This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

A dead simple demonstration of SQL injection in an SQLite database


1   thanos


http://imgs.xkcd.com/comics/exploits_of_a_mom.png
Author: Tasdik Rahman

2   About


A little taste of what can happen when you build your query strings by formatting user-supplied arguments straight into the SQL.

We will be using a GUI as the interface between the user and the database, try out different malicious input strings, and see whether we can access the database.

NOTE: the two versions of the demo live on separate branches.

Vulnerable (demo) version    Mitigated version
thanos/vulnerable            thanos/input-validation

2.1   Plan of action

  • [✓] Test for SQL Injection vulnerabilities
  • [✓] Test for Input validation techniques
  • [✓] Suggest fixes to the vulnerabilities found (if any)
  • [✓] Making the GUI using tkinter
  • [ ] Writing testcases

2.2   Mitigation techniques

  • [✓] Validating email entered by using custom regex
  • [✓] Replacing the string-formatted SQL constructs in the code with the sqlite3 module's parameter substitution (`?` placeholders), so user input is bound as data rather than spliced into the query text
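The two mitigations above, side by side with the string-formatted login they replace, as an added example (this is not the repository's own code). The table contents are copied from the demo below; the function names, the `EMAIL_RE` pattern and the in-memory database are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory copy of the users table from sare_log.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT, name TEXT, serial_no INTEGER, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("admin@gmail.com", "Admin", 1, "admin123"),
        ("foo@outlook.com", "bar", 2, "foo123"),
        ("john@yahoo.com", "doe", 3, "john123"),
    ])
    return conn


def login_vulnerable(conn, email, password):
    """Vulnerable branch: %-formatting turns user input into SQL syntax."""
    query = "SELECT name FROM users WHERE email = '%s' AND password = '%s'" % (
        email, password)
    row = conn.execute(query).fetchone()
    return row[0] if row else None


# Assumed custom email regex, standing in for the one on the input-validation branch.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def login_safe(conn, email, password):
    """Mitigated branch: validate the email shape, then let sqlite3 bind the values."""
    if not EMAIL_RE.match(email):
        return None  # a quote or SQL fragment never matches the email pattern
    row = conn.execute(
        "SELECT name FROM users WHERE email = ? AND password = ?",
        (email, password),  # bound as literals; never parsed as SQL
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # closes the quoted literal and adds a tautology
    print(login_vulnerable(db, "admin@gmail.com", "admin123"))  # Admin
    print(login_vulnerable(db, "admin@gmail.com", payload))     # Admin: password check bypassed
    print(login_safe(db, "admin@gmail.com", payload))           # None: payload is just a wrong password
    print(login_safe(db, payload, "x"))                         # None: rejected by the email regex
```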

3   DEMO

NOTE: This is the secure version of the demo. Refer to the vulnerable one here.

The database has the following user credentials in it:

tasdik at Acer in ~/Dropbox/projects/thanos on input-validation
$ sqlite3 sare_log.db
-- Loading resources from /home/tasdik/.sqliterc

SQLite version 3.9.2 2015-11-02 18:31:45
Enter ".help" for usage hints.
sqlite> select * from users;
email            name        serial_no   password
---------------  ----------  ----------  ----------
admin@gmail.com  Admin       1           admin123
foo@outlook.com  bar         2           foo123
john@yahoo.com   doe         3           john123
sqlite>

When you enter correct user credentials that exist in the database, the login succeeds.

If wrong user details are entered, the login fails. Notice that the SQL statements in the input don't get executed.

SQL injection anybody?

The threat was mitigated: the malicious SQL query was never executed, because the input was bound as a plain value instead of being spliced into the query.

4   Running it


Urm. So how do I run it?

4.1   Installing the dependencies

I prefer to use virtual environments to keep the global Python interpreter clutter-free, but you are free to do a system-wide install of the dependencies.

You should have `make` installed on your system.

$ git clone https://github.com/prodicus/thanos && cd thanos
$ make install

If `make install` gives you an error, try this:

$ pip install -r requirements.txt

4.2   Running it!

$ make run

Cleaning it up

$ make clean

4.3   When in doubt

$ make help

5   FAQ


5.1   Okay, But what does it do?

  • So there's this database called sare_log.db (which translates to all_people in English). We have some user details stored inside this database.
  • We try to exploit the database, testing for some common weaknesses:
      – SQL injection
      – missing input validation
  • More to come

5.2   Will I be able to run it on my PC?

I have tested this on Mac and Linux based systems so far.

5.3   What's with the name?

Nothing! It's just that I read a lot of Marvel comics.

5.4   The code looks messy!

Well, so does your mom!

Jokes apart. As I said, this is still a work in progress.

6   Contributing


Refer CONTRIBUTING.rst

6.1   Issues


This project is still a work in progress, so feel free to make a PR or give suggestions by creating an issue.

6.2   Contributors


Built with ♥ and after a lot of marshmallows by

7   Legal Stuff


Built and maintained by Tasdik Rahman, released under the MIT License. See the bundled LICENSE file for more details.
