Okay, this is an extensive codebase, and a full UI test plan will be quite detailed. I'll break this down by major application features/pages, inferring UI interactions from your backend API structure, frontend HTML templates, and the e2e tests you've provided.
Assumptions:
- The frontend Flask app (
frontend/main.py) serves the HTML templates. - JavaScript files in
frontend/static/js/handle dynamic content loading, API calls, and UI interactions. - The UI generally reflects the capabilities of the API.
- The "UI Vulnerability Demos" toggle (
uiVulnerabilityFeaturesEnabled) affects the visibility/behavior of certain demo sections on the frontend.
Test Plan Table Structure:
- Feature/Module: The high-level area being tested.
- Test Case ID: A unique identifier.
- Test Scenario: What is being tested.
- User Role(s): Who performs the test (e.g., Guest, Regular User, Admin User - potentially via BFLA exploit for some Admin functions).
- Preconditions: What needs to be true before starting the test.
- Test Steps (UI): Step-by-step actions on the frontend.
- Expected Result: What should happen after the steps.
- Notes/Vulnerabilities Tested: Specific vulnerabilities this test might expose or test from a UI perspective.
Frontend UI Testing Plan
Prerequisites for most tests:
- API Server (
app/main.py) is running. - Frontend Server (
frontend/main.py) is running. - Database is initialized with
prepopulated_data.json. - User accounts (admin, regular user AliceSmith, BobJohnson) exist as per
prepopulated_data.json.
| Feature/Module | Test Case ID | Test Scenario | User Role(s) | Preconditions | Test Steps (UI) | Expected Result | Notes/Vulnerabilities Tested |
|---|---|---|---|---|---|---|---|
| 0. Global UI | GBL-001 | Verify UI Vulnerability Demo Toggle Functionality | Guest/User | None | 1. Navigate to any page (e.g., Homepage). 2. Locate the "UI Demos" toggle in the navbar. 3. Observe its initial state (likely OFF). 4. Click the toggle to "ON". 5. Observe status text changes to "ON". 6. Navigate to a page with demo sections (e.g., Profile, Checkout, Admin). 7. Click the toggle to "OFF". 8. Observe status text changes to "OFF". 9. Re-check visibility of demo sections. |
Initial state matches default. Toggle changes state and text. Demo sections (e.g., BOLA forms, Parameter Pollution forms) become visible when toggle is ON. Demo sections are hidden when toggle is OFF. Global message about toggle state change appears. |
Tests core UI feature for enabling/disabling vulnerability demonstration elements. |
| 1. Authentication | AUTH-001 | Successful User Registration | Guest | None | 1. Navigate to /register. 2. Fill Username, Email, Password, Confirm Password with unique valid data. 3. Click "Register". |
Success message displayed. Redirected to /login. |
- |
| AUTH-002 | Registration with existing username/email | Guest | User with that username/email already exists. | 1. Navigate to /register. 2. Fill form with an existing username or email. 3. Click "Register". |
Error message: "Username already registered" or "Email already registered". | - | |
| AUTH-003 | Registration with mismatched passwords | Guest | None | 1. Navigate to /register. 2. Fill form with passwords not matching. 3. Click "Register". |
Error message: "Passwords do not match". | - | |
| AUTH-004 | Successful User Login | Guest | User "AliceSmith" (password: "AlicePass1!") exists. | 1. Navigate to /login. 2. Enter "AliceSmith" for username, "AlicePass1!" for password. 3. Click "Login". |
Success message displayed. Redirected to / (Homepage). Navbar updates to show "Profile", "Orders", "Logout". |
- | |
| AUTH-005 | Login with incorrect credentials | Guest | User "nonexistentuser" does not exist. | 1. Navigate to /login. 2. Enter "nonexistentuser" for username, "wrongpassword" for password. 3. Click "Login". |
Error message: "Login failed: Incorrect username or password". | - | |
| AUTH-006 | User Logout | Regular User | User is logged in. | 1. Click "Logout" link in the navbar. | User is logged out. Redirected to /login or /. Navbar updates to show "Login", "Register". Cart is cleared. |
- | |
| 2. Homepage & Product Listing | HOME-001 | View Product Listing | Guest/User | API serves products. | 1. Navigate to /. |
Page loads with header, search bar. Product grid displays multiple product cards with image, name, price, stock status, and "Add to Cart" button. Loading skeletons shown initially. |
- |
| HOME-002 | Search for Products (valid term) | Guest/User | Products exist matching the search term (e.g., "Laptop"). | 1. Navigate to /. 2. Type "Laptop" into the search bar. 3. Click "Search". |
Product grid updates to show only products with "Laptop" in their name. "search-info" note might be visible. | Test product search. | |
| HOME-003 | Search for Products (no results) | Guest/User | No products match the search term "XYZABC". | 1. Navigate to /. 2. Type "XYZABC" into the search bar. 3. Click "Search". |
Product grid shows a "No products found" message. | - | |
| HOME-004 | Search with Injection-like String | Guest/User | Products exist. | 1. Navigate to /. 2. Type "' OR 1=1 --" into the search bar. 3. Click "Search". |
"search-info" note about injection demo is displayed. Product grid may show all products or behave unexpectedly depending on backend handling (though current backend is safe). |
