#!/bin/bash # ==================================================================================== # GALA-SEC-1: Payment Security & Business Logic Adversarial Test Suite # ==================================================================================== # Epic: GALA-SEC (Adversarial Security Testing) # Story: GALA-SEC-1 - Payment Security & Business Logic Exploits # Target: 30-minute focused adversarial test # Risk Mitigation: Price manipulation, double-spending, quantity exploits, coupon abuse # Date: 2026-01-20 # ==================================================================================== # Configuration - can be overridden via environment variables API_BASE="${API_BASE:-http://localhost:8100/api}" RESULTS_FILE="/tmp/adversarial_payment_results.txt" VERBOSE="${VERBOSE:-false}" PASSED=0 FAILED=0 WARNINGS=0 # Colors for output RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' NC='\033[0m' # No Color echo "=== GALA-SEC-1: Adversarial Payment Security Tests ===" | tee $RESULTS_FILE echo "Date: $(date)" | tee -a $RESULTS_FILE echo "API Base: $API_BASE" | tee -a $RESULTS_FILE echo "" | tee -a $RESULTS_FILE # ==================================================================================== # Helper Functions # ==================================================================================== pass() { echo -e "${GREEN}PASS${NC}: $1" echo "PASS: $1" >> $RESULTS_FILE ((PASSED++)) } fail() { echo -e "${RED}FAIL${NC}: $1" echo "FAIL: $1" >> $RESULTS_FILE ((FAILED++)) } warn() { echo -e "${YELLOW}WARN${NC}: $1" echo "WARN: $1" >> $RESULTS_FILE ((WARNINGS++)) } info() { echo -e "INFO: $1" echo "INFO: $1" >> $RESULTS_FILE } # Make API request and capture response # Usage: make_request METHOD ENDPOINT [DATA] [HEADERS] make_request() { local method=$1 local endpoint=$2 local data=$3 local extra_headers=$4 local curl_opts="-s -w '\n%{http_code}'" if [ "$VERBOSE" == "true" ]; then curl_opts="-v -w '\n%{http_code}'" fi if [ -n "$extra_headers" ]; then curl_opts="$curl_opts $extra_headers" fi if [ "$method" == "GET" ]; then response=$(curl $curl_opts "$API_BASE$endpoint" 2>&1) elif [ "$method" == "POST" ]; then response=$(curl $curl_opts -X POST -H "Content-Type: application/json" -d "$data" "$API_BASE$endpoint" 2>&1) elif [ "$method" == "DELETE" ]; then response=$(curl $curl_opts -X DELETE -H "Content-Type: application/json" -d "$data" "$API_BASE$endpoint" 2>&1) fi status=$(echo "$response" | tail -n 1 | tr -d "'") body=$(echo "$response" | sed '$d') echo "$status|$body" } # Extract JSON field json_get() { echo "$1" | jq -r "$2" 2>/dev/null } # Generate random session ID gen_session() { echo "adv-test-session-$(date +%s)-$RANDOM" } # Generate idempotency key gen_idemp() { uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || echo "idemp-$(date +%s%N)-$RANDOM" } # ==================================================================================== # Prerequisite: Get a valid event ID for testing # ==================================================================================== echo "" echo "=== Prerequisite: Finding test event ===" # Find an event with available seats response=$(make_request GET "/events") status=$(echo "$response" | cut -d'|' -f1) body=$(echo "$response" | cut -d'|' -f2-) if [ "$status" != "200" ]; then echo "SKIP: Cannot fetch events list (status: $status)" echo "Tests require a running API server at $API_BASE" exit 1 fi # Get first event TEST_EVENT_ID=$(json_get "$body" '.data[0].id' 2>/dev/null) TEST_EVENT_SLUG=$(json_get "$body" '.data[0].slug' 2>/dev/null) if [ -z "$TEST_EVENT_ID" ] || [ "$TEST_EVENT_ID" == "null" ]; then echo "SKIP: No events found in database" echo "Please create test events before running security tests" exit 1 fi info "Using test event: ID=$TEST_EVENT_ID, SLUG=$TEST_EVENT_SLUG" # Get seat availability for the event response=$(make_request GET "/seats/status/$TEST_EVENT_ID") status=$(echo "$response" | cut -d'|' -f1) body=$(echo "$response" | cut -d'|' -f2-) if [ "$status" != "200" ]; then warn "Cannot get seat status (status: $status) - using placeholder seat IDs" TEST_SEAT_1="test-seat-001" TEST_SEAT_2="test-seat-002" TEST_SEAT_3="test-seat-003" SEAT_PRICE_1=100.00 else # Extract available seats TEST_SEAT_1=$(json_get "$body" '.data.seats_by_status.available[0].seat_id' 2>/dev/null) TEST_SEAT_2=$(json_get "$body" '.data.seats_by_status.available[1].seat_id' 2>/dev/null) TEST_SEAT_3=$(json_get "$body" '.data.seats_by_status.available[2].seat_id' 2>/dev/null) SEAT_PRICE_1=$(json_get "$body" '.data.seats_by_status.available[0].price' 2>/dev/null) if [ -z "$TEST_SEAT_1" ] || [ "$TEST_SEAT_1" == "null" ]; then warn "No available seats found - some tests may fail" TEST_SEAT_1="placeholder-seat-001" SEAT_PRICE_1=100.00 fi fi info "Test seats: SEAT_1=$TEST_SEAT_1, PRICE=$SEAT_PRICE_1" echo "" # ==================================================================================== # SECTION 1: PRICE MANIPULATION ATTACKS # ==================================================================================== echo "=== SECTION 1: Price Manipulation Attacks ===" | tee -a $RESULTS_FILE echo "" # Test 1.1: Extremely low price override echo -n "Test 1.1: Extreme low price (EUR 0.01 for EUR $SEAT_PRICE_1 seat)... " SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": [\"$TEST_SEAT_1\"], \"session_id\": \"$SESSION\", \"seat_pricing\": { \"$TEST_SEAT_1\": 0.01 } }") status=$(echo "$response" | cut -d'|' -f1) body=$(echo "$response" | cut -d'|' -f2-) if [ "$status" == "422" ]; then pass "Extreme low price rejected with 422 (price validation)" elif [ "$status" == "200" ]; then # Check if database price was used hold_price=$(json_get "$body" '.data.total_price') if [ "$hold_price" == "0.01" ]; then fail "SECURITY VULNERABILITY: Server accepted fraudulent price EUR 0.01" else pass "Server accepted request but used database price (EUR $hold_price)" # Clean up: release the hold hold_token=$(json_get "$body" '.data.hold_token') make_request DELETE "/seats/hold" "{\"hold_token\": \"$hold_token\"}" > /dev/null 2>&1 fi else warn "Unexpected status $status - review manually" fi # Test 1.2: Negative price injection echo -n "Test 1.2: Negative price injection (EUR -50)... " SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": [\"$TEST_SEAT_1\"], \"session_id\": \"$SESSION\", \"seat_pricing\": { \"$TEST_SEAT_1\": -50.00 } }") status=$(echo "$response" | cut -d'|' -f1) body=$(echo "$response" | cut -d'|' -f2-) if [ "$status" == "422" ]; then pass "Negative price rejected with 422 (validation error)" elif [ "$status" == "200" ]; then fail "SECURITY VULNERABILITY: Server accepted negative price" else warn "Status $status returned - expected 422" fi # Test 1.3: Zero price booking echo -n "Test 1.3: Zero price booking attempt... " SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": [\"$TEST_SEAT_1\"], \"session_id\": \"$SESSION\", \"seat_pricing\": { \"$TEST_SEAT_1\": 0.00 } }") status=$(echo "$response" | cut -d'|' -f1) body=$(echo "$response" | cut -d'|' -f2-) if [ "$status" == "422" ]; then pass "Zero price rejected with 422" elif [ "$status" == "200" ]; then hold_price=$(json_get "$body" '.data.total_price') if [ "$hold_price" == "0" ] || [ "$hold_price" == "0.00" ]; then fail "SECURITY VULNERABILITY: Server accepted zero price booking" else pass "Server used database price (EUR $hold_price) instead of zero" hold_token=$(json_get "$body" '.data.hold_token') make_request DELETE "/seats/hold" "{\"hold_token\": \"$hold_token\"}" > /dev/null 2>&1 fi else warn "Status $status returned" fi # Test 1.4: Large number overflow attempt echo -n "Test 1.4: Large number overflow attack (EUR 99999999999999)... " SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": [\"$TEST_SEAT_1\"], \"session_id\": \"$SESSION\", \"seat_pricing\": { \"$TEST_SEAT_1\": 99999999999999.99 } }") status=$(echo "$response" | cut -d'|' -f1) body=$(echo "$response" | cut -d'|' -f2-) if [ "$status" == "422" ] || [ "$status" == "400" ]; then pass "Large number rejected with $status" elif [ "$status" == "200" ]; then hold_price=$(json_get "$body" '.data.total_price') pass "Server handled large number (used price: EUR $hold_price)" hold_token=$(json_get "$body" '.data.hold_token') make_request DELETE "/seats/hold" "{\"hold_token\": \"$hold_token\"}" > /dev/null 2>&1 else warn "Status $status returned - review for crash/error handling" fi echo "" # ==================================================================================== # SECTION 2: DOUBLE-SPENDING / TOKEN REUSE ATTACKS # ==================================================================================== echo "=== SECTION 2: Double-Spending / Token Reuse ===" | tee -a $RESULTS_FILE echo "" # Test 2.1: Reuse hold_id for multiple confirmations echo -n "Test 2.1: Hold token reuse attack... " # First, create a valid hold SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": [\"$TEST_SEAT_1\"], \"session_id\": \"$SESSION\" }") status=$(echo "$response" | cut -d'|' -f1) body=$(echo "$response" | cut -d'|' -f2-) if [ "$status" != "200" ]; then warn "Cannot create initial hold (status $status) - skipping token reuse test" else hold_token=$(json_get "$body" '.data.hold_token') # First confirmation attempt response=$(make_request POST "/seats/confirm" "{ \"hold_token\": \"$hold_token\", \"customer_name\": \"Test Customer 1\", \"customer_email\": \"test1@example.com\", \"customer_phone\": \"+1234567890\" }") status1=$(echo "$response" | cut -d'|' -f1) # Second confirmation attempt (attack - reuse same token) response=$(make_request POST "/seats/confirm" "{ \"hold_token\": \"$hold_token\", \"customer_name\": \"Attacker\", \"customer_email\": \"attacker@evil.com\", \"customer_phone\": \"+9999999999\" }") status2=$(echo "$response" | cut -d'|' -f1) if [ "$status2" == "400" ] || [ "$status2" == "404" ] || [ "$status2" == "409" ] || [ "$status2" == "410" ]; then pass "Token reuse rejected (second attempt: $status2)" elif [ "$status2" == "200" ] || [ "$status2" == "201" ]; then fail "SECURITY VULNERABILITY: Same hold confirmed twice" else warn "Second confirmation returned $status2 - review manually" fi fi # Test 2.2: Idempotency key reuse for different requests echo -n "Test 2.2: Idempotency key reuse attack... " IDEMP_KEY=$(gen_idemp) # First request with idempotency key SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": [\"$TEST_SEAT_2\"], \"session_id\": \"$SESSION\" }" "-H 'Payment-Idempotency-Key: $IDEMP_KEY'") status1=$(echo "$response" | cut -d'|' -f1) body1=$(echo "$response" | cut -d'|' -f2-) if [ "$status1" == "200" ]; then token1=$(json_get "$body1" '.data.hold_token') # Second request with SAME idempotency key but DIFFERENT seat (attack) SESSION2=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": [\"$TEST_SEAT_3\"], \"session_id\": \"$SESSION2\" }" "-H 'Payment-Idempotency-Key: $IDEMP_KEY'") status2=$(echo "$response" | cut -d'|' -f1) body2=$(echo "$response" | cut -d'|' -f2-) if [ "$status2" == "400" ] || [ "$status2" == "409" ]; then pass "Idempotency key reuse detected and rejected" elif [ "$status2" == "200" ]; then token2=$(json_get "$body2" '.data.hold_token') if [ "$token1" == "$token2" ]; then pass "Idempotency enforced (same token returned)" else warn "Different holds created with same idempotency key - review policy" fi else warn "Status $status2 returned - review manually" fi # Cleanup make_request DELETE "/seats/hold" "{\"hold_token\": \"$token1\"}" > /dev/null 2>&1 else warn "Initial hold failed (status $status1) - skipping idempotency test" fi echo "" # ==================================================================================== # SECTION 3: QUANTITY MANIPULATION ATTACKS # ==================================================================================== echo "=== SECTION 3: Quantity Manipulation ===" | tee -a $RESULTS_FILE echo "" # Test 3.1: Empty seat array echo -n "Test 3.1: Empty seat array (zero quantity)... " SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": [], \"session_id\": \"$SESSION\" }") status=$(echo "$response" | cut -d'|' -f1) if [ "$status" == "422" ]; then pass "Empty seat array rejected with 422" else fail "Empty seat array returned status $status (expected 422)" fi # Test 3.2: Massive quantity request (1000 seats) echo -n "Test 3.2: Massive quantity request (1000 fake seats)... " FAKE_SEATS="" for i in $(seq 1 1000); do FAKE_SEATS="$FAKE_SEATS\"fake-seat-$i\"," done FAKE_SEATS="[${FAKE_SEATS%,}]" SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": $FAKE_SEATS, \"session_id\": \"$SESSION\" }") status=$(echo "$response" | cut -d'|' -f1) if [ "$status" == "413" ] || [ "$status" == "422" ] || [ "$status" == "400" ]; then pass "Massive quantity rejected with $status" elif [ "$status" == "200" ]; then fail "SECURITY VULNERABILITY: Server accepted 1000 seats" else warn "Status $status returned - review for proper error handling" fi # Test 3.3: Invalid seat_ids format (not array) echo -n "Test 3.3: Invalid seat_ids format (string instead of array)... " SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": \"single-string-not-array\", \"session_id\": \"$SESSION\" }") status=$(echo "$response" | cut -d'|' -f1) if [ "$status" == "422" ]; then pass "Invalid format rejected with 422" else warn "Status $status returned (expected 422 validation error)" fi # Test 3.4: Exceed per-order limit (if event has max_no_of_tickets) echo -n "Test 3.4: Exceed per-order limit (15 seats for max 10)... " # Generate 15 different seat IDs MANY_SEATS="" for i in $(seq 1 15); do MANY_SEATS="$MANY_SEATS\"exceed-limit-$i\"," done MANY_SEATS="[${MANY_SEATS%,}]" SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": $MANY_SEATS, \"session_id\": \"$SESSION\" }") status=$(echo "$response" | cut -d'|' -f1) body=$(echo "$response" | cut -d'|' -f2-) if [ "$status" == "413" ]; then pass "Per-order limit enforced with 413" elif [ "$status" == "422" ]; then # Could be validation error (seats don't exist) or limit error error_msg=$(json_get "$body" '.message') if echo "$error_msg" | grep -iq "too many\|limit\|maximum"; then pass "Per-order limit enforced with 422" else pass "Rejected with 422 (likely invalid seat IDs)" fi else warn "Status $status - may not have per-order limit configured" fi echo "" # ==================================================================================== # SECTION 4: COUPON / DISCOUNT STACKING ATTACKS # ==================================================================================== echo "=== SECTION 4: Coupon/Discount Stacking ===" | tee -a $RESULTS_FILE echo "" # Test 4.1: Invalid coupon code echo -n "Test 4.1: Invalid coupon code... " response=$(make_request POST "/coupons/validate" "{ \"code\": \"FAKE_NONEXISTENT_CODE_123\", \"event_id\": $TEST_EVENT_ID, \"subtotal\": 100.00 }") status=$(echo "$response" | cut -d'|' -f1) body=$(echo "$response" | cut -d'|' -f2-) if [ "$status" == "200" ]; then valid=$(json_get "$body" '.data.valid') if [ "$valid" == "false" ]; then pass "Invalid coupon properly rejected (valid=false)" else fail "SECURITY ISSUE: Invalid coupon returned valid=true" fi elif [ "$status" == "422" ]; then pass "Invalid coupon rejected with 422" else warn "Status $status returned" fi # Test 4.2: Apply coupon to booking echo -n "Test 4.2: Apply coupon code during hold... " SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": [\"$TEST_SEAT_1\"], \"session_id\": \"$SESSION\", \"coupon_code\": \"FAKE_COUPON\" }") status=$(echo "$response" | cut -d'|' -f1) body=$(echo "$response" | cut -d'|' -f2-) if [ "$status" == "422" ]; then pass "Invalid coupon rejected during hold" elif [ "$status" == "200" ]; then # May succeed if coupon is optional coupon_applied=$(json_get "$body" '.data.coupon_applied') if [ "$coupon_applied" == "true" ]; then