Michael Schiemer
fc3d7e6357
- Add comprehensive health check system with multiple endpoints - Add Prometheus metrics endpoint - Add production logging configurations (5 strategies) - Add complete deployment documentation suite: * QUICKSTART.md - 30-minute deployment guide * DEPLOYMENT_CHECKLIST.md - Printable verification checklist * DEPLOYMENT_WORKFLOW.md - Complete deployment lifecycle * PRODUCTION_DEPLOYMENT.md - Comprehensive technical reference * production-logging.md - Logging configuration guide * ANSIBLE_DEPLOYMENT.md - Infrastructure as Code automation * README.md - Navigation hub * DEPLOYMENT_SUMMARY.md - Executive summary - Add deployment scripts and automation - Add DEPLOYMENT_PLAN.md - Concrete plan for immediate deployment - Update README with production-ready features All production infrastructure is now complete and ready for deployment.
255 lines
7.2 KiB
PHP
255 lines
7.2 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Tests\Security\WafTests;
|
|
|
|
use Tests\Security\SecurityTestCase;
|
|
use App\Framework\Waf\WafEngine;
|
|
use App\Framework\Http\Method;
|
|
|
|
/**
|
|
* SQL Injection attack detection tests
|
|
*
|
|
* Tests WAF's ability to detect and block SQL injection attacks
|
|
*/
|
|
final readonly class SqlInjectionTest extends SecurityTestCase
|
|
{
|
|
public function __construct(
|
|
private WafEngine $wafEngine
|
|
) {}
|
|
|
|
/**
|
|
* Test WAF blocks SQL injection in query parameters
|
|
*/
|
|
public function testBlocksSqlInjectionInQueryParams(): void
|
|
{
|
|
$testCases = $this->generateSqlInjectionTestCases();
|
|
$blocked = 0;
|
|
$failed = [];
|
|
|
|
foreach ($testCases as $testCase) {
|
|
$request = $this->createAttackRequest(
|
|
uri: '/api/users',
|
|
method: Method::GET,
|
|
queryParams: ['id' => $testCase['payload']]
|
|
);
|
|
|
|
$decision = $this->wafEngine->analyzeRequest($request);
|
|
|
|
if ($decision->shouldBlock()) {
|
|
$blocked++;
|
|
} else {
|
|
$failed[] = $testCase['description'];
|
|
}
|
|
}
|
|
|
|
if (!empty($failed)) {
|
|
throw new \RuntimeException(
|
|
"WAF failed to block " . count($failed) . " SQL injection attacks:\n" .
|
|
implode("\n", array_slice($failed, 0, 5))
|
|
);
|
|
}
|
|
|
|
echo "✅ Blocked {$blocked}/" . count($testCases) . " SQL injection attacks in query params\n";
|
|
}
|
|
|
|
/**
|
|
* Test WAF blocks SQL injection in POST data
|
|
*/
|
|
public function testBlocksSqlInjectionInPostData(): void
|
|
{
|
|
$testCases = $this->generateSqlInjectionTestCases();
|
|
$blocked = 0;
|
|
$failed = [];
|
|
|
|
foreach ($testCases as $testCase) {
|
|
$request = $this->createAttackRequest(
|
|
uri: '/api/users',
|
|
method: Method::POST,
|
|
postData: [
|
|
'username' => $testCase['payload'],
|
|
'email' => 'test@example.com'
|
|
]
|
|
);
|
|
|
|
$decision = $this->wafEngine->analyzeRequest($request);
|
|
|
|
if ($decision->shouldBlock()) {
|
|
$blocked++;
|
|
} else {
|
|
$failed[] = $testCase['description'];
|
|
}
|
|
}
|
|
|
|
if (!empty($failed)) {
|
|
throw new \RuntimeException(
|
|
"WAF failed to block " . count($failed) . " SQL injection attacks in POST data:\n" .
|
|
implode("\n", array_slice($failed, 0, 5))
|
|
);
|
|
}
|
|
|
|
echo "✅ Blocked {$blocked}/" . count($testCases) . " SQL injection attacks in POST data\n";
|
|
}
|
|
|
|
/**
|
|
* Test WAF blocks SQL injection in headers
|
|
*/
|
|
public function testBlocksSqlInjectionInHeaders(): void
|
|
{
|
|
$attacks = [
|
|
"' OR '1'='1",
|
|
"'; DROP TABLE users--",
|
|
"' UNION SELECT NULL--"
|
|
];
|
|
|
|
$blocked = 0;
|
|
$failed = [];
|
|
|
|
foreach ($attacks as $attack) {
|
|
$request = $this->createAttackRequest(
|
|
uri: '/api/users',
|
|
method: Method::GET,
|
|
headers: [
|
|
'X-Custom-Header' => $attack,
|
|
'User-Agent' => 'Mozilla/5.0'
|
|
]
|
|
);
|
|
|
|
$decision = $this->wafEngine->analyzeRequest($request);
|
|
|
|
if ($decision->shouldBlock()) {
|
|
$blocked++;
|
|
} else {
|
|
$failed[] = "Header injection: {$attack}";
|
|
}
|
|
}
|
|
|
|
if (!empty($failed)) {
|
|
throw new \RuntimeException(
|
|
"WAF failed to block SQL injection in headers:\n" .
