def test_multipart_post(self):
boundary, post_data = multipart_encode([('a', 'bcd'), ], [])
multipart_boundary = 'multipart/form-data; boundary=%s'
headers = Headers([('content-length', str(len(post_data))),
('content-type', multipart_boundary % boundary)])
fr = FuzzableRequest.from_parts(self.url, headers=headers,
post_data=post_data, method='POST')
form_params = FormParameters()
form_params.add_input([('name', 'a'),
('type', 'text'),
('value', 'bcd')])
expected_container = MultipartContainer(form_params)
expected_headers = Headers([('content-type',
multipart_boundary % boundary)])
self.assertEqual(fr.get_url(), self.url)
self.assertEqual(fr.get_headers(), expected_headers)
self.assertIn('multipart/form-data', fr.get_headers()['content-type'])
self.assertEqual(fr.get_method(), 'POST')
self.assertIsInstance(fr.get_raw_data(), MultipartContainer)
self.assertEqual(fr.get_raw_data(), expected_container)
def from_postdata(cls, headers, post_data):
if not MultipartContainer.is_multipart(headers):
raise ValueError('No multipart content-type header.')
environ = {'REQUEST_METHOD': 'POST'}
try:
fs = cgi.FieldStorage(fp=StringIO.StringIO(post_data),
headers=headers.to_dict(),
environ=environ)
except ValueError:
raise ValueError('Failed to create MultipartContainer.')
else:
# Please note that the FormParameters is just a container for
# the information.
#
# When the FuzzableRequest is sent the framework calls get_data()
# which returns a string version of this object, properly encoded
# using multipart/form-data
#
# To make sure the web application properly decodes the request, we
# also include the headers in get_headers() which include the
# boundary
form_params = FormParameters()
for key in fs.list:
if key.filename is None:
form_params.add_input([('name', key.name),
('type', 'text'),
('value', key.file.read())])
else:
form_params.set_file_name(key.name, key.filename)
form_params.add_file_input([('name', key.name)])
return cls(form_params)
def create_vuln(self):
v = super(FileUploadTemplate, self).create_vuln()
form_params = FormParameters()
for file_var in self.file_vars:
form_params.add_file_input([("name", file_var), ("type", "file")])
for token in self.data.iter_tokens():
if token.get_name() in self.file_vars:
continue
form_params.add_input([("name", token.get_name()),
("type", "text"),
("value", token.get_value())])
mpc = MultipartContainer(form_params)
freq = FuzzableRequest(self.url, method=self.method, post_data=mpc)
mutant = PostDataMutant(freq)
mutant.set_dc(mpc)
mutant.set_token((self.vulnerable_parameter, 0))
# User configured settings
v['file_vars'] = self.file_vars
v['file_dest'] = self.file_dest
v.set_mutant(mutant)
return v
def from_postdata(cls, headers, post_data):
if not MultipartContainer.is_multipart(headers):
raise ValueError('No multipart content-type header.')
environ = {'REQUEST_METHOD': 'POST'}
try:
fs = cgi.FieldStorage(fp=StringIO.StringIO(post_data),
headers=headers.to_dict(), environ=environ)
except ValueError:
raise ValueError('Failed to create MultipartContainer.')
else:
