def test_are_url_similar__when_url_are_not_similar__returns_false(self):
long_url = "http://www.pomodoro.com/content=pepe/rare.htm"
short_url = "http://www.potato.com/"
links_finder = LinksFinder(long_url)
links_finder.url = short_url
self.assertFalse(links_finder.are_url_similar(long_url))
def test_does_page_contains_form__page_has_at_least_a_form__returns_true(
self):
links_finder = LinksFinder(ANY_NOT_SECURED_URL)
browser = MagicMock()
browser.get_forms = MagicMock(return_value=["form"])
self.assertTrue(links_finder.does_page_contains_form(browser))
def test_get_valid_links__returns_list_of_url(self):
links_finder = LinksFinder(ANY_NOT_SECURED_URL)
expected_url_list = links_finder.url_list
links_finder.add_valid_links = MagicMock()
actual_url_list = links_finder.get_valid_links()
self.assertEqual(expected_url_list, actual_url_list)
def test_get_url_base__returns_url_base(self):
long_url = "http://www.potato.com/content=pepe/rare.htm"
expected_url = "http://www.potato.com/"
links_finder = LinksFinder(expected_url)
actual_url = links_finder.get_url_base(long_url)
self.assertEqual(expected_url, actual_url)
def test_add_valid_link__when_the_link_is_invalid__then_the_link_is_not_in_list(
self):
links_finder = LinksFinder(ANY_NOT_SECURED_URL)
link = MagicMock()
browser = RoboBrowser(parser=PARSER, history=True)
browser.follow_link = MagicMock(side_effect=RoboError)
links_finder.add_valid_link(browser, link)
actual_url_list = links_finder.url_list
self.assertTrue(link not in actual_url_list)
def test_add_valid_link__when_the_link_is_another_web_site__then_the_link_is_not_in_list(
self):
links_finder = LinksFinder(ANY_NOT_SECURED_URL)
link = MagicMock()
browser = MagicMock()
browser.follow_link = MagicMock()
links_finder.are_url_similar = MagicMock(return_value=False)
links_finder.add_valid_link(browser, link)
actual_url_list = links_finder.url_list
self.assertTrue(link not in actual_url_list)
def test_add_valid_link__when_link_is_invalid__then_the_browser_is_on_the_same_url(
self):
links_finder = LinksFinder(ANY_NOT_SECURED_URL)
link = MagicMock()
browser = MagicMock()
url_before = browser.url
browser.follow_link = MagicMock(side_effect=RoboError)
links_finder.add_valid_link(browser, link)
url_after = browser.url
self.assertTrue(url_before == url_after)
def test_add_valid_link__when_url_are_not_similar__then_the_browser_is_on_the_same_url(
self):
links_finder = LinksFinder(ANY_NOT_SECURED_URL)
link = MagicMock()
browser = MagicMock()
url_before = browser.url
browser.follow_link = MagicMock()
links_finder.are_url_similar = MagicMock(return_value=False)
links_finder.add_valid_link(browser, link)
url_after = browser.url
self.assertTrue(url_before == url_after)
class XSSFinder:
def __init__(self, url):
self.list_xss = []
# self.url = url
self.browser = RoboBrowser(parser=PARSER, history=True)
self.browser.open(url)
self.links_finder = LinksFinder(self.browser.url)
def find(self):
links = self.links_finder.get_valid_links()
for link in links:
self.browser.open(link)
forms = self.browser.get_forms()
for form in forms:
fields = form.fields
for field in fields:
form[field].value = VULNERABILITY_TESTING_STRING
self.validate_xss_weakness(form, field)
def validate_xss_weakness(self, form, field):
try:
self.browser.submit_form(form)
self.add_threat_to_list(field, form.method)
except InvalidSubmitError:
pass
def add_threat_to_list(self, parameter, xss_type):
threat = XSSFlaw(self.browser.url, parameter, xss_type)
if threat not in self.list_xss:
self.list_xss.append(threat)
def get_xss_flaws(self):
self.find()
if len(self.list_xss) == 0:
return NO_RESULT_FOUND
else:
result = EMPTY_STRING
for xss_threat in self.list_xss:
result += URL
result += xss_threat.get_url()
result += NEW_LINE
result += PARAMETER
result += xss_threat.get_parameter()
result += NEW_LINE
result += TYPE
result += xss_threat.get_xss_type()
result += TWO_NEW_LINES
return result
def test_add_valid_link__when_the_valid_url_is_not_in_the_list__then_the_url_added_in_the_list(
self):
links_finder = LinksFinder(ANY_NOT_SECURED_URL)
link_url = ANY_NOT_SECURED_URL + "login"
link = MagicMock()
browser = MagicMock()
browser.follow_link = MagicMock()
browser.url = PropertyMock(link_url)
links_finder.are_url_similar = MagicMock(return_value=True)
links_finder.does_page_contains_form = MagicMock(return_value=True)
links_finder.add_valid_link(browser, link)
self.assertTrue(browser.url in links_finder.url_list)
def test_add_valid_link__when_the_link_page_has_no_form__then_the_link_is_not_in_list(
self):
links_finder = LinksFinder(ANY_NOT_SECURED_URL)
link = MagicMock()
link_url = ANY_NOT_SECURED_URL + "login"
browser = MagicMock()
browser.url = PropertyMock(link_url)
browser.follow_link = MagicMock()
links_finder.are_url_similar = MagicMock(return_value=True)
links_finder.does_page_contains_form = MagicMock(return_value=False)
links_finder.add_valid_link(browser, link)
actual_url_list = links_finder.url_list
self.assertTrue(link not in actual_url_list)
def test_add_valid_link__when_url_is_in_the_list__then_the_browser_is_on_the_same_url(
self):
links_finder = LinksFinder(ANY_NOT_SECURED_URL)
link = MagicMock()
link_url = ANY_NOT_SECURED_URL + "login"
links_finder.url_list.append(link_url)
browser = MagicMock()
url_before = browser.url
browser.follow_link = MagicMock()
links_finder.are_url_similar = MagicMock(return_value=True)
links_finder.does_page_contains_form = MagicMock(return_value=True)
links_finder.add_valid_link(browser, link)
url_after = browser.url
self.assertTrue(url_before == url_after)
def __init__(self, url):
self.list_xss = []
# self.url = url
self.browser = RoboBrowser(parser=PARSER, history=True)
self.browser.open(url)
self.links_finder = LinksFinder(self.browser.url)
def test_does_page_contains_form__page_has_no_form__returns_false(self):
links_finder = LinksFinder(ANY_NOT_SECURED_URL)
browser = MagicMock()
browser.get_forms = MagicMock(return_value=[])
self.assertFalse(links_finder.does_page_contains_form(browser))