def test_store_fuzzable_request_two(self):
    """A DiskSet must round-trip a bare GET request and a POST-form request side by side.

    The object read back at index 1 has to compare equal to the request that
    was stored, while being a distinct instance (DiskSet hands back a copy,
    not the object we put in).
    """
    disk_set = DiskSet()

    # First entry: plain request, no body
    disk_set.add(FuzzableRequest(URL('http://example.com/?id=1')))

    # Second entry: request built from a POST form
    params = FormParameters()
    for field_attrs in ([("name", "username"), ("value", "abc")],
                        [("name", "address"), ("value", "")]):
        params.add_field_by_attr_items(field_attrs)
    params.set_action(URL('http://example.com/?id=1'))
    params.set_method('post')

    form_request = FuzzableRequest.from_form(dc_from_form_params(params))
    disk_set.add(form_request)

    restored = disk_set[1]
    self.assertEqual(restored, form_request)
    self.assertIsNot(restored, form_request)
def _handle_go_tag_start(self, tag, tag_name, attrs):
    """Handle the opening of a WML <go> tag, the WML counterpart of an HTML <form>.

    A FormParameters object is built from the tag attributes and appended to
    self._forms; the parser is flagged as being inside a form.

    :param tag: the raw tag object handed over by the parser
    :param tag_name: the name of the tag
    :param attrs: dict of tag attributes; untrusted content from the page
    """
    self._inside_form = True

    method = attrs.get('method', 'GET').upper()

    # The href is attacker-controlled page content: it may be absent or
    # unparseable. In both cases fall back to the URL of the page itself
    # rather than let a malformed value abort parsing of the document.
    raw_href = attrs.get('href', None)
    if raw_href is None:
        action = self._source_url
    else:
        decoded = self._decode_url(raw_href)
        try:
            action = self._base_url.url_join(decoded, encoding=self._encoding)
        except ValueError:
            # Invalid URL in the href; the current page is our best guess
            action = self._source_url

    form = FormParameters(encoding=self._encoding,
                          attributes=attrs,
                          hosted_at_url=self._source_url)
    form.set_method(method)
    form.set_action(action)
    self._forms.append(form)
def _handle_go_tag_start(self, tag, tag_name, attrs):
    """Register a WML <go> tag as a form.

    Reads method and href from the (untrusted) tag attributes, resolves the
    href against the base URL and stores a FormParameters object in
    self._forms.

    :param tag: the raw tag object handed over by the parser
    :param tag_name: the name of the tag
    :param attrs: dict of tag attributes
    """
    self._inside_form = True

    href = attrs.get('href', None)

    # No href, or an href that does not join into a valid URL: use the page
    # URL as the action so a broken page does not stop the parser.
    action = self._source_url
    if href is not None:
        try:
            action = self._base_url.url_join(self._decode_url(href),
                                             encoding=self._encoding)
        except ValueError:
            action = self._source_url

    form = FormParameters(encoding=self._encoding,
                          attributes=attrs,
                          hosted_at_url=self._source_url)
    form.set_method(attrs.get('method', 'GET').upper())
    form.set_action(action)
    self._forms.append(form)
def create_simple_fuzzable_request(self):
    """Return a POST FuzzableRequest to http://example.com/?id=1 with username/address fields.

    Built through the add_input() API of FormParameters.
    """
    params = FormParameters()
    params.add_input([("name", "username"), ("value", "abc")])
    params.add_input([("name", "address"), ("value", "")])
    params.set_action(URL('http://example.com/?id=1'))
    params.set_method('post')
    return FuzzableRequest.from_form(dc_from_form_params(params))
def create_simple_fuzzable_request(self):
    """Return a POST FuzzableRequest to http://example.com/?id=1 with username/address fields.

    Built through the add_field_by_attr_items() API of FormParameters.
    """
    params = FormParameters()
    for field_attrs in ([("name", "username"), ("value", "abc")],
                        [("name", "address"), ("value", "")]):
        params.add_field_by_attr_items(field_attrs)
    params.set_action(URL('http://example.com/?id=1'))
    params.set_method('post')
    return FuzzableRequest.from_form(dc_from_form_params(params))
def create_fuzzable_request(_id):
    """Return a POST FuzzableRequest for /product/<_id> carrying one username field.

    :param _id: value interpolated into the product path
    """
    action = URL('http://example.com/product/%s' % _id)

    params = FormParameters()
    params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
    params.set_action(action)
    params.set_method('post')

    return FuzzableRequest.from_form(dc_from_form_params(params))
def create_fuzzable_request(_id):
    """Build a POST FuzzableRequest whose action is http://example.com/product/<_id>.

    :param _id: value interpolated into the product path
    """
    params = FormParameters()
    params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
    params.set_action(URL('http://example.com/product/%s' % _id))
    params.set_method('post')

    container = dc_from_form_params(params)
    return FuzzableRequest.from_form(container)
def test_dc_from_form_params_without_files_with_multipart_enctype(self):
    """A multipart/form-data form with only text fields still becomes a MultipartContainer."""
    params = FormParameters()
    params.set_method('POST')
    params.set_form_encoding('multipart/form-data')
    params.add_field_by_attr_items([('name', 'a'),
                                    ('type', 'text'),
                                    ('value', 'bcd')])

    container = dc_from_form_params(params)

    self.assertIsInstance(container, MultipartContainer)
    # No file input was declared, so there are no file variables
    self.assertEqual(container.get_file_vars(), [])
    self.assertEqual(container['a'], ['bcd'])
def test_clean_form_fuzzable_request_form(self):
    """_clean_fuzzable_request collapses query-string and POST values into type names.

    The numeric id becomes "number" and the string form values become
    "string"; the method and URL are kept.
    """
    params = FormParameters()
    params.add_input([("name", "username"), ("value", "abc")])
    params.add_input([("name", "address"), ("value", "")])
    params.set_action(URL('http://example.com/?id=1'))
    params.set_method('post')
    request = FuzzableRequest.from_form(dc_from_form_params(params))

    expected = u'(POST)-http://example.com/?id=number!username=string&address=string'
    self.assertEqual(self.vdb._clean_fuzzable_request(request), expected)
def test_dc_from_form_params_without_files_with_multipart_enctype(self):
    """The enctype alone decides the container type: multipart without files is still multipart."""
    params = FormParameters()
    params.set_method('POST')
    params.set_form_encoding('multipart/form-data')
    params.add_field_by_attr_items([('name', 'a'), ('type', 'text'), ('value', 'bcd')])

    multipart = dc_from_form_params(params)

    self.assertIsInstance(multipart, MultipartContainer)
    self.assertEqual(multipart.get_file_vars(), [])
    self.assertEqual(multipart['a'], ['bcd'])
def test_clean_form_fuzzable_request_form(self):
    """A POST form request is normalized to "(POST)-<url with typed params>!<typed body>"."""
    params = FormParameters()
    for field_attrs in ([("name", "username"), ("value", "abc")],
                        [("name", "address"), ("value", "")]):
        params.add_input(field_attrs)
    params.set_action(URL('http://example.com/?id=1'))
    params.set_method('post')

    request = FuzzableRequest.from_form(dc_from_form_params(params))
    cleaned = self.vdb._clean_fuzzable_request(request)

    self.assertEqual(
        cleaned,
        u'(POST)-http://example.com/?id=number!username=string&address=string')
def create_fuzzable_request(_id):
    """Return a POST FuzzableRequest whose URL path depth grows with _id.

    The path is made of 5 * _id random alphanumeric segments of 9 chars
    each, so callers can generate requests of increasing size.

    :param _id: scaling factor for the number of path segments
    """
    segments = [rand_alnum(9) for _ in xrange(_id * 5)]
    action = URL('http://example.com/%s' % '/'.join(segments))

    params = FormParameters()
    params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
    params.add_field_by_attr_items([("name", "address"), ("value", "")])
    params.set_action(action)
    params.set_method('post')

    return FuzzableRequest.from_form(dc_from_form_params(params))
def _handle_form_tag_start(self, tag, attrs):
    """Handle the opening of an HTML <form> tag.

    Creates a FormParameters object from the tag attributes, appends it to
    self._forms, and then replays any <input> tags that were seen before
    this <form> opened (kept in self._saved_inputs) as if they had appeared
    inside it.

    :param tag: the raw tag object handed over by the parser
    :param attrs: dict of tag attributes; untrusted content from the page
    """
    SGMLParser._handle_form_tag_start(self, tag, attrs)

    method = attrs.get('method', 'GET').upper()
    form_encoding = attrs.get('enctype', DEFAULT_FORM_ENCODING)

    # The action comes from the page, so it may be missing or unparseable.
    # Both cases fall back to the page's own URL: a malformed action must
    # not abort parsing of the rest of the document.
    raw_action = attrs.get('action', None)
    if raw_action is None:
        action = self._source_url
    else:
        decoded = self._decode_url(raw_action)
        try:
            action = self._base_url.url_join(decoded, encoding=self._encoding)
        except ValueError:
            action = self._source_url

    form_params = FormParameters(encoding=self._encoding)
    form_params.set_method(method)
    form_params.set_action(action)
    form_params.set_form_encoding(form_encoding)
    self._forms.append(form_params)

    # Inputs found outside any form are parsed now, against the form that
    # was just appended, exactly as if they had followed the <form> tag.
    for pending in self._saved_inputs:
        if isinstance(pending, dict):
            self._handle_input_tag_inside_form('input', pending)

    self._saved_inputs = []
def test_from_form_POST(self):
    """from_form() on a POST form keeps the action URI and uses the form itself as the body."""
    params = FormParameters()
    params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
    params.add_field_by_attr_items([("name", "address"), ("value", "")])
    params.set_action(URL('http://example.com/?id=1'))
    params.set_method('post')
    form = dc_from_form_params(params)

    request = FuzzableRequest.from_form(form)

    # Identity, not just equality: the URI is the form's action object and
    # the raw data is the form container itself
    self.assertIs(request.get_uri(), form.get_action())
    self.assertIs(request.get_raw_data(), form)

    # 'post' is reported upper-cased
    self.assertEqual(request.get_method(), 'POST')

    # The action's own query string is left untouched by the body fields
    self.assertEqual(request.get_uri().querystring,
                     QueryString([('id', ['1'])]))
def test_from_form_POST(self):
    """A POST form yields a request whose URI and raw data are the form's own objects."""
    params = FormParameters()
    for field_attrs in ([("name", "username"), ("value", "abc")],
                        [("name", "address"), ("value", "")]):
        params.add_field_by_attr_items(field_attrs)
    params.set_action(URL('http://example.com/?id=1'))
    params.set_method('post')

    form = dc_from_form_params(params)
    request = FuzzableRequest.from_form(form)

    self.assertIs(request.get_uri(), form.get_action())
    self.assertIs(request.get_raw_data(), form)
    self.assertEqual(request.get_method(), 'POST')

    expected_qs = QueryString([('id', ['1'])])
    self.assertEqual(request.get_uri().querystring, expected_qs)
def create_simple_filecontent_mutant(self, container_klass):
    """Build a FileContentMutant whose token is the first value of the 'file' field.

    :param container_klass: data-container class used to wrap the form
                            parameters (e.g. a multipart container)
    :return: a FileContentMutant with the 'file' token set to 'abc'
    """
    params = FormParameters()
    params.set_method('POST')
    params.set_action(self.url)
    params.add_input([("name", "username"), ("value", "")])
    params.add_input([("name", "address"), ("value", "")])
    params.add_file_input([("name", "file"), ("type", "file")])

    request = FuzzableRequest.from_form(container_klass(params))

    mutant = FileContentMutant(request)
    mutant.get_dc().set_token(('file', 0))
    mutant.set_token_value('abc')
    return mutant
def create_fuzzable_request(_id):
    """Build a POST FuzzableRequest with a random path of 5 * _id segments.

    Each segment is a 9-character random alphanumeric string; the form has
    a username and an address field.

    :param _id: scaling factor for the number of path segments
    """
    segment_count = _id * 5
    path = '/'.join(rand_alnum(9) for _ in xrange(segment_count))

    params = FormParameters()
    for field_attrs in ([("name", "username"), ("value", "abc")],
                        [("name", "address"), ("value", "")]):
        params.add_field_by_attr_items(field_attrs)
    params.set_action(URL('http://example.com/%s' % path))
    params.set_method('post')

    return FuzzableRequest.from_form(dc_from_form_params(params))
def create_simple_filecontent_mutant(self, container_klass):
    """Return a FileContentMutant targeting the 'file' upload field with value 'abc'.

    :param container_klass: data-container class the form is wrapped in
    """
    params = FormParameters()
    params.set_method('POST')
    params.set_action(self.url)
    for field_attrs in ([("name", "username"), ("value", "")],
                        [("name", "address"), ("value", "")]):
        params.add_input(field_attrs)
    params.add_file_input([("name", "file"), ("type", "file")])

    form = container_klass(params)
    mutant = FileContentMutant(FuzzableRequest.from_form(form))

    # Token is the first (index 0) value of the 'file' field
    mutant.get_dc().set_token(('file', 0))
    mutant.set_token_value('abc')
    return mutant
def test_store_fuzzable_request(self):
    """A POST-form FuzzableRequest stored in a DiskSet is read back equal but as a new instance."""
    params = FormParameters()
    params.add_input([("name", "username"), ("value", "abc")])
    params.add_input([("name", "address"), ("value", "")])
    params.set_action(URL('http://example.com/?id=1'))
    params.set_method('post')
    request = FuzzableRequest.from_form(dc_from_form_params(params))

    disk_set = DiskSet()
    disk_set.add(request)

    restored = disk_set[0]
    self.assertEqual(restored, request)
    # DiskSet hands back a copy rather than the stored object
    self.assertIsNot(restored, request)
def test_store_fuzzable_request(self):
    """Round-trip a form-based request through a DiskSet: equal value, distinct object."""
    params = FormParameters()
    for field_attrs in ([("name", "username"), ("value", "abc")],
                        [("name", "address"), ("value", "")]):
        params.add_input(field_attrs)
    params.set_action(URL('http://example.com/?id=1'))
    params.set_method('post')

    original = FuzzableRequest.from_form(dc_from_form_params(params))

    disk_set = DiskSet()
    disk_set.add(original)
    stored = disk_set[0]

    self.assertEqual(stored, original)
    self.assertIsNot(stored, original)
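def _handle_go_tag_start(self, tag, attrs):
    """Handle the opening of a WML <go> tag, the WML counterpart of an HTML <form>.

    A <go> without an href is only logged, since there is no action to send
    the form to. Otherwise the href is resolved against the base URL and a
    FormParameters object is appended to self._forms.

    :param tag: the raw tag object handed over by the parser
    :param attrs: dict of tag attributes; untrusted content from the page
    """
    method = attrs.get('method', 'GET').upper()
    href = attrs.get('href', '')

    if not href:
        om.out.debug('WMLParser found a form without an action. '
                     'Javascript is being used.')
        return

    self._inside_form = True

    # href is attacker-controlled page content and url_join() may raise
    # ValueError on a malformed value (the HTML form handler guards the
    # same call). A crafted page must not abort parsing of the document,
    # so fall back to the base URL instead of propagating the exception.
    try:
        joined = unicode(self._base_url.url_join(href))
    except ValueError:
        joined = unicode(self._base_url)

    action = URL(self._decode_url(joined), encoding=self._encoding)

    form = FormParameters(encoding=self._encoding)
    form.set_method(method)
    form.set_action(action)
    self._forms.append(form)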
def test_from_form_GET(self):
    """from_form() on a GET form encodes the fields into the URI's query string."""
    params = FormParameters()
    params.add_input([("name", "username"), ("value", "abc")])
    params.add_input([("name", "address"), ("value", "")])
    params.set_action(URL('http://example.com/'))
    params.set_method('GET')
    form = dc_from_form_params(params)

    request = FuzzableRequest.from_form(form)

    self.assertEqual(request.get_uri().url_string,
                     'http://example.com/?username=abc&address=')
    self.assertEqual(request.get_uri().querystring, 'username=abc&address=')
    self.assertEqual(request.get_method(), 'GET')

    # For GET the form is not the raw body; it lives in the query string
    self.assertIsNot(request.get_raw_data(), form)
    self.assertIsInstance(request.get_uri().querystring, URLEncodedForm)

    # Repeated get_uri() calls hand back the very same object
    self.assertIs(request.get_uri(), request.get_uri())
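def _handle_go_tag_start(self, tag, attrs):
    """Register a WML <go> tag as a form.

    When the tag has no href the event is logged and ignored. Otherwise the
    href is joined to the base URL, decoded, and stored as the action of a
    new FormParameters object appended to self._forms.

    :param tag: the raw tag object handed over by the parser
    :param attrs: dict of tag attributes; untrusted content from the page
    """
    href = attrs.get('href', '')
    if not href:
        om.out.debug('WMLParser found a form without an action. '
                     'Javascript is being used.')
        return

    self._inside_form = True

    # The href comes from the parsed page. url_join() may reject a
    # malformed value with ValueError (the HTML form handler catches the
    # same error); a hostile page must not stop the parser, so fall back
    # to the base URL as the best available guess.
    try:
        joined = unicode(self._base_url.url_join(href))
    except ValueError:
        joined = unicode(self._base_url)

    action = URL(self._decode_url(joined), encoding=self._encoding)

    form = FormParameters(encoding=self._encoding)
    form.set_method(attrs.get('method', 'GET').upper())
    form.set_action(action)
    self._forms.append(form)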
def test_from_form_GET(self):
    """A GET form yields a request with the fields in a URLEncodedForm query string."""
    params = FormParameters()
    for field_attrs in ([("name", "username"), ("value", "abc")],
                        [("name", "address"), ("value", "")]):
        params.add_field_by_attr_items(field_attrs)
    params.set_action(URL('http://example.com/'))
    params.set_method('GET')

    form = dc_from_form_params(params)
    request = FuzzableRequest.from_form(form)
    uri = request.get_uri()

    self.assertEqual(uri.url_string, 'http://example.com/?username=abc&address=')
    self.assertEqual(uri.querystring, 'username=abc&address=')
    self.assertEqual(request.get_method(), 'GET')

    # The form was encoded into the URI, it is not the request body
    self.assertIsNot(request.get_raw_data(), form)
    self.assertIsInstance(uri.querystring, URLEncodedForm)

    # get_uri() is stable: a second call returns the same object
    self.assertIs(uri, request.get_uri())
def test_store_fuzzable_request_two(self):
    """Store a bare request and a form request in one DiskSet and read the second back.

    The second entry must be equal to what was stored but not the same
    object.
    """
    disk_set = DiskSet()

    bare_request = FuzzableRequest(URL('http://example.com/?id=1'))
    disk_set.add(bare_request)

    params = FormParameters()
    params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
    params.add_field_by_attr_items([("name", "address"), ("value", "")])
    params.set_action(URL('http://example.com/?id=1'))
    params.set_method('post')
    with_body = FuzzableRequest.from_form(dc_from_form_params(params))
    disk_set.add(with_body)

    stored = disk_set[1]
    self.assertEqual(stored, with_body)
    self.assertIsNot(stored, with_body)
def test_generate_all(self):
    """FileContentMutant.create_mutants yields one multipart mutant per payload with a gif template.

    rand_alpha is patched so the generated file name is the predictable
    'upload.gif'. Multipart boundaries differ between the generated and the
    expected bodies, so they are masked with a fixed-width marker before
    the encoded bodies are compared.
    """
    fuzzer_config = {'fuzz_form_files': True,
                     'fuzzed_files_extension': 'gif'}

    params = FormParameters()
    params.set_method('POST')
    params.set_action(self.url)
    params.add_input([("name", "username"), ("value", "")])
    params.add_input([("name", "address"), ("value", "")])
    params.add_file_input([("name", "image"), ("type", "file")])
    freq = FuzzableRequest.from_form(MultipartContainer(params))

    rand_alpha_path = 'w3af.core.data.constants.file_templates.file_templates.rand_alpha'
    with patch(rand_alpha_path) as mock_rand_alpha:
        mock_rand_alpha.return_value = 'upload'
        mutants = FileContentMutant.create_mutants(freq, self.payloads, [],
                                                   False, fuzzer_config)

    self.assertEqual(len(mutants), 2, mutants)

    # One expected form per payload, each carrying the gif template for it
    _, payload_abc, _ = get_template_with_payload('gif', 'abc')
    _, payload_def, _ = get_template_with_payload('gif', 'def')

    expected_forms = []
    for content in (payload_abc, payload_def):
        expected = MultipartContainer(copy.deepcopy(params))
        expected['image'] = [NamedStringIO(content, 'upload.gif')]
        expected['username'] = ['John8212']
        expected['address'] = ['Bonsai Street 123']
        expected_forms.append(expected)

    # Mask the boundary on both sides so the bodies compare as sets
    boundary = get_boundary()
    marker = '1' * len(boundary)
    expected_data = set(encode_as_multipart(f, boundary).replace(boundary, marker)
                        for f in expected_forms)

    generated_forms = [m.get_dc() for m in mutants]
    generated_data = [str(f).replace(f.boundary, marker) for f in generated_forms]
    self.assertEqual(expected_data, set(generated_data))

    # Each generated file is a NamedStringIO named *.gif holding the
    # template for its payload, in payload order
    for form, content in zip(generated_forms, (payload_abc, payload_def)):
        uploaded = form['image'][0].get_value()
        self.assertIsInstance(uploaded, NamedStringIO)
        self.assertEqual(uploaded.name[-4:], '.gif')
        self.assertEqual(content, uploaded)

    self.assertIn('name="image"; filename="upload.gif"', generated_data[0])
def test_generate_all(self):
    """Two payloads produce two multipart mutants, each uploading a gif template as 'upload.gif'.

    The random file name source (rand_alpha) is patched to a constant, and
    the multipart boundary is replaced by a same-length marker on both the
    expected and the generated side before comparing the encoded bodies.
    """
    fuzzer_config = {
        'fuzz_form_files': True,
        'fuzzed_files_extension': 'gif',
    }

    params = FormParameters()
    params.set_method('POST')
    params.set_action(self.url)
    for field_attrs in ([("name", "username"), ("value", "")],
                        [("name", "address"), ("value", "")],
                        [("name", "image"), ("type", "file")]):
        params.add_field_by_attr_items(field_attrs)

    freq = FuzzableRequest.from_form(MultipartContainer(params))

    rand_alpha_path = 'w3af.core.data.constants.file_templates.file_templates.rand_alpha'
    with patch(rand_alpha_path) as mock_rand_alpha:
        mock_rand_alpha.return_value = 'upload'
        mutants = FileContentMutant.create_mutants(freq,
                                                   self.payloads,
                                                   [],
                                                   False,
                                                   fuzzer_config)

    self.assertEqual(len(mutants), 2, mutants)

    _, payload_abc, _ = get_template_with_payload('gif', 'abc')
    _, payload_def, _ = get_template_with_payload('gif', 'def')
    payloads_in_order = (payload_abc, payload_def)

    # Expected forms: the original fields filled in plus the gif upload
    expected_forms = []
    for content in payloads_in_order:
        expected = MultipartContainer(copy.deepcopy(params))
        expected['image'] = [NamedStringIO(content, 'upload.gif')]
        expected['username'] = ['John8212']
        expected['address'] = ['Bonsai Street 123']
        expected_forms.append(expected)

    boundary = get_boundary()
    marker = '1' * len(boundary)
    expected_data = set(
        encode_as_multipart(f, boundary).replace(boundary, marker)
        for f in expected_forms
    )

    generated_forms = [m.get_dc() for m in mutants]
    generated_data = [
        str(f).replace(f.boundary, marker) for f in generated_forms
    ]
    self.assertEqual(expected_data, set(generated_data))

    # The uploaded value is a NamedStringIO with a .gif name and the
    # template content matching its payload
    for form, content in zip(generated_forms, payloads_in_order):
        uploaded = form['image'][0].get_value()
        self.assertIsInstance(uploaded, NamedStringIO)
        self.assertEqual(uploaded.name[-4:], '.gif')
        self.assertEqual(content, uploaded)

    self.assertIn('name="image"; filename="upload.gif"', generated_data[0])