# Please note that the FormParameters is just a container for
# the information.
#
# When the FuzzableRequest is sent the framework calls get_data()
# which returns a string version of this object, properly encoded
# using multipart/form-data
#
# To make sure the web application properly decodes the request, we
# also include the headers in get_headers() which include the
# boundary
form_params = FormParameters()
for key in fs.list:
if key.filename is None:
form_params.add_input([('name', key.name),
('type', 'text'),
('value', key.file.read())])
else:
form_params.set_file_name(key.name, key.filename)
form_params.add_file_input([('name', key.name)])
return cls(form_params)
def create_vuln(self):
v = super(FileUploadTemplate, self).create_vuln()
form_params = FormParameters()
for file_var in self.file_vars:
form_params.add_file_input([("name", file_var), ("type", "file")])
for token in self.data.iter_tokens():
if token.get_name() in self.file_vars:
continue
form_params.add_input([("name", token.get_value()),
("type", "text")])
mpc = MultipartContainer(form_params)
freq = FuzzableRequest(self.url, method=self.method, post_data=mpc)
mutant = PostDataMutant(freq)
mutant.set_dc(mpc)
mutant.set_token((self.vulnerable_parameter, 0))
# User configured settings
v['file_vars'] = self.file_vars
v['file_dest'] = self.file_dest
v.set_mutant(mutant)
return v
def test_mutant_creation_repeated_parameter_name(self):
form_params = FormParameters()
form_params.add_input([("name", "id"), ("value", "")])
form_params.add_input([("name", "id"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://w3af.com/?foo=3'),
post_data=form,
method='GET')
created_mutants = PostDataMutant.create_mutants(
freq, self.payloads, [], False, self.fuzzer_config)
expected_dcs = [
'id=def&id=3419', 'id=3419&id=def', 'id=3419&id=abc',
'id=abc&id=3419'
]
created_dcs = [str(i.get_dc()) for i in created_mutants]
self.assertEqual(set(created_dcs), set(expected_dcs))
token = created_mutants[0].get_token()
self.assertEqual(token.get_name(), 'id')
self.assertEqual(token.get_original_value(), '')
token = created_mutants[2].get_token()
self.assertEqual(token.get_name(), 'id')
self.assertEqual(token.get_original_value(), '')
for m in created_mutants:
self.assertIsInstance(m, PostDataMutant)
for m in created_mutants:
self.assertEqual(m.get_method(), 'GET')
def test_keep_sync(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("type", "text")])
form_params.add_input([("name", "pwd"), ("type", "password")])
form = Form(form_params)
self.assertNotIn('address', form_params)
self.assertNotIn('address', form)
# Add to the form_params
form_params['address'] = ['']
self.assertIn('address', form_params)
self.assertIn('address', form)
# Add to the Form object
form['company'] = ['']
self.assertIn('company', form_params)
self.assertIn('company', form)
# Del from the Form object
del form['address']
self.assertNotIn('address', form)
self.assertNotIn('address', form_params)
# Del from the FormParams object
del form_params['company']
self.assertNotIn('company', form)
self.assertNotIn('company', form_params)
def test_login_form_utils(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("type", "text")])
form_params.add_input([("name", "pwd"), ("type", "password")])
form = Form(form_params)
self.assertTrue(form.is_login_form())
self.assertFalse(form.is_registration_form())
self.assertFalse(form.is_password_change_form())
self.assertEqual(form.get_parameter_type_count(), (1, 1, 0))
user_token, pass_token = form.get_login_tokens()
self.assertEqual(user_token.get_name(), 'username')
self.assertEqual(pass_token.get_name(), 'pwd')
self.assertEqual(user_token.get_value(), '')
self.assertEqual(pass_token.get_value(), '')
form.set_login_username('andres')
self.assertEqual(form['username'][0], 'andres')
self.assertEqual(form['pwd'][0], '')
form.set_login_username('pablo')
form.set_login_password('long-complex')
self.assertEqual(form['username'][0], 'pablo')
self.assertEqual(form['pwd'][0], 'long-complex')
self.assertIs(form.get_form_params(), form_params)
