File Coverage

lib/ThreatDetector/Handlers/SQLInjection.pm

Criterion	Covered	Total	%
statement	21	21	100.0
branch	1	2	50.0
condition	2	2	100.0
subroutine	7	7	100.0
pod	0	2	0.0
total	31	34	91.1

line	stmt	bran	cond	sub	pod	time	code
1							package ThreatDetector::Handlers::SQLInjection;
2
3	3			3		112335	use strict;
	3					13
	3					170
4	3			3		21	use warnings;
	3					6
	3					171
5	3			3		13	use Exporter 'import';
	3					4
	3					86
6	3			3		493	use JSON;
	3					9826
	3					18
7	3			3		394	use Time::HiRes qw(gettimeofday);
	3					5
	3					18
8
9							our $VERBOSE = 0;
10							our @EXPORT_OK = qw(handle_sql_injection get_sqli_events);
11							our @SQLI_EVENTS;
12							our $VERSION = '0.04';
13
14							sub handle_sql_injection {
15	3			3	0	143298	my ($entry) = @_;
16	3					34	my ($sec, $micro) = gettimeofday();
17
18							my $alert = {
19							timestamp => "$sec.$micro",
20							type => 'sql_injection',
21							ip => $entry->{ip},
22							method => $entry->{method},
23							uri => $entry->{uri},
24							status => $entry->{status},
25							user_agent => $entry->{user_agent},
26	3		100			42	referer => $entry->{referer} \|\| '',
27							};
28
29	3					6	push @SQLI_EVENTS, $alert;
30	3	50				12	print encode_json($alert) . "\n" if $VERBOSE;
31							}
32
33							sub get_sqli_events {
34	2			2	0	12	return @SQLI_EVENTS;
35							}
36
37							1;
38
39							=head1 NAME
40
41							ThreatDetector::Handlers::SQLInjection - Handler for SQL injection attempts
42
43							=head1 SYNOPSIS
44
45							use ThreatDetector::Handlers::SQLInjection qw(handle_sql_injection);
46
47							handle_sql_injection($entry);
48
49							=head1 DESCRIPTION
50
51							Emits a JSON-formatted alert when a request appears to contain SQL injection payloads. Common indicators include suspicious keywords (e.g., `SELECT`, `UNION`), tautologies, comment markers, or known SQLi functions.
52
53							=head1 AUTHOR
54
55							Jason Hall
56
57							=cut