@nxvl nxvl (Owner) commented Jul 6, 2019

Testing

Testing for SQL injections is a tedious job; it's mostly done by hand or using special scanners, like web scanners or SAST/DAST tools. For this chapter we will be writing a very simple fuzzer function and creating unit tests that use it in order to test for injections.

The fuzzer helper looks like this:

import pytest

# psycopg2 raises its own SyntaxError subclass when the database rejects the
# statement; alias it so the builtin SyntaxError is not shadowed.
from psycopg2.errors import SyntaxError as PgSyntaxError


def sqli_fuzzer(client, url, params):
    """Post each injection probe in each parameter and fail the test if the
    database reports a syntax error, which means the input reached the query
    unescaped."""
    fail = False
    injections = ["'"]
    for injection in injections:
        for param in params:
            # Benign value for every field, the probe only in the field under test.
            data = {k: 'foo' for k in params}
            data[param] = injection
            try:
                client.post(url, data=data)
            except PgSyntaxError:
                print('You seems to have an SQLi in %s for param %s' % (url, param))
                fail = True

    if fail:
        pytest.fail('Seems you are vulnerable to SQLi attacks')

After running pytest --tb=short we get:

============================= test session starts ==============================
platform linux -- Python 3.5.3, pytest-5.0.1, py-1.8.0, pluggy-0.12.0
rootdir: {...}
collected 1 item

tests/test_listings.py F                                                 [100%]

=================================== FAILURES ===================================
_________________________________ test_create __________________________________
tests/test_listings.py:6: in test_create
    sqli_fuzzer(client, '/listings/create', ['title', 'description'])
tests/helpers/sqlifuzzer.py:19: in sqli_fuzzer
    pytest.fail('Seems you are vulnerable to SQLi attacks')
E   Failed: Seems you are vulnerable to SQLi attacks
----------------------------- Captured stdout call -----------------------------
INSERT INTO listings (title, description) VALUES (''', 'foo')
You seems to have an SQLi in /listings/create for param title
INSERT INTO listings (title, description) VALUES ('foo', ''')
You seems to have an SQLi in /listings/create for param description
=========================== 1 failed in 0.32 seconds ===========================
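The fuzzer above only works against a live PostgreSQL-backed app. The following is an added, self-contained example (not code from this pull request) that shows the same crash-based detection idea end to end against an in-memory SQLite database: a hypothetical handler that builds the INSERT with string formatting sits next to one that uses bound parameters, and the fuzzer reports which (parameter, probe) pairs produced a database syntax error. The handler names, the `listings` table and the probe list are constructed for the example; SQLite has no separate syntax-error class, so `sqlite3.OperationalError` stands in for `psycopg2.errors.SyntaxError`. It also illustrates a limit of this technique that the page's single `'` probe does not show: a probe that does not break the quoting of the particular query (here `"` inside single-quoted literals) is stored successfully and goes undetected.

```python
import sqlite3
from typing import Callable, Dict, List, Tuple

# Constructed probes: a single quote, a double quote and a quote-plus-paren.
# Each one breaks the quoting of a query built by string formatting only if
# the probe character matches the quoting the query actually uses.
PROBES = ["'", '"', "')"]

Handler = Callable[[sqlite3.Connection, Dict[str, str]], None]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with the table the handlers write to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (title TEXT, description TEXT)")
    return conn


def create_listing_vulnerable(conn: sqlite3.Connection, data: Dict[str, str]) -> None:
    # Hypothetical defect: user input is interpolated straight into the SQL
    # text, so a stray quote changes the statement the database parses.
    sql = "INSERT INTO listings (title, description) VALUES ('%s', '%s')" % (
        data["title"], data["description"])
    conn.execute(sql)


def create_listing_safe(conn: sqlite3.Connection, data: Dict[str, str]) -> None:
    # Hardened form: values travel as bound parameters, never as SQL text.
    conn.execute(
        "INSERT INTO listings (title, description) VALUES (?, ?)",
        (data["title"], data["description"]),
    )


def sqli_fuzz(handler: Handler, conn: sqlite3.Connection,
              params: List[str], probes: List[str] = PROBES) -> List[Tuple[str, str]]:
    """Send each probe through each parameter and return the (param, probe)
    pairs for which the database raised a syntax-level error."""
    findings = []
    for probe in probes:
        for param in params:
            # Benign value everywhere, the probe only in the field under test.
            data = {k: "foo" for k in params}
            data[param] = probe
            try:
                handler(conn, data)
            except sqlite3.OperationalError as exc:
                # sqlite3 reports unterminated strings and misplaced tokens as
                # OperationalError; reaching the parser at all is the finding.
                findings.append((param, probe))
                print("Possible SQLi via %r with probe %r: %s" % (param, probe, exc))
    return findings


def assert_no_sqli(handler: Handler, params: List[str]) -> None:
    """Test-suite wrapper: fail the test if the fuzzer reports anything."""
    findings = sqli_fuzz(handler, make_db(), params)
    if findings:
        raise AssertionError("Seems you are vulnerable to SQLi attacks: %r" % findings)


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM listings").fetchone()[0]


if __name__ == "__main__":
    params = ["title", "description"]
    print("vulnerable:", sqli_fuzz(create_listing_vulnerable, make_db(), params))
    print("safe:      ", sqli_fuzz(create_listing_safe, make_db(), params))
```

Run as a script it lists four findings for the vulnerable handler (both fields, for the `'` and `')` probes) and none for the parameterized one; the `"` probe is stored as a literal value by both and is therefore invisible to a crash-based fuzzer, which is why this kind of test complements rather than replaces parameterized queries and code review.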
