Here's a basic plan. I'm happy to produce anything resembling success; it's a Uni project. Pseudo code is great.
1. Spider the site.
2. Search for forms on each page.
3. Submit each form without filling in the details to elicit a guaranteed fail.
4. Fill in the first field on the form with '-- .
5. Submit the form and compare the response to the fail (elicited by 3).
6. If the response (elicited by 5) is different from the fail, then assume vulnerability.
7. If it is the same (response = fail), then return to 4 but move to the next field.
8. If no more fields remain, move to another page.
...
However, 6. is clearly both the critical part of the application and wrong. For example, a page might respond like this:
    Error: '-- is not a valid user name.
where in stage 4. the response was:
    Error: is not a valid user name.
or:
    Error: username must be a minimum of 6 characters.
It seems like at (4), you want to try sending some benign values first so you can see what type of page is returned under normal conditions.
For example, generate a random three-letter "user name" and submit it. You'll probably get a response like "Error: bfw is not a valid user name". or "Error: username too short".
Once you've done that, you can send your string attempting SQL injection and see if the result is qualitatively different. So if you send '-- and get the same result as you did when you sent your random benign "username", it's probably not vulnerable. On the other hand, if you get a response back that's different and includes text like "Warning, you have an error in your SQL at line 1..." then it's probably vulnerable. (It doesn't have to spit out warnings for you to conclude it's vulnerable, though. Even a generic error page might indicate vulnerability if it's substantially different to the response you got from your benign data.)
"SQL Injection Attacks and Defense" by Justin Clarke offers a number of tests to discover and confirm SQL injection vulnerabilities; here's my summary of page 65.
Error triggering
"Send ' or '-- and expect to receive an error."
An error message or 500 server error indicates vulnerability. Responses tidily containing ' or '-- (as in user ' or '-- is not available with that password...) probably aren't vulnerable unless it's a stack trace.
Always true condition
"Send 1' or '1'='1 or 1') or ('1'='1 and expect to receive every entry in the database."
A site can be assumed to be vulnerable when the response code is 200 and the attack string is not received in the response. Pages containing the word 'error' or the attack string indicate resistance, as does a 500.
No condition
"Send value' or '1'='2 or value') or ('1'='2 and expect a vulnerable app to respond as though it had only received value."
Always false condition
"1' and '1'='2 or 1') and ('1'='2. If successful, it returns no rows from the table."
Microsoft SQL Server concatenation
"1' or 'ab'='a'+'b or 1') or ('ab'='a'+'b. If successful, it returns the same information as an always true condition"
MySQL concatenation
"1' or 'ab'='a' 'b or 1') or ('ab'='a' 'b. If successful, it returns the same information as an always true condition"
Oracle concatenation
"1' or 'ab'='a'||'b or 1') or ('ab'='a'||'b. If successful, it returns the same information as an always true condition"
Further examples are included throughout the book.
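Since the question asked for pseudo code, here is an added example (not from any of the answers above) of the comparison step in Python: it builds the benign baseline the first answer recommends, then applies the page-65 rules (error triggering, tidy reflection, always-true condition) to each probe. It works on in-memory (status, body) pairs, so the caller supplies the `submit` function for the form field; the DB_ERROR_RE fragments are an assumed list of typical leaked database error text.

```python
import random
import re
import string

# Database error fragments a leaked exception typically contains (assumed list).
DB_ERROR_RE = re.compile(
    r"(you have an error in your sql|sql syntax|unclosed quotation mark|"
    r"ora-\d{5}|pg_query|mysql_fetch|sqlite3?\.|syntax error)", re.I)

# Test strings taken from the page-65 summary above.
PAYLOADS = ["'--", "1' or '1'='1", "1') or ('1'='1"]

def normalise(body, value):
    """Swap the submitted value for a token so two bodies can be compared
    'modulo whatever the app echoed back'."""
    return re.sub(r"\s+", " ", body.replace(value, "<VALUE>")).strip().lower()

def classify(benign_value, baseline, payload, probe):
    """baseline/probe are (status, body) for benign_value and payload.
    Returns 'vulnerable', 'probably_not' or 'unclear'."""
    b_status, b_body = baseline
    p_status, p_body = probe
    # Error triggering: a 500 or a database error the benign value did not
    # cause means the quote reached the query.
    if p_status == 500 and b_status != 500:
        return "vulnerable"
    if DB_ERROR_RE.search(p_body) and not DB_ERROR_RE.search(b_body):
        return "vulnerable"
    # Tidy reflection: same page as the benign run with the payload echoed
    # where the benign value was, so the app treated it as plain data.
    if normalise(p_body, payload) == normalise(b_body, benign_value):
        return "probably_not"
    # Always-true condition: 200, payload not echoed, no 'error' text, and a
    # page that differs from the baseline (e.g. a listing of every row).
    if p_status == 200 and payload not in p_body and "error" not in p_body.lower():
        return "vulnerable"
    return "unclear"

def scan_field(submit):
    """submit(value) -> (status, body) for one form field (the caller supplies
    it). Establishes a benign baseline first, then runs each payload."""
    benign = "".join(random.choices(string.ascii_lowercase, k=8))
    baseline = submit(benign)
    return [(p, classify(benign, baseline, p, submit(p))) for p in PAYLOADS]
```

The "Error: username must be a minimum of 6 characters." case from the question lands in 'unclear', which is the honest answer for a page that differs from the baseline but still reads as a validation error.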
Related
I have an interface with a list of users and a possibility to add a new one. I want to assert that this user is new (i.e. its email is not already used). So I should check that we have no message pop-up.
    checkMailIsNotUsed: () =>
        Task.where('#actor checks mail present message is absent',
            Ensure.that(UsersList.messageArea, not(isVisible()))),
However, this message area could be visible but with an error message I don't expect. So I am looking for, in case the above Ensure fails, a way to ensure that the text does not include 'already exists'.
    Ensure.that(Text.of(UsersList.messageArea), not(includes('already exists')))
However if the first 'ensure' is false, everything stops. There is no 'or' or equivalent at the Ensure level. I need to do the second Ensure if first one fails.
How could I do that?
Thanks in advance.
In my E2E test, I'm using mail-listener2 to retrieve e-mails. It works fine, except for one issue which is driving me crazy and I just can't solve it... I have been searching and found different topics and issues regarding this library/package, but just couldn't really find the fix for that.
Following:
I use the function in more than one spec file (register, login, confirmation etc.), and this means that when retrieving the emails, I get from time to time the wrong one. In other words, the function reads the last e-mail in the Inbox which normally belongs to the first test.
Or sometimes the e-mail comes into the Inbox a little bit later than the function is reading them, so it reads the wrong one.
And as I do have an expectation in my it() function:
    expect(email.subject).toEqual("subject for e-mail 1");
    expect(email['headers'].to).toEqual( userEmail );
therefore the test breaks, and I get the following error:
- Expected 'user registration' to equal 'user confirmation'.
- Failed: Cannot read property '1' of null
- Expected 'john.doe@foo.de' to equal 'jane.doe@foo.com'.
- Failed: Cannot read property '1' of null
Is there a way to force the function to read just the specific email per subject and per user?
Yes, you can find this documented on node-imap (which is used by mail-listener2). Search for the paragraph/bullet on search within that package, here's a snippet to help you find it:
For criteria types that require arguments, use an array instead of just the string criteria type name (e.g. ['FROM', 'foo@bar.com']).
Below that, they list several other search criteria you can use, they have to/from for your user criteria, and subject for that one. So applying this to mail-listener2, you would use this in the searchFilter property:
    mailListener = new MailListener({
        ...(other options),
        searchFilter: [['FROM', 'automated@message.com'], ['SUBJECT', 'subject for e-mail 1']],
    });
And if you need different search criteria for different tests, you can start a new mail-listener session for each test with the new searchFilter criteria.
Is it possible to specify some kind of "OR" (alternative) clause in Cucumber?
I.e. if I have two valid responses to some event I would like my test to pass if either of them happens.
Something like that:
"When I press a button"
"Then I should see the text 'Boo'"
"Or I should see the text 'Foo'"
My particular scenario is a login screen. When I try to log in with some random password, I should see an error message "invalid password" if the server is working or a message "network error" if it is not.
You can't really define OR functionality using the Gherkin but you can pass in a list and check that one of the values in the list matches what was returned.
Define list:
Then the greeting service response will contain one of the following messages
|Hello how are you doing?|
|Welcome to the front door!|
|How has your day been?|
|Come right on in!|
Check list:
    @Then("the greeting service response will contain one of the following messages")
    public void text_matching_one_of_the_following(List<String> greetingMessages) {
        boolean success = false;
        // Pass as soon as any one of the listed messages matches the response
        for (String message : greetingMessages) {
            if (textMatchesResponse(message)) {
                success = true;
                break;
            }
        }
        assertTrue("response matched none of the expected messages", success);
    }
OR is not supported. You can use Given, When, Then, And and But. Please refer to http://docs.behat.org/en/v2.5/guides/1.gherkin.html
But perhaps you could make use of the But keyword to achieve what you are looking for.
I'm building a Node.js application on the express.js framework with CouchDB as a database. I'm utilizing CouchDB's session api for maintaining session state, and various databases for different sections of data.
On essentially every request my application code makes a request to Couch and then if there's an error (with Node) I can respond appropriately, by logging the error and redirecting to a 404 page or something like that. But if I get a CouchDB error, Node wouldn't consider it an error, it would consider that data. Now that's totally fine with me as long as CouchDB can only return this format:
    {
        "error": "illegal_database_name",
        "reason": "Only lowercase characters (a-z), digits (0-9), and any of the characters _, $, (, ), +, -, and / are allowed. Must begin with a letter."
    }
A JSON doc with two properties, error and reason. That's fine I can parse it and return the appropriate message; quite gracefully actually.
BUT! Is that all I can expect from CouchDB, or is there another way Couch might fail, that wouldn't yield a JSON doc with those two fields (properties)?
dscape's information of relying on the response codes is correct, and in most situations you will get an object with error and reason. The bulk-document errors are the only place I can think of where neither of these will be true. If just one document fails then you'll still get a 200, but you'll get the error/reason within the array element corresponding to the document that failed. See the docs for more info on that.
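An added example (not from the question or the answer, and not part of any CouchDB client) in Node.js that folds both cases into one check: a non-2xx status carrying the usual error/reason object (or something else entirely, such as a proxy's HTML page), and a bulk-document 2xx whose array elements carry error/reason for the documents that failed. The sample bodies are constructed.

```javascript
// Collect every error a CouchDB response may carry, so the caller can treat
// "Couch said no" uniformly instead of inspecting the body shape each time.
function couchErrors(statusCode, body) {
  const errors = [];
  // Case 1: non-2xx status. Couch normally sends {error, reason}; fall back to
  // a synthetic error if the body is not that shape (e.g. a proxy's HTML page).
  if (statusCode < 200 || statusCode >= 300) {
    if (body && typeof body === 'object' && typeof body.error === 'string') {
      errors.push({ index: null, error: body.error, reason: body.reason || '' });
    } else {
      errors.push({ index: null, error: 'http_' + statusCode, reason: String(body) });
    }
    return errors;
  }
  // Case 2: _bulk_docs answers 2xx with one element per document; the ones
  // that failed carry error/reason instead of ok/rev.
  if (Array.isArray(body)) {
    body.forEach((item, index) => {
      if (item && typeof item.error === 'string') {
        errors.push({ index, id: item.id, error: item.error, reason: item.reason || '' });
      }
    });
  }
  return errors;
}

// Constructed sample responses, shaped like the ones Couch sends.
const BAD_NAME = {
  error: 'illegal_database_name',
  reason: 'Only lowercase characters (a-z), digits (0-9), and any of the characters _, $, (, ), +, -, and / are allowed. Must begin with a letter.',
};
const BULK = [
  { ok: true, id: 'doc-1', rev: '1-constructed' },
  { id: 'doc-2', error: 'conflict', reason: 'Document update conflict.' },
];
```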
This is a multi faceted question, but any help is appreciated
Background:
I have an Application Definition with 6 entities using SSO
The database back end is Firebird through ODBC
All the data is coming from stored procedures
Questions:
1. While trying to implement one or any of the entities from the BDC in a Business Data List web part I get the following error: "An error occurred while retrieving data from . Administrators, see the server log for more information." It only happens when I have fields that are null, in this instance a field that was declared as a string.
2.When I check the logs, it's a System.OverFlowException.
3.If I change it so the output from the procedure is a blank string, I suddenly get "The title property of entity is set to an invalid value"
4.The error from the logs after changing to a blank string is "Exception handed to HandleXslException.HandleException System.ArgumentException: '.', hexadecimal value 0x00, is an invalid character"
What gives? It worked last night without issue until a record appeared that had a null value in one of the string fields. Now, even replacing the null value with something generic is still giving me the title property invalid error.
Most puzzling: If I change the query so that the rows with what would be a null or blank string aren't in the query, the error goes away. But, if I add them back and replace the null string with anything, the error comes back. What the !##$? How does it know I've replaced a null value with something else before the records are returned to the XmlReader?
I've run into this exact scenario and it brought back some angry/confused moments. As you said in your comment:
I set the encoding to be unicode on all varchar and char outputs and it fixed it. The lack of encoding caused there to be null characters (not a null record, but one null character) for that column and Sharepoint could not parse the field. Changed the encoding, and everything works.
It took me a couple days of swearing at the computer before we took it down to the metal and discovered the unicode issue. I don't even know when it changed but we realized the same thing and all was right with the world again.