We wanted to make a package to check for SQLi vulnerabilities for generic frameworks/specific to Flask as there are quite a few python applications that don't use ORM and are vulnerable to SQLi vulnerabilities.

What it does

A CLI tool which will help you analyze your python/flask app, using Pysa (a static analysis tool by facebook), In case sqli are found, they're displayed at runtime after running the analyze command.

How we built it

Protectsql is build on top of pysa, a part of the pyre-check project package (see more about pysa here). Additionally, since it's a CLI tool, we also make use of click (see more here). Tech Stack:

  • python
  • pysa
  • click
  • flask

Challenges we ran into

  • Understanding pysa documentation
  • Coming up with target frameworks vulnerable to sqli injections and how can we use pysa for them

Accomplishments that we're proud of

  • Successfully integrating Pysa using Click
  • Uploading package to PyPi
  • Testing successfully on example project and getting appropriate sqli vulnerabilities captured

What we learned

  • Using pysa for static analysis
  • Usage of click, the python CLI tool
  • Uploading our own package to PyPi

What's next for ProtectSql

We plan to add support to more lightweight framework which does not rely on ORM! As of now, Protectsql is published on PyPi and is ready for use. Anyone can contribute following our contribution rules and guidelines.

Built With

Share this project: