Testing the Server Endpoints
This document describes the testing of the server endpoints.
We performed penetration testing of the server-side application using sqlmap. To use sqlmap we had to collect the list of endpoints, configure sqlmap, and perform the attacks.
Requests made to the server side might contain user-defined input in three places:
- In the URI as a path variable. An example is the `GET /caff/{id}` URI, which returns the data of the CAFF with the user-supplied id.
- In the URI as query parameters. GET requests might have query parameters, mainly to configure search criteria or pagination. An example is the `GET /caff?pageSize=100&offset=0` query, which lists all CAFFs paginated.
- In the body of the request. The API receives information in POST and PUT requests with `multipart/form-data` encoding. An example is the `POST /caff` endpoint, which creates a CAFF.
Unfortunately, sqlmap does not support `multipart/form-data` requests out of the box. However, it is able to process request files, which can contain arbitrary raw HTTP requests. Combining this feature with the feature of marking arbitrary injection points, we were able to generate request files for our endpoints that mark the possible injection points in the application.
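The following script is an added example (not the project's own tooling) of how such request files can be generated. It assumes sqlmap's documented behaviour that `-r <file>` loads a raw HTTP request and that a `*` placed inside the request marks a custom injection point. The hostname, bearer token and id used here are constructed placeholders that must be replaced for a real testing environment, exactly as the note below the table says.

```python
"""Generate sqlmap request files for multipart/form-data and path-variable endpoints.

Added example, not part of the original documentation. Assumes sqlmap's
`-r <file>` raw-request loading and its `*` custom injection marker.
All hostnames, tokens and ids are constructed placeholders.
"""
from typing import Iterable, List, Optional, Tuple

INJECT = "*"  # sqlmap's custom injection point marker

# (field name, field value, mark this field as an injection point?)
Field = Tuple[str, str, bool]


def multipart_body(fields: Iterable[Field], boundary: str) -> str:
    """Encode form fields as multipart/form-data, appending the marker
    to every value flagged for injection."""
    parts: List[str] = []
    for name, value, inject in fields:
        parts.append(f"--{boundary}")
        parts.append(f'Content-Disposition: form-data; name="{name}"')
        parts.append("")  # blank line separates part headers from the value
        parts.append(value + (INJECT if inject else ""))
    parts.append(f"--{boundary}--")
    return "\r\n".join(parts) + "\r\n"


def request_file(method: str, path: str, host: str, token: str,
                 fields: Optional[Iterable[Field]] = None,
                 boundary: str = "----sqlmapBoundary") -> str:
    """Build the raw HTTP request text that sqlmap reads with -r.

    `path` may already contain a marker (e.g. "/caff/1*") to test a
    path variable; `fields` builds a multipart body for POST/PUT."""
    lines = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host}",
        f"Authorization: Bearer {token}",  # placeholder token, replace per environment
    ]
    body = ""
    if fields is not None:
        body = multipart_body(fields, boundary)
        lines.append(f"Content-Type: multipart/form-data; boundary={boundary}")
        # Content-Length is computed from the encoded body, so the marker
        # characters are counted and the request stays well-formed.
        lines.append(f"Content-Length: {len(body.encode('utf-8'))}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def count_markers(request: str) -> int:
    """Sanity check before running sqlmap: how many injection points are
    marked. A request with zero markers would be tested only at its
    default parameters, which is not what we intend here."""
    return request.count(INJECT)


if __name__ == "__main__":
    # Constructed sample: POST /caff with two form fields marked for injection.
    create = request_file(
        "POST", "/caff", "api.example.test", "REPLACE_WITH_BEARER_TOKEN",
        fields=[("name", "sample", True), ("description", "a sample caff", True)],
    )
    # Constructed sample: GET /caff/{id} with the path variable marked.
    fetch = request_file("GET", "/caff/1*", "api.example.test",
                         "REPLACE_WITH_BEARER_TOKEN")
    print(create)
    print(f"{count_markers(create)} injection points marked in POST /caff")
    print(fetch)
    print(f"{count_markers(fetch)} injection point marked in GET /caff/{{id}}")
```

Each generated string is written to its own file and passed to sqlmap with `-r`; `count_markers` is a cheap check that the file actually carries the intended injection points before a run is started.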
The results of the penetration testing can be seen in the table below. Please note that these request files contain bearer tokens and ids that need to be replaced in a new testing environment!
| Endpoint | Request file | Vulnerable to SQL injection |
|---|---|---|
| POST /auth/login | file | NO |
| POST /auth/register | file | NO |
| POST /auth/passwordReset | file | NO |
| GET /user | file | NO |
| POST /user | file | NO |
| GET /user/{id} | file | NO |
| PUT /user/{id} | file | NO |
| DELETE /user/{id} | file | NO |
| GET /caff | file | NO |
| GET /caff/{id} | file | NO |
| GET /caff/{id}/download | file | NO |
| GET /caff/{id}/preview | file | NO |
| PUT /caff/{id} | file | NO |
| DELETE /caff/{id} | file | NO |
| GET /caff/{id}/comment | file | NO |
| POST /caff/{id}/comment | file | NO |
| GET /caff/{id}/comment/{id} | file | NO |
| PUT /caff/{id}/comment/{id} | file | NO |
| DELETE /caff/{id}/comment/{id} | file | NO |
As can be seen, sqlmap did not find any endpoints susceptible to SQL injection attacks.
© Grotesque Gecko, 2020