# The TOML Structure:
#
# You can specify multiple different injection types if you want.
# [name] # any name you want, it is not important
# tokens = ["a string", ...]  # an injection string to add to the tokens list
# matches = ["a string", ...] # if on of these substrings (case insensitive) is found
#                             # in the parameter of the function then crash!
#                             # note that this is not a regex.
#
# [name.functions]
#     # multiple function targets to hook can be defined
#     function_name =   # name of the function you want to hook.
#                       # if the function name starts with 0x then
#                       # this is the QEMU Guest address of a
#                       # function you want to hook that does not
#                       # have a symbol.
#     {param = number}  # which parameter to the function contains the string
#                       # 0 = first, 1 = second, ... 0-5 are supported (depending on architecture)

[sql]
tokens = [ "'\"\"'\"\n", "\"1\" OR '1'=\"1\"" ]
matches = [ "'\"\"'\"", "1\" OR '1'=\"1" ]

[sql.functions]
sqlite3_exec = {param = 1}
PQexec = {param = 1}
PQexecParams = {param = 1}
mysql_query = {param = 1}
mysql_send_query = {param = 1}


# Command injection. Note that for most you will need a libc with debug symbols
# We do not need this as we watch the SYS_execve syscall, this is just an
# example.
[cmd]
tokens = [
    "'\"FUZZ\"'",
    "\";FUZZ;\"",
    "';FUZZ;'",
    "$(FUZZ)",
]
matches = ["'\"FUZZ\"'"]

[cmd.functions]
popen = {param = 0}
system = {param = 0}

# LDAP injection tests
[ldap]
tokens = ["*)(FUZZ=*))(|"]
matches = ["*)(FUZZ=*))(|"]

[ldap.functions]
ldap_search_ext = {param = 3}
ldap_search_ext_s = {param = 3}

# XSS injection tests
# This is a minimal example that only checks for libxml2
[xss]
tokens = ["'\"><FUZZ"]
matches = ["'\"><FUZZ"]
[xss.functions]
htmlReadMemory = {param = 0}