def test_analyze_cookies_collect_uniq(self):
body = ''
url = URL('http://www.w3af.com/')
headers = Headers({
'content-type': 'text/html',
'Set-Cookie': 'abc=def'
}.items())
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
headers = Headers({
'content-type': 'text/html',
'Set-Cookie': '123=456'
}.items())
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
headers = Headers({
'content-type': 'text/html',
'Set-Cookie': 'abc=456'
}.items())
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEqual(len(kb.kb.get('analyze_cookies', 'cookies')), 2)
self.assertEqual(len(kb.kb.get('analyze_cookies', 'invalid-cookies')),
0)
def test_analyze_cookies_https_value_over_http(self):
body = ''
url = URL('https://www.w3af.com/')
headers = Headers({
'content-type': 'text/html',
'Set-Cookie': 'abc=defjkluio; secure; httponly;'
}.items())
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
# Receive the cookie over HTTPS
self.plugin.grep(request, response)
url = URL('http://www.w3af.com/?id=defjkluio')
headers = Headers({'content-type': 'text/html'}.items())
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
# Send the cookie over HTTP as a parameter value
self.plugin.grep(request, response)
security = kb.kb.get('analyze_cookies', 'security')
self.assertEqual(len(kb.kb.get('analyze_cookies', 'cookies')), 1)
self.assertEqual(len(security), 1)
self.assertEqual(len(kb.kb.get('analyze_cookies', 'invalid-cookies')),
0)
names = [i.get_name() for i in security]
self.assertIn('Secure cookies over insecure channel', names)
def test_basic(self):
resp1 = HTTPResponse(200, 'abc', self.headers, self.url, self.url)
resp2 = HTTPResponse(200, 'abc', self.headers, self.url, self.url)
parser1 = self.dpc.get_document_parser_for(resp1)
parser2 = self.dpc.get_document_parser_for(resp2)
self.assertEqual(id(parser1), id(parser2))
def test_ssn_empty_string(self):
body = ''
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, self.url, self.url, _id=1)
self.plugin._already_inspected = set()
self.plugin.grep(self.request, response)
self.assertEquals(len(kb.kb.get('ssn', 'ssn')), 0)
def test_clamav_workers(self, *args):
WAIT_TIME = 3
DELTA = WAIT_TIME * 0.1
# Prepare the mocked plugin
def wait(x, y):
time.sleep(WAIT_TIME)
self.plugin._is_properly_configured = Mock(return_value=True)
self.plugin._scan_http_response = wait
self.plugin._report_result = lambda x: 42
start_time = time.time()
for i in xrange(3):
body = ''
url = URL('http://www.w3af.com/%s' % i)
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
# Let the worker pool wait for the clamd response, this is done by
# the core when run in a real scan
self.plugin.worker_pool.close()
self.plugin.worker_pool.join()
end_time = time.time()
time_spent = end_time - start_time
findings = kb.kb.get('clamav', 'malware')
self.assertEqual(len(findings), 0, findings)
self.assertLessEqual(time_spent, WAIT_TIME + DELTA)
def test_find_vulns_case03(self):
'''
Test case in which we set vulnerables policies for
"sandbox","reflected-xss" directives using valid values.
'''
header_value = "sandbox allow-* allow-forms allow-same-origin " \
"allow-scripts allow-top-navigation;"\
"reflected-xss allow;"
hrds = {CSP_HEADER_W3C: header_value}.items()
csp_headers = Headers(hrds)
http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
vulns = find_vulns(http_response)
self.assertEqual(len(vulns), 2)
#>>>"sandbox"
self.assertEqual(len(vulns[CSP_DIRECTIVE_SANDBOX]), 2)
warn_msg = "Directive 'sandbox' apply no restrictions."
self.assertTrue(vulns[CSP_DIRECTIVE_SANDBOX][0].desc, warn_msg)
self.assertTrue(vulns[CSP_DIRECTIVE_SANDBOX][1].desc, warn_msg)
#>>>"reflected-xss"
self.assertEqual(len(vulns[CSP_DIRECTIVE_XSS]), 1)
warn_msg = "Directive 'reflected-xss' instruct user agent to "\
"disable its active protections against reflected XSS."
self.assertTrue(self._vuln_exists(warn_msg, vulns[CSP_DIRECTIVE_XSS]))
def test_find_vulns_case02(self):
'''
Test case in which we set vulnerables policies for "sandbox",
"script-nonce","plugin-types","reflected-xss" directives
using invalid values.
