
SQL injection testing in Testing Fundamentals - Test Execution Trace

Test Overview

This test checks if the login form is vulnerable to SQL injection by entering a malicious input. It verifies that the system does not allow unauthorized access using SQL injection.

Test Code - Selenium with Python unittest
import unittest
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC

class TestSQLInjection(unittest.TestCase):
    def setUp(self):
        self.driver = webdriver.Chrome()
        self.driver.get('http://example.com/login')

    def test_sql_injection_login(self):
        driver = self.driver
        # Find username and password fields
        username_field = WebDriverWait(driver, 10).until(
            EC.presence_of_element_located((By.ID, 'username'))
        )
        password_field = driver.find_element(By.ID, 'password')

        # Enter SQL injection string
        username_field.clear()
        username_field.send_keys("' OR '1'='1'")
        password_field.clear()
        password_field.send_keys("anything")

        # Click login button
        login_button = driver.find_element(By.ID, 'login-btn')
        login_button.click()

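        # Wait for the login failure message. If it never appears (for example,
        # because the injection bypassed the login), the wait times out with this message.
        error_message = WebDriverWait(driver, 10).until(
            EC.presence_of_element_located((By.ID, 'login-error')),
            message="No login error shown after SQL injection input; possible vulnerability"
        )

        # Assert that error message is displayed, meaning injection failed
        self.assertTrue(error_message.is_displayed(), "SQL Injection succeeded, vulnerability found")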

    def tearDown(self):
        self.driver.quit()

if __name__ == '__main__':
    unittest.main()
Execution Trace - 9 Steps
| Step | Action | System State | Assertion | Result |
|------|--------|--------------|-----------|--------|
| 1 | Test starts and opens Chrome browser | Browser opened at 'http://example.com/login' showing login form with username, password fields and login button | - | PASS |
| 2 | Find username input field by ID 'username' | Username input field is present and ready for input | WebDriverWait confirms presence of username field | PASS |
| 3 | Find password input field by ID 'password' | Password input field is present and ready for input | - | PASS |
| 4 | Enter SQL injection string "' OR '1'='1'" into username field | Username field contains malicious input | - | PASS |
| 5 | Enter 'anything' into password field | Password field contains input | - | PASS |
| 6 | Find and click login button by ID 'login-btn' | Login button clicked, form submitted | - | PASS |
| 7 | Wait for error message element with ID 'login-error' to appear | Error message displayed on page indicating login failure | Check that error message is displayed to confirm login failed | PASS |
| 8 | Assert error message is displayed to verify SQL injection did not bypass login | Test confirms login failure message is visible | assertTrue(error_message.is_displayed()) | PASS |
| 9 | Close browser and end test | Browser closed | - | PASS |
Failure Scenario
Failing Condition: The login form is vulnerable and accepts the SQL injection input, allowing unauthorized access.
Execution Trace Quiz - 3 Questions
Test your understanding
What does the test verify after clicking the login button with SQL injection input?
A. That the login button is disabled
B. That the user is logged in successfully
C. That an error message is displayed indicating login failure
D. That the password field is cleared
Key Result
Always verify that input fields are protected against SQL injection by checking that malicious inputs do not bypass authentication and that proper error messages appear.