def test_mutant_creation_repeated_parameter_name(self):
form_params = FormParameters()
form_params.add_input([("name", "id"), ("value", "")])
form_params.add_input([("name", "id"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://w3af.com/?foo=3'), post_data=form,
method='GET')
created_mutants = PostDataMutant.create_mutants(freq, self.payloads, [],
False,
self.fuzzer_config)
expected_dcs = ['id=def&id=3419',
'id=3419&id=def',
'id=3419&id=abc',
'id=abc&id=3419']
created_dcs = [str(i.get_dc()) for i in created_mutants]
self.assertEqual(set(created_dcs), set(expected_dcs))
token = created_mutants[0].get_token()
self.assertEqual(token.get_name(), 'id')
self.assertEqual(token.get_original_value(), '')
token = created_mutants[2].get_token()
self.assertEqual(token.get_name(), 'id')
self.assertEqual(token.get_original_value(), '')
for m in created_mutants:
self.assertIsInstance(m, PostDataMutant)
for m in created_mutants:
self.assertEqual(m.get_method(), 'GET')
def create_form_params_helper(form_data):
"""
Creates a dc.Form object from a dict container
:param form_data: A list containing dicts representing a form's
internal structure
:return: A dc.Form object from `form_data`
"""
new_form_params = FormParameters()
for elem_data in form_data:
elem_type = elem_data['tagname']
attrs = elem_data.items()
if elem_type == 'input':
_type = elem_data['type']
if _type == 'radio':
new_form_params.add_radio(attrs)
elif _type == 'checkbox':
new_form_params.add_check_box(attrs)
elif _type in ('text', 'hidden'):
new_form_params.add_input(attrs)
elif elem_type == 'select':
new_form_params.add_select(elem_data['name'], elem_data['options'])
return new_form_params
def test_sent_post_data(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", """d'z"0""")])
form_params.add_input([("name", "address"), ("value", "")])
form = dc_from_form_params(form_params)
f = FuzzableRequest(URL('http://example.com/'), post_data=form)
self.assertTrue(f.sent('d%5C%27z%5C%220'))
def test_sent_post_data(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", """d'z"0""")])
form_params.add_input([("name", "address"), ("value", "")])
form = dc_from_form_params(form_params)
f = FuzzableRequest(URL('http://example.com/'), post_data=form)
self.assertTrue(f.sent('d%5C%27z%5C%220'))
def test_login_form_utils(self):
form = FormParameters()
form.add_input([("name", "username"), ("type", "text")])
form.add_input([("name", "pwd"), ("type", "password")])
self.assertTrue(form.is_login_form())
self.assertFalse(form.is_registration_form())
self.assertFalse(form.is_password_change_form())
self.assertEqual(form.get_parameter_type_count(), (1, 1, 0))
def create_simple_fuzzable_request(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "abc")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
return FuzzableRequest.from_form(form)
def create_simple_fuzzable_request(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "abc")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
return FuzzableRequest.from_form(form)
def test_cpickle_simple(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("type", "text")])
form_params.add_input([("name", "pwd"), ("type", "password")])
form = Form(form_params)
pickled_form = cPickle.loads(cPickle.dumps(form))
self.assertEqual(pickled_form.items(), form.items())
def test_dc_from_form_params_without_files_nor_enctype(self):
form_params = FormParameters()
form_params.add_input([('name', 'a'), ('type', 'text'),
('value', 'bcd')])
urlencode_dc = dc_from_form_params(form_params)
self.assertIsInstance(urlencode_dc, URLEncodedForm)
self.assertEqual(urlencode_dc.get_file_vars(), [])
self.assertEqual(urlencode_dc['a'], ['bcd'])
def upload_file(self, _file):
form_params = FormParameters()
form_params.add_file_input([("name", "uploadedfile")])
form_params.add_input([("name", "MAX_FILE_SIZE"), ("type", "hidden"), ("value", "10000")])
mpc = MultipartContainer(form_params)
mpc["uploadedfile"][0] = _file
resp = self.opener.POST(self.MOTH_FILE_UP_URL, data=str(mpc), headers=Headers(mpc.get_headers()))
self.assertIn("was successfully uploaded", resp.get_body())