'''
header_value = "sandbox allow-invalid; script-nonce aaa,bbb;"\
"plugin-types app/titi application/pdf; reflected-xss disallow;"
hrds = {CSP_HEADER_W3C: header_value}.items()
csp_headers = Headers(hrds)
http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
vulns = find_vulns(http_response)
self.assertEqual(len(vulns), 4)
#>>>"sandbox"
self.assertEqual(len(vulns[CSP_DIRECTIVE_SANDBOX]), 1)
warn_msg = "Directive 'sandbox' specify invalid value: 'allow-invalid'."
self.assertTrue(
self._vuln_exists(warn_msg, vulns[CSP_DIRECTIVE_SANDBOX]))
#>>>"script-nonce"
self.assertEqual(len(vulns[CSP_DIRECTIVE_SCRIPT_NONCE]), 1)
warn_msg = "Directive 'script-nonce' is defined "\
"but nonce contains invalid character (','|';')."
self.assertTrue(
self._vuln_exists(warn_msg, vulns[CSP_DIRECTIVE_SCRIPT_NONCE]))
#>>>"reflected-xss"
self.assertEqual(len(vulns[CSP_DIRECTIVE_XSS]), 1)
warn_msg = "Directive 'reflected-xss' specify invalid value: 'disallow'."
self.assertTrue(self._vuln_exists(warn_msg, vulns[CSP_DIRECTIVE_XSS]))
#>>>"plugins-types"
self.assertEqual(len(vulns[CSP_DIRECTIVE_PLUGIN_TYPES]), 1)
warn_msg = "Directive 'plugin-types' specify invalid mime type: 'app/titi'."
self.assertTrue(
self._vuln_exists(warn_msg, vulns[CSP_DIRECTIVE_PLUGIN_TYPES]))
def _new_no_content_resp(self, uri, log_it=False):
'''
Return a new NO_CONTENT HTTPResponse object. Optionally call the
subscribed log handlers
:param uri: URI string or request object
:param log_it: Boolean that indicated whether to log request
and response.
'''
# accept a URI or a Request object
if isinstance(uri, URL):
req = HTTPRequest(uri)
elif isinstance(uri, HTTPRequest):
req = uri
else:
msg = 'The uri parameter of ExtendedUrllib._new_content_resp() has to be'\
' of HTTPRequest of URL type.'
raise Exception(msg)
# Work,
no_content_response = HTTPResponse(NO_CONTENT, '', Headers(), uri,
uri, msg='No Content')
if log_it:
# This also assigns the id to both objects.
LogHandler.log_req_resp(req, no_content_response)
if no_content_response.id is None:
no_content_response.id = seq_gen.inc()
return no_content_response
def test_blank_body_code(self):
body = ''
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(401, body, headers, self.url, self.url, _id=1)
request = FuzzableRequest(self.url, method='GET')
self.plugin.grep(request, response)
self.assertEqual(len(kb.kb.get('blank_body', 'blank_body')), 0)
def _build_http_response(body_content, content_type):
headers = Headers()
headers[u'content-type'] = content_type
url = URL('http://w3af.com')
return HTTPResponse(200, body_content, headers, url, url, charset='utf-8')
def test_retrieve_csp_policies_with_policies_case04(self):
'''
Test case in which 4 policies are specified using 4 differents CSP
headers and in which 1 is specified using report only CSP header.
Test in which we want only mandatory policies.
'''
hrds = {}
hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'none'"
hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_IMAGE + " *"
hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_CONNECTION + \
" trust.sample.com"
hrds[CSP_HEADER_W3C_REPORT_ONLY] = CSP_DIRECTIVE_SCRIPT + \
" report.sample.com"
csp_headers = Headers(hrds.items())
http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
policies = retrieve_csp_policies(http_response)
self.assertEqual(len(policies), 3)
self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_OBJECT][0], "none")
self.assertEqual(len(policies[CSP_DIRECTIVE_IMAGE]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_IMAGE][0], "*")
self.assertEqual(len(policies[CSP_DIRECTIVE_CONNECTION]), 1)
self.assertEqual(policies[CSP_DIRECTIVE_CONNECTION][0],
"trust.sample.com")
def test_bug_13_Dec_2012(self):
url1 = URL('http://w3af.com/foo/')
url2 = URL('http://w3af.com/bar/')
body = '<a href="?id=1">1</a>'
resp1 = HTTPResponse(200, body, self.headers, url1, url1)
resp2 = HTTPResponse(200, body, self.headers, url2, url2)
parser1 = self.dpc.get_document_parser_for(resp1)
parser2 = self.dpc.get_document_parser_for(resp2)
self.assertNotEqual(id(parser1), id(parser2))
_, parsed_refs_1 = parser1.get_references()
_, parsed_refs_2 = parser2.get_references()
self.assertEqual(parsed_refs_1, parsed_refs_2)
def test_blank_body_method(self):
body = ''
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, self.url, self.url, _id=1)
request = FuzzableRequest(self.url, method='ARGENTINA')
self.plugin.grep(request, response)
self.assertEqual(len(kb.kb.get('ssn', 'ssn')), 0)
def profile_me():
'''
To be profiled
'''
for _ in xrange(1):
