sql.py

Aug 9th, 2023
128
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
import os
import unittest
import urllib.parse

import requests

import ejs
import httpConstants
  5.  
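# Base URL of the proxy under test for the plain test_* functions below.
# Overridable through PROXY_URL so the placeholder host does not have to be
# edited in place.  Note that the TestSafeRequests class targets `proxy_url`
# (built from config.proxyPort further down) instead, so the safe tests and
# the injection tests can end up hitting different proxies unless the two
# are kept in sync.
proxyUrl = os.environ.get("PROXY_URL", "http://ur-proxy")

# Detection fixtures the injection tests compare the proxy's reply against.
# Both are placeholders: with template == "" and an empty description, the
# injection tests effectively assert that the proxy's reported "message" is
# the empty string.  Populate them from the proxy's real pattern list before
# treating those tests as evidence that injections are caught.
template = ""
patterns = [{"description": ""}]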
  11.  
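# Benign credentials used by every "safe" request; they contain no quote,
# comment marker or boolean operator that an injection filter could trip on.
SAFE_BODY = {
    "username": "tom",
    "password": "jones",
}
# The same pair as a query string, derived from SAFE_BODY so the GET/DELETE
# tests and the POST/PUT tests cannot drift apart.
SAFE_QUERY_STRING = "?" + urllib.parse.urlencode(SAFE_BODY)

# The same login with a classic tautology appended to the password.  Whether
# the proxy flags it depends on its pattern list (see `patterns`); note that
# the GET/DELETE injection tests inline a different tautology ("OR 1=1").
MALICIOUS_BODY = {
    "username": "tom",
    "password": "jones' OR 5=5",
}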
  21.  
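# `config` is used here but the file never imports it, so the module raised
# NameError at import time before any test could run.  Assumed to be the
# project's settings module (the only thing the original referenced by that
# name) — TODO confirm.
import config

# Base URL used by the TestSafeRequests class.  The plain test_* functions
# use `proxyUrl` instead; if the two differ, the safe tests and the injection
# tests are not exercising the same proxy.
proxy_url = "http://localhost:" + str(config.proxyPort)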
  23.  
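class TestSafeRequests(unittest.TestCase):
    """Requests that carry no injection payload must pass through the proxy.

    Each case expects the proxied backend's normal reply: HTTP 200, a
    Content-Type header matching the JSON regex and a non-empty body.  A
    failure here means the proxy is blocking or rewriting benign traffic
    (a false positive), which is as much a bug as a missed injection.
    All cases target `proxy_url` (built from config.proxyPort); the plain
    test_* functions further down in the file use `proxyUrl` instead.
    """

    # Upper bound on each request so an unresponsive proxy fails the test
    # instead of stalling the whole run; the original calls had no timeout.
    REQUEST_TIMEOUT = 10

    def _assert_passed_through(self, response):
        """Assert that `response` is a normal JSON 200 reply, not a block page."""
        self.assertEqual(response.status_code, httpConstants.responseCodes.HTTP_SUCCESS_OK)
        # Presence first, so a missing header fails as an assertion rather
        # than as a KeyError on the lookup below.
        self.assertIn(httpConstants.headers.HEADER_KEY_CONTENT, response.headers)
        self.assertRegex(
            response.headers[httpConstants.headers.HEADER_KEY_CONTENT],
            httpConstants.headers.HEADER_VALUE_JSON_REGEX,
        )
        self.assertNotEqual(response.text, "")

    def test_safe_get_no_params(self):
        """GET with neither query string nor body."""
        response = requests.get(proxy_url + "/default", timeout=self.REQUEST_TIMEOUT)
        self._assert_passed_through(response)

    def test_safe_get_with_params(self):
        """GET carrying the benign credentials in the query string."""
        response = requests.get(
            proxy_url + "/default" + SAFE_QUERY_STRING, timeout=self.REQUEST_TIMEOUT
        )
        self._assert_passed_through(response)

    def test_safe_delete_with_params(self):
        """DELETE carrying the benign credentials in the query string."""
        response = requests.delete(
            proxy_url + "/default" + SAFE_QUERY_STRING, timeout=self.REQUEST_TIMEOUT
        )
        self._assert_passed_through(response)

    def test_safe_post_no_body(self):
        """POST with an empty body."""
        response = requests.post(proxy_url + "/default", timeout=self.REQUEST_TIMEOUT)
        self._assert_passed_through(response)

    def test_safe_post_with_body(self):
        """POST carrying the benign credentials as a JSON body."""
        response = requests.post(
            proxy_url + "/default", json=SAFE_BODY, timeout=self.REQUEST_TIMEOUT
        )
        self._assert_passed_through(response)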
  60.  
def test_safe_PUT():
    """A benign JSON PUT passes through: 200, JSON Content-Type, non-empty body."""
    resp = requests.put(f"{proxyUrl}/default", json=SAFE_BODY)
    codes = httpConstants.responseCodes
    hdrs = httpConstants.headers
    assert resp.status_code == codes.HTTP_SUCCESS_OK
    # Presence first, so a missing header is an assertion failure, not a KeyError.
    assert hdrs.HEADER_KEY_CONTENT in resp.headers
    assert hdrs.HEADER_VALUE_JSON_REGEX.match(resp.headers[hdrs.HEADER_KEY_CONTENT])
    assert len(resp.text) > 0
  67.  
def test_GET_resource_not_found():
    """An unknown path is answered with 404 rather than blocked or rewritten."""
    target = f"{proxyUrl}/someNonexistentEndpoint"
    resp = requests.get(target)
    expected = httpConstants.responseCodes.HTTP_NOT_FOUND
    assert resp.status_code == expected
  71.  
def test_GET_server_error():
    """A backend 500 is relayed with its status and a non-empty body.

    NOTE(review): the body is only checked for being non-empty.  If the proxy
    forwards backend error pages verbatim, consider also asserting that no
    stack trace or SQL text reaches the client.
    """
    resp = requests.get(f"{proxyUrl}/server_error")
    codes = httpConstants.responseCodes
    assert resp.status_code == codes.HTTP_INTERNAL_SERVER_ERROR
    assert len(resp.text) > 0
  76.  
def test_basic_injection_GET():
    """A tautology in a GET query parameter must be intercepted.

    The proxy is expected to answer 200 with a text (not JSON) body equal to
    the rendered `template` for the first detection pattern.
    NOTE(review): with `template` and `patterns` left as the empty placeholders
    at the top of the file, this compares against an empty render.  This is
    also the only injection test expecting a text reply — the POST, PUT and
    DELETE variants expect JSON — and its payload ("OR 1=1") differs from
    MALICIOUS_BODY ("OR 5=5"); confirm both against the proxy's behaviour.
    """
    injected = {"username": "tom", "password": "jones' OR 1=1"}
    resp = requests.get(f"{proxyUrl}/default", params=injected)
    hdrs = httpConstants.headers
    assert resp.status_code == httpConstants.responseCodes.HTTP_SUCCESS_OK
    assert hdrs.HEADER_KEY_CONTENT in resp.headers
    assert hdrs.HEADER_VALUE_TEXT_REGEX.match(resp.headers[hdrs.HEADER_KEY_CONTENT])
    expected = ejs.render(template, {"description": patterns[0]["description"]})
    assert resp.text == expected
  83.  
def test_basic_injection_POST():
    """A tautology in a POST body must be intercepted and reported as JSON.

    NOTE(review): the request declares HEADER_VALUE_FORM as its Content-Type
    but is sent with `json=`, so the wire body is JSON-encoded while the
    header says otherwise (requests does not override an explicitly supplied
    Content-Type).  If the intent is a form-encoded injection, send
    `data=MALICIOUS_BODY`; if the mismatch is a deliberate evasion case,
    state that here so nobody "fixes" it.
    """
    hdrs = httpConstants.headers
    declared = {hdrs.HEADER_KEY_CONTENT: hdrs.HEADER_VALUE_FORM}
    resp = requests.post(f"{proxyUrl}/default", headers=declared, json=MALICIOUS_BODY)
    assert resp.status_code == httpConstants.responseCodes.HTTP_SUCCESS_OK
    assert hdrs.HEADER_KEY_CONTENT in resp.headers
    assert hdrs.HEADER_VALUE_JSON_REGEX.match(resp.headers[hdrs.HEADER_KEY_CONTENT])
    reported = resp.json()["message"]
    assert reported == patterns[0]["description"]
  90.  
def test_basic_injection_PUT():
    """A tautology in a PUT body must be intercepted and reported as JSON.

    NOTE(review): same Content-Type/body mismatch as the POST case — the
    header announces HEADER_VALUE_FORM while `json=` sends a JSON body.
    Use `data=MALICIOUS_BODY` for a genuine form-encoded injection, or
    document the mismatch as intentional.
    """
    hdrs = httpConstants.headers
    declared = {hdrs.HEADER_KEY_CONTENT: hdrs.HEADER_VALUE_FORM}
    resp = requests.put(f"{proxyUrl}/default", headers=declared, json=MALICIOUS_BODY)
    assert resp.status_code == httpConstants.responseCodes.HTTP_SUCCESS_OK
    assert hdrs.HEADER_KEY_CONTENT in resp.headers
    assert hdrs.HEADER_VALUE_JSON_REGEX.match(resp.headers[hdrs.HEADER_KEY_CONTENT])
    reported = resp.json()["message"]
    assert reported == patterns[0]["description"]
  97.  
def test_basic_injection_DELETE():
    """A tautology in a DELETE query parameter must be intercepted.

    Unlike the GET variant, which expects a rendered text body, this case
    expects a JSON reply whose "message" is the matched pattern's description.
    NOTE(review): `patterns[0]["description"]` is an empty placeholder at the
    top of the file, so until it is populated this asserts an empty message.
    """
    injected = {"username": "tom", "password": "jones' OR 1=1"}
    resp = requests.delete(f"{proxyUrl}/default", params=injected)
    hdrs = httpConstants.headers
    assert resp.status_code == httpConstants.responseCodes.HTTP_SUCCESS_OK
    assert hdrs.HEADER_KEY_CONTENT in resp.headers
    assert hdrs.HEADER_VALUE_JSON_REGEX.match(resp.headers[hdrs.HEADER_KEY_CONTENT])
    reported = resp.json()["message"]
    assert reported == patterns[0]["description"]
  104.  
def test_safe_GET_with_attributes():
    """Benign numeric path parameters pass through untouched.

    NOTE(review): only well-formed ids are covered; there is no counterpart
    that puts an injection payload in a path segment, so whether the proxy
    inspects path parameters at all is not exercised by this file.
    """
    resp = requests.get(f"{proxyUrl}/customers/7/users/129")
    codes = httpConstants.responseCodes
    hdrs = httpConstants.headers
    assert resp.status_code == codes.HTTP_SUCCESS_OK
    assert hdrs.HEADER_KEY_CONTENT in resp.headers
    assert hdrs.HEADER_VALUE_JSON_REGEX.match(resp.headers[hdrs.HEADER_KEY_CONTENT])
    assert len(resp.text) > 0
  111.  
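def load_tests(loader, standard_tests, pattern):
    """unittest's load_tests hook: also run the plain test_* functions.

    unittest.main() only collects TestCase subclasses, so running this file
    directly would execute TestSafeRequests and silently skip every
    module-level test_* function — including all of the injection tests.
    Wrapping them in FunctionTestCase puts them in the same suite.  Under
    pytest this hook is ignored and the functions are collected as usual.
    """
    plain_tests = [
        obj
        for name, obj in sorted(globals().items())
        if name.startswith("test_") and callable(obj) and not isinstance(obj, type)
    ]
    standard_tests.addTests(unittest.FunctionTestCase(fn) for fn in plain_tests)
    return standard_tests


if __name__ == "__main__":
    unittest.main()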
  114.  