def test_process(self):
with self.assertRaises(SystemExit):
with capture_sys_output() as (stdout, stderr):
self.proc_class([])
self.assertIn('too few arguments', stderr.getvalue())
with self.assertRaises(SystemExit):
with capture_sys_output() as (stdout, stderr):
self.proc_class(['unknown'])
self.assertIn("invalid choice: 'unknown'", stderr.getvalue())
with self.assertRaises(SystemExit):
with capture_sys_output() as (stdout, stderr):
self.proc_class(['json'])
self.assertIn('too few arguments', stderr.getvalue())
file_path = 'tests/unknown_mapping.json'
with self.assertRaises(IOError) as cm:
self.proc_class(['json', file_path])
self.assertIn("No such file or directory: '{}'".format(file_path),
cm.exception.message)
file_path = 'tests/mapping.json'
proc = self.proc_class(['json', file_path])
with open(file_path) as fd:
self.assertEquals(proc.current_mode.mapping,
json.loads(fd.read()))
def test_modes(self):
self.initialize_mode2_was_called = False
self.initialize_mode3_was_called = False
class Mode1(ProcessMode):
def set_arguments(self, subparser):
pass
class Mode2(Mode1):
def initialize(mode_self, arguments):
attr_format = 'initialize_{}_was_called'
name = attr_format.format(mode_self.__class__.__name__.lower())
setattr(self, name, True)
class Mode3(Mode2):
pass
class MyProcess(Process):
MODES = [Mode1, Mode2, Mode3]
with self.assertRaises(SystemExit):
with capture_sys_output() as (stdout, stderr):
MyProcess([])
self.assertIn('too few arguments', stderr.getvalue())
with self.assertRaises(SystemExit):
with capture_sys_output() as (stdout, stderr):
MyProcess(['unknown'])
self.assertIn("invalid choice: 'unknown'", stderr.getvalue())
proc = MyProcess(['mode1'])
for mode in [Mode1, Mode2, Mode3]:
self.assertIn(mode, proc.MODES)
self.assertTrue(isinstance(proc.current_mode, Mode1))
self.assertFalse(self.initialize_mode2_was_called)
self.assertFalse(self.initialize_mode3_was_called)
self.initialize_mode2_was_called = False
self.initialize_mode3_was_called = False
proc = MyProcess(['mode2'])
self.assertTrue(isinstance(proc.current_mode, Mode2))
self.assertTrue(self.initialize_mode2_was_called)
self.assertFalse(self.initialize_mode3_was_called)
self.initialize_mode2_was_called = False
self.initialize_mode3_was_called = False
proc = MyProcess(['mode3'])
self.assertTrue(isinstance(proc.current_mode, Mode3))
self.assertFalse(self.initialize_mode2_was_called)
self.assertTrue(self.initialize_mode3_was_called)
def test_get_dnskey_good(self):
output.setup(False, False)
with utils.capture_sys_output() as (stdout, stderr):
recs = dnssec.get_dnskey("cloudflare.com")
self.assertNotIn("Exception", stderr.getvalue())
self.assertTrue(len(recs) > 0)
def test_jira_user_reg(self):
url = "https://www.example.org/secure/Dashboard.jspa"
target_dir = os.path.dirname(os.path.realpath("__file__"))
path = os.path.join(target_dir, "tests/test_data/jira_registration.txt")
contents = Path(path).read_text()
try:
output.setup(False, True, True)
with utils.capture_sys_output() as (stdout, stderr):
with requests_mock.Mocker() as m:
m.get(
"https://www.example.org/secure/Signup!default.jspa",
text=contents,
status_code=200,
)
results = jira.check_jira_user_registration(url)
except Exception as error:
self.assertIsNone(error)
self.assertIsNotNone(results)
self.assertTrue(len(results) > 0)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stdout.getvalue())
self.assertTrue(
any("Jira User Registration Enabled" in r.message for r in results)
)
network.reset()
def test_jira_found(self):
url = "https://www.example.org/"
target_dir = os.path.dirname(os.path.realpath("__file__"))
path = os.path.join(target_dir, "tests/test_data/jira_dashboard.txt")
contents = Path(path).read_text()
try:
output.setup(False, True, True)
with utils.capture_sys_output() as (stdout, stderr):
with requests_mock.Mocker() as m:
m.get(url, text="body", status_code=200)
m.get(f"{url}secure/Dashboard.jspa", text=contents, status_code=200)
m.get(
f"{url}jira/secure/Dashboard.jspa", text="body", status_code=404
)
session = Session(None, url)
results, jira_url = jira.check_for_jira(session)
except Exception as error:
self.assertIsNone(error)
self.assertIsNotNone(jira_url)
self.assertIsNotNone(results)
self.assertTrue(len(results) > 0)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stdout.getvalue())
self.assertTrue(any("Jira Installation Found" in r.message for r in results))
self.assertTrue(any("v8.1.0-801000" in r.message for r in results))
network.reset()
def test_get_dnskey_none(self):
output.setup(False, False)
with utils.capture_sys_output() as (stdout, stderr):
recs = dnssec.get_dnskey("adamcaudill.com")
self.assertNotIn("Exception", stderr.getvalue())
self.assertTrue(len(recs) == 0)
def test_cve_2019_11043_false(self):
network.init("", "", "")
output.setup(False, False, False)
url = "https://www.example.org/"
p = command_line.build_parser()
ns = p.parse_args(args=["scan"])
s = Session(ns, url)
try:
output.setup(False, True, True)
with utils.capture_sys_output() as (stdout, stderr):
with requests_mock.Mocker() as m:
m.get(requests_mock.ANY, status_code=200)
m.head(requests_mock.ANY, status_code=200)
results = php.check_cve_2019_11043(
s, ["https://www.example.org/test/"]
)
except Exception as error:
self.assertIsNone(error)
self.assertIsNotNone(results)
self.assertTrue(len(results) == 0)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stdout.getvalue())
network.reset()
def test_get_info_message(self):
output.setup(False, False, False)
with utils.capture_sys_output() as (stdout, stderr):
recs = api.get_info_message()
self.assertNotIn("Exception", stderr.getvalue())
self.assertTrue(len(recs) > 0)
def test_get_header_issues_dup_header(self):
network.init("", "", "")
output.setup(False, False, False)
# we are using www.google.com as they return multiple Set-Cookie headers
url = "https://www.google.com"
output.setup(False, True, True)
with utils.capture_sys_output() as (stdout, stderr):
resp = requests.get(url)
results = http_basic.get_header_issues(
resp, network.http_build_raw_response(resp), url
)
self.assertIsNotNone(results)
self.assertTrue(len(results) > 0)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stdout.getvalue())
self.assertTrue(
any(
"Header Set-Cookie set multiple times with different values"
in r.message
for r in results
)
)
def test_process_urls_maybe_valid(self):
parser = command_line.build_parser()
args, urls = parser.parse_known_args(["scan", "adamcaudill.com"])
with utils.capture_sys_output() as (stdout, stderr):
command_line.process_urls(urls)
self.assertEqual("", stderr.getvalue())
def test_process_urls_unknown_param(self):
parser = command_line.build_parser()
args, urls = parser.parse_known_args(["scan", "--dfghjk"])
with utils.capture_sys_output() as (stdout, stderr):
command_line.process_urls(urls)
self.assertIn("YAWAST Error: Invalid parameter", stderr.getvalue())
def test_process_urls_invalid_ftp(self):
parser = command_line.build_parser()
args, urls = parser.parse_known_args(["scan", "ftp://adamcaudill.com"])
with self.assertRaises(SystemExit):
with utils.capture_sys_output() as (stdout, stderr):
command_line.process_urls(urls)
self.assertIn("YAWAST Error: Invalid URL Specified", stderr.getvalue())
def test_check_open_ports_cli_bad_domain(self):
output.setup(False, False, False)
target_dir = os.path.dirname(os.path.realpath("__file__"))
path = os.path.join(target_dir, "tests/test_data/common_ports.json")
with utils.capture_sys_output() as (stdout, stderr):
_check_open_ports("invalidaksjdhkajshd.com",
"https://adamcaudill.com", path)
self.assertNotIn("Exception", stderr.getvalue())
def test_process_urls_empty(self):
parser = command_line.build_parser()
args, urls = parser.parse_known_args(["scan"])
with self.assertRaises(SystemExit):
with utils.capture_sys_output() as (stdout, stderr):
command_line.process_urls(urls)
self.assertIn("YAWAST Error: You must specify at least one URL.",
stderr.getvalue())
def test_build_parser(self):
parser = command_line.build_parser()
# make sure we got something back
self.assertIsNotNone(parser)
with self.assertRaises(SystemExit) as cm:
with utils.capture_sys_output() as (stdout, stderr):
parser.parse_known_args([""])
self.assertIn("yawast: error", stderr.getvalue())
def test_net_init_valid_proxy_alt(self):
try:
output.setup(False, True, True)
with utils.capture_sys_output() as (stdout, stderr):
network.init("127.0.0.1:1234", "", "")
except Exception as error:
self.assertIsNone(error)
self.assertIsNotNone(network._requester)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stdout.getvalue())
self.assertNotIn("Invalid proxy server specified", stdout.getvalue())
network.reset()
def test_wp_ident(self):
network.init("", "", "")
url = "https://adamcaudill.com/"
output.setup(False, False, False)
with utils.capture_sys_output() as (stdout, stderr):
try:
_, res = wordpress.identify(url)
except Exception as error:
self.assertIsNone(error)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stderr.getvalue())
self.assertTrue(any("Found WordPress" in r.message for r in res))
def test__get_vulnerability_info(self):
target_dir = os.path.dirname(os.path.realpath("__file__"))
path = os.path.join(target_dir,
"tests/test_data/ssl_labs_analyze_data.json")
with open(path) as json_file:
body = json.load(json_file)
try:
for ep in body["endpoints"]:
with utils.capture_sys_output() as (stdout, stderr):
_get_vulnerability_info(ep, "http://adamcaudill.com")
except Exception as error:
print(error)
