?hdZddlZddlmcmZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlmZddlmZddlmZddlmZej2j4dZej2j4dZej2j4d Zej2j4d Zej2j4d Zej2j4d Z ej2j4d Z!ej2j4dZ"ej2j4dZ#y)a, test_security_penetration.py Purpose: Red-team level security penetration testing suite for the Flask camera management application. This file implements comprehensive security vulnerability testing to validate protection against common attack vectors including timing attacks, SQL injection, session hijacking, privilege escalation, and malicious input fuzzing. Follows OWASP testing guidelines and industry security standards to ensure robust defense against sophisticated attacks. Security Test Categories: - Timing attack resistance (username enumeration prevention) - SQL injection penetration testing with parameterized query validation - Session security (hijacking, fixation, token entropy) - CSRF token cryptographic strength analysis - File upload security and path traversal prevention - Rate limiting bypass techniques and header manipulation - Privilege escalation (horizontal and vertical) - Information disclosure through error messages and timing Test Philosophy: Each test simulates real-world attack scenarios with malicious payloads designed to exploit specific vulnerabilities. Tests validate both that attacks are blocked AND that security measures don't interfere with legitimate usage. All tests follow red-team methodology with comprehensive edge case coverage. N)patch)session)get_db)parse_ts_from_anyc ||j}|dd}gd}g}tdD]}tj}|j d|dd} tj} |j | |z | j } d } | | k(} | stjd | fd | | fd tjvstj| rtj| nd tj| tj| d z}dd|iz}ttj|dx} x} }  g}|D]/}tdD]}tj}|j d|dd} tj} |j | |z | j } d } | | k(} | stjd | fd | | fd tjvstj| rtj| nd tj| tj| d z}dd|iz}ttj|dx} x} }  2tj |}tj |}t#||z }t%d|dd|dd|dd|dk\rt%d|ddt%dyt%d|ddy)a Test that login timing is consistent regardless of username validity to prevent username enumeration. Security Risk: Timing differences between valid vs invalid usernames can allow attackers to enumerate valid usernames by measuring response times. Valid usernames trigger bcrypt operations while invalid ones fail immediately. Attack Scenario: Attacker measures login response times with various usernames to identify which ones exist in the system, then focuses brute-force attacks on valid accounts. regularusername) nonexistent1 fakeuser99 notreal123 /loginwrongpassword123r passworddata.==z3%(py2)s {%(py2)s = %(py0)s.status_code } == %(py5)sresponsepy0py2py5assert %(py7)spy7NzValid username avg: .4fzs, Invalid avg: z s, Diff: s皙?u;⚠️ SECURITY VULNERABILITY DETECTED: Timing difference zs allows username enumerationuT🔧 Recommendation: Implement secure_password_check() from security_enhancements.pyu&✅ Timing attack protection working: z s difference) test_clientrangetime perf_counterpostappend status_code @pytest_ar_call_reprcompare @py_builtinslocals_should_repr_global_name _safereprAssertionError_format_explanation statisticsmeanabsprint)app test_usersclear_rate_limitsclient valid_userinvalid_usernames valid_times_ start_timerend_time @py_assert1 @py_assert4 @py_assert3 @py_format6 @py_format8 invalid_timesr valid_avg invalid_avgtiming_differences [C:\Users\algun\Documents\ceba web\Ceba - Github\tests\security\test_security_penetration.py#test_login_timing_attack_resistancerJ,s __ FI&z2JDK 2Y&&( ;;x"*/ ; $$&8j01##*s*#s****#s******x***x***#***s*******M%qA**,J{{8$.3{H((*H  J!6 7'' .3 .'3. . . .'3 . . . . . .8 . . .8 . . .' . . .3 . . . . . . .