Project: Cucumber Audit
Date: 15 Sep 2023, 07:24

Feature Report

Feature: Database Queries Threats
  Steps:     51 passed, 0 failed, 0 skipped, 0 pending, 0 undefined, 51 total
  Scenarios: 5 passed, 0 failed, 5 total
  Duration:  2.237 s
  Status:    Passed
Feature: Database Queries Threats
Background (0.015 s)
Given only whitelisted traffic is allowed 0.000
And traffic matching "https?://localhost.:8000.*" is allowed 0.005
And app running on "http://localhost.:8000/consumer/" has already started 0.010
Scenario (0.462 s)
Unhandled database errors may disclose the database system and its version. This information can be used to prepare an attack that exploits known vulnerabilities and characteristics of the DBMS in use.
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Given I am on "http://localhost.:8000/accounts/login" 0.125
And the response content is under inspection 0.000
When I enter "' UNKNOWN SYNTAX; -- ." into a field selected by "input[name='username']" 0.051
And I enter "' UNKNOWN SYNTAX; -- ." into a field selected by "input[name='password']" 0.024
And I click on "form input[type='submit']" 0.260
Then the response should not contain "SQL" 0.000
And the response should not contain "Exception" 0.000
And the response should not contain "Stacktrace" 0.000
And the response should not contain "Traceback" 0.000
And the response should not match ".*[a-zA-Z0-9.]+:[0-9]+\).*" 0.000
And the response should not match "(?i).*line [0-9]+.*" 0.000
And the response should not match "(?i).*debug.*" 0.000
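The content checks of the scenario above, reimplemented in Python as an added example (this is not code from the report or from cucumber-audit itself). The four literal fragments are tested as case-sensitive substrings, the three patterns are searched with the flags embedded in them; that reading of "should not contain" and "should not match" is an assumption. The three sample responses (a Python traceback page, a JDBC stack trace, and a clean generic error page) are constructed for the example, as are the function names.

```python
import re

# The markers the scenario checks, in the order the report lists them.
LITERAL_MARKERS = ["SQL", "Exception", "Stacktrace", "Traceback"]
REGEX_MARKERS = [
    r".*[a-zA-Z0-9.]+:[0-9]+\).*",  # JVM frame reference such as (File.kt:14)
    r"(?i).*line [0-9]+.*",         # "line 42" in Python/PHP style errors
    r"(?i).*debug.*",               # framework debug pages
]


def find_disclosures(body: str) -> list[str]:
    """Return a description of every marker found in a response body.

    An empty list means the response passes all of the scenario's checks.
    """
    hits = []
    for marker in LITERAL_MARKERS:
        if marker in body:  # case-sensitive, as the report shows the fragments
            hits.append(f'contains "{marker}"')
    for pattern in REGEX_MARKERS:
        if re.search(pattern, body):  # the (?i) prefix carries its own flag
            hits.append(f'matches "{pattern}"')
    return hits


def response_is_clean(body: str) -> bool:
    return not find_disclosures(body)


# Constructed sample responses (not captured from any real application).
PYTHON_DEBUG_PAGE = """\
Traceback (most recent call last):
  File "/app/accounts/views.py", line 42, in login
    cursor.execute("SELECT id FROM auth_user WHERE username = '" + username + "'")
psycopg2.errors.SyntaxError: syntax error at or near "UNKNOWN"
LINE 1: SELECT id FROM auth_user WHERE username = '' UNKNOWN SYNTAX; -- .'
"""

JDBC_ERROR_PAGE = """\
HTTP 500 Internal Server Error
java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax near 'UNKNOWN SYNTAX; -- .'' at line 1
    at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:120)
    at com.example.shop.LoginServlet.doPost(LoginServlet.java:57)
"""

CLEAN_PAGE = """\
<h1>Sign in</h1>
<p>Invalid username or password.</p>
"""

if __name__ == "__main__":
    for name, body in (("python traceback", PYTHON_DEBUG_PAGE),
                       ("jdbc stack trace", JDBC_ERROR_PAGE),
                       ("clean page", CLEAN_PAGE)):
        print(f"{name}: {find_disclosures(body) or 'no disclosure markers'}")
```

The traceback page trips only two of the seven checks and the JDBC page four, so a single marker is enough to fail the scenario; conversely the clean page shows what a generic error response that passes every check looks like.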
Background (0.029 s)
Given only whitelisted traffic is allowed 0.000
And traffic matching "https?://localhost.:8000.*" is allowed 0.000
And app running on "http://localhost.:8000/consumer/" has already started 0.029
Scenario (0.415 s)
If SQL queries are built by simple string concatenation, there is a risk that an attacker could inject malicious code into those queries. This SQL injection can be used to obtain
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Given I am on "http://localhost.:8000/accounts/login" 0.117
And the response content is under inspection 0.000
When I enter "' OR sleep(5000) -- ." into a field selected by "input[name='username']" 0.057
And I enter "' OR sleep(5000) -- ." into a field selected by "input[name='password']" 0.024
And I click on "form input[type='submit']" 0.214
Then the response time should not be longer than 5000 ms 0.000
Background (0.009 s)
Given only whitelisted traffic is allowed 0.000
And traffic matching "https?://localhost.:8000.*" is allowed 0.000
And app running on "http://localhost.:8000/consumer/" has already started 0.009
Scenario (0.452 s)
If SQL queries are built by simple string concatenation, there is a risk that an attacker could inject malicious code into those queries. This SQL injection can be used to obtain
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Given I am on "http://localhost.:8000/accounts/login" 0.097
And the response content is under inspection 0.000
When I enter "' || dbms_pipe.receive_message(('a'), 5) -- ." into a field selected by "input[name='username']" 0.049
And I enter "' || dbms_pipe.receive_message(('a'), 5) -- ." into a field selected by "input[name='password']" 0.038
And I click on "form input[type='submit']" 0.266
Then the response time should not be longer than 5000 ms 0.000
Background (0.010 s)
Given only whitelisted traffic is allowed 0.000
And traffic matching "https?://localhost.:8000.*" is allowed 0.000
And app running on "http://localhost.:8000/consumer/" has already started 0.009
Scenario (0.394 s)
If SQL queries are built by simple string concatenation, there is a risk that an attacker could inject malicious code into those queries. This SQL injection can be used to obtain
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Given I am on "http://localhost.:8000/accounts/login" 0.123
And the response content is under inspection 0.000
When I enter "' OR pg_sleep(5) -- ." into a field selected by "input[name='username']" 0.028
And I enter "' OR pg_sleep(5) -- ." into a field selected by "input[name='password']" 0.033
And I click on "form input[type='submit']" 0.207
Then the response time should not be longer than 5000 ms 0.000
Background (0.026 s)
Given only whitelisted traffic is allowed 0.000
And traffic matching "https?://localhost.:8000.*" is allowed 0.000
And app running on "http://localhost.:8000/consumer/" has already started 0.026
Scenario (0.421 s)
If SQL queries are built by simple string concatenation, there is a risk that an attacker could inject malicious code into those queries. This SQL injection can be used to obtain
Before io.github.multicatch.cucumber.audit.NavigationStepDefs.<init>(NavigationStepDefs.kt:14) 0.000
Given I am on "http://localhost.:8000/accounts/login" 0.130
And the response content is under inspection 0.000
When I enter "' OR WAITFOR DELAY '0:0:05' -- ." into a field selected by "input[name='username']" 0.049
And I enter "' OR WAITFOR DELAY '0:0:05' -- ." into a field selected by "input[name='password']" 0.029
And I click on "form input[type='submit']" 0.211
Then the response time should not be longer than 5000 ms 0.000
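Why the four delay payloads in the scenarios above work against a concatenated query and not against a parameterized one, as an added example that is not part of the report or of cucumber-audit: a Python/SQLite model of the login query with the timing check from the "response time" step. SQLite has no sleep() or pg_sleep(), so the block registers stand-ins that record the call and sleep a short fixed time instead of the requested seconds; the MSSQL WAITFOR and Oracle dbms_pipe payloads are listed for reference but cannot be parsed by SQLite, so only the MySQL and PostgreSQL forms are exercised. The table, the user row, the scaled-down threshold and all function names are assumptions made for this illustration.

```python
import sqlite3
import time

# Payloads exactly as submitted by the report's four scenarios, keyed by the
# DBMS whose delay primitive each one targets.
PAYLOADS = {
    "mysql": "' OR sleep(5000) -- .",
    "oracle": "' || dbms_pipe.receive_message(('a'), 5) -- .",
    "postgresql": "' OR pg_sleep(5) -- .",
    "mssql": "' OR WAITFOR DELAY '0:0:05' -- .",
}

# Assumption for this example: stand-ins for MySQL sleep() / PostgreSQL pg_sleep().
# The real functions block for the requested seconds; these sleep a short fixed
# time so the example finishes quickly, and record that they were reached.
EMULATED_DELAY_S = 0.2
THRESHOLD_MS = 100  # scaled-down analogue of the report's 5000 ms limit
delay_calls = []


def _emulated_sleep(seconds):
    delay_calls.append(seconds)
    time.sleep(EMULATED_DELAY_S)
    return 0


def connect():
    """In-memory SQLite with one constructed user row and the emulated delay functions."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, _emulated_sleep)
    conn.create_function("pg_sleep", 1, _emulated_sleep)
    conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO auth_user VALUES (1, 'alice', 'correct horse battery')")
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable form: the submitted values become part of the SQL text.

    With the MySQL payload in both fields the statement degenerates to
      SELECT id FROM auth_user WHERE username = '' OR sleep(5000) -- .' AND ...
    and everything after the '--' is a comment, so the delay call is reached
    for every row the engine examines.
    """
    sql = ("SELECT id FROM auth_user WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Fixed form: placeholders; the values are bound as data and never parsed as SQL."""
    sql = "SELECT id FROM auth_user WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def timed_login(login_fn, username, password):
    """Run one login attempt and return (row, elapsed_ms), like the report's timing step."""
    conn = connect()
    try:
        start = time.perf_counter()
        row = login_fn(conn, username, password)
        return row, (time.perf_counter() - start) * 1000.0
    finally:
        conn.close()


def delay_injection_detected(login_fn, payload, threshold_ms=THRESHOLD_MS):
    """True when the payload in both fields pushes the query over the time limit,
    which is the condition the 'response time should not be longer than' step fails on."""
    _, elapsed_ms = timed_login(login_fn, payload, payload)
    return elapsed_ms > threshold_ms


if __name__ == "__main__":
    for dbms in ("mysql", "postgresql"):  # the two forms SQLite can parse here
        payload = PAYLOADS[dbms]
        print(dbms,
              "concatenated:", delay_injection_detected(login_concatenated, payload),
              "parameterized:", delay_injection_detected(login_parameterized, payload))
```

The payloads end with a space and a dot rather than a bare `--` because MySQL only treats `--` as a comment when it is followed by whitespace, and a trailing character keeps that space from being trimmed on the way in. Note that the report's limit (5000 ms) equals the requested delay in three of the four payloads, so on a target whose baseline latency is negligible the step can only fail once the injected delay actually runs in full.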