def test_mutant_creation_repeated_parameter_name(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "id"), ("value", "")])
form_params.add_field_by_attr_items([("name", "id"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://w3af.com/?foo=3'),
post_data=form,
method='GET')
created_mutants = PostDataMutant.create_mutants(
freq, self.payloads, [], False, self.fuzzer_config)
expected_dcs = [
'id=def&id=3419', 'id=3419&id=def', 'id=3419&id=abc',
'id=abc&id=3419'
]
created_dcs = [str(i.get_dc()) for i in created_mutants]
self.assertEqual(set(created_dcs), set(expected_dcs))
token = created_mutants[0].get_token()
self.assertEqual(token.get_name(), 'id')
self.assertEqual(token.get_original_value(), '')
token = created_mutants[2].get_token()
self.assertEqual(token.get_name(), 'id')
self.assertEqual(token.get_original_value(), '')
for m in created_mutants:
self.assertIsInstance(m, PostDataMutant)
for m in created_mutants:
self.assertEqual(m.get_method(), 'GET')
def test_mutant_creation_qs_and_postdata(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("value", "")])
form_params.add_field_by_attr_items([("name", "password"),
("value", "")])
url = URL('http://moth/foo.bar?action=login')
form = URLEncodedForm(form_params)
freq = FuzzableRequest(url, post_data=form)
created_mutants = PostDataMutant.create_mutants(
freq, self.payloads, [], False, self.fuzzer_config)
created_dcs = [str(i.get_dc()) for i in created_mutants]
expected_dcs = [
'username=abc&password=FrAmE30.', 'username=John8212&password=abc',
'username=def&password=FrAmE30.', 'username=John8212&password=def'
]
self.assertEqual(created_dcs, expected_dcs)
for m in created_mutants:
self.assertEqual(m.get_uri(), url)
def _handle_go_tag_start(self, tag, tag_name, attrs):
self._inside_form = True
method = attrs.get('method', 'GET').upper()
action = attrs.get('href', None)
if action is None:
action = self._source_url
else:
action = self._decode_url(action)
try:
action = self._base_url.url_join(action,
encoding=self._encoding)
except ValueError:
# The URL in the action is invalid, the best thing we can do
# is to guess, and our best guess is that the URL will be the
# current one.
action = self._source_url
# Create the form
f = FormParameters(encoding=self._encoding,
attributes=attrs,
hosted_at_url=self._source_url)
f.set_method(method)
f.set_action(action)
self._forms.append(f)
def create_vuln(self):
v = super(FileUploadTemplate, self).create_vuln()
form_params = FormParameters()
for file_var in self.file_vars:
form_params.add_file_input([("name", file_var), ("type", "file")])
for token in self.data.iter_tokens():
if token.get_name() in self.file_vars:
continue
form_params.add_input([("name", token.get_name()),
("type", "text"),
("value", token.get_value())])
mpc = MultipartContainer(form_params)
freq = FuzzableRequest(self.url, method=self.method, post_data=mpc)
mutant = PostDataMutant(freq)
mutant.set_dc(mpc)
mutant.set_token((self.vulnerable_parameter, 0))
# User configured settings
v['file_vars'] = self.file_vars
v['file_dest'] = self.file_dest
v.set_mutant(mutant)
return v
def test_tmb_variants(self):
# 'top-middle-bottom' mode variants
def filter_tmb(values):
if len(values) > 3:
values = (values[0], values[len(values) / 2], values[-1])
return values
bigform_data = form_with_radio + form_select_misc
clean_data = get_grouped_data(bigform_data)
new_bigform = create_form_params_helper(bigform_data)
total_variants = 2 * 2 * 3
variants_set = set()
variants = [v for v in new_bigform.get_variants(mode=MODE_TMB)]
for i, form_variant in enumerate(variants):
# First element must be the created `new_bigform`
if i == 0:
self.assertIs(new_bigform, form_variant)
continue
for name, values in clean_data.items():
tmb_values = filter_tmb(values)
self.assertIn(form_variant[name][0], tmb_values)
variants_set.add(repr(form_variant))
# Ensure we actually got the expected number of variants
f = FormParameters()
self.assertEquals(len(variants), total_variants + 1)
# Variants shouldn't appear duplicated
self.assertEquals(len(variants_set), total_variants)
def create_form_params_helper(form_data):
"""
Creates a dc.Form object from a dict container
:param form_data: A list containing dicts representing a form's
internal structure
:return: A dc.Form object from `form_data`
"""
new_form_params = FormParameters()
for elem_data in form_data:
elem_type = elem_data['tagname']
attrs = elem_data.items()
if elem_type == 'input':
_type = elem_data['type']
if _type == 'radio':
new_form_params.add_radio(attrs)
elif _type == 'checkbox':
new_form_params.add_check_box(attrs)
elif _type in ('text', 'hidden'):
new_form_params.add_input(attrs)
elif elem_type == 'select':
new_form_params.add_select(elem_data['name'], elem_data['options'])
return new_form_params
def test_store_fuzzable_request_two(self):
ds = DiskSet()
# Add a simple fr, without post-data
fr = FuzzableRequest(URL('http://example.com/?id=1'))
ds.add(fr)
# Add a fr with post-data
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"),
("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
ds.add(fr)
# Compare
stored_fr = ds[1]
self.assertEqual(stored_fr, fr)
self.assertIsNot(stored_fr, fr)
def from_postdata(cls, headers, post_data):
if not MultipartContainer.is_multipart(headers):
raise ValueError('No multipart content-type header.')