& ,I//-0KI 34 3/? C?PPYZkloYppq rsD  KL]^aKbbA B de 67H6M\Z[c h ||j}gd}|D]}|jd|dd}|j}gd}||v} | stjd| fd||fd t j vstj|rtj|nd tj|tj|d z} tjd |jd |d zd| iz} ttj| dx}x} }|jdj} gd} | D]}|| v}|stjd|fd|| fdt j vstj|rtj|nddt j vstj| rtj| nddz}tjd|d|dzd|iz}ttj|d} |d}|jd|d|dd|jd|j5}|jd d!}ddd|dd"D]}|jd#|d$|dd%d&d'(}|j}d)d*g}||v} | stjd| fd||fd t j vstj|rtj|nd tj|tj|d z} tjd+|d zd| iz} ttj| dx}x} }|jd#|d,|d&d'(}|j}gd-}||v} | stjd| fd||fd t j vstj|rtj|nd tj|tj|d z} tjd.|d zd| iz} ttj| dx}x} }y#1swYxYw)/a Test all endpoints against SQL injection attempts with sophisticated payloads. Security Risk: SQL injection allows attackers to manipulate database queries, potentially accessing sensitive data, escalating privileges, or destroying data. Attack Scenarios: - Union-based injection to extract password hashes - Boolean-based blind injection for data extraction - Time-based blind injection for delayed responses - Second-order injection through stored data ) z4' UNION SELECT password_hash FROM users WHERE '1'='1z51' UNION SELECT username, password_hash FROM users --z' OR '1'='1' --z ' OR 1=1 --zadmin'--z'; WAITFOR DELAY '00:00:05' --zz' OR (SELECT COUNT(*) FROM users) > 0 AND (SELECT SUBSTRING(password_hash,1,1) FROM users WHERE username='admin') = 'a' --z'; DROP TABLE cameras; --z<'; UPDATE users SET is_admin=1 WHERE username='testuser'; --z' OR '1'='1' /*z"1'; DELETE FROM users WHERE '1'='1z%27%20OR%20%271%27%3D%271z' OR '1'='1rtestpassrr)rinz3%(py2)s {%(py2)s = %(py0)s.status_code } in %(py5)srrzUnexpected response z for payload:  >assert %(py7)srNTas_text)z syntax errorsqlitedatabasetablecolumnselectunion password_hashnot inz%(py0)s not in %(py2)skeyword response_textrrz)SQL injection may have occurred - found 'z' in response for payload:  >assert %(py4)spy4rr r/ csrf_token/api/kamere/add?csrf_token=z Test Camera r  camera_id camera_nameapplication/jsonjson content_typerNz#Should reject malicious camera_id: 123456789012)rNirqz/Unexpected response for malicious camera_name: )r#r'r)r*r+r,r-r.r/_format_assertmsgr0r1get_datalowergetsession_transaction)r6r7r8r9malicious_payloadspayloadrr@rArBrCrDradangerous_keywordsr` @py_format3 @py_format5usersessrfs rItest_sql_injection_resistancerjs __ F8&;;x"/ ;  ##||#6|||#||||||x|||x|||#||||||:NxOcOcNddrszr{8||||||||!))$)7==? z)G-/ K K K7- K K K K K K7 K K K7 K K K K K K- K K K- K K K K3\]d\efABIAJ2K K K K K K K*& i D KK$$ K  JJsO  # # %XXlB/  &&bq);;! ?##bSzb#z1bbb#zbbbbbbxbbbxbbb#bbbzbbb5XY`Xa3bbbbbbbb;;! ?##x';x#';;xxx#';xxxxxxxxxxxxxx#xxx';xxx?novnw=xxxxxxxx)* & %s R''R1c |g}tdD]a}|j}|jd}|j5}|jdd}|r|j |dddct |} t | } t |} | | k(} | stjd| fd| | fdtjvstjt rtjt ndd tjvstjt rtjt nd d tjvstj|rtj|nd tj| tj| dtjvstjt rtjt ndd tjvstj|rtj|nd tj| d z} tjd d zd| iz}ttj|dx} x} x} } |r<|Dcgc] }t |}}t!|}d} || k\}|s tjd|fd|| fdtjvstjt rtjt nddtjvstj|rtj|ndtj|tj| dz}tjddzd|iz}ttj|dx}x}} dj#|}i}|D]}|j|ddz||<t |}d}||kD}|stjd|fd||fdtjvstj|rtj|ndtj|dz}tjd|d d!zd"|iz}ttj|dx}}|j}|jd|j5}t%|}|jdd}ddd|d#}|j'd$|d%|d&d'(}|j(}d)}||k(} | stjd| fd*||fd+tjvstj|rtj|nd+tj|tj|d,z}d-d.