o <ý¤h¿Åã@s2dZddlZddlmmZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlmZddlmZddlmZddlmZejjdd„ƒZejjd d „ƒZejjd d „ƒZejjd d„ƒZejjdd„ƒZejjdd„ƒZ ejjdd„ƒZ!ejjdd„ƒZ"ejjdd„ƒZ#dS)a, test_security_penetration.py Purpose: Red-team level security penetration testing suite for the Flask camera management application. This file implements comprehensive security vulnerability testing to validate protection against common attack vectors including timing attacks, SQL injection, session hijacking, privilege escalation, and malicious input fuzzing. Follows OWASP testing guidelines and industry security standards to ensure robust defense against sophisticated attacks. Security Test Categories: - Timing attack resistance (username enumeration prevention) - SQL injection penetration testing with parameterized query validation - Session security (hijacking, fixation, token entropy) - CSRF token cryptographic strength analysis - File upload security and path traversal prevention - Rate limiting bypass techniques and header manipulation - Privilege escalation (horizontal and vertical) - Information disclosure through error messages and timing Test Philosophy: Each test simulates real-world attack scenarios with malicious payloads designed to exploit specific vulnerabilities. Tests validate both that attacks are blocked AND that security measures don't interfere with legitimate usage. All tests follow red-team methodology with comprehensive edge case coverage. éN)Úpatch)Úsession)Úget_db)Úparse_ts_from_anyc CsH|ƒ| ¡}|dd}gd¢}g}tdƒD]`}t ¡}|jd|ddœd} t ¡} | | |¡| j} d } | | k} | sqt d | fd | | f¡d t   ¡vsRt  | ¡rWt  | ¡nd t  | ¡t  | ¡d œ}dd|i}t t |¡ƒ‚d} } } qg}|D]g}tdƒD]`}t ¡}|jd|ddœd} t ¡} | | |¡| j} d } | | k} | sÜt d | fd | | f¡d t   ¡vs½t  | ¡rÂt  | ¡nd t  | ¡t  | ¡d œ}dd|i}t t |¡ƒ‚d} } } q‚q|t |¡}t |¡}t||ƒ}td|d›d|d›d|d›dƒ|dkrtd|d›dƒtdƒdStd|d›dƒdS)a Test that login timing is consistent regardless of username validity to prevent username enumeration. Security Risk: Timing differences between valid vs invalid usernames can allow attackers to enumerate valid usernames by measuring response times. Valid usernames trigger bcrypt operations while invalid ones fail immediately. Attack Scenario: Attacker measures login response times with various usernames to identify which ones exist in the system, then focuses brute-force attacks on valid accounts. ÚregularÚusername)Ú nonexistent1Ú fakeuser99Ú notreal123é ú/loginÚwrongpassword123©rÚpassword©Údataé.