def setUp(self):
self.kb.cleanup()
self.w3afcore = w3afCore()
self.misc_settings = MiscSettings()
self.request_callback_call_count = 0
self.request_callback_match = 0
if self.MOCK_RESPONSES:
httpretty.reset()
httpretty.enable()
try:
url = URL(self.target_url)
except ValueError, ve:
msg = ('When using MOCK_RESPONSES you need to set the'
' target_url attribute to a valid URL, exception was:'
' "%s".')
raise Exception(msg % ve)
domain = url.get_domain()
proto = url.get_protocol()
port = url.get_port()
self._register_httpretty_uri(proto, domain, port)
def test_default_proto(self):
"""
http is the default protocol, we can provide URLs with no proto
"""
u = URL('w3af.com')
self.assertEqual(u.get_domain(), 'w3af.com')
self.assertEqual(u.get_protocol(), 'http')
def test_websocket_secure_proto(self):
"""
We can also parse and handle ws and wss protocols
"""
u = URL('wss://w3af.com')
self.assertEqual(u.get_domain(), 'w3af.com')
self.assertEqual(u.get_protocol(), 'wss')
def test_websocket_secure_proto(self):
"""
We can also parse and handle ws and wss protocols
"""
u = URL('wss://w3af.com')
self.assertEqual(u.get_domain(), 'w3af.com')
self.assertEqual(u.get_protocol(), 'wss')
def test_default_proto(self):
"""
http is the default protocol, we can provide URLs with no proto
"""
u = URL('w3af.com')
self.assertEqual(u.get_domain(), 'w3af.com')
self.assertEqual(u.get_protocol(), 'http')
def setUp(self):
self.kb.cleanup()
self.w3afcore = w3afCore()
if self.MOCK_RESPONSES:
httpretty.enable()
try:
url = URL(self.target_url)
except ValueError, ve:
msg = 'When using MOCK_RESPONSES you need to set the'\
' target_url attribute to a valid URL, exception was:'\
' "%s".'
raise Exception(msg % ve)
domain = url.get_domain()
proto = url.get_protocol()
port = url.get_port()
self._register_httpretty_uri(proto, domain, port)
def alert_if_target_is_301_all(self):
"""
Alert the user when the configured target is set to a site which will
301 redirect all requests to https://
:see: https://github.com/andresriancho/w3af/issues/14976
:return: True if the site returns 301 for all resources. Also an Info
instance is saved to the KB in order to alert the user.
"""
site_does_redirect = False
msg = ('The configured target domain redirects all HTTP requests to a'
' different location. The most common scenarios are:\n\n'
''
' * HTTP redirect to HTTPS\n'
' * domain.com redirect to www.domain.com\n\n'
''
'While the scan engine can identify URLs and vulnerabilities'
' using the current configuration it might be wise to start'
' a new scan setting the target URL to the redirect target.')
targets = cf.cf.get('targets')
for url in targets:
# We test if the target URLs are redirecting to a different protocol
# or domain.
try:
http_response = self._w3af_core.uri_opener.GET(url,
cache=False)
except ScanMustStopByUserRequest:
# Not a real error, the user stopped the scan
raise
except Exception, e:
emsg = 'Exception found during alert_if_target_is_301_all(): "%s"'
emsg %= e
om.out.debug(emsg)
raise ScanMustStopException(emsg)
else:
if 300 <= http_response.get_code() <= 399:
# Get the redirect target
lower_headers = http_response.get_lower_case_headers()
redirect_url = None
for header_name in ('location', 'uri'):
if header_name in lower_headers:
header_value = lower_headers[header_name]
header_value = header_value.strip()
try:
redirect_url = URL(header_value)
except ValueError:
# No special invalid URL handling required
continue
if not redirect_url:
continue
# Check if the protocol was changed:
target_proto = url.get_protocol()
redirect_proto = redirect_url.get_protocol()
if target_proto != redirect_proto:
site_does_redirect = True
break
# Check if the domain was changed:
target_domain = url.get_domain()
redirect_domain = redirect_url.get_domain()
if target_domain != redirect_domain:
site_does_redirect = True
break
def test_set_protocol(self):
u = URL("http://1.2.3.4")
self.assertEqual(u.get_protocol(), 'http')
u.set_protocol('https')
self.assertEqual(u.get_protocol(), 'https')
def test_set_protocol(self):
u = URL("http://1.2.3.4")
self.assertEqual(u.get_protocol(), 'http')
u.set_protocol('https')
self.assertEqual(u.get_protocol(), 'https')
def alert_if_target_is_301_all(self):
"""
Alert the user when the configured target is set to a site which will
301 redirect all requests to https://
:see: https://github.com/andresriancho/w3af/issues/14976
:return: True if the site returns 301 for all resources. Also an Info
instance is saved to the KB in order to alert the user.
"""
site_does_redirect = False
msg = ('The configured target domain redirects all HTTP requests to a'
' different location. The most common scenarios are:\n\n'
''
' * HTTP redirect to HTTPS\n'
' * domain.com redirect to www.domain.com\n\n'
''
'While the scan engine can identify URLs and vulnerabilities'
' using the current configuration it might be wise to start'
' a new scan setting the target URL to the redirect target.')
targets = cf.cf.get('targets')
for url in targets:
# We test if the target URLs are redirecting to a different protocol
# or domain.
try:
http_response = self._w3af_core.uri_opener.GET(url, cache=False)
except ScanMustStopByUserRequest:
# Not a real error, the user stopped the scan
raise
except Exception, e:
emsg = 'Exception found during alert_if_target_is_301_all(): "%s"'
emsg %= e
om.out.debug(emsg)
raise ScanMustStopException(emsg)
else:
if 300 <= http_response.get_code() <= 399:
# Get the redirect target
lower_headers = http_response.get_lower_case_headers()
redirect_url = None
for header_name in ('location', 'uri'):
if header_name in lower_headers:
header_value = lower_headers[header_name]
header_value = header_value.strip()
try:
redirect_url = URL(header_value)
except ValueError:
# No special invalid URL handling required
continue
if not redirect_url:
continue
# Check if the protocol was changed:
target_proto = url.get_protocol()
redirect_proto = redirect_url.get_protocol()
if target_proto != redirect_proto:
site_does_redirect = True
break
# Check if the domain was changed:
target_domain = url.get_domain()
redirect_domain = redirect_url.get_domain()
if target_domain != redirect_domain:
site_does_redirect = True
break
