def test_store_fuzzable_request_two(self): ds = DiskSet() # Add a simple fr, without post-data fr = FuzzableRequest(URL('http://example.com/?id=1')) ds.add(fr) # Add a fr with post-data form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) ds.add(fr) # Compare stored_fr = ds[1] self.assertEqual(stored_fr, fr) self.assertIsNot(stored_fr, fr)
def test_mutant_creation_qs_and_postdata(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "password"), ("value", "")]) url = URL('http://moth/foo.bar?action=login') form = URLEncodedForm(form_params) freq = FuzzableRequest(url, post_data=form) created_mutants = PostDataMutant.create_mutants( freq, self.payloads, [], False, self.fuzzer_config) created_dcs = [str(i.get_dc()) for i in created_mutants] expected_dcs = [ 'username=abc&password=FrAmE30.', 'username=John8212&password=abc', 'username=def&password=FrAmE30.', 'username=John8212&password=def' ] self.assertEqual(created_dcs, expected_dcs) for m in created_mutants: self.assertEqual(m.get_uri(), url)
def test_multipart_post(self): boundary, post_data = multipart_encode([ ('a', 'bcd'), ], []) multipart_boundary = 'multipart/form-data; boundary=%s' headers = Headers([('content-length', str(len(post_data))), ('content-type', multipart_boundary % boundary)]) fr = FuzzableRequest.from_parts(self.url, headers=headers, post_data=post_data, method='POST') form_params = FormParameters() form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) expected_container = MultipartContainer(form_params) expected_headers = Headers([('content-type', multipart_boundary % boundary)]) self.assertEqual(fr.get_url(), self.url) self.assertEqual(fr.get_headers(), expected_headers) self.assertIn('multipart/form-data', fr.get_headers()['content-type']) self.assertEqual(fr.get_method(), 'POST') self.assertIsInstance(fr.get_raw_data(), MultipartContainer) self.assertEqual(fr.get_raw_data(), expected_container)
def test_mutant_creation_repeated_parameter_name(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "id"), ("value", "")]) form_params.add_field_by_attr_items([("name", "id"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://w3af.com/?foo=3'), post_data=form, method='GET') created_mutants = PostDataMutant.create_mutants( freq, self.payloads, [], False, self.fuzzer_config) expected_dcs = [ 'id=def&id=3419', 'id=3419&id=def', 'id=3419&id=abc', 'id=abc&id=3419' ] created_dcs = [str(i.get_dc()) for i in created_mutants] self.assertEqual(set(created_dcs), set(expected_dcs)) token = created_mutants[0].get_token() self.assertEqual(token.get_name(), 'id') self.assertEqual(token.get_original_value(), '') token = created_mutants[2].get_token() self.assertEqual(token.get_name(), 'id') self.assertEqual(token.get_original_value(), '') for m in created_mutants: self.assertIsInstance(m, PostDataMutant) for m in created_mutants: self.assertEqual(m.get_method(), 'GET')
def create_vuln(self): v = super(FileUploadTemplate, self).create_vuln() form_params = FormParameters() for file_var in self.file_vars: form_params.add_field_by_attr_items([("name", file_var), ("type", "file")]) for token in self.data.iter_tokens(): if token.get_name() in self.file_vars: continue form_params.add_field_by_attr_items([("name", token.get_name()), ("type", "text"), ("value", token.get_value())]) mpc = MultipartContainer(form_params) freq = FuzzableRequest(self.url, method=self.method, post_data=mpc) mutant = PostDataMutant(freq) mutant.set_dc(mpc) mutant.set_token((self.vulnerable_parameter, 0)) # User configured settings v['file_vars'] = self.file_vars v['file_dest'] = self.file_dest v.set_mutant(mutant) return v
def create_vuln(self): v = super(FileUploadTemplate, self).create_vuln() form_params = FormParameters() for file_var in self.file_vars: form_params.add_field_by_attr_items([("name", file_var), ("type", "file")]) for token in self.data.iter_tokens(): if token.get_name() in self.file_vars: continue form_params.add_field_by_attr_items([("name", token.get_name()), ("type", "text"), ("value", token.get_value())]) mpc = MultipartContainer(form_params) freq = FuzzableRequest(self.url, method=self.method, post_data=mpc) mutant = PostDataMutant(freq) mutant.set_dc(mpc) mutant.set_token((self.vulnerable_parameter, 0)) # User configured settings v['file_vars'] = self.file_vars v['file_dest'] = self.file_dest v.set_mutant(mutant) return v
def test_mutant_creation_repeated_parameter_name(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "id"), ("value", "")]) form_params.add_field_by_attr_items([("name", "id"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://w3af.com/?foo=3'), post_data=form, method='GET') created_mutants = PostDataMutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) expected_dcs = ['id=def&id=3419', 'id=3419&id=def', 'id=3419&id=abc', 'id=abc&id=3419'] created_dcs = [str(i.get_dc()) for i in created_mutants] self.assertEqual(set(created_dcs), set(expected_dcs)) token = created_mutants[0].get_token() self.assertEqual(token.get_name(), 'id') self.assertEqual(token.get_original_value(), '') token = created_mutants[2].get_token() self.assertEqual(token.get_name(), 'id') self.assertEqual(token.get_original_value(), '') for m in created_mutants: self.assertIsInstance(m, PostDataMutant) for m in created_mutants: self.assertEqual(m.get_method(), 'GET')
def test_multipart_post(self): boundary, post_data = multipart_encode([('a', 'bcd'), ], []) multipart_boundary = 'multipart/form-data; boundary=%s' headers = Headers([('content-length', str(len(post_data))), ('content-type', multipart_boundary % boundary)]) fr = FuzzableRequest.from_parts(self.url, headers=headers, post_data=post_data, method='POST') form_params = FormParameters() form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) expected_container = MultipartContainer(form_params) expected_headers = Headers([('content-type', multipart_boundary % boundary)]) self.assertEqual(fr.get_url(), self.url) self.assertEqual(fr.get_headers(), expected_headers) self.assertIn('multipart/form-data', fr.get_headers()['content-type']) self.assertEqual(fr.get_method(), 'POST') self.assertIsInstance(fr.get_raw_data(), MultipartContainer) self.assertEqual(fr.get_raw_data(), expected_container)