def test_dc_from_form_params_without_files_with_multipart_enctype(self):
form_params = FormParameters()
form_params.set_form_encoding('multipart/form-data')
form_params.add_input([('name', 'a'), ('type', 'text'),
('value', 'bcd')])
mpdc = dc_from_form_params(form_params)
self.assertIsInstance(mpdc, MultipartContainer)
self.assertEqual(mpdc.get_file_vars(), [])
self.assertEqual(mpdc['a'], ['bcd'])
def test_dc_from_form_params_without_files_nor_enctype(self):
form_params = FormParameters()
form_params.add_input([('name', 'a'),
('type', 'text'),
('value', 'bcd')])
urlencode_dc = dc_from_form_params(form_params)
self.assertIsInstance(urlencode_dc, URLEncodedForm)
self.assertEqual(urlencode_dc.get_file_vars(), [])
self.assertEqual(urlencode_dc['a'], ['bcd'])
def test_form_copy(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("type", "text")])
form_params.add_input([("name", "pwd"), ("type", "password")])
form = Form(form_params)
form.set_token(('username', 0))
form_copy = copy.deepcopy(form)
self.assertEqual(form.get_token(), form_copy.get_token())
self.assertIsNot(None, form_copy.get_token())
def test_is_suitable(self):
# False because no cookie is set and no QS nor post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# False because no cookie is set
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
url_sends_cookie = URL(
'http://moth/w3af/core/cookie_handler/set-cookie.php')
self.uri_opener.GET(url_sends_cookie)
# Still false because it doesn't have any QS or POST data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
self.csrf_plugin._strict_mode = True
# Still false because of the strict mode
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# False, no items in post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='POST', post_data=URLEncodedForm())
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# True, items in DC, POST (passes strict mode) and cookies
url = URL('http://moth/')
form_params = FormParameters()
form_params.add_input([('name', 'test'), ('type', 'text')])
form = URLEncodedForm(form_params)
req = FuzzableRequest(url, method='POST', post_data=form)
suitable = self.csrf_plugin._is_suitable(req)
self.assertTrue(suitable)
self.csrf_plugin._strict_mode = False
# True now that we have strict mode off, cookies and QS
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertTrue(suitable)
def test_is_suitable(self):
# False because no cookie is set and no QS nor post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# False because no cookie is set
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
url_sends_cookie = URL(
'http://moth/w3af/core/cookie_handler/set-cookie.php')
self.uri_opener.GET(url_sends_cookie)
# Still false because it doesn't have any QS or POST data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
self.csrf_plugin._strict_mode = True
# Still false because of the strict mode
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# False, no items in post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='POST', post_data=URLEncodedForm())
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# True, items in DC, POST (passes strict mode) and cookies
url = URL('http://moth/')
form_params = FormParameters()
form_params.add_input([('name', 'test'), ('type', 'text')])
form = URLEncodedForm(form_params)
req = FuzzableRequest(url, method='POST', post_data=form)
suitable = self.csrf_plugin._is_suitable(req)
self.assertTrue(suitable)
self.csrf_plugin._strict_mode = False
# True now that we have strict mode off, cookies and QS
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertTrue(suitable)
def test_clean_form_fuzzable_request_form(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "abc")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
expected = u'(POST)-http://example.com/?id=number!username=string&address=string'
self.assertEqual(self.vdb._clean_fuzzable_request(fr), expected)
def test_dc_from_form_params_without_files_with_multipart_enctype(self):
form_params = FormParameters()
