def test_export_with_dc(self): fr = FuzzableRequest(URL("http://www.w3af.com/")) d = DataContainer() d['a'] = ['1',] fr.set_dc(d) self.assertEqual(fr.export(), 'GET,http://www.w3af.com/?a=1,')
def test_variants_true_similar_params(self): # change the url by adding a querystring. shouldn't affect anything. url = self.url.url_join('?a=z') fr = FuzzableRequest(url, method='GET', dc={'a': ['1'], 'b': ['bb']}) fr_other = FuzzableRequest( self.url, method='GET', dc={'a': ['2'], 'b': ['cc']}) self.assertTrue(fr.is_variant_of(fr_other))
def test_analyze_cookies_https_value_over_http(self): body = '' url = URL('https://www.w3af.com/') headers = Headers({ 'content-type': 'text/html', 'Set-Cookie': 'abc=defjkluio; secure; httponly;' }.items()) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') # Receive the cookie over HTTPS self.plugin.grep(request, response) url = URL('http://www.w3af.com/?id=defjkluio') headers = Headers({'content-type': 'text/html'}.items()) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') # Send the cookie over HTTP as a parameter value self.plugin.grep(request, response) security = kb.kb.get('analyze_cookies', 'security') self.assertEqual(len(kb.kb.get('analyze_cookies', 'cookies')), 1) self.assertEqual(len(security), 1) self.assertEqual(len(kb.kb.get('analyze_cookies', 'invalid-cookies')), 0) names = [i.get_name() for i in security] self.assertIn('Secure cookies over insecure channel', names)
def test_analyze_cookies_collect_uniq(self): body = '' url = URL('http://www.w3af.com/') headers = Headers({ 'content-type': 'text/html', 'Set-Cookie': 'abc=def' }.items()) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) headers = Headers({ 'content-type': 'text/html', 'Set-Cookie': '123=456' }.items()) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) headers = Headers({ 'content-type': 'text/html', 'Set-Cookie': 'abc=456' }.items()) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEqual(len(kb.kb.get('analyze_cookies', 'cookies')), 2) self.assertEqual(len(kb.kb.get('analyze_cookies', 'invalid-cookies')), 0)
def _create_fuzzable_request(self): ''' Based on the attributes, return a fuzzable request object. Important variables used here: - self.headers : Stores the headers for the request - self.rfile : A file like object that stores the post_data - self.path : Stores the URL that was requested by the browser ''' # See HTTPWrapperClass if hasattr(self.server, 'chainedHandler'): base_path = "https://" + self.server.chainedHandler.path path = base_path + self.path else: path = self.path fuzzable_request = FuzzableRequest( URL(path), self.command, Headers(self.headers.dict.items()) ) post_data = self._get_post_data() if post_data: fuzzable_request.set_data(post_data) return fuzzable_request
def test_export_with_dc(self): fr = FuzzableRequest(URL("http://www.w3af.com/")) d = DataContainer() d['a'] = [ '1', ] fr.set_dc(d) self.assertEqual(fr.export(), 'GET,http://www.w3af.com/?a=1,')
def test_variants_true_similar_params(self): # change the url by adding a querystring. shouldn't affect anything. url = self.url.url_join('?a=z') fr = FuzzableRequest(url, method='GET', dc={'a': ['1'], 'b': ['bb']}) fr_other = FuzzableRequest(self.url, method='GET', dc={ 'a': ['2'], 'b': ['cc'] }) self.assertTrue(fr.is_variant_of(fr_other))
def test_basic(self): freq = FuzzableRequest(URL('http://www.w3af.com/')) fake_ref = 'http://w3af.org/' mutant = HeadersMutant(freq.copy()) mutant.set_var('Referer') original_referer = freq.get_referer() mutant.set_original_value(original_referer) mutant.set_mod_value(fake_ref) self.assertEqual(mutant.get_headers()['Referer'], fake_ref) self.assertEqual(mutant.get_original_value(), original_referer)
