Module: ApiTester::InjectionModule

Defined in:
lib/api-tester/modules/injection_module.rb

Overview

Tests injection cases

Class Method Summary collapse

Class Method Details

.check_error(response, endpoint) ⇒ Object 



47
48
49
50
51
52
53
54
55
56
 
# File 'lib/api-tester/modules/injection_module.rb', line 47

def self.check_error(response, endpoint)
  evaluator = ApiTester::ResponseEvaluator.new(
    actual_body: response.body,
    expected_fields: endpoint.bad_request_response
  )
  missing_fields = evaluator.missing_fields
  extra_fields = evaluator.extra_fields
  response.code == endpoint.bad_request_response.code &&
    missing_fields.size.zero? && extra_fields.size.zero?
end

.check_response(response, endpoint) ⇒ Object 



43
44
45
 
# File 'lib/api-tester/modules/injection_module.rb', line 43

def self.check_response(response, endpoint)
  response.code == 200 || check_error(response, endpoint)
end

.go(contract) ⇒ Object 



8
9
10
11
12
13
14
15
16
 
# File 'lib/api-tester/modules/injection_module.rb', line 8

def self.go(contract)
  reports = []
  contract.endpoints.each do |endpoint|
    endpoint.methods.each do |method|
      reports.concat inject_payload contract.base_url, endpoint, method
    end
  end
  reports
end

.inject_payload(base_url, endpoint, method) ⇒ Object 



18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
 
# File 'lib/api-tester/modules/injection_module.rb', line 18

def self.inject_payload(base_url, endpoint, method)
  reports = []
  sql_injections = InjectionVulnerabilityLibrary.sql_vulnerabilities

  method.request.fields.each do |field|
    sql_injections.each do |injection|
      injection_value = "#{field.default_value}#{injection}"
      payload = method.request.altered_payload field_name: field.name,
                                               value: injection_value
      response = endpoint.call base_url: base_url,
                               method: method,
                               payload: payload,
                               headers: method.request.default_headers
      next if check_response(response, endpoint)

      reports << InjectionReport.new('sql',
                                     endpoint.url,
                                     payload,
                                     response)
    end
  end

  reports
end