form_params.set_form_encoding('multipart/form-data')
form_params.add_input([('name', 'a'),
('type', 'text'),
('value', 'bcd')])
mpdc = dc_from_form_params(form_params)
self.assertIsInstance(mpdc, MultipartContainer)
self.assertEqual(mpdc.get_file_vars(), [])
self.assertEqual(mpdc['a'], ['bcd'])
def test_upload_file_using_fuzzable_request(self):
form_params = FormParameters()
form_params.add_file_input([("name", "uploadedfile")])
form_params["uploadedfile"][0] = NamedStringIO("file content", name="test.txt")
form_params.add_input([("name", "MAX_FILE_SIZE"), ("type", "hidden"), ("value", "10000")])
mpc = MultipartContainer(form_params)
freq = FuzzableRequest(self.MOTH_FILE_UP_URL, post_data=mpc, method="POST")
resp = self.opener.send_mutant(freq)
self.assertIn("was successfully uploaded", resp.get_body())
def test_dc_from_form_params_with_files(self):
form_params = FormParameters()
form_params.set_file_name('b', 'hello.txt')
form_params.add_file_input([('name', 'b')])
form_params.add_input([('name', 'a'), ('type', 'text'),
('value', 'bcd')])
mpdc = dc_from_form_params(form_params)
self.assertIsInstance(mpdc, MultipartContainer)
self.assertEqual(mpdc.get_file_vars(), ['b'])
self.assertEqual(mpdc['a'], ['bcd'])
def test_clean_form_fuzzable_request_form(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "abc")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
expected = u'(POST)-http://example.com/?id=number!username=string&address=string'
self.assertEqual(self.vdb._clean_fuzzable_request(fr), expected)
def test_mutant_iter_bound_tokens(self):
form_params = FormParameters()
form_params.add_input([("name", "username"),
("value", ""),
("type", "password")])
form_params.add_input([("name", "address"), ("value", "")])
form = Form(form_params)
for form_copy, _ in form.iter_bound_tokens():
self.assertIsInstance(form_copy, Form)
self.assertEquals(form_copy.items(), form.items())
self.assertEquals(form_copy.get_parameter_type('username'),
FormParameters.INPUT_TYPE_PASSWD)
def test_dc_from_form_params_with_files(self):
form_params = FormParameters()
form_params.set_file_name('b', 'hello.txt')
form_params.add_file_input([('name', 'b')])
form_params.add_input([('name', 'a'),
('type', 'text'),
('value', 'bcd')])
mpdc = dc_from_form_params(form_params)
self.assertIsInstance(mpdc, MultipartContainer)
self.assertEqual(mpdc.get_file_vars(), ['b'])
self.assertEqual(mpdc['a'], ['bcd'])
def upload_file(self, _file):
form_params = FormParameters()
form_params.add_file_input([('name', 'uploadedfile')])
form_params.add_input([('name', 'MAX_FILE_SIZE'), ('type', 'hidden'),
('value', '10000')])
mpc = MultipartContainer(form_params)
mpc['uploadedfile'][0] = _file
resp = self.opener.POST(self.MOTH_FILE_UP_URL,
data=str(mpc),
headers=Headers(mpc.get_headers()))
self.assertIn('was successfully uploaded', resp.get_body())
def test_mutant_smart_fill_simple(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "")])
form_params.add_input([("name", "address"), ("value", "")])
form_params['username'][0] = DataToken('username', '', ('username', 0))
form = Form(form_params)
form.smart_fill()
self.assertEqual(form['username'], ['', ])
self.assertEqual(form['address'], ['Bonsai Street 123', ])
self.assertIsInstance(form['username'][0], DataToken)
self.assertIs(form.get_form_params(), form_params)
def test_from_form_POST(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "abc")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
self.assertIs(fr.get_uri(), form.get_action())
self.assertIs(fr.get_raw_data(), form)
self.assertEqual(fr.get_method(), 'POST')
self.assertEqual(fr.get_uri().querystring, QueryString([('id', ['1'])]))
def test_found_at(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "")])
form_params.add_input([("name", "address"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form,
method='PUT')
m = PostDataMutant(freq)
m.get_dc().set_token(('username', 0))
expected = '"http://www.w3af.com/?id=3", using HTTP method PUT. '\
'The sent post-data was: "username=&address=" '\
'which modifies the "username" parameter.'