def test_dump_case01(self): expected = '\r\n'.join( ['GET http://w3af.com/a/b/c.php HTTP/1.1', 'Hello: World', '', '']) headers = Headers([('Hello', 'World')]) #TODO: Note that I'm passing a dc to the FuzzableRequest and it's not # appearing in the dump. It might be a bug... fr = FuzzableRequest(self.url, method='GET', dc={'a': ['b']}, headers=headers) self.assertEqual(fr.dump(), expected)
def test_dump_case01(self): expected = '\r\n'.join(['GET http://w3af.com/a/b/c.php HTTP/1.1', 'Hello: World', '', '']) headers = Headers([('Hello', 'World')]) #TODO: Note that I'm passing a dc to the FuzzableRequest and it's not # appearing in the dump. It might be a bug... fr = FuzzableRequest(self.url, method='GET', dc={'a': ['b']}, headers=headers) self.assertEqual(fr.dump(), expected)
def test_dump_case02(self): expected = u'\r\n'.join([u'GET http://w3af.com/a/b/c.php HTTP/1.1', u'Hola: Múndo', u'', u'']) headers = Headers([(u'Hola', u'Múndo')]) #TODO: Note that I'm passing a dc to the FuzzableRequest and it's not # appearing in the dump. It might be a bug... fr = FuzzableRequest(self.url, method='GET', dc={u'á': ['b']}, headers=headers) self.assertEqual(fr.dump(), expected)
def _urllibReq2fr(self, request): ''' Convert a urllib2 request object to a FuzzableRequest. Used in http_request. :param request: A urllib2 request obj. :return: A FuzzableRequest. ''' headers = request.headers headers.update(request.unredirected_hdrs) fr = FuzzableRequest(request.url_object, request.get_method(), headers) fr.set_data(request.get_data() or '') return fr
def test_dump_case02(self): expected = u'\r\n'.join([ u'GET http://w3af.com/a/b/c.php HTTP/1.1', u'Hola: Múndo', u'', u'' ]) headers = Headers([(u'Hola', u'Múndo')]) #TODO: Note that I'm passing a dc to the FuzzableRequest and it's not # appearing in the dump. It might be a bug... fr = FuzzableRequest(self.url, method='GET', dc={u'á': ['b']}, headers=headers) self.assertEqual(fr.dump(), expected)
def __init__(self, uri, method='POST', headers=Headers(), cookie=None, dc=None): if dc is not None and not isinstance(dc, Form): msg = 'The dc parameter for forms needs to be a Form instance,'\ 'got %s instead.' % type(dc) TypeError(msg) FuzzableRequest.__init__(self, uri, method, headers, cookie, dc)
def test_variants_false_diff_params_type(self): fr = FuzzableRequest(self.url, method='GET', dc={ 'a': ['1'], 'b': ['1'] }) fr_other = FuzzableRequest(self.url, method='GET', dc={ 'a': ['2'], 'b': ['cc'] }) self.assertFalse(fr.is_variant_of(fr_other))
def test_dump_case03(self): header_value = ''.join(chr(i) for i in xrange(256)) expected = u'\r\n'.join([u'GET http://w3af.com/a/b/c.php HTTP/1.1', u'Hola: %s' % smart_unicode(header_value), u'', u'']) headers = Headers([(u'Hola', header_value)]) #TODO: Note that I'm passing a dc to the FuzzableRequest and it's not # appearing in the dump. It might be a bug... fr = FuzzableRequest(self.url, method='GET', dc={u'a': ['b']}, headers=headers) self.assertEqual(fr.dump(), expected)
def setUp(self): kb.kb.cleanup() self.plugin = path_disclosure() self.url = URL('http://www.w3af.com/foo/bar.py') self.header = Headers([('content-type', 'text/html')]) self.request = FuzzableRequest(self.url, method='GET')
