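def test_unvalidated_redirect():
    """Check that redirectandlog.php does not forward to an attacker-chosen host.

    The request is made with ``allow_redirects=False`` so the response under
    inspection is the server's own redirect (or page), not the destination.
    The test fails if the supplied external URL is reflected in the body or
    used as the ``Location`` target.
    """
    s = setsecuritylevel(seclevel=config['seclevel'])
    redirect_url = "http://www.th3r3p0.com"
    url = "%s/index.php?page=redirectandlog.php&forwardurl=%s" % (
        config['url'], redirect_url)
    r = s.get(url, allow_redirects=False)
    # Plain substring test instead of a regex built from the URL: the URL
    # contains '.' which is a regex metacharacter and was never escaped.
    assert redirect_url not in r.text
    # An open redirect manifests in the Location header, not only in the body,
    # so the redirect target is checked as well.
    location = r.headers.get("Location", "")
    assert not location.startswith(redirect_url)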
def test_csrf_blog_post():
    """Two fetches of the add-to-your-blog page must yield different CSRF tokens.

    A token that is constant across requests offers no protection against
    cross-site request forgery.
    """
    session = setsecuritylevel(seclevel=config['seclevel'])
    blog_url = "%s/index.php?page=add-to-your-blog.php" % config['url']
    # fetch the page twice, in order, and extract the token from each response
    first_token, second_token = [
        get_csrf_token(session.get(blog_url)) for _ in range(2)
    ]
    assert first_token != second_token
def test_lfi_source_code_viewer():
    """The source viewer must not serve files from outside the web root.

    A directory-traversal path is posted as the ``page`` field; the test
    fails if content from the system password file comes back.
    """
    session = setsecuritylevel(seclevel=config['seclevel'])
    traversal = "./../../../../etc/passwd"
    viewer_url = "%s/index.php?page=source-viewer.php" % config['url']
    form_headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    # body is sent pre-encoded as a string, exactly as the form would post it
    body = ("page=%s&phpfile=show-log.php"
            "&source-file-viewer-php-submit-button=View+File") % traversal
    response = session.post(viewer_url, body, headers=form_headers)
    # "/bin/sh" appears in a typical /etc/passwd; its presence means the
    # traversal was honoured
    assert re.search(r"/bin/sh", response.text) is None
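def test_post_vs_get_form():
    """The user-info page must expose exactly one form, and it must submit via POST.

    Credentials submitted over GET end up in URLs, browser history and
    server logs.
    """
    s = setsecuritylevel(seclevel=config['seclevel'])
    url = "%s/index.php?page=user-info.php" % config['url']
    r = s.get(url)
    soup = BeautifulSoup(r.text, "html.parser")
    forms = soup.find_all("form")
    # exactly one form is expected on this page
    assert len(forms) == 1
    # HTML attribute values are case-insensitive ("post" is valid), and a
    # form with no method attribute submits via GET, so normalise before
    # comparing instead of indexing the attribute directly
    method = forms[0].get("method", "GET").upper()
    assert method == "POST"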
def test_uid_cookie_manipulation():
    """Tampering with the uid cookie must not change the authenticated user.

    The ``Logged-In-User`` response header is compared before and after the
    cookie is overwritten.
    """
    session = setsecuritylevel(seclevel=config['seclevel'])
    session = auth(config['validuser'], config['validpass'], session)
    home_url = "%s/index.php" % config['url']
    user_before = session.get(home_url).headers["Logged-In-User"]
    # overwrite the uid cookie with a different id and request the page again
    session.cookies.set('uid', '1', domain=config["domain"], path=config["path"])
    user_after = session.get(home_url).headers["Logged-In-User"]
    assert user_before == user_after
def test_view_your_details():
    """Quote characters in the username must not surface the SQL error page.

    The check keys on the application's own error text; a 500 status would
    be an alternative signal.
    """
    session = setsecuritylevel(seclevel=config['seclevel'])
    # URL-encoded single quote and double quote
    quote_payloads = ['%27', '%22']
    error_text = "Error: Failure is always an option and this situation proves it"
    url_template = ("%s/index.php?page=user-info.php&username=%s&password="
                    "&user-info-php-submit-button=View+Account+Details")
    for payload in quote_payloads:
        response = session.get(url_template % (config['url'], payload))
        # the error text must be absent for every payload
        assert error_text not in response.text
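def test_xss_dns_lookup():
    """Script payloads submitted as the DNS lookup target must not be reflected.

    Payloads are kept in decoded form and handed to requests as a dict, which
    form-encodes them on the wire. The reflection check then uses the same
    decoded string, so every entry in the list is checked rather than only
    the one the previous hard-coded regex matched.
    """
    s = setsecuritylevel(seclevel=config['seclevel'])
    badinputs = ['<script>alert(1)</script>']
    url = "%s/index.php?page=dns-lookup.php" % config['url']
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    for badinput in badinputs:
        data = {
            'target_host': badinput,
            'dns-lookup-php-submit-button': 'Lookup DNS',
        }
        r = s.post(url, data, headers=headers)
        # the payload appearing verbatim means it was echoed without encoding
        assert badinput not in r.text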
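def test_http_to_https():
    """A plain-HTTP request for the site must be redirected to HTTPS.

    The configured URL is downgraded to http:// (or used as-is when it is
    already http://) and fetched without following redirects, so the
    redirect response itself can be inspected.

    Raises:
        ValueError: if the configured URL has neither an http nor https scheme.
    """
    s = setsecuritylevel(seclevel=config['seclevel'])
    url = "%s/index.php" % config['url']
    if url.startswith("https://"):
        # swap only the scheme prefix; str.replace would touch every occurrence
        insecure_url = "http://" + url[len("https://"):]
    elif url.startswith("http://"):
        insecure_url = url
    else:
        raise ValueError(
            "URL is not valid - must start with https:// or http://")
    r = s.get(insecure_url, allow_redirects=False)
    # any redirect status is acceptable; what matters is where it points
    assert r.status_code in (301, 302, 307, 308), r.status_code
    location = r.headers.get("Location")
    assert location is not None, "Redirect location did not appear in the headers"
    # scheme comparison is case-insensitive
    assert location.lower().startswith("https://"), location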
def test_check_for_phpinfo_page():
    """phpinfo.php must not be reachable through the page parameter.

    phpinfo output discloses configuration, paths and loaded modules.
    """
    session = setsecuritylevel(seclevel=config['seclevel'])
    phpinfo_url = "%s/index.php?page=phpinfo.php" % config['url']
    response = session.get(phpinfo_url)
    # "PHP Credits" is a section heading emitted by phpinfo(); seeing it
    # means the page was served
    assert "PHP Credits" not in response.text