08ea5fbe98
添加用户管理视图、API和状态管理文件
#!/usr/bin/env python3
"""
安全测试模块演示脚本
展示安全测试的核心功能。
"""
from core.security import (
SQLInjectionDetector,
XSSDetector,
CSRFProtector,
InputSanitizer,
PasswordStrengthChecker,
SecurityHeaders,
SecurityAuditLogger,
SecurityScanner,
)
def demo_sql_injection_detection():
    """Demo 1: run the SQL-injection detector over labelled samples.

    Each sample is paired with the verdict expected from
    ``SQLInjectionDetector.detect``; one line is printed per sample with
    ✅ when ``result.is_injection`` matches the expectation and ❌ when it
    does not. Output only, nothing is returned.
    """
    rule = "=" * 60
    print("\n" + rule)
    print("演示1: SQL注入检测")
    print(rule)

    sql_detector = SQLInjectionDetector()

    # (sample, expected verdict): three classic injection strings that
    # should be flagged, two ordinary identifiers that should not.
    samples = (
        ("' OR '1'='1", True),
        ("'; DROP TABLE users; --", True),
        ("1' AND 1=1 --", True),
        ("normal_username", False),
        ("user@example.com", False),
    )

    for sample, expected in samples:
        verdict = sql_detector.detect(sample)
        matched = verdict.is_injection == expected
        mark = "✅" if matched else "❌"
        # Truncate to 30 chars and left-align so the columns line up.
        print(f"{mark} 输入: {sample[:30]:<30} -> 检测: {verdict.is_injection}")


def demo_xss_detection():
    """Demo 2: run the XSS detector over labelled samples.

    Prints one line per sample: ✅ when ``result.is_xss`` from
    ``XSSDetector.detect`` equals the expected verdict, ❌ otherwise.
    Output only, nothing is returned.
    """
    rule = "=" * 60
    print("\n" + rule)
    print("演示2: XSS检测")
    print(rule)

    xss_detector = XSSDetector()

    def report(sample, flagged, expected):
        # One output row; the sample is cut to 30 chars so rows stay aligned.
        mark = "✅" if flagged == expected else "❌"
        print(f"{mark} 输入: {sample[:30]:<30} -> 检测: {flagged}")

    # (sample, expected verdict): three script-injection forms that should
    # be flagged, two pieces of harmless markup/text that should not.
    samples = (
        ("<script>alert('xss')</script>", True),
        ("<img src=x onerror=alert('xss')>", True),
        ("javascript:alert('xss')", True),
        ("<div>正常内容</div>", False),
        ("普通文本", False),
    )

    for sample, expected in samples:
        report(sample, xss_detector.detect(sample).is_xss, expected)


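def demo_csrf_protection():
    """Demo 3: generate a CSRF token and validate a good and a bad one.

    Unlike the original, the ✅/❌ mark on each validation line is derived
    from the outcome instead of being hard-coded, so the demo visibly
    fails when ``validate_token`` accepts the wrong token or rejects the
    right one — consistent with demos 1 and 2. Output only, nothing is
    returned.
    """
    rule = "=" * 60
    print("\n" + rule)
    print("演示3: CSRF防护")
    print(rule)

    protector = CSRFProtector()

    # Generate a token bound to a user id. Only a 30-char prefix is echoed;
    # the token is a secret and a demo should not print it in full.
    token = protector.generate_token("user123")
    print(f"✅ 生成Token: {token[:30]}...")

    # The freshly generated token must validate for the same user.
    is_valid = protector.validate_token("user123", token)
    print(f"{'✅' if is_valid else '❌'} 验证有效Token: {is_valid}")

    # An arbitrary string must be rejected.
    is_valid = protector.validate_token("user123", "invalid_token")
    print(f"{'✅' if not is_valid else '❌'} 验证无效Token: {is_valid}")

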
def demo_input_sanitization():
    """Demo 4: show what ``InputSanitizer.sanitize_html`` does to a few inputs.

    For each sample the input and the sanitised output are printed, each
    truncated to 35 characters. No verdict is computed here; the ✅ is a
    fixed row marker, not a pass/fail result. Output only.
    """
    rule = "=" * 60
    print("\n" + rule)
    print("演示4: 输入净化")
    print(rule)

    html_sanitizer = InputSanitizer()

    # Two script-bearing fragments and one benign paragraph.
    samples = (
        "<script>alert('xss')</script>",
        "<p>正常段落</p>",
        "<img src=x onerror=alert('xss')>",
    )

    for raw in samples:
        cleaned = html_sanitizer.sanitize_html(raw)
        print(f"✅ 输入: {raw[:35]:<35}")
        print(f" 输出: {cleaned[:35]:<35}")


def demo_password_strength():
    """Demo 5: score a few sample passwords with ``PasswordStrengthChecker``.

    Prints the candidate, ``result.strength`` and ``result.score`` for each
    one. The candidates are fixed sample strings chosen to span weak to
    strong; they are echoed to stdout, so this routine is for demo output
    only and must never be pointed at real credentials.
    """
    rule = "=" * 60
    print("\n" + rule)
    print("演示5: 密码强度检查")
    print(rule)

    strength_checker = PasswordStrengthChecker()

    # From trivially weak to mixed-case/symbol/digit.
    candidates = ("123", "password", "Password123", "P@ssw0rd!2024")

    for candidate in candidates:
        verdict = strength_checker.check(candidate)
        strength, score = verdict.strength, verdict.score
        print(f"✅ 密码: {candidate:<20} -> 强度: {strength:<10} 评分: {score}")


def demo_security_headers():
    """Demo 6: list the HTTP security headers ``SecurityHeaders`` recommends.

    Prints ``name: value`` for every entry returned by ``get_headers()``.
    Output only, nothing is returned.
    """
    rule = "=" * 60
    print("\n" + rule)
    print("演示6: 安全HTTP头部")
    print(rule)

    recommended = SecurityHeaders().get_headers()

    for name in recommended:
        print(f"✅ {name}: {recommended[name]}")


def demo_security_audit_log():
    """Demo 7: record two security events and read them back.

    Logs one SQL-injection and one XSS attempt via
    ``SecurityAuditLogger.log_event`` (with sample private-range source
    addresses), then prints the event count from ``get_events()`` and the
    summary from ``get_stats()``. Output only, nothing is returned.
    """
    rule = "=" * 60
    print("\n" + rule)
    print("演示7: 安全审计日志")
    print(rule)

    audit = SecurityAuditLogger()

    # Each entry is passed to log_event as keyword arguments. The
    # ``details`` payload carries the offending input so an analyst can
    # see what was attempted, not just that something was.
    sample_events = (
        {
            "event_type": "SQL_INJECTION_ATTEMPT",
            "source_ip": "192.168.1.1",
            "details": {"input": "' OR '1'='1"},
        },
        {
            "event_type": "XSS_ATTEMPT",
            "source_ip": "192.168.1.2",
            "details": {"input": "<script>alert('xss')</script>"},
        },
    )
    for event in sample_events:
        audit.log_event(**event)
    print("✅ 记录2个安全事件")

    # Read back what was recorded.
    recorded = audit.get_events()
    print(f"✅ 事件数量: {len(recorded)}")

    # Aggregate view of the log.
    summary = audit.get_stats()
    print(f"✅ 统计: {summary}")


def demo_security_scanner():
    """Demo 8: scan a small form-like payload with ``SecurityScanner``.

    The payload has one SQL-injection value, one XSS value and one benign
    e-mail. Prints the report's scanned-item count, threat count and scan
    time, then one line per threat with its type and level. Output only.
    """
    rule = "=" * 60
    print("\n" + rule)
    print("演示8: 综合安全扫描")
    print(rule)

    payload = {
        "username": "' OR '1'='1",
        "comment": "<script>alert('xss')</script>",
        "email": "test@example.com",
    }

    report = SecurityScanner().scan(payload)
    threats = report.threats

    print(f"✅ 扫描数据项: {report.total_scanned}")
    print(f"✅ 发现威胁: {len(threats)}")
    # scan_time is printed to four decimals (seconds).
    print(f"✅ 扫描耗时: {report.scan_time:.4f}s")

    for found in threats:
        # ``level`` is used as an enum-like object with a ``.value``.
        print(f" - {found.threat_type}: {found.level.value}")


def main():
    """Run every demo section in order, framed by a start and end banner."""
    rule = "=" * 60

    print("\n" + rule)
    print("安全测试模块演示")
    print(rule)

    # Order matters only for readability of the output (demo 1 … demo 8).
    sections = (
        demo_sql_injection_detection,
        demo_xss_detection,
        demo_csrf_protection,
        demo_input_sanitization,
        demo_password_strength,
        demo_security_headers,
        demo_security_audit_log,
        demo_security_scanner,
    )
    for section in sections:
        section()

    print("\n" + rule)
    print("✅ 所有演示完成!")
    print(rule)


# Script entry point: only run the demos when executed directly, not on import.
if __name__ == "__main__":
    main()