1 thanos
Author: Tasdik Rahman
2 About
A little taste of what can happen when you format user-supplied arguments straight into your query strings.
We will be using a GUI as the interface between the user and the database, try out different vulnerable strings, and see if we can access the database.
NOTE:
Vulnerabilities (demo) | Mitigated version
thanos/vulnerable      | thanos/input-validation
2.1 Plan of action
- [✓] Test for SQL Injection vulnerabilities
- [✓] Test for Input validation techniques
- [✓] Suggest fixes to the vulnerabilities found (if any)
- [✓] Making the GUI using tkinter
- [ ] Writing testcases
2.2 Mitigation techniques
- [✓] Validating the email entered by using a custom regex
- [✓] Replacing the SQL constructs built from formatted query strings in the code with the pythonic API
3 DEMO
NOTE: This is the secure version of the demo. Refer to the vulnerable one here.
The database has the following user credentials in it:
tasdik at Acer in ~/Dropbox/projects/thanos on input-validation
$ sqlite3 sare_log.db
-- Loading resources from /home/tasdik/.sqliterc
SQLite version 3.9.2 2015-11-02 18:31:45
Enter ".help" for usage hints.
sqlite> select * from users;
email name serial_no password
--------------- ---------- ---------- ----------
[email protected] Admin 1 admin123
[email protected] bar 2 foo123
[email protected] doe 3 john123
sqlite>
This is what you see when you enter correct user credentials that exist in the database.
If wrong user details are entered, notice that the SQL statements don't get executed.
SQL injection anybody?
The threat was mitigated as the malicious SQL query was not executed
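The two login checks the demo contrasts, as an added example (not the project's own code), run against an in-memory copy of the users table shown above. The e-mail addresses, the e-mail regex and the function names are assumptions; the injected string is a constructed textbook tautology used only to show why the mitigated check never executes it.

```python
import re
import sqlite3

# Constructed sample rows mirroring the users table in the demo output;
# the e-mail addresses are placeholders, not the project's real data.
SAMPLE_USERS = [
    ("admin@example.com", "Admin", 1, "admin123"),
    ("bar@example.com", "bar", 2, "foo123"),
    ("doe@example.com", "doe", 3, "john123"),
]

# Assumed allow-list pattern for e-mails; the project's own regex is not shown.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db():
    """In-memory SQLite database with the same columns as sare_log.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT, serial_no INTEGER, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, email, password):
    """thanos/vulnerable style: user input is formatted into the query string,
    so quotes in the input become part of the SQL and can change its logic."""
    query = "SELECT name FROM users WHERE email = '%s' AND password = '%s'" % (email, password)
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_mitigated(conn, email, password):
    """thanos/input-validation style: reject anything that is not a plausible
    e-mail up front, then let sqlite3 bind both values as data through '?'."""
    if not EMAIL_RE.match(email):
        return None  # malformed input never reaches the database
    row = conn.execute(
        "SELECT name FROM users WHERE email = ? AND password = ?", (email, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed: makes the formatted WHERE clause always true
    print("vulnerable:", login_vulnerable(db, tautology, tautology))  # a user name
    print("mitigated: ", login_mitigated(db, tautology, tautology))   # None
```

Even when the regex is satisfied (a real e-mail with a quote-laden password), the bound `?` parameters keep the password as a compared value rather than SQL text.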
4 Running it
Urm. So how do I run it?
4.1 Installing the dependencies
I prefer to use virtual environments for keeping the global python interpreter clutter-free, but you are free to do a system-wide install of the dependencies.
You should have `make` installed on your system.
$ git clone https://github.com/prodicus/thanos && cd thanos
$ make install
If `make install` gives you an error, try this:
$ pip install -r requirements.txt
4.2 Running it!
$ make run
Cleaning it up
$ make clean
4.3 When in doubt
$ make help
5 FAQ
5.1 Okay, But what does it do?
- So there's this database called sare_log.db (which translates to all_people in English). We have some users' details stored inside this database.
- We try to exploit the database, testing for some common vulnerabilities like
  - SQL injection
  - input validation
- More to come
5.2 Will I be able to run it on my PC?
I have tested this on Mac and Linux-based systems so far.
5.3 What's with the name?
Nothing! It's just that I read a lot of Marvel comics.
5.4 The code looks messy!
Well, so does your mom!
Jokes apart. As I said, this is still a work in progress.
6 Contributing
Refer to CONTRIBUTING.rst
6.1 Issues
This project is still a work in progress, so feel free to make a PR or give suggestions by creating an issue.
6.2 Contributors
7 Legal Stuff
Built and maintained by Tasdik Rahman, released under the MIT License. See the bundled LICENSE file for more details.