
⛏️ Write a test to check whether we can create/update an object with invalid UPI Id #630

Open
ankush-jain-akto opened this issue Oct 9, 2023 · 6 comments
Labels
hacktoberfest yaml requires yaml knowledge

Comments

@ankush-jain-akto
Contributor

💭 Introduction:
We want to test whether an attacker can create/update an entity with an invalid UPI Id.

🎯 Requirements:

  1. Filters - API with UPI ID as an input in a GET query parameter or JSON body parameter

  2. Execute - It should replace the value with

  • special characters
  • A very long string (> 255 characters)
  • Use whitespaces
  • Invalid UPI
  • A negative integer
  • A very long integer causing integer overflow
  • Zero
  • NULL

  3. Validation - If the application responds with an exception trace, it is a vulnerability.

📚 Reading
You can find a detailed documentation of test editor rules here
Find 100+ examples of YAML tests here

✅ Task summary:

  • Ask to be assigned to the issue.
  • Wait to be assigned. We will try to assign in less than 2 hours.
  • Signup for Akto
  • Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
  • Submit both the PR here.

✌🏻 Hints:
You can build the yaml template by referring to this link

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

@Ankita28g Ankita28g added hackfest Hackathon - 24th march to 3rd april yaml requires yaml knowledge hacktoberfest and removed hackfest Hackathon - 24th march to 3rd april labels Oct 10, 2023
@the1andonlymanojos

Hi!

I would like to be assigned this issue. This is my first time participating in Hacktoberfest; I am a CS undergrad student and would like to contribute.

@ankush-jain-akto
Contributor Author

Hi @the1andonlymanojos - Assigned it to you. Good luck 👍
Let me know, happy to come on a call and help 😃


@SanjeedhaShriya

Hey, I'd like to work on this issue.

@the1andonlymanojos

akto-api-security/tests-library#19

is the PR alright? is anything wrong with it?

@avneesh-akto
Contributor

@the1andonlymanojos

  1. Test template has some missing fields.
  2. Refer to this template https://github.com/akto-api-security/tests-library/blob/master/Local-File-Inclusion/LFIInParameter.yaml. Instead of copy-pasting multiple "req" you can use them once with lists.
  3. You are just filtering endpoints based on UPI_ID but not extracting them to a variable to be used in execution phase.

Make sure to run the template on a sample API before you make the PR.
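Putting the requirements from the issue and the three review points above together, this is the shape the template could take. It is an added example written against my reading of Akto's test-editor schema, not a file from the tests-library or from the PR; the test id, category values, key regex and payload list are my assumptions, so check every key name against the linked LFIInParameter.yaml and run it against a sample API before submitting.

```yaml
id: INVALID_UPI_ID_CREATE_UPDATE               # hypothetical test id
info:
  name: "Create/update entity with invalid UPI Id"
  description: "Replaces the UPI Id parameter with malformed values and checks whether the API leaks an exception trace."
  impact: "An exception trace shows the input was not validated and discloses framework, class and file names to the caller."
  category:
    name: IIM                                   # placeholder category values
    shortName: Input Validation
  subCategory: INVALID_UPI_ID_CREATE_UPDATE
  severity: LOW
api_selection_filters:
  response_code: {gte: 200, lt: 300}            # only endpoints that normally succeed
  or:                                           # UPI Id in a query parameter ...
    - query_param:
        for_one:
          key:
            regex: "(?i)upi.?id|vpa"            # matches upiId, upi_id, UPI-ID, vpa (assumed names)
            extract: upiKey                     # extracted here so execute can target it
    - request_payload:                          # ... or in the JSON body
        for_one:
          key:
            regex: "(?i)upi.?id|vpa"
            extract: upiKey
wordLists:                                      # one list instead of one req per payload
  invalidUpiIds:
    - "!@#$%^&*()<>'\""                         # special characters
    - "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  # 300 characters, beyond the 255 limit
    - "   "                                     # whitespace only
    - "user@"                                   # malformed UPI (bank handle missing)
    - "-1"                                      # negative integer
    - "99999999999999999999"                    # exceeds a 64-bit integer
    - "0"                                       # zero
    - "null"                                    # NULL as a string; an unquoted null would send JSON null
execute:
  type: single
  requests:
    - req:                                      # one req, iterated over the word list
        - modify_query_param:
            upiKey: ${invalidUpiIds}
        - modify_body_param:
            upiKey: ${invalidUpiIds}
validate:
  response_payload:
    contains_either:                            # markers of an exception trace in the response
      - "Exception"
      - "Traceback (most recent call last)"
      - "stack trace"
```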


5 participants