Tests UI feedback for injection demo. | |
| HOME-005 | Add Product to Cart from Homepage | Guest/User | Product is in stock. | 1. Navigate to /. 2. Find a product card. 3. Click its "Add to Cart" button. |
Success toast/global message "Added [Product Name] to cart" displayed. Cart count in navbar increases by 1. |
- | |
| 3. Product Detail Page | PDP-001 | View Product Details (Valid Product) | Guest/User | Product with ID f47ac10b-58cc-4372-a567-0e02b2c3d479 (Laptop Pro 15) exists. |
1. Navigate to /products/f47ac10b-58cc-4372-a567-0e02b2c3d479. |
Page loads product name, image, price, description, stock status. Quantity input defaults to 1. "Add to Cart" button is visible (if in stock). Accordion sections (Shipping, Returns) are present. Parameter Pollution demo section is present. |
- |
| PDP-002 | View Product Details (Invalid Product) | Guest/User | Product ID non-existent-id does not exist. |
1. Navigate to /products/non-existent-id. |
Error message "Failed to load product details" or similar is displayed. Product detail container shows error state. |
- | |
| PDP-003 | Change Quantity on Product Detail Page | Guest/User | Product is in stock. Product page loaded. | 1. On product detail page, locate quantity input. 2. Click "+" button. 3. Click "-" button. 4. Manually enter "3" in quantity input. |
Quantity increases/decreases with button clicks. Manually entered quantity updates correctly. Quantity does not go below 1 or above max stock. |
- | |
| PDP-004 | Add Product to Cart from Detail Page | Guest/User | Product is in stock. Product page loaded. Quantity is 1. | 1. On product detail page, click "Add to Cart" button. | Success toast/global message displayed. Cart count in navbar increases. |
- | |
| PDP-005 | Test Parameter Pollution Demo UI | Regular User | User is logged in. UI Demos ON. Product page loaded. | 1. On product detail page, scroll to "Parameter Pollution Demo". 2. Observe default param name ("internal_status") and value. 3. Change param value to "on_sale". 4. Click "Apply Parameter & Reload". 5. Verify URL display changes. 6. (Optional) Navigate to the generated URL to see if internal_status field appears for product. |
Demo URL display updates with new parameter. Clicking button should attempt API call (backend dependent). If internal_status is in URL on page load, a warning and the status might be shown. |
Tests UI for Parameter Pollution demo. Actual effect depends on backend. | |
| PDP-006 | Parameter Pollution Demo UI Hidden (Logged Out) | Guest | UI Demos ON. Product page loaded. | 1. On product detail page, scroll to where "Parameter Pollution Demo" section would be. | The "Parameter Pollution Demo" section is not visible. | UI elements conditional on login. | |
| 4. Shopping Cart | CART-001 | View Empty Cart | Guest/User | Cart is empty. | 1. Navigate to /cart. |
"Your cart is empty" message displayed. "Start Shopping" button visible. Subtotal, Shipping, Total are $0.00. Checkout button is disabled. |
- |
| CART-002 | Add Item and View Cart | Guest/User | Cart is empty. | 1. Navigate to /, add a product to cart. 2. Navigate to /cart. |
Product is listed in cart table with image, name, price, quantity (1), item total. Subtotal, Shipping, Total are updated. Checkout button is enabled. |
- | |
| CART-003 | Update Item Quantity in Cart | Guest/User | Item in cart. | 1. Navigate to /cart. 2. For an item, change quantity input to "3". 3. Click quantity "+" or "-" button. |
Item total updates. Cart subtotal, shipping, total update. Navbar cart count updates. |
- | |
| CART-004 | Remove Item from Cart | Guest/User | Item in cart. | 1. Navigate to /cart. 2. For an item, click "Remove" button. 3. Confirm removal if prompted. |
Item is removed from cart table. Cart totals update. If cart becomes empty, "Your cart is empty" message appears. |
- | |
| CART-005 | Apply Promo Code | Guest/User | Item in cart. | 1. Navigate to /cart. 2. Enter "TESTCODE" in promo code input. 3. Click "Apply". |
Success message: "Promo code TESTCODE applied!". Discount line appears in summary. Cart total is reduced. |
UI test for promo code functionality. | |
| CART-006 | Proceed to Checkout (Not Logged In) | Guest | Item in cart. | 1. Navigate to /cart. 2. Click "Proceed to Checkout". |
Global error "Please log in to proceed..." displayed. Redirected to /login. |
- | |
| CART-007 | Proceed to Checkout (Logged In) | Regular User | User logged in. Item in cart. | 1. Navigate to /cart. 2. Click "Proceed to Checkout". |
Redirected to /checkout. |
- | |
| 5. User Profile | PROF-001 | View Own Profile Information | Regular User | User "AliceSmith" logged in. | 1. Navigate to /profile. |
"Your Profile" heading. Displays AliceSmith's username, email, User ID. "Edit Email" button visible. BOLA demo section for accessing other users is visible (if UI Demos ON). Parameter Pollution demo for admin escalation visible (if UI Demos ON). Sections for Addresses and Credit Cards are present. |
- |
| PROF-002 | Edit Own Email | Regular User | User logged in. Profile page loaded. | 1. Click "Edit Email" button. 2. Edit email form appears. 3. Enter a new valid email. 4. Click "Save Email". |
