#!/bin/bash set -uo pipefail # SEC-201: Security penetration test covering key attack vectors. # Covers: auth bypass, session management, input validation, path traversal, # SSRF, command injection, session fixation, container escape. # Runs all tests directly against the backend HTTP API (no SSH needed for curl). HOST="${1:-192.168.1.228}" PASSWORD="${2:-password123}" BACKEND="http://$HOST:5678" SSH_KEY="${ARCHIPELAGO_SSH_KEY:-$HOME/.ssh/archipelago-deploy}" SSH_CMD="ssh -i $SSH_KEY -o StrictHostKeyChecking=no -o ConnectTimeout=10 archipelago@$HOST" PASS=0 FAIL=0 RESULTS=() log() { echo -e "\033[1;34m[SEC]\033[0m $*"; } pass() { echo -e "\033[1;32m[PASS]\033[0m $*"; PASS=$((PASS + 1)); RESULTS+=("PASS: $*"); } fail() { echo -e "\033[1;31m[FAIL]\033[0m $*"; FAIL=$((FAIL + 1)); RESULTS+=("FAIL: $*"); } SESSION="" CSRF="" # Login and extract session + CSRF token get_auth() { local login_out login_out=$(curl -sv "$BACKEND/rpc/v1" \ -X POST -H 'Content-Type: application/json' \ -d "{\"method\":\"auth.login\",\"params\":{\"password\":\"$PASSWORD\"}}" 2>&1 || true) SESSION=$(echo "$login_out" | grep -i "set-cookie.*session=" | sed 's/.*session=//;s/;.*//' | head -1) CSRF=$(echo "$login_out" | grep -i "set-cookie.*csrf_token=" | sed 's/.*csrf_token=//;s/;.*//' | head -1) } rpc_raw() { local method="$1" params="${2:-{}}" curl -s --max-time 10 -X POST "$BACKEND/rpc/v1" \ -H 'Content-Type: application/json' \ -d "{\"method\":\"$method\",\"params\":$params}" 2>/dev/null || echo "" } rpc_auth() { local method="$1" params="${2:-{}}" curl -s --max-time 10 -X POST "$BACKEND/rpc/v1" \ -H 'Content-Type: application/json' \ -H "Cookie: session=$SESSION; csrf_token=$CSRF" \ -H "X-CSRF-Token: $CSRF" \ -d "{\"method\":\"$method\",\"params\":$params}" 2>/dev/null || echo "" } main() { log "=== Security Penetration Test ===" echo "" # 1. Authentication bypass — unauthenticated access to protected endpoints log "1. Auth bypass — calling protected RPC without session..." local result result=$(rpc_raw "container-list") if echo "$result" | grep -qi '"code":401\|unauthorized'; then pass "Protected endpoints reject unauthenticated requests" else fail "container-list accessible without authentication" fi # 2. Auth bypass — invalid session token log "2. Auth bypass — invalid session token..." SESSION="fake-session-token-12345" CSRF="fake-csrf" result=$(rpc_auth "container-list") if echo "$result" | grep -qi '"code":401\|unauthorized\|"code":403'; then pass "Invalid session tokens are rejected" else fail "Invalid session token accepted" fi # 3. Auth bypass — wrong password log "3. Auth bypass — wrong password..." result=$(curl -s --max-time 10 -X POST "$BACKEND/rpc/v1" \ -H 'Content-Type: application/json' \ -d '{"method":"auth.login","params":{"password":"wrongpassword"}}' 2>/dev/null || echo "") if echo "$result" | grep -q '"error"'; then pass "Wrong password correctly rejected" else fail "Wrong password accepted" fi # Get valid session for further tests log "Getting valid session..." get_auth if [ ${#SESSION} -lt 10 ]; then log "WARNING: Could not get valid session (len=${#SESSION})" fi echo "" # 5. Input validation — SQL injection attempt in RPC params log "5. Input validation — SQL injection in params..." result=$(rpc_auth "identity.get" "{\"id\":\"1; DROP TABLE identities; --\"}") if echo "$result" | grep -qi "drop table\|sql\|syntax error"; then fail "Possible SQL injection vulnerability" else pass "SQL injection attempt handled safely" fi # 6. Input validation — XSS in params log "6. Input validation — XSS in params..." result=$(rpc_auth "identity.create" "{\"name\":\"\",\"purpose\":\"personal\"}") if echo "$result" | grep -q '