Example #1
    def _has_no_bug(self, fuzz_req, varname='', pname='', kb_varname=''):
        '''
        Tell whether a finding for this `fuzz_req` / `varname` pair is still
        missing from the knowledge base, so that reporting it would not
        create a duplicate.

        A stored finding counts as a duplicate only when all three hold:
        same injection variable, same data container keys, and
        `are_variants()` accepts both URIs. Findings on URIs that
        `are_variants()` groups together are therefore reported only once.

        :param fuzz_req: A FuzzableRequest like object.
        :param varname: Name of the injection parameter. When empty it is
            read from `fuzz_req.get_var()`.
        :param pname: Name of the plugin whose findings are looked up.
            Defaults to self.get_name().
        :param kb_varname: Knowledge base variable holding the findings.
            Defaults to the resolved plugin name.
        :return: False if a matching finding is already stored, True
            otherwise.
        :raises ValueError: If `varname` is empty and `fuzz_req` has no
            `get_var` attribute.
        '''
        # The plugin lock is held for the whole lookup.
        with self._plugin_lock:
            if not varname:
                if not hasattr(fuzz_req, 'get_var'):
                    raise ValueError("Invalid arg 'varname': %s" % varname)
                varname = fuzz_req.get_var()

            plugin_name = pname or self.get_name()
            kb_key = kb_varname or plugin_name

            for known in kb.kb.get(plugin_name, kb_key):
                same_var = known.get_var() == varname
                if not same_var:
                    continue

                same_keys = fuzz_req.get_dc().keys() == known.get_dc().keys()
                if not same_keys:
                    continue

                if are_variants(known.get_uri(), fuzz_req.get_uri()):
                    # Already reported for an equivalent request.
                    return False

            return True
Example #2
    def _need_more_variants(self, new_reference):
        """
        Decide whether `new_reference` should still be crawled, given how
        many variants of it are already in self._already_crawled.

        @new_reference: The new URL to compare against the references
        stored in self._already_crawled.

        @return: True if more variants of the reference are wanted, False
        once more than MAX_VARIANTS stored references are variants of it.

        Rationale: the whole site should be crawled, but a site such as
        youtube.com exposes a huge number of links of the form:
            - http://www.youtube.com/watch?v=xwLNu5MHXFs
            - http://www.youtube.com/watch?v=JEzjwifH4ts
            - ...
            - http://www.youtube.com/watch?v=something_here

        Following every one of them is pointless. A fixed number of variant
        URLs is followed in case they lead somewhere interesting; after
        that, further variants are ignored. The trade-off is coverage:
        variants beyond the limit are never requested.
        """
        variant_count = 0
        for crawled in self._already_crawled:
            variant_count += 1 if are_variants(crawled, new_reference) else 0

            # The limit is checked on every iteration, as soon as it can trip.
            if variant_count > MAX_VARIANTS:
                om.out.debug('Ignoring new reference "' + new_reference +
                             '" (it is simply a variant).')
                return False

        return True
 def test_same_param_diff_value_type(self):
     """Same parameter, one all-digit and one alphabetic value: not variants."""
     numeric_id = URL('http://w3af.com/foo.php?id=1111')
     text_id = URL('http://w3af.com/foo.php?id=spam')
     self.assertFalse(are_variants(numeric_id, text_id))
 def test_same_params_diff_values(self):
     """Same parameter names with different values of the same kind: variants."""
     first = URL('http://w3af.com/foo.php?id=1&foo=bar')
     second = URL('http://w3af.com/foo.php?id=333&foo=spam')
     self.assertTrue(are_variants(first, second))
 def test_diff_domain_params(self):
     """Different domain and a different parameter set: not variants."""
     com_url = URL('http://w3af.com/foo.php?id=1&foo=bar')
     org_url = URL('http://w3af.org/foo.php?id=1')
     self.assertFalse(are_variants(com_url, org_url))
 def test_diff_domain(self):
     """Identical path and query string on another domain: not variants."""
     first = URL('http://w3af.com/foo.php?id=1')
     other_domain = URL('http://bonsai-sec.com/foo.php?id=1')
     self.assertFalse(are_variants(first, other_domain))
 def test_diff_file_param(self):
     """Different file name and different parameter name: not variants."""
     bar_url = URL('http://w3af.com/bar.php?id=1')
     foo_url = URL('http://w3af.com/foo.php?foo=1')
     self.assertFalse(are_variants(bar_url, foo_url))
 def test_diff_params(self):
     """Same file, same value, different parameter name: not variants."""
     with_x = URL('http://w3af.com/foo.php?x=1')
     with_y = URL('http://w3af.com/foo.php?y=1')
     self.assertFalse(are_variants(with_x, with_y))
 def test_eq(self):
     """Two equal URLs without a query string are variants of each other."""
     left = URL('http://w3af.com/foo.php')
     right = URL('http://w3af.com/foo.php')
     self.assertTrue(are_variants(left, right))
 def test_same_param_diff_value_type(self):
     """Same parameter, one all-digit and one alphabetic value: not variants."""
     numeric_id = URL('http://w3af.com/foo.php?id=1111')
     text_id = URL('http://w3af.com/foo.php?id=spam')
     is_variant = are_variants(numeric_id, text_id)
     self.assertFalse(is_variant)
 def test_same_params_diff_values(self):
     """Same parameter names with different values of the same kind: variants."""
     first = URL('http://w3af.com/foo.php?id=1&foo=bar')
     second = URL('http://w3af.com/foo.php?id=333&foo=spam')
     is_variant = are_variants(first, second)
     self.assertTrue(is_variant)
 def test_diff_domain_params(self):
     """Different domain and a different parameter set: not variants."""
     com_url = URL('http://w3af.com/foo.php?id=1&foo=bar')
     org_url = URL('http://w3af.org/foo.php?id=1')
     is_variant = are_variants(com_url, org_url)
     self.assertFalse(is_variant)
 def test_diff_domain(self):
     """Identical path and query string on another domain: not variants."""
     first = URL('http://w3af.com/foo.php?id=1')
     other_domain = URL('http://bonsai-sec.com/foo.php?id=1')
     is_variant = are_variants(first, other_domain)
     self.assertFalse(is_variant)
 def test_diff_file_param(self):
     """Different file name and different parameter name: not variants."""
     bar_url = URL('http://w3af.com/bar.php?id=1')
     foo_url = URL('http://w3af.com/foo.php?foo=1')
     is_variant = are_variants(bar_url, foo_url)
     self.assertFalse(is_variant)
 def test_diff_params(self):
     """Same file, same value, different parameter name: not variants."""
     with_x = URL('http://w3af.com/foo.php?x=1')
     with_y = URL('http://w3af.com/foo.php?y=1')
     is_variant = are_variants(with_x, with_y)
     self.assertFalse(is_variant)
 def test_eq(self):
     """Two equal URLs without a query string are variants of each other."""
     left = URL('http://w3af.com/foo.php')
     right = URL('http://w3af.com/foo.php')
     is_variant = are_variants(left, right)
     self.assertTrue(is_variant)