Example #1
    def audit(self, freq, orig_response):
        """
        Run the CORS analysis for a request when the target exposes CORS.

        The request URL is handed to analyze_cors_security() only if
        provides_cors_features() returns a truthy value; otherwise the
        method returns without analyzing anything.

        :param freq: A FuzzableRequest
        :param orig_response: Not read by this method
        """
        # The probe gates the whole audit: a URL it reports as non-CORS is
        # skipped, so any miss in the probe is a miss in the analysis too.
        cors_supported = provides_cors_features(freq, self._uri_opener)
        if cors_supported:
            self.analyze_cors_security(freq.get_url())
Example #2
    def audit(self, freq, orig_response):
        """
        Analyze the CORS configuration of the URL behind a request.

        Nothing is analyzed unless provides_cors_features() reports that
        the URL offers CORS features.

        :param freq: A FuzzableRequest
        :param orig_response: Not read by this method
        """
        # Only URLs the probe flags as CORS-enabled reach the analysis step
        if provides_cors_features(freq, self._uri_opener):
            target_url = freq.get_url()
            self.analyze_cors_security(target_url)
Example #3
    def audit(self, freq, orig_response, debugging_id):
        """
        Run the CORS analysis for a request when the target exposes CORS.

        The request URL is handed to analyze_cors_security() only if
        provides_cors_features() returns a truthy value. The same
        debugging_id is forwarded to both calls.

        :param freq: A FuzzableRequest
        :param orig_response: The HTTP response associated with the fuzzable
                              request (not read by this method)
        :param debugging_id: A unique identifier for this call to audit()
        """
        # The probe gates the whole audit: a URL it reports as non-CORS is
        # skipped, so any miss in the probe is a miss in the analysis too.
        cors_supported = provides_cors_features(freq,
                                                self._uri_opener,
                                                debugging_id)
        if cors_supported:
            self.analyze_cors_security(freq.get_url(), debugging_id)
Example #4
    def audit(self, freq, orig_response, debugging_id):
        """
        Analyze the CORS configuration of the URL behind a request.

        Nothing is analyzed unless provides_cors_features() reports that
        the URL offers CORS features. debugging_id is passed through to the
        probe and to analyze_cors_security() unchanged.

        :param freq: A FuzzableRequest
        :param orig_response: The HTTP response associated with the fuzzable
                              request (not read by this method)
        :param debugging_id: A unique identifier for this call to audit()
        """
        # Only URLs the probe flags as CORS-enabled reach the analysis step
        if provides_cors_features(freq, self._uri_opener, debugging_id):
            target_url = freq.get_url()
            self.analyze_cors_security(target_url, debugging_id)
Example #5
    def test_provides_cors_features_false(self):
        """
        A response without CORS headers makes provides_cors_features()
        return a falsy value.
        """
        target = URL('http://moth/')
        request = FuzzableRequest(target)

        # Every GET on the mocked opener yields a 200 built with an empty
        # Headers(), i.e. no Access-Control-* header is ever returned.
        plain_response = HTTPResponse(200, '', Headers(), target, target)
        opener = Mock()
        opener.GET = MagicMock(return_value=plain_response)

        result = provides_cors_features(request, opener)

        # assert_called_with() inspects the most recent call only: the last
        # GET issued by the helper must carry the Origin header.
        # NOTE(review): the expected Origin value has no scheme, while
        # browsers send scheme://host[:port]; a server that parses Origin
        # strictly may answer this probe differently - confirm.
        expected_headers = Headers([('Origin', 'www.w3af.org')])
        opener.GET.assert_called_with(target, headers=expected_headers)

        self.assertFalse(result)
Example #6
    def test_provides_cors_features_false(self):
        """
        With no CORS headers in the response, provides_cors_features()
        returns a falsy value (debugging_id passed as None).
        """
        target = URL('http://moth/')
        request = FuzzableRequest(target)

        # The mocked opener answers every GET with a 200 whose header set
        # is empty, so no Access-Control-* header is ever seen.
        opener = Mock()
        opener.GET = MagicMock(
            return_value=HTTPResponse(200, '', Headers(), target, target))

        result = provides_cors_features(request, opener, None)

        # Only the most recent GET is checked; it must carry the Origin
        # header.
        # NOTE(review): debugging_id is passed to the helper, yet the
        # expected GET call has no debugging_id keyword - confirm this
        # matches the helper version under test.
        origin_probe = Headers({'Origin': 'www.w3af.org'}.items())
        opener.GET.assert_called_with(target, headers=origin_probe)

        self.assertFalse(result)
Example #7
    def test_provides_cors_features_true(self):
        """
        A response carrying Access-Control-Allow-Origin makes
        provides_cors_features() return a truthy value.
        """
        target = URL('http://moth/')
        request = FuzzableRequest(target)

        # The mocked opener always answers with a 200 that includes an
        # Access-Control-Allow-Origin header.
        acao = [('Access-Control-Allow-Origin', 'http://www.w3af.org/')]
        cors_response = HTTPResponse(200, '', Headers(acao), target, target)

        opener = Mock()
        opener.GET = MagicMock(return_value=cors_response)

        result = provides_cors_features(request, opener)

        # The most recent GET is a plain request: no headers keyword, so no
        # Origin header was passed on that call.
        opener.GET.assert_called_with(target)

        self.assertTrue(result)
Example #8
    def test_provides_cors_features_true(self):
        """
        With Access-Control-Allow-Origin in the response,
        provides_cors_features() returns a truthy value (debugging_id
        passed as None).
        """
        target = URL('http://moth/')
        request = FuzzableRequest(target)

        # Every GET on the mocked opener returns a 200 that includes an
        # Access-Control-Allow-Origin header.
        response_headers = Headers(
            {'Access-Control-Allow-Origin': 'http://www.w3af.org/'}.items())
        opener = Mock()
        opener.GET = MagicMock(
            return_value=HTTPResponse(200, '', response_headers,
                                      target, target))

        result = provides_cors_features(request, opener, None)

        # The most recent GET forwards debugging_id and passes no headers
        # keyword, so no Origin header was supplied on that call.
        opener.GET.assert_called_with(target, debugging_id=None)

        self.assertTrue(result)