environ = {'REQUEST_METHOD': 'POST'}
try:
fs = cgi.FieldStorage(fp=StringIO.StringIO(post_data),
headers=headers.to_dict(),
environ=environ)
except ValueError:
raise ValueError('Failed to create MultipartContainer.')
else:
# Please note that the FormParameters is just a container for
# the information.
#
# When the FuzzableRequest is sent the framework calls get_data()
# which returns a string version of this object, properly encoded
# using multipart/form-data
#
# To make sure the web application properly decodes the request, we
# also include the headers in get_headers() which include the
# boundary
form_params = FormParameters()
for key in fs.list:
if key.filename is None:
form_params.add_input([('name', key.name),
('type', 'text'),
('value', key.file.read())])
else:
form_params.set_file_name(key.name, key.filename)
form_params.add_file_input([('name', key.name)])
return cls(form_params)
def test_tmb_variants_large(self):
"""
Note that this test has several changes from test_tmb_variants:
* It uses form_select_misc_large, which exceeds the form's
TOP_VARIANTS = 15
* Doesn't use filter_tmb since variants are based on a "random pick"
"""
bigform_data = (form_with_radio +
form_select_cars +
form_select_misc_large)
clean_data = get_grouped_data(bigform_data)
new_bigform = create_form_params_helper(bigform_data)
total_variants = 2 * 3 * 3 * 3
variants_set = set()
variants = [v for v in new_bigform.get_variants(mode=MODE_TMB)]
# Please note that this depends completely in form.SEED AND
# form.TOP_VARIANTS
RANDOM_PICKS = {1: ('volvo', 'black', 'd', 'female'),
2: ('volvo', 'blue', 'i', 'male'),
3: ('volvo', 'blue', 'f', 'female'),
4: ('volvo', 'black', 'g', 'female'),
5: ('volvo', 'black', 'm', 'male'),
6: ('volvo', 'black', 'l', 'male'),
7: ('volvo', 'blue', 'b', 'female'),
8: ('volvo', 'blue', 'e', 'female'),
9: ('volvo', 'black', 'c', 'male'),
10: ('volvo', 'black', 'a', 'female'),
11: ('volvo', 'blue', 'e', 'male'),
12: ('volvo', 'black', 'j', 'male'),
13: ('volvo', 'blue', 'c', 'male'),
14: ('volvo', 'black', 'a', 'male'),
15: ('volvo', 'black', 'i', 'female')}
for i, form_variant in enumerate(variants):
# First element must be the created `new_bigform`
if i == 0:
self.assertIs(new_bigform, form_variant)
continue
option = []
for name, values in clean_data.items():
form_value = form_variant[name][0]
option.append(form_value)
current_option = RANDOM_PICKS[i]
self.assertEqual(tuple(option), current_option)
variants_set.add(repr(form_variant))
# Ensure we actually got the expected number of variants
f = FormParameters()
expected = min(total_variants, f.TOP_VARIANTS)
self.assertEquals(len(variants), expected + 1)
# Variants shouldn't appear duplicated
self.assertEquals(len(variants_set), expected)
def test_login_form_utils(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("type", "text")])
form_params.add_input([("name", "pwd"), ("type", "password")])
form = Form(form_params)
self.assertTrue(form.is_login_form())
self.assertFalse(form.is_registration_form())
self.assertFalse(form.is_password_change_form())
self.assertEqual(form.get_parameter_type_count(), (1, 1, 0))
user_token, pass_token = form.get_login_tokens()
self.assertEqual(user_token.get_name(), 'username')
self.assertEqual(pass_token.get_name(), 'pwd')
self.assertEqual(user_token.get_value(), '')
self.assertEqual(pass_token.get_value(), '')
form.set_login_username('andres')
self.assertEqual(form['username'][0], 'andres')
self.assertEqual(form['pwd'][0], '')
form.set_login_username('pablo')
form.set_login_password('long-complex')
self.assertEqual(form['username'][0], 'pablo')
self.assertEqual(form['pwd'][0], 'long-complex')
self.assertIs(form.get_form_params(), form_params)
def test_tmb_variants(self):
# 'top-middle-bottom' mode variants
def filter_tmb(values):
if len(values) > 3:
values = (values[0], values[len(values) / 2], values[-1])
return values
bigform_data = form_with_radio + form_select_misc
clean_data = get_gruped_data(bigform_data)
new_bigform = create_form_params_helper(bigform_data)
total_variants = 2 * 2 * 3
variants_set = set()
for i, form_variant in enumerate(new_bigform.get_variants(mode="tmb")):
if i == 0: # First element must be the created `new_bigform`
self.assertEquals(id(new_bigform), id(form_variant))