self.assertEqual(m.found_at(), expected)
def test_mutant_creation(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "")])
form_params.add_input([("name", "address"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'),
post_data=form,
method='PUT')
created_mutants = PostDataMutant.create_mutants(
freq, self.payloads, [], False, self.fuzzer_config)
expected_dcs = [
'username=def&address=Bonsai%20Street%20123',
'username=abc&address=Bonsai%20Street%20123',
'username=John8212&address=def', 'username=John8212&address=abc'
]
created_dcs = [str(i.get_dc()) for i in created_mutants]
self.assertEqual(set(created_dcs), set(expected_dcs))
token = created_mutants[0].get_token()
self.assertEqual(token.get_name(), 'username')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'abc')
token = created_mutants[1].get_token()
self.assertEqual(token.get_name(), 'address')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'abc')
token = created_mutants[2].get_token()
self.assertEqual(token.get_name(), 'username')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'def')
token = created_mutants[3].get_token()
self.assertEqual(token.get_name(), 'address')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'def')
for m in created_mutants:
self.assertIsInstance(m, PostDataMutant)
for m in created_mutants:
self.assertEqual(m.get_method(), 'PUT')
def create_simple_filecontent_mutant(self, container_klass):
form_params = FormParameters()
form_params.set_method('POST')
form_params.set_action(self.url)
form_params.add_input([("name", "username"), ("value", "")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.add_file_input([("name", "file"), ("type", "file")])
form = container_klass(form_params)
freq = FuzzableRequest.from_form(form)
m = FileContentMutant(freq)
m.get_dc().set_token(('file', 0))
m.set_token_value('abc')
return m
def test_found_at(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "")])
form_params.add_input([("name", "address"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'),
post_data=form,
method='PUT')
m = PostDataMutant(freq)
m.get_dc().set_token(('username', 0))
expected = '"http://www.w3af.com/?id=3", using HTTP method PUT. '\
'The sent post-data was: "username=&address=" '\
'which modifies the "username" parameter.'
self.assertEqual(m.found_at(), expected)
def create_simple_filecontent_mutant(self, container_klass):
form_params = FormParameters()
form_params.set_method('POST')
form_params.set_action(self.url)
form_params.add_input([("name", "username"), ("value", "")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.add_file_input([("name", "file"), ("type", "file")])
form = container_klass(form_params)
freq = FuzzableRequest.from_form(form)
m = FileContentMutant(freq)
m.get_dc().set_token(('file', 0))
m.set_token_value('abc')
return m
def test_from_form_POST(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "abc")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
self.assertIs(fr.get_uri(), form.get_action())
self.assertIs(fr.get_raw_data(), form)
self.assertEqual(fr.get_method(), 'POST')
self.assertEqual(fr.get_uri().querystring,
QueryString([('id', ['1'])]))
def test_mutant_creation(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "")])
form_params.add_input([("name", "address"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form,
method='PUT')
created_mutants = PostDataMutant.create_mutants(freq, self.payloads, [],
False,
self.fuzzer_config)
expected_dcs = ['username=def&address=Bonsai%20Street%20123',
'username=abc&address=Bonsai%20Street%20123',
'username=John8212&address=def',
'username=John8212&address=abc']
created_dcs = [str(i.get_dc()) for i in created_mutants]
self.assertEqual(set(created_dcs), set(expected_dcs))
token = created_mutants[0].get_token()
self.assertEqual(token.get_name(), 'username')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'abc')
token = created_mutants[1].get_token()
self.assertEqual(token.get_name(), 'address')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'abc')
token = created_mutants[2].get_token()