|iz} ttj| dx}x} }|jd|j5}|jdd}!ddd!s{tjd/d0zd1d2tjvstj|!rtj|!nd2iz}"ttj|"|j5}|jd3}#d}|#|u}|stjd4|fd5|#|fd6tjvstj|#rtj|#nd6tj|dz}tjd7d!zd"|iz}ttj|dx}}ddd|j}$|d8}%|$j'd$|%d%|%d&d'(|j5}&|&jdd}'|&jd3}(ddd|$j5})|)jdd}*|)jd3}+ddd'*k7}|stjd9|fd:|'|*fd;tjvstj|'rtj|'nd;dd?zd@|,iz}-ttj|-d}(+k7}|stjd9|fd:|(|+fdAtjvstj|(rtj|(ndAdBtjvstj|+rtj|+ndBd=z},tjdCd?zd@|,iz}-ttj|-d}d}|(|u}|stjd4|fd5|(|fdAtjvstj|(rtj|(ndAtj|dz}tjdDd!zd"|iz}ttj|dx}}d}|+|u}|stjd4|fd5|+|fdBtjvstj|+rtj|+ndBtj|dz}tjdEd!zd"|iz}ttj|dx}}y#1swY xYwcc}w#1swYxYw#1swYuxYw#1swY xYw#1swYxYw#1swYxYw)Fa Test session tokens cannot be hijacked, predicted, or reused across different contexts. Security Risk: Weak session management allows attackers to impersonate users by stealing, predicting, or reusing session tokens. Attack Scenarios: - Session token prediction through weak random number generation - Session fixation attacks by forcing specific session IDs - Cross-browser session reuse - Session token extraction from URLs or logs 2rerfrgNr)zn%(py6)s {%(py6)s = %(py0)s(%(py4)s {%(py4)s = %(py1)s(%(py2)s) }) } == %(py11)s {%(py11)s = %(py8)s(%(py9)s) }lensetsession_tokens)rpy1rrdpy6py8py9py11zASession tokens are not unique - potential collision vulnerabilityz >assert %(py13)spy13 >=z0%(py3)s {%(py3)s = %(py0)s(%(py1)s) } >= %(py6)smin token_lengthsrrpy3rz4Session tokens too short - vulnerable to brute force >assert %(py8)srrr >z%(py0)s > %(py3)s unique_charsrrz-Poor character distribution in tokens - only z unique characters >assert %(py5)srrrr rrrrrrrrrzNo CSRF token after loginz >assert %(py0)srpost_login_csrfuser_idis notz%(py0)s is not %(py3)slogged_in_user_idz)User not logged in after successful loginlimited)!=)z%(py0)s != %(py2)stoken1token2rbzGSession tokens shared between clients - critical security vulnerabilityrcrduser1_iduser2_idz User IDs shared between sessionszUser1 session has no user_idzUser2 session has no user_id)r$r#rwrxr(rrr*r+r,r-r.r/rtr0r1rjoinidr'r)).r6r7r8rir9rrrfrB @py_assert5 @py_assert10 @py_assert7 @py_format12 @py_format14tokenr @py_assert2rA @py_format7 @py_format9 all_chars char_countscharrr@ @py_format4rCclient1initial_session_id initial_csrfr~rDr @py_format1rclient2user2sess1rrsess2rrr|r}s. rI!test_session_hijacking_protectionrskN 2Y"::c?  ' ' )T,3J%%j1* ) >"3" #s>': #': : #':33ss>>" #ss>>':<1?@U @=!_R_!R'___!R______s___s______=___=___!___R___)________GGN+  D +a 81 || fd?tjvst j|rt j|nd?t j|t j| d@z}t jdA|j6dBzdC|iz}%tt j|%dx}x}$} y#1swY xYwcc}wcc}w#1swYVxYw#1swY5xYw)Dag Test CSRF tokens are cryptographically secure with sufficient entropy. Security Risk: Weak CSRF tokens can be predicted or brute-forced, allowing attackers to bypass CSRF protection. Attack Scenarios: - Token prediction through weak randomness - Token collision through birthday attacks - Token extraction and reuse drerfrgNZrrrtokensrz1Failed to generate sufficient tokens for analysisrrrrr)z%(py0)s == %(py3)scollision_raterz CSRF token collision detected - z.2fz% collision raterrr)z%(py0)s >= %(py3)s min_lengthzCSRF tokens too short: z chars (minimum 32 required))<=)z%(py0)s <= %(py3)s max_lengthzCSRF tokens too long: z chars (maximum 256 recommended)z-_z0%(py3)s {%(py3)s = %(py0)s(%(py1)s) } == %(py6)sunexpected_charsz+CSRF tokens contain unexpected characters: r