-
-
Notifications
You must be signed in to change notification settings - Fork 420
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tests for error based sql injection #450
Closed
13Anthony
wants to merge
3
commits into
SasanLabs:master
from
13Anthony:Tests-for-errorBasedSQLInjection
Closed
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
108 changes: 108 additions & 0 deletions
108
...ain/java/org/sasanlabs/service/vulnerability/sampleVulnerability/SampleVulnerability.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,108 @@ | ||
package org.sasanlabs.service.vulnerability.sampleVulnerability; | ||
|
||
import org.sasanlabs.internal.utility.LevelConstants; | ||
import org.sasanlabs.internal.utility.Variant; | ||
import org.sasanlabs.internal.utility.annotations.AttackVector; | ||
import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping; | ||
import org.sasanlabs.internal.utility.annotations.VulnerableAppRestController; | ||
import org.sasanlabs.service.vulnerability.bean.GenericVulnerabilityResponseBean; | ||
import org.sasanlabs.vulnerability.types.VulnerabilityType; | ||
import org.springframework.http.ResponseEntity; | ||
import org.springframework.web.bind.annotation.RequestParam; | ||
|
||
/** | ||
* This is a sample vulnerability for helping developers in adding a new Vulnerability for | ||
* VulnerableApp | ||
* | ||
* @author KSASAN [email protected] | ||
*/ | ||
/** | ||
* {@code VulnerableAppRestController} annotation is similar to {@link | ||
* org.springframework.stereotype.Controller} Annotation | ||
*/ | ||
@VulnerableAppRestController( | ||
/** | ||
* "descriptionLabel" parameter of annotation is i18n label stored in {@link | ||
* /VulnerableApp/src/main/resources/i18n/}. This descriptionLabel | ||
* will be shown in the UI as the description of the Vulnerability. It helps students to | ||
* learn about the vulnerability and can also include some of the useful references etc. | ||
*/ | ||
descriptionLabel = "SAMPLE_VULNERABILITY", | ||
/** | ||
* "value" parameter of annotation is used to create the request mapping. e.g. for the below | ||
* parameter value, /VulnerableApp/SampleVulnerability will be created as URI Path. | ||
*/ | ||
value = "SampleVulnerability") | ||
public class SampleVulnerability { | ||
|
||
/** | ||
* {@code AttackVector} annotation is used to create the Hints section in the User Interface. | ||
* This annotation can be mentioned multiple times in case the same vulnerability level | ||
*/ | ||
@AttackVector( | ||
/** | ||
* "vulnerabilityExposed" parameter is used to depict the Vulnerability exposed by the | ||
* level. For example say a level is exposing SQL_INJECTION. | ||
*/ | ||
vulnerabilityExposed = VulnerabilityType.SAMPLE_VULNERABILITY, | ||
/** | ||
* "description" parameter of annotation is i18n label stored in {@link | ||
* /VulnerableApp/src/main/resources/i18n/}. This description | ||
* will be shown in the UI as hint to give some indication on how the level is handling | ||
* input to help user to crack the level. | ||
*/ | ||
description = "SAMPLE_VULNERABILITY_USER_INPUT_HANDLING_INJECTION", | ||
|
||
/** | ||
* "payload" parameter of annotation is i18n label stored in {@link | ||
* /VulnerableApp/src/main/resources/attackvectors/*.properties}. This payload will be | ||
* shown in UI to help users find/exploit the vulnerability | ||
*/ | ||
payload = "NOT_APPLICABLE") | ||
/** | ||
* This annotation is similar to {@link RequestMapping} SpringBoot annotation. It will map the | ||
* endpoint to /VulnerableApp/SampleVulnerability/LEVEL_1 where LEVEL_1 is coming from the value | ||
* parameter. | ||
*/ | ||
@VulnerableAppRequestMapping( | ||
/** | ||
* "value" parameter is used to map the level to URI path | ||
* /VulnerableApp/SampleVulnerability/${value}. | ||
*/ | ||
value = LevelConstants.LEVEL_1, | ||
|
||
/** | ||
* "htmlTemplate" is used to load the UI for the level for taking input from the user. | ||
* It points to files in directory | ||
* src/main/resource/static/templates/${VulnerabilityName} e.g. | ||
* src/main/resource/static/templates/SampleVulnerability as ${htmlTemplate}.js, | ||
* ${htmlTemplate}.css, ${htmlTemplate}.html. e.g. in this case it will be: | ||