self.assertEqual(token.get_name(), 'username')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'def')
token = created_mutants[3].get_token()
self.assertEqual(token.get_name(), 'address')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'def')
for m in created_mutants:
self.assertIsInstance(m, PostDataMutant)
for m in created_mutants:
self.assertEqual(m.get_method(), 'PUT')
def test_upload_file_using_fuzzable_request(self):
form_params = FormParameters()
form_params.add_file_input([('name', 'uploadedfile')])
form_params['uploadedfile'][0] = NamedStringIO('file content',
name='test.txt')
form_params.add_input([('name', 'MAX_FILE_SIZE'), ('type', 'hidden'),
('value', '10000')])
mpc = MultipartContainer(form_params)
freq = FuzzableRequest(self.MOTH_FILE_UP_URL,
post_data=mpc,
method='POST')
resp = self.opener.send_mutant(freq)
self.assertIn('was successfully uploaded', resp.get_body())
def test_from_form_default(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "abc")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/'))
# Without a method
#form_params.set_method('GET')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
expected_url = 'http://example.com/?username=abc&address='
self.assertEqual(fr.get_uri().url_string, expected_url)
self.assertEqual(fr.get_uri().querystring, 'username=abc&address=')
self.assertIsInstance(fr.get_uri().querystring, URLEncodedForm)
self.assertEqual(fr.get_method(), 'GET')
self.assertIsNot(fr.get_raw_data(), form)
def test_from_form_default(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "abc")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/'))
# Without a method
#form_params.set_method('GET')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
expected_url = 'http://example.com/?username=abc&address='
self.assertEqual(fr.get_uri().url_string, expected_url)
self.assertEqual(fr.get_uri().querystring, 'username=abc&address=')
self.assertIsInstance(fr.get_uri().querystring, URLEncodedForm)
self.assertEqual(fr.get_method(), 'GET')
self.assertIsNot(fr.get_raw_data(), form)
def test_form_file_post_no_files(self):
cf_singleton.save("fuzzable_headers", [])
cf_singleton.save("fuzz_cookies", False)
cf_singleton.save("fuzz_url_filenames", False)
cf_singleton.save("fuzzed_files_extension", "gif")
cf_singleton.save("fuzz_form_files", True) # This one changed
cf_singleton.save("fuzz_url_parts", False)
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "")])
form_params.add_input([("name", "address"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL("http://www.w3af.com/?id=3"), post_data=form, method="PUT")
mutants = create_mutants(freq, self.payloads)
self.assertTrue(all(isinstance(m, QSMutant) for m in mutants[:2]))
self.assertTrue(all(isinstance(m, PostDataMutant) for m in mutants[4:]))
self.assertTrue(all(m.get_method() == "PUT" for m in mutants))
expected_uris = {
"http://www.w3af.com/?id=abc",
"http://www.w3af.com/?id=def",
"http://www.w3af.com/?id=3",
"http://www.w3af.com/?id=3",
"http://www.w3af.com/?id=3",
"http://www.w3af.com/?id=3",
}
created_uris = set([i.get_uri().url_string for i in mutants])
self.assertEqual(expected_uris, created_uris)
expected_dcs = {
"id=abc",
"id=def",
"username=abc&address=Bonsai%20Street%20123",
"username=def&address=Bonsai%20Street%20123",
"username=John8212&address=abc",
"username=John8212&address=def",
}
created_dcs = set([str(i.get_dc()) for i in mutants])
self.assertEqual(created_dcs, expected_dcs)
def test_store_fuzzable_request(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "abc")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
ds = DiskSet()
ds.add(fr)
stored_fr = ds[0]
self.assertEqual(stored_fr, fr)
self.assertIsNot(stored_fr, fr)
def test_store_fuzzable_request(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "abc")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
ds = DiskSet()
ds.add(fr)
stored_fr = ds[0]
self.assertEqual(stored_fr, fr)
self.assertIsNot(stored_fr, fr)
def test_mutant_smart_fill_with_file(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "")])
