def test_no_model_json_object_complex_nested_in_body(self):
specification_as_string = ComplexDereferencedNestedModel(
).get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
# The specification says that this query string parameter is
# required and there is only one parameter, so there is no second
# operation with the optional parameters filled in.
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://www.w3af.com/swagger.json/pets'
e_headers = Headers([('Content-Type', 'application/json')])
e_data = (
'{"pet": {"owner": {"name": {"last": "Smith", "first": "56"},'
' "address": {"postalCode": "90210", "street1": "Bonsai Street 123",'
' "street2": "Bonsai Street 123", "state": "AK",'
' "city": "Buenos Aires"}}, "type": "cat", "name": "John",'
' "birthdate": "2017-06-30"}}')
self.assertEqual(fuzzable_request.get_method(), 'POST')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
def test_array_with_model_items_param_in_json(self):
specification_as_string = ArrayModelItems().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
# The specification says that this query string parameter is
# required and there is only one parameter, so there is no second
# operation with the optional parameters filled in.
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://petstore.swagger.io/api/pets'
e_headers = Headers([('Content-Type', 'application/json')])
e_data = '{"pets": [{"tag": "7", "name": "John"}]}'
self.assertEqual(fuzzable_request.get_method(), 'POST')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
def test_string_param_header(self):
specification_as_string = StringParamHeader().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
# The specification says that this query string parameter is
# required and there is only one parameter, so there is no second
# operation with the optional parameters filled in.
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://petstore.swagger.io/api/pets'
e_headers = Headers([('X-Foo-Header', '56'),
('Content-Type', 'application/json')])
e_data = ''
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
def test_no_model_json_object_complex_nested_in_body(self):
specification_as_string = ComplexDereferencedNestedModel().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
# The specification says that this query string parameter is
# required and there is only one parameter, so there is no second
# operation with the optional parameters filled in.
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://www.w3af.com/swagger.json/pets'
e_headers = Headers([('Content-Type', 'application/json')])
e_data = ('{"pet": {"owner": {"name": {"last": "Smith", "first": "56"},'
' "address": {"postalCode": "90210", "street1": "Bonsai Street 123",'
' "street2": "Bonsai Street 123", "state": "AK",'
' "city": "Buenos Aires"}}, "type": "cat", "name": "John",'
' "birthdate": "2017-06-30"}}')
self.assertEqual(fuzzable_request.get_method(), 'POST')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
def test_string_param_header(self):
specification_as_string = StringParamHeader().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
# The specification says that this query string parameter is
# required and there is only one parameter, so there is no second
# operation with the optional parameters filled in.
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://petstore.swagger.io/api/pets'
e_headers = Headers([('X-Foo-Header', '56'),
('Content-Type', 'application/json')])
e_data = ''
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
def test_model_param_nested_allOf_in_json(self):
specification_as_string = NestedModel().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
self.assertEqual(len(data), 1)
# The specification says that this query string parameter is
# required and there is only one parameter, so there is no second
# operation with the optional parameters filled in.
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://w3af.org/api/pets'
e_headers = Headers([('Content-Type', 'application/json')])
e_data = '{"pet": {"tag": "7", "name": "John", "id": 42}}'
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
def test_array_with_model_items_param_in_json(self):
specification_as_string = ArrayModelItems().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
# The specification says that this query string parameter is
# required and there is only one parameter, so there is no second
# operation with the optional parameters filled in.
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://petstore.swagger.io/api/pets'
e_headers = Headers([('Content-Type', 'application/json')])
e_data = '{"pets": [{"tag": "7", "name": "John"}]}'
self.assertEqual(fuzzable_request.get_method(), 'POST')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
def test_model_param_nested_allOf_in_json(self):
specification_as_string = NestedModel().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
self.assertEqual(len(data), 1)
# The specification says that this query string parameter is
# required and there is only one parameter, so there is no second
# operation with the optional parameters filled in.
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://w3af.org/api/pets'
e_headers = Headers([('Content-Type', 'application/json')])
e_data = '{"pet": {"tag": "7", "name": "John", "id": 42}}'
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
def parse(self):
"""
Extract all the API endpoints using the bravado Open API parser
"""
specification_handler = SpecificationHandler(self.get_http_response())
for data in specification_handler.get_api_information():
request_factory = RequestFactory(*data)
fuzzable_request = request_factory.get_fuzzable_request()
if not self._should_audit(fuzzable_request):
continue
self.api_calls.append(fuzzable_request)
def parse(self):
"""
Extract all the API endpoints using the bravado Open API parser
"""
specification_handler = SpecificationHandler(self.get_http_response())
for data in specification_handler.get_api_information():
request_factory = RequestFactory(*data)
fuzzable_request = request_factory.get_fuzzable_request()
if not self._should_audit(fuzzable_request):
continue
self.api_calls.append(fuzzable_request)
def parse(self):
"""
Extract all the API endpoints using the bravado Open API parser.