fail "SECURITY ISSUE: Fake coupon was applied" else pass "Hold succeeded, fake coupon ignored" fi hold_token=$(json_get "$body" '.data.hold_token') make_request DELETE "/seats/hold" "{\"hold_token\": \"$hold_token\"}" > /dev/null 2>&1 else warn "Status $status returned" fi # Test 4.3: SQL injection via coupon code echo -n "Test 4.3: SQL injection via coupon code... " response=$(make_request POST "/coupons/validate" "{ \"code\": \"' OR '1'='1\", \"event_id\": $TEST_EVENT_ID, \"subtotal\": 100.00 }") status=$(echo "$response" | cut -d'|' -f1) body=$(echo "$response" | cut -d'|' -f2-) if [ "$status" == "200" ]; then valid=$(json_get "$body" '.data.valid') if [ "$valid" == "false" ]; then pass "SQL injection attempt safely handled (valid=false)" else fail "SECURITY VULNERABILITY: SQL injection may have succeeded" fi elif [ "$status" == "422" ] || [ "$status" == "400" ]; then pass "SQL injection rejected with $status" elif [ "$status" == "500" ]; then fail "SECURITY ISSUE: SQL injection caused server error" else warn "Status $status returned" fi echo "" # ==================================================================================== # SECTION 5: COMBINED ATTACK VECTORS # ==================================================================================== echo "=== SECTION 5: Combined Attack Vectors ===" | tee -a $RESULTS_FILE echo "" # Test 5.1: Low price + high quantity echo -n "Test 5.1: Combined low price + high quantity... " ATTACK_SEATS="" for i in $(seq 1 100); do ATTACK_SEATS="$ATTACK_SEATS\"attack-seat-$i\"," done ATTACK_SEATS="[${ATTACK_SEATS%,}]" ATTACK_PRICING="" for i in $(seq 1 100); do ATTACK_PRICING="$ATTACK_PRICING\"attack-seat-$i\": 0.01," done ATTACK_PRICING="{${ATTACK_PRICING%,}}" SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": $ATTACK_SEATS, \"session_id\": \"$SESSION\", \"seat_pricing\": $ATTACK_PRICING }") status=$(echo "$response" | cut -d'|' -f1) if [ "$status" == "413" ] || [ "$status" == "422" ]; then pass "Combined attack rejected with $status" elif [ "$status" == "200" ]; then fail "SECURITY VULNERABILITY: Combined attack succeeded" else pass "Attack rejected with status $status" fi # Test 5.2: Session token length check echo -n "Test 5.2: Hold token entropy check... " SESSION=$(gen_session) response=$(make_request POST "/seats/hold" "{ \"event_id\": $TEST_EVENT_ID, \"seat_ids\": [\"$TEST_SEAT_1\"], \"session_id\": \"$SESSION\" }") status=$(echo "$response" | cut -d'|' -f1) body=$(echo "$response" | cut -d'|' -f2-) if [ "$status" == "200" ]; then hold_token=$(json_get "$body" '.data.hold_token') token_len=${#hold_token} if [ "$token_len" -ge 32 ]; then pass "Hold token has sufficient entropy ($token_len chars)" elif [ "$token_len" -ge 16 ]; then warn "Hold token may be guessable ($token_len chars, recommend 32+)" else fail "SECURITY ISSUE: Hold token too short ($token_len chars) - easily guessable" fi # Cleanup make_request DELETE "/seats/hold" "{\"hold_token\": \"$hold_token\"}" > /dev/null 2>&1 else warn "Could not test token entropy (hold failed with $status)" fi echo "" # ==================================================================================== # Summary # ==================================================================================== echo "=== TEST SUMMARY ===" | tee -a $RESULTS_FILE echo "" | tee -a $RESULTS_FILE echo -e "${GREEN}PASSED: $PASSED${NC}" | tee -a $RESULTS_FILE echo -e "${RED}FAILED: $FAILED${NC}" | tee -a $RESULTS_FILE echo -e "${YELLOW}WARNINGS: $WARNINGS${NC}" | tee -a $RESULTS_FILE echo "" | tee -a $RESULTS_FILE TOTAL=$((PASSED + FAILED)) if [ $TOTAL -gt 0 ]; then PASS_RATE=$((PASSED * 100 / TOTAL)) echo "Pass rate: $PASS_RATE%" | tee -a $RESULTS_FILE fi echo "" | tee -a $RESULTS_FILE echo "Results saved to: $RESULTS_FILE" | tee -a $RESULTS_FILE echo "Full log: /tmp/adversarial_payment_results.txt" # Exit code based on failures if [ $FAILED -gt 0 ]; then exit 1 else exit 0 fi