form_params.add_input([("name", "address"), ("value", "")])
form_params.add_file_input([("name", "file"), ("type", "file")])
form = Form(form_params)
form['username'][0] = DataToken('username', '', ('username', 0))
form.smart_fill()
self.assertEqual(form['username'], ['', ])
self.assertEqual(form['address'], ['Bonsai Street 123', ])
self.assertIsInstance(form['username'][0], DataToken)
str_file = form['file'][0]
self.assertEqual(str_file.name[-4:], '.gif')
self.assertIn('GIF', str_file)
self.assertIs(form.get_form_params(), form_params)
def test_form_file_post_no_files(self):
cf_singleton.save('fuzzable_headers', [])
cf_singleton.save('fuzz_cookies', False)
cf_singleton.save('fuzz_url_filenames', False)
cf_singleton.save('fuzzed_files_extension', 'gif')
cf_singleton.save('fuzz_form_files', True) # This one changed
cf_singleton.save('fuzz_url_parts', False)
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "")])
form_params.add_input([("name", "address"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'),
post_data=form,
method='PUT')
mutants = create_mutants(freq, self.payloads)
self.assertTrue(all(isinstance(m, QSMutant) for m in mutants[:2]))
self.assertTrue(all(
isinstance(m, PostDataMutant) for m in mutants[4:]))
self.assertTrue(all(m.get_method() == 'PUT' for m in mutants))
expected_uris = {
'http://www.w3af.com/?id=abc', 'http://www.w3af.com/?id=def',
'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3',
'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3'
}
created_uris = set([i.get_uri().url_string for i in mutants])
self.assertEqual(expected_uris, created_uris)
expected_dcs = {
'id=abc', 'id=def', 'username=abc&address=Bonsai%20Street%20123',
'username=def&address=Bonsai%20Street%20123',
'username=John8212&address=abc', 'username=John8212&address=def'
}
created_dcs = set([str(i.get_dc()) for i in mutants])
self.assertEqual(created_dcs, expected_dcs)
def test_multipart_post(self):
boundary, post_data = multipart_encode([("a", "bcd")], [])
multipart_boundary = "multipart/form-data; boundary=%s"
headers = Headers([("content-length", str(len(post_data))), ("content-type", multipart_boundary % boundary)])
fr = FuzzableRequest.from_parts(self.url, headers=headers, post_data=post_data, method="POST")
form_params = FormParameters()
form_params.add_input([("name", "a"), ("type", "text"), ("value", "bcd")])
expected_container = MultipartContainer(form_params)
expected_headers = Headers([("content-type", multipart_boundary % boundary)])
self.assertEqual(fr.get_url(), self.url)
self.assertEqual(fr.get_headers(), expected_headers)
self.assertIn("multipart/form-data", fr.get_headers()["content-type"])
self.assertEqual(fr.get_method(), "POST")
self.assertIsInstance(fr.get_raw_data(), MultipartContainer)
self.assertEqual(fr.get_raw_data(), expected_container)
def test_mutant_creation_file(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "default")])
form_params.add_file_input([("name", "file_upload")])
form = MultipartContainer(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/upload'),
post_data=form, method='POST')
payloads = [file(__file__)]
created_mutants = PostDataMutant.create_mutants(freq, payloads,
['file_upload', ],
False,
self.fuzzer_config)
self.assertEqual(len(created_mutants), 1, created_mutants)
mutant = created_mutants[0]
self.assertIsInstance(mutant.get_token().get_value(), file)
self.assertEqual(mutant.get_dc()['username'][0], 'default')
def test_mutant_creation_file(self):
form_params = FormParameters()
form_params.add_input([("name", "username"), ("value", "default")])
form_params.add_file_input([("name", "file_upload")])
form = MultipartContainer(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/upload'),
post_data=form,
method='POST')
payloads = [file(__file__)]
created_mutants = PostDataMutant.create_mutants(
freq, payloads, [
'file_upload',
], False, self.fuzzer_config)
self.assertEqual(len(created_mutants), 1, created_mutants)
mutant = created_mutants[0]
self.assertIsInstance(mutant.get_token().get_value(), file)
self.assertEqual(mutant.get_dc()['username'][0], 'default')
