def test_found_at(self):
    """Check the location text and Content-Type reported by a JSON mutant.

    A PUT request carrying COMPLEX_OBJECT is wrapped in a JSONMutant and the
    data container's token is pointed at the nested string addressed by
    'object-second_key-list-0-string'. found_at() must then name the URL,
    the HTTP method and the token path together with its value.
    """
    container = JSONContainer(COMPLEX_OBJECT)
    request = FuzzableRequest(self.url, post_data=container, method='PUT')
    mutant = JSONMutant(request)

    # The token is addressed by a one-element tuple holding the path.
    token_path = ('object-second_key-list-0-string',)
    mutant.get_dc().set_token(token_path)

    # presumably self.url is http://www.w3af.com/ -- confirm in setUp
    expected = ('"http://www.w3af.com/", using HTTP method PUT.'
                ' The sent JSON-data was: "...object-second_key-list-'
                '0-string=abc..."')
    self.assertEqual(mutant.found_at(), expected)

    # The mutant must label its body as JSON; both the presence of the
    # header and its exact value are pinned.
    sent_headers = mutant.get_headers()
    self.assertIn('Content-Type', sent_headers)
    self.assertEqual(sent_headers['Content-Type'], 'application/json')
def test_create_mutants_array(self):
    """Fuzz a top-level JSON array and check which element is mutated.

    The expected bodies differ from each other only in element 0, the
    string; the numeric elements (3 and 2.1) are identical in both, so the
    test pins that only the string item receives a payload.
    """
    container = JSONContainer(ARRAY)
    request = FuzzableRequest(self.url, post_data=container, method='POST')

    mutants = JSONMutant.create_mutants(request, self.payloads, [],
                                        False, self.fuzzer_config)

    # presumably self.payloads is ['xyz', 'www'] here -- confirm in setUp
    expected_bodies = ['["xyz", 3, 2.1]',
                       '["www", 3, 2.1]']

    serialized_dcs = [str(mutant.get_dc()) for mutant in mutants]
    sent_bodies = [mutant.get_data() for mutant in mutants]

    # Compared as sets: the order in which mutants are created is not
    # part of this contract, only the bodies produced.
    self.assertEqual(set(serialized_dcs), set(expected_bodies))
    # What is sent on the wire must be exactly the serialized container.
    self.assertEqual(set(serialized_dcs), set(sent_bodies))

    # Both mutants target the same token and must remember the original
    # value ('abc') that the payload replaced.
    for position in (0, 1):
        token = mutants[position].get_token()
        self.assertEqual(token.get_name(), 'list-0-string')
        self.assertEqual(token.get_original_value(), 'abc')

    for mutant in mutants:
        self.assertIsInstance(mutant, JSONMutant)

    # Mutation must not change the HTTP method of the original request.
    for mutant in mutants:
        self.assertEqual(mutant.get_method(), 'POST')
def test_create_mutants_9116(self):
    """Fuzz a flat payment-style JSON object (regression case "9116").

    The eight expected bodies cover the four string-valued fields (reason,
    payment_method_id, token, external_reference) once per payload. The
    integer fields and the null field are identical in every expected
    body, so as far as this test shows, payloads are never placed in
    non-string values.
    """
    payment_fields = {'transaction_amount': 100,
                      'reason': 'Title of what you are paying for',
                      'installments': 1,
                      'payment_method_id': 'visa',
                      'token': '16faba8617708',
                      'external_reference': '1234',
                      'random_anti_anti_double_click': 11577513359,
                      'extra_charge': None}
    payment_json = json.dumps(payment_fields)

    container = JSONContainer(payment_json)
    request = FuzzableRequest(self.url, post_data=container, method='POST')

    mutants = JSONMutant.create_mutants(request, self.payloads, [],
                                        False, self.fuzzer_config)

    # NOTE(review): the comparison below is on serialized text, so these
    # literals also pin the key order the serializer emits.
    expected_bodies = [
        '{"transaction_amount": 100, "external_reference": "1234", "random_anti_anti_double_click": 11577513359, "token": "16faba8617708", "reason": "www", "installments": 1, "payment_method_id": "visa", "extra_charge": null}',
        '{"transaction_amount": 100, "external_reference": "1234", "random_anti_anti_double_click": 11577513359, "token": "16faba8617708", "reason": "Title of what you are paying for", "installments": 1, "payment_method_id": "xyz", "extra_charge": null}',
        '{"transaction_amount": 100, "external_reference": "1234", "random_anti_anti_double_click": 11577513359, "token": "www", "reason": "Title of what you are paying for", "installments": 1, "payment_method_id": "visa", "extra_charge": null}',
        '{"transaction_amount": 100, "external_reference": "xyz", "random_anti_anti_double_click": 11577513359, "token": "16faba8617708", "reason": "Title of what you are paying for", "installments": 1, "payment_method_id": "visa", "extra_charge": null}',
        '{"transaction_amount": 100, "external_reference": "1234", "random_anti_anti_double_click": 11577513359, "token": "xyz", "reason": "Title of what you are paying for", "installments": 1, "payment_method_id": "visa", "extra_charge": null}',
        '{"transaction_amount": 100, "external_reference": "1234", "random_anti_anti_double_click": 11577513359, "token": "16faba8617708", "reason": "xyz", "installments": 1, "payment_method_id": "visa", "extra_charge": null}',
        '{"transaction_amount": 100, "external_reference": "1234", "random_anti_anti_double_click": 11577513359, "token": "16faba8617708", "reason": "Title of what you are paying for", "installments": 1, "payment_method_id": "www", "extra_charge": null}',
        '{"transaction_amount": 100, "external_reference": "www", "random_anti_anti_double_click": 11577513359, "token": "16faba8617708", "reason": "Title of what you are paying for", "installments": 1, "payment_method_id": "visa", "extra_charge": null}',
    ]

    serialized_dcs = [str(mutant.get_dc()) for mutant in mutants]
    sent_bodies = [mutant.get_data() for mutant in mutants]

    self.assertEqual(set(serialized_dcs), set(expected_bodies))
    # The body that is sent must match the serialized data container.
    self.assertEqual(set(serialized_dcs), set(sent_bodies))