* src/main/resource/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability_Level1.js | ||
* etc | ||
* | ||
* <p>CSS, JS and HTML are all loaded to render the UI. | ||
*/ | ||
htmlTemplate = "LEVEL_1/SampleVulnerability") | ||
public GenericVulnerabilityResponseBean<String> sampleUnsecuredLevel(@RequestParam("name") String key) { | ||
/** Add Business logic here */ | ||
return new GenericVulnerabilityResponseBean<>("Not Implemented", true); | ||
} | ||
|
||
/** For secured level there is no need for {@link AttackVector} annotation. */ | ||
@VulnerableAppRequestMapping( | ||
value = LevelConstants.LEVEL_2, | ||
|
||
// Can reuse the same UI template in case it doesn't change between levels | ||
htmlTemplate = "LEVEL_1/SampleVulnerability", | ||
/** | ||
* "variant" parameter defines whether the level is secure or not and same is depicted | ||
* in the UI as a closed lock and open lock icon. Default value of the variant is | ||
* UNSECURE so in case a secure level is added, please add the variant as {@link | ||
* Variant#SECURE} | ||
*/ | ||
variant = Variant.SECURE) | ||
public GenericVulnerabilityResponseBean<String> sampleSecuredLevel(@RequestParam("name") String key) { | ||
/** Add Business logic here */ | ||
return new GenericVulnerabilityResponseBean<>("Not Implemented", true); | ||
} | ||
} |
16 changes: 16 additions & 0 deletions
16
src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.css
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
#SampleVulnerability { | ||
color: black; | ||
text-align: center; | ||
} | ||
|
||
#fetchDetails { | ||
background: blueviolet; | ||
display: inline-block; | ||
padding: 8px 8px; | ||
margin: 10px; | ||
border: 2px solid transparent; | ||
border-radius: 3px; | ||
transition: 0.2s opacity; | ||
color: #FFF; | ||
font-size: 12px; | ||
} |
9 changes: 9 additions & 0 deletions
9
src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
<div id="SampleVulnerability"> | ||
<div> | ||
<div id="level_info"> | ||
This is a Sample Vulnerability. please add the UI components here. | ||
</div> | ||
<button id=fetchDetails>Click Here</button> | ||
<div id="response"></div> | ||
</div> | ||
</div> |
23 changes: 23 additions & 0 deletions
23
src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
function addingEventListenerToFetchData() { | ||
document | ||
.getElementById("fetchDetails") | ||
.addEventListener("click", function () { | ||
/** | ||
* getUrlForVulnerabilityLevel() method provides url to call the Vulnerability Level | ||
* of Sample Vulnerability. | ||
* e.g. /VulnerableApp/SampleVulnerability/LEVEL_1 for LEVEL_1 | ||
*/ | ||
let url = getUrlForVulnerabilityLevel(); | ||
/** | ||
* doGetAjaxCall() method is used to do the ajax get call to the Vulnerability Level | ||
*/ | ||
doGetAjaxCall(fetchDataCallback, url + "?name=dummyInput", true); | ||
}); | ||
} | ||
// Used to register event on the button or any other component | ||
addingEventListenerToFetchData(); | ||
|
||
//Callback function to handle the response and render in the UI | ||
function fetchDataCallback(data) { | ||
document.getElementById("response").innerHTML = data.content; | ||
} |
143 changes: 143 additions & 0 deletions
143
...sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerabilityTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,143 @@ | ||
package org.sasanlabs.service.vulnerability.sqlInjection; | ||
|
||
import org.junit.jupiter.api.BeforeEach; | ||
import org.junit.jupiter.api.Test; | ||
import org.mockito.Mockito; | ||
import org.sasanlabs.vulnerability.utils.Constants; | ||
import org.springframework.http.HttpStatus; | ||
import org.springframework.http.ResponseEntity; | ||
import org.springframework.jdbc.core.JdbcTemplate; | ||
import org.springframework.jdbc.core.PreparedStatementCreator; | ||
import org.springframework.jdbc.core.PreparedStatementSetter; | ||
import org.springframework.jdbc.core.ResultSetExtractor; | ||
|
||
import java.util.Collections; | ||
import java.util.HashMap; | ||
import java.util.Map; | ||
|
||
import static org.junit.jupiter.api.Assertions.assertEquals; | ||
import static org.mockito.ArgumentMatchers.any; | ||
import static org.mockito.ArgumentMatchers.anyString; | ||
