    def test_simple_int_param_in_qs(self):
        """Turn a spec with one optional integer query-string parameter into
        fuzzable requests and check the two GET calls that come out of it.

        The handler yields one operation without the parameter and one with
        a value filled in; both are expected to target /api/pets with a JSON
        content type and no body.
        """
        spec_text = IntParamQueryString().get_specification()
        response = self.generate_response(spec_text)
        handler = SpecificationHandler(response)

        operations = list(handler.get_api_information())

        # 'limit' is not required by the specification, so the handler
        # produces two operations: one without the parameter, one with it
        self.assertEqual(len(operations), 2)

        expected_urls = ['http://w3af.org/api/pets',
                         'http://w3af.org/api/pets?limit=42']
        expected_headers = Headers([('Content-Type', 'application/json')])

        # Same assertions for both calls; only the URL differs
        for operation_data, expected_url in zip(operations, expected_urls):
            factory = RequestFactory(*operation_data)
            fuzzable_request = factory.get_fuzzable_request()

            self.assertEqual(fuzzable_request.get_method(), 'GET')
            self.assertEqual(fuzzable_request.get_uri().url_string,
                             expected_url)
            self.assertEqual(fuzzable_request.get_headers(), expected_headers)
            self.assertEqual(fuzzable_request.get_data(), '')
    def test_simple_int_param_in_qs(self):
        """Check the operation tuples the handler yields for a spec with one
        optional integer query-string parameter.

        Two operations are expected for the same 'findPets' endpoint; their
        only difference is the value filled into the 'limit' parameter
        (None for the first, 42 for the second).
        """
        spec_text = IntParamQueryString().get_specification()
        response = self.generate_response(spec_text)
        handler = SpecificationHandler(response)

        operations = list(handler.get_api_information())

        # 'limit' is not required by the specification, so the handler
        # produces two operations: one without the parameter, one with it
        self.assertEqual(len(operations), 2)

        def assert_limit_param(operation, expected_fill):
            # Every operation carries exactly one parameter: the optional
            # integer 'limit' in the query string. Only the fill differs.
            self.assertEqual(len(operation.params), 1)

            param = operation.params.get('limit')
            self.assertEqual(param.param_spec['required'], False)
            self.assertEqual(param.param_spec['in'], 'query')
            self.assertEqual(param.param_spec['type'], 'integer')
            self.assertEqual(param.fill, expected_fill)

        # First operation: check the resource/operation metadata as well
        (_spec, api_resource_name, _resource, operation_name, operation,
         _parameters) = operations[0]

        self.assertEqual(api_resource_name, 'pets')
        self.assertEqual(operation_name, 'findPets')
        self.assertEqual(operation.consumes, [u'application/json'])
        self.assertEqual(operation.produces, [u'application/json'])
        self.assertEqual(operation.path_name, '/pets')

        assert_limit_param(operation, None)

        # Second operation: same parameter, now with a value filled in
        (_spec, _api_resource_name, _resource, _operation_name, operation,
         _parameters) = operations[1]

        assert_limit_param(operation, 42)
class TestOpenAPIFindAllEndpointsWithAuth(PluginTest):
    """Crawl a spec with one optional integer query-string parameter while
    the open_api plugin is configured with query-string authentication.

    The api_key value in the plugin configuration is a constructed test
    fixture. Because the credential is configured as a query-string
    parameter it becomes part of the URL of every generated request (which
    is what the URL assertions below verify), and so is visible anywhere
    those URLs are recorded.
    """

    target_url = 'http://w3af.org/'

    _run_configs = {
        'cfg': {
            'target': target_url,
            'plugins': {
                'crawl': (PluginConfig(
                    'open_api',
                    ('query_string_auth', 'api_key=0x12345',
                     PluginConfig.QUERY_STRING),
                ), )
            }
        }
    }

    MOCK_RESPONSES = [
        MockResponse('http://w3af.org/swagger.json',
                     IntParamQueryString().get_specification())
    ]

    def test_find_all_endpoints_with_auth(self):
        """Run the scan and check the Info and the generated requests.

        Expects exactly one Info in the knowledge base and, after dropping
        the spec document and the root, two GET requests to /api/pets that
        both carry the configured api_key in their query string.
        """
        cfg = self._run_configs['cfg']
        self._scan(cfg['target'], cfg['plugins'])

        # With authentication configured only a single Info is expected
        infos = self.kb.get('open_api', 'open_api')
        self.assertEqual(len(infos), 1, infos)
        self.assertEqual(infos[0].get_name(), 'Open API specification found')

        all_requests = self.kb.get_all_known_fuzzable_requests()
        self.assertEqual(len(all_requests), 4)

        # Drop the spec document and the root, then order by URL so the
        # positional assertions below are deterministic
        skipped_paths = ('/swagger.json', '/')
        api_requests = sorted(
            (f for f in all_requests
             if f.get_url().get_path() not in skipped_paths),
            key=lambda f: f.get_url().url_string)

        expected_urls = ['http://w3af.org/api/pets?api_key=0x12345',
                         'http://w3af.org/api/pets?limit=42&api_key=0x12345']
        expected_headers = Headers([('Content-Type', 'application/json')])

        # Same assertions for both calls; only the URL differs
        for fuzzable_request, expected_url in zip(api_requests, expected_urls):
            self.assertEqual(fuzzable_request.get_method(), 'GET')
            self.assertEqual(fuzzable_request.get_uri().url_string,
                             expected_url)
            self.assertEqual(fuzzable_request.get_headers(), expected_headers)
            self.assertEqual(fuzzable_request.get_data(), '')
 def test_parameter_handler_simple_int_param_in_qs(self):
     """Feed the single-int-query-param spec to SpecificationHandler and
     delegate the parameter assertions to check_parameter_setting().
     """
     spec_text = IntParamQueryString().get_specification()
     handler = SpecificationHandler(self.generate_response(spec_text))
     self.check_parameter_setting(handler)