Esempio n. 1
 def toggle_bookmark(self, cell, path, model):
     """Flip the bookmark flag of one row and apply the same toggle to its item.

     Column 1 of the row at ``path`` holds the flag; column 0 holds the
     value passed to ``HistoryItem.load``.
     """
     row = model[path]
     row[1] = not row[1]

     item = HistoryItem()
     item.load(row[0])
     # presumably the True argument makes the change persistent right away
     # -- confirm against HistoryItem.toggle_mark
     item.toggle_mark(True)
Esempio n. 2
    def __init__(self, w3af, request_id, enableWidget=None, withManual=True,
                 withFuzzy=True, withCompare=True, withAudit=True, editableRequest=False,
                 editableResponse=False, widgname="default"):
        """Open a window that shows the stored request/response ``request_id``.

        The widget flags are handed to ``reqResViewer`` unchanged and in the
        same order as they appear in this signature.
        """
        # The window itself comes first
        RememberingWindow.__init__(
            self, w3af, "reqResWin", _("w3af - HTTP Request/Response"),
            "Browsing_the_Knowledge_Base")

        # Viewer widget for the request/response pair
        viewer = reqResViewer(
            w3af, enableWidget, withManual, withFuzzy, withCompare, withAudit,
            editableRequest, editableResponse, widgname)

        # Look the id up in the DB.
        # NOTE(review): the result of load() is not checked; how an unknown
        # id surfaces depends on HistoryItem.load -- confirm
        stored = HistoryItem()
        stored.load(request_id)

        # Fill both panes, then pack the viewer into the window
        viewer.request.show_object(stored.request)
        viewer.response.show_object(stored.response)
        viewer.show()
        self.vbox.pack_start(viewer)

        self.show()
Esempio n. 3
 def edit_tag(self, cell, path, new_text, model):
     """Write an edited tag into the row and into the matching history item.

     Column 4 of the row at ``path`` receives ``new_text``; column 0 holds
     the value passed to ``HistoryItem.load``.
     """
     row = model[path]
     row[4] = new_text

     item = HistoryItem()
     item.load(row[0])
     # presumably the True argument makes the change persistent right away
     # -- confirm against HistoryItem.update_tag
     item.update_tag(new_text, True)
Esempio n. 4
    def __init__(self,
                 w3af,
                 request_id,
                 enableWidget=None,
                 withManual=True,
                 withFuzzy=True,
                 withCompare=True,
                 withAudit=True,
                 editableRequest=False,
                 editableResponse=False,
                 widgname="default"):
        """Open a window that shows the stored request/response ``request_id``.

        The widget flags are handed to ``reqResViewer`` unchanged and in the
        same order as they appear in this signature.
        """
        # The window itself comes first
        RememberingWindow.__init__(
            self, w3af, "reqResWin", _("w3af - HTTP Request/Response"),
            "Browsing_the_Knowledge_Base")

        # Viewer widget for the request/response pair
        viewer = reqResViewer(
            w3af, enableWidget, withManual, withFuzzy, withCompare, withAudit,
            editableRequest, editableResponse, widgname)

        # Look the id up in the DB.
        # NOTE(review): the result of load() is not checked; how an unknown
        # id surfaces depends on HistoryItem.load -- confirm
        stored = HistoryItem()
        stored.load(request_id)

        # Fill both panes, then pack the viewer into the window
        viewer.request.show_object(stored.request)
        viewer.response.show_object(stored.response)
        viewer.show()
        self.vbox.pack_start(viewer)

        self.show()
Esempio n. 5
    def store_in_cache(request, response):
        """Save one request/response pair as a HistoryItem.

        The request is rebuilt with ``createFuzzableRequestRaw`` and the
        response is re-wrapped in an ``httpResponse`` before saving.
        """
        entry = HistoryItem()

        # Request side: regular and unredirected headers merged into one dict.
        # NOTE(review): the full header set and the body are what get saved,
        # so the history store holds whatever credentials the traffic carried
        merged_headers = dict(request.headers)
        merged_headers.update(request.unredirected_hdrs)

        entry.request = createFuzzableRequestRaw(
            method=request.get_method(),
            url=request.url_object,
            postData=str(request.get_data() or ''),
            headers=merged_headers)

        # Response side: pull the fields off the raw response, in this order
        status = response.code
        reason = response.msg
        resp_headers = response.info()
        final_url = response.geturl()
        body = response.read()
        resp_id = response.id

        # BUGBUG (from the original author): this is where the responses
        # that always have 0.2 as the time are created/logged
        entry.response = httpResponse.httpResponse(
            status, body, resp_headers, url_object(final_url),
            request.url_object, msg=reason, id=resp_id,
            alias=gen_hash(request))

        # Persist; Ctrl-C is handed back to the caller
        try:
            entry.save()
        except KeyboardInterrupt, k:
            raise k
Esempio n. 6
 def logHttp(self, request, response):
     """Store ``request`` and ``response`` together as a new HistoryItem."""
     entry = HistoryItem()
     try:
         entry.request = request
         entry.response = response
         entry.save()
     except KeyboardInterrupt, k:
         # Ctrl-C is handed back to the caller
         raise k
Esempio n. 7
 def __init__(self, w3af, kbbrowser, ifilter):
     """Create the 'Knowledge Base' tree and hook up its cursor handler.

     ``kbbrowser`` is kept on the instance; 'cursor-changed' signals are
     routed to ``self._showDesc``.
     """
     super(FullKBTree, self).__init__(
         w3af, ifilter, 'Knowledge Base', strict=False)

     self._historyItem = HistoryItem()
     self.kbbrowser = kbbrowser

     self.connect('cursor-changed', self._showDesc)
     self.show()
Esempio n. 8
    def test_history_access(self):
        # After one loop of the count plugin, history item 1 must load and
        # both its request and its response must point at http://moth/
        self.count_plugin.loops = 1
        self.w3afcore.start()

        first = HistoryItem()
        self.assertTrue(first.load(1))
        self.assertEqual(first.id, 1)

        expected_url = 'http://moth/'
        request_url = first.get_request().get_uri().url_string
        self.assertEqual(request_url, expected_url)
        response_url = first.get_response().get_uri().url_string
        self.assertEqual(response_url, expected_url)
Esempio n. 9
 def test_history_access(self):
     # After one loop of the count plugin, history item 1 must load and
     # both its request and its response must point at http://moth/
     self.count_plugin.loops = 1
     self.w3afcore.start()

     first = HistoryItem()
     self.assertTrue(first.load(1))
     self.assertEqual(first.id, 1)

     expected_url = 'http://moth/'
     request_url = first.get_request().get_uri().url_string
     self.assertEqual(request_url, expected_url)
     response_url = first.get_response().get_uri().url_string
     self.assertEqual(response_url, expected_url)
     
Esempio n. 10
 def _impactDone(self, event, impact):
     """Handle the audit outcome once ``event`` has been set.

     Returns True while the event is not set (the original comment says
     this keeps timeout_add calling it) and False once the result has
     been processed.
     """
     if not event.isSet():
         return True

     # Work is over: hide and stop the throbber
     self.throbber.hide()
     self.throbber.running(False)

     if impact.ok:
         # Tag every history item referenced by a result.
         # TODO: show ALL the requests generated by audit plugins,
         #       not just the ones with vulnerabilities.
         for result in impact.result:
             for item_id in result.getId():
                 item = HistoryItem()
                 item.load(item_id)
                 # the plugin name is appended directly to the existing tag
                 item.updateTag(item.tag + result.plugin_name)
                 item.info = result.getDesc()
                 item.save()
         return False

     # Failure: only an exact class match on the two w3af exceptions gets
     # a dialog, anything else is re-raised
     exc_class = impact.exception.__class__
     if exc_class == w3afException:
         msg = str(impact.exception)
     elif exc_class == w3afMustStopException:
         msg = "Stopped sending requests because " + str(impact.exception)
     else:
         raise impact.exception

     # Throbber is hidden and stopped a second time, as in the original
     self.throbber.hide()
     self.throbber.running(False)
     # NOTE(review): threads_leave() is not in a finally block, so it is
     # skipped if the dialog call raises
     gtk.gdk.threads_enter()
     helpers.friendlyException(msg)
     gtk.gdk.threads_leave()
     return False
Esempio n. 11
 def __init__(self, w3af, kbbrowser, ifilter):
     """Create the 'Knowledge Base' tree and hook up its cursor handler.

     ``kbbrowser`` is kept on the instance; 'cursor-changed' signals are
     routed to ``self._showDesc``.
     """
     super(FullKBTree, self).__init__(
         w3af,
         ifilter,
         'Knowledge Base',
         strict=False)

     self._historyItem = HistoryItem()
     self.kbbrowser = kbbrowser

     self.connect('cursor-changed', self._showDesc)
     self.show()
Esempio n. 12
 def test_mark(self):
     # Save items 0..499, toggling the mark on one random id before its
     # save(); that id must come back marked when loaded again
     marked_id = random.randint(1, 499)
     url = url_object('http://w3af.org/a/b/c.php')

     for idx in xrange(500):
         request = FuzzReq(url, dc={'a': ['1']})
         response = httpResponse(200, '<html>',
                                 {'Content-Type': 'text/html'}, url, url)
         item = HistoryItem()
         item.request = request
         response.setId(idx)
         item.response = response
         if idx == marked_id:
             item.toggleMark()
         item.save()

     loaded = HistoryItem()
     loaded.load(marked_id)
     self.assertTrue(loaded.mark)
Esempio n. 13
    def __init__(self):
        """Set defaults and build the root of the XML report document.

        The file handle starts as None; the DOM gets a <w3afrun> root with
        start attributes and a <w3af-version> child.
        """
        OutputPlugin.__init__(self)

        # Handle of the report file
        self._file = None

        # Settings the user can configure
        self._file_name = 'report.xml'
        self._timeFormat = '%a %b %d %H:%M:%S %Y'
        # Start time, formatted with _timeFormat and as epoch seconds
        self._longTimestampString = str(
            time.strftime(self._timeFormat, time.localtime()))
        self._timestampString = str(int(time.time()))

        # Additional xml elements are collected in this list
        self._errorXML = []

        # Root element and its attributes
        doc = self._xmldoc = xml.dom.minidom.Document()
        root = self._topElement = doc.createElement("w3afrun")
        root.setAttribute("start", self._timestampString)
        root.setAttribute("startstr", self._longTimestampString)
        root.setAttribute("xmloutputversion", "2.0")

        # Version details go in as a text node under <w3af-version>
        version_node = doc.createElement("w3af-version")
        version_text = doc.createTextNode(
            str(get_w3af_version.get_w3af_version()))
        version_node.appendChild(version_text)
        root.appendChild(version_node)

        self._scanInfo = doc.createElement("scaninfo")

        # HistoryItem used to get requests/responses
        self._history = HistoryItem()
Esempio n. 14
    def test_clear(self):
        # clear() must report success and remove the session directory,
        # while the table itself stays in the DB
        url = URL("http://w3af.com/a/b/c.php")
        request = HTTPRequest(url, data="a=1")
        headers = Headers([("Content-Type", "text/html")])
        response = HTTPResponse(200, "<html>", headers, url, url)

        item = HistoryItem()
        item.request = request
        response.set_id(1)
        item.response = response
        item.save()

        table = item.get_table_name()
        temp_db = get_default_temp_db_instance()
        self.assertTrue(temp_db.table_exists(table))

        self.assertTrue(item.clear())
        self.assertFalse(os.path.exists(item._session_dir),
                         "%s exists." % item._session_dir)

        # clear() changed meaning a little: it now removes all rows from
        # the table, not the table itself
        self.assertTrue(temp_db.table_exists(table))
Esempio n. 15
    def store_in_cache(request, response):
        """Save ``request`` and ``response`` together as one HistoryItem."""
        entry = HistoryItem()

        # Request: fuzzable request that also gets the unredirected headers
        entry.request = create_fuzzable_request(
            request, add_headers=request.unredirected_hdrs)

        # Response: wrapped httplib response carrying the original id and
        # the alias computed from the request
        wrapped = httpResponse.from_httplib_resp(
            response, original_url=request.url_object)
        wrapped.setId(response.id)
        wrapped.setAlias(gen_hash(request))
        entry.response = wrapped

        # Persist; Ctrl-C is handed back to the caller
        try:
            entry.save()
        except KeyboardInterrupt, k:
            raise k
Esempio n. 16
    def test_tag(self):
        # Save items 501..999, tagging one random id before its save();
        # loading that id afterwards must give the same tag back
        tagged_id = random.randint(501, 999)
        expected_tag = createRandAlNum(10)
        url = url_object('http://w3af.org/a/b/c.php')

        for idx in xrange(501, 1000):
            request = FuzzReq(url, dc={'a': ['1']})
            response = httpResponse(200, '<html>',
                                    {'Content-Type': 'text/html'}, url, url)
            item = HistoryItem()
            item.request = request
            response.setId(idx)
            item.response = response
            if idx == tagged_id:
                item.updateTag(expected_tag)
            item.save()

        loaded = HistoryItem()
        loaded.load(tagged_id)
        self.assertEqual(loaded.tag, expected_tag)
Esempio n. 17
    def test_tag(self):
        # Save items 501..999, tagging one random id before its save();
        # loading that id afterwards must give the same tag back
        tagged_id = random.randint(501, 999)
        expected_tag = rand_alnum(10)
        url = URL("http://w3af.org/a/b/c.php")

        for idx in xrange(501, 1000):
            request = HTTPRequest(url, data="a=1")
            headers = Headers([("Content-Type", "text/html")])
            response = HTTPResponse(200, "<html>", headers, url, url)
            item = HistoryItem()
            item.request = request
            response.set_id(idx)
            item.response = response
            if idx == tagged_id:
                item.update_tag(expected_tag)
            item.save()

        loaded = HistoryItem()
        loaded.load(tagged_id)
        self.assertEqual(loaded.tag, expected_tag)
Esempio n. 18
 def __init__(self, w3af, padding=10, time_refresh=False):
     """Build the HTTP log tab.

     ``padding`` is used as the spacing of the main container; when
     ``time_refresh`` is true, ``refresh_results`` is put on a timer.
     """
     super(httpLogTab, self).__init__(w3af, "pane-httplogtab", 300)
     self.w3af = w3af
     self._padding = padding
     self._lastId = 0
     self._historyItem = HistoryItem()
     if time_refresh:
         # Timer interval: 1000 ms
         gobject.timeout_add(1000, self.refresh_results)

     # Main vertical container
     container = gtk.VBox()
     container.set_spacing(self._padding)
     # The menuHbox, Req/Res viewer and the R/R selector on the bottom are
     # added by these helpers, called in this order
     for build_part in (self._initSearchBox,
                        self._initFilterBox,
                        self._initReqResViewer):
         build_part(container)
     container.show()

     # Attach the container and show the tab
     self.add(container)
     self.show()
Esempio n. 19
    def store_in_cache(request, response):
        """Save ``request`` and the wrapped ``response`` as one HistoryItem.

        Any exception from save() is logged through ``om.out.error`` and a
        plain ``Exception`` carrying the same message is raised.
        """
        # Wrap the httplib response, keeping its id and the request alias
        resp = HTTPResponse.from_httplib_resp(
            response, original_url=request.url_object)
        resp.set_id(response.id)
        resp.set_alias(gen_hash(request))

        entry = HistoryItem()
        entry.request = request
        entry.response = resp

        try:
            entry.save()
        except Exception, ex:
            template = ("Exception while inserting request/response to the"
                        " database: %s\nThe request/response that generated"
                        " the error is: %s %s %s")
            # NOTE(review): the full request URI goes into the error output;
            # query strings can carry tokens or credentials
            details = (ex, resp.get_id(), request.get_uri(), resp.get_code())
            msg = template % details
            om.out.error(msg)
            # NOTE(review): a new generic Exception replaces the caught one,
            # so the original type and traceback are not passed on
            raise Exception(msg)
Esempio n. 20
    def store_in_cache(request, response):
        """Save ``request`` and the wrapped ``response`` as one HistoryItem.

        A ``sqlite3.Error`` from save() is turned into a
        ``w3afMustStopException``; other exceptions are not caught here.
        """
        # Wrap the httplib response, keeping its id and the request alias
        wrapped = HTTPResponse.from_httplib_resp(
            response, original_url=request.url_object)
        wrapped.set_id(response.id)
        wrapped.set_alias(gen_hash(request))

        entry = HistoryItem()
        entry.request = request
        entry.response = wrapped

        try:
            entry.save()
        except sqlite3.Error, e:
            parts = ['A sqlite3 error was raised: "%s".' % e]
            # The disk-full hint is keyed on the word 'disk' in the error text
            if 'disk' in str(e).lower():
                parts.append(' Please check if your disk is full.')
            raise w3afMustStopException(''.join(parts))
Esempio n. 21
 def edit_tag(self, cell, path, new_text, model):
     """Write an edited tag into the row and into the matching history item.

     Column 4 of the row at ``path`` receives ``new_text``; column 0 holds
     the value passed to ``HistoryItem.load``.
     """
     row = model[path]
     row[4] = new_text

     item = HistoryItem()
     item.load(row[0])
     # presumably the True argument makes the change persistent right away
     # -- confirm against HistoryItem.update_tag
     item.update_tag(new_text, True)
Esempio n. 22
 def toggle_bookmark(self, cell, path, model):
     """Flip the bookmark flag of one row and apply the same toggle to its item.

     Column 1 of the row at ``path`` holds the flag; column 0 holds the
     value passed to ``HistoryItem.load``.
     """
     row = model[path]
     row[1] = not row[1]

     item = HistoryItem()
     item.load(row[0])
     # presumably the True argument makes the change persistent right away
     # -- confirm against HistoryItem.toggle_mark
     item.toggle_mark(True)
Esempio n. 23
 def test_save_load(self):
     # An item saved under a random id must load back with an equal
     # request and the same response body
     item_id = random.randint(1, 499)
     url = url_object('http://w3af.com/a/b/c.php')
     request = FuzzReq(url, dc={'a': ['1']})
     response = httpResponse(200, '<html>',
                             {'Content-Type': 'text/html'}, url, url)

     saved = HistoryItem()
     saved.request = request
     response.setId(item_id)
     saved.response = response
     saved.save()

     loaded = HistoryItem()
     loaded.load(item_id)
     self.assertEqual(saved.request, loaded.request)
     self.assertEqual(saved.response.body, loaded.response.body)
Esempio n. 24
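    def __init__(self):
        """Set up the shared queue and the per-session history database.

        When the knowledge base already holds a 'gtkOutput' db, that db and
        its queue are reused.  Otherwise a queue is created and stored in
        the kb, a database file is opened under <home>/sessions and the
        HistoryItem table is created in it.

        :raises w3afException: if the sessions directory cannot be created,
            or if every candidate database file name is already taken.
        """
        # Function-scope import: errno is only needed for the mkdir check
        import errno

        baseOutputPlugin.__init__(self)

        if not kb.kb.getData('gtkOutput', 'db') == []:
            # Restore it from the kb
            self._db = kb.kb.getData('gtkOutput', 'db')
            self.queue = kb.kb.getData('gtkOutput', 'queue')
        else:
            self.queue = Queue.Queue()
            kb.kb.save('gtkOutput', 'queue', self.queue)

            # Work out where the session database goes.
            # NOTE(review): sessionName is used in the file name as-is; a
            # value containing path separators would land outside
            # sessions/ -- confirm it is validated where it is set
            sessionName = cf.cf.getData('sessionName')
            sessions_dir = os.path.join(get_home_dir(), 'sessions')
            dbName = os.path.join(sessions_dir, 'db_' + sessionName)

            # Just in case the directory doesn't exist...
            # NOTE(review): os.mkdir uses its default mode, so access to
            # this directory follows the process umask; the db created in
            # it backs HistoryItem (stored requests/responses)
            try:
                os.mkdir(sessions_dir)
            except OSError, oe:
                # "File exists" is fine; anything else means we cannot write
                if oe.errno != errno.EEXIST:
                    msg = 'Unable to write to the user home directory: ' + get_home_dir()
                    raise w3afException(msg)

            self._db = DB()
            # Check if the database already exists
            if os.path.exists(dbName):
                # Find a suffixed name that doesn't exist yet
                for i in xrange(100):
                    newDbName = dbName + '-' + str(i)
                    if not os.path.exists(newDbName):
                        dbName = newDbName
                        break
                else:
                    # All 100 candidates are taken: fail instead of opening
                    # a file that belongs to an earlier session
                    msg = 'Unable to find an unused session database name for: ' + dbName
                    raise w3afException(msg)

            # Create DB!
            self._db.open(dbName)
            # Create table
            historyItem = HistoryItem(self._db)
            self._db.createTable(historyItem.getTableName(),
                                 historyItem.getColumns(),
                                 historyItem.getPrimaryKeyColumns())
            kb.kb.save('gtkOutput', 'db', self._db)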
Esempio n. 25
 def test_save_load(self):
     # An item saved under a random id must load back with an equal
     # request and the same response body
     item_id = random.randint(1, 499)
     url = URL("http://w3af.com/a/b/c.php")
     request = HTTPRequest(url, data="a=1")
     headers = Headers([("Content-Type", "text/html")])
     response = HTTPResponse(200, "<html>", headers, url, url)

     saved = HistoryItem()
     saved.request = request
     response.set_id(item_id)
     saved.response = response
     saved.save()

     loaded = HistoryItem()
     loaded.load(item_id)
     self.assertEqual(saved.request, loaded.request)
     self.assertEqual(saved.response.body, loaded.response.body)
Esempio n. 26
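 def test_delete(self):
     # A saved item must not be readable any more once it has been deleted
     i = random.randint(1, 499)
     url = url_object('http://w3af.com/a/b/c.php')
     fr = FuzzReq(url, dc={'a': ['1']})
     res = httpResponse(200, '<html>', {'Content-Type': 'text/html'}, url, url)
     h1 = HistoryItem()
     h1.request = fr
     res.setId(i)
     h1.response = res
     h1.save()
     h1.delete(i)
     try:
         h2 = h1.read(i)
     except Exception:
         # Narrowed from a bare except so that KeyboardInterrupt and
         # SystemExit are no longer swallowed by the test.
         # NOTE(review): any Exception still counts as "deleted"; asserting
         # the specific error type raised by read() would be stricter
         h2 = None
     self.assertEqual(h2, None)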
Esempio n. 27
    def _impact_done(self, event, impact):
        """Handle the audit outcome once ``event`` has been set.

        Returns True while the event is not set (the original comment says
        this keeps timeout_add calling it) and False once the result has
        been processed.
        """
        if not event.isSet():
            return True

        # Work is over: hide and stop the throbber
        self.throbber.hide()
        self.throbber.running(False)

        if impact.ok:
            # Tag every history item referenced by a result.
            # TODO: show ALL the requests generated by audit plugins,
            #       not just the ones with vulnerabilities.
            for result in impact.result:
                # TODO: not sure when this is None, but it appeared in
                # Trac bug #167736
                if result.get_id() is None:
                    continue
                for item_id in result.get_id():
                    item = HistoryItem()
                    item.load(item_id)
                    # the plugin name is appended directly to the tag
                    item.update_tag(item.tag + result.plugin_name)
                    item.info = result.get_desc()
                    item.save()
            return False

        # Failure: only an exact class match on the known w3af exceptions
        # gets a dialog, anything else is re-raised
        exc_class = impact.exception.__class__
        if exc_class == w3afException:
            msg = str(impact.exception)
        elif exc_class == w3afMustStopException:
            msg = "Stopped sending requests because " + str(impact.exception)
        elif exc_class == w3afMustStopOnUrlError:
            msg = "Not sending requests because " + str(impact.exception)
        else:
            raise impact.exception

        # Throbber is hidden and stopped a second time, as in the original
        self.throbber.hide()
        self.throbber.running(False)
        # NOTE(review): threads_leave() is not in a finally block, so it is
        # skipped if the dialog call raises
        gtk.gdk.threads_enter()
        helpers.FriendlyExceptionDlg(msg)
        gtk.gdk.threads_leave()
        return False
Esempio n. 28
    def test_clear_clear(self):
        # Calling clear() twice in a row on a saved item must not raise
        url = URL("http://w3af.com/a/b/c.php")
        request = HTTPRequest(url, data="a=1")
        headers = Headers([("Content-Type", "text/html")])
        response = HTTPResponse(200, "<html>", headers, url, url)

        item = HistoryItem()
        item.request = request
        response.set_id(1)
        item.response = response
        item.save()

        for _attempt in (1, 2):
            item.clear()
Esempio n. 29
    def test_delete(self):
        # After delete(), read() must raise DBException and the per-id
        # file that existed after save() must be gone
        item_id = random.randint(1, 499)

        url = URL("http://w3af.com/a/b/c.php")
        request = HTTPRequest(url, data="a=1")
        headers = Headers([("Content-Type", "text/html")])
        response = HTTPResponse(200, "<html>", headers, url, url)
        response.set_id(item_id)

        item = HistoryItem()
        item.request = request
        item.response = response
        item.save()

        stored_path = item._get_fname_for_id(item_id)
        self.assertTrue(os.path.exists(stored_path))

        item.delete(item_id)

        self.assertRaises(DBException, item.read, item_id)
        self.assertFalse(os.path.exists(stored_path))
Esempio n. 30
 def __init__(self, w3af, padding=10, time_refresh=False):
     """Build the HTTP log tab.

     ``padding`` is used as the spacing of the main container; when
     ``time_refresh`` is true, ``refresh_results`` is put on a timer.
     """
     super(httpLogTab, self).__init__(w3af, "pane-httplogtab", 300)
     self.w3af = w3af
     self._padding = padding
     self._lastId = 0
     self._historyItem = HistoryItem()
     if time_refresh:
         # Timer interval: 1000 ms
         gobject.timeout_add(1000, self.refresh_results)

     # Main vertical container
     container = gtk.VBox()
     container.set_spacing(self._padding)
     # The menuHbox, Req/Res viewer and the R/R selector on the bottom are
     # added by these helpers, called in this order
     for build_part in (self._initSearchBox,
                        self._initFilterBox,
                        self._initReqResViewer):
         build_part(container)
     container.show()

     # Attach the container and show the tab
     self.add(container)
     self.show()
Esempio n. 31
File: db.py Progetto: weisst/w3af
    def store_in_cache(request, response):
        """Save ``request`` and the wrapped ``response`` as one HistoryItem.

        A ``sqlite3.Error`` from save() is turned into a
        ``w3afMustStopException``; other exceptions are not caught here.
        """
        # Wrap the httplib response, keeping its id and the request alias
        wrapped = HTTPResponse.from_httplib_resp(
            response, original_url=request.url_object)
        wrapped.set_id(response.id)
        wrapped.set_alias(gen_hash(request))

        entry = HistoryItem()
        entry.request = request
        entry.response = wrapped

        try:
            entry.save()
        except sqlite3.Error, e:
            parts = ['A sqlite3 error was raised: "%s".' % e]
            # The disk-full hint is keyed on the word 'disk' in the error text
            if 'disk' in str(e).lower():
                parts.append(' Please check if your disk is full.')
            raise w3afMustStopException(''.join(parts))
Esempio n. 32
    def store_in_cache(request, response):
        """Save ``request`` and the wrapped ``response`` as one HistoryItem.

        Any exception from save() is logged through ``om.out.error`` and
        then re-raised unchanged.
        """
        # Wrap the httplib response, keeping its id and the request alias
        wrapped = HTTPResponse.from_httplib_resp(
            response, original_url=request.url_object)
        wrapped.set_id(response.id)
        wrapped.set_alias(gen_hash(request))

        entry = HistoryItem()
        entry.request = request
        entry.response = wrapped

        try:
            entry.save()
        except Exception, ex:
            template = ('Exception while inserting request/response to the'
                        ' database: %s\nThe request/response that generated'
                        ' the error is: %s %s %s')
            # NOTE(review): the full request URI goes into the error output;
            # query strings can carry tokens or credentials
            details = (ex, wrapped.get_id(), request.get_uri(),
                       wrapped.get_code())
            om.out.error(template % details)
            # Bare raise: the caught exception goes on to the caller as-is
            raise
Esempio n. 33
    def __init__(self, w3af):
        """Build the Knowledge Base browser pane.

        The first pane holds the type filter check buttons above the KB
        tree; the second pane is a vertical split with the explanation text
        on top and the request/response viewer plus page control below.
        """
        super(KBBrowser, self).__init__(w3af, "pane-kbbrowser", 250)

        # Internal variables:
        #
        # Here I save the request and response ids to be used in the page control
        self.req_res_ids = []
        # This is to search the DB and print the different request and responses as they are
        # requested from the page control, "_pageChange" method.
        self._historyItem = HistoryItem()

        # the filter to the tree
        filterbox = gtk.HBox()
        self.filters = {}

        # Helper: one check button per filter type. It records the initial
        # state in self.filters[signal] and packs the button into filterbox.
        def make_but(label, signal, initial):
            but = gtk.CheckButton(label)
            but.set_active(initial)
            # clicks go to self.type_filter with the filter key as user data
            but.connect("clicked", self.type_filter, signal)
            self.filters[signal] = initial
            but.show()
            filterbox.pack_start(but, expand=False, fill=False, padding=2)
        # Both filters start enabled
        make_but("Vulnerabilities", "vuln", True)
        make_but("Informations", "info", True)
        filterbox.show()

        # the kb tree (it receives this browser and the filters dict)
        self.kbtree = FullKBTree(w3af, self, self.filters)

        # all in the first pane
        scrollwin21 = gtk.ScrolledWindow()
        scrollwin21.set_policy(gtk.POLICY_AUTOMATIC, gtk.POLICY_AUTOMATIC)
        scrollwin21.add(self.kbtree)
        scrollwin21.show()

        # the filter and tree box
        treebox = gtk.VBox()
        treebox.pack_start(filterbox, expand=False, fill=False)
        treebox.pack_start(scrollwin21)
        treebox.show()

        # the explanation: a read-only, word-wrapped text view; only its
        # buffer is kept on the instance
        explan_tv = gtk.TextView()
        explan_tv.set_editable(False)
        explan_tv.set_cursor_visible(False)
        explan_tv.set_wrap_mode(gtk.WRAP_WORD)
        self.explanation = explan_tv.get_buffer()
        explan_tv.show()
        scrollwin22 = gtk.ScrolledWindow()
        scrollwin22.set_policy(gtk.POLICY_AUTOMATIC, gtk.POLICY_AUTOMATIC)
        scrollwin22.add_with_viewport(explan_tv)
        scrollwin22.show()

        # The request/response viewer (created without the audit widget and
        # insensitive at this point)
        self.rrV = reqResViewer.reqResViewer(w3af, withAudit=False)
        self.rrV.set_sensitive(False)

        # Create the title label to show the request id
        self.title0 = gtk.Label()
        self.title0.show()

        # Create page changer to handle info/vuln objects that have MORE THAN ONE
        # related request/response
        self.pagesControl = entries.PagesControl(w3af, self._pageChange, 0)
        self.pagesControl.deactivate()
        # _pageChange is called once by hand here, with page 0
        self._pageChange(0)
        centerbox = gtk.HBox()
        centerbox.pack_start(self.pagesControl, True, False)

        # Add everything to a vbox
        vbox_rrv_centerbox = gtk.VBox()
        vbox_rrv_centerbox.pack_start(self.title0, False, True)
        vbox_rrv_centerbox.pack_start(self.rrV, True, True)
        vbox_rrv_centerbox.pack_start(centerbox, False, False)

        # and show
        vbox_rrv_centerbox.show()
        self.pagesControl.show()
        centerbox.show()

        # And now put everything inside the vpaned
        vpanedExplainAndView = entries.RememberingVPaned(
            w3af, "pane-kbbexplainview", 100)
        vpanedExplainAndView.pack1(scrollwin22)
        vpanedExplainAndView.pack2(vbox_rrv_centerbox)
        vpanedExplainAndView.show()

        # pack & show
        self.pack1(treebox)
        self.pack2(vpanedExplainAndView)
        self.show()
Esempio n. 34
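class KBBrowser(entries.RememberingHPaned):
    '''Show the Knowledge Base, with the filter and the tree.

    The first pane holds the type filter check buttons above the KB tree.
    The second pane holds the explanation text above a request/response
    viewer and a page control, used when a KB entry references more than
    one HTTP request/response.

    :author: Facundo Batista <facundobatista =at= taniquetil.com.ar>
    '''
    def __init__(self, w3af):
        '''Build both panes and show the widget.

        :param w3af: object handed on to the child widgets.
        '''
        super(KBBrowser, self).__init__(w3af, "pane-kbbrowser", 250)

        # Internal variables:
        #
        # Here I save the request and response ids to be used in the page control
        self.req_res_ids = []
        # This is to search the DB and print the different request and responses as they are
        # requested from the page control, "_pageChange" method.
        self._historyItem = HistoryItem()

        # the filter to the tree
        filterbox = gtk.HBox()
        self.filters = {}

        def make_but(label, signal, initial):
            # One check button per KB entry type; its initial state is
            # recorded in self.filters under the same key that type_filter
            # later receives as ptype.
            but = gtk.CheckButton(label)
            but.set_active(initial)
            but.connect("clicked", self.type_filter, signal)
            self.filters[signal] = initial
            but.show()
            filterbox.pack_start(but, expand=False, fill=False, padding=2)
        make_but("Vulnerabilities", "vuln", True)
        make_but("Informations", "info", True)
        filterbox.show()

        # the kb tree
        self.kbtree = FullKBTree(w3af, self, self.filters)

        # all in the first pane
        scrollwin21 = gtk.ScrolledWindow()
        scrollwin21.set_policy(gtk.POLICY_AUTOMATIC, gtk.POLICY_AUTOMATIC)
        scrollwin21.add(self.kbtree)
        scrollwin21.show()

        # the filter and tree box
        treebox = gtk.VBox()
        treebox.pack_start(filterbox, expand=False, fill=False)
        treebox.pack_start(scrollwin21)
        treebox.show()

        # the explanation: a read-only, word-wrapped text view; only its
        # buffer is kept on the instance
        explan_tv = gtk.TextView()
        explan_tv.set_editable(False)
        explan_tv.set_cursor_visible(False)
        explan_tv.set_wrap_mode(gtk.WRAP_WORD)
        self.explanation = explan_tv.get_buffer()
        explan_tv.show()
        scrollwin22 = gtk.ScrolledWindow()
        scrollwin22.set_policy(gtk.POLICY_AUTOMATIC, gtk.POLICY_AUTOMATIC)
        scrollwin22.add_with_viewport(explan_tv)
        scrollwin22.show()

        # The request/response viewer; insensitive until _pageChange loads
        # a transaction into it
        self.rrV = reqResViewer.reqResViewer(w3af, withAudit=False)
        self.rrV.set_sensitive(False)

        # Create the title label to show the request id
        self.title0 = gtk.Label()
        self.title0.show()

        # Create page changer to handle info/vuln objects that have MORE THAN ONE
        # related request/response
        self.pagesControl = entries.PagesControl(w3af, self._pageChange, 0)
        self.pagesControl.deactivate()
        # req_res_ids is still empty here, so this call does nothing
        self._pageChange(0)
        centerbox = gtk.HBox()
        centerbox.pack_start(self.pagesControl, True, False)

        # Add everything to a vbox
        vbox_rrv_centerbox = gtk.VBox()
        vbox_rrv_centerbox.pack_start(self.title0, False, True)
        vbox_rrv_centerbox.pack_start(self.rrV, True, True)
        vbox_rrv_centerbox.pack_start(centerbox, False, False)

        # and show
        vbox_rrv_centerbox.show()
        self.pagesControl.show()
        centerbox.show()

        # And now put everything inside the vpaned
        vpanedExplainAndView = entries.RememberingVPaned(
            w3af, "pane-kbbexplainview", 100)
        vpanedExplainAndView.pack1(scrollwin22)
        vpanedExplainAndView.pack2(vbox_rrv_centerbox)
        vpanedExplainAndView.show()

        # pack & show
        self.pack1(treebox)
        self.pack2(vpanedExplainAndView)
        self.show()

    def type_filter(self, button, ptype):
        '''Changes the filter of the KB in the tree.

        :param button: the check button that was clicked.
        :param ptype: key in self.filters ("vuln" or "info") bound to it.
        '''
        self.filters[ptype] = button.get_active()
        self.kbtree.set_filter(self.filters)

    def _pageChange(self, page):
        '''
        Handle the page change in the page control.

        :param page: index into self.req_res_ids of the transaction to show.
        '''
        # Only do something if I have a list of request and responses
        if not self.req_res_ids:
            return

        request_id = self.req_res_ids[page]
        try:
            historyItem = self._historyItem.read(request_id)
        except Exception:
            # The request brought problems. Exception (rather than a bare
            # except) lets KeyboardInterrupt and SystemExit propagate.
            # The panes are cleared so that the previously shown
            # request/response does not stay on screen under the "Error"
            # title.
            self.rrV.request.clear_panes()
            self.rrV.response.clear_panes()
            self.rrV.set_sensitive(False)
            self.title0.set_markup("<b>Error</b>")
        else:
            # %d formats the id as a number, so the markup string contains
            # nothing but digits between the tags.
            self.title0.set_markup("<b>Id: %d</b>" % request_id)
            self.rrV.request.show_object(historyItem.request)
            self.rrV.response.show_object(historyItem.response)
            self.rrV.set_sensitive(True)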
Esempio n. 35
    def __init__(self, w3af, initial_request=None):
        '''Build the fuzzy request window and show it.

        Left pane: the editable request template with its syntax help page
        and the analyze/send controls. Middle: the throbber. Right pane: a
        non-editable request/response viewer for the results, with paging,
        cluster and clear buttons.

        :param w3af: object handed on to the child widgets.
        :param initial_request: optional pair whose two items are passed to
            show_raw; when None, FUZZY_REQUEST_EXAMPLE is shown instead.
        '''
        super(FuzzyRequests, self).__init__(
            w3af, "fuzzyreq", "w3af - Fuzzy Requests", "Fuzzy_Requests")
        self.w3af = w3af
        self.historyItem = HistoryItem()
        window_box = gtk.HBox()

        # Responses are accumulated here
        self.responses = []

        # ---- left pane ----
        left_pane = gtk.VBox()
        window_box.pack_start(left_pane, False, False)

        # The buttons come first: the request widget below receives their
        # set_sensitive callbacks.
        analyze_button = gtk.Button("Analyze")
        self.sendPlayBut = entries.SemiStockButton(
            "", gtk.STOCK_MEDIA_PLAY, "Sends the pending requests")
        self.sendStopBut = entries.SemiStockButton(
            "", gtk.STOCK_MEDIA_STOP, "Stops the request being sent")
        self.sSB_state = helpers.PropagateBuffer(self.sendStopBut.set_sensitive)
        self.sSB_state.change(self, False)

        # "Fix content length" check box, active by default
        fix_length_check = gtk.CheckButton('Fix content length header')
        self._fix_content_lengthCB = fix_length_check
        fix_length_check.set_active(True)
        fix_length_check.show()

        # The editable request template
        sensitivity_callbacks = [
            analyze_button.set_sensitive,
            self.sendPlayBut.set_sensitive,
            functools.partial(self.sSB_state.change, "rRV"),
        ]
        self.originalReq = reqResViewer.requestPart(
            self, w3af, sensitivity_callbacks,
            editable=True, widgname="fuzzyrequest")

        if initial_request is not None:
            upper_part, lower_part = initial_request
            self.originalReq.show_raw(upper_part, lower_part)
        else:
            self.originalReq.show_raw(FUZZY_REQUEST_EXAMPLE, '')

        # Right-button popup menu on the raw text view
        raw_view = self.originalReq.get_view_by_id('HttpRawView')
        raw_view.textView.connect("populate-popup", self._populate_popup)

        # Syntax help, as an extra page of the request widget
        help_label = gtk.Label()
        help_label.set_selectable(True)
        help_label.set_markup(FUZZYHELP)
        self.originalReq.append_page(help_label, gtk.Label("Syntax help"))
        help_label.show()
        self.originalReq.show()
        left_pane.pack_start(self.originalReq, True, True, padding=5)
        left_pane.show()

        # The commands: row 0 analyze + preview, row 1 send/stop + options
        controls = gtk.Table(2, 4)
        analyze_button.connect("clicked", self._analyze)
        controls.attach(analyze_button, 0, 2, 0, 1)
        self.analyzefb = gtk.Label("0 requests")
        self.analyzefb.set_sensitive(False)
        controls.attach(self.analyzefb, 2, 3, 0, 1)
        self.preview = gtk.CheckButton("Preview")
        controls.attach(self.preview, 3, 4, 0, 1)
        # The handler id is kept on the instance
        self.sPB_signal = self.sendPlayBut.connect("clicked", self._send_start)
        controls.attach(self.sendPlayBut, 0, 1, 1, 2)
        self.sendStopBut.connect("clicked", self._send_stop)
        controls.attach(self.sendStopBut, 1, 2, 1, 2)
        self.sendfb = gtk.Label("0 ok, 0 errors")
        self.sendfb.set_sensitive(False)
        controls.attach(self.sendfb, 2, 3, 1, 2)
        controls.attach(self._fix_content_lengthCB, 3, 4, 1, 2)
        controls.show_all()

        left_pane.pack_start(controls, False, False, padding=5)

        # ---- throbber pane ----
        throbber_pane = gtk.VBox()
        self.throbber = helpers.Throbber()
        self.throbber.set_sensitive(False)
        throbber_pane.pack_start(self.throbber, False, False)
        throbber_pane.show()
        window_box.pack_start(throbber_pane, False, False)

        # ---- right pane ----
        right_pane = gtk.VBox()
        window_box.pack_start(right_pane)

        # Label for the id of the response on display
        self.title0 = gtk.Label()
        self.title0.show()
        right_pane.pack_start(self.title0, False, True)

        # The result viewer: neither side is editable
        self.resultReqResp = reqResViewer.reqResViewer(
            w3af,
            withFuzzy=False,
            editableRequest=False,
            editableResponse=False)
        self.resultReqResp.set_sensitive(False)
        right_pane.pack_start(self.resultReqResp, True, True, padding=5)
        right_pane.show()

        # Result control
        button_row = gtk.HBox()
        self.pagesControl = entries.PagesControl(w3af, self._pageChange)
        button_row.pack_start(self.pagesControl, True, False)
        button_row.show()

        # "Cluster responses" button; the icon path is relative, so it is
        # resolved against the process working directory
        cluster_icon = gtk.Image()
        icon_path = os.path.join('core', 'ui', 'gui', 'data', 'cluster_data.png')
        cluster_icon.set_from_file(icon_path)
        cluster_icon.show()
        self.clusterButton = gtk.Button(label='Cluster responses')
        self.clusterButton.connect("clicked", self._clusterData)
        self.clusterButton.set_sensitive(False)
        self.clusterButton.set_image(cluster_icon)
        self.clusterButton.show()
        button_row.pack_start(self.clusterButton, True, False)

        # "Clear Responses" button
        self.clearButton = entries.SemiStockButton(
            'Clear Responses',
            gtk.STOCK_CLEAR,
            tooltip='Clear all HTTP responses from fuzzer window')
        self.clearButton.connect("clicked", self._clearResponses)
        self.clearButton.set_sensitive(False)
        self.clearButton.show()
        button_row.pack_start(self.clearButton, True, False)

        right_pane.pack_start(button_row, False, False, padding=5)

        # Show all!
        self._sendPaused = True
        self.vbox.pack_start(window_box)
        self.vbox.show()
        window_box.show()
        self.show()
Esempio n. 36
    def __init__(self, w3af, initial_request=None):
        '''Create the fuzzy request window, lay out its panes and show it.

        The window is one horizontal box with three children: the request
        editor with its command table, the throbber, and the result viewer
        with its paging, cluster and clear controls.

        :param w3af: object handed on to the child widgets.
        :param initial_request: optional pair whose two items are passed to
            show_raw; when None, FUZZY_REQUEST_EXAMPLE is shown instead.
        '''
        super(FuzzyRequests, self).__init__(w3af,
                                            "fuzzyreq",
                                            "w3af - Fuzzy Requests",
                                            "Fuzzy_Requests")
        self.w3af = w3af
        self.historyItem = HistoryItem()
        panes = gtk.HBox()

        # Storage for the responses
        self.responses = []

        # ---- left pane ----
        editor_box = gtk.VBox()
        panes.pack_start(editor_box, False, False)

        # Buttons are built before the request widget, which is handed
        # their set_sensitive methods.
        analyze_btn = gtk.Button("Analyze")
        self.sendPlayBut = entries.SemiStockButton(
            "", gtk.STOCK_MEDIA_PLAY, "Sends the pending requests")
        self.sendStopBut = entries.SemiStockButton(
            "", gtk.STOCK_MEDIA_STOP, "Stops the request being sent")
        self.sSB_state = helpers.PropagateBuffer(self.sendStopBut.set_sensitive)
        self.sSB_state.change(self, False)

        # Check box for fixing the content length header; on by default
        length_cb = gtk.CheckButton('Fix content length header')
        length_cb.set_active(True)
        length_cb.show()
        self._fix_content_lengthCB = length_cb

        # The request editor
        self.originalReq = reqResViewer.requestPart(
            self,
            w3af,
            [
                analyze_btn.set_sensitive,
                self.sendPlayBut.set_sensitive,
                functools.partial(self.sSB_state.change, "rRV"),
            ],
            editable=True,
            widgname="fuzzyrequest")

        if initial_request is None:
            self.originalReq.show_raw(FUZZY_REQUEST_EXAMPLE, '')
        else:
            first_part, second_part = initial_request
            self.originalReq.show_raw(first_part, second_part)

        # Hook the right-button popup menu of the raw text view
        http_raw_view = self.originalReq.get_view_by_id('HttpRawView')
        http_raw_view.textView.connect("populate-popup", self._populate_popup)

        # Help page appended to the request editor
        syntax_help = gtk.Label()
        syntax_help.set_selectable(True)
        syntax_help.set_markup(FUZZYHELP)
        self.originalReq.append_page(syntax_help, gtk.Label("Syntax help"))
        syntax_help.show()
        self.originalReq.show()
        editor_box.pack_start(self.originalReq, True, True, padding=5)
        editor_box.show()

        # Command table, two rows by four columns
        cmd_table = gtk.Table(2, 4)
        analyze_btn.connect("clicked", self._analyze)
        cmd_table.attach(analyze_btn, 0, 2, 0, 1)
        self.analyzefb = gtk.Label("0 requests")
        self.analyzefb.set_sensitive(False)
        cmd_table.attach(self.analyzefb, 2, 3, 0, 1)
        self.preview = gtk.CheckButton("Preview")
        cmd_table.attach(self.preview, 3, 4, 0, 1)
        # connect() returns the handler id, stored for later use
        self.sPB_signal = self.sendPlayBut.connect("clicked", self._send_start)
        cmd_table.attach(self.sendPlayBut, 0, 1, 1, 2)
        self.sendStopBut.connect("clicked", self._send_stop)
        cmd_table.attach(self.sendStopBut, 1, 2, 1, 2)
        self.sendfb = gtk.Label("0 ok, 0 errors")
        self.sendfb.set_sensitive(False)
        cmd_table.attach(self.sendfb, 2, 3, 1, 2)
        cmd_table.attach(self._fix_content_lengthCB, 3, 4, 1, 2)
        cmd_table.show_all()

        editor_box.pack_start(cmd_table, False, False, padding=5)

        # ---- throbber pane ----
        throbber_box = gtk.VBox()
        self.throbber = helpers.Throbber()
        self.throbber.set_sensitive(False)
        throbber_box.pack_start(self.throbber, False, False)
        throbber_box.show()
        panes.pack_start(throbber_box, False, False)

        # ---- right pane ----
        result_box = gtk.VBox()
        panes.pack_start(result_box)

        # Shows the id of the response
        self.title0 = gtk.Label()
        self.title0.show()
        result_box.pack_start(self.title0, False, True)

        # Result viewer, created with both editable flags off
        self.resultReqResp = reqResViewer.reqResViewer(
            w3af, withFuzzy=False,
            editableRequest=False, editableResponse=False)
        self.resultReqResp.set_sensitive(False)
        result_box.pack_start(self.resultReqResp, True, True, padding=5)
        result_box.show()

        # Paging through the results
        result_controls = gtk.HBox()
        self.pagesControl = entries.PagesControl(w3af, self._pageChange)
        result_controls.pack_start(self.pagesControl, True, False)
        result_controls.show()

        # Cluster responses button. The image path is relative and is
        # therefore looked up from the current working directory.
        cluster_img = gtk.Image()
        cluster_img.set_from_file(
            os.path.join('core', 'ui', 'gui', 'data', 'cluster_data.png'))
        cluster_img.show()
        self.clusterButton = gtk.Button(label='Cluster responses')
        self.clusterButton.connect("clicked", self._clusterData)
        self.clusterButton.set_sensitive(False)
        self.clusterButton.set_image(cluster_img)
        self.clusterButton.show()
        result_controls.pack_start(self.clusterButton, True, False)

        # Clear responses button
        self.clearButton = entries.SemiStockButton(
            'Clear Responses',
            gtk.STOCK_CLEAR,
            tooltip='Clear all HTTP responses from fuzzer window')
        self.clearButton.connect("clicked", self._clearResponses)
        self.clearButton.set_sensitive(False)
        self.clearButton.show()
        result_controls.pack_start(self.clearButton, True, False)

        result_box.pack_start(result_controls, False, False, padding=5)

        # Show all!
        self._sendPaused = True
        self.vbox.pack_start(panes)
        self.vbox.show()
        panes.show()
        self.show()
Esempio n. 37
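class httpLogTab(entries.RememberingHPaned):
    """A tab that shows all HTTP requests and responses made by the framework.

    The tab stacks a search bar, a filter box that can be shown or hidden,
    and a vertical pane with the transaction list above a non-editable
    request/response viewer. Several handlers wired here
    (find_request_response, refresh_results, _view_in_req_res_viewer,
    _empty_results) are not part of this listing.

    :author: Andres Riancho ([email protected])
    """

    def __init__(self, w3af, padding=10, time_refresh=False):
        """Init object.

        :param w3af: object handed on to the child widgets.
        :param padding: spacing applied to the main box, the search bar and
            the filter box.
        :param time_refresh: when true, self.refresh_results is scheduled
            with gobject.timeout_add at an interval of 1000 ms.
        """
        super(httpLogTab, self).__init__(w3af, "pane-httplogtab", 300)
        self.w3af = w3af
        self._padding = padding
        self._lastId = 0
        self._historyItem = HistoryItem()
        if time_refresh:
            gobject.timeout_add(1000, self.refresh_results)
        # Create the main container
        mainvbox = gtk.VBox()
        mainvbox.set_spacing(self._padding)
        # Add the menuHbox, Req/Res viewer and the R/R selector on the bottom
        self._initSearchBox(mainvbox)
        self._initFilterBox(mainvbox)
        self._initReqResViewer(mainvbox)
        mainvbox.show()
        # Add everything
        self.add(mainvbox)
        self.show()

    def _initReqResViewer(self, mainvbox):
        """Create the req/res viewer and the transaction list above it.

        :param mainvbox: container the resulting vertical pane is packed into.
        """
        self._reqResViewer = reqResViewer.reqResViewer(
            self.w3af, editableRequest=False, editableResponse=False)
        self._reqResViewer.set_sensitive(False)
        # Create the req/res selector (when a search with more
        # than one result is done, this window appears)
        self._sw = gtk.ScrolledWindow()
        self._sw.set_shadow_type(gtk.SHADOW_ETCHED_IN)
        self._sw.set_policy(gtk.POLICY_AUTOMATIC, gtk.POLICY_AUTOMATIC)
        # Column indexes match the ones used by __add_columns,
        # toggle_bookmark and edit_tag.
        self._lstore = gtk.ListStore(
            gobject.TYPE_UINT,     # 0: id
            gobject.TYPE_BOOLEAN,  # 1: bookmark
            gobject.TYPE_STRING,   # 2: method
            gobject.TYPE_STRING,   # 3: URI
            gobject.TYPE_STRING,   # 4: tag
            gobject.TYPE_UINT,     # 5: code
            gobject.TYPE_STRING,   # 6: message
            gobject.TYPE_UINT,     # 7: content length
            gobject.TYPE_STRING,   # 8: content type
            gobject.TYPE_FLOAT,    # 9: time
        )
        # Create tree view
        self._lstoreTreeview = gtk.TreeView(self._lstore)
        self._lstoreTreeview.set_rules_hint(True)
        self._lstoreTreeview.set_search_column(0)
        self.__add_columns(self._lstoreTreeview)
        self._lstoreTreeview.show()
        self._lstoreTreeview.connect("cursor-changed",
                                     self._view_in_req_res_viewer)
        # Popup menu, built lazily by _popupMenu
        self._rightButtonMenu = None
        self._lstoreTreeview.connect("button-press-event", self._popupMenu)
        # Selection: several rows may be selected at once, which is what
        # _deleteSelected operates on
        treeselection = self._lstoreTreeview.get_selection()
        treeselection.set_mode(gtk.SELECTION_MULTIPLE)

        self._sw.add(self._lstoreTreeview)
        # self._sw.set_sensitive(False)
        self._sw.show_all()
        # I want all sections to be resizable
        self._vpan = entries.RememberingVPaned(self.w3af, "pane-swandrRV", 100)
        self._vpan.pack1(self._sw)
        self._vpan.pack2(self._reqResViewer)
        self._vpan.show()
        mainvbox.pack_start(self._vpan)

    def _popupMenu(self, tv, event):
        """Generate and show popup menu.

        :param tv: the tree view that emitted the event (unused).
        :param event: the button press event.
        :return: True when the menu was shown, None for any button other
            than button 3.
        """
        if event.button != 3:
            return
        # creates the whole menu only once
        if self._rightButtonMenu is None:
            gm = gtk.Menu()
            self._rightButtonMenu = gm
            # the items
            e = gtk.MenuItem(_("Delete selected items"))
            e.connect("activate", self._deleteSelected)
            gm.append(e)
            gm.show_all()
        else:
            gm = self._rightButtonMenu
        gm.popup(None, None, None, event.button, event.time)
        return True

    def _deleteSelected(self, widg=None):
        """Delete selected transactions.

        The selected rows are removed from the list store and each of their
        ids is then passed to self._historyItem.delete.

        :param widg: the menu item that triggered the call (unused).
        """
        ids = []
        iters = []
        selection = self._lstoreTreeview.get_selection()
        pathlist = selection.get_selected_rows()[1]
        # Collect iters and ids before removing anything: the paths are
        # row positions and shift once a row is removed.
        for path in pathlist:
            iters.append(self._lstore.get_iter(path))
            ids.append(self._lstore[path[0]][0])
        for row_iter in iters:
            self._lstore.remove(row_iter)
        #  TODO Move this action to separate thread
        for iid in ids:
            self._historyItem.delete(iid)

    def _initSearchBox(self, mainvbox):
        """Init Search box.

        :param mainvbox: container the search bar is packed into.
        """
        # The search entry
        self._searchText = gtk.Entry()
        self._searchText.connect("activate", self.find_request_response)
        # The button that is used to advanced search
        filterBtn = gtk.ToggleButton(label=_("_Filter Options"))
        filterBtn.connect("toggled", self._showHideFilterBox)
        filterImg = gtk.Image()
        filterImg.set_from_stock(gtk.STOCK_FIND, gtk.ICON_SIZE_MENU)
        filterBtn.set_image(filterImg)
        # Clear button
        close = gtk.Image()
        close.set_from_stock(gtk.STOCK_CLEAR, gtk.ICON_SIZE_MENU)
        clearBox = gtk.EventBox()
        clearBox.add(close)
        clearBox.connect("button-release-event", self._showAllRequestResponses)
        # Create the container that has the menu
        menuHbox = gtk.HBox()
        menuHbox.set_spacing(self._padding)
        menuHbox.pack_start(gtk.Label(_("Search:")), False)
        menuHbox.pack_start(self._searchText)
        menuHbox.pack_start(clearBox, False)
        menuHbox.pack_start(filterBtn, False)
        menuHbox.show_all()
        mainvbox.pack_start(menuHbox, False, True)

    def _initFilterBox(self, mainvbox):
        """Init advanced search options.

        Builds one FilterOptions section each for request method,
        transaction id range, response code class, misc flags, response
        content type and response size. The box starts hidden.

        :param mainvbox: container the filter box is packed into.
        """
        self._advSearchBox = gtk.HBox()
        self._advSearchBox.set_spacing(self._padding)
        self.pref = FilterOptions(self)
        # Filter options; every tuple below is (name, description, default)
        self._filterMethods = [("GET", "GET", False), ("POST", "POST", False)]
        filterMethods = OptionList()
        for name, desc, default in self._filterMethods:
            filterMethods.add(opt_factory(name, default, desc, "boolean"))
        self.pref.add_section("methods", _("Request Method"), filterMethods)
        filterId = OptionList()
        filterId.add(opt_factory("min", "0", "Min ID", "string"))
        filterId.add(opt_factory("max", "0", "Max ID", "string"))
        self.pref.add_section("trans_id", _("Transaction ID"), filterId)
        filterCodes = OptionList()
        codes = [
            ("1xx", "1xx", False),
            ("2xx", "2xx", False),
            ("3xx", "3xx", False),
            ("4xx", "4xx", False),
            ("5xx", "5xx", False),
        ]
        for name, desc, default in codes:
            filterCodes.add(opt_factory(name, default, desc, "boolean"))
        self.pref.add_section("codes", _("Response Code"), filterCodes)
        filterMisc = OptionList()
        filterMisc.add(opt_factory("tag", False, "Tag", "boolean"))
        filterMisc.add(opt_factory("has_qs", False,
                                   "Request has Query String", "boolean"))
        self.pref.add_section("misc", _("Misc"), filterMisc)
        filterTypes = OptionList()
        self._filterTypes = [
            ("html", "HTML", False),
            ("javascript", "JavaScript", False),
            ("image", "Images", False),
            ("flash", "Flash", False),
            ("css", "CSS", False),
            ("text", "Text", False),
        ]
        for name, desc, default in self._filterTypes:
            filterTypes.add(opt_factory(name, default, desc, "boolean"))
        self.pref.add_section("types", _("Response Content Type"), filterTypes)
        filterSize = OptionList()
        filterSize.add(opt_factory("resp_size", False, "Not Null", "boolean"))
        self.pref.add_section("sizes", _("Response Size"), filterSize)
        self.pref.show()
        self._advSearchBox.pack_start(self.pref, False, False)
        self._advSearchBox.hide_all()
        mainvbox.pack_start(self._advSearchBox, False, False)

    def __add_columns(self, treeview):
        """Add columns to main log table.

        :param treeview: tree view whose model is the list store built in
            _initReqResViewer.
        """
        model = treeview.get_model()
        # Column for id's
        column = gtk.TreeViewColumn(_("ID"), gtk.CellRendererText(), text=0)
        column.set_sort_column_id(0)
        treeview.append_column(column)

        # Column for bookmark (store column 1), currently disabled.
        # TODO: Find a better way to do this. The "B" and the checkbox aren't nice
        # what we aim for is something like the stars in gmail.
        #
        # renderer = gtk.CellRendererToggle()
        # renderer.set_property('activatable', True)
        # renderer.connect('toggled', self.toggle_bookmark, model)
        # column = gtk.TreeViewColumn(_('B'), renderer)
        # column.add_attribute(renderer, "active", 1)
        # column.set_sort_column_id(1)
        # treeview.append_column(column)

        # Column for METHOD
        column = gtk.TreeViewColumn(_("Method"), gtk.CellRendererText(), text=2)
        column.set_sort_column_id(2)
        treeview.append_column(column)
        # Column for URI
        renderer = gtk.CellRendererText()
        renderer.set_property("ellipsize", pango.ELLIPSIZE_END)
        column = gtk.TreeViewColumn("URI", renderer, text=3)
        column.set_sort_column_id(3)
        column.set_expand(True)
        column.set_resizable(True)
        treeview.append_column(column)
        # Column for Tag: the only editable cell; edits go to edit_tag
        renderer = gtk.CellRendererText()
        # renderer.set_property('ellipsize', pango.ELLIPSIZE_END)
        renderer.set_property("editable", True)
        renderer.connect("edited", self.edit_tag, model)
        column = gtk.TreeViewColumn(_("Tag"), renderer, text=4)
        column.set_sort_column_id(4)
        column.set_resizable(True)
        column.set_sizing(gtk.TREE_VIEW_COLUMN_GROW_ONLY)
        treeview.append_column(column)
        extColumns = [
            (5, _("Code")),
            (6, _("Message")),
            (7, _("Content-Length")),
            (8, _("Content-Type")),
            (9, _("Time (ms)")),
        ]
        for n, title in extColumns:
            column = gtk.TreeViewColumn(title, gtk.CellRendererText(), text=n)
            column.set_sort_column_id(n)
            treeview.append_column(column)

    def toggle_bookmark(self, cell, path, model):
        """Toggle bookmark.

        Flips column 1 of the row and calls toggle_mark on the history item
        loaded for the row's id (column 0).

        :param cell: the renderer that emitted the signal (unused).
        :param path: path of the toggled row.
        :param model: the list store holding the row.
        """
        model[path][1] = not model[path][1]
        historyItem = HistoryItem()
        historyItem.load(model[path][0])
        # NOTE(review): the meaning of the True argument is not visible
        # here -- confirm against HistoryItem.toggle_mark.
        historyItem.toggle_mark(True)

    def edit_tag(self, cell, path, new_text, model):
        """Edit tag.

        Writes the text typed by the user into column 4 of the row and
        passes it to update_tag on the history item loaded for the row's id.

        :param cell: the renderer that emitted the signal (unused).
        :param path: path of the edited row.
        :param new_text: the text entered in the cell.
        :param model: the list store holding the row.
        """
        model[path][4] = new_text
        historyItem = HistoryItem()
        historyItem.load(model[path][0])
        # NOTE(review): the meaning of the True argument is not visible
        # here -- confirm against HistoryItem.update_tag.
        historyItem.update_tag(new_text, True)

    def _showHideFilterBox(self, widget):
        """Show/hide advanced options.

        :param widget: the toggle button; its active state decides.
        """
        if widget.get_active():
            self._advSearchBox.show_all()
        else:
            self._advSearchBox.hide_all()

    def _showAllRequestResponses(self, widget=None, event=None):
        """Show all results.

        Clears the search text and runs the search again; if the search
        raises w3afException the result list is emptied instead.

        :param widget: the event box that was clicked (unused).
        :param event: the button release event (unused).
        """
        self._searchText.set_text("")
        try:
            self.find_request_response()
        except w3afException:
            # The exception object itself is not needed, so it is not bound.
            self._empty_results()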
Esempio n. 38
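class FuzzyRequests(entries.RememberingWindow):
    '''Infrastructure to generate fuzzy HTTP requests.

    The window has three panes: the editable request template with its
    Analyze / Play / Stop controls on the left, a throbber in the middle
    and a read-only request/response viewer with paging on the right.

    :author: Facundo Batista <facundobatista =at= taniquetil.com.ar>
    '''
    def __init__(self, w3af, initial_request=None):
        '''Build all the widgets and show the window.

        :param w3af: the core object, kept as ``self.w3af`` and passed on to
                     the child widgets.
        :param initial_request: optional two-item sequence handed to
                     ``show_raw`` to pre-fill the editor (presumably the
                     request head and body - confirm against the callers);
                     when ``None`` the editor shows ``FUZZY_REQUEST_EXAMPLE``.
        '''
        super(FuzzyRequests,
              self).__init__(w3af, "fuzzyreq", "w3af - Fuzzy Requests",
                             "Fuzzy_Requests")
        self.w3af = w3af
        # Shared accessor used by _clusterData to read stored responses
        self.historyItem = HistoryItem()
        mainhbox = gtk.HBox()

        # To store the responses
        self.responses = []

        # ---- left pane ----
        vbox = gtk.VBox()
        mainhbox.pack_start(vbox, False, False)

        # we create the buttons first, to pass them
        analyzBut = gtk.Button("Analyze")
        self.sendPlayBut = entries.SemiStockButton(
            "", gtk.STOCK_MEDIA_PLAY, "Sends the pending requests")
        self.sendStopBut = entries.SemiStockButton(
            "", gtk.STOCK_MEDIA_STOP, "Stops the request being sent")
        # NOTE(review): PropagateBuffer presumably merges the state reported
        # by several sources (this window and the "rRV" viewer below) before
        # toggling the Stop button - confirm in helpers.
        self.sSB_state = helpers.PropagateBuffer(
            self.sendStopBut.set_sensitive)
        self.sSB_state.change(self, False)

        # Fix content length checkbox (on by default)
        self._fix_content_lengthCB = gtk.CheckButton(
            'Fix content length header')
        self._fix_content_lengthCB.set_active(True)
        self._fix_content_lengthCB.show()

        # request
        self.originalReq = reqResViewer.requestPart(
            self,
            w3af, [
                analyzBut.set_sensitive, self.sendPlayBut.set_sensitive,
                functools.partial(self.sSB_state.change, "rRV")
            ],
            editable=True,
            widgname="fuzzyrequest")

        if initial_request is None:
            self.originalReq.show_raw(FUZZY_REQUEST_EXAMPLE, '')
        else:
            (initialUp, initialDn) = initial_request
            self.originalReq.show_raw(initialUp, initialDn)

        # Add the right button popup menu to the text widgets
        rawTextView = self.originalReq.get_view_by_id('HttpRawView')
        rawTextView.textView.connect("populate-popup", self._populate_popup)

        # help
        helplabel = gtk.Label()
        helplabel.set_selectable(True)
        helplabel.set_markup(FUZZYHELP)
        self.originalReq.append_page(helplabel, gtk.Label("Syntax help"))
        helplabel.show()
        self.originalReq.show()
        vbox.pack_start(self.originalReq, True, True, padding=5)
        vbox.show()

        # the commands
        t = gtk.Table(2, 4)
        analyzBut.connect("clicked", self._analyze)
        t.attach(analyzBut, 0, 2, 0, 1)
        self.analyzefb = gtk.Label("0 requests")
        self.analyzefb.set_sensitive(False)
        t.attach(self.analyzefb, 2, 3, 0, 1)
        self.preview = gtk.CheckButton("Preview")
        t.attach(self.preview, 3, 4, 0, 1)
        # The handler id is kept because the Play button is re-wired between
        # start / pause / play as the sending state changes.
        self.sPB_signal = self.sendPlayBut.connect("clicked", self._send_start)
        t.attach(self.sendPlayBut, 0, 1, 1, 2)
        self.sendStopBut.connect("clicked", self._send_stop)
        t.attach(self.sendStopBut, 1, 2, 1, 2)
        self.sendfb = gtk.Label("0 ok, 0 errors")
        self.sendfb.set_sensitive(False)
        t.attach(self.sendfb, 2, 3, 1, 2)
        t.attach(self._fix_content_lengthCB, 3, 4, 1, 2)
        t.show_all()

        vbox.pack_start(t, False, False, padding=5)

        # ---- throbber pane ----
        vbox = gtk.VBox()
        self.throbber = helpers.Throbber()
        self.throbber.set_sensitive(False)
        vbox.pack_start(self.throbber, False, False)
        vbox.show()
        mainhbox.pack_start(vbox, False, False)

        # ---- right pane ----
        vbox = gtk.VBox()
        mainhbox.pack_start(vbox)

        # A label to show the id of the response
        self.title0 = gtk.Label()
        self.title0.show()
        vbox.pack_start(self.title0, False, True)

        # result itself: read-only viewer, insensitive until there is data
        self.resultReqResp = reqResViewer.reqResViewer(w3af,
                                                       withFuzzy=False,
                                                       editableRequest=False,
                                                       editableResponse=False)
        self.resultReqResp.set_sensitive(False)
        vbox.pack_start(self.resultReqResp, True, True, padding=5)
        vbox.show()

        # result control
        centerbox = gtk.HBox()
        self.pagesControl = entries.PagesControl(w3af, self._pageChange)
        centerbox.pack_start(self.pagesControl, True, False)
        centerbox.show()

        # cluster responses button
        # NOTE(review): the image path is relative, so it is resolved against
        # the process working directory.
        image = gtk.Image()
        image.set_from_file(
            os.path.join('core', 'ui', 'gui', 'data', 'cluster_data.png'))
        image.show()
        self.clusterButton = gtk.Button(label='Cluster responses')
        self.clusterButton.connect("clicked", self._clusterData)
        self.clusterButton.set_sensitive(False)
        self.clusterButton.set_image(image)
        self.clusterButton.show()
        centerbox.pack_start(self.clusterButton, True, False)

        # clear responses button
        self.clearButton = entries.SemiStockButton(
            'Clear Responses',
            gtk.STOCK_CLEAR,
            tooltip='Clear all HTTP responses from fuzzer window')
        self.clearButton.connect("clicked", self._clearResponses)
        self.clearButton.set_sensitive(False)
        self.clearButton.show()
        centerbox.pack_start(self.clearButton, True, False)

        vbox.pack_start(centerbox, False, False, padding=5)

        # Show all!
        self._sendPaused = True
        self.vbox.pack_start(mainhbox)
        self.vbox.show()
        mainhbox.show()
        self.show()

    def _populate_popup(self, textview, menu):
        '''Populates the menu with the fuzzing items.

        :param textview: the text view that is building its context menu.
        :param menu: the menu being populated; a separator and a
                     "Generators" submenu are appended to it.
        '''
        menu.append(gtk.SeparatorMenuItem())
        main_generator_menu = gtk.MenuItem(_("Generators"))
        main_generator_menu.set_submenu(create_generator_menu(self))
        menu.append(main_generator_menu)
        menu.show_all()

    def _clearResponses(self, widg):
        '''Clears all the responses from the fuzzy window.

        Empties ``self.responses``, clears both result panes and disables
        every control that needs responses to work on.

        :param widg: the button that was clicked (not used).
        '''
        self.responses = []
        self.resultReqResp.request.clear_panes()
        self.resultReqResp.response.clear_panes()
        self.resultReqResp.set_sensitive(False)
        self.clusterButton.set_sensitive(False)
        self.clearButton.set_sensitive(False)
        self.pagesControl.deactivate()

    def _clusterData(self, widg):
        '''Analyze if we can cluster the responses and do it.

        Only entries of ``self.responses`` whose first item is true are
        used; their second item is the id read back from the history.

        :param widg: the button that was clicked (not used).
        '''
        data = []
        for resp in self.responses:
            if resp[0]:
                reqid = resp[1]
                historyItem = self.historyItem.read(reqid)
                data.append(historyItem.response)

        if data:
            distance_function_selector(self.w3af, data)
        else:
            # Let the user know about the problem
            msg = "There are no HTTP responses available to cluster."
            dlg = gtk.MessageDialog(None, gtk.DIALOG_MODAL,
                                    gtk.MESSAGE_WARNING, gtk.BUTTONS_OK, msg)
            # Only an OK button is offered, so the answer is not needed
            dlg.run()
            dlg.destroy()

    def _analyze(self, widg):
        '''Handles the Analyze part.

        Builds the generator from the current editor contents and shows how
        many requests it would produce; nothing is sent from here.

        :param widg: the button that was clicked (not used).
        '''
        (request, postbody) = self.originalReq.get_both_texts()
        try:
            fg = helpers.coreWrap(fuzzygen.FuzzyGenerator, request, postbody)
        except fuzzygen.FuzzyError:
            # NOTE(review): presumably coreWrap already told the user what
            # is wrong with the template - confirm in helpers.
            return

        self.analyzefb.set_text("%d requests" % fg.calculate_quantity())
        self.analyzefb.set_sensitive(True)

        # raise the window only if preview is active
        if self.preview.get_active():
            PreviewWindow(self.w3af, self, fg)

    def _send_stop(self, widg=None):
        '''Stop the requests being sent.

        Sets the stop flag read by ``_real_send`` and wires the Play button
        back to ``_send_start``.

        :param widg: the button that was clicked, or ``None`` when called
                     from ``_real_send`` once the generator is exhausted.
        '''
        self._sendStopped = True
        self.sendPlayBut.change_internals("", gtk.STOCK_MEDIA_PLAY,
                                          "Sends the pending requests")
        self.sendPlayBut.disconnect(self.sPB_signal)
        self.sPB_signal = self.sendPlayBut.connect("clicked", self._send_start)
        self.sSB_state.change(self, False)
        self.throbber.running(False)

    def _send_pause(self, widg):
        '''Pause the requests being sent.

        The Play button is re-wired to ``_send_play`` so the next click
        resumes the same run.

        :param widg: the button that was clicked (not used).
        '''
        self._sendPaused = True
        self.sendPlayBut.change_internals("", gtk.STOCK_MEDIA_PLAY,
                                          "Sends the pending requests")
        self.sendPlayBut.disconnect(self.sPB_signal)
        self.sPB_signal = self.sendPlayBut.connect("clicked", self._send_play)
        self.throbber.running(False)

    def _send_play(self, widg):
        '''Continue sending the requests.

        :param widg: the button that was clicked (not used).
        '''
        self._sendPaused = False
        # The button now shows the pause icon, so it gets the same tooltip
        # _send_start uses for that state.
        self.sendPlayBut.change_internals("", gtk.STOCK_MEDIA_PAUSE,
                                          "Pauses the requests sending")
        self.sendPlayBut.disconnect(self.sPB_signal)
        self.sPB_signal = self.sendPlayBut.connect("clicked", self._send_pause)
        self.throbber.running(True)

    def _send_start(self, widg):
        '''Start sending the requests.

        Builds the generator from the editor contents, asks for confirmation
        when more than 20 requests would be sent, resets the counters and
        schedules ``_real_send`` every 100 ms.

        :param widg: the button that was clicked (not used).
        '''
        (request, postbody) = self.originalReq.get_both_texts()
        try:
            fg = helpers.coreWrap(fuzzygen.FuzzyGenerator, request, postbody)
        except fuzzygen.FuzzyError:
            return

        # Confirmation guard: a template that expands to many requests needs
        # an explicit YES, so the target is not hit with a large batch by
        # accident.
        quant = fg.calculate_quantity()
        if quant > 20:
            msg = "Are you sure you want to send %d requests?" % quant
            dlg = gtk.MessageDialog(None, gtk.DIALOG_MODAL,
                                    gtk.MESSAGE_WARNING, gtk.BUTTONS_YES_NO,
                                    msg)
            opt = dlg.run()
            dlg.destroy()
            if opt != gtk.RESPONSE_YES:
                return

        # Get the fix content length value
        fixContentLength = self._fix_content_lengthCB.get_active()

        # initial state
        self.result_ok = 0
        self.result_err = 0
        self._sendPaused = False
        self._sendStopped = False
        requestGenerator = fg.generate()

        # change the buttons
        self.sendPlayBut.change_internals("", gtk.STOCK_MEDIA_PAUSE,
                                          "Pauses the requests sending")
        self.sendPlayBut.disconnect(self.sPB_signal)
        self.sPB_signal = self.sendPlayBut.connect("clicked", self._send_pause)
        self.sSB_state.change(self, True)
        self.throbber.running(True)

        # let's send the requests!
        # NOTE(review): the timeout id is discarded, so a run can only be
        # ended through the _sendStopped flag seen on the next tick.
        gobject.timeout_add(100, self._real_send, fixContentLength,
                            requestGenerator)

    def _real_send(self, fixContentLength, requestGenerator):
        '''This is the one that actually sends the requests, if corresponds.

        It runs as the ``gobject`` timeout callback scheduled by
        ``_send_start``. NOTE(review): this listing ends right after the
        exception handlers; what happens with ``httpResp`` and ``errorMsg``
        afterwards is not visible here.

        :param fixContentLength: if the length should be fixed by the core.
        :param requestGenerator: where to ask for the requests
        :return: ``False`` when the run was stopped, the generator is
                 exhausted or the core asked to stop; ``True`` while paused,
                 so the callback is called again.
        '''
        if self._sendStopped:
            return False
        if self._sendPaused:
            return True

        try:
            (realreq, realbody) = requestGenerator.next()
        except StopIteration:
            # finished with all the requests!
            self._send_stop()
            return False

        try:
            httpResp = self.w3af.uri_opener.send_raw_request(
                realreq, realbody, fixContentLength)
            errorMsg = None
            self.result_ok += 1
        except w3afException, e:
            # Recoverable error: count it and keep the message
            errorMsg = str(e)
            httpResp = None
            self.result_err += 1
        except w3afMustStopException, e:
            # The core asked to stop: count it, tell the user and end the run
            errorMsg = str(e)
            httpResp = None
            self.result_err += 1

            # Let the user know about the problem
            msg = "Stopped sending requests because of the following"\
                  " unexpected error:\n\n%s" % str(e)

            helpers.FriendlyExceptionDlg(msg)
            return False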
Esempio n. 39
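class FuzzyRequests(entries.RememberingWindow):
    '''Infrastructure to generate fuzzy HTTP requests.

    The window has three panes: the editable request template with its
    Analyze / Play / Stop controls on the left, a throbber in the middle
    and a read-only request/response viewer with paging on the right.

    :author: Facundo Batista <facundobatista =at= taniquetil.com.ar>
    '''
    def __init__(self, w3af, initial_request=None):
        '''Build all the widgets and show the window.

        :param w3af: the core object, kept as ``self.w3af`` and passed on to
                     the child widgets.
        :param initial_request: optional two-item sequence handed to
                     ``show_raw`` to pre-fill the editor (presumably the
                     request head and body - confirm against the callers);
                     when ``None`` the editor shows ``FUZZY_REQUEST_EXAMPLE``.
        '''
        super(FuzzyRequests, self).__init__(
            w3af, "fuzzyreq", "w3af - Fuzzy Requests", "Fuzzy_Requests")
        self.w3af = w3af
        # Shared accessor used by _clusterData to read stored responses
        self.historyItem = HistoryItem()
        mainhbox = gtk.HBox()

        # To store the responses
        self.responses = []

        # ---- left pane ----
        vbox = gtk.VBox()
        mainhbox.pack_start(vbox, False, False)

        # we create the buttons first, to pass them
        analyzBut = gtk.Button("Analyze")
        self.sendPlayBut = entries.SemiStockButton(
            "", gtk.STOCK_MEDIA_PLAY, "Sends the pending requests")
        self.sendStopBut = entries.SemiStockButton(
            "", gtk.STOCK_MEDIA_STOP, "Stops the request being sent")
        # NOTE(review): PropagateBuffer presumably merges the state reported
        # by several sources (this window and the "rRV" viewer below) before
        # toggling the Stop button - confirm in helpers.
        self.sSB_state = helpers.PropagateBuffer(
            self.sendStopBut.set_sensitive)
        self.sSB_state.change(self, False)

        # Fix content length checkbox (on by default)
        self._fix_content_lengthCB = gtk.CheckButton('Fix content length header')
        self._fix_content_lengthCB.set_active(True)
        self._fix_content_lengthCB.show()

        # request
        self.originalReq = reqResViewer.requestPart(self, w3af,
                                                    [analyzBut.set_sensitive,
                                                     self.sendPlayBut.set_sensitive,
                                                     functools.partial(
                                                     self.sSB_state.change, "rRV")],
                                                    editable=True, widgname="fuzzyrequest")

        if initial_request is None:
            self.originalReq.show_raw(FUZZY_REQUEST_EXAMPLE, '')
        else:
            (initialUp, initialDn) = initial_request
            self.originalReq.show_raw(initialUp, initialDn)

        # Add the right button popup menu to the text widgets
        rawTextView = self.originalReq.get_view_by_id('HttpRawView')
        rawTextView.textView.connect("populate-popup", self._populate_popup)

        # help
        helplabel = gtk.Label()
        helplabel.set_selectable(True)
        helplabel.set_markup(FUZZYHELP)
        self.originalReq.append_page(helplabel, gtk.Label("Syntax help"))
        helplabel.show()
        self.originalReq.show()
        vbox.pack_start(self.originalReq, True, True, padding=5)
        vbox.show()

        # the commands
        t = gtk.Table(2, 4)
        analyzBut.connect("clicked", self._analyze)
        t.attach(analyzBut, 0, 2, 0, 1)
        self.analyzefb = gtk.Label("0 requests")
        self.analyzefb.set_sensitive(False)
        t.attach(self.analyzefb, 2, 3, 0, 1)
        self.preview = gtk.CheckButton("Preview")
        t.attach(self.preview, 3, 4, 0, 1)
        # The handler id is kept because the Play button is re-wired between
        # start / pause / play as the sending state changes.
        self.sPB_signal = self.sendPlayBut.connect("clicked", self._send_start)
        t.attach(self.sendPlayBut, 0, 1, 1, 2)
        self.sendStopBut.connect("clicked", self._send_stop)
        t.attach(self.sendStopBut, 1, 2, 1, 2)
        self.sendfb = gtk.Label("0 ok, 0 errors")
        self.sendfb.set_sensitive(False)
        t.attach(self.sendfb, 2, 3, 1, 2)
        t.attach(self._fix_content_lengthCB, 3, 4, 1, 2)
        t.show_all()

        vbox.pack_start(t, False, False, padding=5)

        # ---- throbber pane ----
        vbox = gtk.VBox()
        self.throbber = helpers.Throbber()
        self.throbber.set_sensitive(False)
        vbox.pack_start(self.throbber, False, False)
        vbox.show()
        mainhbox.pack_start(vbox, False, False)

        # ---- right pane ----
        vbox = gtk.VBox()
        mainhbox.pack_start(vbox)

        # A label to show the id of the response
        self.title0 = gtk.Label()
        self.title0.show()
        vbox.pack_start(self.title0, False, True)

        # result itself: read-only viewer, insensitive until there is data
        self.resultReqResp = reqResViewer.reqResViewer(w3af, withFuzzy=False,
                                                       editableRequest=False,
                                                       editableResponse=False)
        self.resultReqResp.set_sensitive(False)
        vbox.pack_start(self.resultReqResp, True, True, padding=5)
        vbox.show()

        # result control
        centerbox = gtk.HBox()
        self.pagesControl = entries.PagesControl(w3af, self._pageChange)
        centerbox.pack_start(self.pagesControl, True, False)
        centerbox.show()

        # cluster responses button
        # NOTE(review): the image path is relative, so it is resolved against
        # the process working directory.
        image = gtk.Image()
        image.set_from_file(os.path.join('core', 'ui', 'gui', 'data',
                                         'cluster_data.png'))
        image.show()
        self.clusterButton = gtk.Button(label='Cluster responses')
        self.clusterButton.connect("clicked", self._clusterData)
        self.clusterButton.set_sensitive(False)
        self.clusterButton.set_image(image)
        self.clusterButton.show()
        centerbox.pack_start(self.clusterButton, True, False)

        # clear responses button
        self.clearButton = entries.SemiStockButton(
            'Clear Responses', gtk.STOCK_CLEAR,
            tooltip='Clear all HTTP responses from fuzzer window')
        self.clearButton.connect("clicked", self._clearResponses)
        self.clearButton.set_sensitive(False)
        self.clearButton.show()
        centerbox.pack_start(self.clearButton, True, False)

        vbox.pack_start(centerbox, False, False, padding=5)

        # Show all!
        self._sendPaused = True
        self.vbox.pack_start(mainhbox)
        self.vbox.show()
        mainhbox.show()
        self.show()

    def _populate_popup(self, textview, menu):
        '''Populates the menu with the fuzzing items.

        :param textview: the text view that is building its context menu.
        :param menu: the menu being populated; a separator and a
                     "Generators" submenu are appended to it.
        '''
        menu.append(gtk.SeparatorMenuItem())
        main_generator_menu = gtk.MenuItem(_("Generators"))
        main_generator_menu.set_submenu(create_generator_menu(self))
        menu.append(main_generator_menu)
        menu.show_all()

    def _clearResponses(self, widg):
        '''Clears all the responses from the fuzzy window.

        Empties ``self.responses``, clears both result panes and disables
        every control that needs responses to work on.

        :param widg: the button that was clicked (not used).
        '''
        self.responses = []
        self.resultReqResp.request.clear_panes()
        self.resultReqResp.response.clear_panes()
        self.resultReqResp.set_sensitive(False)
        self.clusterButton.set_sensitive(False)
        self.clearButton.set_sensitive(False)
        self.pagesControl.deactivate()

    def _clusterData(self, widg):
        '''Analyze if we can cluster the responses and do it.

        Only entries of ``self.responses`` whose first item is true are
        used; their second item is the id read back from the history.

        :param widg: the button that was clicked (not used).
        '''
        data = []
        for resp in self.responses:
            if resp[0]:
                reqid = resp[1]
                historyItem = self.historyItem.read(reqid)
                data.append(historyItem.response)

        if data:
            distance_function_selector(self.w3af, data)
        else:
            # Let the user know about the problem
            msg = "There are no HTTP responses available to cluster."
            dlg = gtk.MessageDialog(None, gtk.DIALOG_MODAL,
                                    gtk.MESSAGE_WARNING, gtk.BUTTONS_OK, msg)
            # Only an OK button is offered, so the answer is not needed
            dlg.run()
            dlg.destroy()

    def _analyze(self, widg):
        '''Handles the Analyze part.

        Builds the generator from the current editor contents and shows how
        many requests it would produce; nothing is sent from here.

        :param widg: the button that was clicked (not used).
        '''
        (request, postbody) = self.originalReq.get_both_texts()
        try:
            fg = helpers.coreWrap(fuzzygen.FuzzyGenerator, request, postbody)
        except fuzzygen.FuzzyError:
            # NOTE(review): presumably coreWrap already told the user what
            # is wrong with the template - confirm in helpers.
            return

        self.analyzefb.set_text("%d requests" % fg.calculate_quantity())
        self.analyzefb.set_sensitive(True)

        # raise the window only if preview is active
        if self.preview.get_active():
            PreviewWindow(self.w3af, self, fg)

    def _send_stop(self, widg=None):
        '''Stop the requests being sent.

        Sets the stop flag read by ``_real_send`` and wires the Play button
        back to ``_send_start``.

        :param widg: the button that was clicked, or ``None`` when called
                     from ``_real_send`` once the generator is exhausted.
        '''
        self._sendStopped = True
        self.sendPlayBut.change_internals(
            "", gtk.STOCK_MEDIA_PLAY, "Sends the pending requests")
        self.sendPlayBut.disconnect(self.sPB_signal)
        self.sPB_signal = self.sendPlayBut.connect("clicked", self._send_start)
        self.sSB_state.change(self, False)
        self.throbber.running(False)

    def _send_pause(self, widg):
        '''Pause the requests being sent.

        The Play button is re-wired to ``_send_play`` so the next click
        resumes the same run.

        :param widg: the button that was clicked (not used).
        '''
        self._sendPaused = True
        self.sendPlayBut.change_internals(
            "", gtk.STOCK_MEDIA_PLAY, "Sends the pending requests")
        self.sendPlayBut.disconnect(self.sPB_signal)
        self.sPB_signal = self.sendPlayBut.connect("clicked", self._send_play)
        self.throbber.running(False)

    def _send_play(self, widg):
        '''Continue sending the requests.

        :param widg: the button that was clicked (not used).
        '''
        self._sendPaused = False
        # The button now shows the pause icon, so it gets the same tooltip
        # _send_start uses for that state.
        self.sendPlayBut.change_internals(
            "", gtk.STOCK_MEDIA_PAUSE, "Pauses the requests sending")
        self.sendPlayBut.disconnect(self.sPB_signal)
        self.sPB_signal = self.sendPlayBut.connect("clicked", self._send_pause)
        self.throbber.running(True)

    def _send_start(self, widg):
        '''Start sending the requests.

        Builds the generator from the editor contents, asks for confirmation
        when more than 20 requests would be sent, resets the counters and
        schedules ``_real_send`` every 100 ms.

        :param widg: the button that was clicked (not used).
        '''
        (request, postbody) = self.originalReq.get_both_texts()
        try:
            fg = helpers.coreWrap(fuzzygen.FuzzyGenerator, request, postbody)
        except fuzzygen.FuzzyError:
            return

        # Confirmation guard: a template that expands to many requests needs
        # an explicit YES, so the target is not hit with a large batch by
        # accident.
        quant = fg.calculate_quantity()
        if quant > 20:
            msg = "Are you sure you want to send %d requests?" % quant
            dlg = gtk.MessageDialog(None, gtk.DIALOG_MODAL,
                                    gtk.MESSAGE_WARNING, gtk.BUTTONS_YES_NO,
                                    msg)
            opt = dlg.run()
            dlg.destroy()
            if opt != gtk.RESPONSE_YES:
                return

        # Get the fix content length value
        fixContentLength = self._fix_content_lengthCB.get_active()

        # initial state
        self.result_ok = 0
        self.result_err = 0
        self._sendPaused = False
        self._sendStopped = False
        requestGenerator = fg.generate()

        # change the buttons
        self.sendPlayBut.change_internals(
            "", gtk.STOCK_MEDIA_PAUSE, "Pauses the requests sending")
        self.sendPlayBut.disconnect(self.sPB_signal)
        self.sPB_signal = self.sendPlayBut.connect("clicked", self._send_pause)
        self.sSB_state.change(self, True)
        self.throbber.running(True)

        # let's send the requests!
        # NOTE(review): the timeout id is discarded, so a run can only be
        # ended through the _sendStopped flag seen on the next tick.
        gobject.timeout_add(
            100, self._real_send, fixContentLength, requestGenerator)

    def _real_send(self, fixContentLength, requestGenerator):
        '''This is the one that actually sends the requests, if corresponds.

        It runs as the ``gobject`` timeout callback scheduled by
        ``_send_start``. NOTE(review): this listing ends right after the
        exception handlers; what happens with ``httpResp`` and ``errorMsg``
        afterwards is not visible here.

        :param fixContentLength: if the length should be fixed by the core.
        :param requestGenerator: where to ask for the requests
        :return: ``False`` when the run was stopped, the generator is
                 exhausted or the core asked to stop; ``True`` while paused,
                 so the callback is called again.
        '''
        if self._sendStopped:
            return False
        if self._sendPaused:
            return True

        try:
            (realreq, realbody) = requestGenerator.next()
        except StopIteration:
            # finished with all the requests!
            self._send_stop()
            return False

        try:
            httpResp = self.w3af.uri_opener.send_raw_request(
                realreq, realbody, fixContentLength)
            errorMsg = None
            self.result_ok += 1
        except w3afException, e:
            # Recoverable error: count it and keep the message
            errorMsg = str(e)
            httpResp = None
            self.result_err += 1
        except w3afMustStopException, e:
            # The core asked to stop: count it, tell the user and end the run
            errorMsg = str(e)
            httpResp = None
            self.result_err += 1

            # Let the user know about the problem
            msg = "Stopped sending requests because of the following"\
                  " unexpected error:\n\n%s" % str(e)

            helpers.FriendlyExceptionDlg(msg)
            return False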
Esempio n. 40
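class FullKBTree(kbtree.KBTree):
    '''A tree showing all the info.

    This also gives a long description of the element when clicked.

    @param w3af: The core object, passed through to KBTree
    @param kbbrowser: The KB Browser
    @param ifilter: The filter to show which elements

    @author: Facundo Batista <facundobatista =at= taniquetil.com.ar>
    '''
    def __init__(self, w3af, kbbrowser, ifilter):
        super(FullKBTree,self).__init__(w3af, ifilter, 'Knowledge Base', strict=False)
        # Reused by _showDesc for every history lookup
        self._historyItem = HistoryItem()
        self.kbbrowser = kbbrowser
        self.connect('cursor-changed', self._showDesc)
        self.show()

    def _showDesc(self, tv):
        '''Shows the description at the right

        The long description of the selected element goes to the
        explanation pane. When the element carries request/response ids the
        matching traffic is shown in the viewer, otherwise the viewer is
        cleared and disabled.

        @param tv: the treeview.
        @raise Exception: when the element has exactly one id and that id
                          is None.
        '''
        (path, column) = tv.get_cursor()
        if path is None:
            return

        instance = self.getInstance(path)
        if hasattr(instance, "getDesc"):
            longdesc = str(instance.getDesc())
        else:
            longdesc = ""
        self.kbbrowser.explanation.set_text(longdesc)

        success = False
        ids = instance.getId() if hasattr(instance, "getId") else None

        # An element without ids (None or an empty list) has no traffic to
        # show, so it ends in the "clear the viewer" branch below.
        if ids:
            #
            # We have two different cases:
            #
            # 1) The object is related to ONLY ONE request / response
            # 2) The object is related to MORE THAN ONE request / response
            #
            # For 1), we show the classic view, and for 2) we show the classic
            # view with a "page control"
            #
            if len(ids) == 1:
                # There is ONLY ONE id related to the object
                # This is 1)
                self.kbbrowser.pagesControl.deactivate()
                self.kbbrowser._pageChange(0)
                self.kbbrowser.pagesControl.hide()
                self.kbbrowser.title0.hide()

                # This handles a special case, where the plugin writer made a mistake and
                # failed to set an id to the info / vuln object:
                if ids[0] is None:
                    raise Exception('Exception - The id should not be None! "' + str(instance._desc) + '".')

                # ok, we don't have None in the id:
                historyItem = self._historyItem.read(ids[0])
                if historyItem:
                    self.kbbrowser.rrV.request.showObject(historyItem.request)
                    self.kbbrowser.rrV.response.showObject(historyItem.response)

                    # Don't forget to highlight if necessary
                    severity = instance.getSeverity()
                    for s in instance.getToHighlight():
                        self.kbbrowser.rrV.response.highlight( s, severity )

                    success = True
                else:
                    om.out.error(_('Failed to find request/response with id: ') + str(ids) + _(' in the database.') )
            else:
                # There are MORE THAN ONE ids related to the object
                # This is 2)
                self.kbbrowser.pagesControl.show()
                self.kbbrowser.title0.show()

                self.kbbrowser.req_res_ids = ids
                self.kbbrowser.pagesControl.activate(len(ids))
                self.kbbrowser._pageChange(0)
                success = True

        if success:
            self.kbbrowser.rrV.set_sensitive(True)
        else:
            self.kbbrowser.rrV.request.clearPanes()
            self.kbbrowser.rrV.response.clearPanes()
            self.kbbrowser.rrV.set_sensitive(False)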
Esempio n. 41
File: db.py Progetto: weisst/w3af
 def _get_hist_obj(self):
     '''Return the history item for ``self._hash_id``, looking it up lazily.

     The first match of the ``alias`` search is stored in
     ``self._hist_obj``. A search with no match stores ``None``, so the
     lookup is repeated on the next call.
     '''
     if self._hist_obj is None:
         matches = HistoryItem().find([('alias', self._hash_id, "=")])
         self._hist_obj = matches[0] if matches else None
     return self._hist_obj
Esempio n. 42
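class FullKBTree(KBTree):
    '''A tree showing all the info.

    This also gives a long description of the element when clicked.

    :param w3af: The core object, passed through to KBTree
    :param kbbrowser: The KB Browser
    :param ifilter: The filter to show which elements

    :author: Facundo Batista <facundobatista =at= taniquetil.com.ar>
    '''
    def __init__(self, w3af, kbbrowser, ifilter):
        super(FullKBTree, self).__init__(w3af, ifilter,
                                         'Knowledge Base', strict=False)
        # Reused by _showDesc for every history lookup
        self._historyItem = HistoryItem()
        self.kbbrowser = kbbrowser
        self.connect('cursor-changed', self._showDesc)
        self.show()

    def _showDesc(self, tv):
        '''Shows the description at the right

        Only ``Info`` instances are handled. Their description goes to the
        explanation pane; when they carry request/response ids the matching
        traffic is shown in the viewer, otherwise the viewer is cleared and
        disabled.

        :param tv: the treeview.
        '''
        (path, column) = tv.get_cursor()
        if path is None:
            return

        instance = self.get_instance(path)
        if not isinstance(instance, Info):
            return

        longdesc = instance.get_desc()
        self.kbbrowser.explanation.set_text(longdesc)

        success = False
        ids = instance.get_id()

        if ids:
            #
            # We have two different cases:
            #
            # 1) The object is related to ONLY ONE request / response
            # 2) The object is related to MORE THAN ONE request / response
            #
            # For 1), we show the classic view, and for 2) we show the classic
            # view with a "page control"
            #
            if len(ids) == 1:
                # There is ONLY ONE id related to the object
                # This is 1)
                self.kbbrowser.pagesControl.deactivate()
                self.kbbrowser._pageChange(0)
                self.kbbrowser.pagesControl.hide()
                self.kbbrowser.title0.hide()

                historyItem = self._historyItem.read(ids[0])
                if historyItem:
                    self.kbbrowser.rrV.request.show_object(historyItem.request)
                    self.kbbrowser.rrV.response.show_object(
                        historyItem.response)

                    # Don't forget to highlight if necessary
                    severity = instance.get_severity()
                    for s in instance.get_to_highlight():
                        self.kbbrowser.rrV.response.highlight(s, severity)

                    success = True
                else:
                    # Translate the constant text first and fill in the ids
                    # afterwards; formatting inside _() made the lookup key
                    # change with every id, and the text lacked the space
                    # before the ids.
                    msg = _('Failed to find request/response with id'
                            ' %s in the database.') % (ids,)
                    om.out.error(msg)
            else:
                # There are MORE THAN ONE ids related to the object
                # This is 2)
                self.kbbrowser.pagesControl.show()
                self.kbbrowser.title0.show()

                self.kbbrowser.req_res_ids = ids
                self.kbbrowser.pagesControl.activate(len(ids))
                self.kbbrowser._pageChange(0)
                success = True

        if success:
            self.kbbrowser.rrV.set_sensitive(True)
        else:
            self.kbbrowser.rrV.request.clear_panes()
            self.kbbrowser.rrV.response.clear_panes()
            self.kbbrowser.rrV.set_sensitive(False)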
Esempio n. 43
File: db.py Progetto: weisst/w3af
 def clear():
     '''
     Clear the cache by delegating to ``HistoryItem().clear()``.

     :return: whatever ``HistoryItem.clear`` returns.
     '''
     history = HistoryItem()
     return history.clear()
Esempio n. 44
File: db.py Progetto: weisst/w3af
 def init():
     '''Create the temp directory, then initialise the history store.'''
     create_temp_dir()
     history = HistoryItem()
     history.init()
Esempio n. 45
 def test_find(self):
     '''Save 500 history items and check ``find`` with several filters.

     One randomly chosen item differs from the rest: it has code 302, is
     marked and carries a random tag, so each of those filters must match
     exactly one row.
     '''
     find_id = random.randint(1, 499)
     url = url_object('http://w3af.org/a/b/foobar.php?foo=123')
     tag_value = createRandAlNum(10)

     for i in xrange(0, 500):
         is_target = (i == find_id)
         request = FuzzReq(url, dc={'a': ['1']})
         status = 302 if is_target else 200
         response = httpResponse(status, '<html>',
                                 {'Content-Type': 'text/html'}, url, url)
         item = HistoryItem()
         item.request = request
         response.setId(i)
         item.response = response
         if is_target:
             item.toggleMark()
             item.updateTag(tag_value)
         item.save()

     finder = HistoryItem()
     has_qs = [('has_qs', 1, '=')]

     # Filters that only the special item satisfies
     self.assertEqual(
         len(finder.find([('tag', "%" + tag_value + "%", 'like')])), 1)
     self.assertEqual(len(finder.find([('code', 302, '=')])), 1)
     self.assertEqual(len(finder.find([('mark', 1, '=')])), 1)

     # Every saved URL has a query string; check limit and ordering too
     self.assertEqual(len(finder.find(has_qs)), 500)
     self.assertEqual(len(finder.find(has_qs, resultLimit=10)), 10)
     results = finder.find(has_qs, resultLimit=1,
                           orderData=[('id', 'desc')])
     self.assertEqual(results[0].id, 499)

     # Two conditions on the same column leave a single id in between
     search_data = [
         ('id', find_id + 1, "<"),
         ('id', find_id - 1, ">"),
     ]
     self.assertEqual(len(finder.find(search_data)), 1)
Esempio n. 46
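class FullKBTree(KBTree):
    '''A tree showing all the info.

    This also gives a long description of the element when clicked.

    :param w3af: Passed through to the KBTree constructor
    :param kbbrowser: The KB Browser
    :param ifilter: The filter to show which elements

    :author: Facundo Batista <facundobatista =at= taniquetil.com.ar>
    '''
    def __init__(self, w3af, kbbrowser, ifilter):
        super(FullKBTree, self).__init__(w3af,
                                         ifilter,
                                         'Knowledge Base',
                                         strict=False)
        # Reused for every DB lookup done from _showDesc
        self._historyItem = HistoryItem()
        self.kbbrowser = kbbrowser
        self.connect('cursor-changed', self._showDesc)
        self.show()

    def _showDesc(self, tv):
        '''Shows the description at the right

        Also loads the related request/response into the browser's viewer,
        or clears and disables the viewer when nothing can be shown.

        :param tv: the treeview.
        '''
        (path, column) = tv.get_cursor()
        if path is None:
            return

        instance = self.get_instance(path)
        if not isinstance(instance, Info):
            return

        longdesc = instance.get_desc()
        self.kbbrowser.explanation.set_text(longdesc)

        success = False
        request_ids = instance.get_id()

        if request_ids:
            #
            # We have two different cases:
            #
            # 1) The object is related to ONLY ONE request / response
            # 2) The object is related to MORE THAN ONE request / response
            #
            # For 1), we show the classic view, and for 2) we show the classic
            # view with a "page control"
            #
            if len(request_ids) == 1:
                # There is ONLY ONE id related to the object
                # This is 1)
                self.kbbrowser.pagesControl.deactivate()
                self.kbbrowser._pageChange(0)
                self.kbbrowser.pagesControl.hide()
                self.kbbrowser.title0.hide()

                historyItem = self._historyItem.read(request_ids[0])
                if historyItem:
                    self.kbbrowser.rrV.request.show_object(historyItem.request)
                    self.kbbrowser.rrV.response.show_object(
                        historyItem.response)

                    # Don't forget to highlight if necessary
                    severity = instance.get_severity()
                    for s in instance.get_to_highlight():
                        self.kbbrowser.rrV.response.highlight(s, severity)

                    success = True
                else:
                    # Translate the template first and interpolate afterwards,
                    # so the catalog lookup sees a constant string; report the
                    # single id that was looked up, with a space before it.
                    msg = _('Failed to find request/response with id'
                            ' %s in the database.') % request_ids[0]
                    om.out.error(msg)
            else:
                # There are MORE THAN ONE ids related to the object
                # This is 2)
                self.kbbrowser.pagesControl.show()
                self.kbbrowser.title0.show()

                self.kbbrowser.req_res_ids = request_ids
                self.kbbrowser.pagesControl.activate(len(request_ids))
                self.kbbrowser._pageChange(0)
                success = True

        if success:
            self.kbbrowser.rrV.set_sensitive(True)
        else:
            # Nothing to display: blank both panes and disable the viewer
            self.kbbrowser.rrV.request.clear_panes()
            self.kbbrowser.rrV.response.clear_panes()
            self.kbbrowser.rrV.set_sensitive(False)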
Esempio n. 47
    def __init__(self, w3af):
        '''Build the Knowledge Base browser pane.

        The first pane holds the type filter checkboxes above the KB tree;
        the second holds the explanation text above the request/response
        viewer and its page control.

        :param w3af: passed through to the base class and to child widgets.
        '''
        super(KBBrowser, self).__init__(w3af, "pane-kbbrowser", 250)

        # Ids of the request/response pairs the page control walks through
        self.req_res_ids = []
        # Used by _pageChange to read each request/response from the DB as
        # the page control asks for it
        self._historyItem = HistoryItem()

        # --- type filter checkboxes ---
        self.filters = {}
        filter_row = gtk.HBox()

        def make_but(label, signal, initial):
            check = gtk.CheckButton(label)
            check.set_active(initial)
            check.connect("clicked", self.type_filter, signal)
            self.filters[signal] = initial
            check.show()
            filter_row.pack_start(check, expand=False, fill=False, padding=2)

        for label, signal in (("Vulnerabilities", "vuln"),
                              ("Informations", "info")):
            make_but(label, signal, True)
        filter_row.show()

        # --- the kb tree, inside a scrolled window ---
        self.kbtree = FullKBTree(w3af, self, self.filters)

        tree_scroll = gtk.ScrolledWindow()
        tree_scroll.set_policy(gtk.POLICY_AUTOMATIC, gtk.POLICY_AUTOMATIC)
        tree_scroll.add(self.kbtree)
        tree_scroll.show()

        # filter row stacked over the tree
        tree_column = gtk.VBox()
        tree_column.pack_start(filter_row, expand=False, fill=False)
        tree_column.pack_start(tree_scroll)
        tree_column.show()

        # --- read-only explanation text ---
        desc_view = gtk.TextView()
        desc_view.set_editable(False)
        desc_view.set_cursor_visible(False)
        desc_view.set_wrap_mode(gtk.WRAP_WORD)
        self.explanation = desc_view.get_buffer()
        desc_view.show()

        desc_scroll = gtk.ScrolledWindow()
        desc_scroll.set_policy(gtk.POLICY_AUTOMATIC, gtk.POLICY_AUTOMATIC)
        desc_scroll.add_with_viewport(desc_view)
        desc_scroll.show()

        # --- request/response viewer, disabled until something is selected ---
        self.rrV = reqResViewer.reqResViewer(w3af, withAudit=False)
        self.rrV.set_sensitive(False)

        # Title label that shows the request id
        self.title0 = gtk.Label()
        self.title0.show()

        # Page changer for info/vuln objects that have MORE THAN ONE related
        # request/response
        self.pagesControl = entries.PagesControl(w3af, self._pageChange, 0)
        self.pagesControl.deactivate()
        self._pageChange(0)
        pager_row = gtk.HBox()
        pager_row.pack_start(self.pagesControl, True, False)

        # title, viewer and pager stacked vertically
        viewer_column = gtk.VBox()
        viewer_column.pack_start(self.title0, False, True)
        viewer_column.pack_start(self.rrV, True, True)
        viewer_column.pack_start(pager_row, False, False)

        viewer_column.show()
        self.pagesControl.show()
        pager_row.show()

        # explanation over viewer, in a vpaned that remembers its position
        right_paned = entries.RememberingVPaned(
            w3af, "pane-kbbexplainview", 100)
        right_paned.pack1(desc_scroll)
        right_paned.pack2(viewer_column)
        right_paned.show()

        # pack & show
        self.pack1(tree_column)
        self.pack2(right_paned)
        self.show()
Esempio n. 48
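class KBBrowser(entries.RememberingHPaned):
    '''Show the Knowledge Base, with the filter and the tree.

    :author: Facundo Batista <facundobatista =at= taniquetil.com.ar>
    '''
    def __init__(self, w3af):
        '''Build the filter + tree pane and the explanation + viewer pane.

        :param w3af: passed through to the base class and to child widgets.
        '''
        super(KBBrowser, self).__init__(w3af, "pane-kbbrowser", 250)

        # Internal variables:
        #
        # Here I save the request and response ids to be used in the page control
        self.req_res_ids = []
        # This is to search the DB and print the different request and responses as they are
        # requested from the page control, "_pageChange" method.
        self._historyItem = HistoryItem()

        # the filter to the tree
        filterbox = gtk.HBox()
        self.filters = {}

        def make_but(label, signal, initial):
            # One checkbox per KB object type; its state is mirrored in
            # self.filters under the same key that type_filter receives.
            but = gtk.CheckButton(label)
            but.set_active(initial)
            but.connect("clicked", self.type_filter, signal)
            self.filters[signal] = initial
            but.show()
            filterbox.pack_start(but, expand=False, fill=False, padding=2)

        make_but("Vulnerabilities", "vuln", True)
        make_but("Informations", "info", True)
        filterbox.show()

        # the kb tree
        self.kbtree = FullKBTree(w3af, self, self.filters)

        # all in the first pane
        scrollwin21 = gtk.ScrolledWindow()
        scrollwin21.set_policy(gtk.POLICY_AUTOMATIC, gtk.POLICY_AUTOMATIC)
        scrollwin21.add(self.kbtree)
        scrollwin21.show()

        # the filter and tree box
        treebox = gtk.VBox()
        treebox.pack_start(filterbox, expand=False, fill=False)
        treebox.pack_start(scrollwin21)
        treebox.show()

        # the explanation (read-only text view)
        explan_tv = gtk.TextView()
        explan_tv.set_editable(False)
        explan_tv.set_cursor_visible(False)
        explan_tv.set_wrap_mode(gtk.WRAP_WORD)
        self.explanation = explan_tv.get_buffer()
        explan_tv.show()
        scrollwin22 = gtk.ScrolledWindow()
        scrollwin22.set_policy(gtk.POLICY_AUTOMATIC, gtk.POLICY_AUTOMATIC)
        scrollwin22.add_with_viewport(explan_tv)
        scrollwin22.show()

        # The request/response viewer, disabled until there is data to show
        self.rrV = reqResViewer.reqResViewer(w3af, withAudit=False)
        self.rrV.set_sensitive(False)

        # Create the title label to show the request id
        self.title0 = gtk.Label()
        self.title0.show()

        # Create page changer to handle info/vuln objects that have MORE THAN ONE
        # related request/response
        self.pagesControl = entries.PagesControl(w3af, self._pageChange, 0)
        self.pagesControl.deactivate()
        self._pageChange(0)
        centerbox = gtk.HBox()
        centerbox.pack_start(self.pagesControl, True, False)

        # Add everything to a vbox
        vbox_rrv_centerbox = gtk.VBox()
        vbox_rrv_centerbox.pack_start(self.title0, False, True)
        vbox_rrv_centerbox.pack_start(self.rrV, True, True)
        vbox_rrv_centerbox.pack_start(centerbox, False, False)

        # and show
        vbox_rrv_centerbox.show()
        self.pagesControl.show()
        centerbox.show()

        # And now put everything inside the vpaned
        vpanedExplainAndView = entries.RememberingVPaned(
            w3af, "pane-kbbexplainview", 100)
        vpanedExplainAndView.pack1(scrollwin22)
        vpanedExplainAndView.pack2(vbox_rrv_centerbox)
        vpanedExplainAndView.show()

        # pack & show
        self.pack1(treebox)
        self.pack2(vpanedExplainAndView)
        self.show()

    def type_filter(self, button, ptype):
        '''Changes the filter of the KB in the tree.

        :param button: the checkbox that was clicked.
        :param ptype: key in self.filters that the checkbox controls.
        '''
        self.filters[ptype] = button.get_active()
        self.kbtree.set_filter(self.filters)

    def _pageChange(self, page):
        '''
        Handle the page change in the page control.

        :param page: index into self.req_res_ids of the pair to display.
        '''
        # Only do something if I have a list of request and responses
        if not self.req_res_ids:
            return

        request_id = self.req_res_ids[page]
        try:
            historyItem = self._historyItem.read(request_id)
        except Exception:
            # The read failed: blank and disable the viewer. Catching
            # Exception instead of using a bare except lets
            # KeyboardInterrupt and SystemExit propagate.
            self.rrV.request.clear_panes()
            self.rrV.response.clear_panes()
            self.rrV.set_sensitive(False)
            self.title0.set_markup("<b>Error</b>")
        else:
            # set_markup() parses Pango markup; %d only accepts a number, so
            # no free-form text can end up inside the markup string.
            self.title0.set_markup("<b>Id: %d</b>" % request_id)
            self.rrV.request.show_object(historyItem.request)
            self.rrV.response.show_object(historyItem.response)
            self.rrV.set_sensitive(True)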
Esempio n. 49
class httpLogTab(entries.RememberingHPaned):
    '''A tab that shows all HTTP requests and responses made by the framework.
    :author: Andres Riancho ([email protected])
    '''
    def __init__(self, w3af, padding=10, time_refresh=False):
        """Build the tab: search box, filter box and req/res viewer.

        :param w3af: stored on the instance and passed to the base class.
        :param padding: spacing used by the containers this tab creates.
        :param time_refresh: when true, refresh_results is registered with
                             gobject.timeout_add at a 1000 ms interval.
        """
        super(httpLogTab, self).__init__(w3af, "pane-httplogtab", 300)
        self.w3af = w3af
        self._padding = padding
        self._lastId = 0
        self._historyItem = HistoryItem()
        if time_refresh:
            gobject.timeout_add(1000, self.refresh_results)

        # Main container; the sections are added top to bottom
        container = gtk.VBox()
        container.set_spacing(self._padding)
        section_builders = (
            self._initSearchBox,
            self._initFilterBox,
            self._initReqResViewer,
        )
        for build_section in section_builders:
            build_section(container)
        container.show()

        # Add everything
        self.add(container)
        self.show()

    def _initReqResViewer(self, mainvbox):
        """Create the req/res viewer and the result list shown above it.

        :param mainvbox: container that receives the resulting paned widget.
        """
        self._reqResViewer = viewer = reqResViewer.reqResViewer(
            self.w3af, editableRequest=False, editableResponse=False)
        viewer.set_sensitive(False)

        # Scrolled window for the req/res selector (when a search with more
        # than one result is done, this window appears)
        self._sw = scroller = gtk.ScrolledWindow()
        scroller.set_shadow_type(gtk.SHADOW_ETCHED_IN)
        scroller.set_policy(gtk.POLICY_AUTOMATIC, gtk.POLICY_AUTOMATIC)

        # One entry per model column; the index is what __add_columns binds to
        column_types = (
            gobject.TYPE_UINT,      # 0
            gobject.TYPE_BOOLEAN,   # 1
            gobject.TYPE_STRING,    # 2
            gobject.TYPE_STRING,    # 3
            gobject.TYPE_STRING,    # 4
            gobject.TYPE_UINT,      # 5
            gobject.TYPE_STRING,    # 6
            gobject.TYPE_UINT,      # 7
            gobject.TYPE_STRING,    # 8
            gobject.TYPE_FLOAT,     # 9
        )
        self._lstore = gtk.ListStore(*column_types)

        # Tree view over the store
        self._lstoreTreeview = tree = gtk.TreeView(self._lstore)
        tree.set_rules_hint(True)
        tree.set_search_column(0)
        self.__add_columns(tree)
        tree.show()
        tree.connect('cursor-changed', self._view_in_req_res_viewer)

        # Popup menu, built lazily by _popupMenu
        self._rightButtonMenu = None
        tree.connect('button-press-event', self._popupMenu)

        # Several rows may be selected at once
        tree.get_selection().set_mode(gtk.SELECTION_MULTIPLE)

        scroller.add(tree)
        scroller.show_all()

        # I want all sections to be resizable
        self._vpan = paned = entries.RememberingVPaned(
            self.w3af, "pane-swandrRV", 100)
        paned.pack1(scroller)
        paned.pack2(viewer)
        paned.show()
        mainvbox.pack_start(paned)

    def _popupMenu(self, tv, event):
        '''Generate and show popup menu.

        Only reacts to button 3; returns True once the menu has been popped
        up and None otherwise.
        '''
        if event.button != 3:
            return

        menu = self._rightButtonMenu
        if menu is None:
            # First use: build the whole menu once and keep it for later
            menu = gtk.Menu()
            self._rightButtonMenu = menu
            delete_item = gtk.MenuItem(_("Delete selected items"))
            delete_item.connect('activate', self._deleteSelected)
            menu.append(delete_item)
            menu.show_all()

        menu.popup(None, None, None, event.button, event.time)
        return True

    def _deleteSelected(self, widg=None):
        '''Delete selected transactions.

        The rows are removed from the list store first and the matching
        history items are deleted afterwards.
        '''
        selection = self._lstoreTreeview.get_selection()
        (model, pathlist) = selection.get_selected_rows()

        # Collect (iter, id) pairs before touching the store: removing a row
        # would invalidate the paths of the rows that follow it.
        doomed = []
        for path in pathlist:
            row_iter = self._lstore.get_iter(path)
            row_id = self._lstore[path[0]][0]
            doomed.append((row_iter, row_id))

        for row_iter, row_id in doomed:
            self._lstore.remove(row_iter)

        #  TODO Move this action to separate thread
        for row_iter, row_id in doomed:
            self._historyItem.delete(row_id)

    def _initSearchBox(self, mainvbox):
        """Init Search box.

        :param mainvbox: container that receives the search row.
        """
        # Search entry; its "activate" signal runs the search
        self._searchText = search_entry = gtk.Entry()
        search_entry.connect("activate", self.find_request_response)

        # Toggle button that shows/hides the advanced search options
        filter_toggle = gtk.ToggleButton(label=_("_Filter Options"))
        filter_toggle.connect("toggled", self._showHideFilterBox)
        find_icon = gtk.Image()
        find_icon.set_from_stock(gtk.STOCK_FIND, gtk.ICON_SIZE_MENU)
        filter_toggle.set_image(find_icon)

        # Clear "button": an image inside an event box so it can be clicked
        clear_icon = gtk.Image()
        clear_icon.set_from_stock(gtk.STOCK_CLEAR, gtk.ICON_SIZE_MENU)
        clear_box = gtk.EventBox()
        clear_box.add(clear_icon)
        clear_box.connect("button-release-event",
                          self._showAllRequestResponses)

        # Row holding label, entry, clear icon and filter toggle
        row = gtk.HBox()
        row.set_spacing(self._padding)
        row.pack_start(gtk.Label(_("Search:")), False)
        row.pack_start(search_entry)
        row.pack_start(clear_box, False)
        row.pack_start(filter_toggle, False)
        row.show_all()
        mainvbox.pack_start(row, False, True)

    def _initFilterBox(self, mainvbox):
        """Init advanced search options.

        Builds one FilterOptions section per criterion (methods, transaction
        id, response codes, misc, content types, size) and packs the hidden
        box into *mainvbox*.
        """
        self._advSearchBox = gtk.HBox()
        self._advSearchBox.set_spacing(self._padding)
        self.pref = FilterOptions(self)

        def boolean_options(specs):
            # specs: (name, description, default) triples -> OptionList
            options = OptionList()
            for name, desc, default in specs:
                options.add(opt_factory(name, default, desc, "boolean"))
            return options

        # Request method
        self._filterMethods = [
            ('GET', 'GET', False),
            ('POST', 'POST', False),
        ]
        self.pref.add_section('methods', _('Request Method'),
                              boolean_options(self._filterMethods))

        # Transaction id range (kept as strings)
        id_range = OptionList()
        id_range.add(opt_factory("min", "0", "Min ID", "string"))
        id_range.add(opt_factory("max", "0", "Max ID", "string"))
        self.pref.add_section('trans_id', _('Transaction ID'), id_range)

        # Response code classes
        codes = [
            ("1xx", "1xx", False),
            ("2xx", "2xx", False),
            ("3xx", "3xx", False),
            ("4xx", "4xx", False),
            ("5xx", "5xx", False),
        ]
        self.pref.add_section('codes', _('Response Code'),
                              boolean_options(codes))

        # Misc
        misc = OptionList()
        misc.add(opt_factory("tag", False, "Tag", "boolean"))
        misc.add(
            opt_factory("has_qs", False, "Request has Query String",
                        "boolean"))
        self.pref.add_section('misc', _('Misc'), misc)

        # Response content type
        self._filterTypes = [
            ('html', 'HTML', False),
            ('javascript', 'JavaScript', False),
            ('image', 'Images', False),
            ('flash', 'Flash', False),
            ('css', 'CSS', False),
            ('text', 'Text', False),
        ]
        self.pref.add_section('types', _('Response Content Type'),
                              boolean_options(self._filterTypes))

        # Response size
        size = OptionList()
        size.add(opt_factory("resp_size", False, "Not Null", "boolean"))
        self.pref.add_section('sizes', _('Response Size'), size)

        self.pref.show()
        self._advSearchBox.pack_start(self.pref, False, False)
        # Hidden until the filter toggle is activated
        self._advSearchBox.hide_all()
        mainvbox.pack_start(self._advSearchBox, False, False)

    def __add_columns(self, treeview):
        """Add columns to main log table.

        :param treeview: the tree view to populate; its model is handed to
                         the tag-edit callback.
        """
        model = treeview.get_model()

        def add_text_column(title, index):
            # Plain sortable text column bound to model column *index*
            col = gtk.TreeViewColumn(title, gtk.CellRendererText(),
                                     text=index)
            col.set_sort_column_id(index)
            treeview.append_column(col)

        # Column for id's
        add_text_column(_('ID'), 0)

        # Column for bookmark (model column 1) is disabled for now.
        # TODO: Find a better way to do this. The "B" and the checkbox aren't
        # nice, what we aim for is something like the stars in gmail.
        #
        #   renderer = gtk.CellRendererToggle()
        #   renderer.set_property('activatable', True)
        #   renderer.connect('toggled', self.toggle_bookmark, model)
        #   column = gtk.TreeViewColumn(_('B'), renderer)
        #   column.add_attribute(renderer, "active", 1)
        #   column.set_sort_column_id(1)
        #   treeview.append_column(column)

        # Column for METHOD
        add_text_column(_('Method'), 2)

        # Column for URI: expands, and is ellipsized at the end when too long
        uri_renderer = gtk.CellRendererText()
        uri_renderer.set_property('ellipsize', pango.ELLIPSIZE_END)
        uri_column = gtk.TreeViewColumn('URI', uri_renderer, text=3)
        uri_column.set_sort_column_id(3)
        uri_column.set_expand(True)
        uri_column.set_resizable(True)
        treeview.append_column(uri_column)

        # Column for Tag: editable in place, edits go through edit_tag
        tag_renderer = gtk.CellRendererText()
        tag_renderer.set_property('editable', True)
        tag_renderer.connect('edited', self.edit_tag, model)
        tag_column = gtk.TreeViewColumn(_('Tag'), tag_renderer, text=4)
        tag_column.set_sort_column_id(4)
        tag_column.set_resizable(True)
        tag_column.set_sizing(gtk.TREE_VIEW_COLUMN_GROW_ONLY)
        treeview.append_column(tag_column)

        # Remaining response columns
        extColumns = [
            (5, _('Code')),
            (6, _('Message')),
            (7, _('Content-Length')),
            (8, _('Content-Type')),
            (9, _('Time (ms)')),
        ]
        for index, title in extColumns:
            add_text_column(title, index)

    def toggle_bookmark(self, cell, path, model):
        """Toggle bookmark.

        Flips column 1 of the row at *path* and calls toggle_mark(True) on
        the history item whose id is in column 0.
        """
        row = model[path]
        row[1] = not row[1]
        item = HistoryItem()
        item.load(model[path][0])
        item.toggle_mark(True)

    def edit_tag(self, cell, path, new_text, model):
        """Edit tag.

        Writes *new_text* into column 4 of the row at *path* and passes it to
        update_tag() on the history item whose id is in column 0.
        """
        # NOTE(review): new_text is free-form text typed into the cell and is
        # handed to update_tag() as-is; confirm HistoryItem binds it as a
        # query parameter rather than building SQL from it.
        row = model[path]
        row[4] = new_text
        item = HistoryItem()
        item.load(model[path][0])
        item.update_tag(new_text, True)

    def _showHideFilterBox(self, widget):
        """Show/hide advanced options.

        :param widget: the toggle whose active state decides visibility.
        """
        if widget.get_active():
            self._advSearchBox.show_all()
        else:
            self._advSearchBox.hide_all()

    def _showAllRequestResponses(self, widget=None, event=None):
        """Show all results.

        Empties the search entry and runs the search again; if that raises
        w3afException the result list is emptied instead.
        """
        self._searchText.set_text("")
        try:
            self.find_request_response()
        except w3afException:
            self._empty_results()