    def test_store_fuzzable_request_two(self):
        """
        Store two fuzzable requests in a DiskSet, one without a body and one
        built from a POST form, and check that the second one comes back as
        an equal but distinct object.
        """
        disk_set = DiskSet()

        # First entry: a plain request with no post-data
        disk_set.add(FuzzableRequest(URL('http://example.com/?id=1')))

        # Second entry: a request whose body comes from a POST form
        params = FormParameters()
        for field_attrs in ([("name", "username"), ("value", "abc")],
                            [("name", "address"), ("value", "")]):
            params.add_field_by_attr_items(field_attrs)
        params.set_action(URL('http://example.com/?id=1'))
        params.set_method('post')

        form_request = FuzzableRequest.from_form(dc_from_form_params(params))
        disk_set.add(form_request)

        # The stored copy must compare equal to what was added, but must be
        # a different object: DiskSet hands back a re-created entry rather
        # than the one that was added
        from_disk = disk_set[1]
        self.assertEqual(from_disk, form_request)
        self.assertIsNot(from_disk, form_request)
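    def _handle_go_tag_start(self, tag, tag_name, attrs):
        """
        Handle the opening of a WML <go> tag, which plays the role of an
        HTML <form>: its "method" attribute is the request method and its
        "href" the target URL. The resulting FormParameters is appended to
        self._forms and self._inside_form is set.

        :param tag: The parser's tag object (unused here, kept for the
                    handler signature)
        :param tag_name: The tag name (unused here)
        :param attrs: dict of attribute name -> value taken from the
                      (untrusted) document being parsed
        """
        self._inside_form = True

        # "method" comes straight from the scanned page. An absent, empty
        # or valueless attribute is treated as GET, which is what browsers
        # do with an invalid method. attrs.get('method', 'GET') only covered
        # the absent case: <go method=""> reached set_method() as '' and a
        # None value (if the parser back-end ever yields one for a valueless
        # attribute) raised AttributeError on .upper()
        method = (attrs.get('method') or 'GET').upper()

        action = attrs.get('href', None)

        if action is None:
            # No href: the form submits to the page it lives on
            action = self._source_url
        else:
            action = self._decode_url(action)
            try:
                action = self._base_url.url_join(action, encoding=self._encoding)
            except ValueError:
                # The href is attacker-controlled content and may be
                # anything. When it is not a valid URL the best guess is
                # that the form submits to the current page.
                action = self._source_url

        # Create the form
        f = FormParameters(encoding=self._encoding,
                           attributes=attrs,
                           hosted_at_url=self._source_url)
        f.set_method(method)
        f.set_action(action)

        self._forms.append(f)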
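    def _handle_go_tag_start(self, tag, tag_name, attrs):
        """
        Handle the opening of a WML <go> tag (the WML counterpart of an HTML
        <form>): "method" is the request method and "href" the target URL.
        A FormParameters describing it is appended to self._forms and
        self._inside_form is set.

        :param tag: The parser's tag object (unused here, kept for the
                    handler signature)
        :param tag_name: The tag name (unused here)
        :param attrs: dict of attribute name -> value from the (untrusted)
                      document being parsed
        """
        self._inside_form = True

        # An absent, empty or valueless "method" falls back to GET, as a
        # browser would do for an invalid method. The previous
        # attrs.get('method', 'GET') handled only the absent attribute:
        # <go method=""> was passed on to set_method() as '' and a None
        # value (should the parser back-end produce one) crashed .upper()
        method = (attrs.get('method') or 'GET').upper()

        action = attrs.get('href', None)

        if action is None:
            # No href: assume the form submits to the page it lives on
            action = self._source_url
        else:
            action = self._decode_url(action)
            try:
                action = self._base_url.url_join(action,
                                                 encoding=self._encoding)
            except ValueError:
                # The href is untrusted page content; when it is not a
                # valid URL the best guess is the current page.
                action = self._source_url

        # Create the form
        f = FormParameters(encoding=self._encoding,
                           attributes=attrs,
                           hosted_at_url=self._source_url)
        f.set_method(method)
        f.set_action(action)

        self._forms.append(f)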
    def create_simple_fuzzable_request(self):
        """
        Build a POST FuzzableRequest to http://example.com/?id=1 whose body
        is a form with a filled "username" and an empty "address" field.
        """
        params = FormParameters()
        params.set_action(URL('http://example.com/?id=1'))
        params.set_method('post')
        params.add_input([("name", "username"), ("value", "abc")])
        params.add_input([("name", "address"), ("value", "")])

        return FuzzableRequest.from_form(dc_from_form_params(params))
    def create_simple_fuzzable_request(self):
        """
        Build a POST FuzzableRequest to http://example.com/?id=1 with a
        "username" field set to 'abc' and an empty "address" field.
        """
        params = FormParameters()
        params.set_action(URL('http://example.com/?id=1'))
        params.set_method('post')
        for field_attrs in ([("name", "username"), ("value", "abc")],
                            [("name", "address"), ("value", "")]):
            params.add_field_by_attr_items(field_attrs)

        return FuzzableRequest.from_form(dc_from_form_params(params))
        def create_fuzzable_request(_id):
            """
            Build a POST FuzzableRequest to /product/<_id> whose form has a
            single "username" field.
            """
            action = URL('http://example.com/product/%s' % _id)

            params = FormParameters()
            params.set_action(action)
            params.set_method('post')
            params.add_field_by_attr_items([("name", "username"),
                                            ("value", "abc")])

            return FuzzableRequest.from_form(dc_from_form_params(params))
        def create_fuzzable_request(_id):
            """
            Build a POST FuzzableRequest to /product/<_id> with one
            "username" field set to 'abc'.
            """
            params = FormParameters()
            params.set_method('post')
            params.set_action(URL('http://example.com/product/%s' % _id))
            params.add_field_by_attr_items([("name", "username"),
                                            ("value", "abc")])

            form = dc_from_form_params(params)
            return FuzzableRequest.from_form(form)
    def test_dc_from_form_params_without_files_with_multipart_enctype(self):
        """
        A multipart/form-data form with no file fields must still become a
        MultipartContainer: no file variables, and the text field carried
        over with its value.
        """
        params = FormParameters()
        params.set_method('POST')
        params.set_form_encoding('multipart/form-data')
        params.add_field_by_attr_items([('name', 'a'),
                                        ('type', 'text'),
                                        ('value', 'bcd')])

        container = dc_from_form_params(params)

        self.assertIsInstance(container, MultipartContainer)
        self.assertEqual(container.get_file_vars(), [])
        self.assertEqual(container['a'], ['bcd'])
    def test_clean_form_fuzzable_request_form(self):
        """
        _clean_fuzzable_request must reduce a POST form request to its
        shape: the method, the URL with query values replaced by their type,
        and the body field names with their value types.
        """
        params = FormParameters()
        params.set_action(URL('http://example.com/?id=1'))
        params.set_method('post')
        # Field order matters: it is reflected in the expected string
        params.add_input([("name", "username"), ("value", "abc")])
        params.add_input([("name", "address"), ("value", "")])

        request = FuzzableRequest.from_form(dc_from_form_params(params))

        expected = u'(POST)-http://example.com/?id=number!username=string&address=string'
        cleaned = self.vdb._clean_fuzzable_request(request)
        self.assertEqual(cleaned, expected)
    def test_dc_from_form_params_without_files_with_multipart_enctype(self):
        """
        The multipart enctype alone (no file field) must yield a
        MultipartContainer with an empty file-variable list and the text
        field preserved.
        """
        params = FormParameters()
        params.set_method('POST')
        params.set_form_encoding('multipart/form-data')
        params.add_field_by_attr_items([('name', 'a'),
                                        ('type', 'text'),
                                        ('value', 'bcd')])

        container = dc_from_form_params(params)

        self.assertIsInstance(container, MultipartContainer)
        self.assertEqual(container.get_file_vars(), [])
        self.assertEqual(container['a'], ['bcd'])
    def test_clean_form_fuzzable_request_form(self):
        """
        Cleaning a POST form request yields "(METHOD)-url-with-typed-query!"
        followed by the body field names mapped to their value types.
        """
        params = FormParameters()
        params.set_action(URL('http://example.com/?id=1'))
        params.set_method('post')
        # Keep this order: the expected string lists username first
        params.add_input([("name", "username"), ("value", "abc")])
        params.add_input([("name", "address"), ("value", "")])

        request = FuzzableRequest.from_form(dc_from_form_params(params))

        cleaned = self.vdb._clean_fuzzable_request(request)
        expected = u'(POST)-http://example.com/?id=number!username=string&address=string'
        self.assertEqual(cleaned, expected)
        def create_fuzzable_request(_id):
            """
            Build a POST FuzzableRequest whose action has 5 * _id random
            9-char alphanumeric path segments, so each _id yields a URL of a
            different depth.
            """
            segments = '/'.join(rand_alnum(9) for _ in xrange(_id * 5))
            action = URL('http://example.com/%s' % segments)

            params = FormParameters()
            params.set_action(action)
            params.set_method('post')
            params.add_field_by_attr_items([("name", "username"),
                                            ("value", "abc")])
            params.add_field_by_attr_items([("name", "address"),
                                            ("value", "")])

            return FuzzableRequest.from_form(dc_from_form_params(params))
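    def _handle_form_tag_start(self, tag, attrs):
        """
        Handle the opening of an HTML <form> tag.

        Builds a FormParameters from the tag's method, action and enctype
        attributes, appends it to self._forms and then replays any <input>
        tags that were seen before this form opened (self._saved_inputs) as
        if they had appeared inside it.

        :param tag: The parser's tag object, forwarded to the parent handler
        :param attrs: dict of attribute name -> value from the (untrusted)
                      document being parsed
        """
        SGMLParser._handle_form_tag_start(self, tag, attrs)

        # "method" and "enctype" come straight from the scanned page. An
        # absent, empty or valueless attribute falls back to the default
        # (GET / DEFAULT_FORM_ENCODING), which is what browsers do with an
        # invalid value. attrs.get(key, default) only covered the absent
        # attribute, so <form method=""> reached set_method() as '' and a
        # None value (should the parser back-end produce one) crashed .upper()
        method = (attrs.get('method') or 'GET').upper()
        form_encoding = attrs.get('enctype') or DEFAULT_FORM_ENCODING

        action = attrs.get('action', None)

        if action is None:
            # No action attribute: the form submits to the page it lives on
            action = self._source_url
        else:
            action = self._decode_url(action)
            try:
                action = self._base_url.url_join(action, encoding=self._encoding)
            except ValueError:
                # The action is untrusted page content and is not a valid
                # URL; the best guess is that the form submits to the
                # current page.
                action = self._source_url

        # Create the form object and store everything for later use
        form_params = FormParameters(encoding=self._encoding)
        form_params.set_method(method)
        form_params.set_action(action)
        form_params.set_form_encoding(form_encoding)
        self._forms.append(form_params)

        # <input> tags found outside the scope of any <form> were parked in
        # self._saved_inputs; parse them now just like if they were found
        # AFTER this form tag opening
        for inputattrs in self._saved_inputs:
            if isinstance(inputattrs, dict):
                self._handle_input_tag_inside_form('input', inputattrs)

        # All parsed, remove them.
        self._saved_inputs = []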
    def test_from_form_POST(self):
        """
        from_form() on a POST form must keep the form's action as the URI
        (the very same object), use the form itself as the raw body, and
        leave the action's query string untouched.
        """
        params = FormParameters()
        params.set_action(URL('http://example.com/?id=1'))
        params.set_method('post')
        params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
        params.add_field_by_attr_items([("name", "address"), ("value", "")])

        form = dc_from_form_params(params)
        request = FuzzableRequest.from_form(form)

        # Identity, not just equality: URI and body are the form's own
        self.assertIs(request.get_uri(), form.get_action())
        self.assertIs(request.get_raw_data(), form)
        self.assertEqual(request.get_method(), 'POST')
        self.assertEqual(request.get_uri().querystring,
                         QueryString([('id', ['1'])]))
    def test_from_form_POST(self):
        """
        A POST form turned into a FuzzableRequest keeps the action object as
        its URI, carries the form as its body, reports method POST and keeps
        the action's "id=1" query string.
        """
        params = FormParameters()
        for field_attrs in ([("name", "username"), ("value", "abc")],
                            [("name", "address"), ("value", "")]):
            params.add_field_by_attr_items(field_attrs)
        params.set_action(URL('http://example.com/?id=1'))
        params.set_method('post')

        form = dc_from_form_params(params)
        request = FuzzableRequest.from_form(form)
        uri = request.get_uri()

        self.assertIs(uri, form.get_action())
        self.assertIs(request.get_raw_data(), form)
        self.assertEqual(request.get_method(), 'POST')
        self.assertEqual(uri.querystring, QueryString([('id', ['1'])]))
    def create_simple_filecontent_mutant(self, container_klass):
        """
        Build a FileContentMutant for a POST form (wrapped in container_klass)
        with two empty text fields and one file field; the mutant's token is
        the file field and its value is 'abc'.

        :param container_klass: Data container class used to wrap the form
        """
        params = FormParameters()
        params.set_method('POST')
        params.set_action(self.url)
        for text_field in ("username", "address"):
            params.add_input([("name", text_field), ("value", "")])
        params.add_file_input([("name", "file"), ("type", "file")])

        request = FuzzableRequest.from_form(container_klass(params))

        mutant = FileContentMutant(request)
        mutant.get_dc().set_token(('file', 0))
        mutant.set_token_value('abc')
        return mutant
        def create_fuzzable_request(_id):
            """
            Build a POST FuzzableRequest whose action path is made of
            5 * _id random alphanumeric segments of 9 characters each.
            """
            segments = [rand_alnum(9) for _ in xrange(_id * 5)]
            action = URL('http://example.com/%s' % '/'.join(segments))

            params = FormParameters()
            params.set_action(action)
            params.set_method('post')
            for field_attrs in ([("name", "username"), ("value", "abc")],
                                [("name", "address"), ("value", "")]):
                params.add_field_by_attr_items(field_attrs)

            return FuzzableRequest.from_form(dc_from_form_params(params))
    def create_simple_filecontent_mutant(self, container_klass):
        """
        Return a FileContentMutant whose token is the "file" field of a POST
        form (two empty text fields plus one file input) wrapped in
        container_klass, with 'abc' set as the token value.

        :param container_klass: Data container class used to wrap the form
        """
        params = FormParameters()
        params.set_method('POST')
        params.set_action(self.url)
        params.add_input([("name", "username"), ("value", "")])
        params.add_input([("name", "address"), ("value", "")])
        params.add_file_input([("name", "file"), ("type", "file")])

        form = container_klass(params)
        mutant = FileContentMutant(FuzzableRequest.from_form(form))

        # Point the mutant at the file field and give it a body
        mutant.get_dc().set_token(('file', 0))
        mutant.set_token_value('abc')

        return mutant
    def test_store_fuzzable_request(self):
        """
        A FuzzableRequest built from a POST form survives a round-trip
        through DiskSet: the stored copy is equal to, but not the same
        object as, the original.
        """
        params = FormParameters()
        params.set_action(URL('http://example.com/?id=1'))
        params.set_method('post')
        params.add_input([("name", "username"), ("value", "abc")])
        params.add_input([("name", "address"), ("value", "")])

        request = FuzzableRequest.from_form(dc_from_form_params(params))

        disk_set = DiskSet()
        disk_set.add(request)
        from_disk = disk_set[0]

        self.assertEqual(from_disk, request)
        self.assertIsNot(from_disk, request)
    def test_store_fuzzable_request(self):
        """
        Adding a form-based FuzzableRequest to a DiskSet and reading it back
        must give an equal request that is a distinct object.
        """
        params = FormParameters()
        for field_attrs in ([("name", "username"), ("value", "abc")],
                            [("name", "address"), ("value", "")]):
            params.add_input(field_attrs)
        params.set_action(URL('http://example.com/?id=1'))
        params.set_method('post')

        request = FuzzableRequest.from_form(dc_from_form_params(params))

        disk_set = DiskSet()
        disk_set.add(request)

        from_disk = disk_set[0]
        self.assertEqual(from_disk, request)
        self.assertIsNot(from_disk, request)
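    def _handle_go_tag_start(self, tag, attrs):
        """
        Handle the opening of a WML <go> tag, the WML equivalent of an HTML
        <form>. When the tag has an "href", a FormParameters with the tag's
        method and the absolute action URL is appended to self._forms and
        self._inside_form is set; a <go> without href is only logged, since
        the navigation is then done in script.

        :param tag: The parser's tag object (unused)
        :param attrs: dict of attribute name -> value from the (untrusted)
                      document being parsed
        """
        # An empty or valueless "method" is treated like an absent one
        # (GET), instead of reaching set_method() as ''
        method = (attrs.get('method') or 'GET').upper()

        action = attrs.get('href', '')
        if not action:
            om.out.debug('WMLParser found a form without an action. '
                         'Javascript is being used.')
            return

        # The href is attacker-controlled page content; an unparseable value
        # must not abort parsing of the whole document. The HTML form
        # handler falls back on ValueError from url_join(); this one used to
        # let it propagate (URL() is assumed to signal invalid input the
        # same way).
        try:
            action = unicode(self._base_url.url_join(action))
            action = URL(self._decode_url(action), encoding=self._encoding)
        except ValueError:
            om.out.debug('WMLParser found a form with an invalid action'
                         ' href, ignoring it.')
            return

        # Only now do we know that a real form starts here
        self._inside_form = True

        f = FormParameters(encoding=self._encoding)
        f.set_method(method)
        f.set_action(action)
        self._forms.append(f)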
    def test_from_form_GET(self):
        """
        from_form() on a GET form must move the fields into the URI's query
        string (as a URLEncodedForm), send no body, and hand out the same
        URI object on repeated get_uri() calls.
        """
        params = FormParameters()
        params.set_action(URL('http://example.com/'))
        params.set_method('GET')
        params.add_input([("name", "username"), ("value", "abc")])
        params.add_input([("name", "address"), ("value", "")])

        form = dc_from_form_params(params)
        request = FuzzableRequest.from_form(form)
        uri = request.get_uri()

        self.assertEqual(uri.url_string, 'http://example.com/?username=abc&address=')
        self.assertEqual(uri.querystring, 'username=abc&address=')
        self.assertIsInstance(uri.querystring, URLEncodedForm)
        self.assertEqual(request.get_method(), 'GET')
        # For a GET the form is not the raw body
        self.assertIsNot(request.get_raw_data(), form)

        # get_uri() must be stable: the same object every time
        self.assertIs(uri, request.get_uri())
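    def _handle_go_tag_start(self, tag, attrs):
        """
        Handle the opening of a WML <go> tag (WML's form). With an "href",
        build a FormParameters from the tag's method and the absolute action
        URL, append it to self._forms and mark self._inside_form; without
        one, only log it, since the navigation is then done in script.

        :param tag: The parser's tag object (unused)
        :param attrs: dict of attribute name -> value from the (untrusted)
                      document being parsed
        """
        # Empty or valueless "method" falls back to GET rather than being
        # passed to set_method() as ''
        method = (attrs.get('method') or 'GET').upper()

        action = attrs.get('href', '')
        if not action:
            om.out.debug('WMLParser found a form without an action. '
                         'Javascript is being used.')
            return

        # The href is untrusted page content. An invalid value used to raise
        # out of url_join() and abort the whole parse; the HTML form handler
        # catches ValueError there, and this handler now does the same
        # (URL() is assumed to signal invalid input the same way).
        try:
            action = unicode(self._base_url.url_join(action))
            action = URL(self._decode_url(action),
                         encoding=self._encoding)
        except ValueError:
            om.out.debug('WMLParser found a form with an invalid action'
                         ' href, ignoring it.')
            return

        self._inside_form = True

        # Create the form
        f = FormParameters(encoding=self._encoding)
        f.set_method(method)
        f.set_action(action)
        self._forms.append(f)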
    def test_from_form_GET(self):
        """
        A GET form becomes a FuzzableRequest whose query string carries the
        fields (typed as URLEncodedForm), whose raw data is not the form,
        and whose get_uri() returns one and the same object.
        """
        params = FormParameters()
        for field_attrs in ([("name", "username"), ("value", "abc")],
                            [("name", "address"), ("value", "")]):
            params.add_field_by_attr_items(field_attrs)
        params.set_action(URL('http://example.com/'))
        params.set_method('GET')

        form = dc_from_form_params(params)
        request = FuzzableRequest.from_form(form)

        expected_url = 'http://example.com/?username=abc&address='
        self.assertEqual(request.get_uri().url_string, expected_url)
        self.assertEqual(request.get_uri().querystring, 'username=abc&address=')
        self.assertIsInstance(request.get_uri().querystring, URLEncodedForm)
        self.assertEqual(request.get_method(), 'GET')
        self.assertIsNot(request.get_raw_data(), form)

        # Repeated calls must hand out the same URI object
        first_uri = request.get_uri()
        self.assertIs(first_uri, request.get_uri())
    def test_store_fuzzable_request_two(self):
        """
        With two requests in a DiskSet (a body-less one first, a POST-form
        one second), the second must read back equal to the one added but
        as a different object.
        """
        disk_set = DiskSet()

        # Entry 0: a simple request with no post-data
        disk_set.add(FuzzableRequest(URL('http://example.com/?id=1')))

        # Entry 1: a request built from a POST form
        params = FormParameters()
        params.set_action(URL('http://example.com/?id=1'))
        params.set_method('post')
        params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
        params.add_field_by_attr_items([("name", "address"), ("value", "")])

        form_request = FuzzableRequest.from_form(dc_from_form_params(params))
        disk_set.add(form_request)

        from_disk = disk_set[1]
        self.assertEqual(from_disk, form_request)
        self.assertIsNot(from_disk, form_request)
    def test_generate_all(self):
        """
        With file fuzzing enabled, create_mutants() must emit one mutant per
        payload, each a multipart form whose "image" field holds a GIF
        template carrying that payload as 'upload.gif' and whose text fields
        got filler values.
        """
        fuzzer_config = {'fuzz_form_files': True,
                         'fuzzed_files_extension': 'gif'}

        params = FormParameters()
        params.set_method('POST')
        params.set_action(self.url)
        params.add_input([("name", "username"), ("value", "")])
        params.add_input([("name", "address"), ("value", "")])
        params.add_file_input([("name", "image"), ("type", "file")])

        request = FuzzableRequest.from_form(MultipartContainer(params))

        # Pin the random part of the generated file name so that the
        # 'upload.gif' filename can be asserted on
        rand_alpha_path = 'w3af.core.data.constants.file_templates.file_templates.rand_alpha'
        with patch(rand_alpha_path) as mock_rand_alpha:
            mock_rand_alpha.return_value = 'upload'
            mutants = FileContentMutant.create_mutants(request,
                                                       self.payloads,
                                                       [], False,
                                                       fuzzer_config)

        self.assertEqual(len(mutants), 2, mutants)

        # Build the forms we expect, one per payload
        payload_files = []
        for payload in ('abc', 'def'):
            _, file_payload, _ = get_template_with_payload('gif', payload)
            payload_files.append(file_payload)

        expected_forms = []
        for file_payload in payload_files:
            expected = MultipartContainer(copy.deepcopy(params))
            expected['image'] = [NamedStringIO(file_payload, 'upload.gif')]
            expected['username'] = ['John8212']
            expected['address'] = ['Bonsai Street 123']
            expected_forms.append(expected)

        # Boundaries are random, so neutralize them before comparing bodies
        boundary = get_boundary()
        noop = '1' * len(boundary)

        expected_data = set(encode_as_multipart(f, boundary).replace(boundary, noop)
                            for f in expected_forms)

        generated_forms = [m.get_dc() for m in mutants]
        generated_data = [str(f).replace(f.boundary, noop) for f in generated_forms]

        self.assertEqual(expected_data, set(generated_data))

        # NOTE(review): the set comparison above is order-insensitive, but
        # the checks below assume mutant i carries payload i
        for generated, file_payload in zip(generated_forms, payload_files):
            str_file = generated['image'][0].get_value()
            self.assertIsInstance(str_file, NamedStringIO)
            self.assertEqual(str_file.name[-4:], '.gif')
            self.assertEqual(file_payload, str_file)

        self.assertIn('name="image"; filename="upload.gif"', generated_data[0])
    def test_generate_all(self):
        """
        create_mutants() with file fuzzing on must produce one multipart
        mutant per payload: the "image" field carries a GIF template with
        the payload under the name 'upload.gif', and the text fields are
        filled in.
        """
        fuzzer_config = {
            'fuzz_form_files': True,
            'fuzzed_files_extension': 'gif'
        }

        params = FormParameters()
        params.set_method('POST')
        params.set_action(self.url)
        for field_attrs in ([("name", "username"), ("value", "")],
                            [("name", "address"), ("value", "")],
                            [("name", "image"), ("type", "file")]):
            params.add_field_by_attr_items(field_attrs)

        request = FuzzableRequest.from_form(MultipartContainer(params))

        # The generated file name has a random part; fix it so the expected
        # 'upload.gif' can be asserted on
        rand_alpha_path = 'w3af.core.data.constants.file_templates.file_templates.rand_alpha'
        with patch(rand_alpha_path) as mock_rand_alpha:
            mock_rand_alpha.return_value = 'upload'
            mutants = FileContentMutant.create_mutants(
                request, self.payloads, [], False, fuzzer_config)

        self.assertEqual(len(mutants), 2, mutants)

        _, file_payload_abc, _ = get_template_with_payload('gif', 'abc')
        _, file_payload_def, _ = get_template_with_payload('gif', 'def')
        payload_files = [file_payload_abc, file_payload_def]

        def expected_form(file_payload):
            """One expected multipart form for the given file payload."""
            form = MultipartContainer(copy.deepcopy(params))
            form['image'] = [NamedStringIO(file_payload, 'upload.gif')]
            form['username'] = ['John8212']
            form['address'] = ['Bonsai Street 123']
            return form

        expected_forms = [expected_form(p) for p in payload_files]

        # Multipart boundaries are random: replace them with a fixed filler
        # of the same length before comparing encoded bodies
        boundary = get_boundary()
        noop = '1' * len(boundary)

        expected_data = set([
            encode_as_multipart(f, boundary).replace(boundary, noop)
            for f in expected_forms
        ])

        generated_forms = [m.get_dc() for m in mutants]
        generated_data = [
            str(f).replace(f.boundary, noop) for f in generated_forms
        ]

        self.assertEqual(expected_data, set(generated_data))

        # NOTE(review): the set comparison is order-insensitive while the
        # per-index checks below assume mutant i carries payload i
        for generated, file_payload in zip(generated_forms, payload_files):
            str_file = generated['image'][0].get_value()
            self.assertIsInstance(str_file, NamedStringIO)
            self.assertEqual(str_file.name[-4:], '.gif')
            self.assertEqual(file_payload, str_file)

        self.assertIn('name="image"; filename="upload.gif"', generated_data[0])