The method also looks for all parameters which are passed to endpoints via headers,
and stores them in to the fuzzable request
"""
self._specification_handler = SpecificationHandler(
self.get_http_response(),
validate_swagger_spec=self.validate_swagger_spec)
for data in self._specification_handler.get_api_information():
try:
request_factory = RequestFactory(*data)
fuzzable_request = request_factory.get_fuzzable_request(
self.discover_fuzzable_headers,
self.discover_fuzzable_url_parts)
except Exception, e:
#
# This is a strange situation because parsing of the OpenAPI
# spec can fail awfully for one of the operations but succeed
# for the rest.
#
# Usually we would simply stop processing the document, but it
# is better to a) provide value to the user, and b) warn him
# so that they can report the issue and improve w3af
#
# Just crashing wouldn't provide any value to the user
#
tb = get_traceback()
path, filename, _function, line = get_exception_location(tb)
spec_url = self.get_http_response().get_url()
msg = (
'Failed to generate a fuzzable request for one of the'
' OpenAPI operations. The parser will continue with the'
' next operation. The OpenAPI specification is at "%s" and'
' the exception was: "%s" at %s/%s:%s():%s.')
args = (spec_url, e, path, filename, _function, line)
om.out.error(msg % args)
else:
if not self._should_audit(fuzzable_request):
continue
self.api_calls.append(fuzzable_request)
def test_simple_int_param_in_qs(self):
specification_as_string = IntParamQueryString().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
# The specification says that this query string parameter is not
# required, thus we get two operations, one for the parameter with
# a value and another without the parameter
self.assertEqual(len(data), 2)
#
# Assertions on call #1
#
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://w3af.org/api/pets'
e_headers = Headers([('Content-Type', 'application/json')])
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), '')
#
# Assertions on call #2
#
data_i = data[1]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://w3af.org/api/pets?limit=42'
e_headers = Headers([('Content-Type', 'application/json')])
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), '')
def parse(self):
"""
Extract all the API endpoints using the bravado Open API parser.
The method also looks for all parameters which are passed to endpoints via headers,
and stores them in to the fuzzable request
"""
specification_handler = SpecificationHandler(self.get_http_response(),
self.no_validation)
for data in specification_handler.get_api_information():
try:
request_factory = RequestFactory(*data)
fuzzable_request = request_factory.get_fuzzable_request(self.discover_fuzzable_headers)
except Exception, e:
#
# This is a strange situation because parsing of the OpenAPI
# spec can fail awfully for one of the operations but succeed
# for the rest.
#
# Usually we would simply stop processing the document, but it
# is better to a) provide value to the user, and b) warn him
# so that they can report the issue and improve w3af
#
# Just crashing wouldn't provide any value to the user
#
tb = get_traceback()
path, filename, _function, line = get_exception_location(tb)
spec_url = self.get_http_response().get_url()
msg = ('Failed to generate a fuzzable request for one of the'
' OpenAPI operations. The parser will continue with the'
' next operation. The OpenAPI specification is at "%s" and'
' the exception was: "%s" at %s/%s:%s():%s.')
