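"""
VoiceForge Security Test Suite

Automated penetration testing scripts for OWASP Top 10 vulnerabilities.

Usage:
    python security_tests.py --base-url http://localhost:8000

IMPORTANT: Only run against test/dev environments you own!
"""

import argparse
import json
import re
from typing import Any, Dict, List, Tuple

import requests


# Substrings whose presence in a response body suggests that a database error
# message was leaked to the client. They are compared against the lower-cased
# body, so every entry must itself be lower case: the earlier mixed-case
# "ORA-" / "ODBC" entries could never match and were silently dead.
DB_ERROR_MARKERS: Tuple[str, ...] = (
    "sql",
    "syntax",
    "query",
    "sqlite",
    "mysql",
    "postgres",
    "ora-",
    "odbc",
    "exception",
)


class SecurityTester:
    """Automated security testing for VoiceForge API.

    Each ``test_*`` method sends requests to the configured base URL and
    records its verdict in ``results`` through ``log_result``. A shared
    ``requests.Session`` is used so cookies/keep-alive persist across tests.
    """

    def __init__(self, base_url: str):
        """Create a tester bound to ``base_url`` (trailing slashes stripped)."""
        self.base_url = base_url.rstrip('/')
        # One dict per logged verdict: {"test", "passed", "details"}.
        self.results: List[Dict[str, Any]] = []
        self.session = requests.Session()

    def log_result(self, test_name: str, passed: bool, details: str) -> None:
        """Print a PASS/FAIL line for ``test_name`` and append it to ``results``.

        ``details`` is only echoed to stdout for failures but is always stored,
        so a later report can show why a test passed as well.
        """
        # The original status markers were mojibake ("āœ…"/"āŒ"); these are the
        # intended check-mark / cross-mark glyphs.
        status = "✅ PASS" if passed else "❌ FAIL"
        print(f"{status}: {test_name}")
        if not passed:
            print(f" Details: {details}")
        self.results.append({
            "test": test_name,
            "passed": passed,
            "details": details,
        })

    @staticmethod
    def _leaks_db_error(body: str) -> bool:
        """Return True if ``body`` contains any marker from ``DB_ERROR_MARKERS``.

        The comparison is case-insensitive; ``body`` is lower-cased once here
        rather than per marker.
        """
        lowered = body.lower()
        return any(marker in lowered for marker in DB_ERROR_MARKERS)

    # =========================================================================
    # INJECTION TESTS (OWASP A03:2021)
    # =========================================================================

    def test_sql_injection(self) -> None:
        """Probe the login endpoint for leaked database error messages.

        Every payload is sent as both ``email`` and ``password`` to
        ``/api/v1/auth/login``. The first response whose body contains a
        database error marker fails the test immediately.

        Transport failures (connection refused, timeout) are counted instead of
        being swallowed: if any request raised, the verdict is logged as not
        passed and marked inconclusive. Previously an unreachable server made
        every request raise and the test still reported PASS, which is a
        false negative a security suite must not produce.
        """
        print("\n[1] SQL Injection Tests")
        print("-" * 40)

        payloads = [
            "' OR '1'='1",
            "'; DROP TABLE users;--",
            "1' UNION SELECT * FROM users--",
            "admin'--",
            "1; SELECT * FROM users WHERE '1'='1",
        ]

        failed_requests = 0
        # Test login endpoint
        for payload in payloads:
            try:
                response = self.session.post(
                    f"{self.base_url}/api/v1/auth/login",
                    json={"email": payload, "password": payload},
                    timeout=5,
                )
            except requests.exceptions.RequestException:
                failed_requests += 1
                continue

            # Check for SQL error messages (bad sign if exposed)
            if self._leaks_db_error(response.text):
                self.log_result(
                    f"SQL Injection ({payload[:20]}...)",
                    False,
                    "Database error message leaked in response",
                )
                return

        if failed_requests:
            self.log_result(
                "SQL Injection",
                False,
                f"Inconclusive: {failed_requests} of {len(payloads)} requests "
                "raised a connection/timeout error",
            )
            return

        self.log_result("SQL Injection", True, "No SQL errors leaked")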
test_xss_injection(self): """Test for Cross-Site Scripting vulnerabilities.""" print("\n[2] XSS Injection Tests") print("-" * 40) payloads = [ "", "", "javascript:alert('XSS')", "", "{{7*7}}", # Template injection ] for payload in payloads: try: # Test text input (TTS endpoint) response = self.session.post( f"{self.base_url}/api/v1/tts/synthesize", json={"text": payload, "voice": "en-US-JennyNeural"}, timeout=10 ) # Check if payload is reflected without encoding if payload in response.text and "