Beispiel #1
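    def test_pickle(self):
        """Check that a JSONContainer survives a pickle round-trip.

        Three containers are exercised: one left with the headers it has
        right after construction, one with an overridden Content-Type and
        one with an additional header. In every case the clone must compare
        equal to the original and report the same headers.
        """
        def assert_round_trip(container, e_headers):
            # assertEqual is used instead of the deprecated assertEquals
            # alias, which was removed from unittest in Python 3.12.
            self.assertEqual(container.get_headers(), e_headers)

            # Safe only because the bytes come straight from pickle.dumps()
            # on this line. pickle.loads() must never be given data from an
            # untrusted source, since unpickling can run arbitrary code.
            clone = pickle.loads(pickle.dumps(container))
            self.assertEqual(container, clone)
            self.assertEqual(clone.get_headers(), e_headers)

        # Case 1: headers as set by the constructor.
        original = JSONContainer(COMPLEX_OBJECT)
        assert_round_trip(original, [('Content-Type', 'application/json')])

        # Case 2: Content-Type replaced before pickling.
        original = JSONContainer(COMPLEX_OBJECT)
        original.set_header('Content-Type', 'application/vnd.w3af+json')
        assert_round_trip(original,
                          [('Content-Type', 'application/vnd.w3af+json')])

        # Case 3: an extra header added next to the initial Content-Type.
        original = JSONContainer(COMPLEX_OBJECT)
        original.set_header('X-Foo-Header', 'Bar')
        assert_round_trip(original,
                          [('Content-Type', 'application/json'),
                           ('X-Foo-Header', 'Bar')])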
Beispiel #2
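    def test_headers(self):
        """Check get_headers() after set_header() and constructor headers.

        Covers the headers present right after construction, replacing an
        existing header, adding a new one, passing a headers dict to the
        constructor, and passing None as the headers argument.
        """
        # assertEqual is used throughout instead of the deprecated
        # assertEquals alias, which was removed from unittest in Python 3.12.
        jcont = JSONContainer(COMPLEX_OBJECT)

        e_headers = [('Content-Type', 'application/json')]
        self.assertEqual(jcont.get_headers(), e_headers)

        # Setting an existing header name replaces its value.
        jcont.set_header('Content-Type', 'application/vnd.w3af+json')
        e_headers = [('Content-Type', 'application/vnd.w3af+json')]
        self.assertEqual(jcont.get_headers(), e_headers)

        # A new header name is reported after the existing one.
        jcont.set_header('X-Foo-Header', 'Bar')
        e_headers = [('Content-Type', 'application/vnd.w3af+json'),
                     ('X-Foo-Header', 'Bar')]
        self.assertEqual(jcont.get_headers(), e_headers)

        # Headers may also be supplied to the constructor as a dict.
        headers = {
            'Content-Type': 'application/vnd.w3af+json',
            'X-Foo-Header': 'Bar'
        }
        jcont = JSONContainer(COMPLEX_OBJECT, headers)

        e_headers = [('Content-Type', 'application/vnd.w3af+json'),
                     ('X-Foo-Header', 'Bar')]
        self.assertEqual(jcont.get_headers(), e_headers)

        jcont.set_header('X-Foo-Header', '42')
        e_headers = [('Content-Type', 'application/vnd.w3af+json'),
                     ('X-Foo-Header', '42')]
        self.assertEqual(jcont.get_headers(), e_headers)

        # None as the headers argument must give the same result as
        # omitting the argument.
        jcont = JSONContainer(COMPLEX_OBJECT, None)
        e_headers = [('Content-Type', 'application/json')]
        self.assertEqual(jcont.get_headers(), e_headers)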
Beispiel #3
    def test_wrong_headers(self):
        """Expect TypeError for header arguments of the wrong type.

        The cases are a non-string header name, a non-string header value,
        and a string or a list passed as the constructor's headers argument.
        """
        container = JSONContainer(COMPLEX_OBJECT)

        # set_header() with an integer as name, then as value.
        self.assertRaises(TypeError, container.set_header, 1, 'Foo')
        self.assertRaises(TypeError, container.set_header, 'Foo', 1)

        # Constructor with a str, then a list, as the headers argument.
        self.assertRaises(TypeError, JSONContainer, COMPLEX_OBJECT, 'Foo')
        self.assertRaises(TypeError, JSONContainer, COMPLEX_OBJECT, [])
Beispiel #4
    def test_create_mutants_array(self):
        """Create mutants from a JSON array body and check what was fuzzed.

        Only the string element of the array is expected to be replaced by
        a payload; the numeric elements stay as they are.
        """
        container = JSONContainer(ARRAY)
        request = FuzzableRequest(self.url, post_data=container,
                                  method='POST')

        mutants = JSONMutant.create_mutants(request, self.payloads, [],
                                            False, self.fuzzer_config)

        expected = set(['["xyz", 3, 2.1]', '["www", 3, 2.1]'])
        serialized_dcs = set(str(mutant.get_dc()) for mutant in mutants)
        post_datas = set(mutant.get_data() for mutant in mutants)

        # Compared as sets, so the order in which mutants come back is not
        # part of the contract being tested.
        self.assertEqual(serialized_dcs, expected)
        self.assertEqual(serialized_dcs, post_datas)

        # Both mutants target the same token and remember its original
        # value.
        for position in (0, 1):
            token = mutants[position].get_token()
            self.assertEqual(token.get_name(), 'list-0-string')
            self.assertEqual(token.get_original_value(), 'abc')

        for mutant in mutants:
            self.assertIsInstance(mutant, JSONMutant)

        # The HTTP method of the source request is kept on every mutant.
        for mutant in mutants:
            self.assertEqual(mutant.get_method(), 'POST')
Beispiel #5
    def test_create_mutants_9116(self):
        """Create mutants from a flat JSON object with mixed value types.

        The expected list below holds eight bodies: each of the four string
        fields replaced once by 'xyz' and once by 'www', while the integer
        and null fields keep their values in every expected body.

        NOTE(review): "9116" presumably refers to an issue number; confirm
        against the project tracker.
        """
        # NOTE(review): the 'token' value looks like a synthetic fixture;
        # confirm it is not a real payment token before reusing this data.
        payment_data = {'transaction_amount': 100,
                        'reason': 'Title of what you are paying for',
                        'installments': 1,
                        'payment_method_id': 'visa',
                        'token': '16faba8617708',
                        'external_reference': '1234',
                        'random_anti_anti_double_click': 11577513359,
                        'extra_charge': None}
        payment_data = json.dumps(payment_data)

        dc = JSONContainer(payment_data)
        freq = FuzzableRequest(self.url, post_data=dc, method='POST')

        created_mutants = JSONMutant.create_mutants(freq, self.payloads, [],
                                                    False, self.fuzzer_config)

        # NOTE(review): these literals pin one specific key order in the
        # serialized JSON. Presumably that order comes from the dict and
        # serializer in use; confirm before running on another interpreter.
        expected_dcs = ['{"transaction_amount": 100, "external_reference": "1234", "random_anti_anti_double_click": 11577513359, "token": "16faba8617708", "reason": "www", "installments": 1, "payment_method_id": "visa", "extra_charge": null}',
                        '{"transaction_amount": 100, "external_reference": "1234", "random_anti_anti_double_click": 11577513359, "token": "16faba8617708", "reason": "Title of what you are paying for", "installments": 1, "payment_method_id": "xyz", "extra_charge": null}',
                        '{"transaction_amount": 100, "external_reference": "1234", "random_anti_anti_double_click": 11577513359, "token": "www", "reason": "Title of what you are paying for", "installments": 1, "payment_method_id": "visa", "extra_charge": null}',
                        '{"transaction_amount": 100, "external_reference": "xyz", "random_anti_anti_double_click": 11577513359, "token": "16faba8617708", "reason": "Title of what you are paying for", "installments": 1, "payment_method_id": "visa", "extra_charge": null}',
                        '{"transaction_amount": 100, "external_reference": "1234", "random_anti_anti_double_click": 11577513359, "token": "xyz", "reason": "Title of what you are paying for", "installments": 1, "payment_method_id": "visa", "extra_charge": null}',
                        '{"transaction_amount": 100, "external_reference": "1234", "random_anti_anti_double_click": 11577513359, "token": "16faba8617708", "reason": "xyz", "installments": 1, "payment_method_id": "visa", "extra_charge": null}',
                        '{"transaction_amount": 100, "external_reference": "1234", "random_anti_anti_double_click": 11577513359, "token": "16faba8617708", "reason": "Title of what you are paying for", "installments": 1, "payment_method_id": "www", "extra_charge": null}',
                        '{"transaction_amount": 100, "external_reference": "www", "random_anti_anti_double_click": 11577513359, "token": "16faba8617708", "reason": "Title of what you are paying for", "installments": 1, "payment_method_id": "visa", "extra_charge": null}']

        created_dcs = [str(i.get_dc()) for i in created_mutants]
        created_post_datas = [i.get_data() for i in created_mutants]

        # Compared as sets: the order of the mutants is not checked, and the
        # serialized container must match the data that would be sent.
        self.assertEqual(set(created_dcs), set(expected_dcs))
        self.assertEqual(set(created_dcs), set(created_post_datas))

        # No assertion here: this loop only fails if set_token_value()
        # raises on one of the created mutants.
        for m in created_mutants:
            m.set_token_value('abc')
    def test_copy_container_with_token(self):
        """Check that a deep copy of a bound container keeps its token."""
        container = JSONContainer(ARRAY)
        # Consume the iterator completely before looking at the first pair.
        bound_pairs = list(container.iter_bound_tokens())

        bound_dc, _ = bound_pairs[0]
        self.assertIsNotNone(bound_dc.get_token())

        # The token must still be set on the copy, not only on the source.
        self.assertIsNotNone(copy.deepcopy(bound_dc).get_token())
Beispiel #7
    def test_create_mutants_empty_payload(self):
        """Create mutants with an empty-string payload and set a new value.

        There is no explicit assertion; the test fails only if creating the
        mutants or calling set_token_value() raises.
        """
        container = JSONContainer(COMPLEX_OBJECT)
        request = FuzzableRequest(self.url, post_data=container,
                                  method='POST')

        empty_payloads = ['']
        mutants = JSONMutant.create_mutants(request, empty_payloads, [],
                                            False, self.fuzzer_config)

        for mutant in mutants:
            mutant.set_token_value('abc')
Beispiel #8
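    def test_headers_immutable(self):
        """Check that mutating get_headers()'s result leaves the container alone.

        Appending to the returned list must not change what a later
        get_headers() call reports.
        """
        jcont = JSONContainer(OBJECT)

        e_headers = [('Content-Type', 'application/json')]
        headers = jcont.get_headers()
        # assertEqual is used instead of the deprecated assertEquals alias,
        # which was removed from unittest in Python 3.12.
        self.assertEqual(headers, e_headers)

        # Mutate the returned list; the container must still report only
        # the original header afterwards.
        headers.append(('X-Foo-Header', 'Bar'))
        self.assertEqual(jcont.get_headers(), e_headers)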
    def test_iter_bound_tokens_array(self):
        """Iterate the bound tokens of a JSON array container.

        Each yielded pair must be a JSONContainer and the DataToken bound to
        it; only the string element of the array is expected as a token.
        """
        container = JSONContainer(ARRAY)
        pairs = list(container.iter_bound_tokens())

        for bound_dc, bound_token in pairs:
            self.assertIsInstance(bound_dc, JSONContainer)
            self.assertIsInstance(bound_token, DataToken)
            # The yielded token is the very object stored on the container.
            self.assertIs(bound_token, bound_dc.token)

        expected = [('list-0-string', 'abc')]
        found = [(tok.get_name(), tok.get_value()) for _, tok in pairs]
        self.assertEqual(expected, found)
Beispiel #10
    def test_object_null_value(self):
        """Iterate the bound tokens of an object that holds a null value.

        The null value is expected to be exposed as a token whose value is
        None.
        """
        container = JSONContainer(OBJECT_NULL)
        pairs = list(container.iter_bound_tokens())

        for bound_dc, bound_token in pairs:
            self.assertIsInstance(bound_dc, JSONContainer)
            self.assertIsInstance(bound_token, DataToken)
            # The yielded token is the very object stored on the container.
            self.assertIs(bound_token, bound_dc.token)

        expected = [('object-key-null', None)]
        found = [(tok.get_name(), tok.get_value()) for _, tok in pairs]
        self.assertEqual(expected, found)
Beispiel #11
    def test_basic(self):
        """Iterate the bound tokens of a nested JSON object.

        Two string tokens are expected, in this order: the string inside
        the nested list and the top-level string value.
        """
        container = JSONContainer(COMPLEX_OBJECT)
        pairs = list(container.iter_bound_tokens())

        for bound_dc, bound_token in pairs:
            self.assertIsInstance(bound_dc, JSONContainer)
            self.assertIsInstance(bound_token, DataToken)
            # The yielded token is the very object stored on the container.
            self.assertIs(bound_token, bound_dc.token)

        expected = [('object-second_key-list-0-string', 'abc'),
                    ('object-key-string', 'value')]
        found = [(tok.get_name(), tok.get_value()) for _, tok in pairs]
        # Compared as lists, so the iteration order is part of the check.
        self.assertEqual(expected, found)
Beispiel #12
    def test_found_at(self):
        """Check the found_at() description and headers of a JSON mutant.

        The description must name the URL, the HTTP method and the token
        that was set, and the mutant must carry a JSON Content-Type header.
        """
        container = JSONContainer(COMPLEX_OBJECT)
        request = FuzzableRequest(self.url, post_data=container,
                                  method='PUT')

        mutant = JSONMutant(request)
        # The token is selected by a one-element tuple holding its name.
        mutant.get_dc().set_token(('object-second_key-list-0-string', ))

        expected = ('"http://www.w3af.com/", using HTTP method PUT.'
                    ' The sent JSON-data was: "...object-second_key-list-'
                    '0-string=abc..."')
        self.assertEqual(mutant.found_at(), expected)

        sent_headers = mutant.get_headers()
        self.assertIn('Content-Type', sent_headers)
        self.assertEqual(sent_headers['Content-Type'], 'application/json')
Beispiel #13
    def test_iter_bound_tokens_modify_during_iter(self):
        """Change a token's value while iter_bound_tokens() is being consumed.

        The modification must be visible on the token afterwards and in the
        serialized form of the yielded container.
        """
        jcont = JSONContainer(ARRAY)
        # Stays None if the iterator yields nothing, which makes the
        # assertEqual(idx, 0) check below fail in that case.
        idx = None
        tokens = []

        for idx, (dcc, token) in enumerate(jcont.iter_bound_tokens()):
            self.assertIsInstance(dcc, JSONContainer)
            self.assertIsInstance(token, DataToken)
            self.assertIs(token, dcc.token)

            # Mutate the token while the iterator is still live.
            token.set_value('xyz')
            tokens.append(token)

        # The last index seen was 0, i.e. exactly one pair was yielded.
        self.assertEqual(idx, 0)

        EXPECTED_TOKENS = [('list-0-string', 'xyz')]
        token_data = [(t.get_name(), t.get_value()) for t in tokens]

        self.assertEqual(EXPECTED_TOKENS, token_data)
        # dcc is the container from the last loop iteration; its string form
        # must carry the new value in place of the old one.
        self.assertEqual(str(dcc), ARRAY.replace('abc', 'xyz'))
Beispiel #14
    def test_mutant_copy_9116(self):
        """Check that copying a mutant, or its container, keeps the token.

        A deep copy of the container must report an equal token, and a
        copied mutant must accept and return a new token value while the
        source mutant still has its token.
        """
        container = JSONContainer(COMPLEX_OBJECT)
        request = FuzzableRequest(self.url, post_data=container,
                                  method='POST')

        mutants = JSONMutant.create_mutants(request, self.payloads, [],
                                            False, self.fuzzer_config)

        new_value = 'def'
        source_mutant = mutants[0]

        source_dc = source_mutant.get_dc()
        self.assertEqual(copy.deepcopy(source_dc).get_token(),
                         source_dc.get_token())

        mutant_copy = source_mutant.copy()
        # Fetch the copy's token before its value is changed.
        copied_token = mutant_copy.get_token()
        mutant_copy.set_token_value(new_value)

        self.assertIsNotNone(source_mutant.get_token())
        self.assertIsNotNone(copied_token)
        self.assertEqual(mutant_copy.get_token_value(), new_value)
Beispiel #15
 def test_copy_container_no_token(self):
     """Check that a deep copy of a container with no token set equals it."""
     container = JSONContainer(COMPLEX_OBJECT)
     self.assertEqual(container, copy.deepcopy(container))
Beispiel #16
 def test_copy(self):
     """Check that a deep-copied JSONContainer compares equal to its source."""
     source = JSONContainer(COMPLEX_OBJECT)
     duplicate = copy.deepcopy(source)
     self.assertEqual(source, duplicate)