module ApiTester::InjectionModule

Tests injection cases

Public Class Methods

# File lib/api-tester/modules/injection_module.rb, line 47
# Decides whether a non-200 response is the error response the contract
# promises for bad input.
#
# The response body is compared with endpoint.bad_request_response through
# ApiTester::ResponseEvaluator; the response is accepted only when its status
# code equals the contract's bad-request code and the evaluator reports no
# missing and no extra fields.
#
# @param response the HTTP response (needs #code and #body)
# @param endpoint the contract endpoint (needs #bad_request_response, which
#   itself needs #code)
# @return [Boolean] true when the response matches the contract's bad-request
#   response exactly
def self.check_error(response, endpoint)
  evaluator = ApiTester::ResponseEvaluator.new(
    actual_body: response.body,
    expected_fields: endpoint.bad_request_response
  )
  # Both field sets are evaluated before the status check so the evaluator
  # always sees the body, mirroring the original evaluation order.
  missing_count = evaluator.missing_fields.size
  extra_count = evaluator.extra_fields.size
  return false unless response.code == endpoint.bad_request_response.code

  missing_count.zero? && extra_count.zero?
end
# File lib/api-tester/modules/injection_module.rb, line 43
# Reports whether a response to an injected payload is one the contract
# accounts for.
#
# A 200 is always accepted; any other status is accepted only when
# check_error confirms it is the contract's bad-request response. Everything
# else is treated by the caller as a finding.
#
# @param response the HTTP response (needs #code)
# @param endpoint the contract endpoint handed on to check_error
# @return [Boolean] true when the response is expected behaviour
def self.check_response(response, endpoint)
  return true if response.code == 200

  check_error(response, endpoint)
end
# File lib/api-tester/modules/injection_module.rb, line 8
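# Runs the injection checks against every method of every endpoint in the
# contract.
#
# @param contract the API contract (needs #base_url and #endpoints; each
#   endpoint needs #methods)
# @return [Array] every report produced by inject_payload, in
#   endpoint-then-method order; empty when no endpoint produced a finding
def self.go(contract)
  # base_url does not change per endpoint, so read it once instead of per method.
  base_url = contract.base_url
  contract.endpoints.flat_map do |endpoint|
    endpoint.methods.flat_map { |method| inject_payload(base_url, endpoint, method) }
  end
end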
# File lib/api-tester/modules/injection_module.rb, line 18
# Sends each SQL-injection probe from InjectionVulnerabilityLibrary against
# every request field of one endpoint method and collects a report for each
# response the contract does not account for.
#
# For every field and probe the probe string is appended to the field's
# default value, the request payload is rebuilt with that value and sent with
# the request's default headers. Responses accepted by check_response (a 200,
# or the contract's bad-request response) are ignored; anything else becomes
# an InjectionReport tagged 'sql'.
#
# @param base_url [String] base URL the endpoint is called against
# @param endpoint the contract endpoint (needs #call and #url)
# @param method the endpoint method (needs #request with #fields,
#   #altered_payload and #default_headers)
# @return [Array<InjectionReport>] one report per unexpected response, in
#   field-then-probe order; empty when every response was expected
def self.inject_payload(base_url, endpoint, method)
  probes = InjectionVulnerabilityLibrary.sql_vulnerabilities

  method.request.fields.each_with_object([]) do |field, reports|
    probes.each do |probe|
      # The probe is appended to the field's normal value, so the rest of the
      # request stays exactly as the contract describes it.
      payload = method.request.altered_payload(field_name: field.name,
                                               value: "#{field.default_value}#{probe}")
      response = endpoint.call(base_url: base_url,
                               method: method,
                               payload: payload,
                               headers: method.request.default_headers)
      # Expected behaviour (200 or the documented error response) is not a finding.
      next if check_response(response, endpoint)

      reports << InjectionReport.new('sql', endpoint.url, payload, response)
    end
  end
end