def test_false_positive_detection(self): # Test whether false positives in database are identified properly response = { 'scenario_id': '1', 'req_headers': 'headers', 'req_body': 'body', 'url': 'url', 'req_method': 'method', 'timestamp': datetime.datetime.utcnow(), 'server_protocol_error': False, 'server_timeout': False, 'server_error_text_detected': False, 'server_error_text_matched': 'matched_text', 'resp_statuscode': 'statuscode', 'resp_headers': 'resp_headers', 'resp_body': 'resp_body', 'resp_history': 'resp_history' } # First add one false positive and try checking against it dbtools.add_false_positive(self.context, response) self.assertEqual(dbtools.known_false_positive(self.context, response), True, "Duplicate false positive not detected") # Change one of the differentiating fields, and test, and # add the tested one to the database. response['scenario_id'] = '2' # Non-duplicate self.assertEqual(dbtools.known_false_positive(self.context, response), False, "Not a duplicate: scenario_id different") dbtools.add_false_positive(self.context, response) # Repeat for all the differentiating fields response['server_protocol_error'] = 'Error text' self.assertEqual(dbtools.known_false_positive(self.context, response), False, "Not a duplicate: server_protocol_error different") dbtools.add_false_positive(self.context, response) response['resp_statuscode'] = '500' self.assertEqual(dbtools.known_false_positive(self.context, response), False, "Not a duplicate: resp_statuscode different") dbtools.add_false_positive(self.context, response) response['server_timeout'] = True self.assertEqual(dbtools.known_false_positive(self.context, response), False, "Not a duplicate: server_timeout different") dbtools.add_false_positive(self.context, response) response['server_error_text_detected'] = True self.assertEqual( dbtools.known_false_positive(self.context, response), False, "Not a duplicate: server_error_text_detected different") dbtools.add_false_positive(self.context, response) # Finally, test the last one again twice, now it ought to be # reported back as a duplicate self.assertEqual(dbtools.known_false_positive(self.context, response), True, "A duplicate case not detected")
def step_impl(context): """Go through responses and save any that timed out into the database """ new_findings = 0 for response in context.responses: if response.get('server_timeout') is True: if fuzzdb.known_false_positive(context, response) is False: fuzzdb.add_false_positive(context, response) new_findings += 1 if new_findings > 0: context.new_findings += new_findings assert True
def step_impl(context): """Go through responses and store any with HTTP protocol errors (as caught by Requests) into the database """ new_findings = 0 for response in context.responses: if response.get('server_protocol_error') is not None: if fuzzdb.known_false_positive(context, response) is False: fuzzdb.add_false_positive(context, response) new_findings += 1 if new_findings > 0: context.new_findings += new_findings assert True
def step_impl(context, returncode_list): """Go through responses and store any with suspect return codes into the database """ disallowed_returncodes = unpack_integer_range(returncode_list) new_findings = 0 for response in context.responses: if response['resp_statuscode'] in disallowed_returncodes: if fuzzdb.known_false_positive(context, response) is False: fuzzdb.add_false_positive(context, response) new_findings += 1 if new_findings > 0: context.new_findings += new_findings assert True
def step_impl(context): """Go through responses and store any that contain a string from user-supplied list of strings into the database """ # Create a regex from the error response list error_list = [] for row in context.table: error_list.append(row['string']) error_list_regex = "(" + ")|(".join(error_list) + ")" # For each response, check that it isn't in the error response list new_findings = 0 for response in context.responses: if re.search(error_list_regex, response.get('resp_body'), re.IGNORECASE) is not None: response['server_error_text_detected'] = True if fuzzdb.known_false_positive(context, response) is False: fuzzdb.add_false_positive(context, response) new_findings += 1 if new_findings > 0: context.new_findings += new_findings assert True
def test_false_positive_detection(self): # Test whether false positives in database are identified properly response = {'scenario_id': '1', 'req_headers': 'headers', 'req_body': 'body', 'url': 'url', 'req_method': 'method', 'timestamp': datetime.datetime.utcnow(), 'server_protocol_error': False, 'server_timeout': False, 'server_error_text_detected': False, 'server_error_text_matched': 'matched_text', 'resp_statuscode': 'statuscode', 'resp_headers': 'resp_headers', 'resp_body': 'resp_body', 'resp_history': 'resp_history'} # First add one false positive and try checking against it dbtools.add_false_positive(self.context, response) self.assertEqual(dbtools.known_false_positive(self.context, response), True, "Duplicate false positive not detected") # Change one of the differentiating fields, and test, and # add the tested one to the database. response['scenario_id'] = '2' # Non-duplicate self.assertEqual(dbtools.known_false_positive(self.context, response), False, "Not a duplicate: scenario_id different") dbtools.add_false_positive(self.context, response) # Repeat for all the differentiating fields response['server_protocol_error'] = 'Error text' self.assertEqual(dbtools.known_false_positive(self.context, response), False, "Not a duplicate: server_protocol_error different") dbtools.add_false_positive(self.context, response) response['resp_statuscode'] = '500' self.assertEqual(dbtools.known_false_positive(self.context, response), False, "Not a duplicate: resp_statuscode different") dbtools.add_false_positive(self.context, response) response['server_timeout'] = True self.assertEqual(dbtools.known_false_positive(self.context, response), False, "Not a duplicate: server_timeout different") dbtools.add_false_positive(self.context, response) response['server_error_text_detected'] = True self.assertEqual(dbtools.known_false_positive(self.context, response), False, "Not a duplicate: server_error_text_detected different") dbtools.add_false_positive(self.context, response) # Finally, test the last one again twice, now it ought to be # reported back as a duplicate self.assertEqual(dbtools.known_false_positive(self.context, response), True, "A duplicate case not detected")