Module: ApiTester::InjectionModule

Defined in:
lib/api-tester/modules/injection_module.rb


Class Method Details

.check_error(response, endpoint) ⇒ Object



# File 'lib/api-tester/modules/injection_module.rb', line 37

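# Decides whether a reply is the endpoint's documented bad-request response.
#
# The body is compared against +endpoint.bad_request_response+ with
# ApiTester::ResponseEvaluator; the reply only counts as a proper error when
# the status code matches and the body has neither missing nor extra fields.
#
# @param response [#code, #body] reply returned by the endpoint call
# @param endpoint [#bad_request_response] endpoint whose expected error
#   response (code and body shape) is the reference
# @return [Boolean] true when both the code and the body shape match
def self.check_error(response, endpoint)
  expected = endpoint.bad_request_response
  evaluator = ApiTester::ResponseEvaluator.new(response.body, expected)

  # A deviation in either direction means the error shape is not the documented one.
  response.code == expected.code &&
    evaluator.missing_fields.empty? &&
    evaluator.extra_fields.empty?
end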

.check_response(response, endpoint) ⇒ Object



# File 'lib/api-tester/modules/injection_module.rb', line 33

# Reports whether a probed reply looks benign.
#
# A 200 is accepted outright; any other status must match the endpoint's
# documented bad-request response (see .check_error) to count as handled.
# NOTE(review): assumes +response.code+ is an Integer — a client that returns
# the status as a String would never match 200 here; confirm against endpoint.call.
#
# @param response [#code] reply returned by the endpoint call
# @param endpoint [#bad_request_response] endpoint the request was sent to
# @return [Boolean] true when the reply is a 200 or a well-formed error
def self.check_response(response, endpoint)
  return true if response.code == 200

  check_error(response, endpoint)
end

.go(contract) ⇒ Object



# File 'lib/api-tester/modules/injection_module.rb', line 5

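# Runs the SQL-injection probe over every endpoint/method pair in a contract.
#
# @param contract [#endpoints] contract whose endpoints each expose a list of
#   methods (+endpoint.methods+ is presumably the endpoint's own attribute,
#   not Object#methods — verify against the endpoint class)
# @return [Array<InjectionReport>] every finding from .inject_payload, in
#   contract order; empty when nothing was flagged
def self.go(contract)
  contract.endpoints.flat_map do |endpoint|
    endpoint.methods.flat_map { |http_method| inject_payload(endpoint, http_method) }
  end
end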

.inject_payload(endpoint, method) ⇒ Object



# File 'lib/api-tester/modules/injection_module.rb', line 15

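# Probes one endpoint method for SQL injection, one live request per
# field/payload pair.
#
# For every field of the method's request, each string from
# InjectionVulnerabilityLibrary.sql_vulnerabilities is appended to the field's
# default value, the altered payload is sent with the request's default
# headers, and the reply is checked with .check_response. Replies that are
# neither a 200 nor the documented bad-request shape are recorded.
#
# @param endpoint [#call, #url] endpoint that performs the request
# @param method [#request] HTTP method description; +request+ must expose
#   +fields+, +altered_payload+ and +default_headers+
# @return [Array<InjectionReport>] one "sql" report per flagged reply; empty
#   when every reply was handled
def self.inject_payload(endpoint, method)
  sql_injections = InjectionVulnerabilityLibrary.sql_vulnerabilities

  method.request.fields.each_with_object([]) do |field, reports|
    sql_injections.each do |injection|
      # Append to the default rather than replace it, so the request stays
      # otherwise well-formed (altered_payload is assumed to touch only this field).
      injection_value = "#{field.default_value}#{injection}"
      payload = method.request.altered_payload(field.name, injection_value)
      response = endpoint.call(method, payload, method.request.default_headers)
      next if check_response(response, endpoint)

      reports << InjectionReport.new("sql", endpoint.url, payload, response)
    end
  end
end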