def _breach_vulnerable():
token = tutil.random_token(16)
return {
'/': _gzip_test_controller(u'''
<html>
<body>
<form action="./post" method="post">
<input name="text" type="text" />
<input name="token" type="hidden" value="%s" />
</form>
</body>
</html>
''' % token),
'/post': tutil.TokenController(token)
}
def test_breach_vulnerable_urltoken():
token = tutil.random_token(16)
html = u'''
<html>
<body>
<form action="./post?token=%s" method="post">
<input name="text" type="text" />
</form>
</body>
</html>
''' % token
client = tutil.TestClient({
'/': _gzip_test_controller(html),
'/post': tutil.TokenController(token, method='get')
})
client.log.assert_count(1)