def test_delay_controlled_random(self):
    """
    Run ExactDelayController over every TEST_SUITE entry using mocked
    delays generated with rand_range=(0, 2).

    The difference from test_delay_controlled is the acceptance rule: a
    missed detection (false negative) is tolerated, a false positive is
    not. When the suite expects False the controller must answer False.
    """
    for expected_result, delays in self.TEST_SUITE:
        # Single-argument form; prints the same text as the Python 2
        # print statement
        print(delays)

        # send_mutant is mocked, so no HTTP request leaves the test
        opener = Mock()
        opener.send_mutant = MagicMock(
            side_effect=generate_delays(delays, rand_range=(0, 2)))

        delay_obj = ExactDelay('sleep(%s)')

        url = URL('http://moth/?id=1')
        mutant = QSMutant(FuzzableRequest(url))
        mutant.set_dc(url.querystring)
        mutant.set_var('id', 0)

        controller = ExactDelayController(mutant, delay_obj, opener)
        controlled, responses = controller.delay_is_controlled()

        # Expected True: either verdict passes. Expected False: only False.
        acceptable = [True, False] if expected_result == True else [False]
        self.assertIn(controlled, acceptable, delays)
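def test_kb_list_shells_rfi_port_scan_2181(self):
    """
    A PortScanShell appended to the knowledge base must come back from
    kb.get_all_shells() equal to the stored shell and bound to the
    uri_opener and worker_pool of the w3afCore passed in.

    :see: https://github.com/andresriancho/w3af/issues/2181
    """
    w3af_core = w3afCore()

    # quit() runs in a finally block so the core is shut down even when
    # one of the assertions below fails.
    try:
        vuln = MockVuln()
        url = URL('http://moth/?a=1')
        freq = FuzzableRequest(url)
        exploit_mutant = QSMutant.create_mutants(freq, [''], [], False, {})[0]

        shell = PortScanShell(vuln, w3af_core.uri_opener,
                              w3af_core.worker_pool, exploit_mutant)
        kb.append('a', 'b', shell)

        shells = kb.get_all_shells(w3af_core=w3af_core)
        self.assertEqual(len(shells), 1)

        unpickled_shell = shells[0]
        self.assertEqual(shell, unpickled_shell)

        # Identity, not equality: the returned shell has to reference the
        # live core objects themselves.
        self.assertIs(unpickled_shell._uri_opener, w3af_core.uri_opener)
        self.assertIs(unpickled_shell.worker_pool, w3af_core.worker_pool)
        self.assertEqual(unpickled_shell._exploit_mutant, exploit_mutant)
    finally:
        w3af_core.quit()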
def test_mutant_creation_repeated_parameter_names(self):
    """
    With a repeated parameter name (?id=1&id=2) create_mutants must fuzz
    each occurrence on its own and record which occurrence was changed.
    """
    self.url = URL('http://moth/?id=1&id=2')
    request = HTTPQSRequest(self.url)
    mutants = QSMutant.create_mutants(request, self.payloads, [], False,
                                      self.fuzzer_config)

    # Expected order: first "id" fuzzed with each payload, then the second
    value_lists = (['abc', '2'], ['def', '2'], ['1', 'abc'], ['1', 'def'])
    expected = [DataContainer([('id', values)]) for values in value_lists]
    actual = [m.get_dc() for m in mutants]
    self.assertEqual(actual, expected)

    # (mutant position, index of the fuzzed occurrence, its original value)
    for position, var_index, original in ((0, 0, '1'), (2, 1, '2')):
        fuzzed = mutants[position]
        self.assertEqual(fuzzed.get_var(), 'id')
        self.assertEqual(fuzzed.get_var_index(), var_index)
        self.assertEqual(fuzzed.get_original_value(), original)

    self.assertTrue(all(isinstance(m, QSMutant) for m in mutants))
def test_mutant_creation_repeated_parameter_names(self):
    """
    With a repeated parameter name (?id=1&id=2) each mutant must change
    exactly one occurrence, and its token must report the name, the
    original value and the injected value of that occurrence.
    """
    self.url = URL('http://moth/?id=1&id=2')
    request = FuzzableRequest(self.url)
    mutants = QSMutant.create_mutants(request, self.payloads, [], False,
                                      self.fuzzer_config)

    expected_dcs = ['id=abc&id=2',
                    'id=1&id=abc',
                    'id=def&id=2',
                    'id=1&id=def']
    created_dcs = [str(m.get_dc()) for m in mutants]
    self.assertEqual(expected_dcs, created_dcs)

    # (mutant position, original value of the occurrence that was fuzzed)
    for position, original in ((0, '1'), (1, '2')):
        token = mutants[position].get_token()
        self.assertIsInstance(token, DataToken)
        self.assertEqual(token.get_name(), 'id')
        self.assertEqual(token.get_original_value(), original)
        self.assertEqual(token.get_value(), 'abc')

    self.assertTrue(all(isinstance(m, QSMutant) for m in mutants))
def test_mutant_creation_repeated_parameter_names(self):
    """
    Check mutant creation for a query string that repeats a parameter
    name: every mutant changes a single "id" occurrence and exposes it
    through a DataToken.
    """
    self.url = URL('http://moth/?id=1&id=2')
    fuzzable = FuzzableRequest(self.url)
    result = QSMutant.create_mutants(fuzzable, self.payloads, [], False,
                                     self.fuzzer_config)

    expected_dcs = ['id=abc&id=2', 'id=1&id=abc',
                    'id=def&id=2', 'id=1&id=def']
    created_dcs = []
    for created in result:
        created_dcs.append(str(created.get_dc()))
    self.assertEqual(expected_dcs, created_dcs)

    # The first two mutants carry the same payload, one per occurrence
    first_token = result[0].get_token()
    self.assertIsInstance(first_token, DataToken)
    self.assertEqual(first_token.get_name(), 'id')
    self.assertEqual(first_token.get_original_value(), '1')
    self.assertEqual(first_token.get_value(), 'abc')

    second_token = result[1].get_token()
    self.assertIsInstance(second_token, DataToken)
    self.assertEqual(second_token.get_name(), 'id')
    self.assertEqual(second_token.get_original_value(), '2')
    self.assertEqual(second_token.get_value(), 'abc')

    only_qs_mutants = all(isinstance(m, QSMutant) for m in result)
    self.assertTrue(only_qs_mutants)
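def test_mutant_creation(self):
    """
    create_mutants on ?a=1&b=2 must yield one QSMutant per
    (parameter, payload) pair, each exposing the fuzzed parameter
    through a DataToken.
    """
    self.url = URL("http://moth/?a=1&b=2")
    freq = FuzzableRequest(self.url)

    created_mutants = QSMutant.create_mutants(freq, self.payloads, [],
                                              False, self.fuzzer_config)

    expected_dcs = ["a=abc&b=2", "a=1&b=abc", "a=def&b=2", "a=1&b=def"]
    created_dcs = [str(m.get_dc()) for m in created_mutants]
    self.assertEqual(expected_dcs, created_dcs)

    # (mutant position, parameter name, original value)
    for position, name, original in ((0, "a", "1"), (1, "b", "2")):
        token = created_mutants[position].get_token()
        # The type check runs on the token being inspected in this
        # iteration, so the second mutant's token is verified as well.
        self.assertIsInstance(token, DataToken)
        self.assertEqual(token.get_name(), name)
        self.assertEqual(token.get_original_value(), original)
        self.assertEqual(token.get_value(), "abc")

    self.assertTrue(all(isinstance(m, QSMutant) for m in created_mutants))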
def test_mutant_creation_repeated_parameter_names(self):
    """
    Repeated parameter names (?id=1&id=2): every occurrence gets its own
    mutants, and each mutant reports the index of the occurrence it
    changed together with that occurrence's original value.
    """
    self.url = URL('http://moth/?id=1&id=2')
    qs_request = HTTPQSRequest(self.url)
    produced = QSMutant.create_mutants(qs_request, self.payloads, [], False,
                                       self.fuzzer_config)

    expected_dc_lst = []
    for values in (['abc', '2'], ['def', '2'], ['1', 'abc'], ['1', 'def']):
        expected_dc_lst.append(DataContainer([('id', values)]))

    created_dc_lst = [mutant.get_dc() for mutant in produced]
    self.assertEqual(created_dc_lst, expected_dc_lst)

    # Mutant 0 changed the first occurrence of "id"
    first = produced[0]
    self.assertEqual(first.get_var(), 'id')
    self.assertEqual(first.get_var_index(), 0)
    self.assertEqual(first.get_original_value(), '1')

    # Mutant 2 changed the second occurrence of "id"
    third = produced[2]
    self.assertEqual(third.get_var(), 'id')
    self.assertEqual(third.get_var_index(), 1)
    self.assertEqual(third.get_original_value(), '2')

    self.assertTrue(all(isinstance(m, QSMutant) for m in produced))
def test_should_not_inject_qs_with_digit(self):
    """
    A query-string value that is only a digit must be rejected by the
    plugin's _should_inject check for the 'python' language.
    """
    self.url = URL('http://moth/?id=1')
    request = FuzzableRequest(self.url)

    mutants = QSMutant.create_mutants(request, self.payloads, [], False,
                                      self.fuzzer_config)
    first_mutant = mutants[0]

    decision = self.plugin._should_inject(first_mutant, 'python')
    self.assertFalse(decision)
def test_should_not_inject_random_binary(self):
    """
    Arbitrary binary bytes in the query string must be rejected by the
    plugin's _should_inject check for the 'java' language.
    """
    binary_value = '\x00\x01\x02'
    self.url = URL('http://moth/?id=%s' % binary_value)
    request = FuzzableRequest(self.url)

    mutants = QSMutant.create_mutants(request, self.payloads, [], False,
                                      self.fuzzer_config)
    first_mutant = mutants[0]

    decision = self.plugin._should_inject(first_mutant, 'java')
    self.assertFalse(decision)
def test_should_not_inject_qs_with_b64(self):
    """
    Base64 of plain text must be rejected by the plugin's _should_inject
    check for the 'python' language: being valid base64 is not enough
    for a value to be selected.
    """
    encoded_text = base64.b64encode('just some random b64 data here')
    self.url = URL('http://moth/?id=%s' % encoded_text)
    request = FuzzableRequest(self.url)

    mutants = QSMutant.create_mutants(request, self.payloads, [], False,
                                      self.fuzzer_config)
    first_mutant = mutants[0]

    decision = self.plugin._should_inject(first_mutant, 'python')
    self.assertFalse(decision)
def test_delay_controlled(self):
    """
    Run AproxDelayController over every TEST_SUITE entry with mocked
    response delays and require its verdict to match the expected one
    exactly.
    """
    for expected_result, delays in self.TEST_SUITE:
        # send_mutant is mocked, so no HTTP request leaves the test
        opener = Mock()
        opener.send_mutant = MagicMock(side_effect=generate_delays(delays))

        delay_obj = AproxDelay('%s9!', '1', 10)

        url = URL('http://moth/?id=1')
        mutant = QSMutant(FuzzableRequest(url))
        mutant.set_dc(url.querystring)
        mutant.set_token(('id', 0))

        controller = AproxDelayController(mutant, delay_obj, opener)
        controlled, responses = controller.delay_is_controlled()

        # delays is passed as the failure message to identify the entry
        self.assertEqual(expected_result, controlled, delays)
def test_delay_controlled(self):
    """
    Run ExactDelayController over every TEST_SUITE entry and require its
    verdict to match the expected one exactly.

    An ExtendedUrllib instance is used as the opener, with send_mutant
    replaced by a mock that follows the delays of the current entry.
    """
    for expected_result, delays in self.TEST_SUITE:
        uri_opener = ExtendedUrllib()
        # Replacing send_mutant keeps the test off the network
        uri_opener.send_mutant = MagicMock(
            side_effect=generate_delays(delays))

        delay_obj = ExactDelay('sleep(%s)')

        url = URL('http://moth/?id=1')
        mutant = QSMutant(FuzzableRequest(url))
        mutant.set_dc(url.querystring)
        mutant.set_token(('id', 0))

        controller = ExactDelayController(mutant, delay_obj, uri_opener)
        controlled, responses = controller.delay_is_controlled()

        # delays is passed as the failure message to identify the entry
        self.assertEqual(expected_result, controlled, delays)
def test_should_not_inject_qs_with_b64_pickle_java(self):
    """
    A base64-encoded Python pickle must be rejected by the plugin's
    _should_inject check when the language asked about is 'java'.
    """
    encoded_pickle = base64.b64encode(cPickle.dumps(1))
    self.url = URL('http://moth/?id=%s' % encoded_pickle)
    request = FuzzableRequest(self.url)

    mutants = QSMutant.create_mutants(request, self.payloads, [], False,
                                      self.fuzzer_config)
    first_mutant = mutants[0]

    decision = self.plugin._should_inject(first_mutant, 'java')
    self.assertFalse(decision)
def test_should_inject_qs_with_pickle(self):
    """
    A raw (not base64-encoded) Python pickle in the query string must be
    accepted by the plugin's _should_inject check for 'python'.
    """
    raw_pickle = cPickle.dumps(1)
    self.url = URL('http://moth/?id=%s' % raw_pickle)
    request = FuzzableRequest(self.url)

    mutants = QSMutant.create_mutants(request, self.payloads, [], False,
                                      self.fuzzer_config)
    first_mutant = mutants[0]

    decision = self.plugin._should_inject(first_mutant, 'python')
    self.assertTrue(decision)
def test_delay_controlled_random(self):
    """
    Exercise ExactDelayController with delays built by
    generate_delays(delays, rand_range=(0, 2)) for each TEST_SUITE entry.

    Acceptance is asymmetric on purpose: false negatives are allowed,
    false positives are not. An entry expected to be controlled may
    come back either way; an entry expected not to be controlled must
    come back False.
    """
    for expected_result, delays in self.TEST_SUITE:
        # Single-argument form; prints the same text as the Python 2
        # print statement
        print(delays)

        mock_opener = Mock()
        delay_side_effect = generate_delays(delays, rand_range=(0, 2))
        # Mocked send_mutant: nothing is sent over the network
        mock_opener.send_mutant = MagicMock(side_effect=delay_side_effect)

        exact_delay = ExactDelay('sleep(%s)')

        target = URL('http://moth/?id=1')
        fuzzable = FuzzableRequest(target)
        qs_mutant = QSMutant(fuzzable)
        qs_mutant.set_dc(target.querystring)
        qs_mutant.set_var('id', 0)

        controller = ExactDelayController(qs_mutant, exact_delay,
                                          mock_opener)
        controlled, responses = controller.delay_is_controlled()

        allowed_verdicts = [False]
        if expected_result == True:
            allowed_verdicts = [True, False]

        self.assertIn(controlled, allowed_verdicts, delays)
def test_should_inject_qs_with_b64_pickle(self):
    """
    A base64-encoded Python pickle of a dict must be accepted by the
    plugin's _should_inject check for the 'python' language.
    """
    session_like = {'data': 'here', 'cookie': 'A' * 16}
    encoded_pickle = base64.b64encode(cPickle.dumps(session_like))

    self.url = URL('http://moth/?id=%s' % encoded_pickle)
    request = FuzzableRequest(self.url)

    mutants = QSMutant.create_mutants(request, self.payloads, [], False,
                                      self.fuzzer_config)
    first_mutant = mutants[0]

    decision = self.plugin._should_inject(first_mutant, 'python')
    self.assertTrue(decision)
def _generate_qs(self, fuzzable_request):
    """
    Check the URL query string.

    For every token of the query string, the token value is passed to
    self._search_wn() and the results are used as the payloads for
    mutants restricted to that token's parameter name.

    :return: A generator that yields the created mutants.
    """
    for token in fuzzable_request.get_uri().querystring.iter_tokens():
        # NOTE(review): _search_wn presumably returns words related to
        # the value - confirm against its definition
        related_words = self._search_wn(token.get_value())

        only_this_param = [token.get_name()]
        created = QSMutant.create_mutants(fuzzable_request, related_words,
                                          only_this_param, False, {})

        for mutant in created:
            yield mutant
def _generate_qs(self, fuzzable_request):
    """
    Check the URL query string.

    Every value stored under every parameter name is passed to
    self._search_wn(), and the results are used as the payloads for
    mutants restricted to that parameter name.

    :return: A generator that yields the created mutants.
    """
    query_string = fuzzable_request.get_uri().querystring

    for parameter_name in query_string:
        # A name may appear more than once (?id=1&id=2), so each value
        # stored under it is processed, not only the first one
        for orig_content in query_string[parameter_name]:
            related_words = self._search_wn(orig_content)

            created = QSMutant.create_mutants(fuzzable_request,
                                              related_words,
                                              [parameter_name], False, {})
            for mutant in created:
                yield mutant
def test_from_mutant(self):
    """
    Info.from_mutant must return an Info whose URI, URL, method and data
    container match the mutant it was built from, with a QueryString as
    the data container.
    """
    target = URL("http://moth/?a=1&b=2")
    payloads = ["abc", "def"]
    request = FuzzableRequest(target)
    fuzzer_config = {}

    mutants = QSMutant.create_mutants(request, payloads, [], False,
                                      fuzzer_config)
    mutant = mutants[0]

    inst = Info.from_mutant("TestCase", "desc" * 30, 1, "plugin_name",
                            mutant)
    self.assertIsInstance(inst, Info)

    # The same getter is called on both objects and the results compared
    for getter in ("get_uri", "get_url", "get_method", "get_dc"):
        self.assertEqual(getattr(inst, getter)(), getattr(mutant, getter)())

    self.assertIsInstance(inst.get_dc(), QueryString)
def _generate_qs(self, fuzzable_request):
    """
    Check the URL query string.

    Each value of each query-string parameter goes through
    self._search_wn(); the results become the payloads of mutants
    created only for that parameter name.

    :return: A generator that yields the created mutants.
    """
    query_string = fuzzable_request.get_uri().querystring

    for parameter_name in query_string:
        values = query_string[parameter_name]

        # Repeated parameter names: walk every stored value
        for orig_content in values:
            wordnet_result = self._search_wn(orig_content)
            fuzzable_params = [parameter_name]

            for mutant in QSMutant.create_mutants(fuzzable_request,
                                                  wordnet_result,
                                                  fuzzable_params,
                                                  False, {}):
                yield mutant
def test_from_mutant(self):
    """
    Build an Info from the first mutant of ?a=1&b=2 and check that the
    request attributes were copied from that mutant.
    """
    url = URL('http://moth/?a=1&b=2')
    fuzzable = FuzzableRequest(url)

    mutant = QSMutant.create_mutants(fuzzable, ['abc', 'def'], [], False,
                                     {})[0]

    info = Info.from_mutant('TestCase', 'desc' * 30, 1, 'plugin_name',
                            mutant)

    self.assertIsInstance(info, Info)

    self.assertEqual(info.get_uri(), mutant.get_uri())
    self.assertEqual(info.get_url(), mutant.get_url())
    self.assertEqual(info.get_method(), mutant.get_method())

    # The data container must match the mutant's and be a QueryString
    self.assertEqual(info.get_dc(), mutant.get_dc())
    self.assertIsInstance(info.get_dc(), QueryString)
def test_from_mutant(self):
    """
    Vuln.from_mutant must return a Vuln whose URI, URL, method, data
    container and token name match the mutant it was built from.
    """
    target = URL('http://moth/?a=1&b=2')
    payloads = ['abc', 'def']
    request = FuzzableRequest(target)
    fuzzer_config = {}

    mutants = QSMutant.create_mutants(request, payloads, [], False,
                                      fuzzer_config)
    mutant = mutants[0]

    inst = Vuln.from_mutant('TestCase', 'desc' * 30, 'High', 1,
                            'plugin_name', mutant)
    self.assertIsInstance(inst, Vuln)

    # The same getter is called on both objects and the results compared
    for getter in ('get_uri', 'get_url', 'get_method', 'get_dc'):
        self.assertEqual(getattr(inst, getter)(), getattr(mutant, getter)())

    # The finding has to name the parameter that was fuzzed
    fuzzed_name = mutant.get_token().get_name()
    self.assertEqual(inst.get_token_name(), fuzzed_name)
def form_pointer_factory(freq):
    """
    Build the mutant for a form request.

    :param freq: The fuzzable request.
    :return: A QSMutant when the request URI's query string is a Form
             instance, otherwise a PostDataMutant.
    """
    sent_in_query_string = isinstance(freq.get_uri().querystring, Form)
    mutant_class = QSMutant if sent_in_query_string else PostDataMutant
    return mutant_class(freq)
def test_print_mod_value(self):
    """
    print_mod_value() on a QSMutant must describe the URI that was sent.
    """
    target = URL('http://www.w3af.com/?id=3')
    mutant = QSMutant(FuzzableRequest(target))

    description = mutant.print_mod_value()

    self.assertEqual(description,
                     'The sent URI was http://www.w3af.com/?id=3 .')