UNPKG

aimless-sdk

Version:

Enhanced Runtime Application Self-Protection (RASP) and API Fuzzing Engine with advanced threat detection, behavioral analysis, and intelligent response scoring for Node.js applications

github.com/CamozDevelopment/Aimless-Security

CamozDevelopment/Aimless-Security

100 lines (87 loc) ā€¢ 3.15 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
// Test SQL injection attacks against the demo server async function testAttack(name, url) { console.log(`\nšŸ” Testing: ${name}`); console.log(` URL: ${url}`); try { const response = await fetch(url); const status = response.status; const data = await response.json(); if (status === 403) { console.log(` āœ… BLOCKED (403 Forbidden)`); console.log(` Message: ${data.message || data.error}`); return 'BLOCKED'; } else if (status === 200) { if (data.warning) { console.log(` āŒ VULNERABLE (200 OK) - Attack succeeded!`); console.log(` Warning: ${data.warning}`); console.log(` Exposed ${data.users.length} users:`, data.users.map(u => u.username).join(', ')); return 'VULNERABLE'; } else { console.log(` āœ… ALLOWED (Normal query)`); console.log(` Found ${data.users.length} users`); return 'ALLOWED'; } } else { console.log(` āš ļø Unexpected status: ${status}`); return 'UNKNOWN'; } } catch (error) { console.log(` āŒ ERROR: ${error.message}`); return 'ERROR'; } } async function runTests() { console.log('\n=== SQL Injection Protection Test Suite ===\n'); console.log('Testing Aimless SDK v1.3.3 middleware protection...\n'); const tests = [ { name: 'Normal Query (should allow)', url: 'http://localhost:3000/api/search?username=admin' }, { name: 'Single Quote Attack (should block)', url: "http://localhost:3000/api/search?username=admin'" }, { name: 'OR 1=1 Attack (should block)', url: "http://localhost:3000/api/search?username=' OR '1'='1" }, { name: 'Comment Injection (should block)', url: "http://localhost:3000/api/search?username=admin'--" }, { name: 'Classic SQL Injection (should block)', url: "http://localhost:3000/api/search?username=' OR 1=1--" } ]; const results = []; for (const test of tests) { const result = await testAttack(test.name, test.url); results.push({ name: test.name, result }); await new Promise(resolve => setTimeout(resolve, 500)); // Small delay between tests } console.log('\n=== Test Results Summary ===\n'); let passed = 0; let failed = 0; results.forEach((r, i) => { const expected = i === 0 ? 'ALLOWED' : 'BLOCKED'; const status = r.result === expected ? 'āœ…' : 'āŒ'; console.log(`${status} ${r.name}: ${r.result} (Expected: ${expected})`); if (r.result === expected) { passed++; } else { failed++; } }); console.log(`\nšŸ“Š Results: ${passed}/${tests.length} tests passed`); if (failed > 0) { console.log('\nāš ļø SECURITY WARNING: Some attacks were NOT blocked!'); console.log('šŸ”§ This indicates the middleware is not properly protecting the application.'); process.exit(1); } else { console.log('\nāœ… All tests passed! Application is properly protected.'); process.exit(0); } } runTests();