feat(security): implement automated SQLi validation suite for API authentication#79

Open
anaghwadhwa123 wants to merge 12 commits into thoth-tech:main from anaghwadhwa123:feature/sql-injection-validator
Conversation

@anaghwadhwa123 anaghwadhwa123 commented May 4, 2026

Description

This PR introduces an automated security testing script, test-sql-injection.sh, located within the injection test documentation directory. This tool is designed to proactively identify SQL injection vulnerabilities within the doubtfire-api authentication endpoints. By moving beyond static documentation, this "Executable Documentation" allows developers to run real-world attack simulations against their local environments to ensure compliance with our security standards.

Type of change

  • New feature (non-breaking change which adds functionality)
  • Documentation (update or new)

How Has This Been Tested?

The script was tested through a local simulation and environment probe:

  • Verified the script correctly identifies when the target API is online vs. offline.
  • Ran the suite against a mock listener to verify that status codes (200, 401, 500) and response body keywords (e.g., "token") correctly trigger the intended VULNERABLE VS SECURE output.
  • Verified execution in a Bash environment and confirmed that file permissions (chmod +x) allow for seamless execution.

Testing Checklist

  • Tested in latest Chrome
  • Tested in latest Safari
  • Tested in latest Firefox

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have requested a review from ... on the Pull Request

netlify Bot commented May 4, 2026

Deploy Preview for ontrackdocumentation ready!

🔨 Latest commit: 80014ed
🔍 Latest deploy log: https://app.netlify.com/projects/ontrackdocumentation/deploys/6a097792254cea00086019c6
😎 Deploy Preview: https://deploy-preview-79--ontrackdocumentation.netlify.app
To edit notification comments on pull requests, go to your Netlify project configuration.

lgr2002 commented May 5, 2026

Looks good overall, I think making the SQL injection testing executable is a useful addition. However, two things: I noticed the new script seems to remove some existing features like CLI options, valid credential checks, timeout handling, testing both username and password fields, and Nikto integration. Maybe it would be worth keeping those parts if they are still useful?

Also, the detection logic might be a bit broad since checking for 'user' in the response could cause false positives. Maybe it could check for a clearer successful login response, such as a status code and auth token.

anaghwadhwa123 commented May 5, 2026

> Looks good overall, I think making the SQL injection testing executable is a useful addition. However, two things: I noticed the new script seems to remove some existing features like CLI options, valid credential checks, timeout handling, testing both username and password fields, and Nikto integration. Maybe it would be worth keeping those parts if they are still useful?
>
> Also, the detection logic might be a bit broad since checking for 'user' in the response could cause false positives. Maybe it could check for a clearer successful login response, such as a status code and auth token.

Thank you for your feedback Leeon. I've re-implemented the CLI options, timeout handling, and Nikto integration. I also updated the detection logic to specifically look for authentication tokens rather than just general user strings to prevent false positives.
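The verdict logic the review asks for (status code plus an auth token field, never a bare "user" string), together with the online/offline and timeout handling mentioned in the PR description, as an added example; this is not the PR's test-sql-injection.sh, and the token field names (`token` / `auth_token`), the verdict labels and the sample response bodies are assumptions constructed for illustration:

```shell
#!/usr/bin/env bash
# Added example, not the PR's script. Classifies one login-endpoint
# response by status code AND the presence of an auth token field, so a
# body that merely mentions "user" (e.g. in an error message) is never
# flagged. Field names "token"/"auth_token" are assumed, not confirmed.

# Prints VULNERABLE, SECURE, ERROR, OFFLINE or UNEXPECTED for (status, body).
classify_response() {
  local status="$1" body="$2"
  case "$status" in
    200)
      # A 200 alone is not enough: require a non-empty token value.
      if printf '%s' "$body" \
        | grep -Eq '"(auth_)?token"[[:space:]]*:[[:space:]]*"[^"]+"'; then
        echo VULNERABLE          # crafted input produced a real session token
      else
        echo UNEXPECTED          # 200 without a token: inspect manually
      fi ;;
    401|403) echo SECURE ;;      # endpoint rejected the input
    500)     echo ERROR ;;       # server error: the input reached an unhandled path
    000)     echo OFFLINE ;;     # curl could not connect or timed out
    *)       echo UNEXPECTED ;;
  esac
}

# Probe the base URL with a hard timeout; returns 0 if any HTTP answer
# arrives, 1 if the API is unreachable. Used for the online/offline check.
api_online() {
  local base_url="$1" timeout="${2:-5}"
  curl -s -o /dev/null --max-time "$timeout" "$base_url"
}

# Constructed sample responses; printed when the file is run directly.
main() {
  classify_response 200 '{"auth_token":"eyJhbGciOi...","user":{"id":1}}'
  classify_response 401 '{"error":"Invalid user or password"}'
  classify_response 500 '{"error":"Internal Server Error"}'
  classify_response 200 '{"user":"guest"}'
  classify_response 000 ''
}
main
```

In the script itself, `classify_response` would sit behind the `curl -s -o "$body_file" -w '%{http_code}' --max-time "$timeout" ...` call that posts each test case, and a `000` status (curl's code on connection failure) maps cleanly onto the "offline" verdict instead of being mistaken for a secure rejection.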

Roeenk27 commented May 6, 2026

Good PR, making the SQLi tests executable is a nice improvement and the feedback from Leeon was addressed well. Good work.

@jmirchh75 jmirchh75 left a comment

Changes as per Leeon's feedback make it solid. Previous issues were fixed which I didn't get a chance to comment on, which would have been found via testing. Looks good.

Comment thread package-lock.json
Collaborator

Revert this file to the version against thoth-tech:main. Package-lock changes are outside of the scope of this PR.

Collaborator

What does this file have to do with SQLi validation suite?

@SteveDala SteveDala left a comment

Please double check if all the files here are within the scope of the PR.
