DIREKT Security Test Plan¶
Automated¶
- secret and dependency scanning;
- static analysis;
- authorization matrix tests;
- input/file validation;
- webhook signature/replay;
- session/revocation;
- evidence URL expiry;
- public/private serialization;
- rate limits;
- audit event assertions.
Manual/independent¶
Before pilot:
- IDOR and role escalation;
- Android local storage/log inspection;
- portal session/CSRF/XSS;
- file upload/storage;
- location exposure;
- trust-state tampering;
- payment flow;
- backup/restore access;
- Pages/public asset review.
Abuse scenarios¶
Collusion, duplicate provider, fake review, account recovery attack, OTP enumeration, field evidence replay and complaint harassment.
Findings¶
Severity, evidence, affected version, owner, due date, regression test and risk acceptance. Critical/high blocks release unless formally resolved/accepted by authorized owner.