Improve WAVSEP score for SQL injection by at least 20%

[andresriancho]

User story

As a user I want w3af to find as many SQL injection vulnerabilities as possible.

Conditions of satisfaction

• [x] Unittests for all SQL sections of WAVSEP need to be written
  • [x] Evaluation of SQL Injection Detection Accuracy - GET - Erroneous 500 Responses
  • [x] Evaluation of SQL Injection Detection Accuracy - GET - Erroneous 200 Responses
  • [x] Evaluation of SQL Injection Detection Accuracy - GET - 200 Responses With Differentiation
  • [x] Evaluation of SQL Injection Detection Accuracy - GET - Identical 200 Responses
  • [x] Evaluation of SQL Injection Detection Accuracy - POST - Erroneous 500 Responses
  • [x] Evaluation of SQL Injection Detection Accuracy - POST - Erroneous 200 Responses
  • [x] Evaluation of SQL Injection Detection Accuracy - POST - 200 Responses With Differentiation
  • [x] Evaluation of SQL Injection Detection Accuracy - POST - Identical 200 Responses
  • [x] Evaluation of SQL Injection Detection Accuracy - GET - Erroneous 200 Responses - Exotic Test Cases
  • [x] Evaluation of SQL Injection Detection Accuracy - POST - Erroneous 200 Responses - Exotic Test Cases
• [x] Improve coverage by ~20%
• [x] Add coverage for:
  • [x] /active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Identical/
  • [x] Case04-InjectionInUpdate-Numeric-TimeDelayExploit-200Identical.jsp
  • [x] Case05-InjectionInUpdate-String-TimeDelayExploit-200Identical.jsp
  • [x] Case07-InjectionInUpdate-NumericWithoutQuotes-TimeDelayExploit-200Identical.jsp
  • [x] Case08-InjectionInUpdate-DateWithoutQuotes-TimeDelayExploit-200Identical.jsp
• [x] Try to identify the minimal payload test for which all WAVSEP tests PASS by removing them from blind_sqli_time_delay.py and running nosetests w3af/plugins/tests/audit/test_sqli.py
• [x] Make tests stable!
  • Failed build https://circleci.com/gh/andresriancho/w3af/2522 PASS most of the time
  • Analysis shows the the detection fails because of ExtendedUrllib error rate is at 4% which leads to (note the 0.2 time):
  • Need to analyze using tcpdump to understand who's failing (wavsep or w3af)

(Test id: 139848028003088) 4.05064296722 > 0.2 > 1.99437300364 (Test id: 139848028003088) Failed to control HTTP response delay for URL http://127.0.0.1:8098/active/SQL-Injection/SInjection-Detection-Evaluation-GET-200Identical/Case08-InjectionInUpdate-DateWithoutQuotes-TimeDelayExploit-200Identical.jsp - parameter "transactionDate" for 2 seconds using <ExactDelay (fmt:1 OR (SELECT * FROM (SELECT(SLEEP(%s)))foo), delta:0, mult:1)>, response wait time was: 0.2 seconds and response ID: 498.

Notes

Related with "Install WAVSEP in CircleCI" #919 Related with "Improve WAVSEP score for XSS" #37

[andresriancho]

Multiple tests are failing, I'm guessing this is CircleCI's fault. More debugging is needed...