Skip to content
input-validati…
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

README.rst

1   thanos

Build Status percentagecov grade Requirements Status License

http://imgs.xkcd.com/comics/exploits_of_a_mom.png
Author:Tasdik Rahman

2   About

[Back to top]

A little taste of what can happen when you pass parameterized arguments in your query strings.

Will be using a GUI as an interface between the user and the database and try out different vulnerable strings and see if we can acess the database

NOTE:

Vulnerabilities (demo) mitigated version
thanos/vulnerable thanos/input-validation

2.1   Plan of action

  • [✓] Test for SQL Injection vulnerabilities
  • [✓] Test for Input validation techniques
  • [✓] Suggest fixes to the vulnerabilities found(if any)
  • [✓] making the GUI using tkinter
  • [ ] Writing testcases

2.2   Mitigation techniques

  • [✓] Validating email entered by using custom regex
  • [✓] Replacing the parameterized SQL constructs in the code and replace it with pythonic API

3   DEMO

NOTE This is the secure version of the demo. Refer the vulnerable one here

The database has the following user credentials in it

tasdik at Acer in ~/Dropbox/projects/thanos on input-validation
$ sqlite3 sare_log.db
-- Loading resources from /home/tasdik/.sqliterc

SQLite version 3.9.2 2015-11-02 18:31:45
Enter ".help" for usage hints.
sqlite> select * from users;
email            name        serial_no   password
---------------  ----------  ----------  ----------
admin@gmail.com  Admin       1           admin123
foo@outlook.com  bar         2           foo123
john@yahoo.com   doe         3           john123
sqlite>

When you enter correct user credentials which are there in the database.

If a wrong user details are entered. Notice that the SQL statements don't get executed

SQL injection anybody?

The threat was mitigated as the malicious SQL query was not executed

4   Running it

[Back to top]

Urm. So how do I run it?

4.1   Installing the dependencies

I prefer to use virtual environments for keeping the global python interpreter clutter free. But you are free to do a system wide install for the dependencies.

You should have `make` installed on your system.

$ git clone https://github.com/prodicus/thanos && cd thanos
$ make install

If make install gives you an error. Try this

$ pip install -r requirements.txt

4.2   Running it!

$ make run

Cleaning it up

$ make clean

4.3   When in doubt

$ make help

5   FAQ

[Back to top]

5.1   Okay, But what does it do?

  • So there's this database called sare_log.db, (which translates to all_people in english). We have some users details stored inside this database.
  • We try to exploit the database testing for some common vulnerabilities like - SQL injection - input validation
  • More to come

5.2   Will I be able to run it on my PC?

I have tested this on MAC and Linux based systems currently

5.3   What's with the name?

Nothing! It's just that I read a lot of Marvel comics.

5.4   The code looks messy!

Well, so does your mom!

Jokes apart. As I said, this is still a work in progress.

6   Contributing

[Back to top]

Refer CONTRIBUTING.rst

6.1   Issues

[Back to top]

This project is still work in progress so feel free to make PR or give suggestions by creating an issue

6.2   Contributers

[Back to top]

Built with and after a lot of marshmellows by

7   Legal Stuff

[Back to top]

Built and maintained by Tasdik Rahman released under the MIT License. See the bundled LICENSE file for more details.

About

A dead simple demonstration of SQL injection in an SQLite database

Resources

License

Releases

No releases published
You can’t perform that action at this time.