
Security Testing

Nick edited this page Nov 26, 2025 · 1 revision

Security Testing Guide

Comprehensive security testing procedures for PATAS.

Overview

This guide covers security testing for:

  • SQL injection prevention
  • XSS protection
  • CSRF protection
  • Rate limiting bypass
  • Authentication bypass
  • Input validation

Automated Security Tests

Running Security Tests

# Run all security tests
pytest tests/test_security.py -v

# Run with coverage
pytest tests/test_security.py --cov=app --cov-report=html

Test Categories

  1. SQL Injection Tests - test_sql_injection.py
  2. Input Validation Tests - test_input_validation.py
  3. Authentication Tests - test_authentication.py
  4. Rate Limiting Tests - test_rate_limiting.py

Manual Security Tests

1. SQL Injection Testing

Test Cases

# Test 1: Classic SQL injection
# ('\'' embeds a literal single quote inside the single-quoted shell string)
curl -X POST http://localhost:8000/v1/classify \
  -H "X-API-Key: test-key" \
  -H "Content-Type: application/json" \
  -d '{"text": "test'\''; DROP TABLE messages; --", "lang": "en"}'

# Expected: Request should succeed without database modification

# Test 2: UNION-based injection
curl -X POST http://localhost:8000/api/v1/analyze \
  -H "X-API-Key: test-key" \
  -H "Content-Type: application/json" \
  -d '{"messages": [{"id": "1 UNION SELECT * FROM users", "text": "test"}]}'

# Expected: Request should be rejected or sanitized

Verification

  1. Check database tables are intact
  2. Verify no unauthorized data access
  3. Check logs for injection attempts
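
The verification steps above can be rehearsed offline. The following is an added example, not code from the PATAS repository: it runs the two payloads from the test cases against an in-memory SQLite database through a string-built query and a parameterized one, then applies checks 1 and 2. The schema, the sample secret and all function names are assumptions made for illustration.

```python
import sqlite3

# Payloads copied from the two manual test cases above.
DROP_PAYLOAD = "test'; DROP TABLE messages; --"
UNION_PAYLOAD = "1 UNION SELECT * FROM users"
SECRET = "constructed-api-key"  # constructed sample data

def fresh_db():
    """In-memory stand-in for the application database (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, text TEXT);"
        "CREATE TABLE users (api_key TEXT);"
        "INSERT INTO messages (text) VALUES ('hello');"
        f"INSERT INTO users VALUES ('{SECRET}');"
    )
    return db

def unsafe_by_text(db, text):
    # Vulnerable: payload is spliced into the SQL text. executescript()
    # stands in for a driver that accepts stacked statements.
    db.executescript(f"SELECT id FROM messages WHERE text = '{text}';")

def unsafe_by_id(db, msg_id):
    # Vulnerable: unquoted numeric context, payload becomes part of the query.
    return db.execute(f"SELECT text FROM messages WHERE id = {msg_id}").fetchall()

def safe_by_text(db, text):
    # Hardened: payload travels as a bound parameter, never as SQL.
    return db.execute("SELECT id FROM messages WHERE text = ?", (text,)).fetchall()

def safe_by_id(db, msg_id):
    return db.execute("SELECT text FROM messages WHERE id = ?", (msg_id,)).fetchall()

def verify(by_text, by_id):
    """Apply verification steps 1 and 2: tables intact, no rows from users."""
    db = fresh_db()
    rows = by_id(db, UNION_PAYLOAD)
    by_text(db, DROP_PAYLOAD)
    names = {r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    return {
        "tables_intact": names == {"messages", "users"},
        "data_leaked": any(SECRET in r for r in rows),
    }
```
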

2. XSS Testing

Test Cases

# Test 1: Script injection in text
curl -X POST http://localhost:8000/v1/classify \
  -H "X-API-Key: test-key" \
  -H "Content-Type: application/json" \
  -d '{"text": "<script>alert(1)</script>", "lang": "en"}'

# Expected: Script tags should be escaped in response

# Test 2: Event handler injection
curl -X POST http://localhost:8000/v1/classify \
  -H "X-API-Key: test-key" \
  -H "Content-Type: application/json" \
  -d '{"text": "<img src=x onerror=alert(1)>", "lang": "en"}'

# Expected: HTML should be escaped

3. CSRF Testing

Test Cases

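# Test 1: Cross-origin request without proper headers
# (-i prints the response headers so the CORS headers can be inspected)
curl -i -X POST http://localhost:8000/v1/classify \
  -H "Origin: http://evil.com" \
  -H "Content-Type: application/json" \
  -d '{"text": "test", "lang": "en"}'

# Expected: Should be blocked by CORS policy (in production).
# curl does not enforce CORS itself, so check that the response carries
# no Access-Control-Allow-Origin header matching http://evil.com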

Verification

  1. Verify CORS headers are properly set
  2. Check that cross-origin requests are blocked

4. Authentication Bypass Testing

Test Cases

# Test 1: Missing API key
curl -X POST http://localhost:8000/v1/classify \
  -H "Content-Type: application/json" \
  -d '{"text": "test", "lang": "en"}'

# Expected: 401 Unauthorized

# Test 2: Invalid API key
curl -X POST http://localhost:8000/v1/classify \
  -H "X-API-Key: invalid-key" \
  -H "Content-Type: application/json" \
  -d '{"text": "test", "lang": "en"}'

# Expected: 403 Forbidden

# Test 3: SQL injection in API key
curl -X POST http://localhost:8000/v1/classify \
  -H "X-API-Key: ' OR '1'='1" \
  -H "Content-Type: application/json" \
  -d '{"text": "test", "lang": "en"}'

# Expected: 403 Forbidden

5. Rate Limiting Bypass Testing

Test Cases

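# Test 1: Rapid requests
# (-o /dev/null -w prints only the HTTP status code, one per line, so grep counts 429s)
for i in {1..100}; do
  curl -s -o /dev/null -w "%{http_code}\n" -X POST http://localhost:8000/v1/classify \
    -H "X-API-Key: test-key" \
    -H "Content-Type: application/json" \
    -d '{"text": "test", "lang": "en"}'
done | grep -c "429"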

# Expected: Should see 429 responses after limit exceeded

# Test 2: IP rotation attempt (requires multiple IPs)
# This should still be rate limited by API key
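
Test 2 needs several source addresses, so its expectation can be checked offline instead. This added example (not PATAS code) replays constructed traffic from one API key that changes IP on every request through a sliding-window limiter, bucketed first by IP and then by API key. The limit of 10 requests per 60 seconds, the request fields and all names are assumptions.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allows at most `limit` requests per `window` seconds for each bucket."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # bucket -> timestamps of allowed requests

    def allow(self, bucket, now):
        q = self.hits[bucket]
        while q and now - q[0] >= self.window:  # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def by_ip(req):
    return req["ip"]

def by_api_key(req):
    return req["api_key"]

def replay(requests, bucket_fn, limit=10, window=60.0):
    """Return the status code each request would receive (200 or 429)."""
    limiter = SlidingWindowLimiter(limit, window)
    return [200 if limiter.allow(bucket_fn(r), r["t"]) else 429 for r in requests]

# Constructed traffic: one API key, one request per second, a new source IP each time.
ROTATING = [
    {"t": float(i), "ip": f"198.51.100.{i + 1}", "api_key": "test-key"}
    for i in range(30)
]

if __name__ == "__main__":
    print("bucket by IP      :", replay(ROTATING, by_ip).count(429), "x 429")
    print("bucket by API key :", replay(ROTATING, by_api_key).count(429), "x 429")
```
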

6. Input Validation Testing

Test Cases

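# Test 1: Oversized input (valid JSON with a 1,000,000-character text field)
python -c "import json; print(json.dumps({'text': 'A' * 1000000, 'lang': 'en'}))" | \
  curl -X POST http://localhost:8000/v1/classify \
    -H "X-API-Key: test-key" \
    -H "Content-Type: application/json" \
    -d @-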

# Expected: 413 or 400 error

# Test 2: Invalid JSON
curl -X POST http://localhost:8000/v1/classify \
  -H "X-API-Key: test-key" \
  -H "Content-Type: application/json" \
  -d '{invalid json}'

# Expected: 400 Bad Request

# Test 3: Invalid field types
curl -X POST http://localhost:8000/v1/classify \
  -H "X-API-Key: test-key" \
  -H "Content-Type: application/json" \
  -d '{"text": 12345, "lang": "en"}'

# Expected: 422 Validation Error

Security Scanning Tools

OWASP ZAP

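# Run ZAP scan
# (zaproxy/zap-stable replaces the deprecated owasp/zap2docker-stable image;
#  --network host lets the container reach the API on the host's localhost, Linux only)
docker run --network host -t zaproxy/zap-stable zap-api-scan.py \
  -t http://localhost:8000/openapi.json \
  -f openapi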

SQLMap

# Test for SQL injection
# (--headers takes all extra headers in one value, separated by \n)
sqlmap -u "http://localhost:8000/v1/classify" \
  --data='{"text":"test","lang":"en"}' \
  --headers="X-API-Key: test-key\nContent-Type: application/json"

Nikto

# Web server scan
nikto -h http://localhost:8000

Security Checklist

Pre-Deployment

  • All SQL queries use parameterized statements
  • Input validation on all endpoints
  • API key authentication enforced
  • Rate limiting configured
  • CORS properly configured
  • Error messages don't leak information
  • PII redaction enabled
  • HTTPS enforced (in production)

Post-Deployment

  • Security scan completed (ZAP/Nikto)
  • SQL injection testing passed
  • Authentication bypass testing passed
  • Rate limiting verified
  • Log monitoring configured
  • Incident response plan documented

Reporting Security Issues

If you discover a security vulnerability:

  1. DO NOT create a public issue
  2. Email security@example.com
  3. Include detailed reproduction steps
  4. Allow 90 days for fix before disclosure
