Rust-Libinjection rs: libinjection-rs — Rust bindings for libinjection

libinjection-rs

Rust bindings for libinjection.

How to use

  • Add libinjection to dependencies of Cargo.toml:

    libinjection = "0.2"

  • Import crate:

    extern crate libinjection;

    use libinjection::{sqli, xss};

  • SQLi Detection:

    let (is_sqli, fingerprint) = sqli("' OR '1'='1' --").unwrap();
    assert_eq!("s&sos", fingerprint);

    Fingerprints: Please refer to fingerprints.txt.

  • XSS Detection:

    let is_xss = xss("<script type='text/javascript'>alert('xss');</script>").unwrap();


  • [SECURITY] Undetectable Time-Base Injection

    Jan 15, 2019


    libinjection-rs is unable to detect time-based SQL injection:

    1 - Payload 1'=sleep(10)='1

    let (is_sqli, fingerprint) = sqli("1'=sleep(10)='1").unwrap();
    assert!(is_sqli); // false
    assert_eq!("s&sos", fingerprint);

    2- Payloads used to determine database version '=IF(MID(VERSION(),1,1)=1,SLEEP(10),0)='1

    let (is_sqli, fingerprint) = sqli("'=IF(MID(VERSION(),1,1)=1,SLEEP(10),0)='1").unwrap();
    assert!(is_sqli); // false
    assert_eq!("s&sos", fingerprint);

    Thanks, Ramin - kernel security engineering Best regards,

  • [SECURITY] Possible DOM Base XSS

    Jan 15, 2019


    Methods for bypassing libinjection-rs with DOM-based XSS

    1- javascript:alert(eval("2*3"));


    PoC:

              var redirectUrl = getUrlParameter('returnURL');
              window.parent.location.href = redirectUrl;

    2- a tag: when the user clicks the button, it triggers the alert :).

    	 <a href="javascript:alert(1);"> click me </a>

    3- title value

         `<img id="testz" title="javascript:alert(1)">`

    Real example :


    source image :


    # Cargo.toml
    json = "0.11.13"
    libinjection = "0.1"

    // main.rs
    #[macro_use] // brings the object! macro into scope
    extern crate json;
    extern crate libinjection;
    use libinjection::xss;

    fn main() {
        let data = object!{
            "foo" => "javascript:alert(1);",
        };
        let is_xss = xss("javascript:alert(1);").unwrap();
        let is_xss_2 = xss(&data.dump()).unwrap();
        let is_xss_3 = xss("<img id='testz' title='javascript:alert(1)'>").unwrap();
        println!("{}", data);
        println!("{}", is_xss); // false
        println!("{}", is_xss_2); // false
        println!("{}", is_xss_3); // false
    }

    Thanks, Ramin - kernel security engineering Best regards,
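
The first PoC in the report above passes a URL parameter straight into window.parent.location.href, a sink where a javascript: URL needs no HTML markup at all. One way to guard that sink is shown below as an added example (not code from the report or from libinjection-rs; safeRedirectTarget, APP_ORIGIN and the sample origin are assumed names and values):

```javascript
// Added example: validate a redirect target before it reaches a navigation sink.
// APP_ORIGIN and safeRedirectTarget are hypothetical names; the origin is constructed.
const APP_ORIGIN = 'https://app.example';

// Returns a normalized same-origin http(s) URL string, or null when the value
// must not be assigned to location.href.
function safeRedirectTarget(raw, appOrigin = APP_ORIGIN) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  let url;
  try {
    // Parse with the same WHATWG URL parser the browser uses: it strips tabs
    // and newlines, lowercases the scheme and resolves relative paths, so the
    // check sees what the navigation would actually load.
    url = new URL(raw, appOrigin);
  } catch (e) {
    return null;
  }
  // Scheme allowlist: javascript:, data: and every other scheme is refused here.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Same-origin only, which also refuses protocol-relative targets (//host).
  if (url.origin !== appOrigin) return null;
  return url.href;
}

// Constructed sample inputs; the first is the payload quoted in the report.
const samples = [
  'javascript:alert(eval("2*3"));',
  'Java\tScript:alert(1)',
  '//other.example/path',
  '/account/settings?tab=1',
  'https://app.example/home',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s));
}
```

In the PoC, the assignment would become `const target = safeRedirectTarget(redirectUrl, window.location.origin);` followed by navigating only when `target` is not null.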

  • build error on mac os

    Dec 11, 2019

    When I try to build on my machine (macOS 10.14.6, rustc 1.40.0-nightly), I get an "unable to clone libinjection" error. I've included a trace below, but I'm wondering if there are any special steps I need to take to get it to build locally? Thanks!

     ✘  ~/code/libinjection-rs   master  cargo build
       Compiling libinjection v0.1.1 (/Users/me/code/libinjection-rs)
    error: failed to run custom build command for `libinjection v0.1.1 (/Users/me/code/libinjection-rs)`
    Caused by:
      process didn't exit successfully: `/Users/me/code/libinjection-rs/target/debug/build/libinjection-e6642227de8a378d/build-script-build` (exit code: 101)
    --- stderr
    thread 'main' panicked at 'unable to clone libinjection',
    stack backtrace:
       0: backtrace::backtrace::libunwind::trace
                 at /Users/runner/.cargo/registry/src/
       1: backtrace::backtrace::trace_unsynchronized
                 at /Users/runner/.cargo/registry/src/
       2: std::sys_common::backtrace::_print_fmt
                 at src/libstd/sys_common/
       3: <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt
                 at src/libstd/sys_common/
       4: core::fmt::write
                 at src/libcore/fmt/
       5: std::io::Write::write_fmt
                 at src/libstd/io/
       6: std::sys_common::backtrace::_print
                 at src/libstd/sys_common/
       7: std::sys_common::backtrace::print
                 at src/libstd/sys_common/
       8: std::panicking::default_hook::{{closure}}
                 at src/libstd/
       9: std::panicking::default_hook
                 at src/libstd/
      10: std::panicking::rust_panic_with_hook
                 at src/libstd/
      11: std::panicking::begin_panic
                 at /rustc/38048763e885a3ee139abf39d59a530b16484150/src/libstd/
      12: build_script_build::main
                 at ./
  • Replace sed use with perl to fix macOS builds

    Aug 5, 2020

  • Change bindings to build from newer libinjection fork

    Oct 29, 2020

    The current version of libinjection is built from client9/libinjection which was last updated on Mar 12, 2018.

    There is a newer fork libinjection/libinjection which, at the time of writing, has a few changes and bug fixes, with the latest commit being 14 days ago.