Success message "Email updated successfully!". Email display on profile updates. Edit form hides. |
- | |
| PROF-003 | Add New Address | Regular User | User logged in. Profile page loaded. | 1. Click "Add New Address" button. 2. Address form opens. 3. Fill Street, City, Country, Zip Code. 4. Click "Add Address". |
Success message "Address added successfully!". New address appears in the list. Form closes/resets. |
- | |
| PROF-004 | Edit Existing Address | Regular User | User logged in. Address exists. | 1. In address list, click "Edit" for an address. 2. Address form opens, pre-filled with address data. "Editing Address..." indicator shown. 3. Modify street. 4. Click "Update Address". |
Success message "Address updated successfully!". Address details update in the list. Form closes/resets. |
- | |
| PROF-005 | Delete Address | Regular User | User logged in. Address exists. | 1. In address list, click "Delete" for an address. 2. Confirm deletion. |
Success message "Address deleted successfully!". Address is removed from the list. |
- | |
| PROF-006 | Set Default Address | Regular User | User logged in. Multiple addresses exist, one is not default. | 1. For a non-default address, click "Set Default". | Success message "Default address updated!". Address now shows "Default" badge. Previous default no longer has badge. |
- | |
| PROF-007 | Add New Credit Card | Regular User | User logged in. Profile page loaded. | 1. Click "Add New Card" button. 2. Card form opens. 3. Fill Cardholder Name, Card Number, Expiry (MM/YYYY), CVV. 4. Click "Add Card". |
Success message "Credit card added successfully!". New card (masked number) appears in list. Form closes/resets. |
- | |
| PROF-008 | Edit Existing Credit Card | Regular User | User logged in. Card exists. | 1. In card list, click "Edit" for a card. 2. Card form opens, pre-filled (Card #, CVV disabled/placeholder "Not updatable"). "Editing Credit Card..." indicator shown. 3. Modify cardholder name. 4. Click "Update Card". |
Success message "Credit card updated successfully!". Card details update in list. Form closes/resets. |
Card number and CVV are not editable for existing cards via UI. | |
| PROF-009 | Delete Credit Card | Regular User | User logged in. Card exists. | 1. In card list, click "Delete" for a card. 2. Confirm deletion. |
Success message "Credit card deleted successfully!". Card removed from list. |
- | |
| PROF-010 | Set Default Credit Card | Regular User | User logged in. Multiple cards exist, one is not default. | 1. For a non-default card, click "Set Default". | Success message "Default credit card updated!". Card now shows "Default" badge. |
- | |
| PROF-011 | BOLA Demo: View Another User's Profile | Regular User | User "AliceSmith" logged in. User "BobJohnson" exists (ID 00000003-...). UI Demos ON. |
1. Navigate to /profile. 2. Click "Discover Other Users". 3. List of users (including BobJohnson) appears. 4. Click "View Profile (BOLA Exploit)" for BobJohnson. 5. (Alternative: Manually enter Bob's ID if known) 6. Click "Return to My Profile". |
BobJohnson's profile information (username, email, addresses, cards) is displayed. "BOLA DEMO ACTIVE!" banner shown. "Return to My Profile" button appears. Clicking "Return" reloads AliceSmith's profile. |
BOLA (API1:2023) - Accessing other user's data. BFLA (API5:2023) - Listing users. |
|
| PROF-012 | BOLA Demo: Manage Another User's Address | Regular User | User "AliceSmith" logged in, viewing "BobJohnson's" profile via BOLA. UI Demos ON. | 1. While viewing BobJohnson's profile, click "Add New Address". 2. Add a new address. 3. Observe address list for Bob. 4. Edit an existing address of Bob. 5. Delete an address of Bob. |
Address is added/edited/deleted for BobJohnson's profile, not AliceSmith's. Success messages indicate action for Bob. | BOLA (API1:2023) - Modifying other user's data. | |
| PROF-013 | Parameter Pollution Demo: Admin Escalation | Regular User | User "AliceSmith" logged in, viewing own profile. UI Demos ON. | 1. Scroll to "Parameter Pollution Demo: Admin Escalation". 2. Click "Attempt Admin Escalation for AliceSmith". 3. Confirm action. |
Success message "Admin escalation attempt sent...". Profile reloads. AliceSmith's profile now shows "Admin" badge. (User object in localStorage might also update). |
Parameter Pollution (API3:2023) - Privilege Escalation. | |
| 6. Checkout | CHKO-001 | View Checkout Page (Valid State) | Regular User | User logged in. Cart has items. User has at least one address and one card. | 1. Navigate to /checkout. |
Page loads with "Order Summary" (cart items). "Shipping Address" dropdown populated, default selected. "Payment Method" dropdown populated, default selected. "Place Order" button enabled. BOLA Demo section visible (if UI Demos ON). |
- |
| CHKO-002 | Checkout with Empty Cart | Regular User | User logged in. Cart is empty. | 1. Navigate to /checkout. |
Global message "Your cart is empty..." displayed. Redirected to / or /cart. "Place Order" button would be disabled or page content different. |
- | |
| CHKO-003 | Checkout without Login | Guest | Cart has items. | 1. Navigate to /checkout. |
Global message "Please log in..." displayed. Redirected to /login. |
- | |
| CHKO-004 | Successful Order Placement | Regular User | User logged in. Cart has items. Address and Card selected. | 1. Navigate to /checkout. 2. Ensure address and payment are selected. 3. Click "Place Order". |
Loading indicator "Processing order...". Success message "Order placed successfully!". Cart is cleared. Redirected to /orders page. New order appears in list. |
- | |
| CHKO-005 | BOLA Demo: Order for Another User | Regular User | User "AliceSmith" logged in. Cart has items. User "BobJohnson" exists. UI Demos ON. | 1. Navigate to /checkout. 2. Check "Enable BOLA Exploit Mode". 3. BOLA fields appear. 4. Enter BobJohnson's User ID in "Victim User ID". 5. Enter one of Bob's Address IDs and Credit Card IDs (from prepopulated_data.json or discovered via Profile BOLA). 6. Click "Place Order". |
"BOLA Vulnerability Exploit Mode Active!" warning shown. Success message "BOLA EXPLOIT: Order ... placed FOR BobJohnson!". Cart is cleared. Redirects to orders page showing BobJohnson's orders. |
BOLA (API1:2023) - Placing order as/for another user using their resources. | |
| CHKO-006 | BOLA Demo: Use Another User's Payment for Own Order | Regular User | User "AliceSmith" logged in. Cart has items. User "BobJohnson" has a card. UI Demos ON. | 1. Navigate to /checkout. 2. Select Alice's own address. 3. Check "Enable BOLA Exploit Mode". 4. Leave "Victim User ID" blank (or Alice's ID). 5. Enter BobJohnson's Credit Card ID in "Target Credit Card ID". 6. Click "Place Order". |
"BOLA Vulnerability Exploit Mode Active!" warning shown. Success message "BOLA EXPLOIT: Order ... (for you, AliceSmith) charged to BobJohnson's card!". Cart is cleared. Redirects to AliceSmith's orders page. |
BOLA (API1:2023) - Using another user's payment method for own order. | |
| 7. Order History | ORD-001 | View Own Order History | Regular User | User logged in and has placed orders. | 1. Navigate to /orders. |
List of user's own orders displayed with ID, Date, Status, Total, Item Count. BOLA Demo section for viewing other user's orders is visible (if UI Demos ON). |
- |
| ORD-002 | BOLA Demo: View Another User's Orders | Regular User | User "AliceSmith" logged in. "BobJohnson" has orders. UI Demos ON. | 1. Navigate to /orders. 2. In "BOLA Vulnerability Demo" section, enter BobJohnson's User ID. 3. Click "View Another User's Orders". 4. Click "Return to Your Orders". |
BobJohnson's orders are displayed. "Currently viewing orders for: BobJohnson..." indicator shown. "Return to Your Orders" button restores Alice's orders. |
BOLA (API1:2023) - Viewing other user's orders. | |
| 8. Admin Panel | ADM-001 | Access Admin Page as Regular User (BFLA) | Regular User | User logged in. | 1. Navigate to /admin. |
Admin Dashboard loads. Global message "BFLA Vulnerability Demo: You are accessing admin functions..." displayed. Product list, Add Product form, Update Stock form, Delete User form are visible. Parameter Pollution demo options are available (if UI Demos ON). |
BFLA (API5:2023) - Accessing admin functions. |
| ADM-002 | Admin: Add Product (via BFLA) | Regular User | User logged in. On /admin page. |
1. Fill "Add New Product" form. 2. Optionally check "Set Internal Status" and provide a value. 3. Click "Add Product (Demo Exploit)". |
Success message "Product added successfully!". If internal status was set, success message for Parameter Pollution demo. Product list refreshes, new product appears. |
BFLA (API5:2023) - Creating product. Parameter Pollution (API3:2023) - Setting internal status. |
|
| ADM-003 | Admin: Update Stock (via BFLA) | Regular User | User logged in. On /admin page. Product ID exists. |
1. Fill "Update Product Stock" form with Product ID and new Quantity. 2. Click "Update Stock". |
Success message "Stock for [ProductID] set to [Qty]". Product list stock updates. |
BFLA (API5:2023) - Updating stock. | |
| ADM-004 | Admin: Delete Product (via BFLA) | Regular User | User logged in. On /admin page. Product exists. |
1. In product list, click "Delete" for a product. 2. Confirm deletion. |
Success message "Product [ProductID] deleted successfully.". Product removed from list. |
BFLA (API5:2023) - Deleting product. | |
| ADM-005 | Admin: Delete User (via BFLA) | Regular User | User logged in. On /admin page. Target User ID exists. |
1. Fill "Delete User" form with a Target User ID (e.g., BobJohnson's ID). 2. Click "Delete User". 3. Confirm deletion. |
Success message "User [UserID] deleted.". (Verification: try logging in as deleted user - should fail). |
BFLA (API5:2023) - Deleting user. | |
| ADM-006 | Admin: Parameter Pollution for Product Listing | Regular User | User logged in. On /admin page. UI Demos ON. |
1. Check "Escalate to Admin Privileges" checkbox. 2. Observe "Demo URL" changes. 3. Product list reloads/updates. 4. Check "Show Internal Products" checkbox. 5. Observe "Demo URL" changes. 6. Product list reloads/updates. |
"Demo URL" updates to include &role=admin and/or &status=internal. "BFLA Vulnerability Demo Active" banner updates. Product list potentially shows more products or products with internal status visible (if backend reflects this). |
Parameter Pollution (API3:2023) / BFLA (API5:2023) - Modifying API query to access restricted data/functionality. |
This table provides a comprehensive starting point. Real-world UI testing would also involve:
- Usability Tests: How easy is the UI to use?