args = (spec_url, e, path, filename, _function, line)
om.out.error(msg % args)
else:
if not self._should_audit(fuzzable_request):
continue
self.api_calls.append(fuzzable_request)
def test_simple_int_param_in_path(self):
specification_as_string = IntParamPath().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://www.w3af.com/swagger.json/pets/42'
e_headers = Headers([('Content-Type', 'application/json')])
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_raw_data(), '')
def test_no_params(self):
specification_as_string = NoParams().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://www.w3af.com/swagger.json/random'
e_headers = Headers()
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_raw_data(), '')
def test_simple_int_param_in_path(self):
specification_as_string = IntParamPath().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://www.w3af.com/swagger.json/pets/42'
e_headers = Headers([('Content-Type', 'application/json')])
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_raw_data(), '')
def test_no_params(self):
specification_as_string = NoParams().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://www.w3af.com/swagger.json/random'
e_headers = Headers()
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_raw_data(), '')
def test_model_with_int_param_json_example_value(self):
specification_as_string = IntParamWithExampleJson().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
# The specification says that this query string parameter is
# required and there is only one parameter, so there is no second
# operation with the optional parameters filled in.
self.assertEqual(len(data), 1)
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://petstore.swagger.io/api/pets'
e_headers = Headers([('Content-Type', 'application/json')])
self.assertEqual(fuzzable_request.get_method(), 'POST')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), '{"pet": {"count": 666999}}')
def test_simple_int_param_in_qs(self):
specification_as_string = IntParamQueryString().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
# The specification says that this query string parameter is not
# required, thus we get two operations, one for the parameter with
# a value and another without the parameter
self.assertEqual(len(data), 2)
#
# Assertions on call #1
#
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://w3af.org/api/pets'
e_headers = Headers([('Content-Type', 'application/json')])
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), '')
#
# Assertions on call #2
#
data_i = data[1]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://w3af.org/api/pets?limit=42'
e_headers = Headers([('Content-Type', 'application/json')])
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), '')
def test_dereferenced_pet_store(self):
# See: dereferenced_pet_store.json , which was generated using
# http://bigstickcarpet.com/swagger-parser/www/index.html#
specification_as_string = DereferencedPetStore().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
self.assertEqual(len(data), 3)
#
# Assertions on call #1
#
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://www.w3af.com/swagger.json/pets/John'
e_headers = Headers([('Content-Type', 'application/json')])
e_data = ''
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
#
# Assertions on call #2
#
data_i = data[1]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://www.w3af.com/swagger.json/pets'
e_headers = Headers([('Content-Type', 'application/json')])
e_data = ''
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
#
# Assertions on call #3
#
data_i = data[2]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://www.w3af.com/swagger.json/pets'
e_headers = Headers([('Content-Type', 'application/json')])
e_data = ('{"pet": {"owner": {"name": {"last": "Smith", "first": "56"},'
' "address": {"postalCode": "90210", "street1": "Bonsai Street 123",'
' "street2": "Bonsai Street 123", "state": "AK",'
' "city": "Buenos Aires"}}, "type": "cat", "name": "John",'
' "birthdate": "2017-06-30"}}')
self.assertEqual(fuzzable_request.get_method(), 'POST')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
def test_dereferenced_pet_store(self):
# See: dereferenced_pet_store.json , which was generated using
# http://bigstickcarpet.com/swagger-parser/www/index.html#
specification_as_string = DereferencedPetStore().get_specification()
http_response = self.generate_response(specification_as_string)
handler = SpecificationHandler(http_response)
data = [d for d in handler.get_api_information()]
self.assertEqual(len(data), 3)
#
# Assertions on call #1
#
data_i = data[0]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://www.w3af.com/swagger.json/pets/John'
e_headers = Headers([('Content-Type', 'application/json')])
e_data = ''
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
#
# Assertions on call #2
#
data_i = data[1]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://www.w3af.com/swagger.json/pets'
e_headers = Headers([('Content-Type', 'application/json')])
e_data = ''
self.assertEqual(fuzzable_request.get_method(), 'GET')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)
#
# Assertions on call #3
#
data_i = data[2]
factory = RequestFactory(*data_i)
fuzzable_request = factory.get_fuzzable_request()
e_url = 'http://www.w3af.com/swagger.json/pets'
e_headers = Headers([('Content-Type', 'application/json')])
e_data = (
'{"pet": {"owner": {"name": {"last": "Smith", "first": "56"},'
' "address": {"postalCode": "90210", "street1": "Bonsai Street 123",'
' "street2": "Bonsai Street 123", "state": "AK",'
' "city": "Buenos Aires"}}, "type": "cat", "name": "John",'
' "birthdate": "2017-06-30"}}')
self.assertEqual(fuzzable_request.get_method(), 'POST')
self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
self.assertEqual(fuzzable_request.get_headers(), e_headers)
self.assertEqual(fuzzable_request.get_data(), e_data)