Skip to content

Chapter 2.1: SQL Injection - test#5

Open
nxvl wants to merge 11 commits into2.1-sql-injection/codefrom
2.1-sql-injection/test
Open

Chapter 2.1: SQL Injection - test#5
nxvl wants to merge 11 commits into2.1-sql-injection/codefrom
2.1-sql-injection/test

Conversation

@nxvl
Copy link
Owner

@nxvl nxvl commented Jul 6, 2019

Testing

Testing for SQL injections is a tedious job, it's mostly done by hand or using special scanners, like web scanners or SAST/DAST tools. For this chapter we will be writing a very simple fuzzer function and create unit tests that use them in order to test for injections.

The fuzzer helper looks like this:

import pytest

from psycopg2.errors import SyntaxError

def sqli_fuzzer(client, url, params):
    fail = False
    injections = ["'"]
    for injection in injections:
        for param in params:
            data = {k: 'foo' for k in params}
            data[param] = injection
            try:
                client.post(url, data=data)
            except SyntaxError:
                print('You seems to have an SQLi in %s for param %s' % (url, param))
                fail = True

    if fail:
        pytest.fail('Seems you are vulnerable to SQLi attacks')

After running pytest --tb=short we get:

============================= test session starts ==============================
platform linux -- Python 3.5.3, pytest-5.0.1, py-1.8.0, pluggy-0.12.0
rootdir: {...}
collected 1 item

tests/test_listings.py F                                                 [100%]

=================================== FAILURES ===================================
_________________________________ test_create __________________________________
tests/test_listings.py:6: in test_create
    sqli_fuzzer(client, '/listings/create', ['title', 'description'])
tests/helpers/sqlifuzzer.py:19: in sqli_fuzzer
    pytest.fail('Seems you are vulnerable to SQLi attacks')
E   Failed: Seems you are vulnerable to SQLi attacks
----------------------------- Captured stdout call -----------------------------
INSERT INTO listings (title, description) VALUES (''', 'foo')
You seems to have an SQLi in /listings/create for param title
INSERT INTO listings (title, description) VALUES ('foo', ''')
You seems to have an SQLi in /listings/create for param description
=========================== 1 failed in 0.32 seconds ===========================

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nxvl