1

I am studying the book Practical Security Automation and Testing. On page [124] there is a script which uses RIDE with the SSHLibrary.

But I'm using Eclipse, so I tried to install it.

```
pip install wheel
pip install --upgrade robotframework-sshlibrary
```

did the trick; now you can start editing the .robot script.

I made it till the point: (so it is different from the book, but this works for Eclipse)

```robotframework
*** Settings ***
Library  SSHLibrary
*** Variables ***
${HOST_URL}  http://demo.testfire.net
${output}=  Execute Command  python sqlmap.py -u ${HOST_URL} --batch --banner

*** Test Cases ***
SQL Injection Testing
  Should Not Contain  ${output}  vulnerable
```

Now the problem is: it says 'passed', but when I alter the host_url to something I'm sure should fail, it also says 'passed'. In other words: it doesn't seem to check or do anything.

I don't know what I am doing wrong here. Need help.

tijnn
  • It really depends on the content of sqlmap.py and what it returns. I guess if this fails for any reason, the `${output}` _won't_ contain "vulnerable", hence the test case passes. – pavelsaman Jul 29 '20 at 09:39

2 Answers

3

You are not executing the command at all - keywords cannot be called in the Variables section. This line here

```robotframework
*** Variables ***
${HOST_URL}  http://demo.testfire.net
${output}=  Execute Command  python sqlmap.py -u ${HOST_URL} --batch --banner
```

will just create a string variable with that content. Move it inside the case (or in a keyword of its own)

```robotframework
*** Test Cases ***
SQL Injection Testing
    ${output}=  Execute Command  python sqlmap.py -u ${HOST_URL} --batch --banner
    Should Not Contain  ${output}  vulnerable
```
Todor Minakov
  • Thank you Todor, that brings me a step further. – tijnn Jul 30 '20 at 16:35
  • But now the response is: KEYWORD ${output} = SSHLibrary . Execute Command python sqlmap.py -u ${HOST_URL} --batch --banner Documentation: Executes command on the remote machine and returns its outputs. Start / End / Elapsed: 20200730 18:33:31.264 / 20200730 18:33:31.345 / 00:00:00.081 18:33:31.267 INFO Executing command 'python sqlmap.py -u http://demo.testfire.net --batch --banner'. 18:33:31.344 FAIL No open connection. – tijnn Jul 30 '20 at 16:35
  • Follow the steps in that book - there should be connection establishment before executing a command over the ssh. – Todor Minakov Jul 30 '20 at 16:37
  • The book is somewhat helpful. What I've learned is that in security testing with test automation you don't have to learn every method of attack itself yourself before you can security test with automation, because there are libraries that hit (check) a lot with 1 statement or call. So in that way the book helped. But what I think is a pity is that the book doesn't explain how the SSHLibrary works. Or, in better words: I think it is a pity that the examples aren't any better than the ones that are presented. – tijnn Jul 30 '20 at 16:42
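
The point raised in the first comment and the first answer, that a test asserting only the absence of "vulnerable" also passes when the scan never ran, shown as an added example (not code from the book or from any poster). The function names, `RAN_MARKER` and the sample outputs are constructed assumptions; SSHLibrary's `Execute Command` can supply the three inputs when called with `return_stderr=True` and `return_rc=True`.

```python
"""Fail-closed verdict for a scanner run; usable as a Robot Framework keyword library."""

FINDING_MARKER = "vulnerable"  # the word the page's test asserts on
RAN_MARKER = "scan finished"   # assumption: text a completed run prints last

# Constructed samples (not real tool output): name -> (stdout, stderr, rc)
SAMPLES = {
    # The Variables-section bug: the "output" is just the unexecuted command text.
    "never_executed": ("Execute Command python sqlmap.py -u URL --batch --banner", "", 0),
    "command_failed": ("", "python: can't open file 'sqlmap.py'", 2),
    "completed_clean": ("scan started\nno issues reported\nscan finished\n", "", 0),
    "completed_finding": ("scan started\nparameter 'id' is vulnerable\nscan finished\n", "", 0),
}


def naive_check(output):
    """The page's assertion (Should Not Contain): passes whenever the word is absent."""
    return FINDING_MARKER not in output


def scan_verdict(stdout, stderr, rc, ran_marker=RAN_MARKER):
    """Return 'clean' only if the scan provably ran and reported nothing.

    Raises AssertionError otherwise; Robot Framework reports that as a failed keyword.
    """
    if int(rc) != 0:
        raise AssertionError(f"scanner exited with rc={rc}: {stderr.strip()}")
    if ran_marker not in stdout:
        raise AssertionError(f"output lacks {ran_marker!r}: scan did not run to completion")
    if FINDING_MARKER in stdout.lower():
        raise AssertionError("scanner reported a finding")
    return "clean"


def compare(samples=SAMPLES):
    """Run both checks on every sample: name -> (naive_passes, strict_result)."""
    results = {}
    for name, (stdout, stderr, rc) in samples.items():
        try:
            strict = scan_verdict(stdout, stderr, rc)
        except AssertionError as exc:
            strict = f"FAIL: {exc}"
        results[name] = (naive_check(stdout), strict)
    return results


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:18} naive={'PASS' if naive else 'FAIL'}  strict={strict}")
```

The naive check passes three of the four samples, including the two where nothing was scanned; the strict verdict passes only the completed clean run.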
0

I mixed the content of page 124 and 126 (of book: Practical Security Automation and Testing)

There is an error on page 126. The code at the RIDE image is actually that of the RBFW one.

This is how it turns up without errors:

```robotframework
*** Settings ***
Library  SSHLibrary
Library  Collections
Library  String
Library  RequestsLibrary
Library  OperatingSystem

*** Variables ***
${HOST_URL}  http://demo.testfire.net
${url}  http://demo.testfire.net
${SpiderScan}  http://localhost:8090/JSON/spider/action/scan/?zapapiformat=JSON&formatMethod=GET&url=${url}&maxChildren=&recurse=&contextName=&subtreeOnly=

*** Test Cases ***
SQL Injection Testing
  Get Connection    host=http://demo.testfire.net
  ${output}=  Execute Command  python sqlmap.py -u ${HOST_URL} --batch --banner
  Should Not Contain  ${output}  vulnerable

ZAP Spider Scan
  [Tags]  get skip
  Create Session   ZAP  ${SpiderScan}
  ${resp}=    Get Request     ZAP   /
  Should Be Equal As Strings    ${resp.status_code}    200
```
tijnn
  • it also runs that way. – tijnn Jul 30 '20 at 17:06
  • I skipped too fast reading over page [59]. So yes, the OWASP ZAP has to be installed. Download URL = https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project I deleted the first Testcase section and ran it with ZAP Spider Scan... It succeeded with ${SpiderScan} http://localhost:8090 but ran into an error with the complete JSON url – tijnn Jul 31 '20 at 08:48