Example #1
def _create_instance_from_form_params(data_container_cls, params):
    """
    Build a `data_container_cls` instance from a name -> value mapping.

    Each (name, value) pair yielded by `params.iteritems()` becomes one field
    of a fresh FormParameters object, which is then passed to
    `data_container_cls`.

    :param data_container_cls: Callable invoked with the FormParameters object
    :param params: Mapping exposing `iteritems()` (the Python 2 dict API)
    :return: Whatever `data_container_cls(form_params)` returns
    """
    container = FormParameters()

    for name, value in params.iteritems():
        field_attrs = {'name': name, 'value': value}
        container.add_field_by_attrs(field_attrs)

    return data_container_cls(container)
Example #2
    def test_keep_sync(self):
        """
        A Form and the FormParameters it was built from expose the same keys:
        an addition or deletion made through either object is visible through
        the other one.
        """
        params = FormParameters()
        for attrs in ({'name': 'username', 'type': 'text'},
                      {'name': 'pwd', 'type': 'password'}):
            params.add_field_by_attrs(attrs)

        wrapper = Form(params)

        # Baseline: neither view knows about 'address' yet
        for view in (params, wrapper):
            self.assertNotIn('address', view)

        # Key added through the FormParameters object
        params['address'] = ['']
        for view in (params, wrapper):
            self.assertIn('address', view)

        # Key added through the Form object
        wrapper['company'] = ['']
        for view in (params, wrapper):
            self.assertIn('company', view)

        # Key removed through the Form object
        del wrapper['address']
        for view in (wrapper, params):
            self.assertNotIn('address', view)

        # Key removed through the FormParameters object
        del params['company']
        for view in (wrapper, params):
            self.assertNotIn('company', view)
Example #3
    def test_login_form_utils(self):
        """
        A Form with one text field and one password field is classified as a
        login form, exposes both fields as login tokens and lets the
        credentials be set through set_login_username/set_login_password.
        """
        params = FormParameters()
        params.add_field_by_attrs({'name': 'username', 'type': 'text'})
        params.add_field_by_attrs({'name': 'pwd', 'type': 'password'})

        login_form = Form(params)

        # Classification helpers
        self.assertTrue(login_form.is_login_form())
        self.assertFalse(login_form.is_registration_form())
        self.assertFalse(login_form.is_password_change_form())
        type_count = login_form.get_parameter_type_count()
        self.assertEqual(type_count, (1, 1, 0))

        # Both tokens start with an empty value
        tokens = login_form.get_login_tokens()
        user_token, pass_token = tokens
        self.assertEqual(user_token.get_name(), 'username')
        self.assertEqual(pass_token.get_name(), 'pwd')
        self.assertEqual(user_token.get_value(), '')
        self.assertEqual(pass_token.get_value(), '')

        # Setting only the username leaves the password empty
        login_form.set_login_username('andres')
        self.assertEqual(login_form['username'][0], 'andres')
        self.assertEqual(login_form['pwd'][0], '')

        # The password is stored as given and read back in clear text
        login_form.set_login_username('pablo')
        login_form.set_login_password('long-complex')
        self.assertEqual(login_form['username'][0], 'pablo')
        self.assertEqual(login_form['pwd'][0], 'long-complex')

        # The Form hands back the very same FormParameters object, not a copy
        self.assertIs(login_form.get_form_params(), params)
Example #4
    def test_login_form_utils(self):
        """
        Exercise the login helpers of Form on a username/password pair:
        classification, token lookup and the credential setters.
        """
        fields = FormParameters()
        for field_attrs in ({'name': 'username', 'type': 'text'},
                            {'name': 'pwd', 'type': 'password'}):
            fields.add_field_by_attrs(field_attrs)

        dc = Form(fields)

        self.assertTrue(dc.is_login_form())
        self.assertFalse(dc.is_registration_form())
        self.assertFalse(dc.is_password_change_form())
        self.assertEqual(dc.get_parameter_type_count(), (1, 1, 0))

        username_token, password_token = dc.get_login_tokens()
        self.assertEqual(username_token.get_name(), 'username')
        self.assertEqual(password_token.get_name(), 'pwd')
        self.assertEqual(username_token.get_value(), '')
        self.assertEqual(password_token.get_value(), '')

        # First pass: username only
        dc.set_login_username('andres')
        self.assertEqual(dc['username'][0], 'andres')
        self.assertEqual(dc['pwd'][0], '')

        # Second pass: overwrite the username and fill in the password
        dc.set_login_username('pablo')
        dc.set_login_password('long-complex')
        self.assertEqual(dc['username'][0], 'pablo')
        self.assertEqual(dc['pwd'][0], 'long-complex')

        # Identity check: get_form_params() returns the wrapped object itself
        self.assertIs(dc.get_form_params(), fields)
Example #5
    def test_keep_sync(self):
        """
        Key membership stays in sync between a Form and the FormParameters
        object passed to its constructor, whichever of the two is modified.
        """
        backing = FormParameters()
        backing.add_field_by_attrs({'name': 'username', 'type': 'text'})
        backing.add_field_by_attrs({'name': 'pwd', 'type': 'password'})

        dc = Form(backing)

        self.assertNotIn('address', backing)
        self.assertNotIn('address', dc)

        # Insert via the FormParameters object, observe via both
        backing['address'] = ['']
        self.assertIn('address', backing)
        self.assertIn('address', dc)

        # Insert via the Form object, observe via both
        dc['company'] = ['']
        self.assertIn('company', backing)
        self.assertIn('company', dc)

        # Delete via the Form object, observe via both
        del dc['address']
        self.assertNotIn('address', dc)
        self.assertNotIn('address', backing)

        # Delete via the FormParameters object, observe via both
        del backing['company']
        self.assertNotIn('company', dc)
        self.assertNotIn('company', backing)
Example #6
    def test_login_form_utils(self):
        """
        FormParameters with one text and one password field reports itself as
        a login form and as neither a registration nor a password-change form.
        """
        params = FormParameters()
        for attrs in ({'name': 'username', 'type': 'text'},
                      {'name': 'pwd', 'type': 'password'}):
            params.add_field_by_attrs(attrs)

        self.assertTrue(params.is_login_form())
        self.assertFalse(params.is_registration_form())
        self.assertFalse(params.is_password_change_form())

        type_count = params.get_parameter_type_count()
        self.assertEqual(type_count, (1, 1, 0))
Example #7
    def test_login_form_utils(self):
        """
        Check the form-classification helpers of FormParameters on a
        username + password field pair.
        """
        login_fields = FormParameters()
        login_fields.add_field_by_attrs({'name': 'username', 'type': 'text'})
        login_fields.add_field_by_attrs({'name': 'pwd', 'type': 'password'})

        # Only the login classification is expected to match
        self.assertTrue(login_fields.is_login_form())
        self.assertFalse(login_fields.is_registration_form())
        self.assertFalse(login_fields.is_password_change_form())
        self.assertEqual(login_fields.get_parameter_type_count(), (1, 1, 0))
Example #8
    def test_cpickle_simple(self):
        """
        A Form survives a cPickle dumps/loads round trip with the same items.

        The bytes given to cPickle.loads() are produced by cPickle.dumps() in
        this same test, so nothing external is deserialized here;
        cPickle.loads() is not safe on data of any other origin.
        """
        params = FormParameters()
        params.add_field_by_attrs({'name': 'username', 'type': 'text'})
        params.add_field_by_attrs({'name': 'pwd', 'type': 'password'})

        original = Form(params)

        serialized = cPickle.dumps(original)
        restored = cPickle.loads(serialized)

        self.assertEqual(restored.items(), original.items())
Example #9
def _create_instance_from_form_params(data_container_cls, params):
    """
    Wrap the entries of `params` in a FormParameters object and return
    `data_container_cls` applied to it.

    :param data_container_cls: Callable that receives the FormParameters
    :param params: Mapping exposing `iteritems()` (the Python 2 dict API);
        each key is used as a field name and each value as the field value
    :return: The result of `data_container_cls(form_params)`
    """
    fields = FormParameters()

    for key, val in params.iteritems():
        fields.add_field_by_attrs(dict(name=key, value=val))

    return data_container_cls(fields)
Example #10
    def test_cpickle_simple(self):
        """
        Pickling and unpickling a Form yields an object with equal items().

        Only locally produced pickle data is loaded: the argument of
        cPickle.loads() comes straight from cPickle.dumps(). Unpickling data
        that did not originate in this process can execute arbitrary code.
        """
        fields = FormParameters()
        for attrs in ({'name': 'username', 'type': 'text'},
                      {'name': 'pwd', 'type': 'password'}):
            fields.add_field_by_attrs(attrs)

        form = Form(fields)

        round_tripped = cPickle.loads(cPickle.dumps(form))

        expected_items = form.items()
        self.assertEqual(round_tripped.items(), expected_items)
Example #11
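    def test_form_copy(self):
        """
        copy.deepcopy() of a Form keeps the token selected with set_token():
        the copy's token equals the original's and is not None.
        """
        form_params = FormParameters()
        form_params.add_field_by_attrs({'name': 'username', 'type': 'text'})
        form_params.add_field_by_attrs({'name': 'pwd', 'type': 'password'})

        form = Form(form_params)
        form.set_token(('username', 0))

        form_copy = copy.deepcopy(form)

        self.assertEqual(form.get_token(), form_copy.get_token())
        # assertIsNotNone states the intent directly and reports the value
        # under test on failure (the original passed None as the first
        # argument of assertIsNot)
        self.assertIsNotNone(form_copy.get_token())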
Example #12
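    def test_form_copy(self):
        """
        A deep copy of a Form carries over the token set on the original.
        """
        form_params = FormParameters()
        form_params.add_field_by_attrs({'name': 'username', 'type': 'text'})
        form_params.add_field_by_attrs({'name': 'pwd', 'type': 'password'})

        form = Form(form_params)
        # Select the first value of the 'username' field as the token
        form.set_token(('username', 0))

        form_copy = copy.deepcopy(form)
        copied_token = form_copy.get_token()

        self.assertEqual(form.get_token(), copied_token)
        # The equality check alone would also pass if both tokens were None,
        # so the copy's token is checked explicitly with the dedicated
        # assertion instead of assertIsNot(None, ...)
        self.assertIsNotNone(form_copy.get_token())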
Example #13
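    def test_mutant_iter_bound_tokens(self):
        """
        Every Form yielded by iter_bound_tokens() has the same items as the
        original and still reports 'username' as a password input.
        """
        form_params = FormParameters()
        form_params.add_field_by_attrs({'name': 'username',
                                        'value': '',
                                        'type': 'password'})
        form_params.add_field_by_attrs({'name': 'address', 'value': ''})

        form = Form(form_params)

        # NOTE(review): if iter_bound_tokens() yields nothing the loop body
        # never runs and the test passes without checking anything
        for form_copy, _ in form.iter_bound_tokens():
            self.assertIsInstance(form_copy, Form)
            # assertEqual replaces the deprecated assertEquals alias
            self.assertEqual(form_copy.items(), form.items())
            self.assertEqual(form_copy.get_parameter_type('username'),
                             INPUT_TYPE_PASSWD)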
Example #14
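    def test_mutant_iter_bound_tokens(self):
        """
        iter_bound_tokens() yields (form copy, token) pairs; each copy must be
        a Form with the original's items and must keep the password input type
        of the 'username' field.
        """
        form_params = FormParameters()
        form_params.add_field_by_attrs({'name': 'username',
                                        'value': '',
                                        'type': 'password'})
        form_params.add_field_by_attrs({'name': 'address', 'value': ''})

        form = Form(form_params)

        # The second element of each pair is not inspected by this test
        for form_copy, _ in form.iter_bound_tokens():
            self.assertIsInstance(form_copy, Form)
            # Use assertEqual: the assertEquals spelling is a deprecated alias
            self.assertEqual(form_copy.items(), form.items())
            self.assertEqual(form_copy.get_parameter_type('username'),
                             INPUT_TYPE_PASSWD)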
Example #15
    def test_mutant_smart_fill_simple(self):
        """
        smart_fill() fills 'address' with 'Bonsai Street 123' and leaves the
        'username' value, which holds a DataToken, empty and still a DataToken.
        """
        params = FormParameters()
        for attrs in ({'name': 'username', 'value': ''},
                      {'name': 'address', 'value': ''}):
            params.add_field_by_attrs(attrs)

        # Replace the plain username value with a DataToken before wrapping
        token = DataToken('username', '', ('username', 0))
        params['username'][0] = token

        dc = Form(params)
        dc.smart_fill()

        self.assertEqual(dc['username'], [''])
        self.assertEqual(dc['address'], ['Bonsai Street 123'])
        self.assertIsInstance(dc['username'][0], DataToken)

        # smart_fill() must not swap out the wrapped FormParameters object
        self.assertIs(dc.get_form_params(), params)
Example #16
def create_form_params_helper(form_data):
    """
    Build a FormParameters object from a list of field descriptions.

    :param form_data: An iterable of dicts, each one passed unchanged to
        FormParameters.add_field_by_attrs()
    :return: The populated FormParameters object (not a Form wrapper)
    """
    container = FormParameters()

    for field_attrs in form_data:
        container.add_field_by_attrs(field_attrs)

    return container
Example #17
    def test_mutant_smart_fill_simple(self):
        """
        After smart_fill() the token-bound 'username' field is unchanged and
        the plain 'address' field holds the value 'Bonsai Street 123'.
        """
        fields = FormParameters()
        fields.add_field_by_attrs({'name': 'username', 'value': ''})
        fields.add_field_by_attrs({'name': 'address', 'value': ''})
        fields['username'][0] = DataToken('username', '', ('username', 0))

        form = Form(fields)
        form.smart_fill()

        username_values = form['username']
        address_values = form['address']
        self.assertEqual(username_values, [''])
        self.assertEqual(address_values, ['Bonsai Street 123'])

        # The DataToken instance is kept in place
        self.assertIsInstance(form['username'][0], DataToken)
        # The Form still wraps the object it was constructed with
        self.assertIs(form.get_form_params(), fields)
Example #18
def create_form_params_helper(form_data):
    """
    Create a FormParameters object holding one field per entry of `form_data`.

    :param form_data: A list containing dicts representing a form's
        internal structure; each dict is handed to add_field_by_attrs()
    :return: A FormParameters object built from `form_data`
    """
    params = FormParameters()

    for attrs in form_data:
        params.add_field_by_attrs(attrs)

    return params
Example #19
    def test_get_form_id(self):
        """
        get_form_id() reflects the method, action, attributes, hosting URL and
        input names the FormParameters object was built with.
        """
        action_url = URL('http://www.w3af.com/action')
        page_url = URL('http://www.w3af.com/')
        form_attrs = {'class': 'form-main'}

        params = FormParameters(method='GET', action=action_url,
                                attributes=form_attrs,
                                hosted_at_url=page_url)
        for field in ({'name': 'username', 'type': 'text'},
                      {'name': 'pwd', 'type': 'password'}):
            params.add_field_by_attrs(field)

        identifier = params.get_form_id()

        self.assertEqual(identifier.action, action_url)
        self.assertEqual(identifier.attributes, form_attrs)
        self.assertEqual(identifier.method, 'GET')
        self.assertEqual(identifier.hosted_at_url, page_url)
        # Input names are reported in the order the fields were added
        self.assertEqual(identifier.inputs, ['username', 'pwd'])
Example #20
    def test_get_form_id(self):
        """
        The object returned by get_form_id() carries the same action,
        attributes, method, hosted_at_url and input names as the form.
        """
        action = URL('http://www.w3af.com/action')
        hosted_at_url = URL('http://www.w3af.com/')
        attributes = {'class': 'form-main'}

        form = FormParameters(method='GET', action=action,
                              attributes=attributes,
                              hosted_at_url=hosted_at_url)
        form.add_field_by_attrs({'name': 'username', 'type': 'text'})
        form.add_field_by_attrs({'name': 'pwd', 'type': 'password'})

        form_id = form.get_form_id()

        # (attribute name on the form id, value expected there)
        expectations = (
            ('action', action),
            ('attributes', attributes),
            ('method', 'GET'),
            ('hosted_at_url', hosted_at_url),
            ('inputs', ['username', 'pwd']),
        )
        for attr_name, expected in expectations:
            self.assertEqual(getattr(form_id, attr_name), expected)
Example #21
    def from_postdata(cls, headers, post_data):
        """
        Parse a multipart/form-data request body into a new `cls` instance.

        Both `headers` and `post_data` describe an HTTP request and must be
        treated as untrusted input. Each part is read completely into memory
        with file.read(); this block applies no size limit of its own.

        :param headers: Request headers; must satisfy
            MultipartContainer.is_multipart() and provide to_dict()
        :param post_data: Raw request body, wrapped in StringIO.StringIO()
        :return: cls(form_params), with one field per parsed part
        :raises ValueError: If the headers are not multipart or if
            cgi.FieldStorage raises ValueError while parsing
        """
        # NOTE(review): the first parameter is `cls`, so a @classmethod
        # decorator presumably sits above the visible lines -- confirm
        if not MultipartContainer.is_multipart(headers):
            raise ValueError('No multipart content-type header.')

        try:
            parsed = cgi.FieldStorage(fp=StringIO.StringIO(post_data),
                                      headers=headers.to_dict(),
                                      environ={'REQUEST_METHOD': 'POST'})
        except ValueError:
            raise ValueError('Failed to create MultipartContainer.')

        # Please note that the FormParameters is just a container for
        # the information.
        #
        # When the FuzzableRequest is sent the framework calls get_data()
        # which returns a string version of this object, properly encoded
        # using multipart/form-data
        #
        # To make sure the web application properly decodes the request, we
        # also include the headers in get_headers() which include the
        # boundary
        form_params = FormParameters()

        for part in parsed.list:
            # A part without a filename is a plain text field, anything else
            # is handled as a file upload
            is_upload = part.filename is not None

            attrs = {
                'type': INPUT_TYPE_FILE if is_upload else INPUT_TYPE_TEXT,
                'name': part.name,
                'value': part.file.read()
            }

            if is_upload:
                # The filename comes verbatim from the request; it is only
                # recorded here. Code that later uses it as a filesystem
                # path has to sanitise it first.
                attrs['filename'] = part.filename

            form_params.add_field_by_attrs(attrs)

            if is_upload:
                form_params.set_file_name(part.name, part.filename)

        return cls(form_params)
Example #22
    def test_mutant_smart_fill_with_file(self):
        """
        smart_fill() on a form with a file input: 'address' gets
        'Bonsai Street 123', the token-bound 'username' stays empty and the
        'file' field receives an object named *.gif that contains 'GIF'.
        """
        params = FormParameters()
        for attrs in ({'name': 'username', 'value': ''},
                      {'name': 'address', 'value': ''},
                      {'name': 'file', 'type': 'file'}):
            params.add_field_by_attrs(attrs)

        dc = Form(params)
        # Bind the token through the Form, after wrapping
        dc['username'][0] = DataToken('username', '', ('username', 0))
        dc.smart_fill()

        self.assertEqual(dc['username'], [''])
        self.assertEqual(dc['address'], ['Bonsai Street 123'])
        self.assertIsInstance(dc['username'][0], DataToken)

        # The generated upload is checked by extension and by content marker
        upload = dc['file'][0]
        extension = upload.name[-4:]
        self.assertEqual(extension, '.gif')
        self.assertIn('GIF', upload)

        self.assertIs(dc.get_form_params(), params)
Example #23
    def test_mutant_smart_fill_with_file(self):
        """
        Check what smart_fill() puts into text, token-bound and file fields.
        """
        fields = FormParameters()
        fields.add_field_by_attrs({'name': 'username', 'value': ''})
        fields.add_field_by_attrs({'name': 'address', 'value': ''})
        fields.add_field_by_attrs({'name': 'file', 'type': 'file'})

        form = Form(fields)
        username_token = DataToken('username', '', ('username', 0))
        form['username'][0] = username_token
        form.smart_fill()

        # The token-bound field is left alone, the plain one is filled
        self.assertEqual(form['username'], [''])
        self.assertEqual(form['address'], ['Bonsai Street 123'])
        self.assertIsInstance(form['username'][0], DataToken)

        # The file field holds an object whose name ends in '.gif' and whose
        # content includes the string 'GIF'
        file_value = form['file'][0]
        self.assertEqual(file_value.name[-4:], '.gif')
        self.assertIn('GIF', file_value)

        # Same wrapped object as before smart_fill()
        self.assertIs(form.get_form_params(), fields)
Example #24
    def from_postdata(cls, headers, post_data):
        """
        Build a `cls` instance from the parts of a multipart request body.

        `headers` and `post_data` originate from an HTTP request, so part
        names, file names and values are untrusted. Every part is loaded in
        full with file.read(); no size cap is enforced in this block.

        :param headers: Request headers; must satisfy
            MultipartContainer.content_type_matches() and provide to_dict()
        :param post_data: Raw request body, wrapped in StringIO.StringIO()
        :return: cls(form_params), with one field per parsed part
        :raises ValueError: If the content type does not match or if
            cgi.FieldStorage raises ValueError while parsing
        """
        # NOTE(review): takes `cls` first -- presumably decorated with
        # @classmethod outside the visible lines; confirm
        headers_match = MultipartContainer.content_type_matches(headers)
        if not headers_match:
            raise ValueError('No multipart content-type header.')

        environ = {'REQUEST_METHOD': 'POST'}

        try:
            body = StringIO.StringIO(post_data)
            fs = cgi.FieldStorage(fp=body,
                                  headers=headers.to_dict(),
                                  environ=environ)
        except ValueError:
            raise ValueError('Failed to create MultipartContainer.')
        else:
            # Please note that the FormParameters is just a container for
            # the information.
            #
            # When the FuzzableRequest is sent the framework calls get_data()
            # which returns a string version of this object, properly encoded
            # using multipart/form-data
            #
            # To make sure the web application properly decodes the request, we
            # also include the headers in get_headers() which include the
            # boundary
            form_params = FormParameters()

            for field in fs.list:
                if field.filename is not None:
                    # File upload: the filename is stored exactly as sent by
                    # the client, both in the field attributes and through
                    # set_file_name()
                    upload_attrs = {'type': INPUT_TYPE_FILE,
                                    'name': field.name,
                                    'value': field.file.read(),
                                    'filename': field.filename}
                    form_params.add_field_by_attrs(upload_attrs)
                    form_params.set_file_name(field.name, field.filename)
                    continue

                # No filename: plain text field
                text_attrs = {'type': INPUT_TYPE_TEXT,
                              'name': field.name,
                              'value': field.file.read()}
                form_params.add_field_by_attrs(text_attrs)

            return cls(form_params)