    # No assertion on purpose: this loop passes as long as re-setting the
    # token value on every generated mutant does not raise.
    for mutant in mutants:
        mutant.set_token_value('abc')
def test_json_mutant_create_mutants_not(self):
    """No JSON mutants may be produced for a non-JSON data container.

    The request's data container is set to the plain string 'a=1&b=foo',
    and create_mutants() is expected to return an empty result for it.
    """
    request = JSONPostDataRequest(URL('http://www.w3af.com/?id=3'))
    request.set_dc('a=1&b=foo')

    generated_mutants = JSONMutant.create_mutants(request, self.payloads,
                                                  [], False,
                                                  self.fuzzer_config)

    # The mutant list doubles as the failure message so that an unexpected
    # mutant is shown in the test output.
    mutant_count = len(generated_mutants)
    self.assertEqual(mutant_count, 0, generated_mutants)
def test_create_mutants_empty_payload(self):
    """Create mutants from an empty-string payload and re-set their token.

    There is no assertion: the test passes when create_mutants() accepts
    '' as the only payload and set_token_value() works on every mutant it
    returned without raising.
    """
    container = JSONContainer(COMPLEX_OBJECT)
    request = FuzzableRequest(self.url, post_data=container, method='POST')

    empty_payloads = ['']
    mutants = JSONMutant.create_mutants(request, empty_payloads, [],
                                        False, self.fuzzer_config)

    for mutant in mutants:
        mutant.set_token_value('abc')
def test_json_mutant_create_mutants(self):
    """Fuzz a two-key JSON object and check every body, in order.

    Four mutants are expected: each of the keys "a" and "c" receives each
    payload once, while the other key keeps its original value. The
    mutants are checked by position, so the test also pins the order in
    which keys and payloads are combined.
    """
    request = JSONPostDataRequest(URL('http://www.w3af.com/?id=3'))
    request.set_dc({"a": "b", "c": "d"})

    generated_mutants = JSONMutant.create_mutants(request, self.payloads,
                                                  [], False,
                                                  self.fuzzer_config)

    self.assertEqual(len(generated_mutants), 4, generated_mutants)

    # presumably self.payloads is ['abc', '53'] here -- confirm in setUp.
    # Note that '53' is serialized as a JSON string, not as a number.
    expected_bodies = ['{"a": "abc", "c": "d"}',
                       '{"a": "53", "c": "d"}',
                       '{"a": "b", "c": "abc"}',
                       '{"a": "b", "c": "53"}']

    for position, body in enumerate(expected_bodies):
        mutant = generated_mutants[position]
        self.assertEqual(mutant.get_data(), body)
def test_found_at(self):
    """Verify found_at() output and the JSON Content-Type of a mutant.

    The mutant wraps a PUT request whose body is COMPLEX_OBJECT; its token
    is set to the path 'object-second_key-list-0-string'. The description
    returned by found_at() has to contain the URL, the method and the
    token path with its current value.
    """
    json_dc = JSONContainer(COMPLEX_OBJECT)
    fuzzable = FuzzableRequest(self.url, post_data=json_dc, method='PUT')
    json_mutant = JSONMutant(fuzzable)
    json_mutant.get_dc().set_token(('object-second_key-list-0-string', ))

    # presumably self.url is http://www.w3af.com/ -- confirm in setUp
    location_text = '"http://www.w3af.com/", using HTTP method PUT.'
    data_text = (' The sent JSON-data was: "...object-second_key-list-'
                 '0-string=abc..."')
    expected = location_text + data_text

    self.assertEqual(json_mutant.found_at(), expected)

    # The request built from the mutant has to declare a JSON body.
    header_map = json_mutant.get_headers()
    self.assertIn('Content-Type', header_map)
    self.assertEqual(header_map['Content-Type'], 'application/json')
def test_mutant_copy_9116(self):
    """Copying a mutant must keep its token usable (regression "9116").

    Two copy paths are exercised: copy.deepcopy() on the data container,
    whose token must compare equal to the original's, and the mutant's own
    copy(), on which a new token value is set and read back.
    """
    container = JSONContainer(COMPLEX_OBJECT)
    request = FuzzableRequest(self.url, post_data=container, method='POST')

    mutants = JSONMutant.create_mutants(request, self.payloads, [],
                                        False, self.fuzzer_config)

    new_value = 'def'
    original = mutants[0]

    # A deep copy of the data container must still know its token.
    original_dc = original.get_dc()
    copied_dc = copy.deepcopy(original_dc)
    self.assertEqual(copied_dc.get_token(), original_dc.get_token())

    # The token is fetched from the copy before the value is changed.
    duplicate = original.copy()
    duplicate_token = duplicate.get_token()
    duplicate.set_token_value(new_value)

    # Neither the source mutant nor the copy may have lost its token.
    self.assertIsNotNone(original.get_token())
    self.assertIsNotNone(duplicate_token)
    self.assertEqual(duplicate.get_token_value(), new_value)