self.assertIsNone(error)
def test_net_init_invalid_header(self):
try:
output.setup(False, True, True)
with utils.capture_sys_output() as (stdout, stderr):
network.init("", "", "AUTH123")
_ = network.http_get("http://example.com")
except Exception as error:
self.assertIsNone(error)
self.assertIsNotNone(network._requester)
self.assertNotIn("Exception", stderr.getvalue())
self.assertIn("Error", stdout.getvalue())
self.assertIn("header must be in NAME=VALUE format", stdout.getvalue())
network.reset()
def test_find_backup_ext(self):
network.init("", "", "")
url = "https://adamcaudill.com/"
output.setup(False, False, False)
with utils.capture_sys_output() as (stdout, stderr):
try:
http.reset()
_, _ = file_search.find_backups(
[url, f"{url}readme.html", f"{url}#test"]
)
except Exception as error:
self.assertIsNone(error)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stderr.getvalue())
def test_wp_json_user_enum(self):
network.init("", "", "")
url = "https://adamcaudill.com/"
output.setup(False, False, False)
with utils.capture_sys_output() as (stdout, stderr):
try:
res = wordpress.check_json_user_enum(url)
except Exception as error:
self.assertIsNone(error)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stderr.getvalue())
self.assertTrue(
any("WordPress WP-JSON User Enumeration" in r.message for r in res)
)
def test_check_404(self):
network.init("", "", "X-Test=123")
url = "https://adamcaudill.com/"
output.setup(False, False, False)
with utils.capture_sys_output() as (stdout, stderr):
with requests_mock.Mocker() as m:
m.get(requests_mock.ANY, text="body", status_code=200)
try:
file, _, _, _ = network.check_404_response(url)
except Exception as error:
self.assertIsNone(error)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stderr.getvalue())
def test_check_put(self):
network.init("", "", "")
url = "https://adamcaudill.com/"
output.setup(False, False, False)
with utils.capture_sys_output() as (stdout, stderr):
with requests_mock.Mocker() as m:
m.put(requests_mock.ANY, text="body", status_code=200)
try:
res = network.http_put(url, "data")
except Exception as error:
self.assertIsNone(error)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stderr.getvalue())
self.assertIsNotNone(res)
def test_pwd_rst_get_driver(self):
url = "https://example.com/"
output.setup(False, False, False)
with utils.capture_sys_output() as (stdout, stderr):
p = command_line.build_parser()
ns = p.parse_args(args=["scan"])
s = Session(ns, url)
try:
driver = _get_driver(s, url)
except Exception as error:
self.assertIsNone(error)
self.assertIsInstance(driver, WebDriver)
self.assertIn("<h1>Example Domain</h1>", driver.page_source)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stderr.getvalue())
def test_find_backup_ext_all(self):
network.init("", "", "")
url = "https://adamcaudill.com/"
output.setup(False, False, False)
with utils.capture_sys_output() as (stdout, stderr):
with requests_mock.Mocker() as m:
m.get(requests_mock.ANY, text="body", status_code=200)
m.head(requests_mock.ANY, status_code=200)
try:
http.reset()
_, res = file_search.find_backups([url, f"{url}test/readme.html"])
except Exception as error:
self.assertIsNone(error)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stderr.getvalue())
self.assertTrue(any("Found backup file" in r.message for r in res))
def test_ds_store(self):
url = "https://www.example.org/"
try:
output.setup(False, True, True)
with utils.capture_sys_output() as (stdout, stderr):
with requests_mock.Mocker() as m:
m.get(requests_mock.ANY, content=b"\0\0\0\1Bud1\0", status_code=200)
results = file_search.find_ds_store([url])
except Exception as error:
self.assertIsNone(error)
self.assertIsNotNone(results)
self.assertTrue(len(results) > 0)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stdout.getvalue())
self.assertTrue(any(".DS_Store File Found" in r.message for r in results))
network.reset()
def test_pwd_rst_find_field(self):
url = "https://underhandedcrypto.com/wp-login.php?action=lostpassword"
output.setup(False, False, False)
with utils.capture_sys_output() as (stdout, stderr):
p = command_line.build_parser()
ns = p.parse_args(args=["scan"])
s = Session(ns, url)
try:
driver = _get_driver(s, url)
element = _find_user_field(driver)
except Exception as error:
self.assertIsNone(error)
self.assertIsInstance(driver, WebDriver)
self.assertIsInstance(element, WebElement)
self.assertIn("Username or Email Address", driver.page_source)
self.assertNotIn("Exception", stderr.getvalue())
self.assertNotIn("Error", stderr.getvalue())
self.assertEqual("user_login", element.get_attribute("id"))
def test_print_header(self):
with utils.capture_sys_output() as (stdout, stderr):
main.print_header()
self.assertIn("(v%s)" % get_version(), stdout.getvalue())
