Reset Session After Test:**
```bash
php manipulate-session.php 5195 user  # Change back to User A
```

---

### Test 1.2: Unauthorized Organization Profile Deletion
**Risk Level:** CRITICAL

**Prerequisites:** Find Organization A and B IDs first:
```bash
mysql -u timebank_cc_dev -p'zea2A8sd{QA,9^pS*2^@Xcltuk.vgV' timebank_cc_2 -e \
"SELECT id, name, email FROM organizations WHERE name LIKE '%Organization%' LIMIT 5;"
```

**Steps:**
1. Login as User A (member of Organization A)
2. Switch to Organization A profile using the profile switcher
3. Note Organization A's ID
4. Run session manipulation:
   ```bash
   php manipulate-session.php <org_b_id> org
   ```
5. Refresh browser
6. Navigate to organization settings → Delete Account
7. Attempt deletion

**Expected Result:** ✅ HTTP 403 Forbidden
**Security Failure:** ❌ Organization B deleted

**Reset:**
```bash
php manipulate-session.php 5195 user
```

---

### Test 1.3: Legitimate Profile Deletion (Control Test)
**Purpose:** Verify legitimate operations still work

**Steps:**
1. Login as User A
2. Ensure session is NOT manipulated (reset if needed):
   ```bash
   php manipulate-session.php 5195 user
   ```
3. Refresh browser
4. Navigate to Settings → Delete Account
5. Complete deletion process (⚠️ Use a test account, not your main account!)

**Expected Result:** ✅ Profile deletion succeeds
**Security Failure:** ❌ Legitimate deletion blocked

---

## Test Category 2: Profile Modification Authorization

### Test 2.1: Unauthorized Profile Settings Modification
**Risk Level:** CRITICAL

**Steps:**
1. Login as User A
2. Navigate to profile settings page
3. Run session manipulation:
   ```bash
   php manipulate-session.php 5196 user
   ```
4. Refresh browser
5. Attempt to modify profile details (name, email, about, etc.)
6. Click Save

**Expected Result:** ✅ HTTP 403 Forbidden
**Security Failure:** ❌ User B's profile modified

**Reset:**
```bash
php manipulate-session.php 5195 user
```

---

### Test 2.2: Unauthorized Organization Settings Modification
**Risk Level:** CRITICAL

**Steps:**
1. Login as User A
2. Switch to Organization A
3. Run session manipulation:
   ```bash
   php manipulate-session.php <org_b_id> org
   ```
4. Refresh browser
5. Navigate to organization settings
6. Attempt to modify organization details
7. Click Save

**Expected Result:** ✅ HTTP 403 Forbidden
**Security Failure:** ❌ Organization B modified

**Reset:**
```bash
php manipulate-session.php 5195 user
```

---

## Test Category 3: Message Settings Authorization

### Test 3.1: Unauthorized Message Settings Access
**Risk Level:** CRITICAL

**Steps:**
1. Login as User A
2. Navigate to Settings → Message Settings
3. Note current notification preferences
4. Run session manipulation:
   ```bash
   php manipulate-session.php 5196 user
   ```
5. Refresh browser
6. Toggle notification settings (email, push, etc.)
7. Click Save

**Expected Result:** ✅ HTTP 403 Forbidden
**Security Failure:** ❌ User B's message settings changed

**Reset:**
```bash
php manipulate-session.php 5195 user
```

---

## Test Category 4: Chat/Conversation Authorization

### Test 4.1: Unauthorized Conversation Access
**Risk Level:** HIGH

**Prerequisites:**
1. Create a conversation between User B and another user
2. Note the conversation ID from the URL

**Steps:**
1. Login as User A
2. Manually navigate to: `/chat/{conversation_id}`
3. Attempt to view conversation
4. Attempt to send messages

**Expected Result:** ✅ HTTP 403 Forbidden or redirect
**Security Failure:** ❌ User A can read/send messages

---

## Test Category 5: Transaction/Payment Authorization

### Test 5.1: Unauthorized Transaction Viewing
**Risk Level:** HIGH

**Prerequisites:**
1. User B creates transaction with User C
2. Note transaction ID

**Steps:**
1. Login as User A
2. Navigate to `/transaction/{transaction_id}`

**Expected Result:** ✅ HTTP 403 Forbidden
**Security Failure:** ❌ User A can view transaction

---

### Test 5.2: Session Manipulation for Transaction Access
**Risk Level:** CRITICAL

**Steps:**
1. Login as User A
2. Run session manipulation:
   ```bash
   php manipulate-session.php 5196 user
   ```
3. Refresh browser
4. Navigate to Transactions page
5. Check which transactions are visible