for counter in xrange(1, 5):
file_name = 'test-' + str(counter) + '.html'
file_path = os.path.join('plugins', 'tests', 'grep',
'data', file_name)
body = file(file_path).read()
hdrs = Headers({'Content-Type': 'text/html'}.items())
response = HTTPResponse(200,
body,
hdrs,
URL(self.url_str + str(counter)),
URL(self.url_str + str(counter)),
_id=random.randint(1, 5000))
request = FuzzableRequest(self.url_inst)
for pinst in self._plugins:
pinst.grep(request, response)
for pinst in self._plugins:
pinst.end()
def test_check_case09(self):
is_vuln = IsVulnerableHelper(200, 301, re.compile('def'),
re.compile('xyz'), re.compile('spam'))
url = URL('http://moth/')
http_response = HTTPResponse(301, 'hello world abc def', Headers(),
url, url)
self.assertTrue(is_vuln.check(http_response))
def test_ajax_empty(self):
body = ''
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('ajax', 'ajax')), 0)
def test_wsdl_greper_positive(self):
body = 'ABC ' * 100
body += '/s:sequence'
body += '</br> ' * 50
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, self.url, self.url, _id=1)
self.plugin.grep(self.request, response)
self.assertEqual(len(kb.kb.get('wsdl_greper', 'wsdl')), 1)
def test_ajax_broken_2(self):
body = '<html><head><script>xhr = new XMLHttpRequest(); xhr.open(GET, "data.txt", true);'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('ajax', 'ajax')), 1)
def test_ajax_two(self):
body = '<script> ... xhr = new XMLHttpRequest(); ... xhr = new ActiveXObject("Microsoft.XMLHTTP"); ... </script>'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('ajax', 'ajax')), 1)
def test_provides_csp_features_no_case01(self):
'''
Test case in which site do not provides CSP features.
'''
hrds = {}.items()
csp_headers = Headers(hrds)
http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
self.assertFalse(provides_csp_features(http_response))
def test_oracle_long(self):
body = 'ABC ' * 10000
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEqual(len(kb.kb.get('oracle', 'oracle')), 0)
def test_find_credit_card_html(self):
body = '<a> 378282246310005</a>'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('credit_cards', 'credit_cards')), 1)
def test_http_auth_detect_simple(self):
body = ''
hdrs = {'content-type': 'text/html', 'www-authenticate': 'realm-w3af'}
hdrs = Headers(hdrs.items())
response = HTTPResponse(401, body, hdrs, self.url, self.url, _id=1)
self.plugin.grep(self.request, response)
self.assertEqual(len(kb.kb.get('http_auth_detect', 'auth')), 1)
self.assertEqual(len(kb.kb.get('http_auth_detect', 'userPassUri')), 0)
def test_private_ip_broken_html(self):
body = '<html><head>192.168.1.1</html>'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('private_ip', 'HTML')), 1)
def test_private_ip_find_10(self):
body = 'header 10.2.34.2 footer'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('private_ip', 'HTML')), 1)
def test_invalid_check_not_find_credit_card_spaces(self):
body = '3566 0020 2036 0705'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('credit_cards', 'credit_cards')), 0)
def test_strange_http_codes(self):
body = ''
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
request = FuzzableRequest(url, method='GET')
resp_200 = HTTPResponse(200, body, headers, url, url, _id=1)
resp_404 = HTTPResponse(404, body, headers, url, url, _id=1)
KNOWN_GOOD = [resp_200, resp_404]
resp_999 = HTTPResponse(999, body, headers, url, url, _id=1)
resp_123 = HTTPResponse(123, body, headers, url, url, _id=1)
resp_567 = HTTPResponse(567, body, headers, url, url, _id=1)
resp_666 = HTTPResponse(666, body, headers, url, url, _id=1)
resp_777 = HTTPResponse(777, body, headers, url, url, _id=1)
KNOWN_BAD = [resp_999, resp_123, resp_567, resp_666, resp_777]
for resp in KNOWN_GOOD:
kb.kb.cleanup()
self.plugin.grep(request, resp)
self.assertEquals(len(kb.kb.get('strange_http_codes',
'strange_http_codes')), 0)
for resp in KNOWN_BAD:
kb.kb.cleanup()
self.plugin.grep(request, resp)
self.assertEquals(len(kb.kb.get('strange_http_codes',
'strange_http_codes')), 1)
def test_none(self):
body = '<an object="1"> <or applet=2> <apple>'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('objects', 'objects')), 0)
def test_no_code_disclosure_blank(self, *args):
body = ''
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEqual(
len(kb.kb.get('code_disclosure', 'code_disclosure')), 0)
def test_ASP_code_disclosure(self, *args):
body = 'header <% Response.Write("Hello World!") %> footer'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEqual(
len(kb.kb.get('code_disclosure', 'code_disclosure')), 1)