- Accessibility Tests: (WCAG compliance)
- Performance Tests: How fast does the UI load and respond?
- Cross-Browser/Device Tests: Does it work on Chrome, Firefox, Safari, mobile, etc.?
- More Granular Negative Tests: Testing all form validations, invalid inputs, etc.
- Visual Regression Tests: Ensuring UI appearance doesn't break.
The focus here was on functional and vulnerability-related UI testing based on your codebase.Okay, this is a comprehensive plan. Based on your codebase, here's a clear and concise table outlining a plan to test all major elements of your e-commerce application via the frontend UI, step by step.
Assumptions:
- The frontend Flask app (
frontend/main.py) serves the HTML templates fromfrontend/templates/. - JavaScript files in
frontend/static/js/(especiallymain.js,admin.js,product-detail.js,checkout.js) handle dynamic content, API interactions, and UI logic. - The UI is designed to interact with the API endpoints defined in your
app/routers/. - The "UI Vulnerability Demos" toggle switch in the navbar (
base.html,main.js) influences the visibility of certain vulnerability demonstration UI elements.
Pre-Test Setup (General):
- Ensure the backend API server is running (e.g.,
uvicorn app.main:app). - Ensure the frontend Flask server is running (e.g.,
python frontend/main.py). - Clear browser cache/localStorage or use an incognito window for a clean session, especially when switching user roles.
- Have test user credentials ready (e.g.,
admin,AliceSmith,BobJohnsonfromprepopulated_data.json). - Familiarize yourself with product IDs, user IDs, address IDs, and card IDs from
prepopulated_data.jsonfor targeted testing.
Frontend UI Test Plan
| Feature/Module | Test Case ID | Test Scenario | User Role(s) | Preconditions | Test Steps (UI) | Expected Result | Notes/Vulnerabilities Tested (UI Perspective) |
|---|---|---|---|---|---|---|---|
| 0. Global UI & Navigation | GBL-001 | Verify UI Vulnerability Demo Toggle | Guest / Logged-in User | None | 1. Navigate to any page. 2. Locate the "UI Demos" toggle switch in the navbar. 3. Click the toggle to ON. 4. Observe status text next to toggle updates to "ON". 5. Navigate to a page with demo elements (e.g., Profile, Checkout, Admin). 6. Click the toggle to OFF. 7. Observe status text updates to "OFF". |
Toggle state changes correctly. A global message about the toggle status is displayed. UI elements related to vulnerability demos (e.g., BOLA forms, Parameter Pollution forms) become visible/hidden according to the toggle state (verified in specific feature tests). |
Core UI feature for controlling visibility of vulnerability demo sections. |
| GBL-002 | Verify Navbar Links (Guest) | Guest | User is not logged in. | 1. Navigate to /. 2. Inspect navbar links. |
Links visible: "Home", "Cart (0)", "Login", "Register". "Profile", "Orders", "Admin Page", "Logout" are NOT visible. | Basic navigation. | |
| GBL-003 | Verify Navbar Links (Logged-in Regular User) | Regular User | User "AliceSmith" is logged in. | 1. Log in as "AliceSmith". 2. Navigate to /. 3. Inspect navbar links. |
Links visible: "Home", "Cart", "Profile (AliceSmith)", "Orders", "Logout". "Admin Page" (without demo badge) NOT visible unless UI Demos are ON. "Login", "Register" NOT visible. | Navigation for authenticated user. | |
| GBL-004 | Verify Navbar Links (Logged-in Admin User) | Admin User | User "admin" is logged in. | 1. Log in as "admin". 2. Navigate to /. 3. Inspect navbar links. |
Links visible: "Home", "Cart", "Profile (admin)", "Orders", "Admin Page", "Logout". | Navigation for admin user. | |
| GBL-005 | Verify Navbar Links (Admin via UI Demo Toggle) | Regular User | User "AliceSmith" is logged in. "UI Demos" toggle is ON. |
1. Log in as "AliceSmith". 2. Ensure "UI Demos" toggle is ON. 3. Inspect navbar links. |
"Admin Page (Demo)" link is visible in the navbar. | BFLA visibility due to UI demo toggle. | |
| 1. User Authentication | AUTH-001 | Successful User Registration | Guest | None | 1. Navigate to /register. 2. Fill "Username", "Email", "Password", "Confirm Password" with unique, valid data. 3. Click "Register" button. |
Success message "Registration successful! Please log in." displayed. User is redirected to /login. |
- |
| AUTH-002 | Attempt Registration with Existing Username/Email | Guest | Username "AliceSmith" or email "alice.smith@example.com" already exists. | 1. Navigate to /register. 2. Use "AliceSmith" for username or "alice.smith@example.com" for email. 3. Click "Register". |
Error message displayed (e.g., "Username already registered" or "Email already registered"). | - | |
| AUTH-003 | Successful User Login | Guest | User "AliceSmith" (password: "AlicePass1!") exists. | 1. Navigate to /login. 2. Enter "AliceSmith" for username and "AlicePass1!" for password. 3. Click "Login" button. |
Success message "Login successful! Redirecting..." displayed. User is redirected to /. Navbar updates for logged-in user. |
