Doc/Injection Test Audit #36
- Injection Test report
❌ Deploy Preview for ontrackdocumentation failed.
- Added command-line options for easier customization
- Changed all hardcoded URLs to use the variables defined at the top of the script
- Updated curl commands to use `$TARGET_URL` instead of hardcoded URLs
ibi420
left a comment
Iris, upon reviewing your recent submission, I confirm the successful integration of my suggestion. Your work is commendable. Thank you for the opportunity to provide feedback.
atharv02-git
left a comment
Hi @theiris6, I just finished running your test-sql-injection.sh script against my local OnTrack instance, and here's my review:
What I tested:
- Checked endpoint reachability using curl
  I confirmed that the /api/auth endpoint is active and correctly rejects unsupported methods. I got a 405 Not Allowed, which is expected for a GET request.

- Ran the full SQL Injection test script
  - Valid credentials worked correctly; received an auth token.
  - All 6 injection attempts on both the username and password fields were properly blocked with 401 responses.
  - Error messages were sanitized, and no sensitive info was leaked.
  - Nikto scan was skipped on my end (not installed), but the manual tests gave high confidence.

Improvement:
I also noticed that you’ve taken Ibi’s earlier feedback into account and updated the script to remove hardcoded values, replacing them with variables, a config file, and CLI flags. That’s a great touch and makes the script much more reusable and developer-friendly.
Overall, this is a really well-done PR. Your documentation is clear, and the script is really functional, flexible and easy to use. Happy to approve this! 🫡

Description
This PR adds a comprehensive SQL Injection vulnerability assessment to the security documentation section. It includes a detailed report outlining the vulnerability, test methodologies, results, and recommended actions, along with an automated test script for future security checks.
The assessment found that the application successfully blocks all common SQL injection attack patterns, with all test cases returning appropriate error codes and sanitized error messages. The Nikto security scanner detected no SQL injection vulnerabilities. Some HTTP security headers improvements were identified as potential enhancements.
Fixes # (issue)
Type of change
How Has This Been Tested?
The test-sql-injection.sh script performs the following tests:
1. Baseline Authentication Verification
2. Username Field SQL Injection Tests
3. Password Field SQL Injection Tests
4. Nikto Security Scan
Testing Checklist
Checklist
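As an added example (not the PR's own `test-sql-injection.sh`), the following POSIX shell harness walks through steps 1 to 3 of the procedure above: a baseline login with valid credentials, then each injection-shaped string in the username field and in the password field, judging every response on two defender-side criteria the reviewers checked by hand, namely that the attempt is rejected with 400/401 (the PR observed 401) and that the error body does not leak database internals. `TARGET_URL` and the `/api/auth` endpoint come from the PR discussion; the `localhost:3000` default, the JSON field names `username`/`password`, the test account, the `token` string expected in a successful login body, and the four-entry payload list are all assumptions made for this example.

```shell
#!/bin/sh
# Added example harness; not the PR's own test-sql-injection.sh.
# Checks that a login endpoint (1) rejects SQL-injection-shaped input with
# 400/401 and (2) returns an error body free of database internals.
# TARGET_URL and /api/auth are from the PR; the defaults, JSON field names,
# test account and payload list below are assumptions.
set -u

TARGET_URL="${TARGET_URL:-http://localhost:3000}"   # assumed default
AUTH_PATH="/api/auth"
VALID_USER="${VALID_USER:-alice}"                   # assumed local test account
VALID_PASS="${VALID_PASS:-correct-horse}"           # assumed; override via environment
NL='
'

# Constructed payload list (the PR's script tries six per field; four shown here).
PAYLOADS="' OR '1'='1
admin'--
' OR 1=1--
') OR ('1'='1"

# Escape a string for use inside a JSON string literal.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the login request body; single quotes need no escaping in JSON.
json_body() {
  printf '{"username":"%s","password":"%s"}' "$(json_escape "$1")" "$(json_escape "$2")"
}

# A login attempt counts as blocked when the server answers 400 or 401.
is_blocked() {
  case "$1" in 400|401) return 0 ;; *) return 1 ;; esac
}

# True when a response body carries database/SQL error text that should never reach clients.
leaks_db_error() {
  printf '%s' "$1" | grep -Eiq 'syntax error|sql|postgres|pg::|activerecord|relation .* does not exist'
}

# Judge one response: prints PASS/FAIL with a reason, returns 0 only on PASS.
assess_response() {
  status=$1 body=$2
  if ! is_blocked "$status"; then
    echo "FAIL status=$status (expected 400/401; a 2xx means the input was accepted)"; return 1
  fi
  if leaks_db_error "$body"; then
    echo "FAIL status=$status but the error body leaks database details"; return 1
  fi
  echo "PASS status=$status"
}

# POST one login attempt and set STATUS/BODY. Needs a running instance at $TARGET_URL.
auth_request() {
  resp=$(curl -s -X POST -H 'Content-Type: application/json' \
         -d "$(json_body "$1" "$2")" -w "${NL}%{http_code}" "$TARGET_URL$AUTH_PATH")
  STATUS=${resp##*"$NL"}
  BODY=${resp%"$NL"*}
}

# Steps 1-3 of the PR's procedure: baseline login, then each payload in each field.
run_tests() {
  failures=0
  auth_request "$VALID_USER" "$VALID_PASS"
  if [ "$STATUS" = 200 ] && printf '%s' "$BODY" | grep -q token; then
    echo "baseline: PASS (valid credentials accepted)"
  else
    echo "baseline: FAIL status=$STATUS"; failures=$((failures + 1))
  fi
  for field in username password; do
    while IFS= read -r p; do
      [ -n "$p" ] || continue
      if [ "$field" = username ]; then
        auth_request "$p" "wrong-password"
      else
        auth_request "$VALID_USER" "$p"
      fi
      printf '%s field, payload %-16s : ' "$field" "$p"
      assess_response "$STATUS" "$BODY" || failures=$((failures + 1))
    done <<EOF
$PAYLOADS
EOF
  done
  echo "$failures failing checks"
  [ "$failures" -eq 0 ]
}

# Only hit the network when asked, so the functions can be sourced and checked offline.
if [ "${RUN_SQLI_TESTS:-0}" = 1 ]; then
  run_tests
fi
```

Run it with `RUN_SQLI_TESTS=1 TARGET_URL=http://localhost:3000 sh harness.sh` against a local instance; the exit status is non-zero if any attempt was accepted or any error body matched the leak patterns, which makes the script usable as a CI gate. The leak pattern list is deliberately broad: a 401 with a framework exception name in the body still counts as a failure, because the reviewers' "error messages were sanitized" check is a separate property from "the login was refused".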