Merge pull request #30 from AikidoSec/lowercase-input-and-queries-before-si-detection

Enhance SQL injection detection and improve regex handling

Author: willem-delbare

Aikido.Zen.Core/Api/Models/ReportingAPIResponse.cs

@@ -53,6 +53,6 @@ public class ReportingAPIResponse : APIResponse
         /// <summary>
         /// Gets the regex pattern for blocked user agents.
         /// </summary>
-        public Regex BlockedUserAgentsRegex => new Regex(BlockedUserAgents);
+        public Regex BlockedUserAgentsRegex => BlockedUserAgents != null ? new Regex(BlockedUserAgents) : null;
     }
 }

Aikido.Zen.Core/Vulnerabilities/SQLInjectionDetector.cs

@@ -10,13 +10,16 @@ public class SQLInjectionDetector
     {
         /// <summary>
         /// Detects potential SQL injection vulnerabilities in a query string
+        /// the query and userInput are converted to lowercase before being processed
         /// </summary>
         /// <param name="query">The SQL query to analyze</param>
         /// <param name="userInput">The user input to check for injection attempts</param>
         /// <param name="dialect">The SQL dialect identifier</param>
         /// <returns>True if SQL injection is detected, false otherwise</returns>
         public static bool IsSQLInjection(string query, string userInput, SQLDialect dialect)
         {
+            query = query?.ToLower();
+            userInput = userInput?.ToLower();
             return ZenInternals.IsSQLInjection(query, userInput, dialect.ToRustDialectInt());
         }
     }

Aikido.Zen.Test/testdata/data.SQLInjectionDetector.json

@@ -10,7 +10,7 @@
         "command": "SELECT * FROM users WHERE id = '1'; DROP TABLE users; -- '",
         "dialect": 0,
         "userInput": "1'; DROP TABLE users; -- ",
-        "description": "ATTACK: Command chaining with comment", 
+        "description": "ATTACK: Command chaining with comment",
         "isInjection": true
     },
     {
@@ -52,7 +52,7 @@
         "command": "INSERT INTO dbo.pets (pet_name, owner) VALUES ('Malicious Pet', 'Aikido Security'), ('Gru from the Minions', 'Evil Corp'); -- '",
         "dialect": 7,
         "userInput": "Malicious Pet', 'Aikido Security'), ('Gru from the Minions', 'Evil Corp'); -- ",
-        "description": "ATTACK: Microsoft SQL injection with multiple values", 
+        "description": "ATTACK: Microsoft SQL injection with multiple values",
         "isInjection": true
     },
     {
@@ -89,5 +89,47 @@
         "userInput": "' OR 1=1 -- ",
         "description": "SAFE: PostgreSQL named dollar sign quotes",
         "isInjection": false
+    },
+    {
+        "command": "SELECT * FROM users WHERE id = 'USER'",
+        "dialect": 0,
+        "userInput": "USER",
+        "description": "SAFE: Uppercase user input",
+        "isInjection": false
+    },
+    {
+        "command": "SELECT * FROM users WHERE id = 'user'",
+        "dialect": 0,
+        "userInput": "USER",
+        "description": "SAFE: Lowercase query with uppercase user input",
+        "isInjection": false
+    },
+    {
+        "command": "SELECT * FROM USERS WHERE ID = 'user'",
+        "dialect": 0,
+        "userInput": "user",
+        "description": "SAFE: Uppercase query with lowercase user input",
+        "isInjection": false
+    },
+    {
+        "command": "SELECT * FROM USERS WHERE ID = 'USER'",
+        "dialect": 0,
+        "userInput": "user",
+        "description": "SAFE: Uppercase query and user input",
+        "isInjection": false
+    },
+    {
+        "command": "SELECT * FROM users WHERE id = 'user' OR 1=1 --",
+        "dialect": 0,
+        "userInput": "USER' OR 1=1 --",
+        "description": "ATTACK: Uppercase user input with SQL injection",
+        "isInjection": true
+    },
+    {
+        "command": "SELECT * FROM USERS WHERE ID = 'user' OR 1=1 --",
+        "dialect": 0,
+        "userInput": "user' OR 1=1 --",
+        "description": "ATTACK: Uppercase query with lowercase user input and SQL injection",
+        "isInjection": true
     }
 ]