©ú==©z3%(py2)s {%(py2)s = %(py0)s.status_code } == %(py5)sÚresponse©Úpy0Úpy2Úpy5úassert %(py7)sÚpy7NézValid username avg: ú.4fzs, Invalid avg: z s, Diff: Úsçš™™™™™©?u;âš ï¸ SECURITY VULNERABILITY DETECTED: Timing difference zs allows username enumerationuT🔧 Recommendation: Implement secure_password_check() from security_enhancements.pyu&✅ Timing attack protection working: z s difference)Ú test_clientÚrangeÚtimeÚ perf_counterÚpostÚappendÚ status_codeÚ @pytest_arÚ_call_reprcompareÚ @py_builtinsÚlocalsÚ_should_repr_global_nameÚ _safereprÚAssertionErrorÚ_format_explanationÚ statisticsÚmeanÚabsÚprint)ÚappÚ test_usersÚclear_rate_limitsÚclientÚ valid_userÚinvalid_usernamesÚ valid_timesÚ_Ú start_timerÚend_timeÚ @py_assert1Ú @py_assert4Ú @py_assert3Ú @py_format6Ú @py_format8Ú invalid_timesrÚ valid_avgÚ invalid_avgÚtiming_difference©rGú9/var/www/html/tests/security/test_security_penetration.pyÚ#test_login_timing_attack_resistance,sF    þŒ  þŒø  " rIc Cs¤|ƒ| ¡}gd¢}|D]À}|jd|ddœd}|j}gd¢}||v} | sft d| fd||f¡d t ¡vs;t |¡r@t |¡nd t |¡t |¡d œ} t  d |j›d |›¡d d| i} t t  | ¡ƒ‚d}} }|j dd  ¡} gd¢} | D]R}|| v}|sÊt d|fd|| f¡dt ¡vs—t |¡rœt |¡nddt ¡vs¨t | ¡r­t | ¡nddœ}t  d|›d|›¡dd|i}t t  |¡ƒ‚d}qzq |d}|jd|d|ddœd| d¡| ¡}| d d!¡}Wdƒn1súwY|dd"…D]Ê}|jd#|›|d$|dd%…›d&œd'd(}|j}d)d*g}||v} | sht d| fd||f¡d t ¡vsAt |¡rFt |¡nd t |¡t |¡d œ} t  d+|›¡d d| i} t t  | ¡ƒ‚d}} }|jd#|›d,|d&œd'd(}|j}gd-¢}||v} | sÈt d| fd||f¡d t ¡vs¡t |¡r¦t |¡nd t |¡t |¡d œ} t  d.|›¡d d| i} t t  | ¡ƒ‚d}} }qdS)/aø Test all endpoints against SQL injection attempts with sophisticated payloads. Security Risk: SQL injection allows attackers to manipulate database queries, potentially accessing sensitive data, escalating privileges, or destroying data. Attack Scenarios: - Union-based injection to extract password hashes - Boolean-based blind injection for data extraction - Time-based blind injection for delayed responses - Second-order injection through stored data ) z4' UNION SELECT password_hash FROM users WHERE '1'='1z51' UNION SELECT username, password_hash FROM users --z' OR '1'='1' --z ' OR 1=1 --zadmin'--z'; WAITFOR DELAY '00:00:05' --zz' OR (SELECT COUNT(*) FROM users) > 0 AND (SELECT SUBSTRING(password_hash,1,1) FROM users WHERE username='admin') = 'a' --z'; DROP TABLE cameras; --z<'; UPDATE users SET is_admin=1 WHERE username='testuser'; --z' OR '1'='1' /*z"1'; DELETE FROM users WHERE '1'='1z%27%20OR%20%271%27%3D%271z' OR '1'='1r Útestpassrr)réé­©Úin©z3%(py2)s {%(py2)s = %(py0)s.status_code } in %(py5)srrzUnexpected response z for payload: ú >assert %(py7)srNT©Úas_text)z syntax