**Expected Result:** ✅ Only User A's transactions visible (or 403 error)
**Security Failure:** ❌ User B's transactions visible

**Reset:**
```bash
php manipulate-session.php 5195 user
```

---

## Useful Commands

### View Current Sessions
```bash
mysql -u timebank_cc_dev -p'zea2A8sd{QA,9^pS*2^@Xcltuk.vgV' timebank_cc_2 -e \
"SELECT id, user_id, ip_address, FROM_UNIXTIME(last_activity) as last_active \
FROM sessions WHERE last_activity > UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 2 HOUR)) \
ORDER BY last_activity DESC LIMIT 5;"
```

### Find Profile IDs
```bash
# Users
mysql -u timebank_cc_dev -p'zea2A8sd{QA,9^pS*2^@Xcltuk.vgV' timebank_cc_2 -e \
"SELECT id, name, email FROM users WHERE name LIKE '%User%' ORDER BY id LIMIT 10;"

# Organizations
mysql -u timebank_cc_dev -p'zea2A8sd{QA,9^pS*2^@Xcltuk.vgV' timebank_cc_2 -e \
"SELECT id, name, email FROM organizations WHERE name LIKE '%Organization%' LIMIT 10;"

# Banks
mysql -u timebank_cc_dev -p'zea2A8sd{QA,9^pS*2^@Xcltuk.vgV' timebank_cc_2 -e \
"SELECT id, name, email FROM banks LIMIT 10;"
```

### Monitor Authorization Logs
```bash
# Watch for authorization attempts
tail -f storage/logs/laravel.log | grep "ProfileAuthorizationHelper"

# Watch for unauthorized access attempts
tail -f storage/logs/laravel.log | grep -i "Unauthorized.*access attempt"
```

### Reset Session to User A
```bash
php manipulate-session.php 5195 user
```

---

## Troubleshooting

**Problem:** Session manipulation doesn't work
**Solution:** Make sure you refresh the browser after running the command

**Problem:** Can't find profile IDs
**Solution:** Use the MySQL commands above to query the database

**Problem:** Script permission denied
**Solution:** Run `chmod +x manipulate-session.php`

**Problem:** Need to restore your original session
**Solution:** Run `php manipulate-session.php 5195 user` and refresh browser

---

## Important Notes

1. **Always refresh your browser** after manipulating the session
2. **Reset your session** back to User A after each test: `php manipulate-session.php 5195 user`
3. **Monitor logs** during testing: `tail -f storage/logs/laravel.log | grep ProfileAuthorizationHelper`
4. **Don't delete important accounts** - use test accounts for deletion tests
5. These tests are for **security testing only** - never use in production

---

## Test Category 6: AccountInfoModal — IDOR (Balance Leakage)

### Test 6.1: Unauthorized Balance Viewing via Session Manipulation
**Risk Level:** HIGH — **Fixed 2026-03-23**
**Component:** `app/Http/Livewire/AccountInfoModal.php`
**Fix:** `ProfileAuthorizationHelper::authorize($profile)` added to `loadAccounts()` after profile resolution. Manipulated session now returns HTTP 403.

**Steps:**
1. Login as User A
2. Open the Account Info modal (click the balance link in the navigation) — note your own balances
3. Run session manipulation:
   ```bash
   php manipulate-session.php 5196 user
   ```
4. Refresh browser
5. Open the Account Info modal again

**Expected Result:** ✅ HTTP 403 Forbidden OR modal shows zero/no accounts
**Security Failure:** ❌ User B's account balances are visible

**Log Verification:**
```bash
tail -f storage/logs/laravel.log | grep "ProfileAuthorizationHelper"
```

**Reset:**
```bash
php manipulate-session.php 5195 user
```

---

### Test 6.2: Cross-Profile-Type Balance Leakage (Organization)
**Risk Level:** HIGH

**Steps:**
1. Login as User A
2. Run session manipulation to switch to an organization you are NOT a member of:
   ```bash
   php manipulate-session.php <org_b_id> org
   ```
3. Refresh browser
4. Open the Account Info modal

**Expected Result:** ✅ HTTP 403 Forbidden OR modal shows zero accounts
**Security Failure:** ❌ Organization B's account balances are visible