import static org.mockito.Mockito.doReturn; | ||
import static org.mockito.Mockito.eq; | ||
import static org.mockito.Mockito.verify; | ||
|
||
class ErrorBasedSQLInjectionVulnerabilityTest { | ||
|
||
private ErrorBasedSQLInjectionVulnerability errorBasedSQLInjectionVulnerability; | ||
private JdbcTemplate template; | ||
|
||
@BeforeEach | ||
void setUp() { | ||
template = Mockito.mock(JdbcTemplate.class); | ||
|
||
// Mock database | ||
doReturn(null) | ||
.when(template) | ||
.query(anyString(), (ResultSetExtractor<?>) any()); | ||
doReturn(null) | ||
.when(template) | ||
.query( | ||
anyString(), | ||
(PreparedStatementSetter) any(), | ||
(ResultSetExtractor<?>) any()); | ||
|
||
errorBasedSQLInjectionVulnerability = new ErrorBasedSQLInjectionVulnerability(template); | ||
} | ||
|
||
@Test | ||
void doesCarInformationExistsLevel1_ExpectParamEscaped() { | ||
// Act | ||
final Map<String, String> queryParams = Collections.singletonMap("id", "1"); | ||
errorBasedSQLInjectionVulnerability.doesCarInformationExistsLevel1(queryParams); | ||
|
||
// Assert | ||
verify(template) | ||
.query( | ||
eq("select * from cars where id=1"), | ||
(ResultSetExtractor<?>) any()); | ||
} | ||
|
||
@Test | ||
void doesCarInformationExistsLevel2_ExpectParamEscaped() { | ||
// Act | ||
final Map<String, String> queryParams = Collections.singletonMap("id", "1"); | ||
errorBasedSQLInjectionVulnerability.doesCarInformationExistsLevel2(queryParams); | ||
|
||
// Assert | ||
verify(template) | ||
.query( | ||
eq("select * from cars where id='1'"), | ||
(ResultSetExtractor<?>) any()); | ||
} | ||
|
||
@Test | ||
void doesCarInformationExistsLevel3_ExpectParamEscaped() { | ||
// Act | ||
final Map<String, String> queryParams = Collections.singletonMap("id", "1'"); | ||
errorBasedSQLInjectionVulnerability.doesCarInformationExistsLevel3(queryParams); | ||
|
||
// Assert | ||
verify(template) | ||
.query( | ||
eq("select * from cars where id='1'"), | ||
(ResultSetExtractor<?>) any()); | ||
} | ||
|
||
@Test | ||
void doesCarInformationExistsLevel4_ExpectValidResponse() { | ||
// Arrange | ||
Map<String, String> queryParams = new HashMap<>(); | ||
queryParams.put(Constants.ID, "1'"); | ||
|
||
// Mock the response entity | ||
ResponseEntity<String> mockResponseEntity = ResponseEntity.status(HttpStatus.OK).body("Sample response"); | ||
doReturn(mockResponseEntity) | ||
.when(template) | ||
.query( | ||
Mockito.any(PreparedStatementCreator.class), | ||
Mockito.any(PreparedStatementSetter.class), | ||
Mockito.any(ResultSetExtractor.class)); | ||
|
||
// Act | ||
ResponseEntity<String> response = errorBasedSQLInjectionVulnerability.doesCarInformationExistsLevel4(queryParams); | ||
|
||
// Assert | ||
assertEquals(HttpStatus.OK, response.getStatusCode()); | ||
assertEquals("Sample response", response.getBody()); | ||
verify(template) | ||
.query( | ||
Mockito.any(PreparedStatementCreator.class), | ||
Mockito.any(PreparedStatementSetter.class), | ||
Mockito.any(ResultSetExtractor.class)); | ||
} | ||
|
||
@Test | ||
void doesCarInformationExistsLevel5_ExpectValidResponse() { | ||
// Arrange | ||
Map<String, String> queryParams = new HashMap<>(); | ||
queryParams.put(Constants.ID, "1"); | ||
|
||
// Mock the response entity | ||
ResponseEntity<String> mockResponseEntity = ResponseEntity.status(HttpStatus.OK).body("Sample response"); | ||
doReturn(mockResponseEntity) | ||
.when(template) | ||
.query( | ||
Mockito.any(PreparedStatementCreator.class), | ||
Mockito.any(PreparedStatementSetter.class), | ||
Mockito.any(ResultSetExtractor.class)); | ||
|
||
// Act | ||
ResponseEntity<String> response = errorBasedSQLInjectionVulnerability.doesCarInformationExistsLevel5(queryParams); | ||
|
||
// Assert | ||
assertEquals(HttpStatus.OK, response.getStatusCode()); | ||
assertEquals("Sample response", response.getBody()); | ||
verify(template) | ||
.query( | ||
Mockito.any(PreparedStatementCreator.class), | ||
Mockito.any(PreparedStatementSetter.class), | ||
Mockito.any(ResultSetExtractor.class)); | ||
} | ||
|
||
} |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please don't checkin sample vulnerability related files. Check in only the test file.