rz"Insufficient character diversity: z unique charsc3RK|]}|dkDs |j|z yw)rN)log2).0pmaths rI z7test_csrf_token_entropy_and_strength..ts%B[AE1tyy|#[s ''g?rr entropy_ratiozLow entropy in CSRF tokens: z.3fz (should be > 0.8)rirrTestrjrmrnrrPrRrrz*CSRF token reuse should be prevented, got rSr)r$r#r(rwrxrr*r+r,r-r.r/rtr0r1rrmaxrstring ascii_lettersdigitsvaluesrsumrr'r))'r6r8rclientsrr9rrrrrrArr unique_tokensrr@rrCrrrrrexpected_charsr char_freqr total_charscount frequenciesentropy max_entropyroriginal_token new_clientrBrDrs' @rI$test_csrf_token_entropy_and_strengthr2sFG 3Z"v::c?  ' ' )THH\2.E e$* )  v;Q"Q;" QQQ;"QQQQQQ3QQQ3QQQQQQvQQQvQQQ;QQQ"QQQQQQQQQQQKM#m,s6{:;Nk>Q kkk>Qkkkkkk>kkk>kkkQkkk"B>RUCUVYBZZj kkkkkkk.44VESZVM4]#J]#J_: ___:______:___:______6zlB^_______c: ccc:cccccc:ccc:cccccc 6zlBbcccccccIy>L-- =DEN#n4  gAg A %ggg Agggggg3ggg3gggggggggggg gggAggg)TUeTf'gggggggg | ii  "iii iiiiii3iii3iiiiii|iii|iii iiiiii&H\IZH[[h$iiiiiiiiI#--a014 $i.K4=4D4D4FG4F55;&4FKGB[BBBG))C -.Kk)Md=3 ddd=3dddddd=ddd=ddd3ddd">}S>QQc dddddddQZF  # # %,3 &"J  ' ' )T+\ *!<^@H   rC:r : -rrr :rrrrrr8rrr8rrr rrr:rrr1[\d\p\p[q/rrrrrrrrI* )52H & % * )s0&f!!f.5 f3f8 g!f+ 8ggcx||j}|d}|jd|d|dd|jd|j5}|jdd }d d d gd }|D]} |jd d | id} | j} gd} | | v} | st j d| fd| | fdtjvst j| rt j| ndt j| t j| dz}t jd| dzd|iz}tt j|d x} x} } | jdj}gd}| jdvs3| j!}|sGd|vsM|dj}d}||v}|st j d|fd||ft j|dtjvst j|rt j|ndd z}t jd!| d"zd#|iz}tt j|d x}}d$}||v}|st j d|fd||ft j|dtjvst j|rt j|ndd z}t jd!| d"zd#|iz}tt j|d x}}gd%}|D]}|jd&|} | j} gd'} | | v} | st j d| fd| | fdtjvst j| rt j| ndt j| t j| dz}t jd(|dzd|iz}tt j|d x} x} } | jd}d)}||v}|st j d|fd||ft j|d*tjvst j|rt j|nd*d z}t jd+|d"zd#|iz}tt j|d x}}d,}||v}|st j d|fd||ft j|d*tjvst j|rt j|nd*d z}t jd-|d"zd#|iz}tt j|d x}}d.}|jd/|d0d1dd2d3z}t"j$j'|d4|d5} t)|d65}|j+|d d d d7|d5}|jd8|} | j} gd9} | | v} | st j d| fd| | fdtjvst j| rt j| ndt j| t j| dz}t jd:dzd|iz}tt j|d x} x} } d7|d5} d;dz|j3d?d@dAd g} | D]}!|jdB|!} | j} gd} | | v} | st j d| fd| | fdtjvst j| rt j| ndt j| t j| dz}t jdC|!d dDdEdzd|iz}tt j|d x} x} } y #1swYxYw#1swYCxYw#t,$rYYwxYw#t4$rYy wxYw)Fa Test file upload security including path traversal prevention and malicious file handling. Security Risk: Insecure file handling allows path traversal attacks, malicious file uploads, and potential remote code execution. Attack Scenarios: - Path traversal to access files outside allowed directories - Upload of executable files (PHP, JSP, etc.) - Filename injection with special characters - Oversized file uploads (DoS) rrr rrrrerfrgN)z../../../etc/passwdz$..\..\..\windows\system32\config\samz....//....//....//etc/passwdz$User-photos/../../sensitive_file.txtzUser-photos/../app.pyz'%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswdz#..%252f..%252f..%252fetc%252fpasswd/api/image/delete?csrf_token=relrmrnrNrrPrRrrzPath traversal not blocked: rSrTrT)z access deniedzpermission deniedzfile not found forbidden)rNrmessageetcr])z%(py1)s not in %(py3)s)rrz.Path traversal response reveals system paths: rrwindows) ztest.phpztest.jspztest.aspztest.pyz!.jpgz'; DROP TABLE images; --.jpgz test.jpgaCvery_long_filename_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jpgz .htaccessz web.configz/slika?rel=User-photos/)rsrNrrz,Unexpected response for malicious filename: z