张翔
261c45b4d9
阶段五:性能和安全测试 - 创建负载测试脚本:模拟正常用户访问模式 - 创建压力测试脚本:测试系统极限性能 - 创建SQL注入测试脚本:验证SQL注入防护 - 创建XSS防护测试脚本:验证XSS防护 - 添加测试脚本到package.json 阶段六:文档和培训 - 更新README.md:添加监控和告警文档 - 添加性能测试文档和命令 - 添加安全测试文档和命令 - 添加Docker部署文档 - 添加生产环境配置文档 - 添加备份和恢复文档
84 lines
2.2 KiB
JavaScript
84 lines
2.2 KiB
JavaScript
import http from 'k6/http';
|
|
import { check } from 'k6';
|
|
|
|
export const options = {
|
|
thresholds: {
|
|
checks: ['rate==1.0'], // 所有安全检查必须通过
|
|
},
|
|
};
|
|
|
|
const BASE_URL = __ENV.BASE_URL || 'http://localhost:3000';
|
|
|
|
const sqlInjectionPayloads = [
|
|
"' OR '1'='1",
|
|
"' OR '1'='1' --",
|
|
"' OR '1'='1' /*",
|
|
"' OR 1=1 --",
|
|
"admin'--",
|
|
"admin'/*",
|
|
"' UNION SELECT NULL--",
|
|
"1' ORDER BY 1--",
|
|
"'; DROP TABLE users--",
|
|
"'; INSERT INTO users--",
|
|
"' OR SLEEP(5)--",
|
|
"1' AND SLEEP(5)--",
|
|
"'; WAITFOR DELAY '0:0:5'--",
|
|
"1'; EXEC xp_cmdshell('dir')--",
|
|
"'; EXEC master..xp_cmdshell 'dir'--",
|
|
];
|
|
|
|
export default function () {
|
|
let allPassed = true;
|
|
|
|
sqlInjectionPayloads.forEach((payload) => {
|
|
const testCases = [
|
|
{
|
|
name: 'Contact Form - SQL Injection',
|
|
url: `${BASE_URL}/api/contact`,
|
|
method: 'POST',
|
|
body: JSON.stringify({
|
|
name: payload,
|
|
email: 'test@example.com',
|
|
phone: '13800138000',
|
|
message: 'Test message',
|
|
}),
|
|
},
|
|
{
|
|
name: 'Search - SQL Injection',
|
|
url: `${BASE_URL}/api/search?q=${encodeURIComponent(payload)}`,
|
|
method: 'GET',
|
|
},
|
|
];
|
|
|
|
testCases.forEach((testCase) => {
|
|
let res;
|
|
if (testCase.method === 'POST') {
|
|
res = http.post(testCase.url, testCase.body, {
|
|
headers: { 'Content-Type': 'application/json' },
|
|
tags: { name: testCase.name },
|
|
});
|
|
} else {
|
|
res = http.get(testCase.url, {
|
|
tags: { name: testCase.name },
|
|
});
|
|
}
|
|
|
|
const passed = check(res, {
|
|
'status is 200 or 400 or 422': (r) => [200, 400, 422].includes(r.status),
|
|
'no SQL error in response': (r) => !r.body.includes('SQL') && !r.body.includes('syntax error'),
|
|
'no database error in response': (r) => !r.body.includes('database') && !r.body.includes('mysql'),
|
|
'no stack trace in response': (r) => !r.body.includes('stack trace') && !r.body.includes('Error:'),
|
|
});
|
|
|
|
if (!passed) {
|
|
allPassed = false;
|
|
console.error(`SQL Injection test failed for payload: ${payload}`);
|
|
}
|
|
});
|
|
});
|
|
|
|
if (!allPassed) {
|
|
throw new Error('SQL Injection tests failed');
|
|
}
|
|
}
|