def test_from_mutant(self): dc = DataContainer() url = URL('http://moth/') payloads = ['abc', 'def'] dc['a'] = [ '1', ] dc['b'] = [ '2', ] freq = FuzzableRequest(url, dc=dc) fuzzer_config = {} created_mutants = Mutant.create_mutants(freq, payloads, [], False, fuzzer_config) mutant = created_mutants[0] inst = Info.from_mutant('TestCase', 'desc' * 30, 1, 'plugin_name', mutant) self.assertIsInstance(inst, Info) self.assertEqual(inst.get_uri(), mutant.get_uri()) self.assertEqual(inst.get_url(), mutant.get_url()) self.assertEqual(inst.get_method(), mutant.get_method()) self.assertEqual(inst.get_dc(), mutant.get_dc()) self.assertEqual(inst.get_var(), mutant.get_var())
def test_find_csrf_token_true_simple(self): url = URL('http://moth/w3af/audit/csrf/') query_string = parse_qs('secret=f842eb01b87a8ee18868d3bf80a558f3') freq = FuzzableRequest(url, method='GET', dc=query_string) token = self.csrf_plugin._find_csrf_token(freq) self.assertIn('secret', token)
def test_delay_controlled_random(self): for expected_result, delays in self.TEST_SUITE: mock_uri_opener = Mock() side_effect = generate_delays(delays, rand_range=(0, 2)) mock_uri_opener.send_mutant = MagicMock(side_effect=side_effect) delay_obj = ExactDelay('sleep(%s)') url = URL('http://moth/?id=1') req = FuzzableRequest(url) mutant = QSMutant(req) mutant.set_dc(url.querystring) mutant.set_var('id', 0) ed = ExactDelayController(mutant, delay_obj, mock_uri_opener) controlled, responses = ed.delay_is_controlled() # This is where we change from test_delay_controlled, the basic # idea is that we'll allow false negatives but no false positives if expected_result == True: expected_result = [True, False] else: expected_result = [ False, ] self.assertIn(controlled, expected_result, delays)
def test_blank_body_code(self): body = '' headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(401, body, headers, self.url, self.url, _id=1) request = FuzzableRequest(self.url, method='GET') self.plugin.grep(request, response) self.assertEqual(len(kb.kb.get('blank_body', 'blank_body')), 0)
def test_strange_http_codes(self): body = '' url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) request = FuzzableRequest(url, method='GET') resp_200 = HTTPResponse(200, body, headers, url, url, _id=1) resp_404 = HTTPResponse(404, body, headers, url, url, _id=1) KNOWN_GOOD = [resp_200, resp_404] resp_999 = HTTPResponse(999, body, headers, url, url, _id=1) resp_123 = HTTPResponse(123, body, headers, url, url, _id=1) resp_567 = HTTPResponse(567, body, headers, url, url, _id=1) resp_666 = HTTPResponse(666, body, headers, url, url, _id=1) resp_777 = HTTPResponse(777, body, headers, url, url, _id=1) KNOWN_BAD = [resp_999, resp_123, resp_567, resp_666, resp_777] for resp in KNOWN_GOOD: kb.kb.cleanup() self.plugin.grep(request, resp) self.assertEquals(len(kb.kb.get('strange_http_codes', 'strange_http_codes')), 0) for resp in KNOWN_BAD: kb.kb.cleanup() self.plugin.grep(request, resp) self.assertEquals(len(kb.kb.get('strange_http_codes', 'strange_http_codes')), 1)
def test_blank_body_method(self): body = '' headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, self.url, self.url, _id=1) request = FuzzableRequest(self.url, method='ARGENTINA') self.plugin.grep(request, response) self.assertEqual(len(kb.kb.get('ssn', 'ssn')), 0)
def test_find_csrf_token_false(self): url = URL('http://moth/w3af/audit/csrf/') query_string = parse_qs('secret=not a token') freq = FuzzableRequest(url, method='GET', dc=query_string) token = self.csrf_plugin._find_csrf_token(freq) self.assertNotIn('secret', token)
def test_handle_exception(self): url = URL('http://moth/') fr = FuzzableRequest(url) try: raise Exception() except Exception, e: self.bc.handle_exception('audit', 'sqli', fr, e)
