Project Date
Cucumber Audit 15 Sep 2023, 07:09

Feature Report

Steps Scenarios Features
Feature Passed Failed Skipped Pending Undefined Total Passed Failed Total Duration Status
Database Queries Threats 51 0 0 0 0 51 5 0 5 2.308 Passed
Feature Database Queries Threats
0.007
Given only whitelisted traffic is allowed 0.000
And traffic matching "https?://localhost.:8000.*" is allowed 0.000
And app running on "http://localhost.:8000/consumer/" has already started 0.007
Tags: @InformationDisclosure
0.576
Unhandled database errors may lead to disclosure about database system version. This may be used to prepare an attack that uses known system vulnerabilities and characteristics of used DBMS.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Given I am on "http://localhost.:8000/accounts/login" 0.183
And the response content is under inspection 0.000
When I enter "' UNKNOWN SYNTAX; -- ." into a field selected by "input[name='username']" 0.042
And I enter "' UNKNOWN SYNTAX; -- ." into a field selected by "input[name='password']" 0.026
And I click on "form input[type='submit']" 0.323
Then the response should not contain "SQL" 0.000
And the response should not contain "Exception" 0.000
And the response should not contain "Stacktrace" 0.000
And the response should not contain "Traceback" 0.000
And the response should not match ".*[a-zA-Z0-9.]+:[0-9]+\).*" 0.000
And the response should not match "(?i).*line [0-9]+.*" 0.000
And the response should not match "(?i).*debug.*" 0.000
0.017
Given only whitelisted traffic is allowed 0.000
And traffic matching "https?://localhost.:8000.*" is allowed 0.000
And app running on "http://localhost.:8000/consumer/" has already started 0.017
Tags: @InformationDisclosure
0.389
If the SQL Queries are creates by simple concatenation, there is a risk that an attacker could inject a malicious code into said queries. This SQL Injection can be used to obtain
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Given I am on "http://localhost.:8000/accounts/login" 0.110
And the response content is under inspection 0.000
When I enter "' OR sleep(5000) -- ." into a field selected by "input[name='username']" 0.027
And I enter "' OR sleep(5000) -- ." into a field selected by "input[name='password']" 0.015
And I click on "form input[type='submit']" 0.234
Then the response time should not be longer than 5000 ms 0.000
0.024
Given only whitelisted traffic is allowed 0.000
And traffic matching "https?://localhost.:8000.*" is allowed 0.000
And app running on "http://localhost.:8000/consumer/" has already started 0.023
Tags: @InformationDisclosure
0.445
If the SQL Queries are creates by simple concatenation, there is a risk that an attacker could inject a malicious code into said queries. This SQL Injection can be used to obtain
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Given I am on "http://localhost.:8000/accounts/login" 0.097
And the response content is under inspection 0.000
When I enter "' || dbms_pipe.receive_message(('a'), 5) -- ." into a field selected by "input[name='username']" 0.037
And I enter "' || dbms_pipe.receive_message(('a'), 5) -- ." into a field selected by "input[name='password']" 0.042
And I click on "form input[type='submit']" 0.267
Then the response time should not be longer than 5000 ms 0.000
0.017
Given only whitelisted traffic is allowed 0.000
And traffic matching "https?://localhost.:8000.*" is allowed 0.000
And app running on "http://localhost.:8000/consumer/" has already started 0.017
Tags: @InformationDisclosure
0.432
If the SQL Queries are creates by simple concatenation, there is a risk that an attacker could inject a malicious code into said queries. This SQL Injection can be used to obtain
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Given I am on "http://localhost.:8000/accounts/login" 0.131
And the response content is under inspection 0.000
When I enter "' OR pg_sleep(5) -- ." into a field selected by "input[name='username']" 0.024
And I enter "' OR pg_sleep(5) -- ." into a field selected by "input[name='password']" 0.028
And I click on "form input[type='submit']" 0.246
Then the response time should not be longer than 5000 ms 0.000
0.008
Given only whitelisted traffic is allowed 0.000
And traffic matching "https?://localhost.:8000.*" is allowed 0.000
And app running on "http://localhost.:8000/consumer/" has already started 0.008
Tags: @InformationDisclosure
0.389
If the SQL Queries are creates by simple concatenation, there is a risk that an attacker could inject a malicious code into said queries. This SQL Injection can be used to obtain
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Given I am on "http://localhost.:8000/accounts/login" 0.111
And the response content is under inspection 0.000
When I enter "' OR WAITFOR DELAY '0:0:05' -- ." into a field selected by "input[name='username']" 0.022
And I enter "' OR WAITFOR DELAY '0:0:05' -- ." into a field selected by "input[name='password']" 0.032
And I click on "form input[type='submit']" 0.222
Then the response time should not be longer than 5000 ms 0.000