35 tests cover SQL injection, XSS, command injection, and LDAP injection detection.
Injection detection is enabled by default and scans all input locations:
# config.yaml
injection_detection:
enabled: true
scan_locations:
- query_parameters
- path_parameters
- headers
- body
patterns:
sql_injection: true
xss: true
command_injection: true
ldap_injection: true
xpath_injection: truecurl "http://localhost:8080/users?search=' UNION SELECT * FROM passwords --"HTTP/1.1 400 Bad Request
{"error": "SQL injection pattern detected", "code": "SQL_INJECTION_BLOCKED", "location": "query.search"}Classic SQL injection patterns including UNION SELECT are detected and blocked in all input fields.
curl -X POST -d '{"username": "admin\' OR \'1\'=\'1"}' http://localhost:8080/loginBoolean-based SQL injection attempts are detected regardless of quote style or spacing.
curl -X POST -d '{"comment": "<script>alert(document.cookie)</script>"}' http://localhost:8080/comments{"error": "XSS pattern detected", "code": "XSS_BLOCKED"}Cross-site scripting attempts using script tags are blocked before reaching the backend.
curl -X POST -d '{"bio": "<img src=x onerror=alert(1)>"}' http://localhost:8080/profileHTML event handlers (onerror, onclick, onload) are detected and blocked.
curl -X POST -d '{"filename": "test.txt; rm -rf / #"}' http://localhost:8080/files{"error": "Command injection pattern detected", "code": "CMD_INJECTION_BLOCKED"}Shell command injection patterns (;, |, &&, ||, $()) are detected and blocked.
curl -X POST -d '{"username": "*)(uid=*))(|(uid=*"}' http://localhost:8080/searchLDAP injection patterns attempting to manipulate LDAP queries are detected and blocked.