- | |
| AUTH-004 | Attempt Login with Incorrect Credentials | Guest | Credentials do not match any user. | 1. Navigate to /login. 2. Enter "invaliduser" and "invalidpass". 3. Click "Login". |
Error message "Login failed: Incorrect username or password" displayed. | - | |
| AUTH-005 | User Logout | Regular User | User is logged in. | 1. Click "Logout" link in the navbar. | User is logged out. Redirected to /login (or /). Navbar updates to guest view. Cart is cleared from localStorage and UI. |
- | |
| 2. Homepage & Products | HOME-001 | View Product Listing on Homepage | Guest / User | API is serving products. | 1. Navigate to /. |
Page title is correct. Hero section and search bar are visible. Loading skeletons appear briefly. Product grid ( #products-container) displays multiple product cards. Each card shows image, title, short description, price, stock status, and "Add to Cart" button. |
- |
| HOME-002 | Search for Products (Valid Term) | Guest / User | Products matching "Laptop" exist. | 1. On homepage, type "Laptop" into the search input (#search-term). 2. Click the "Search" button. |
Product grid updates to show only products containing "Laptop" in their name. The "#search-info" note (about injection demo) might become visible on input focus. |
- | |
| HOME-003 | Search for Products (Injection Demo UI Feedback) | Guest / User | - | 1. On homepage, type _ (or any character) into #search-term. 2. Observe if "#search-info" div appears. 3. (Optional) Type ' OR 1=1 -- and click "Search". |
The "#search-info" div (Note: This search feature demonstrates potential injection vulnerabilities) becomes visible. Search results may be normal or empty depending on backend handling of the specific string. |
Tests UI note for injection. Actual injection depends on backend. | |
| HOME-004 | Add Product to Cart from Homepage | Guest / User | A product is in stock. | 1. On homepage, find an in-stock product card. 2. Click its "Add to Cart" button. |
Global success message "Added [Product Name] to cart." displayed. Cart count in navbar ( #cart-item-count) increases. |
- | |
| 3. Product Detail Page | PDP-001 | View Valid Product Details | Guest / User | Product ID f47ac10b-58cc-4372-a567-0e02b2c3d479 (Laptop Pro 15) exists. |
1. Navigate to /products/f47ac10b-58cc-4372-a567-0e02b2c3d479 (or .html). |
Page loads product name, image, price, full description, stock status. Quantity input defaults to 1. "Add to Cart" button visible. Accordion sections (Shipping, Returns) are present and functional. "Parameter Pollution Demo" section is visible (if UI Demos ON and user logged in). |
- |
| PDP-002 | View Invalid Product Details | Guest / User | Product ID invalid-id does not exist. |
1. Navigate to /products/invalid-id. |
Error message "Failed to load product details" (or similar) displayed. Product detail container shows an error state. | - | |
| PDP-003 | Adjust Quantity and Add to Cart | Guest / User | Product page loaded, product in stock. | 1. On product detail page, click quantity "+" button twice. 2. Verify quantity input is "3". 3. Click "Add to Cart" button. |
Quantity input updates. Global success message displayed. Navbar cart count reflects 3 items added. |
- | |
| PDP-004 | Parameter Pollution Demo UI Interaction | Regular User | User logged in. "UI Demos" toggle is ON. Product page loaded. | 1. On product detail page, find "Parameter Pollution Demo" section. 2. Enter "internal_status" in "Parameter Name", "on_hold" in "Parameter Value". 3. Click "Apply Parameter & Reload". |
Success message "Product updated..." may appear. Page reloads. "Demo URL" display shows the constructed URL with parameters. If backend reflects this, product's internal_status might appear on the page. A warning about parameter pollution might be displayed if the internal_status URL param is present on load. |
UI for Parameter Pollution (API3:2023). | |
| 4. Shopping Cart | CART-001 | View Empty Cart | Guest / User | Cart is empty. | 1. Navigate to /cart. |
"Your cart is empty" message displayed. Subtotal, Shipping, Total are $0.00. "Proceed to Checkout" button is disabled or not visible. |
- |
| CART-002 | Add Item, View Cart, Update Quantity, Remove Item | Guest / User | Product "Laptop Pro 15" exists and is in stock. | 1. Navigate to /, add "Laptop Pro 15" to cart. 2. Navigate to /cart. 3. Verify "Laptop Pro 15" is in cart with quantity 1. 4. Change quantity to "2" using input or buttons. 5. Click "Remove" button for "Laptop Pro 15". 6. Confirm removal. |
Laptop appears in cart. Totals are correct. Quantity updates, totals recalculate. Laptop is removed. Cart becomes empty, totals reset to $0.00. |
- | |
| CART-003 | Apply Promo Code (UI Only) | Guest / User | Item(s) in cart. | 1. Navigate to /cart. 2. Enter "TESTCODE" in promo code input. 3. Click "Apply". |
