ktrina

Reputation: 21

Example query to use to test for cypher injection?

I'm new to neo4j and have been tasked with writing some cypher injection tests. We are using parameterization but I'm writing tests in case someone changed it to use string concat. I need an example query to check for in my tests but I'm not completely sure what would be a good one. I was thinking of using MATCH (n) DETACH DELETE n for deleting all nodes and relationships, but I wasn't sure if I needed to add a quote at the beginning or something so that it would end the string and run the query? As in "MATCH (n) DETACH DELETE n. Would that work, or is there something better I could use? Thanks for any help!

Upvotes: 2

Views: 489

Answers (1)

Rajendra Kadam

Reputation: 4052

This query is different from what you asked:

These are two ways to get a user:

  1. String concatenation:

"MATCH (u:USER) WHERE u.id = " + id + " RETURN u"

  2. Parametrized:

"MATCH (u:USER) WHERE u.id = {id} RETURN u"

You can check by passing the value of id in both queries like:

1 OR 1=1

Or the worst value for id, like:

1 OR 1=1
WITH u
DETACH DELETE u

Upvotes: 1
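A driver-free regression test for the check described in the answer, as an added example (not code from the question or the answer): it feeds the answer's own injection value to a concatenating builder and to a parameterized builder and reports which one lets the value alter the Cypher text. The builder and check names are assumed, and the parameterized form uses `$id`, the Neo4j 4+ spelling of the `{id}` placeholder shown in the answer.

```python
# Added example (not from the question or answer): a driver-free regression
# test that catches a query builder which was changed from parameters back to
# string concatenation. Names (build_user_query_*, check_builder) are assumed.
import re

# Injection value taken from the answer above: it closes the original
# predicate and appends a destructive clause.
INJECTION_VALUE = "1 OR 1=1\nWITH u\nDETACH DELETE u"

def build_user_query_concat(user_id):
    """Vulnerable: the value becomes part of the Cypher text."""
    return "MATCH (u:USER) WHERE u.id = " + str(user_id) + " RETURN u", {}

def build_user_query_param(user_id):
    """Safe: the Cypher text is constant; the value travels as a parameter
    ($id is the Neo4j 4+ syntax for the {id} placeholder in the answer)."""
    return "MATCH (u:USER) WHERE u.id = $id RETURN u", {"id": user_id}

# Write clauses a read-only lookup template should never gain.
WRITE_CLAUSE = re.compile(r"\b(DETACH\s+DELETE|DELETE|REMOVE|SET|CREATE|MERGE)\b", re.I)

def check_builder(builder):
    """Describe whether `builder` is injectable, using two independent signals:
    the Cypher text produced for the injection value differs from the text
    produced for a benign value (the value leaked into the query), and the
    produced text contains a write clause the benign text never had."""
    benign_query, _ = builder(1)
    query, params = builder(INJECTION_VALUE)
    text_changed = query != benign_query
    write_injected = (WRITE_CLAUSE.search(query) is not None
                      and WRITE_CLAUSE.search(benign_query) is None)
    return {
        "injectable": text_changed or write_injected,
        "text_changed": text_changed,
        "write_clause_injected": write_injected,
        "value_in_params": INJECTION_VALUE in params.values(),
    }

if __name__ == "__main__":
    for b in (build_user_query_concat, build_user_query_param):
        print(b.__name__, check_builder(b))
```

In a real test suite the same check runs against every query-building function in the code base, so a switch from parameters to concatenation fails CI without touching a database.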