errorÚsqliteÚdatabaseÚtableÚcolumnÚselectÚunionÚ password_hash©únot in©z%(py0)s not in %(py2)sÚkeywordÚ response_text©rrz)SQL injection may have occurred - found 'z' in response for payload: ú >assert %(py4)sÚpy4rrrú/Ú csrf_tokenÚéú/api/kamere/add?csrf_token=z Test Camera r ©Ú camera_idÚ camera_nameúapplication/json©ÚjsonÚ content_typerKéôz#Should reject malicious camera_id: Ú 123456789012)éÈrKi™rnz/Unexpected response for malicious camera_name: )r!r%r'r(r)r*r+r,r-Ú_format_assertmsgr.r/Úget_dataÚlowerÚgetÚsession_transaction)r4r5r6r7Úmalicious_payloadsÚpayloadrr>r?r@rArBr^Údangerous_keywordsr]Ú @py_format3Ú @py_format5ÚuserÚsessrcrGrGrHÚtest_sql_injection_resistancejsN þ¦¢ÿ þ  ÿ þû¤ þû¨ìr}c- Cs†|ƒg}tdƒD],}| ¡}| d¡}| ¡}| dd¡}|r&| |¡Wdƒn1s0wYq t|ƒ} t| ƒ} t|ƒ} | | k} | sÉt d| fd| | f¡dt   ¡vs]t  t¡rbt  t¡ndd t   ¡vsnt  t¡rst  t¡nd d t   ¡vst  |¡r„t  |¡nd t  | ¡t  | ¡dt   ¡vs˜t  t¡rt  t¡ndd t   ¡vs©t  |¡r®t  |¡nd t  | ¡d œ} t  d ¡d d| i}tt |¡ƒ‚d} } } } |rždd„|Dƒ}t|ƒ}d} || k}|s5t d|fd|| f¡dt   ¡vsþt  t¡rt  t¡nddt   ¡vst  |¡rt  |¡ndt  |¡t  | ¡dœ}t  d¡dd|i}tt |¡ƒ‚d}}} d |¡}i}|D] }| |d¡d||<qDt|ƒ}d}||k}|sšt d|fd||f¡dt   ¡vsvt  |¡r{t  |¡ndt  |¡d œ}t  d!|›d"¡d#d$|i}tt |¡ƒ‚d}}| ¡}| d¡| ¡}t|ƒ}| dd¡}Wdƒn 1sÁwY|d%}|jd&|d'|d(d)œd*}|j}d+}||k} | st d| fd,||f¡d-t   ¡vsût  |¡rt  |¡nd-t  |¡t  |¡d.œ}d/d0|i}tt |¡ƒ‚d}} }| d¡| ¡}| dd¡} Wdƒn 1s;wY| sgt  d1¡d2d3d4t   ¡vsWt  | ¡r\t  | ¡nd4i}!tt |!¡ƒ‚| ¡Q}| d5¡}"d}|"|u}|s±t d6|fd7|"|f¡d8t   ¡vs‘t  |"¡r–t  |"¡nd8t  |¡d œ}t  d9¡d#d$|i}tt |¡ƒ‚d}}Wdƒn 1sÀwY| ¡}#|d:}$|#jd&|$d'|$d(d)œd*| ¡}%|% dd¡}&|% d5¡}'Wdƒn 1söwY|# ¡}(|( dd¡})|( d5¡}*Wdƒn 1swY|&|)k}|sht d;|fd<|&|)f¡d=t   ¡vs9t  |&¡r>t  |&¡nd=d>t   ¡vsLt  |)¡rQt  |)¡nd>d?œ}+t  d@¡dAdB|+i},tt |,¡ƒ‚d}|'|*k}|s·t d;|fd<|'|*f¡dCt   ¡vsˆt  |'¡rt  |'¡ndCdDt   ¡vs›t  |*¡r t  |*¡ndDd?œ}+t  dE¡dAdB|+i},tt |,¡ƒ‚d}d}|'|u}|sùt d6|fd7|'|f¡dCt   ¡vsÙt  |'¡rÞt  |'¡ndCt  |¡d œ}t  dF¡d#d$|i}tt |¡ƒ‚d}}d}|*|u}|s=t d6|fd7|*|f¡dDt   ¡vst  |*¡r"t  |*¡ndDt  |¡d œ}t  dG¡d#d$|i}tt |¡ƒ‚d}}dS)Haá Test session tokens cannot be hijacked, predicted, or reused across different contexts. Security Risk: Weak session management allows attackers to impersonate users by stealing, predicting, or reusing session tokens. Attack Scenarios: - Session token prediction through weak random number generation - Session fixation attacks by forcing specific session IDs - Cross-browser session reuse - Session token extraction from URLs or logs é2rbrcrdNr)zn%(py6)s {%(py6)s = %(py0)s(%(py4)s {%(py4)s = %(py1)s(%(py2)s) }) } == %(py11)s {%(py11)s = %(py8)s(%(py9)s) }ÚlenÚsetÚsession_tokens)rÚpy1rraÚpy6Úpy8Úpy9Úpy11zASession tokens are not unique - potential collision vulnerabilityz >assert %(py13)sÚpy13cSóg|]}t|ƒ‘qSrG©r©Ú.0ÚtokenrGrGrHÚ êóz5test_session_hijacking_protection..