continue
for name, values in clean_data.items():
tmb_values = filter_tmb(values)
msg = 'Failed to find "%s" in "%s"' % (form_variant[name][0],
tmb_values)
self.assertTrue(form_variant[name][0] in tmb_values, msg)
variants_set.add(repr(form_variant))
# Ensure we actually got the expected number of variants
f = FormParameters()
expected = min(total_variants, f.TOP_VARIANTS)
self.assertEquals(i, expected)
# Variants shouldn't appear duplicated
self.assertEquals(len(variants_set), expected)
def test_keep_sync(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("type", "text")])
form_params.add_input([("name", "pwd"), ("type", "password")])
form = Form(form_params)
self.assertNotIn('address', form_params)
self.assertNotIn('address', form)
# Add to the form_params
form_params['address'] = ['']
self.assertIn('address', form_params)
self.assertIn('address', form)
# Add to the Form object
form['company'] = ['']
self.assertIn('company', form_params)
self.assertIn('company', form)
# Del from the Form object
del form['address']
self.assertNotIn('address', form)
self.assertNotIn('address', form_params)
# Del from the FormParams object
del form_params['company']
self.assertNotIn('company', form)
self.assertNotIn('company', form_params)
def test_login_form_utils(self):
form_params = FormParameters()
form_params.add_field_by_attrs({'name': 'username', 'type': 'text'})
form_params.add_field_by_attrs({'name': 'pwd', 'type': 'password'})
form = Form(form_params)
self.assertTrue(form.is_login_form())
self.assertFalse(form.is_registration_form())
self.assertFalse(form.is_password_change_form())
self.assertEqual(form.get_parameter_type_count(), (1, 1, 0))
user_token, pass_token = form.get_login_tokens()
self.assertEqual(user_token.get_name(), 'username')
self.assertEqual(pass_token.get_name(), 'pwd')
self.assertEqual(user_token.get_value(), '')
self.assertEqual(pass_token.get_value(), '')
form.set_login_username('andres')
self.assertEqual(form['username'][0], 'andres')
self.assertEqual(form['pwd'][0], '')
form.set_login_username('pablo')
form.set_login_password('long-complex')
self.assertEqual(form['username'][0], 'pablo')
self.assertEqual(form['pwd'][0], 'long-complex')
self.assertIs(form.get_form_params(), form_params)
def test_keep_sync(self):
form_params = FormParameters()
form_params.add_field_by_attrs({'name': 'username', 'type': 'text'})
form_params.add_field_by_attrs({'name': 'pwd', 'type': 'password'})
form = Form(form_params)
self.assertNotIn('address', form_params)
self.assertNotIn('address', form)
# Add to the form_params
form_params['address'] = ['']
self.assertIn('address', form_params)
self.assertIn('address', form)
# Add to the Form object
form['company'] = ['']
self.assertIn('company', form_params)
self.assertIn('company', form)
# Del from the Form object
del form['address']
self.assertNotIn('address', form)
self.assertNotIn('address', form_params)
# Del from the FormParams object
del form_params['company']
self.assertNotIn('company', form)
self.assertNotIn('company', form_params)
def test_multipart_post(self):
boundary, post_data = multipart_encode([
('a', 'bcd'),
], [])
multipart_boundary = 'multipart/form-data; boundary=%s'
headers = Headers([('content-length', str(len(post_data))),
('content-type', multipart_boundary % boundary)])
fr = FuzzableRequest.from_parts(self.url,
headers=headers,
post_data=post_data,
method='POST')
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'),
('value', 'bcd')])
expected_container = MultipartContainer(form_params)
expected_headers = Headers([('content-type',
multipart_boundary % boundary)])
self.assertEqual(fr.get_url(), self.url)
self.assertEqual(fr.get_headers(), expected_headers)
self.assertIn('multipart/form-data', fr.get_headers()['content-type'])
self.assertEqual(fr.get_method(), 'POST')
self.assertIsInstance(fr.get_raw_data(), MultipartContainer)
self.assertEqual(fr.get_raw_data(), expected_container)
def test_all_variants(self):
# 'all' mode variants
bigform_data = form_with_radio + form_select_misc
clean_data = get_grouped_data(bigform_data)
new_bigform = create_form_params_helper(bigform_data)
total_variants = 2 * 5 * 10
variants_set = set()
for i, form_variant in enumerate(new_bigform.get_variants(mode=MODE_ALL)):
