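def test_all(self):
    """Every context type known to get_contexts() must be detected in self.HTML.

    The name of each context class is used as the payload, and the analysis
    of self.HTML for that payload must yield at least one context carrying
    the same name.  On a miss the test fails with a message that shows what
    the analysis actually returned.
    """
    for context in get_contexts():
        expected_context_name = context.get_name()

        # Run the analysis once and reuse the result for both the check and
        # the failure message (previously it was re-run on failure).
        calculated = get_context(self.HTML, expected_context_name)

        found = any(
            calculated_context.get_name() == expected_context_name
            for contexts in calculated
            for calculated_context in contexts
        )

        if not found:
            msg = "The analysis for %s context failed, got %r instead."
            msg = msg % (expected_context_name, calculated)
            # fail() is the explicit form of assertTrue(False, msg)
            self.fail(msg)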
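def test_all(self):
    """Check that get_context() finds every context type in self.HTML.

    For each context class from get_contexts(), its name is used as the
    payload; the analysis must return at least one context of that name.
    Otherwise the test fails and reports what was returned instead.
    """
    for context in get_contexts():
        expected_context_name = context.get_name()

        # Analyze once; the same result feeds the check and the message
        # (the analysis used to be repeated just to build the message).
        calculated = get_context(self.HTML, expected_context_name)

        matches = [
            calculated_context
            for contexts in calculated
            for calculated_context in contexts
            if calculated_context.get_name() == expected_context_name
        ]

        if not matches:
            msg = 'The analysis for %s context failed, got %r instead.'
            msg = msg % (expected_context_name, calculated)
            # Explicit failure instead of assertTrue(False, msg)
            self.fail(msg)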
def test_payload_js2doublequote(self):
    """A value reflected inside a double-quoted onClick handler is ScriptText.

    The second context of the first group returned by get_context() is
    expected to be ScriptText: the attribute is double-quoted HTML, but the
    handler body itself is classified as script.
    """
    html = """
    <html>
        <input type="button" value="ClickMe" onClick="PAYLOAD">
    </html>
    """
    contexts = get_context(html, "PAYLOAD")
    handler_context = contexts[0][1]
    self.assertIsInstance(handler_context, ScriptText)
def test_payload_html_inside_comment(self):
    """Markup inside an HTML comment is reported as HtmlComment, not as HTML.

    The first context of the first group must be HtmlComment even though
    the payload is wrapped in a <body> tag within the comment.
    """
    html = """
    <html>
        <!-- <body>PAYLOAD</body> -->
    </html>
    """
    first_context = get_context(html, "PAYLOAD")[0][0]
    self.assertIsInstance(first_context, HtmlComment)
def test_payload_html_inside_comment(self):
    """A payload inside <!-- --> is classified as HtmlComment.

    The <body> tag around the payload is part of the comment and must not
    change the classification of the first context of the first group.
    """
    html = '''
    <html>
        <!-- <body>PAYLOAD</body> -->
    </html>
    '''
    groups = get_context(html, 'PAYLOAD')
    self.assertIsInstance(groups[0][0], HtmlComment)
def test_payload_js2doublequote(self):
    """The body of a double-quoted onClick attribute is classified as ScriptText.

    Checks the second context of the first group returned for the payload.
    """
    html = '''
    <html>
        <input type="button" value="ClickMe" onClick="PAYLOAD">
    </html>
    '''
    groups = get_context(html, 'PAYLOAD')
    self.assertIsInstance(groups[0][1], ScriptText)
def test_payload_text_can_break(self):
    """A reflected value ending in '<' can break out of text content.

    The payload itself contains the '<', and can_break() for that payload
    must be true on the first context of the first group.
    """
    html = """
    <html>
        <a>PAYLOAD<</a>
    </html>
    """
    payload = "PAYLOAD<"
    context = get_context(html, payload)[0][0]
    self.assertTrue(context.can_break(payload))
def test_payload_src(self):
    """A value reflected as the whole src attribute of <img> is executable.

    is_executable() must be true for the first context of the first group.
    """
    html = '''
    <html>
        <img src="PAYLOAD" />
    </html>
    '''
    groups = get_context(html, 'PAYLOAD')
    src_context = groups[0][0]
    self.assertTrue(src_context.is_executable())
def test_payload_href(self):
    """A value reflected as the whole href attribute of <a> is executable.

    is_executable() must be true for the first context of the first group.
    """
    html = '''
    <html>
        <a href="PAYLOAD">foo</a>
    </html>
    '''
    groups = get_context(html, 'PAYLOAD')
    href_context = groups[0][0]
    self.assertTrue(href_context.is_executable())
def test_payload_text_can_break(self):
    """Text content followed by '<' lets the payload break out of the context.

    The '<' is part of the searched payload; can_break() must report True.
    """
    html = '''
    <html>
        <a>PAYLOAD<</a>
    </html>
    '''
    payload = 'PAYLOAD<'
    groups = get_context(html, payload)
    self.assertTrue(groups[0][0].can_break(payload))
def test_payload_src(self):
    """The src attribute of <img> holding the payload is an executable context."""
    html = """
    <html>
        <img src="PAYLOAD" />
    </html>
    """
    groups = get_context(html, "PAYLOAD")
    self.assertTrue(groups[0][0].is_executable())
def test_payload_href(self):
    """The href attribute of <a> holding the payload is an executable context."""
    html = """
    <html>
        <a href="PAYLOAD">foo</a>
    </html>
    """
    groups = get_context(html, "PAYLOAD")
    self.assertTrue(groups[0][0].is_executable())
def test_payload_script_attr_value(self):
    """An unquoted attribute value on a <script> tag is HtmlAttr, not script.

    Only the element body is script; the tag's own attributes are still HTML
    attributes, so the first context of the first group must be HtmlAttr.
    """
    html = """
    <html>
        <script foo=PAYLOAD foo2=aaa>
            bar
        </script>
    </html>
    """
    attr_context = get_context(html, "PAYLOAD")[0][0]
    self.assertIsInstance(attr_context, HtmlAttr)
def test_payload_script_broken_double_close(self):
    """A payload after a closed <script>, before a stray </script>, is HtmlText.

    The first </script> already closed the script block, so the extra
    closing tag must not pull the payload back into a script context.
    """
    html = '''
    <html>
        <script>foo</script>
        PAYLOAD
        </script>
    </html>
    '''
    groups = get_context(html, 'PAYLOAD')
    self.assertIsInstance(groups[0][0], HtmlText)
def test_payload_text_with_end_quote(self):
    """Text content followed by '<"' is HtmlText and can be broken out of.

    The double quote after the payload is plain text here; it must neither
    change the context type nor stop can_break() from reporting True.
    """
    html = """
    <html>
        <a>Quoting the great Linus Torvalds: PAYLOAD<"</a>
    </html>
    """
    payload = "PAYLOAD<"
    context = get_context(html, payload)[0][0]
    self.assertIsInstance(context, HtmlText)
    self.assertTrue(context.can_break(payload))
def test_payload_script_attr_value(self):
    """An unquoted attribute of a <script> tag is classified as HtmlAttr.

    The first context of the first group is checked; the script body
    ("bar") is not where the payload sits.
    """
    html = '''
    <html>
        <script foo=PAYLOAD foo2=aaa>
            bar
        </script>
    </html>
    '''
    groups = get_context(html, 'PAYLOAD')
    first_context = groups[0][0]
    self.assertIsInstance(first_context, HtmlAttr)
def test_payload_text_with_end_quote(self):
    """A payload ending in '<' inside text that is followed by '"' is HtmlText.

    Both the type (HtmlText) and can_break() for the payload are asserted.
    """
    html = '''
    <html>
        <a>Quoting the great Linus Torvalds: PAYLOAD<"</a>
    </html>
    '''
    payload = 'PAYLOAD<'
    groups = get_context(html, payload)
    first_context = groups[0][0]
    self.assertIsInstance(first_context, HtmlText)
    self.assertTrue(first_context.can_break(payload))
def test_payload_script_broken_double_open(self):
    """A payload inside an unclosed <script> followed by a second <script> is ScriptText.

    The first <script> is never closed before the second one opens; the
    payload must still be classified as script (first context, first group).
    """
    html = '''
    <html>
        <script>foo
        PAYLOAD
        <script>bar</script>
    </html>
    '''
    groups = get_context(html, 'PAYLOAD')
    self.assertIsInstance(groups[0][0], ScriptText)
def test_payload_html_inside_script_with_comment(self):
    """HTML-comment markers inside <script> do not turn the content into HTML.

    The <!-- ... --> wrapper and the <body> tag are script text here, so the
    first context of the first group must be ScriptText, not HtmlComment.
    """
    html = '''
    <html>
        <script>
            <!-- <body>PAYLOAD</body> -->
        </script>
    </html>
    '''
    groups = get_context(html, 'PAYLOAD')
    script_context = groups[0][0]
    self.assertIsInstance(script_context, ScriptText)
def test_payload_script_single_quote2(self):
    """A payload in a single-quoted JS string literal is ScriptSingleQuote.

    The script starts with a '//<!--' line and the payload is the value of
    an object-literal key; the first context of the first group is checked.
    """
    html = """
    <html>
        <script type="text/javascript">//<!--
            init({login:'',foo:'PAYLOAD'})
        </script>
    </html>
    """
    js_context = get_context(html, "PAYLOAD")[0][0]
    self.assertIsInstance(js_context, ScriptSingleQuote)
def test_payload_html_inside_script_with_comment(self):
    """A payload between <!-- --> inside a <script> block is ScriptText.

    Neither the comment markers nor the <body> tag inside the script change
    the classification of the first context of the first group.
    """
    html = """
    <html>
        <script>
            <!-- <body>PAYLOAD</body> -->
        </script>
    </html>
    """
    first_context = get_context(html, "PAYLOAD")[0][0]
    self.assertIsInstance(first_context, ScriptText)
def test_payload_script_single_quote(self):
    """A single-quoted attribute on a <script> tag is HtmlAttrSingleQuote.

    The payload is in the tag's attribute, not in the script body, so the
    first context of the first group is an HTML attribute context.
    """
    html = """
    <html>
        <script foo='PAYLOAD'>
            bar
        </script>
    </html>
    """
    groups = get_context(html, "PAYLOAD")
    attr_context = groups[0][0]
    self.assertIsInstance(attr_context, HtmlAttrSingleQuote)
def test_payload_script_broken_double_close(self):
    """A stray </script> after a closed script block does not make the payload script.

    The payload sits between the real </script> and the extra one; the
    first context of the first group must be HtmlText.
    """
    html = """
    <html>
        <script>foo</script>
        PAYLOAD
        </script>
    </html>
    """
    text_context = get_context(html, "PAYLOAD")[0][0]
    self.assertIsInstance(text_context, HtmlText)
def test_payload(self):
    """A payload glued to surrounding text in <body> is plain HtmlText.

    The URL-encoded '<1>' ("%3C1%3E") and the '&added=' fragment before it
    are ordinary text and must not change the first context of the first
    group.
    """
    html = '''
    <html>
        <body>
            &added=blah111%3C1%3E<br>:::::
            blahPAYLOAD<br>:::::
            :::::
        </body>
    </html>
    '''
    groups = get_context(html, 'PAYLOAD')
    self.assertIsInstance(groups[0][0], HtmlText)
def test_payload_script_broken_double_open(self):
    """An unclosed <script> followed by another <script> still yields ScriptText.

    The payload is inside the first, never-closed script block; the first
    context of the first group must be ScriptText.
    """
    html = """
    <html>
        <script>foo
        PAYLOAD
        <script>bar</script>
    </html>
    """
    script_context = get_context(html, "PAYLOAD")[0][0]
    self.assertIsInstance(script_context, ScriptText)
def test_payload(self):
    """A payload embedded in body text next to encoded characters is HtmlText.

    Checks the first context of the first group returned by get_context().
    """
    html = """
    <html>
        <body>
            &added=blah111%3C1%3E<br>:::::
            blahPAYLOAD<br>:::::
            :::::
        </body>
    </html>
    """
    first_context = get_context(html, "PAYLOAD")[0][0]
    self.assertIsInstance(first_context, HtmlText)
def test_payload_script_single_quote2(self):
    """A payload inside a single-quoted JS string is ScriptSingleQuote.

    The script body begins with '//<!--' and the payload is a property
    value in an object literal passed to init().
    """
    html = '''
    <html>
        <script type="text/javascript">//<!--
            init({login:'',foo:'PAYLOAD'})
        </script>
    </html>
    '''
    groups = get_context(html, 'PAYLOAD')
    first_context = groups[0][0]
    self.assertIsInstance(first_context, ScriptSingleQuote)
def test_payload_script_single_quote(self):
    """A payload in a single-quoted attribute of <script> is HtmlAttrSingleQuote.

    Checks the first context of the first group returned by get_context().
    """
    html = '''
    <html>
        <script foo='PAYLOAD'>
            bar
        </script>
    </html>
    '''
    first_context = get_context(html, 'PAYLOAD')[0][0]
    self.assertIsInstance(first_context, HtmlAttrSingleQuote)
def test_style_comment_case01(self):
    """A payload inside a CSS /* */ comment is reported under StyleComment's name.

    The payload used is StyleComment().get_name() itself; the second
    context of the first group must carry that same name.
    """
    style_comment = """
    <html>
        <head>
            <style>
                /* Hello STYLE_COMMENT world
                 * */
            </style>
        </head>
    </html>
    """
    expected_name = StyleComment().get_name()
    groups = get_context(style_comment, expected_name)
    calculated_name = groups[0][1].get_name()
    self.assertEqual(calculated_name, expected_name)
def test_style_comment_case01(self):
    """The name of the second context of the first group is StyleComment's.

    StyleComment().get_name() doubles as the searched payload, which is
    what the comment text inside <style> contains.
    """
    style_comment = '''
    <html>
        <head>
            <style>
                /* Hello STYLE_COMMENT world
                 * */
            </style>
        </head>
    </html>
    '''
    comment_name = StyleComment().get_name()
    found = get_context(style_comment, comment_name)[0][1]
    self.assertEqual(found.get_name(), comment_name)
def test_style_comment_case02(self):
    """A closed CSS comment in one <style> does not leak into the next one.

    The payload is in a second, comment-free <style> block; the first
    context of the first group must be named like StyleText.
    """
    style_comment = """
    <html>
        <head>
            <style>
                /* Hello world
                 * */
            </style>
            <style>
                PAYLOAD
            </style>
        </head>
    </html>
    """
    first_context = get_context(style_comment, "PAYLOAD")[0][0]
    expected_name = StyleText().get_name()
    self.assertEqual(first_context.get_name(), expected_name)
def test_style_comment_case02(self):
    """A payload in a second <style> block, after a commented first one, is StyleText.

    Names are compared rather than types: the first context of the first
    group must have StyleText's name.
    """
    style_comment = '''
    <html>
        <head>
            <style>
                /* Hello world
                 * */
            </style>
            <style>
                PAYLOAD
            </style>
        </head>
    </html>
    '''
    groups = get_context(style_comment, 'PAYLOAD')
    calculated_name = groups[0][0].get_name()
    self.assertEqual(calculated_name, StyleText().get_name())
def _analyze_persistent_result(self, fuzzable_request, response):
    '''
    After performing an HTTP request to "fuzzable_request" and getting
    "response" analyze if the response contains any of the information
    sent by any of the mutants.

    :param fuzzable_request: The request that produced "response".
    :param response: The HTTP response whose body is searched for the
                     modified values previously sent by the XSS mutants
                     recorded in self._xss_mutants.
    :return: None, Vuln (if any) are saved to the kb.
    '''
    response_body = response.get_body()

    for mutant, mutant_response_id in self._xss_mutants:
        mod_value = mutant.get_mod_value()

        # Each group of contexts is handled on its own: the first context in
        # a group that is executable, or that the value can break out of, is
        # reported and the rest of that group is skipped. The break only
        # leaves the inner loop, so a later group for the same mutant is
        # still examined and may be reported as well.
        for contexts in get_context(response_body, mod_value):
            for context in contexts:
                if not (context.is_executable() or
                        context.can_break(mod_value)):
                    continue

                self._report_persistent_vuln(mutant, response,
                                             mutant_response_id,
                                             mod_value, fuzzable_request)
                break
def _analyze_echo_result(self, mutant, response):
    '''
    Do we have a reflected XSS?

    :param mutant: The mutant that was sent to the target.
    :param response: The HTTP response obtained for that mutant.
    :return: None, record all the results in the kb.
    '''
    # Add data for the persistent xss checking
    if self._check_persistent_xss:
        self._xss_mutants.append((mutant, response.id))

    with self._plugin_lock:
        # Nothing to do when this mutant is already known as a bug.
        if self._has_bug(mutant):
            return

        mod_value = mutant.get_mod_value()
        groups = get_context(response.get_body(), mod_value)

        # Report at most once: stop at the first context that is executable
        # or that the modified value can break out of. any() short-circuits
        # in the same order the nested loops would have visited the contexts.
        # NOTE(review): the append above runs outside self._plugin_lock;
        # presumably that list has its own protection - confirm.
        reflected = any(
            context.is_executable() or context.can_break(mod_value)
            for contexts in groups
            for context in contexts
        )
        if reflected:
            self._report_vuln(mutant, response, mod_value)
def test_html_inside_js(self):
    """The third group's first context in self.HTML is named like ScriptSingleQuote.

    HtmlText().get_name() is used as the payload; the fixture self.HTML
    (defined on the class) is expected to place one occurrence inside a
    single-quoted JS string.
    """
    payload = HtmlText().get_name()
    groups = get_context(self.HTML, payload)
    calculated_name = groups[2][0].get_name()
    self.assertEqual(calculated_name, ScriptSingleQuote().get_name())
def test_payload_only_payload(self):
    """A document consisting of nothing but the payload is HtmlText."""
    bare_payload = "PAYLOAD"
    groups = get_context(bare_payload, bare_payload)
    self.assertIsInstance(groups[0][0], HtmlText)
def test_payload_empty(self):
    """An empty document yields no contexts at all (an empty list)."""
    empty_html = ""
    groups = get_context(empty_html, "PAYLOAD")
    self.assertEqual(groups, [])
def test_payload_empty(self):
    """Searching an empty document returns an empty list."""
    empty_html = ''
    self.assertEqual([], get_context(empty_html, 'PAYLOAD'))
def test_payload_only_payload(self):
    """When the whole document is the payload, its context is HtmlText."""
    html = 'PAYLOAD'
    first_context = get_context(html, html)[0][0]
    self.assertIsInstance(first_context, HtmlText)
def test_html_inside_js(self):
    """In self.HTML the first context of the third group is a ScriptSingleQuote.

    The payload is HtmlText().get_name(); names are compared instead of
    types. self.HTML is a fixture defined on the test class.
    """
    expected_name = ScriptSingleQuote().get_name()
    third_group = get_context(self.HTML, HtmlText().get_name())[2]
    self.assertEqual(third_group[0].get_name(), expected_name)