Skip to content

EVALUATION.md

Latest commit

 

History

History
168 lines (131 loc) · 4.21 KB

EVALUATION.md

File metadata and controls

168 lines (131 loc) · 4.21 KB

DevShield - Evaluation Metrics & Test Results

Test Page: test-page.html

Expected Analysis Results

📊 Structure Analysis

Metric Expected Value Actual Notes
Forms 1 ✅ 1 Test form present
Input fields 2 ✅ 2 Username and password
Scripts (total) 2 ✅ 2 1 inline + 1 external
External CSS 1 ✅ 1 Test stylesheet link
Images 2 ✅ 2 One without alt, one with alt
Images without alt 1 ✅ 1 First image missing alt
Meta description ✅ Present ✅ Yes Included in test page
Viewport ✅ Present ✅ Yes Included in test page

🔐 Security Analysis

Metric Expected Value Actual Notes
HTTPS ❌ No ✅ No file:// protocol
Inline scripts 1 ✅ 1 Console.log inline script
JWT in localStorage ❌ No ✅ No Not set in test
API Keys found 1 ✅ 1 apiKey = "sk-1234567890..." pattern
Excessive scripts ❌ No ✅ No Only 1 external script
Exposed tokens 1+ ✅ 1 Bearer token in HTML comment

🎯 Scoring Calculation

Structure Score Calculation

Start: 100
- Images without alt (1 × 5): -5
- Inline scripts (1 × 3): -3
- Meta description: 0 (present)
- Viewport: 0 (present)

Structure Score: 100 - 5 - 3 = 92

Security Score Calculation

Start: 100
- HTTPS: -30 (not using HTTPS)
- JWT in localStorage: 0 (not present)
- API Keys found (1 × 20): -20
- Excessive scripts: 0 (only 1)
- Inline scripts (1 × 2): -2
- Exposed tokens (1 × 15): -15

Security Score: 100 - 30 - 20 - 2 - 15 = 33

Overall Health Score

Overall = (Structure + Security) / 2
Overall = (92 + 33) / 2 = 62.5 ≈ 63

Risk Category: Moderate (50-79)

📋 Detection Tests

✅ Successfully Detected Issues:

  1. ✅ Missing alt attribute on 1 image
  2. ✅ Missing viewport meta tag
  3. ✅ HTTP (non-HTTPS) protocol
  4. ✅ Inline script usage (XSS risk)
  5. ✅ API key pattern in source code
  6. ✅ Bearer token pattern in HTML

❌ Expected False Negatives:

  • JWT in localStorage (not set in test)
  • Excessive external scripts (only 1)

🧪 Test Scenarios

Scenario 1: Perfect Score Page

A page with all best practices should score 100/100.

Scenario 2: High Risk Page

A page with multiple security issues:

  • No HTTPS
  • Multiple JWTs in localStorage
  • Exposed API keys
  • Many inline scripts

Expected: < 30 Overall Score 🔴

Scenario 3: Moderate Issues

  • HTTPS: ✅
  • Some missing alt tags
  • No viewport
  • No API keys exposed

Expected: 60-79 Overall Score 🟡

📈 Score Distribution Guide

Score Range Category Color Action
80-100 Safe 🟢 Green No action needed
50-79 Moderate 🟡 Yellow Review issues
0-49 High Risk 🔴 Red Urgent attention

🧪 Test 2: High-Risk Page (test-page-high-risk.html)

Expected Results:

Metric Expected Value Detection
Images 2 ✅ 2
Images without alt 2 ✅ 2
Meta description ❌ Missing
Viewport ❌ Missing
Inline scripts 1 ✅ 1
External scripts 11 ✅ Excessive (>10)
API keys found 2+
Bearer token 1
HTTPS ❌ No

Scoring:

Structure Score:
- Images without alt (2×5): -10
- Inline scripts (1×3): -3
- Meta desc missing: -10
- Viewport missing: -5
Score: 100 - 10 - 3 - 10 - 5 = 72

Security Score:
- No HTTPS: -30
- API keys (20): -20
- Excessive scripts: -15
- Inline scripts (2): -4
- Exposed tokens (15): -15
Score: 100 - 30 - 20 - 15 - 4 - 15 = 16

Overall: (72 + 16) / 2 = 44 → High Risk 🔴

🔬 Test Instructions

  1. Open Chrome and navigate to chrome://extensions
  2. Enable Developer mode
  3. Load unpacked: Select DevShield folder
  4. Open test-page.html in Chrome
  5. Click DevShield extension icon
  6. Verify scores match expected values above

Manual Verification:

  • Structure Score should be ~92
  • Security Score should be ~33
  • Overall Score should be ~63 (Moderate)
  • Should detect: 1 image without alt, HTTP, inline script, API key pattern