def test_clamav_workers(self, *args): WAIT_TIME = 3 DELTA = WAIT_TIME * 0.1 # Prepare the mocked plugin def wait(x, y): time.sleep(WAIT_TIME) self.plugin._is_properly_configured = Mock(return_value=True) self.plugin._scan_http_response = wait self.plugin._report_result = lambda x: 42 start_time = time.time() for i in xrange(3): body = '' url = URL('http://www.w3af.com/%s' % i) headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) # Let the worker pool wait for the clamd response, this is done by # the core when run in a real scan self.plugin.worker_pool.close() self.plugin.worker_pool.join() end_time = time.time() time_spent = end_time - start_time findings = kb.kb.get('clamav', 'malware') self.assertEqual(len(findings), 0, findings) self.assertLessEqual(time_spent, WAIT_TIME + DELTA)
def test_mutant_creation(self): self.dc['a'] = [ '1', ] self.dc['b'] = [ '2', ] freq = FuzzableRequest(self.url, dc=self.dc) created_mutants = Mutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) expected_dc_lst = [ DataContainer([('a', ['abc']), ('b', ['2'])]), DataContainer([('a', ['def']), ('b', ['2'])]), DataContainer([('a', ['1']), ('b', ['abc'])]), DataContainer([('a', ['1']), ('b', ['def'])]) ] created_dc_lst = [i.get_dc() for i in created_mutants] self.assertEqual(created_dc_lst, expected_dc_lst) self.assertEqual(created_mutants[0].get_var(), 'a') self.assertEqual(created_mutants[0].get_var_index(), 0) self.assertEqual(created_mutants[0].get_original_value(), '1') self.assertEqual(created_mutants[2].get_var(), 'b') self.assertEqual(created_mutants[2].get_var_index(), 0) self.assertEqual(created_mutants[2].get_original_value(), '2') self.assertTrue(all(isinstance(m, Mutant) for m in created_mutants)) self.assertTrue( all(m.get_mutant_class() == 'Mutant' for m in created_mutants))
def test_mutant_generic_methods(self): self.dc['a'] = [ '1', ] self.dc['b'] = [ '2', ] freq = FuzzableRequest(self.url, dc=self.dc) created_mutants = Mutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) mutant = created_mutants[0] self.assertEqual(repr(mutant), '<mutant-generic | GET | http://moth/ >') self.assertEqual(mutant.print_mod_value(), 'The data that was sent is: "None".') self.assertNotEqual(id(mutant.copy()), id(mutant)) self.assertRaises(ValueError, mutant.get_original_response_body) body = 'abcdef123' mutant.set_original_response_body(body) self.assertEqual(mutant.get_original_response_body(), body)
def profile_me(): ''' To be profiled ''' for _ in xrange(1): for counter in xrange(1, 5): file_name = 'test-' + str(counter) + '.html' file_path = os.path.join('plugins', 'tests', 'grep', 'data', file_name) body = file(file_path).read() hdrs = Headers({'Content-Type': 'text/html'}.items()) response = HTTPResponse(200, body, hdrs, URL(self.url_str + str(counter)), URL(self.url_str + str(counter)), _id=random.randint(1, 5000)) request = FuzzableRequest(self.url_inst) for pinst in self._plugins: pinst.grep(request, response) for pinst in self._plugins: pinst.end()
