"""Tests for the Analyzer module."""
import pytest
from intelliscan.modules.analyzer import Analyzer
def test_sqli_detection_dump(sample_injection_results):
analyzer = Analyzer([sample_injection_results[0]])
results = analyzer.run()
assert len(results) == 1
r = results[0]
assert r.label == "VULNERABLE"
assert r.severity == "HIGH"
assert "Data dump" in r.reason
def test_sqli_no_vulnerability(sample_injection_results):
analyzer = Analyzer([sample_injection_results[1]])
results = analyzer.run()
assert results[0].label == "NOT_VULNERABLE"
def test_baseline_suppresses_form_label_false_positive():
"""Dump signatures present in the benign baseline (e.g. the 'Username:' /
'Password:' form labels) must not be counted as an injected data dump."""
page = (
"
"
"Username and/or password incorrect."
)
entry = {
"target_url": "http://localhost:8080/vulnerabilities/brute/",
"method": "GET",
"vuln_type": "sqli",
"param": "username",
"payload": "' OR '1'='1",
"status_code": 200,
"response_len": len(page),
"response_body": page, # identical to baseline — no extra rows leaked
}
baselines = {"http://localhost:8080/vulnerabilities/brute/": page}
results = Analyzer([entry], baselines=baselines).run()
assert results[0].label == "NOT_VULNERABLE"
def test_baseline_still_flags_real_dump():
"""Rows leaked beyond the baseline are still detected as a dump."""
baseline = "" # one label in chrome
dumped = baseline + "First name: admin First name: gordon First name: pablo"
entry = {
"target_url": "http://localhost:8080/vulnerabilities/sqli/",
"method": "GET",
"vuln_type": "sqli",
"param": "id",
"payload": "' OR '1'='1",
"status_code": 200,
"response_len": len(dumped),
"response_body": dumped,
}
baselines = {"http://localhost:8080/vulnerabilities/sqli/": baseline}
results = Analyzer([entry], baselines=baselines).run()
assert results[0].label == "VULNERABLE"
assert "Data dump" in results[0].reason
def test_reflected_union_payload_not_a_dump():
"""A page that reflects a UNION payload verbatim (e.g. the stored-XSS
guestbook) must not be flagged as a SQLi data dump just because the payload
text itself contains 'information_schema'."""
payload = "' UNION SELECT null,table_name FROM information_schema.tables-- -"
# guestbook echoes the stored message twice (message list + retained input)
page = f"Message: {payload}
"
entry = {
"target_url": "http://localhost:8080/vulnerabilities/xss_s/",
"method": "POST",
"vuln_type": "sqli",
"param": "mtxMessage",
"payload": payload,
"status_code": 200,
"response_len": len(page),
"response_body": page,
}
baselines = {"http://localhost:8080/vulnerabilities/xss_s/": ""}
results = Analyzer([entry], baselines=baselines).run()
assert results[0].label == "NOT_VULNERABLE"
def test_sqli_mysql_error_detection():
"""MySQL error message triggers VULNERABLE classification."""
entry = {
"target_url": "http://example.com/page",
"method": "GET",
"vuln_type": "sqli",
"param": "id",
"payload": "' OR '1'='1",
"status_code": 500,
"response_len": 900,
"response_body": "You have an error in your SQL syntax near ''1'='1'",
}
results = Analyzer([entry]).run()
assert results[0].label == "VULNERABLE"
assert "sql error" in results[0].reason.lower()
def test_sqli_mssql_error_detection():
"""MSSQL 'Incorrect syntax near' triggers VULNERABLE classification."""
entry = {
"target_url": "http://example.com/page",
"method": "GET",
"vuln_type": "sqli",
"param": "q",
"payload": "' OR 1=1--",
"status_code": 500,
"response_len": 600,
"response_body": "Incorrect syntax near 'OR'. Unclosed quotation mark.",
}
results = Analyzer([entry]).run()
assert results[0].label == "VULNERABLE"
def test_sqli_postgres_error_detection():
"""PostgreSQL syntax error triggers VULNERABLE classification."""
entry = {
"target_url": "http://example.com/search",
"method": "GET",
"vuln_type": "sqli",
"param": "q",
"payload": "' UNION SELECT 1--",
"status_code": 500,
"response_len": 700,
"response_body": 'pg_query(): Query failed: ERROR: syntax error at or near "UNION"',
}
results = Analyzer([entry]).run()
assert results[0].label == "VULNERABLE"
def test_sqli_information_schema_leak():
"""INFORMATION_SCHEMA in response body indicates data exfiltration."""
entry = {
"target_url": "http://example.com/page",
"method": "GET",
"vuln_type": "sqli",
"param": "id",
"payload": "1 UNION SELECT table_name,2 FROM information_schema.tables--",
"status_code": 200,
"response_len": 2000,
"response_body": (
"information_schema information_schema information_schema " "users admins sessions"
),
}
results = Analyzer([entry]).run()
assert results[0].label == "VULNERABLE"
def test_xss_reflection(sample_injection_results):
analyzer = Analyzer([sample_injection_results[2]])
results = analyzer.run()
assert results[0].label == "VULNERABLE"
assert "reflected" in results[0].reason.lower()
def test_xss_partial_pattern_reflection():
"""Dangerous XSS token reflected even when full payload is sanitised."""
entry = {
"target_url": "http://example.com/greet",
"method": "GET",
"vuln_type": "xss_r",
"param": "name",
"payload": "",
"status_code": 200,
"response_len": 500,
"response_body": "Hello <script>alert(1), welcome!",
}
# body contains