# First element must be the created `new_bigform`
if i == 0:
self.assertIs(new_bigform, form_variant)
continue
for name, all_values in clean_data.items():
self.assertIn(form_variant[name][0], all_values)
variants_set.add(repr(form_variant))
# Ensure we actually got the expected number of variants
f = FormParameters()
expected = min(total_variants, f.TOP_VARIANTS)
self.assertEquals(expected, i)
# Variants shouldn't duplicated
self.assertEquals(expected, len(variants_set))
def test_is_suitable(self):
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
res = HTTPResponse(200, 'body', headers, url, url)
# False because no cookie is set and no QS nor post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertFalse(suitable)
# False because no cookie is set
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertFalse(suitable)
url_sends_cookie = URL(
get_w3af_moth_http('/w3af/core/cookie_handler/set-cookie.php'))
self.uri_opener.GET(url_sends_cookie)
# Still false because it doesn't have any QS or POST data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertFalse(suitable)
self.csrf_plugin._strict_mode = True
# Still false because of the strict mode
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertFalse(suitable)
# False, no items in post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='POST', post_data=URLEncodedForm())
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertFalse(suitable)
# True, items in DC, POST (passes strict mode) and cookies
url = URL('http://moth/')
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'test'),
('type', 'text')])
form = URLEncodedForm(form_params)
req = FuzzableRequest(url, method='POST', post_data=form)
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertTrue(suitable)
self.csrf_plugin._strict_mode = False
# True now that we have strict mode off, cookies and QS
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertTrue(suitable)
def test_login_form_utils(self):
form = FormParameters()
form.add_input([("name", "username"), ("type", "text")])
form.add_input([("name", "pwd"), ("type", "password")])
self.assertTrue(form.is_login_form())
self.assertFalse(form.is_registration_form())
self.assertFalse(form.is_password_change_form())
self.assertEqual(form.get_parameter_type_count(), (1, 1, 0))
def test_tmb_variants_large(self):
"""
Note that this test has several changes from test_tmb_variants:
* It uses form_select_misc_large, which exceeds the form's
TOP_VARIANTS = 15
* Doesn't use filter_tmb since variants are based on a "random pick"
"""
bigform_data = form_with_radio + form_select_cars + \
form_select_misc_large
clean_data = get_gruped_data(bigform_data)
new_bigform = create_form_params_helper(bigform_data)
total_variants = 2 * 3 * 3 * 3
variants_set = set()
# Please note that this depends completely in form.SEED AND
# form.TOP_VARIANTS
RANDOM_PICKS = {1: ('volvo', 'black', 'd', 'female'),
2: ('volvo', 'blue', 'i', 'male'),
3: ('volvo', 'blue', 'f', 'female'),
4: ('volvo', 'black', 'g', 'female'),
5: ('volvo', 'black', 'm', 'male'),
6: ('volvo', 'black', 'l', 'male'),
7: ('volvo', 'blue', 'b', 'female'),
8: ('volvo', 'blue', 'e', 'female'),
9: ('volvo', 'black', 'c', 'male'),
10: ('volvo', 'black', 'a', 'female'),
11: ('volvo', 'blue', 'e', 'male'),
12: ('volvo', 'black', 'j', 'male'),
13: ('volvo', 'blue', 'c', 'male'),
14: ('volvo', 'black', 'a', 'male'),
15: ('volvo', 'black', 'i', 'female')
}
for i, form_variant in enumerate(new_bigform.get_variants(mode="tmb")):
if i == 0: # First element must be the created `new_bigform`
self.assertEquals(id(new_bigform), id(form_variant))
continue
for name, values in clean_data.items():
current_random_values = RANDOM_PICKS[i]
msg = 'Failed to find "%s" in "%s"' % (
form_variant[name][0], current_random_values)
self.assertTrue(
form_variant[name][0] in current_random_values, msg)
variants_set.add(repr(form_variant))
# Ensure we actually got the expected number of variants
f = FormParameters()
expected = min(total_variants, f.TOP_VARIANTS)
self.assertEquals(i, expected)
# Variants shouldn't appear duplicated
self.assertEquals(len(variants_set), expected)
def test_sent_post_data(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", """d'z"0""")])
form_params.add_input([("name", "address"), ("value", "")])