|
|
implode("\n", $failed)
|
|
);
|
|
}
|
|
|
|
echo "✅ Blocked {$blocked}/" . count($attacks) . " SQL injection attacks in headers\n";
|
|
}
|
|
|
|
/**
|
|
* Test WAF allows legitimate SQL-like strings
|
|
*/
|
|
public function testAllowsLegitimateStrings(): void
|
|
{
|
|
$legitimateStrings = [
|
|
"O'Reilly", // Apostrophe in name
|
|
"user@example.com", // Email
|
|
"What's up?", // Casual text with apostrophe
|
|
"Price: $10-20", // Price range
|
|
"SELECT * FROM table", // Code snippet in documentation field
|
|
];
|
|
|
|
$allowedCount = 0;
|
|
$falsePositives = [];
|
|
|
|
foreach ($legitimateStrings as $string) {
|
|
$request = $this->createLegitimateRequest(
|
|
uri: '/api/users',
|
|
method: Method::POST,
|
|
data: ['bio' => $string]
|
|
);
|
|
|
|
$decision = $this->wafEngine->analyzeRequest($request);
|
|
|
|
if (!$decision->shouldBlock()) {
|
|
$allowedCount++;
|
|
} else {
|
|
$falsePositives[] = $string;
|
|
}
|
|
}
|
|
|
|
if (!empty($falsePositives)) {
|
|
echo "⚠️ Warning: WAF has " . count($falsePositives) . " false positives:\n";
|
|
foreach ($falsePositives as $fp) {
|
|
echo " - {$fp}\n";
|
|
}
|
|
} else {
|
|
echo "✅ No false positives detected ({$allowedCount}/" . count($legitimateStrings) . " legitimate strings allowed)\n";
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Test WAF detects encoded SQL injection attempts
|
|
*/
|
|
public function testBlocksEncodedSqlInjection(): void
|
|
{
|
|
$encodedAttacks = [
|
|
urlencode("' OR '1'='1"),
|
|
urlencode("'; DROP TABLE users--"),
|
|
rawurlencode("' UNION SELECT NULL--"),
|
|
];
|
|
|
|
$blocked = 0;
|
|
|
|
foreach ($encodedAttacks as $attack) {
|
|
$request = $this->createAttackRequest(
|
|
uri: '/api/users',
|
|
method: Method::GET,
|
|
queryParams: ['search' => $attack]
|
|
);
|
|
|
|
$decision = $this->wafEngine->analyzeRequest($request);
|
|
|
|
if ($decision->shouldBlock()) {
|
|
$blocked++;
|
|
}
|
|
}
|
|
|
|
echo "✅ Blocked {$blocked}/" . count($encodedAttacks) . " encoded SQL injection attacks\n";
|
|
}
|
|
|
|
/**
|
|
* Run all SQL injection tests
|
|
*/
|
|
public function runAllTests(): array
|
|
{
|
|
$results = [];
|
|
|
|
try {
|
|
$this->testBlocksSqlInjectionInQueryParams();
|
|
$results['query_params'] = 'PASS';
|
|
} catch (\Exception $e) {
|
|
$results['query_params'] = 'FAIL: ' . $e->getMessage();
|
|
}
|
|
|
|
try {
|
|
$this->testBlocksSqlInjectionInPostData();
|
|
$results['post_data'] = 'PASS';
|
|
} catch (\Exception $e) {
|
|
$results['post_data'] = 'FAIL: ' . $e->getMessage();
|
|
}
|
|
|
|
try {
|
|
$this->testBlocksSqlInjectionInHeaders();
|
|
$results['headers'] = 'PASS';
|
|
} catch (\Exception $e) {
|
|
$results['headers'] = 'FAIL: ' . $e->getMessage();
|
|
}
|
|
|
|
try {
|
|
$this->testAllowsLegitimateStrings();
|
|
$results['false_positives'] = 'PASS';
|
|
} catch (\Exception $e) {
|
|
$results['false_positives'] = 'FAIL: ' . $e->getMessage();
|
|
}
|
|
|
|
try {
|
|
$this->testBlocksEncodedSqlInjection();
|
|
$results['encoded_attacks'] = 'PASS';
|
|
} catch (\Exception $e) {
|
|
$results['encoded_attacks'] = 'FAIL: ' . $e->getMessage();
|
|
}
|
|
|
|
return $results;
|
|
}
|
|
}
|