
qTest Controller-Configuration for Security Enhancement 9.7.1 OnPremise

Overview

During a CSRF attack, the user's credentials may be inherited by a forged request and used to perform actions the user did not intend, usually causing a change of state on the server. Note that this does not result in any data theft.

By default, the qTest 9.7.1+ OnPremise installation disables some security configurations to simplify the installation process. To enable these security features, follow the instructions below.

Note: These steps apply to Windows and Linux (non-Docker) installations.

Prerequisite

Enable SSL for all applications. Follow the guides below for your OS:

Configure CSRF for qTest Manager

Stop qTest Service

  • Linux (non-Docker): from the "qtestctl" directory where your current version of Manager is installed, run:
    systemctl stop qtest
  • Windows:
    C:\[path_to_qtestctl]>net stop qtest

Modify qtestctl/manager/build.gradle

  1. Edit the file qtestctl/manager/build.gradle
    a. Search for the following line (line 212 in version 9.7.1):
    testconductor.environment=onpremise
    b. Add your configuration directly below that line:
    testconductor.environment=onpremise
    [Add config here]
  2. Add the CSRF config (e.g. to allow the domains qtestdev.com and qtestnet.com):

    qtestctl/manager/build.gradle

    211 # WEB-INF/classes/configuration/common/override.properties
    212 testconductor.environment=onpremise
    213
    214 # csrf config
    215 qtest.request.nonce.disabled=false
    216 qtest.request.nonce.mode=HighPrecision
    217 security.csrf.source.trust.pattern=.*.qtestdev.com.*|.*.qtestnet.com.*
    218
    219 # thread executor

Restart qTest Service

  • Linux (non-Docker)
    $ systemctl start qtest
  • Windows
    C:\[path_to_qtestctl]>net start qtest

Configure CSRF for qTest Sessions

Stop qTest Service

  • Linux (non-Docker): from the "qtestctl" directory where your current version of Manager is installed, run:
    systemctl stop qtest
  • Windows:
    C:\[path_to_qtestctl]>net stop qtest

Modify qtestctl/sessions/build.gradle

  1. Edit the file qtestctl/sessions/build.gradle
    a. Search for the following line (line 220 in version 9.7.1):
    DB_CONNECTION: dbConnection,
    b. Add the CSRF_ALLOW_PATTERN entry directly below that line:
    DB_CONNECTION: dbConnection,
    [Add config here]
  2. Add the CSRF_ALLOW_PATTERN config (e.g. to allow the domains qtestdev.com and qtestnet.com):

    qtestctl/sessions/build.gradle

    220 DB_CONNECTION: dbConnection,
    221 CSRF_ALLOW_PATTERN: 'qtestdev.com|qtestnet.com',
    222 RESPONSE_HEADERS: "[" + buildCustomResponseHeadersJSONString() + "]"

Restart qTest Service

  • Linux (non-Docker)
    $ systemctl start qtest
  • Windows
    C:\[path_to_qtestctl]>net start qtest
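The two trust patterns configured above (the Manager `security.csrf.source.trust.pattern` and the Sessions `CSRF_ALLOW_PATTERN`) decide which request origins the CSRF check accepts, so it is worth auditing what they actually match before restarting. The following is an added example, not part of the qTest product or this article; it assumes the configured value is evaluated as a regular expression "find" against the host of the request's Origin or Referer header, and the stricter pattern it builds is illustrative only, not a documented qTest value.

```python
import re
from urllib.parse import urlsplit

# Trust patterns copied from the two build.gradle snippets in this article.
MANAGER_TRUST_PATTERN = r".*.qtestdev.com.*|.*.qtestnet.com.*"
SESSIONS_ALLOW_PATTERN = r"qtestdev.com|qtestnet.com"

# Constructed sample Origin header values; none refer to a real deployment.
SAMPLE_ORIGINS = [
    "https://qtest.qtestdev.com",
    "https://qtest.qtestnet.com:8443",
    "https://qtestdev.com",                       # bare apex domain, no subdomain
    "https://qtest.qtestdevXcom.example",         # an unescaped '.' also matches 'X'
    "https://app.qtestnet.com.unrelated.example", # pattern is not anchored to the end
    "https://other.example",
]


def origin_host(origin: str) -> str:
    """Return the lower-cased host part of an Origin/Referer value (port dropped)."""
    return (urlsplit(origin).hostname or "").lower()


def host_matches(pattern: str, origin: str) -> bool:
    """Assumption: qTest applies the pattern as a regex 'find' (Java find()) to the
    origin host; re.search has the same 'contains a match' semantics."""
    return re.search(pattern, origin_host(origin)) is not None


def strict_host_pattern(domains) -> str:
    """Illustrative stricter pattern (not a qTest-documented value): dots escaped,
    anchored to the whole host, subdomains of the listed domains still allowed."""
    alternatives = "|".join(re.escape(d) for d in domains)
    return rf"^([a-z0-9-]+\.)*({alternatives})$"


def host_matches_strict(pattern: str, origin: str) -> bool:
    """Full-host match for the anchored pattern above."""
    return re.fullmatch(pattern, origin_host(origin)) is not None


def audit(pattern: str, origins, strict: bool = False) -> dict:
    """Map each origin to whether the given pattern would trust it."""
    check = host_matches_strict if strict else host_matches
    return {o: check(pattern, o) for o in origins}


if __name__ == "__main__":
    for name, pat in (("manager", MANAGER_TRUST_PATTERN), ("sessions", SESSIONS_ALLOW_PATTERN)):
        print(name, audit(pat, SAMPLE_ORIGINS))
    print("strict", audit(strict_host_pattern(["qtestdev.com", "qtestnet.com"]), SAMPLE_ORIGINS, strict=True))
```

Running the audit shows that the Manager pattern requires at least one character before `qtestdev`, so the bare apex `qtestdev.com` is not trusted, while hosts whose name merely contains the domain text are.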