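    def test_all(self):
        """Every context returned by get_contexts() must be recovered from self.HTML.

        For each known context class the fixture HTML is analysed with that
        context's name as the marker, and at least one calculated context in
        the result must carry the same name.  A miss here means the analyser
        would misclassify where a reflected value lands, so the failure message
        includes the full result to make the misclassification visible.
        """
        for context in get_contexts():
            expected_context_name = context.get_name()
            # Analyse once and reuse the result for both the check and the
            # failure message instead of re-running the analysis to build msg.
            calculated = get_context(self.HTML, expected_context_name)

            found = any(
                calculated_context.get_name() == expected_context_name
                for contexts in calculated
                for calculated_context in contexts
            )

            if not found:
                msg = "The analysis for %s context failed, got %r instead."
                # self.fail() states the intent directly instead of asserting
                # a constant False.
                self.fail(msg % (expected_context_name, calculated))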
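    def test_all(self):
        """Every context returned by get_contexts() must be recovered from self.HTML.

        For each known context class the fixture HTML is analysed with that
        context's name as the marker, and at least one calculated context in
        the result must carry the same name.  A miss here means the analyser
        would misclassify where a reflected value lands, so the failure message
        includes the full result to make the misclassification visible.
        """
        for context in get_contexts():
            expected_context_name = context.get_name()
            # Analyse once and reuse the result for both the check and the
            # failure message instead of re-running the analysis to build msg.
            calculated = get_context(self.HTML, expected_context_name)

            found = any(
                calculated_context.get_name() == expected_context_name
                for contexts in calculated
                for calculated_context in contexts
            )

            if not found:
                msg = 'The analysis for %s context failed, got %r instead.'
                # self.fail() states the intent directly instead of asserting
                # a constant False.
                self.fail(msg % (expected_context_name, calculated))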
 def test_payload_js2doublequote(self):
     """A marker inside a double-quoted onClick attribute is classified as ScriptText.

     The second context of the first result group is checked; the test only
     asserts its type.
     """
     html = """
     <html>
     <input type="button" value="ClickMe" onClick="PAYLOAD">
     </html>
     """
     first_group = get_context(html, "PAYLOAD")[0]
     second_context = first_group[1]
     self.assertIsInstance(second_context, ScriptText)
 def test_payload_html_inside_comment(self):
     """A marker inside an HTML comment is classified as HtmlComment, even when
     the comment itself contains markup around the marker."""
     html = """
     <html>
         <!-- <body>PAYLOAD</body> -->
     </html>
     """
     first_context = get_context(html, "PAYLOAD")[0][0]
     self.assertIsInstance(first_context, HtmlComment)
 def test_payload_html_inside_comment(self):
     """A marker inside an HTML comment is classified as HtmlComment, even when
     the comment itself contains markup around the marker."""
     html = '''
     <html>
         <!-- <body>PAYLOAD</body> -->
     </html>
     '''
     first_context = get_context(html, 'PAYLOAD')[0][0]
     self.assertIsInstance(first_context, HtmlComment)
 def test_payload_js2doublequote(self):
     """A marker inside a double-quoted onClick attribute is classified as ScriptText.

     The second context of the first result group is checked; the test only
     asserts its type.
     """
     html = '''
     <html>
     <input type="button" value="ClickMe" onClick="PAYLOAD">
     </html>
     '''
     first_group = get_context(html, 'PAYLOAD')[0]
     second_context = first_group[1]
     self.assertIsInstance(second_context, ScriptText)
 def test_payload_text_can_break(self):
     """A marker that ends with '<' inside element text must be able to break
     out of its context (can_break returns True for that marker)."""
     html = """
     <html>
         <a>PAYLOAD<</a>
     </html>
     """
     marker = "PAYLOAD<"
     first_context = get_context(html, marker)[0][0]
     self.assertTrue(first_context.can_break(marker))
 def test_payload_src(self):
     """A marker used as the value of an img src attribute is reported as an
     executable context (is_executable returns True)."""
     html = '''
     <html>
         <img src="PAYLOAD" />
     </html>
     '''
     first_context = get_context(html, 'PAYLOAD')[0][0]
     executable = first_context.is_executable()
     self.assertTrue(executable)
 def test_payload_href(self):
     """A marker used as the value of an anchor href attribute is reported as
     an executable context (is_executable returns True)."""
     html = '''
     <html>
         <a href="PAYLOAD">foo</a>
     </html>
     '''
     first_context = get_context(html, 'PAYLOAD')[0][0]
     executable = first_context.is_executable()
     self.assertTrue(executable)
 def test_payload_text_can_break(self):
     """A marker that ends with '<' inside element text must be able to break
     out of its context (can_break returns True for that marker)."""
     html = '''
     <html>
         <a>PAYLOAD<</a>
     </html>
     '''
     marker = 'PAYLOAD<'
     first_context = get_context(html, marker)[0][0]
     self.assertTrue(first_context.can_break(marker))
 def test_payload_src(self):
     """A marker used as the value of an img src attribute is reported as an
     executable context (is_executable returns True)."""
     html = """
     <html>
         <img src="PAYLOAD" />
     </html>
     """
     first_context = get_context(html, "PAYLOAD")[0][0]
     executable = first_context.is_executable()
     self.assertTrue(executable)
 def test_payload_href(self):
     """A marker used as the value of an anchor href attribute is reported as
     an executable context (is_executable returns True)."""
     html = """
     <html>
         <a href="PAYLOAD">foo</a>
     </html>
     """
     first_context = get_context(html, "PAYLOAD")[0][0]
     executable = first_context.is_executable()
     self.assertTrue(executable)
 def test_payload_script_attr_value(self):
     """An unquoted attribute value on a <script> tag is classified as HtmlAttr,
     not as script text: the marker is in the tag, not in the script body."""
     html = """
     <html>
         <script foo=PAYLOAD foo2=aaa>
             bar
         </script>
     </html>
     """
     first_context = get_context(html, "PAYLOAD")[0][0]
     self.assertIsInstance(first_context, HtmlAttr)
 def test_payload_script_broken_double_close(self):
     """A marker placed after a closed <script> block, followed by a stray
     </script>, is classified as HtmlText: the earlier close tag ended the
     script, so the marker is ordinary document text."""
     html = '''
     <html>
         <script>foo</script>
             PAYLOAD
         </script>
     </html>
     '''
     first_context = get_context(html, 'PAYLOAD')[0][0]
     self.assertIsInstance(first_context, HtmlText)
 def test_payload_text_with_end_quote(self):
     """A marker ending in '<' that is followed by a double quote inside element
     text is still HtmlText, and the marker can break out of that context."""
     html = """
     <html>
         <a>Quoting the great Linus Torvalds: PAYLOAD<"</a>
     </html>
     """
     marker = "PAYLOAD<"
     first_context = get_context(html, marker)[0][0]
     self.assertIsInstance(first_context, HtmlText)
     self.assertTrue(first_context.can_break(marker))
 def test_payload_script_attr_value(self):
     """An unquoted attribute value on a <script> tag is classified as HtmlAttr,
     not as script text: the marker is in the tag, not in the script body."""
     html = '''
     <html>
         <script foo=PAYLOAD foo2=aaa>
             bar
         </script>
     </html>
     '''
     first_context = get_context(html, 'PAYLOAD')[0][0]
     self.assertIsInstance(first_context, HtmlAttr)
 def test_payload_text_with_end_quote(self):
     """A marker ending in '<' that is followed by a double quote inside element
     text is still HtmlText, and the marker can break out of that context."""
     html = '''
     <html>
         <a>Quoting the great Linus Torvalds: PAYLOAD<"</a>
     </html>
     '''
     marker = 'PAYLOAD<'
     first_context = get_context(html, marker)[0][0]
     self.assertIsInstance(first_context, HtmlText)
     self.assertTrue(first_context.can_break(marker))
 def test_payload_script_broken_double_open(self):
     """A marker inside a <script> that is never closed before a second <script>
     opens is classified as ScriptText: the first script body is still open."""
     html = '''
     <html>
         <script>foo
             PAYLOAD
         <script>bar</script>
     </html>
     '''
     first_context = get_context(html, 'PAYLOAD')[0][0]
     self.assertIsInstance(first_context, ScriptText)
 def test_payload_html_inside_script_with_comment(self):
     """An HTML-style comment inside a <script> body does not change the
     classification: the marker is still ScriptText, not HtmlComment."""
     html = '''
     <html>
         <script>
             <!-- <body>PAYLOAD</body> -->
         </script>
     </html>
     '''
     first_context = get_context(html, 'PAYLOAD')[0][0]
     self.assertIsInstance(first_context, ScriptText)
    def test_payload_script_single_quote2(self):
        """A marker inside a single-quoted JavaScript string literal, in a script
        that opens with a '//<!--' comment line, is classified as
        ScriptSingleQuote."""
        html = """
        <html>
<script type="text/javascript">//<!--
  init({login:'',foo:'PAYLOAD'})
            </script>
        </html>
        """
        first_context = get_context(html, "PAYLOAD")[0][0]
        self.assertIsInstance(first_context, ScriptSingleQuote)
 def test_payload_html_inside_script_with_comment(self):
     """An HTML-style comment inside a <script> body does not change the
     classification: the marker is still ScriptText, not HtmlComment."""
     html = """
     <html>
         <script>
             <!-- <body>PAYLOAD</body> -->
         </script>
     </html>
     """
     first_context = get_context(html, "PAYLOAD")[0][0]
     self.assertIsInstance(first_context, ScriptText)
 def test_payload_script_single_quote(self):
     """A single-quoted attribute value on a <script> tag is classified as
     HtmlAttrSingleQuote: it is a tag attribute, not script body text."""
     html = """
     <html>
         <script foo='PAYLOAD'>
             bar
         </script>
     </html>
     """
     first_context = get_context(html, "PAYLOAD")[0][0]
     self.assertIsInstance(first_context, HtmlAttrSingleQuote)
 def test_payload_script_broken_double_close(self):
     """A marker placed after a closed <script> block, followed by a stray
     </script>, is classified as HtmlText: the earlier close tag ended the
     script, so the marker is ordinary document text."""
     html = """
     <html>
         <script>foo</script>
             PAYLOAD
         </script>
     </html>
     """
     first_context = get_context(html, "PAYLOAD")[0][0]
     self.assertIsInstance(first_context, HtmlText)
 def test_payload(self):
     """A marker embedded in body text that also contains URL-encoded and
     colon-heavy noise is still classified as HtmlText."""
     html = '''
     <html>
         <body>
             &added=blah111%3C1%3E<br>::::: blahPAYLOAD<br>::::: :::::
         </body>
     </html>
     '''
     first_context = get_context(html, 'PAYLOAD')[0][0]
     self.assertIsInstance(first_context, HtmlText)
 def test_payload_script_broken_double_open(self):
     """A marker inside a <script> that is never closed before a second <script>
     opens is classified as ScriptText: the first script body is still open."""
     html = """
     <html>
         <script>foo
             PAYLOAD
         <script>bar</script>
     </html>
     """
     first_context = get_context(html, "PAYLOAD")[0][0]
     self.assertIsInstance(first_context, ScriptText)
 def test_payload(self):
     """A marker embedded in body text that also contains URL-encoded and
     colon-heavy noise is still classified as HtmlText."""
     html = """
     <html>
         <body>
             &added=blah111%3C1%3E<br>::::: blahPAYLOAD<br>::::: :::::
         </body>
     </html>
     """
     first_context = get_context(html, "PAYLOAD")[0][0]
     self.assertIsInstance(first_context, HtmlText)
    def test_payload_script_single_quote2(self):
        """A marker inside a single-quoted JavaScript string literal, in a script
        that opens with a '//<!--' comment line, is classified as
        ScriptSingleQuote."""
        html = '''
        <html>
<script type="text/javascript">//<!--
  init({login:'',foo:'PAYLOAD'})
            </script>
        </html>
        '''
        first_context = get_context(html, 'PAYLOAD')[0][0]
        self.assertIsInstance(first_context, ScriptSingleQuote)
 def test_payload_script_single_quote(self):
     """A single-quoted attribute value on a <script> tag is classified as
     HtmlAttrSingleQuote: it is a tag attribute, not script body text."""
     html = '''
     <html>
         <script foo='PAYLOAD'>
             bar
         </script>
     </html>
     '''
     first_context = get_context(html, 'PAYLOAD')[0][0]
     self.assertIsInstance(first_context, HtmlAttrSingleQuote)
 def test_style_comment_case01(self):
     """A marker inside a CSS block comment within <style> is reported as a
     StyleComment context.

     The marker used is StyleComment's own name; the second context of the
     first result group must report that same name.
     """
     style_comment = """
     <html>
         <head>
             <style>
             /*
             Hello STYLE_COMMENT world
              * */
             </style>
         </head>
     </html>
     """
     expected_name = StyleComment().get_name()
     second_context = get_context(style_comment, expected_name)[0][1]
     self.assertEqual(second_context.get_name(), expected_name)
 def test_style_comment_case01(self):
     """A marker inside a CSS block comment within <style> is reported as a
     StyleComment context.

     The marker used is StyleComment's own name; the second context of the
     first result group must report that same name.
     """
     style_comment = '''
     <html>
         <head>
             <style>
             /*
             Hello STYLE_COMMENT world
              * */
             </style>
         </head>
     </html>
     '''
     expected_name = StyleComment().get_name()
     second_context = get_context(style_comment, expected_name)[0][1]
     self.assertEqual(second_context.get_name(), expected_name)
    def test_style_comment_case02(self):
        """A CSS comment in an earlier <style> block must not leak into a later
        one: a marker in the second <style> is plain StyleText.

        The first context of the first result group must report StyleText's
        name, which would fail if the analyser still believed it was inside
        the comment from the first block.
        """
        style_comment = """
        <html>
            <head>
                <style>
                /*
                Hello world
                 * */
                </style>
                <style>
                    PAYLOAD
                </style>
            </head>
        </html>
        """

        first_context = get_context(style_comment, "PAYLOAD")[0][0]
        expected_name = StyleText().get_name()
        self.assertEqual(first_context.get_name(), expected_name)
    def test_style_comment_case02(self):
        """A CSS comment in an earlier <style> block must not leak into a later
        one: a marker in the second <style> is plain StyleText.

        The first context of the first result group must report StyleText's
        name, which would fail if the analyser still believed it was inside
        the comment from the first block.
        """
        style_comment = '''
        <html>
            <head>
                <style>
                /*
                Hello world
                 * */
                </style>
                <style>
                    PAYLOAD
                </style>
            </head>
        </html>
        '''

        first_context = get_context(style_comment, 'PAYLOAD')[0][0]
        expected_name = StyleText().get_name()
        self.assertEqual(first_context.get_name(), expected_name)
 def _analyze_persistent_result(self, fuzzable_request, response):
     '''
     After performing an HTTP request to "fuzzable_request" and getting
     "response", check whether the body reflects the modified value of any
     mutant recorded in self._xss_mutants in a context that is either
     executable or that the value can break out of.

     For every context group returned by get_context(), the first context
     that qualifies triggers one persistent-XSS report for that group.

     NOTE(review): the loop continues with the next context group after a
     report, so a single mutant may be reported more than once for the same
     response if several groups qualify -- confirm whether
     _report_persistent_vuln deduplicates.

     :param fuzzable_request: The request whose response is being analysed.
     :param response: The HTTP response to inspect.
     :return: None, Vuln (if any) are saved to the kb.
     '''
     response_body = response.get_body()

     for mutant, mutant_response_id in self._xss_mutants:
         mod_value = mutant.get_mod_value()

         for contexts in get_context(response_body, mod_value):
             # any() stops at the first dangerous context, so the remaining
             # contexts of this group are not evaluated.
             dangerous = any(ctx.is_executable() or ctx.can_break(mod_value)
                             for ctx in contexts)
             if dangerous:
                 self._report_persistent_vuln(mutant, response,
                                              mutant_response_id,
                                              mod_value,
                                              fuzzable_request)
    def _analyze_echo_result(self, mutant, response):
        '''
        Do we have a reflected XSS?

        Checks whether the response body reflects the mutant's modified value
        in a context that is executable or that the value can break out of,
        and reports the first such finding.  When persistent-XSS checking is
        enabled, the (mutant, response.id) pair is also queued in
        self._xss_mutants for later analysis.

        :param mutant: The mutant that was sent.
        :param response: The HTTP response received for it.
        :return: None, record all the results in the kb.
        '''
        # Queue for persistent xss checking; done outside the lock.
        if self._check_persistent_xss:
            self._xss_mutants.append((mutant, response.id))

        with self._plugin_lock:
            # Skip mutants that were already reported.
            if self._has_bug(mutant):
                return

            mod_value = mutant.get_mod_value()
            body = response.get_body()

            for contexts in get_context(body, mod_value):
                # any() stops at the first dangerous context of the group.
                dangerous = any(ctx.is_executable() or ctx.can_break(mod_value)
                                for ctx in contexts)
                if dangerous:
                    # One report per mutant: stop after the first finding.
                    self._report_vuln(mutant, response, mod_value)
                    return
 def test_html_inside_js(self):
     """Using HtmlText's name as the marker against self.HTML, the first
     context of the third result group must be a ScriptSingleQuote."""
     marker = HtmlText().get_name()
     third_group = get_context(self.HTML, marker)[2]
     expected_name = ScriptSingleQuote().get_name()
     self.assertEqual(third_group[0].get_name(), expected_name)
 def test_payload_only_payload(self):
     """A document consisting solely of the marker is classified as HtmlText."""
     first_context = get_context("PAYLOAD", "PAYLOAD")[0][0]
     self.assertIsInstance(first_context, HtmlText)
 def test_payload_empty(self):
     """An empty document yields no context groups at all (an empty list)."""
     result = get_context("", "PAYLOAD")
     self.assertEqual(result, [])
 def test_payload_empty(self):
     """An empty document yields no context groups at all (an empty list)."""
     result = get_context('', 'PAYLOAD')
     self.assertEqual(result, [])
 def test_payload_only_payload(self):
     """A document consisting solely of the marker is classified as HtmlText."""
     first_context = get_context('PAYLOAD', 'PAYLOAD')[0][0]
     self.assertIsInstance(first_context, HtmlText)
 def test_html_inside_js(self):
     """Using HtmlText's name as the marker against self.HTML, the first
     context of the third result group must be a ScriptSingleQuote."""
     marker = HtmlText().get_name()
     third_group = get_context(self.HTML, marker)[2]
     expected_name = ScriptSingleQuote().get_name()
     self.assertEqual(third_group[0].get_name(), expected_name)