#!/bin/bash
#
# GALA-SEC-3: SQL Injection & Input Validation Adversarial Tests
#
# Target: 30-minute focused adversarial test
# Attack Vectors: SQL injection, XSS, NoSQL injection, path traversal, null byte injection
#
# Usage: ./tests/Security/adversarial_injection_tests.sh [--api-base URL]
#
# Results saved to: /tmp/adversarial_injection_results.txt
#

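set -euo pipefail

# Configuration. Both values can be preset from the environment; --api-base
# on the command line overrides API_BASE.
API_BASE="${API_BASE:-http://localhost:8000/api}"
# The default lives in the shared /tmp directory, so the path is predictable
# and the directory is writable by every local user; point RESULTS_FILE
# somewhere private when the output must not be tampered with.
RESULTS_FILE="${RESULTS_FILE:-/tmp/adversarial_injection_results.txt}"
# Tallies maintained by log_test() and reported in the summary.
PASSED=0
FAILED=0
WARNINGS=0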

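# Parse command line args. Diagnostics go to stderr so they do not mix with
# test output when stdout is captured.
while [[ $# -gt 0 ]]; do
    case "$1" in
        --api-base)
            # Check the value explicitly: a trailing "--api-base" would
            # otherwise die with an unbound-variable error from set -u.
            if [[ -z "${2:-}" ]]; then
                echo "Option --api-base requires a URL argument" >&2
                exit 1
            fi
            API_BASE="$2"
            shift 2
            ;;
        --help)
            echo "Usage: $0 [--api-base URL]"
            echo "  --api-base URL    API base URL (default: http://localhost:8000/api)"
            exit 0
            ;;
        *)
            echo "Unknown option: $1" >&2
            exit 1
            ;;
    esac
done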

# ANSI colour escapes for terminal output. They are stored as literal
# backslash sequences and expanded at print time (echo -e / printf %b); the
# results file only ever receives plain text.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # reset to the default colour

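#######################################
# Percent-encode a string for use in a URL path or query component.
# Everything except unreserved characters is encoded (safe=''), so the
# payload reaches the server byte-for-byte. The value is passed via argv
# rather than a here-string so leading/trailing whitespace is preserved
# instead of being stripped.
# Arguments: $1 - raw string
# Outputs:   encoded string on stdout
# Returns:   python3's exit status (non-zero if python3 is unavailable)
#######################################
urlencode() {
    python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=""))' "$1"
}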

# Initialize results file: the header overwrites any previous run's output;
# everything after this point appends to the same file.
{
    printf '%s\n' "========================================================="
    printf '%s\n' "GALA-SEC-3: Adversarial Injection Test Results"
    printf '%s\n' "========================================================="
    printf 'API Base: %s\n' "$API_BASE"
    printf 'Started: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')"
    printf '\n'
} > "$RESULTS_FILE"

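#######################################
# Record one test outcome on stdout and in the results file.
# Test names embed raw payloads, so they are printed with %s: echo -e would
# interpret any backslash sequences inside them and misreport the payload.
# Globals:   RED, GREEN, YELLOW, NC (read); RESULTS_FILE (read);
#            PASSED, FAILED, WARNINGS (incremented)
# Arguments: $1 - test name
#            $2 - status: PASS, FAIL or WARN
#            $3 - optional free-text details
# Outputs:   coloured status line on stdout, plain copy appended to the
#            results file; an unknown status is reported on stderr
# Returns:   0
#######################################
log_test() {
    local test_name="$1"
    local status="$2"
    local details="${3:-}"
    local colour

    case "$status" in
        PASS) colour="$GREEN"; ((PASSED++)) || true ;;
        FAIL) colour="$RED"; ((FAILED++)) || true ;;
        WARN) colour="$YELLOW"; ((WARNINGS++)) || true ;;
        *)
            # Not counted anywhere; make the mistake visible instead of silent.
            printf 'log_test: unknown status "%s" for "%s"\n' "$status" "$test_name" >&2
            return 0
            ;;
    esac

    # %b expands the colour escapes; %s keeps the test name verbatim.
    printf '%b[%s]%b %s\n' "$colour" "$status" "$NC" "$test_name"
    printf '[%s] %s\n' "$status" "$test_name" >> "$RESULTS_FILE"

    if [[ -n "$details" ]]; then
        printf '       Details: %s\n' "$details"
        printf '       Details: %s\n' "$details" >> "$RESULTS_FILE"
    fi
}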

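#######################################
# Classify an HTTP response for indicators of a successful injection.
# Detection is signature-based: "SAFE" means none of the known indicators
# appeared in the body, not that the input was handled correctly.
# Arguments: $1 - response body
#            $2 - HTTP status code
# Outputs:   one of SQLERROR, XSSREFLECTED, PATHTRAVERSAL, SERVERERROR, SAFE
# Returns:   always 0. Every caller captures the verdict with $(...); a
#            non-zero status there would make set -e abort the whole run on
#            the first finding instead of logging it as a FAIL.
#######################################
check_response() {
    local response="$1"
    local http_code="$2"

    # Database error text leaking into the body (case-insensitive).
    if grep -qiE '(SQLSTATE|syntax error|mysql_|sqlite3\.|ORA-[0-9]+|PG::|database error|constraint violation|Unknown column|Table.*doesn.t exist)' <<< "$response"; then
        echo "SQLERROR"
        return 0
    fi

    # Script or event-handler markup reflected back unescaped.
    if grep -qE '<script[^>]*>|javascript:|onerror=|onload=' <<< "$response"; then
        echo "XSSREFLECTED"
        return 0
    fi

    # Contents of sensitive local files (passwd entries, .env keys).
    if grep -qE 'root:x:|/bin/bash|APP_KEY=|DB_PASSWORD=|MAIL_PASSWORD=' <<< "$response"; then
        echo "PATHTRAVERSAL"
        return 0
    fi

    # An unhandled server error is not proof of injection but warrants a look.
    if [[ "$http_code" == "500" ]]; then
        echo "SERVERERROR"
        return 0
    fi

    echo "SAFE"
    return 0
}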

# ==============================================================================
# 1. SQL INJECTION TESTS
# ==============================================================================

# Section banner: on screen and in the results file
printf '\n%s\n%s\n%s\n' \
    "=========================================================" \
    "1. SQL INJECTION TESTS" \
    "========================================================="
{
    printf '\n%s\n' "1. SQL INJECTION TESTS"
    printf '%s\n' "---------------------------------------------------------"
} >> "$RESULTS_FILE"

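# Test 1.1: Event slug SQL injection
echo "Testing: Event slug SQL injection..."

# Pre-encoded SQL injection payloads for event slug (sent verbatim in the path)
declare -a SQL_SLUG_TESTS=(
    "'%20OR%20'1'%3D'1--"
    "';%20DROP%20TABLE%20events;--"
    "'%20UNION%20SELECT%20*%20FROM%20users--"
    "1;%20SELECT%20*%20FROM%20users--"
    "'%20AND%201%3D1--"
    "admin'--"
)

for encoded_payload in "${SQL_SLUG_TESTS[@]}"; do
    label="Event slug SQL injection: $encoded_payload"

    # A transport failure yields an empty body and status "000" instead of
    # aborting the run; the status code is the last line of curl's output.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/events/$encoded_payload" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # check_response reports its verdict on stdout and may return non-zero
    # for findings; without `|| true` set -e would kill the run on the
    # first FAIL instead of logging it.
    result=$(check_response "$body" "$http_code") || true

    case "$result" in
        SAFE)
            log_test "$label" "PASS" "HTTP $http_code, safely handled"
            ;;
        SQLERROR)
            log_test "$label" "FAIL" "SQL error exposed in response"
            ;;
        SERVERERROR)
            log_test "$label" "WARN" "Server error (500) - may indicate vulnerability"
            ;;
        *)
            # Other classifications are outside this test's scope.
            log_test "$label" "PASS" "HTTP $http_code"
            ;;
    esac
done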

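# Test 1.2: Search query SQL injection
echo ""
echo "Testing: Search query SQL injection..."

# Pre-encoded payloads for query-string parameters (shared with Test 1.3)
declare -a SQL_SEARCH_TESTS=(
    "'%20UNION%20SELECT%20*%20FROM%20users--"
    "'%20OR%20'1'%3D'1--"
    "test'%20AND%20SLEEP(1)--"
    "1'%20OR%20EXISTS(SELECT%20*%20FROM%20users)--"
)

for encoded_payload in "${SQL_SEARCH_TESTS[@]}"; do
    label="Search query SQL injection: $encoded_payload"

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/events?search=$encoded_payload" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    case "$result" in
        SAFE)     log_test "$label" "PASS" ;;
        SQLERROR) log_test "$label" "FAIL" "SQL error exposed" ;;
        *)        log_test "$label" "PASS" "HTTP $http_code" ;;
    esac
done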

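# Test 1.3: Filter parameter SQL injection (reuses SQL_SEARCH_TESTS)
echo ""
echo "Testing: Filter parameter SQL injection..."
for encoded_payload in "${SQL_SEARCH_TESTS[@]}"; do
    label="Filter param SQL injection: $encoded_payload"

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/events?status=$encoded_payload" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    case "$result" in
        SAFE)     log_test "$label" "PASS" ;;
        SQLERROR) log_test "$label" "FAIL" "SQL error exposed" ;;
        *)        log_test "$label" "PASS" ;;
    esac
done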

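# Test 1.4: JSON body SQL injection (newsletter subscription)
echo ""
echo "Testing: JSON body SQL injection..."

# Raw payloads; they are JSON-escaped below before being placed in the body
declare -a SQL_JSON_TESTS=(
    "test@test.com' OR '1'='1--"
    "'; DROP TABLE newsletter;--"
    "test@test.com' UNION SELECT password FROM users--"
)

for payload in "${SQL_JSON_TESTS[@]}"; do
    label="JSON body SQL injection: ${payload:0:40}..."

    # Escape backslashes first, then double quotes, so the payload is a
    # valid JSON string value (payloads are single-line; sed works per line).
    json_payload=$(sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' <<< "$payload")
    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" -X POST "$API_BASE/newsletter/subscribe" \
        -H "Content-Type: application/json" \
        -d "{\"email\":\"$json_payload\",\"consent_marketing\":true}" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    # A validation rejection (422/400) is the expected outcome for a
    # malformed email; database error text in the body is the failure.
    if [[ "$http_code" == "422" || "$http_code" == "400" ]]; then
        log_test "$label" "PASS" "Validation rejected (HTTP $http_code)"
    elif [[ "$result" == "SQLERROR" ]]; then
        log_test "$label" "FAIL" "SQL error exposed"
    else
        log_test "$label" "PASS" "HTTP $http_code"
    fi
done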

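# Test 1.5: Numeric ID SQL injection
echo ""
echo "Testing: Numeric ID SQL injection..."

# Pre-encoded payloads aimed at an integer route parameter
declare -a SQL_NUMERIC_TESTS=(
    "1%20OR%201%3D1"
    "1;%20DROP%20TABLE%20events"
    "1%20UNION%20SELECT%20*%20FROM%20users"
    "-1%20OR%201%3D1"
    "1'%20OR%20'1'%3D'1"
)

for encoded_payload in "${SQL_NUMERIC_TESTS[@]}"; do
    label="Numeric ID SQL injection: $encoded_payload"

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/venue/template/$encoded_payload" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    if [[ "$result" == "SQLERROR" ]]; then
        log_test "$label" "FAIL" "SQL error exposed"
    else
        log_test "$label" "PASS" "HTTP $http_code"
    fi
done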

# ==============================================================================
# 2. XSS (CROSS-SITE SCRIPTING) TESTS
# ==============================================================================

# Section banner: on screen and in the results file (file uses the short title)
printf '\n%s\n%s\n%s\n' \
    "=========================================================" \
    "2. XSS (CROSS-SITE SCRIPTING) TESTS" \
    "========================================================="
{
    printf '\n%s\n' "2. XSS TESTS"
    printf '%s\n' "---------------------------------------------------------"
} >> "$RESULTS_FILE"

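# Test 2.1: Event slug XSS reflection
echo ""
echo "Testing: Event slug XSS reflection..."

# Pre-encoded markup payloads for slug routes (shared with Tests 2.3 and 2.4)
declare -a XSS_SLUG_TESTS=(
    "%3Cscript%3Ealert('xss')%3C%2Fscript%3E"
    "%3Cimg%20src%3Dx%20onerror%3Dalert('xss')%3E"
    "%3Ciframe%20src%3D%22javascript:alert('xss')%22%3E%3C%2Fiframe%3E"
    "%3Csvg%20onload%3Dalert('xss')%3E"
    "javascript:alert('xss')"
)

for encoded_payload in "${XSS_SLUG_TESTS[@]}"; do
    label="Event slug XSS: ${encoded_payload:0:30}..."

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/events/$encoded_payload" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    if [[ "$result" == "XSSREFLECTED" ]]; then
        log_test "$label" "FAIL" "Unescaped XSS payload in response"
    else
        log_test "$label" "PASS" "HTTP $http_code, payload not reflected"
    fi
done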

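# Test 2.2: Waitlist submission XSS
echo ""
echo "Testing: Waitlist submission XSS..."

# Raw markup payloads for the full_name field; JSON-escaped below
declare -a XSS_NAME_TESTS=(
    "<script>alert('xss')</script>"
    "<img src=x onerror=alert('xss')>"
    "John<script>alert(1)</script>Doe"
)

for payload in "${XSS_NAME_TESTS[@]}"; do
    label="Waitlist XSS: ${payload:0:30}..."

    # Escape backslashes as well as quotes so any payload stays a valid JSON
    # string (same escaping as the newsletter test).
    json_payload=$(sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' <<< "$payload")
    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" -X POST "$API_BASE/waitlist" \
        -H "Content-Type: application/json" \
        -d "{\"event_id\":1,\"full_name\":\"$json_payload\",\"email\":\"test@test.com\"}" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    if [[ "$result" == "XSSREFLECTED" ]]; then
        log_test "$label" "FAIL" "XSS reflected"
    else
        log_test "$label" "PASS" "HTTP $http_code"
    fi
done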

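# Test 2.3: Blog slug XSS (reuses XSS_SLUG_TESTS)
echo ""
echo "Testing: Blog slug XSS..."
for encoded_payload in "${XSS_SLUG_TESTS[@]}"; do
    label="Blog slug XSS: ${encoded_payload:0:30}..."

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/blogs/$encoded_payload" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    if [[ "$result" == "XSSREFLECTED" ]]; then
        log_test "$label" "FAIL" "XSS reflected"
    else
        log_test "$label" "PASS" "HTTP $http_code"
    fi
done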

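# Test 2.4: Page slug XSS (reuses XSS_SLUG_TESTS)
echo ""
echo "Testing: Page slug XSS..."
for encoded_payload in "${XSS_SLUG_TESTS[@]}"; do
    label="Page slug XSS: ${encoded_payload:0:30}..."

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/pages/$encoded_payload" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    if [[ "$result" == "XSSREFLECTED" ]]; then
        log_test "$label" "FAIL" "XSS reflected"
    else
        log_test "$label" "PASS" "HTTP $http_code"
    fi
done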

# ==============================================================================
# 3. NOSQL INJECTION TESTS
# ==============================================================================

# Section banner: on screen and in the results file
printf '\n%s\n%s\n%s\n' \
    "=========================================================" \
    "3. NOSQL INJECTION TESTS" \
    "========================================================="
{
    printf '\n%s\n' "3. NOSQL INJECTION TESTS"
    printf '%s\n' "---------------------------------------------------------"
} >> "$RESULTS_FILE"

# Note: This Laravel app uses MySQL; the NoSQL operator payloads below are still sent as a defense-in-depth check

echo ""
echo "Testing: NoSQL injection in JSON body..."

# Complete JSON bodies in which event_id is an operator object, not an integer
declare -a NOSQL_TESTS=(
    '{"event_id":{"$ne":null},"seat_ids":["test"]}'
    '{"event_id":{"$gt":""},"seat_ids":["test"]}'
    '{"event_id":{"$regex":".*"},"seat_ids":["test"]}'
)

for payload in "${NOSQL_TESTS[@]}"; do
    label="NoSQL injection: ${payload:0:40}..."

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" -X POST "$API_BASE/seats/hold" \
        -H "Content-Type: application/json" \
        -d "$payload" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # Only the status matters here: a validation rejection is expected
    # because event_id must be an integer; a 500 needs a closer look.
    case "$http_code" in
        422|400) log_test "$label" "PASS" "Validation rejected (HTTP $http_code)" ;;
        500)     log_test "$label" "WARN" "Server error - investigate" ;;
        *)       log_test "$label" "PASS" "HTTP $http_code" ;;
    esac
done

# ==============================================================================
# 4. PATH TRAVERSAL TESTS
# ==============================================================================

# Section banner: on screen and in the results file
printf '\n%s\n%s\n%s\n' \
    "=========================================================" \
    "4. PATH TRAVERSAL TESTS" \
    "========================================================="
{
    printf '\n%s\n' "4. PATH TRAVERSAL TESTS"
    printf '%s\n' "---------------------------------------------------------"
} >> "$RESULTS_FILE"

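# Test 4.1: Event slug path traversal
echo ""
echo "Testing: Event slug path traversal..."

# Pre-encoded traversal sequences, including double-encoded and backslash
# variants (shared with Tests 4.2-4.4)
declare -a PATH_TESTS=(
    "..%2F..%2F..%2Fetc%2Fpasswd"
    "....%2F%2F....%2F%2F....%2F%2Fetc%2Fpasswd"
    "..%5C..%5C..%5Cetc%5Cpasswd"
    "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"
    "..%252f..%252f..%252fetc%252fpasswd"
    "..%2F..%2F..%2F.env"
    "..%2F..%2F..%2Fconfig%2Fdatabase.php"
    "..%2F..%2F..%2Fstorage%2Flogs%2Flaravel.log"
)

for encoded_payload in "${PATH_TESTS[@]}"; do
    label="Event path traversal: ${encoded_payload:0:30}..."

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/events/$encoded_payload" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    if [[ "$result" == "PATHTRAVERSAL" ]]; then
        log_test "$label" "FAIL" "File contents exposed!"
    elif [[ "$http_code" =~ ^(404|400)$ ]]; then
        log_test "$label" "PASS" "Safely rejected (HTTP $http_code)"
    else
        log_test "$label" "PASS" "HTTP $http_code"
    fi
done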

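# Test 4.2: Venue template path traversal (reuses PATH_TESTS)
echo ""
echo "Testing: Venue template path traversal..."
for encoded_payload in "${PATH_TESTS[@]}"; do
    label="Venue path traversal: ${encoded_payload:0:30}..."

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/venue/template/$encoded_payload" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    if [[ "$result" == "PATHTRAVERSAL" ]]; then
        log_test "$label" "FAIL" "File contents exposed!"
    else
        log_test "$label" "PASS" "HTTP $http_code"
    fi
done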

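# Test 4.3: CMS files path traversal (reuses PATH_TESTS)
echo ""
echo "Testing: CMS files path traversal..."
for encoded_payload in "${PATH_TESTS[@]}"; do
    label="CMS path traversal: ${encoded_payload:0:30}..."

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/cms-files/$encoded_payload/serve" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    if [[ "$result" == "PATHTRAVERSAL" ]]; then
        log_test "$label" "FAIL" "File contents exposed!"
    else
        log_test "$label" "PASS" "HTTP $http_code"
    fi
done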

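# Test 4.4: Ticket download path traversal (reuses PATH_TESTS)
echo ""
echo "Testing: Ticket download path traversal..."
for encoded_payload in "${PATH_TESTS[@]}"; do
    label="Ticket path traversal: ${encoded_payload:0:30}..."

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/tickets/$encoded_payload/download" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    if [[ "$result" == "PATHTRAVERSAL" ]]; then
        log_test "$label" "FAIL" "File contents exposed!"
    else
        log_test "$label" "PASS" "HTTP $http_code"
    fi
done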

# ==============================================================================
# 5. NULL BYTE INJECTION TESTS
# ==============================================================================

# Section banner: on screen and in the results file
printf '\n%s\n%s\n%s\n' \
    "=========================================================" \
    "5. NULL BYTE INJECTION TESTS" \
    "========================================================="
{
    printf '\n%s\n' "5. NULL BYTE INJECTION TESTS"
    printf '%s\n' "---------------------------------------------------------"
} >> "$RESULTS_FILE"

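# Test 5.1: Event slug null byte injection
echo ""
echo "Testing: Event slug null byte injection..."

# Pre-encoded slugs with an embedded %00 before a file suffix or traversal
declare -a NULL_TESTS=(
    "valid-event%00.php"
    "valid-event%00.txt"
    "valid-slug%00%2F..%2F..%2Fetc%2Fpasswd"
    "test%00..%2F..%2F.env"
    "image%00.php"
)

for encoded_payload in "${NULL_TESTS[@]}"; do
    label="Null byte injection: $encoded_payload"

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/events/$encoded_payload" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # || true keeps set -e from aborting the run when a finding is reported
    result=$(check_response "$body" "$http_code") || true

    if [[ "$result" == "PATHTRAVERSAL" ]]; then
        log_test "$label" "FAIL" "File access via null byte!"
    elif [[ "$http_code" =~ ^(404|400)$ ]]; then
        log_test "$label" "PASS" "Safely rejected (HTTP $http_code)"
    else
        log_test "$label" "PASS" "HTTP $http_code"
    fi
done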

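# Test 5.2: Email field null byte injection
echo ""
echo "Testing: Email field null byte injection..."

# %00 is a placeholder for the NUL byte; it is converted for JSON below
declare -a NULL_EMAIL_TESTS=(
    "test%00@evil.com"
    "test@test.com%00@evil.com"
    "admin%00@test.com"
)

for payload in "${NULL_EMAIL_TESTS[@]}"; do
    label="Email null byte: $payload"

    # Rewrite %00 as the JSON escape \u0000 so the server's JSON parser
    # yields a real NUL character inside the email string.
    json_email=$(sed 's/%00/\\u0000/g' <<< "$payload")
    # Transport failure -> status "000"; the status is the last line and the
    # body is not inspected in this test.
    response=$(curl -s -w "\n%{http_code}" -X POST "$API_BASE/newsletter/subscribe" \
        -H "Content-Type: application/json" \
        -d "{\"email\":\"$json_email\",\"consent_marketing\":true}" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")

    # 422/400 is the expected validation rejection. A 500 means the NUL
    # byte reached code that could not handle it, so it is surfaced as a
    # WARN (consistent with the NoSQL body test) rather than a silent PASS.
    case "$http_code" in
        422|400) log_test "$label" "PASS" "Validation rejected (HTTP $http_code)" ;;
        500)     log_test "$label" "WARN" "Server error - investigate" ;;
        *)       log_test "$label" "PASS" "HTTP $http_code" ;;
    esac
done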

# ==============================================================================
# 6. COMMAND INJECTION TESTS
# ==============================================================================

# Section banner: on screen and in the results file
printf '\n%s\n%s\n%s\n' \
    "=========================================================" \
    "6. COMMAND INJECTION TESTS" \
    "========================================================="
{
    printf '\n%s\n' "6. COMMAND INJECTION TESTS"
    printf '%s\n' "---------------------------------------------------------"
} >> "$RESULTS_FILE"

echo ""
echo "Testing: Command injection in event slug..."

# Pre-encoded shell metacharacter payloads; the last one is time-based
declare -a CMD_TESTS=(
    "%3B%20ls%20-la"
    "%7C%20cat%20%2Fetc%2Fpasswd"
    "%60id%60"
    "%24(whoami)"
    "%3B%20sleep%202"
)

for encoded_payload in "${CMD_TESTS[@]}"; do
    # Wall-clock the request so a delayed response can be spotted; curl is
    # capped at 10s so a stalled server cannot hang the run.
    started=$(date +%s)
    response=$(curl -s -w "\n%{http_code}" --max-time 10 "$API_BASE/events/$encoded_payload" 2>/dev/null || printf '\n000')
    finished=$(date +%s)
    duration=$((finished - started))

    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # A response slower than 5s is reported as a possible sleep injection.
    # Note that a plain network stall (up to the 10s cap) trips the same
    # check, so a time-based FAIL should be confirmed by re-running.
    if (( duration >= 5 )); then
        log_test "Command injection (time-based): ${encoded_payload:0:20}..." "FAIL" "Response took ${duration}s (possible sleep injection)"
    elif grep -qE '(uid=|root:|/bin/bash|/bin/sh)' <<< "$body"; then
        log_test "Command injection: ${encoded_payload:0:20}..." "FAIL" "Command output in response!"
    else
        log_test "Command injection: ${encoded_payload:0:20}..." "PASS" "HTTP $http_code, ${duration}s"
    fi
done

# ==============================================================================
# 7. HEADER INJECTION TESTS
# ==============================================================================

# Section banner: on screen and in the results file
printf '\n%s\n%s\n%s\n' \
    "=========================================================" \
    "7. HEADER INJECTION TESTS" \
    "========================================================="
{
    printf '\n%s\n' "7. HEADER INJECTION TESTS"
    printf '%s\n' "---------------------------------------------------------"
} >> "$RESULTS_FILE"

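echo ""
echo "Testing: CRLF injection in headers..."

# Each payload is an encoded line break followed by a marker header; the
# first adds X-Injected, the second adds a Set-Cookie
declare -a CRLF_TESTS=(
    "test%0d%0aX-Injected:%20true"
    "test%0aSet-Cookie:%20injected=true"
)

for encoded_payload in "${CRLF_TESTS[@]}"; do
    label="CRLF injection: ${encoded_payload:0:30}..."

    # Send the payload in a custom request header and keep only the
    # response headers (-D -), discarding the body.
    response=$(curl -s -D - -o /dev/null "$API_BASE/events" \
        -H "X-Custom-Test: Mozilla/5.0 $encoded_payload" 2>/dev/null || true)

    if [[ -z "$response" ]]; then
        # No headers at all means the request never completed, which is
        # not evidence that injection failed.
        log_test "$label" "WARN" "No response headers received"
    elif grep -qiE '^(X-Injected:|Set-Cookie: *injected=true)' <<< "$response"; then
        # Look for either marker as a header of its own (line start); a
        # check for X-Injected alone never sees the Set-Cookie payload.
        log_test "$label" "FAIL" "Header injection successful!"
    else
        log_test "$label" "PASS" "Headers not injectable"
    fi
done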

# ==============================================================================
# 8. LDAP INJECTION TESTS
# ==============================================================================

# Section banner: on screen and in the results file
printf '\n%s\n%s\n%s\n' \
    "=========================================================" \
    "8. LDAP INJECTION TESTS" \
    "========================================================="
{
    printf '\n%s\n' "8. LDAP INJECTION TESTS"
    printf '%s\n' "---------------------------------------------------------"
} >> "$RESULTS_FILE"

echo ""
echo "Testing: LDAP injection in search..."

# Raw filter-syntax payloads; percent-encoded at send time via urlencode()
declare -a LDAP_TESTS=(
    "*)(uid=*))(|(uid=*"
    "admin)(&)"
    "*(|(password=*))"
)

for payload in "${LDAP_TESTS[@]}"; do
    label="LDAP injection: ${payload:0:30}..."
    encoded_payload=$(urlencode "$payload")

    # Transport failure -> empty body, status "000"; status is the last line.
    response=$(curl -s -w "\n%{http_code}" "$API_BASE/events?search=$encoded_payload" 2>/dev/null || printf '\n000')
    http_code=$(tail -n 1 <<< "$response")
    body=$(sed '$d' <<< "$response")

    # Only directory-service error text is treated as noteworthy here
    if grep -qiE '(ldap|invalid dn|bad search filter)' <<< "$body"; then
        log_test "$label" "WARN" "LDAP-related error in response"
    else
        log_test "$label" "PASS" "HTTP $http_code"
    fi
done

# ==============================================================================
# 9. XML/XXE INJECTION TESTS
# ==============================================================================

# Section banner: on screen and in the results file
printf '\n%s\n%s\n%s\n' \
    "=========================================================" \
    "9. XML/XXE INJECTION TESTS" \
    "========================================================="
{
    printf '\n%s\n' "9. XML/XXE INJECTION TESTS"
    printf '%s\n' "---------------------------------------------------------"
} >> "$RESULTS_FILE"

echo ""
echo "Testing: XXE injection in Content-Type..."

# Probe whether the endpoint parses XML at all; a parser that resolved the
# external entity would echo the referenced file back in the response.
xxe_payload='<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'

# Transport failure -> empty body, status "000"; status is the last line.
response=$(curl -s -w "\n%{http_code}" -X POST "$API_BASE/seats/hold" \
    -H "Content-Type: application/xml" \
    -d "$xxe_payload" 2>/dev/null || printf '\n000')
http_code=$(tail -n 1 <<< "$response")
body=$(sed '$d' <<< "$response")

xxe_label="XXE injection: file:///etc/passwd"
if grep -qE 'root:' <<< "$body"; then
    log_test "$xxe_label" "FAIL" "File contents exposed via XXE!"
elif [[ "$http_code" =~ ^(415|422)$ ]]; then
    log_test "$xxe_label" "PASS" "XML not accepted (HTTP $http_code)"
else
    log_test "$xxe_label" "PASS" "HTTP $http_code"
fi

# ==============================================================================
# SUMMARY
# ==============================================================================

echo ""
echo "========================================================="
echo "TEST SUMMARY"
echo "========================================================="

TOTAL=$((PASSED + FAILED + WARNINGS))

# Append the summary block to the results file
{
    printf '\n%s\n' "========================================================="
    printf '%s\n' "SUMMARY"
    printf '%s\n' "---------------------------------------------------------"
    printf 'Total Tests: %s\n' "$TOTAL"
    printf 'Passed: %s\n' "$PASSED"
    printf 'Failed: %s\n' "$FAILED"
    printf 'Warnings: %s\n' "$WARNINGS"
    printf 'Completed: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')"
    printf '%s\n' "========================================================="
} >> "$RESULTS_FILE"

# Coloured tallies on screen (%b expands the colour escapes)
printf '%bPassed:%b %s\n' "$GREEN" "$NC" "$PASSED"
printf '%bFailed:%b %s\n' "$RED" "$NC" "$FAILED"
printf '%bWarnings:%b %s\n' "$YELLOW" "$NC" "$WARNINGS"
echo ""
echo "Results saved to: $RESULTS_FILE"

# Calculate pass rate (integer percentage; skipped when nothing ran)
if (( TOTAL > 0 )); then
    PASS_RATE=$((PASSED * 100 / TOTAL))
    echo ""
    echo "Pass Rate: $PASS_RATE%"
    echo "Pass Rate: $PASS_RATE%" >> "$RESULTS_FILE"
fi

# Exit code: 1 = at least one FAIL, 2 = warnings only, 0 = clean run
if (( FAILED > 0 )); then
    echo ""
    printf '%bCRITICAL: %s injection vulnerabilities detected!%b\n' "$RED" "$FAILED" "$NC"
    exit 1
elif (( WARNINGS > 0 )); then
    echo ""
    printf '%bWARNING: %s potential issues require investigation%b\n' "$YELLOW" "$WARNINGS" "$NC"
    exit 2
else
    echo ""
    printf '%bSUCCESS: All injection tests passed!%b\n' "$GREEN" "$NC"
    exit 0
fi