def test_mutant_creation_repeated_params(self): self.dc['a'] = ['1', '2'] self.dc['b'] = [ '3', ] freq = FuzzableRequest(self.url, dc=self.dc) created_mutants = Mutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) expected_dc_lst = [ DataContainer([('a', ['abc', '2']), ('b', ['3'])]), DataContainer([('a', ['def', '2']), ('b', ['3'])]), DataContainer([('a', ['1', 'abc']), ('b', ['3'])]), DataContainer([('a', ['1', 'def']), ('b', ['3'])]), DataContainer([('a', ['1', '2']), ('b', ['abc'])]), DataContainer([('a', ['1', '2']), ('b', ['def'])]) ] created_dc_lst = [i.get_dc() for i in created_mutants] self.assertEqual(created_dc_lst, expected_dc_lst) self.assertEqual(created_mutants[0].get_var(), 'a') self.assertEqual(created_mutants[0].get_var_index(), 0) self.assertEqual(created_mutants[0].get_original_value(), '1') self.assertEqual(created_mutants[2].get_var(), 'a') self.assertEqual(created_mutants[2].get_var_index(), 1) self.assertEqual(created_mutants[2].get_original_value(), '2')
def setUp(self): create_temp_dir() kb.kb.cleanup() self.plugin = ajax() self.url = URL('http://www.w3af.com/') self.request = FuzzableRequest(self.url) kb.kb.clear('ajax', 'ajax')
def test_private_ip_find_10(self): body = 'header 10.2.34.2 footer' url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEquals(len(kb.kb.get('private_ip', 'HTML')), 1)
def test_private_ip_broken_html(self): body = '<html><head>192.168.1.1</html>' url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEquals(len(kb.kb.get('private_ip', 'HTML')), 1)
def test_phishtank_no_match(self): phishtank_inst = self.w3afcore.plugins.get_plugin_inst('crawl', 'phishtank') phishtank_inst.crawl(FuzzableRequest(URL(self.safe_url))) vulns = self.kb.get('phishtank', 'phishtank') self.assertEqual(len(vulns), 0, vulns)
def test_ajax_two(self): body = '<script> ... xhr = new XMLHttpRequest(); ... xhr = new ActiveXObject("Microsoft.XMLHTTP"); ... </script>' url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEquals(len(kb.kb.get('ajax', 'ajax')), 1)
def test_dump_mangle(self): fr = FuzzableRequest(URL("http://www.w3af.com/"),\ headers=Headers([('Host','www.w3af.com'),])) expected = u'\r\n'.join([u'GET http://www.w3af.com/ HTTP/1.1', u'Host: www.w3af.com', u'', u'']) self.assertEqual(fr.dump(), expected) fr.set_method('POST') fr.set_data('data=23') expected = u'\r\n'.join([u'POST http://www.w3af.com/ HTTP/1.1', u'Host: www.w3af.com', u'', u'data=23']) self.assertEqual(fr.dump(), expected)
def test_set_url(self): self.assertRaises(TypeError, FuzzableRequest, 'http://www.google.com/') url = URL('http://www.google.com/') r = FuzzableRequest(url) self.assertEqual(r.get_url(), url)
def test_variants_false_diff_meths(self): # Different methods fr_get = FuzzableRequest(self.url, method='GET', dc={'a': ['1']}) fr_post = FuzzableRequest(self.url, method='POST', dc={'a': ['1']}) self.assertFalse(fr_get.is_variant_of(fr_post))
def test_variants_commutative(self): # 'is_variant_of' is commutative fr = FuzzableRequest(self.url, method='POST', dc={'a': ['1']}) fr_other = FuzzableRequest(self.url, method='POST', dc={'a': ['1']}) self.assertTrue(fr.is_variant_of(fr_other)) self.assertTrue(fr_other.is_variant_of(fr))
def test_variants_false_diff_params_type(self): fr = FuzzableRequest( self.url, method='GET', dc={'a': ['1'], 'b': ['1']}) fr_other = FuzzableRequest( self.url, method='GET', dc={'a': ['2'], 'b': ['cc']}) self.assertFalse(fr.is_variant_of(fr_other))
def test_variants_true_similar_params_two(self): fr = FuzzableRequest(self.url, method='GET', dc={'a': ['b']}) fr_other = FuzzableRequest(self.url, method='GET', dc={'a': ['']}) self.assertTrue(fr.is_variant_of(fr_other))
def test_export_without_dc(self): fr = FuzzableRequest(URL("http://www.w3af.com/")) self.assertEqual(fr.export(), 'GET,http://www.w3af.com/,')
def test_variants_false_nonetype_in_params(self): fr = FuzzableRequest(self.url, method='GET', dc={'a': [None]}) fr_other = FuzzableRequest(self.url, method='GET', dc={'a': ['s']}) self.assertFalse(fr.is_variant_of(fr_other))