Success message "Promo code 'TESTCODE' applied!" appears. A discount line is added to the order summary. The total amount is reduced. |
UI for promo code logic. | |
| 5. User Profile | PROF-001 | View Own Profile, Addresses, Credit Cards | Regular User | User "AliceSmith" logged in. Alice has addresses and cards. | 1. Navigate to /profile. |
"AliceSmith's Profile" (or "Your Profile") heading. User info (username, email, ID) displayed. List of Alice's addresses displayed, with default clearly marked. List of Alice's credit cards (masked) displayed, with default marked. "Add New Address/Card" buttons visible. |
- |
| PROF-002 | Add/Edit/Delete Address | Regular User | User "AliceSmith" logged in. | 1. On /profile, click "Add New Address". 2. Fill and submit form. 3. Verify new address appears. 4. Click "Edit" on an address. 5. Modify details and submit. 6. Verify address updates. 7. Click "Delete" on an address and confirm. 8. Verify address is removed. 9. Click "Set Default" on a non-default address. |
Each action results in a success message. Address list updates correctly. "Editing Address..." indicator shown during edit. Form opens/closes as expected. Default address badge updates. |
- | |
| PROF-003 | Add/Edit/Delete Credit Card | Regular User | User "AliceSmith" logged in. | 1. On /profile, click "Add New Card". 2. Fill and submit form (CVV, Card # required for new). 3. Verify new card appears. 4. Click "Edit" on a card. 5. Modify details (CVV, Card # NOT editable) and submit. 6. Verify card updates. 7. Click "Delete" on a card and confirm. 8. Verify card is removed. 9. Click "Set Default" on a non-default card. |
Each action results in a success message. Card list updates correctly. "Editing Credit Card..." indicator shown during edit. Form opens/closes. Card #/CVV fields disabled/placeholder for edit. Default card badge updates. |
- | |
| PROF-004 | BOLA Demo: View Another User's Profile UI | Regular User | "AliceSmith" logged in. User "BobJohnson" (ID 00000003-...) exists. "UI Demos" toggle ON. |
1. Navigate to /profile. 2. In "BOLA Vulnerability Demo" section, click "Discover Other Users". 3. Select "BobJohnson" from the list (or manually enter his ID) and click "View Profile (BOLA Exploit)". 4. Click "Return to My Profile". |
List of users (excluding Alice) appears. BobJohnson's profile, addresses, and cards are displayed. "BOLA DEMO ACTIVE!" banner is visible. "Currently viewing: BobJohnson's Profile" is shown. Actions (Add/Edit/Delete Address/Card) now target BobJohnson. Clicking "Return" reloads Alice's profile. |
BOLA (API1) UI: Accessing other's data. BFLA (API5) UI: Listing users. |
|
| PROF-005 | BOLA Demo: Modify Another User's Data UI | Regular User | AliceSmith logged in, viewing BobJohnson's profile via BOLA. "UI Demos" toggle ON. | 1. While viewing BobJohnson's profile, attempt to add a new address for Bob. 2. Attempt to edit one of Bob's existing addresses. 3. Attempt to delete one of Bob's addresses. |
Operations succeed and reflect on BobJohnson's data (not Alice's). Success messages mention BobJohnson or the target user. |
BOLA (API1) UI: Modifying other's data. | |
| PROF-006 | Parameter Pollution Demo: Admin Escalation UI | Regular User | "AliceSmith" logged in, viewing own profile. "UI Demos" toggle ON. | 1. On /profile, find "Parameter Pollution Demo: Admin Escalation". 2. Click "Attempt Admin Escalation for AliceSmith". 3. Confirm. |
Success message about attempt. Profile reloads. "Admin" badge appears next to AliceSmith's username. "Admin Page" link might appear in navbar. |
Parameter Pollution (API3) UI. | |
| 6. Checkout Process | CHKO-001 | Initiate Checkout & View Form | Regular User | User logged in. Cart has items. User has address & card. | 1. Navigate to /cart. 2. Click "Proceed to Checkout". 3. On /checkout page, observe the form. |
Cart summary is displayed. Shipping address dropdown pre-selects default (if any). Payment method dropdown pre-selects default (if any). "Place Order" button enabled. BOLA Demo section for "Order for Another User" is visible (if UI Demos ON). |
- |
| CHKO-002 | Successful Order Placement (Normal) | Regular User | All preconditions for CHKO-001 met. | 1. On /checkout page, confirm/select address and payment. 2. Click "Place Order". |
"Processing order..." shown. Success message "Order ... placed successfully!" displayed. Cart is cleared. User redirected to /orders. New order appears at the top of order list. |
- | |
| CHKO-003 | BOLA Demo: Order FOR Another User UI | Regular User | "AliceSmith" logged in. Cart has items. BobJohnson exists with address/card. "UI Demos" ON. | 1. Navigate to /checkout. 2. Check "Enable BOLA Exploit Mode". 3. BOLA fields appear. 4. Click "Find Users", select BobJohnson. "Target User ID" populated. 5. Click "Find Target Addresses", select one of Bob's addresses. "Target Address ID" populated. 6. Click "Find Target Cards", select one of Bob's cards. "Target Credit Card ID" populated. 7. Click "Place Order". |
