def _login(self, function_id): """ This is the method that actually calls the plugins in order to login to the web application. """ for plugin in self._consumer_plugins: debugging_id = rand_alnum(8) args = (plugin.get_name(), plugin.get_name(), debugging_id) msg = 'auth consumer is calling %s.has_active_session() and %s.login() (did:%s)' om.out.debug(msg % args) took_line = TookLine(self._w3af_core, 'auth', '_login', debugging_id=debugging_id) try: if not plugin.has_active_session(debugging_id=debugging_id): plugin.login(debugging_id=debugging_id) except Exception as e: self.handle_exception('auth', plugin.get_name(), None, e) took_line.send()
def _audit(self, function_id, plugin, fuzzable_request, orig_resp): """ Since threadpool's apply_async runs the callback only when the call to this method ends without any exceptions, it is *very important* to handle exceptions correctly here. Failure to do so will end up in _task_done not called, which will make has_pending_work always return True. Python 3 has an error_callback in the apply_async method, which we could use in the future. """ args = (plugin.get_name(), fuzzable_request.get_uri()) om.out.debug('%s.audit(%s)' % args) debugging_id = rand_alnum(8) took_line = TookLine(self._w3af_core, plugin.get_name(), 'audit', debugging_id=debugging_id, method_params={'uri': fuzzable_request.get_uri()}) try: plugin.audit_with_copy(fuzzable_request, orig_resp, debugging_id) except Exception, e: self.handle_exception('audit', plugin.get_name(), fuzzable_request, e)
def _run_one_plugin(self, plugin_name, http_response_id): """ :param plugin_name: Grep plugin name to run :param http_response_id: HTTP response ID :return: None """ plugin = self._get_plugin_from_name(plugin_name) if plugin is None: return request, response = self._get_request_response_from_id( http_response_id) if request is None: return self._run_observers(plugin_name, request, response) took_line = TookLine(self._w3af_core, plugin_name, 'grep', debugging_id=None, method_params={'uri': request.get_uri()}) try: plugin.grep_wrapper(request, response) except Exception, e: self.handle_exception('grep', plugin_name, request, e)
def test_took_simple(self): w3af_core = w3afCore() took_line = TookLine(w3af_core, 'plugin_name', 'method_name', debugging_id='ML7aEYsa', method_params={'test': 'yes'}) with patch('w3af.core.controllers.profiling.took_helper.om.out') as om_mock: took_line.send() self.assertEqual(om_mock.debug.call_count, 1) sent_message = om_mock.debug.call_args[0][0] self.assertRegexpMatches(sent_message, 'plugin_name.method_name\(test="yes",did="ML7aEYsa"\)' ' took .*? seconds to run \(.*? seconds / .*?% consuming CPU cycles\)')
def _login(self, function_id): """ This is the method that actually calls the plugins in order to login to the web application. """ for plugin in self._consumer_plugins: args = (plugin.get_name(), plugin.get_name()) om.out.debug('%s.is_logged() and %s.login()' % args) took_line = TookLine(self._w3af_core, plugin.get_name(), '_login') try: if not plugin.is_logged(): plugin.login() except Exception, e: self.handle_exception('auth', plugin.get_name(), None, e) took_line.send()
def _bruteforce(self, function_id, plugin, fuzzable_request): """ Since threadpool's apply_async runs the callback only when the call to this method ends without any exceptions, it is *very important* to handle exceptions correctly here. Failure to do so will end up in _task_done not called, which will make has_pending_work always return True. Python 3 has an error_callback in the apply_async method, which we could use in the future. :param fuzzable_request: The fuzzable request that (if suitable) will be bruteforced by @plugin. :return: A list of the URL's that have been successfully bruteforced """ res = set() # Logging args = (plugin.get_name(), fuzzable_request.get_uri()) om.out.debug('%s.bruteforce(%s)' % args) took_line = TookLine(self._w3af_core, plugin.get_name(), 'bruteforce', method_params={'uri': fuzzable_request.get_uri()}) # Status self._w3af_core.status.set_running_plugin('bruteforce', plugin.get_name()) self._w3af_core.status.set_current_fuzzable_request( 'bruteforce', fuzzable_request) # TODO: Report progress to the core. try: new_frs = plugin.bruteforce_wrapper(fuzzable_request) except Exception as e: self.handle_exception('bruteforce', plugin.get_name(), fuzzable_request, e) else: res.update(new_frs) took_line.send() return res
def _inner_consume(self, request, response): """ Run one plugin against a request/response. :param request: The HTTP request :param response: The HTTP response :return: None, results are saved to KB """ for plugin in self._consumer_plugins: took_line = TookLine(self._w3af_core, plugin.get_name(), 'grep', debugging_id=None, method_params={'uri': request.get_uri()}) try: plugin.grep_wrapper(request, response) except Exception, e: self.handle_exception('grep', plugin.get_name(), request, e) else: took_line.send()
def _inner_consume(self, function_id, plugin, request, response): """ Run one plugin against a request/response. :param function_id: The function ID added by @task_decorator :param plugin: The grep plugin to run :param request: The HTTP request :param response: The HTTP response :return: None, results are saved to KB """ took_line = TookLine(self._w3af_core, plugin.get_name(), 'grep', debugging_id=None, method_params={'uri': request.get_uri()}) try: plugin.grep_wrapper(request, response) except Exception, e: self.handle_exception('grep', plugin.get_name(), request, e)
def _discover_worker(self, function_id, plugin, fuzzable_request): """ This method runs @plugin with FuzzableRequest as parameter and returns new fuzzable requests and/or stores vulnerabilities in the knowledge base. Since threadpool's apply_async runs the callback only when the call to this method ends without any exceptions, it is *very important* to handle exceptions correctly here. Failure to do so will end up in _task_done not called, which will make has_pending_work always return True. Python 3 has an error_callback in the apply_async method, which we could use in the future. TODO: unit-test this method :return: A list with the newly found fuzzable requests. """ debugging_id = rand_alnum(8) args = (plugin.get_name(), fuzzable_request.get_uri(), debugging_id) om.out.debug('%s.discover(%s, did=%s)' % args) took_line = TookLine(self._w3af_core, plugin.get_name(), 'discover', debugging_id=debugging_id, method_params={'uri': fuzzable_request.get_uri()}) # Status reporting status = self._w3af_core.status status.set_running_plugin('crawl', plugin.get_name()) status.set_current_fuzzable_request('crawl', fuzzable_request) try: result = plugin.discover_wrapper(fuzzable_request, debugging_id) except BaseFrameworkException, e: msg = 'An exception was found while running "%s" with "%s": "%s" (did: %s)' args = (plugin.get_name(), fuzzable_request, debugging_id) om.out.error(msg % args, e)