def get_test_cases(cls, filename, file_content):
request_obj = parser.create_request(
file_content, os.environ.get("SYNTRIBOS_ENDPOINT"))
request_obj.headers['Origin'] = 'http://example.com'
cls.resp = cls.client.send_request(request_obj)
yield cls
def get_test_cases(cls, filename, file_content):
"""Makes sure API call supports XML
Overrides parent fuzz test generation, if API method does not support
XML, do not generate tests.
"""
# Send request for different content-types
request_obj = parser.create_request(file_content, CONF.syntribos.endpoint)
prepared_copy = request_obj.get_prepared_copy()
prepared_copy.headers["content-type"] = "application/json"
prepared_copy_xml = prepared_copy.get_prepared_copy()
prepared_copy_xml.headers["content-type"] = "application/xml"
init_response, init_signals = cls.client.send_request(prepared_copy)
_, xml_signals = cls.client.send_request(prepared_copy_xml)
cls.init_resp = init_response
cls.init_signals = init_signals
if "HTTP_CONTENT_TYPE_XML" not in init_signals and "HTTP_CONTENT_TYPE_XML" not in xml_signals:
return
# iterate through permutations of doctype declarations and fuzz fields
dtds = cls._get_strings(cls.dtds_data_key)
for d_num, dtd in enumerate(dtds):
prefix_name = "{filename}_{test_name}_{fuzz_file}{d_index}_"
prefix_name = prefix_name.format(
filename=filename, test_name=cls.test_name, fuzz_file=cls.dtds_data_key, d_index=d_num
)
fr = syntribos.tests.fuzz.datagen.fuzz_request(request_obj, ["&xxe;"], cls.test_type, prefix_name)
for fuzz_name, request, fuzz_string, param_path in fr:
request.data = "{0}\n{1}".format(dtd, request.data)
yield cls.extend_class(fuzz_name, fuzz_string, param_path, {"request": request})
def get_test_cases(cls, filename, file_content):
request_obj = parser.create_request(file_content,
CONF.syntribos.endpoint)
prepared_copy = request_obj.get_prepared_copy()
cls.test_resp, cls.test_signals = cls.client.send_request(
prepared_copy)
yield cls
def get_test_cases(cls, filename, file_content, meta_vars):
request_obj = parser.create_request(
file_content, CONF.syntribos.endpoint, meta_vars
)
prepared_copy = request_obj.get_prepared_copy()
cls.test_resp, cls.test_signals = cls.client.send_request(
prepared_copy)
cls.test_req = request_obj.get_prepared_copy()
yield cls
def get_test_cases(cls, filename, file_content):
xst_header = {"TRACE_THIS": "XST_Vuln"}
request_obj = parser.create_request(
file_content, CONF.syntribos.endpoint, meta_vars=None)
prepared_copy = request_obj.get_prepared_copy()
prepared_copy.method = "TRACE"
prepared_copy.headers.update(xst_header)
cls.test_resp, cls.test_signals = cls.client.send_request(
prepared_copy)
yield cls
def get_test_cases(cls, filename, file_content, meta_vars):
xst_header = {"TRACE_THIS": "XST_Vuln"}
request_obj = parser.create_request(
file_content, CONF.syntribos.endpoint, meta_vars)
prepared_copy = request_obj.get_prepared_copy()
prepared_copy.method = "TRACE"
prepared_copy.headers.update(xst_header)
cls.test_resp, cls.test_signals = cls.client.send_request(
prepared_copy)
yield cls
def create_init_request(cls, filename, file_content):
"""Parses template and creates init request object
This method does not send the initial request, instead, it only creates
the object for use in the debug test
:param str filename: name of template file
:param str file_content: content of template file as string
"""
request_obj = parser.create_request(file_content,
CONF.syntribos.endpoint)
cls.init_req = request_obj
cls.init_resp = None
cls.init_signals = None
def create_init_request(cls, filename, file_content, meta_vars):
"""Parses template and creates init request object
This method does not send the initial request, instead, it only creates
the object for use in the debug test
:param str filename: name of template file
:param str file_content: content of template file as string
"""
request_obj = parser.create_request(
file_content, CONF.syntribos.endpoint, meta_vars)
cls.init_req = request_obj
cls.init_resp = None
cls.init_signals = None
def get_test_cases(cls, filename, file_content):
"""Makes sure API call supports XML
Overrides parent fuzz test generation, if API method does not support
XML, do not generate tests.
"""
# Send request for different content-types
request_obj = parser.create_request(file_content,
CONF.syntribos.endpoint)
prepared_copy = request_obj.get_prepared_copy()
prepared_copy.headers['content-type'] = "application/json"
prepared_copy_xml = prepared_copy.get_prepared_copy()
prepared_copy_xml.headers['content-type'] = "application/xml"
init_response, init_signals = cls.client.send_request(prepared_copy)
init_response_xml, xml_signals = cls.client.send_request(
prepared_copy_xml)
cls.init_resp = init_response
cls.init_signals = init_signals
if ("HTTP_CONTENT_TYPE_XML" not in init_signals
and "HTTP_CONTENT_TYPE_XML" not in xml_signals):
return
# iterate through permutations of doctype declarations and fuzz fields
dtds = cls._get_strings(cls.dtds_data_key)
for d_num, dtd in enumerate(dtds):
prefix_name = "{filename}_{test_name}_{fuzz_file}{d_index}_"
prefix_name = prefix_name.format(filename=filename,
test_name=cls.test_name,
fuzz_file=cls.dtds_data_key,
d_index=d_num)
fr = syntribos.tests.fuzz.datagen.fuzz_request(
request_obj, ["&xxe;"], cls.test_type, prefix_name)
for fuzz_name, request, fuzz_string, param_path in fr:
request.data = "{0}\n{1}".format(dtd, request.data)
yield cls.extend_class(fuzz_name, fuzz_string, param_path,
{"request": request})
def send_init_request(cls, filename, file_content):
"""Parses template, creates init request object, and sends init request
This method sends the initial request, which is the request created
after parsing the template file. This request will not be modified
any further by the test cases themselves.
:param str filename: name of template file
:param str file_content: content of template file as string
"""
cls.init_req = parser.create_request(file_content,
CONF.syntribos.endpoint)
prepared_copy = cls.init_req.get_prepared_copy()
cls.init_resp, cls.init_signals = cls.client.send_request(
prepared_copy)
if cls.init_resp is not None:
# Get the computed body and add it to our RequestObject
# TODO(cneill): Figure out a better way to handle this discrepancy
cls.init_req.body = cls.init_resp.request.body
else:
cls.dead = True
def send_init_request(cls, filename, file_content, meta_vars):
"""Parses template, creates init request object, and sends init request
This method sends the initial request, which is the request created
after parsing the template file. This request will not be modified
any further by the test cases themselves.
:param str filename: name of template file
:param str file_content: content of template file as string
"""
cls.init_req = parser.create_request(
file_content, CONF.syntribos.endpoint, meta_vars)
prepared_copy = cls.init_req.get_prepared_copy()
cls.init_resp, cls.init_signals = cls.client.send_request(
prepared_copy)
if cls.init_resp is not None:
# Get the computed body and add it to our RequestObject
# TODO(cneill): Figure out a better way to handle this discrepancy
cls.init_req.body = cls.init_resp.request.body
else:
cls.dead = True