"BOLA Exploit Mode Active!" warning appears. "Theft Preview" updates to show Bob's card details. Success message "BOLA EXPLOIT: Order ... placed FOR BobJohnson!". Redirects to /orders (now showing Bob's orders or a message indicating this). |
BOLA (API1) UI: Ordering FOR another user, using their address and payment. | |
| CHKO-004 | BOLA Demo: Order for SELF, PAY with Another's Card UI | Regular User | "AliceSmith" logged in. Cart has items. BobJohnson has a card. "UI Demos" ON. | 1. Navigate to /checkout. 2. Select Alice's own address. 3. Check "Enable BOLA Exploit Mode". 4. Leave "Target User ID" blank (or Alice's). 5. Leave "Target Address ID" blank (or Alice's). 6. Click "Find Target Cards", select one of Bob's cards. "Target Credit Card ID" populated. 7. Click "Place Order". |
"BOLA Exploit Mode Active!" warning. "Theft Preview" shows Bob's card. Success message "BOLA EXPLOIT: Order ... (for you, AliceSmith) charged to BobJohnson's card!". Redirects to /orders (showing Alice's orders). |
BOLA (API1) UI: Ordering for self, but charging another user's card. | |
| 7. Order History Page | ORD-001 | View Own Orders | Regular User | User logged in, has placed orders. | 1. Navigate to /orders. |
Table lists user's own orders with details. "BOLA Vulnerability Demo" section is visible (if UI Demos ON). |
- |
| ORD-002 | BOLA Demo: View Another User's Orders UI | Regular User | "AliceSmith" logged in. "BobJohnson" has orders. "UI Demos" ON. | 1. Navigate to /orders. 2. In "BOLA Demo" section, click "List Users", then select "BobJohnson" or enter Bob's ID into "Enter User ID to View Orders". 3. Click "View Another User's Orders". 4. Click "Return to Your Orders". |
BobJohnson's orders are displayed. An indicator "Currently viewing orders for: BobJohnson..." is shown. "Return to Your Orders" button works. |
BOLA (API1) UI: Viewing other user's orders. | |
| 8. Admin Dashboard | ADM-001 | Access Admin Page as Regular User (BFLA UI Demo) | Regular User | User "AliceSmith" logged in. "UI Demos" toggle ON. | 1. Navigate to /admin (e.g., via navbar link if UI demos are ON). |
Admin Dashboard page loads. "BFLA Vulnerability Demo Active" banner displayed. Product list, Add Product form, Update Stock form, Delete User form are all visible and functional. "Parameter Pollution Demo Options" are visible. |
BFLA (API5) UI: Accessing admin functionality. |
| ADM-002 | Admin: Parameter Pollution Demo for Product List UI | Regular User | On /admin page. "UI Demos" ON. |
1. Check "Escalate to Admin Privileges" checkbox. 2. Observe "Demo URL" updates. 3. Check "Show Internal Products" checkbox. 4. Observe "Demo URL" updates. |
"Demo URL" updates to include &role=admin and/or &status=internal. Product list below may refresh and show different/more products based on backend response to polluted params (e.g., products with internal status). Banner updates to reflect current pollution. |
Parameter Pollution (API3) / BFLA (API5) UI. | |
| ADM-003 | Admin: Add Product (BFLA UI Demo) | Regular User | On /admin page. |
1. Fill "Add New Product" form with valid data. 2. (Optional) Check "Set Internal Status" and enter a value like "backordered". 3. Click "Add Product (Demo Exploit)". |
Success message "Product added successfully!". If internal status was set, a message about parameter pollution might appear. New product appears in the admin product list. |
BFLA (API5) / Parameter Pollution (API3) UI. | |
| ADM-004 | Admin: Update Stock (BFLA UI Demo) | Regular User | On /admin page. A product ID (e.g., from Laptop Pro 15) is known. |
1. Fill "Update Product Stock" form with a valid Product ID and a new Quantity. 2. Click "Update Stock". |
Success message "Stock for [ProductID] set to [Quantity]". The stock for that product updates in the admin product list. |
BFLA (API5) UI. | |
| ADM-005 | Admin: Delete Product (BFLA UI Demo) | Regular User | On /admin page. Product exists. |
1. In the product list, click "Delete" for a product. 2. Confirm deletion. |
Success message "Product [ProductID] deleted successfully." Product is removed from the list. |
BFLA (API5) UI. | |
| ADM-006 | Admin: Delete User (BFLA UI Demo) | Regular User | On /admin page. User "BobJohnson" exists. |
1. Fill "Delete User" form with BobJohnson's User ID. 2. Click "Delete User". 3. Confirm deletion. |
Success message "User [UserID] deleted.". (To verify, try logging in as BobJohnson - should fail). |
BFLA (API5) UI. |
Coupons currently have no dedicated UI. Use the API endpoints directly:
# Create a demo coupon (BFLA)
curl -X POST -H "Authorization: Bearer <token>" \
"http://localhost:8000/api/admin/coupons?code=WELCOME10&discount_type=percentage&discount_value=10"
# Apply a coupon to an order
curl -X POST -H "Authorization: Bearer <token>" \
"http://localhost:8000/api/users/<user_id>/orders/<order_id>/apply-coupon?coupon_code=WELCOME10"