é ©ú>=©z0%(py3)s {%(py3)s = %(py0)s(%(py1)s) } >= %(py6)sÚminÚ token_lengths©rr‚Úpy3rƒz4Session tokens too short - vulnerable to brute forceú >assert %(py8)sr„rér ©ú>©z%(py0)s > %(py3)sÚ unique_chars©rr–z-Poor character distribution in tokens - only z unique charactersú >assert %(py5)srrr rrrrrrrrrrzNo CSRF token after loginz >assert %(py0)srÚpost_login_csrfÚuser_id©úis not©z%(py0)s is not %(py3)sÚlogged_in_user_idz)User not logged in after successful loginÚlimited)ú!=)z%(py0)s != %(py2)sÚtoken1Útoken2r_zGSession tokens shared between clients - critical security vulnerabilityr`raÚuser1_idÚuser2_idz User IDs shared between sessionszUser1 session has no user_idzUser2 session has no user_id)r"r!rtrur&r€rr(r)r*r+r,r-rqr.r/r“ÚjoinÚidr%r')-r4r5r6rÚir7rr|rcr@Ú @py_assert5Ú @py_assert10Ú @py_assert7Ú @py_format12Ú @py_format14r”Ú @py_assert2r?Ú @py_format7Ú @py_format9Ú all_charsÚ char_countsÚcharrœr>Ú @py_format4rAÚclient1Úinitial_session_idÚ initial_csrfr{rBrŸÚ @py_format1r¤Úclient2Úuser2Úsess1r§r©Úsess2r¨rªryrzrGrGrHÚ!test_session_hijacking_protectionÊs|     €ý€þ8À   þ þ  ÿN  Šþ þ   þ   þžžˆŒrÂc$ s(|ƒg}g}tdƒD]1}| ¡}| |¡| d¡}| ¡}| dd¡}|r-| |¡Wdƒn1s7wYq t|ƒ} d} | | k} | s“t d| fd| | f¡d t  ¡vs^t  t¡rct  t¡nd d t  ¡vsot  |¡rtt  |¡nd t  | ¡t  | ¡d œ} t  d ¡d d| i} t t | ¡ƒ‚d} } } t|ƒ}dt|ƒt|ƒ}d} || k}|sët d|fd|| f¡dt  ¡vsÄt  |¡rÉt  |¡ndt  | ¡dœ}t  d|dd›d¡dd|i}t t |¡ƒ‚d}} dd„|Dƒ}t|ƒ}t|ƒ}d} || k}|sBt d|fd|| f¡dt  ¡vst  |¡r#t  |¡ndt  | ¡dœ}t  d|›d ¡dd|i}t t |¡ƒ‚d}} d!} || k}|sŠt d"|fd#|| f¡d$t  ¡vsft  |¡rkt  |¡nd$t  | ¡dœ}t  d%|›d&¡dd|i}t t |¡ƒ‚d}} d |¡}t|ƒ}ttjtjd'ƒ}||}t|ƒ} d} | | k} | st d| fd(| | f¡d t  ¡vsÉt  t¡rÎt  t¡nd d)t  ¡vsÜt  |¡rát  |¡nd)t  | ¡t  | ¡d œ} t  d*|›¡d d| i} t t | ¡ƒ‚d} } } t|ƒ} d+} | | k} | sjt d| fd| | f¡d t  ¡vs-t  t¡r2t  t¡nd d,t  ¡vs@t  |¡rEt  |¡nd,t  | ¡t  | ¡d œ} t  d-t|ƒ›d.¡d d| i} t t | ¡ƒ‚d} } } i}|D] }| |d¡d||<qtt|ƒ‰‡fd/d„| ¡Dƒ}ddl‰t‡fd0d1„|Dƒƒ }ˆ t|ƒ¡}||}d2} || k}|sñt d3|fd4|| f¡d5t  ¡vsÌt  |¡rÑt  |¡nd5t  | ¡dœ}t  d6|d7›d8¡dd|i}t t |¡ƒ‚d}} |d}| ¡}| dd¡} Wdƒn 1swY| ¡}!