form = dc_from_form_params(form_params)
f = FuzzableRequest(URL('http://example.com/'), post_data=form)
self.assertTrue(f.sent('d%5C%27z%5C%220'))
def test_login_form_utils(self):
form = FormParameters()
form.add_field_by_attrs({'name': 'username', 'type': 'text'})
form.add_field_by_attrs({'name': 'pwd', 'type': 'password'})
self.assertTrue(form.is_login_form())
self.assertFalse(form.is_registration_form())
self.assertFalse(form.is_password_change_form())
self.assertEqual(form.get_parameter_type_count(), (1, 1, 0))
def _create_instance_from_form_params(data_container_cls, params):
form_params = FormParameters()
for param_name, param_value in params.iteritems():
form_params.add_field_by_attrs({
'name': param_name,
'value': param_value
})
return data_container_cls(form_params)
def test_cpickle_simple(self):
form_params = FormParameters()
form_params.add_field_by_attrs({'name': 'username', 'type': 'text'})
form_params.add_field_by_attrs({'name': 'pwd', 'type': 'password'})
form = Form(form_params)
pickled_form = cPickle.loads(cPickle.dumps(form))
self.assertEqual(pickled_form.items(), form.items())
def test_cpickle_simple(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("type", "text")])
form_params.add_input([("name", "pwd"), ("type", "password")])
form = Form(form_params)
pickled_form = cPickle.loads(cPickle.dumps(form))
self.assertEqual(pickled_form.items(), form.items())
def create_simple_fuzzable_request(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "abc")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
return FuzzableRequest.from_form(form)
def test_dc_from_form_params_without_files_nor_enctype(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'),
('value', 'bcd')])
urlencode_dc = dc_from_form_params(form_params)
self.assertIsInstance(urlencode_dc, URLEncodedForm)
self.assertEqual(urlencode_dc.get_file_vars(), [])
self.assertEqual(urlencode_dc['a'], ['bcd'])
def test_form_copy(self):
form_params = FormParameters()
form_params.add_field_by_attrs({'name': 'username', 'type': 'text'})
form_params.add_field_by_attrs({'name': 'pwd', 'type': 'password'})
form = Form(form_params)
form.set_token(('username', 0))
form_copy = copy.deepcopy(form)
self.assertEqual(form.get_token(), form_copy.get_token())
self.assertIsNot(None, form_copy.get_token())
def create_fuzzable_request(_id):
url_fmt = 'http://example.com/product/%s'
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("value", "abc")])
form_params.set_action(URL(url_fmt % _id))
form_params.set_method('post')
form = dc_from_form_params(form_params)
return FuzzableRequest.from_form(form)
def test_dc_from_form_params_without_files_with_multipart_enctype(self):
form_params = FormParameters()
form_params.set_form_encoding('multipart/form-data')
form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'),
('value', 'bcd')])
mpdc = dc_from_form_params(form_params)
self.assertIsInstance(mpdc, MultipartContainer)
self.assertEqual(mpdc.get_file_vars(), [])
self.assertEqual(mpdc['a'], ['bcd'])
def test_is_suitable(self):
# False because no cookie is set and no QS nor post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# False because no cookie is set
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
url_sends_cookie = URL(
'http://moth/w3af/core/cookie_handler/set-cookie.php')
self.uri_opener.GET(url_sends_cookie)
# Still false because it doesn't have any QS or POST data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
self.csrf_plugin._strict_mode = True
# Still false because of the strict mode
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# False, no items in post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='POST', post_data=URLEncodedForm())
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# True, items in DC, POST (passes strict mode) and cookies
url = URL('http://moth/')
form_params = FormParameters()
form_params.add_input([('name', 'test'), ('type', 'text')])
form = URLEncodedForm(form_params)
req = FuzzableRequest(url, method='POST', post_data=form)
suitable = self.csrf_plugin._is_suitable(req)
self.assertTrue(suitable)
self.csrf_plugin._strict_mode = False
# True now that we have strict mode off, cookies and QS
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertTrue(suitable)