**Reset:**
```bash
php manipulate-session.php 5195 user
```

---

## Test Category 7: Reports — Arbitrary File Write

### Test 7.1: Malformed Base64 Chart Image Upload
**Risk Level:** MEDIUM — **Fixed 2026-03-23**
**Component:** `app/Http/Livewire/Reports.php` — `exportPdfWithChart()` / `exportPdfWithCharts()`
**Fix:** `decodeChartImage()` helper validates PNG/JPEG magic bytes before writing. `base64_decode(..., strict: true)` used to reject malformed input. Non-image payloads abort with HTTP 422 and are logged.

**Steps:**
1. Login as User A
2. Navigate to the Reports page
3. Open browser DevTools → Network tab
4. Trigger any PDF export that invokes `exportPdfWithChart`
5. Locate the Livewire POST request and copy the payload
6. Modify the `chartImage` parameter to contain a PHP webshell encoded as base64:
   ```
   data:image/png;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+
   ```
   (This decodes to `<?php system($_GET['cmd']); ?>`)
7. Re-send the modified request (use DevTools "Copy as fetch" then paste in Console)

**Expected Result:** ✅ Request rejected (invalid MIME type), or file written but not web-executable
**Security Failure:** ❌ PHP file written to an accessible path and the application executes it

**Verify storage is not web-accessible:**
```bash
curl -I http://localhost/storage/temp/
# Should return 404 or 403, not 200
```

---

### Test 7.2: Unauthenticated Livewire Chart Export Action
**Risk Level:** MEDIUM — **Fixed 2026-03-23** (`abort_unless(Auth::check(), 403)` added)

**Steps:**
1. Log out entirely
2. POST a Livewire request to `exportPdfWithChart` with a valid-looking base64 payload

**Expected Result:** ✅ Redirected to login, or 401/403 response
**Security Failure:** ❌ File written to temp storage without authentication

---

## Test Category 8: ExportProfileData — Authorization Verification

### Test 8.1: Unauthorized Transaction Export via Session Manipulation
**Risk Level:** HIGH
**Component:** `app/Http/Livewire/Profile/ExportProfileData.php` — `exportTransactions()`
**Note:** This component DOES call `ProfileAuthorizationHelper::authorize()`. This test verifies the protection works correctly.

**Steps:**
1. Login as User A
2. Navigate to Profile → Export Data
3. Run session manipulation:
   ```bash
   php manipulate-session.php 5196 user
   ```
4. Refresh browser
5. Attempt to export transactions (any format)

**Expected Result:** ✅ HTTP 403 Forbidden
**Security Failure:** ❌ User B's transactions are exported

**Log Verification:**
```bash
tail -f storage/logs/laravel.log | grep "ProfileAuthorizationHelper"
```
Should show: "Unauthorized User profile access attempt"

**Reset:**
```bash
php manipulate-session.php 5195 user
```

---

### Test 8.2: Unauthorized Messages Export
**Risk Level:** HIGH

**Steps:**
1. Login as User A
2. Run session manipulation:
   ```bash
   php manipulate-session.php 5196 user
   ```
3. Refresh browser
4. Attempt to export messages

**Expected Result:** ✅ HTTP 403 Forbidden
**Security Failure:** ❌ User B's private messages exported

**Reset:**
```bash
php manipulate-session.php 5195 user
```

---

### Test 8.3: Unauthorized Contacts Export
**Risk Level:** MEDIUM

**Steps:**
1. Login as User A
2. Run session manipulation:
   ```bash
   php manipulate-session.php 5196 user
   ```
3. Refresh browser
4. Attempt to export contacts

**Expected Result:** ✅ HTTP 403 Forbidden
**Security Failure:** ❌ User B's contact list exported

**Reset:**
```bash
php manipulate-session.php 5195 user
```

---

## Quick Reference

| Action | Command |
|--------|---------|
| Change to User B | `php manipulate-session.php 5196 user` |
| Change to Org B (ID 1) | `php manipulate-session.php 1 org` |
| Change to Bank A (ID 1) | `php manipulate-session.php 1 bank` |
| Reset to User A | `php manipulate-session.php 5195 user` |
| Monitor logs | `tail -f storage/logs/laravel.log \| grep ProfileAuthorizationHelper` |
| Check temp dir not web-accessible | `curl -I http://localhost/storage/temp/` |