- 1 thanos
- 2 About
- 3 DEMO
- 4 Running it
- 5 FAQ
- 6 Contributing
- 7 Legal Stuff
A little taste of what can happen when you pass parameterized arguments in your query strings.
Will be using a GUI as an interface between the user and the database and try out different vulnerable strings and see if we can acess the database
|Vulnerabilities (demo)||mitigated version|
2.1 Plan of action
- [✓] Test for
- [✓] Test for
- [✓] Suggest fixes to the vulnerabilities found(if any)
- [✓] making the GUI using tkinter
- [ ] Writing testcases
2.2 Mitigation techniques
- [✓] Validating email entered by using custom regex
- [✓] Replacing the parameterized
SQL constructsin the code and replace it with pythonic API
NOTE This is the secure version of the demo. Refer the vulnerable one here
The database has the following user credentials in it
tasdik at Acer in ~/Dropbox/projects/thanos on input-validation $ sqlite3 sare_log.db -- Loading resources from /home/tasdik/.sqliterc SQLite version 3.9.2 2015-11-02 18:31:45 Enter ".help" for usage hints. sqlite> select * from users; email name serial_no password --------------- ---------- ---------- ---------- email@example.com Admin 1 admin123 firstname.lastname@example.org bar 2 foo123 email@example.com doe 3 john123 sqlite>
When you enter correct user credentials which are there in the database.
If a wrong user details are entered. Notice that the SQL statements don't get executed
SQL injection anybody?
The threat was mitigated as the malicious SQL query was not executed
4 Running it
Urm. So how do I run it?
4.1 Installing the dependencies
I prefer to use virtual environments for keeping the global
python interpreter clutter free. But you are free to do a system wide install for the dependencies.
You should have `make` installed on your system.
$ git clone https://github.com/prodicus/thanos && cd thanos $ make install
make install gives you an error. Try this
$ pip install -r requirements.txt
4.2 Running it!
$ make run
Cleaning it up
$ make clean
4.3 When in doubt
$ make help
5.1 Okay, But what does it do?
- So there's this database called
sare_log.db, (which translates to
all_peoplein english). We have some users details stored inside this database.
- We try to exploit the database testing for some common vulnerabilities like - SQL injection - input validation
- More to come
5.2 Will I be able to run it on my PC?
I have tested this on MAC and Linux based systems currently
5.3 What's with the name?
Nothing! It's just that I read a lot of Marvel comics.
5.4 The code looks messy!
Well, so does your mom!
Jokes apart. As I said, this is still a work in progress.
This project is still work in progress so feel free to make PR or give suggestions by creating an issue