|! ¡ }| |d<Wdƒn 1s,wY|!jd9| ›d:d;d<œd=d>}|j}d?d@g} || v}"|"sŒt dA|"fdB|| f¡dCt  ¡vsdt  |¡rit  |¡ndCt  |¡t  | ¡dDœ}t  dE|j›¡dFdG|i}#t t |#¡ƒ‚d}}"} dS)Hag Test CSRF tokens are cryptographically secure with sufficient entropy. Security Risk: Weak CSRF tokens can be predicted or brute-forced, allowing attackers to bypass CSRF protection. Attack Scenarios: - Token prediction through weak randomness - Token collision through birthday attacks - Token extraction and reuse édrbrcrdNéZrr’rÚtokensr•z1Failed to generate sufficient tokens for analysisr—r„r˜rr)z%(py0)s == %(py3)sÚcollision_raterz CSRF token collision detected - z.2fz% collision rateržrcSrˆrGr‰rŠrGrGrHrWrŽz8test_csrf_token_entropy_and_strength..r)z%(py0)s >= %(py3)sÚ min_lengthzCSRF tokens too short: z chars (minimum 32 required)é)ú<=)z%(py0)s <= %(py3)sÚ max_lengthzCSRF tokens too long: z chars (maximum 256 recommended)z-_©z0%(py3)s {%(py3)s = %(py0)s(%(py1)s) } == %(py6)sÚunexpected_charsz+CSRF tokens contain unexpected characters: r rœz"Insufficient character diversity: z unique charscsg|]}|ˆ‘qSrGrG)r‹Úcount)Ú total_charsrGrHrprŽc3s&|]}|dkr|ˆ |¡VqdS)rN)Úlog2)r‹Úp)ÚmathrGrHÚ ts€$z7test_csrf_token_entropy_and_strength..gš™™™™™é?r™r›Ú entropy_ratiozLow entropy in CSRF tokens: z.3fz (should be > 0.8)rfroÚTestrgrjrkré“rMrOrrz*CSRF token reuse should be prevented, got rPr)r"r!r&rtrurr(r)r*r+r,r-rqr.r/r€r“Úmaxr«ÚstringÚ ascii_lettersÚdigitsÚvaluesrÑÚsumrÏr%r')$r4r6rÅÚclientsr­r7rr|rŒr³r®r?r´rµÚ unique_tokensrÆr>r¹rAr”rÇrÊr¶rœÚexpected_charsrÌÚ char_freqr¸Ú frequenciesÚentropyÚ max_entropyrÓÚoriginal_tokenÚ new_clientr@rBrG)rÑrÎrHÚ$test_csrf_token_entropy_and_strength2sh       €ý€¸ ÈÎ’ ÿ  ÿ þªråc"Csü|ƒ| ¡}|d}|jd|d|ddœd| d¡| ¡}| dd ¡}Wd ƒn1s3wYgd ¢}|D]} |jd |›d | idd} | j} gd¢} | | v} | s—t d| fd| | f¡dt ¡vspt  | ¡rut  | ¡ndt  | ¡t  | ¡dœ}t  d| ›¡dd|i}t t  |¡ƒ‚d } } } | jdd ¡}gd¢}| jdvrM|  ¡}|rMd|vrM|d ¡}d}||v}|st d|fd||f¡t  |¡dt ¡vsãt  |¡rèt  |¡ndd œ}t  d!| ›¡d"d#|i}t t  |¡ƒ‚d }}d$}||v}|sIt d|fd||f¡t  |¡dt ¡vs*t  |¡r/t  |¡ndd œ}t  d!| ›¡d"d#|i}t t  |¡ƒ‚d }}q>gd%¢}|D]ñ}| d&|›¡} | j} gd'¢} | | v} | sªt d| fd| | f¡dt ¡vsƒt  | ¡rˆt  | ¡ndt  | ¡t  | ¡dœ}t  d(|›¡dd|i}t t  |¡ƒ‚d } } } | jdd}d)}||v}|sùt d|fd||f¡t  |¡d*t ¡vsÚt  |¡rßt  |¡nd*d œ}t  d+|›¡d"d#|i}t t  |¡ƒ‚d }}d,}||v}|s@t d|fd||f¡t  |¡d*t ¡vs!t  |¡r&t  |¡nd*d œ}t  d-|›¡d"d#|i}t t  |¡ƒ‚d }}qTd.}|jd/|›|d0d1œddd2d3}tj |d4|›d5¡}zzt|d6ƒ }| |¡Wd ƒn 1s|wYd7|›d5}| d8|›¡} | j} gd9¢} | | v} | sØt d| fd| | f¡dt ¡vs´t  | ¡r¹t  | ¡ndt  | ¡t  | ¡dœ}t  d:¡dd|i}t t  |¡ƒ‚d } } } Wn tyéYnwd7|›d5}z‚d;d| d?d@¡dAd g} | D]b}!| dB|!›¡} | j} gd¢} | | v} | sht d| fd| | f¡dt ¡vsalert('xss').jpgz'; DROP TABLE images; --.jpgz test.jpgaCvery_long_filename_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jpgz .htaccessz web.configz/slika?rel=User-photos/)rprKrÕréz,Unexpected response for malicious filename: z