Sqli starter #1391
Conversation
```kotlin
        "SQLiMySQLBodyEM",
        100
    ) { args ->
        setOption(args, "security", "true")
```
we will need an experimental EMConfig option for SQLi, which should be off by default (until we run experiments)
```xml
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
        </dependency>
```
why are those dependencies here? the point of having separate modules for E2E for different databases was to avoid possible conflicts and configuration when starting Spring (as it scans the classpath)
```kotlin
    fun getVulnerableForSSRF() : Boolean = getResultValue(VULNERABLE_SSRF)?.toBoolean() ?: false

    fun setResponseTime(responseTime: Long) = addResultValue(RESPONSE_TIME, responseTime.toString())
    fun getResponseTime(): Long = getResultValue(RESPONSE_TIME)?.toLong() ?: 0
```
in case of errors, this is not going to be set (same as status code). so maybe better to return a nullable, i.e., `Long?`
```kotlin
            return true
        }

        // Simple SQLi payloads
```
`/** */`, so it gets into the documentation of the variable
```kotlin
            { t, res ->
                rcr.setResponseTime(t)
            },
            {createInvocation(a, chainState, cookies, tokens).invoke()}
```
the createInvocation() should not be counted. rather save it to a variable `call`, and then measure the time of `call.invoke()`
```kotlin
        actionResults: List<ActionResult>,
        fv: FitnessValue
    ) {
        if (!config.isEnabledFaultCategory(DefinedFaultCategory.XSS)) {
```
xss??? also need a check on SQLi, which would be off by default, as still experimental.
however, maybe we should avoid long checks like:
`!config.xss || !config.isEnabledFaultCategory(DefinedFaultCategory.XSS)`
where the check for config.xss (and new !config.sqli) should be done inside isEnabledFaultCategory. e.g. something like:
```kotlin
fun isEnabledFaultCategory(category: FaultCategory) : Boolean{
    if(category==DefinedFaultCategory.XSS && !xss){
        return false
    }
    return category !in getDisabledOracleCodesList()
}
```
```kotlin
            //    continue
            // }

            if(r.getResponseTime() < config.sqlInjectionMaxResponseTimeMs && !r.getTimedout()){
```
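Review bot: with `getResponseTime()` falling back to `0` when no value was recorded (the `?: 0` in the RestCallResult snippet above), a call that failed before any time was stored satisfies `r.getResponseTime() < config.sqlInjectionMaxResponseTimeMs` and is handled exactly like a genuinely fast response; make the getter nullable and treat the null case explicitly here (skip it) before comparing against the threshold, so "no measurement" is never mistaken for "0 ms".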
this is tricky, as there might be long executing tests regardless of SQLi, and still not timing out.
first, need to check if the SQLi payload is in the test.
then, likely we need a new value in RestCallResult to mark the increase in time after the payload. recall what I wrote in notes.txt (if unclear, we can have a meeting about it)
```kotlin
                val hasInvalidChars = leafGene.invalidChars.any { payload.contains(it) }
                if(!hasInvalidChars){
                    // append the SQLi payload value
                    leafGene.value = leafGene.value + payload
```
the gene might have length constraints. still need to validate that such constraints would not break the validity. furthermore, the StringGene might not be in use due to a tainted value. might need to call getPhenotype() to make sure that leafGene.value is indeed in use
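One way to do the validation this comment asks for, as an added example that is not code from the pull request or from EvoMaster: `StringGene`, `getPhenotype()` and `AppendResult` are stand-ins written here, and the taint handling is an assumption about how the real gene behaves.

```kotlin
// Hypothetical stand-in for EvoMaster's StringGene, reduced to the fields this
// check needs; names and structure are assumptions, not the real class.
class StringGene(
    var value: String,
    val maxLength: Int,
    val invalidChars: List<Char> = emptyList(),
    // assumed: when a taint marker is in use, the raw value is not what reaches the SUT
    private val taintedValue: String? = null
) {
    // assumed analogue of getPhenotype(): the string the SUT actually receives
    fun getPhenotype(): String = taintedValue ?: value
}

sealed class AppendResult {
    data class Applied(val newValue: String) : AppendResult()
    data class Rejected(val reason: String) : AppendResult()
}

/**
 * Append [payload] to the gene only when the result stays valid: no character the
 * gene forbids, no breach of maxLength, and the raw value is really the phenotype
 * (not replaced by a tainted value). Otherwise report why it was skipped.
 */
fun tryAppendPayload(gene: StringGene, payload: String): AppendResult {
    val invalid = gene.invalidChars.filter { payload.contains(it) }
    if (invalid.isNotEmpty()) {
        return AppendResult.Rejected("payload contains forbidden chars: $invalid")
    }
    if (gene.getPhenotype() != gene.value) {
        return AppendResult.Rejected("gene value not in use (tainted phenotype)")
    }
    val candidate = gene.value + payload
    if (candidate.length > gene.maxLength) {
        return AppendResult.Rejected("length ${candidate.length} exceeds maxLength ${gene.maxLength}")
    }
    gene.value = candidate
    return AppendResult.Applied(candidate)
}

fun main() {
    // constructed inputs; "<SQLI_PAYLOAD>" stands in for an actual payload string
    val payload = "<SQLI_PAYLOAD>"
    println(tryAppendPayload(StringGene("alice", maxLength = 64), payload))
    println(tryAppendPayload(StringGene("alice", maxLength = 10), payload))
    println(tryAppendPayload(StringGene("alice", 64, invalidChars = listOf('<')), payload))
    println(tryAppendPayload(StringGene("alice", 64, taintedValue = "_EM_taint_"), payload))
}
```

Only the first call applies the payload; the other three are rejected for length, forbidden character and tainted phenotype respectively, which is the order of checks the comment lists.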
```kotlin
        copy.modifySampleType(SampleType.SECURITY)
        copy.ensureFlattenedStructure()

        val evaluatedIndividual = fitness.computeWholeAchievedCoverageForPostProcessing(copy)
```
here we need to check the execution time before and after the injection, to see if it was successful. but, then, re-executing the tests would lose such info :( we need to think of a way to handle this properly (i don't have an easy solution right now)
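An added example (not code from the pull request or from EvoMaster) that pulls together the timing points raised in this thread: time only `invoke()`, keep the measurement nullable instead of defaulting to 0, record the time before and after the payload on the result, and flag only when a payload is actually present and the slowdown exceeds a threshold. `RestCallResult`, `Invocation`, `timedInvoke`, `looksLikeTimeBasedSqli` and the two thresholds are assumptions; the actual N and K from notes.txt are not on the page.

```kotlin
import kotlin.system.measureTimeMillis

// Constructed stand-ins for the EvoMaster types involved; assumptions, not the real API.
class RestCallResult {
    var baselineTimeMs: Long? = null   // time of the call before the payload was added
    var payloadTimeMs: Long? = null    // time of the same call with the payload appended
    var sqliPayload: String? = null    // payload that was injected, null if none
    var timedOut: Boolean = false
}

class Invocation(private val body: () -> Unit) {
    fun invoke() = body()
}

/** Time only the invocation itself; building the call stays outside the measurement. */
fun timedInvoke(call: Invocation): Long = measureTimeMillis { call.invoke() }

/**
 * Time-based SQLi oracle. The thresholds are assumptions (the real N and K from
 * notes.txt are not on the page): the response must slow down by at least
 * [minIncreaseMs] and reach at least [minRatio] times the baseline.
 */
fun looksLikeTimeBasedSqli(r: RestCallResult, minIncreaseMs: Long, minRatio: Double): Boolean {
    val payload = r.sqliPayload ?: return false        // no payload in the test: nothing to judge
    if (payload.isEmpty() || r.timedOut) return false  // a timeout is inconclusive, not evidence
    val before = r.baselineTimeMs ?: return false      // missing measurement, not "0 ms"
    val after = r.payloadTimeMs ?: return false
    return after - before >= minIncreaseMs && after >= before * minRatio
}

fun main() {
    // constructed scenario: the call is built once, run plainly, then run with the payload
    val r = RestCallResult()
    val call = Invocation { Thread.sleep(20) }        // stands in for createInvocation(...)
    r.baselineTimeMs = timedInvoke(call)
    r.sqliPayload = "<SQLI_PAYLOAD>"
    val injected = Invocation { Thread.sleep(260) }   // simulated delayed response after injection
    r.payloadTimeMs = timedInvoke(injected)
    println("flagged=${looksLikeTimeBasedSqli(r, minIncreaseMs = 200, minRatio = 3.0)}")

    // a slow endpoint with no payload must not be flagged, whatever its absolute time
    val slow = RestCallResult().apply { baselineTimeMs = 2500; payloadTimeMs = 2600 }
    println("flagged=${looksLikeTimeBasedSqli(slow, 200, 3.0)}")
}
```

Keeping both measurements on the result is what survives the re-execution problem mentioned above: the oracle reads the stored pair rather than re-timing the test.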
```kotlin

    @Experimental
    @Cfg("Maximum response time (in milliseconds) to consider a potential SQL Injection vulnerability.")
    var sqlInjectionMaxResponseTimeMs = 2000
```
recall notes.txt, there are 2 values to handle (called N and K there)
also need experimental config parameter for SQLi, false by default
No description provided.