def test_is_suitable(self): url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) res = HTTPResponse(200, 'body', headers, url, url) # False because no cookie is set and no QS nor post-data url = URL('http://moth/') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req, res) self.assertFalse(suitable) # False because no cookie is set url = URL('http://moth/?id=3') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req, res) self.assertFalse(suitable) url_sends_cookie = URL( get_w3af_moth_http('/w3af/core/cookie_handler/set-cookie.php')) self.uri_opener.GET(url_sends_cookie) # Still false because it doesn't have any QS or POST data url = URL('http://moth/') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req, res) self.assertFalse(suitable) self.csrf_plugin._strict_mode = True # Still false because of the strict mode url = URL('http://moth/?id=3') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req, res) self.assertFalse(suitable) # False, no items in post-data url = URL('http://moth/') req = FuzzableRequest(url, method='POST', post_data=URLEncodedForm()) suitable = self.csrf_plugin._is_suitable(req, res) self.assertFalse(suitable) # True, items in DC, POST (passes strict mode) and cookies url = URL('http://moth/') form_params = FormParameters() form_params.add_field_by_attr_items([('name', 'test'), ('type', 'text')]) form = URLEncodedForm(form_params) req = FuzzableRequest(url, method='POST', post_data=form) suitable = self.csrf_plugin._is_suitable(req, res) self.assertTrue(suitable) self.csrf_plugin._strict_mode = False # True now that we have strict mode off, cookies and QS url = URL('http://moth/?id=3') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req, res) self.assertTrue(suitable)
def test_sent_post_data(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", """d'z"0""")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form = dc_from_form_params(form_params) f = FuzzableRequest(URL('http://example.com/'), post_data=form) self.assertTrue(f.sent('d%5C%27z%5C%220'))
def test_sent_post_data(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", """d'z"0""")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form = dc_from_form_params(form_params) f = FuzzableRequest(URL('http://example.com/'), post_data=form) self.assertTrue(f.sent('d%5C%27z%5C%220'))
def create_simple_fuzzable_request(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) return FuzzableRequest.from_form(form)
def create_simple_fuzzable_request(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) return FuzzableRequest.from_form(form)
def create_fuzzable_request(_id): url_fmt = 'http://example.com/product/%s' form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.set_action(URL(url_fmt % _id)) form_params.set_method('post') form = dc_from_form_params(form_params) return FuzzableRequest.from_form(form)
def test_dc_from_form_params_without_files_nor_enctype(self): form_params = FormParameters() form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) urlencode_dc = dc_from_form_params(form_params) self.assertIsInstance(urlencode_dc, URLEncodedForm) self.assertEqual(urlencode_dc.get_file_vars(), []) self.assertEqual(urlencode_dc['a'], ['bcd'])
def test_dc_from_form_params_without_files_with_multipart_enctype(self): form_params = FormParameters() form_params.set_form_encoding('multipart/form-data') form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) mpdc = dc_from_form_params(form_params) self.assertIsInstance(mpdc, MultipartContainer) self.assertEqual(mpdc.get_file_vars(), []) self.assertEqual(mpdc['a'], ['bcd'])
def test_is_suitable(self): # False because no cookie is set and no QS nor post-data url = URL('http://moth/') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) # False because no cookie is set url = URL('http://moth/?id=3') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) url_sends_cookie = URL( 'http://moth/w3af/core/cookie_handler/set-cookie.php') self.uri_opener.GET(url_sends_cookie) # Still false because it doesn't have any QS or POST data url = URL('http://moth/') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) self.csrf_plugin._strict_mode = True # Still false because of the strict mode url = URL('http://moth/?id=3') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) # False, no items in post-data url = URL('http://moth/') req = FuzzableRequest(url, method='POST', post_data=URLEncodedForm()) suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) # True, items in DC, POST (passes strict mode) and cookies url = URL('http://moth/') form_params = FormParameters() form_params.add_field_by_attr_items([('name', 'test'), ('type', 'text')]) form = URLEncodedForm(form_params) req = FuzzableRequest(url, method='POST', post_data=form) suitable = self.csrf_plugin._is_suitable(req) self.assertTrue(suitable) self.csrf_plugin._strict_mode = False # True now that we have strict mode off, cookies and QS url = URL('http://moth/?id=3') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertTrue(suitable)
def create_fuzzable_request(_id): url_fmt = 'http://example.com/product/%s' form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.set_action(URL(url_fmt % _id)) form_params.set_method('post') form = dc_from_form_params(form_params) return FuzzableRequest.from_form(form)
def test_dc_from_form_params_without_files_nor_enctype(self): form_params = FormParameters() form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) urlencode_dc = dc_from_form_params(form_params) self.assertIsInstance(urlencode_dc, URLEncodedForm) self.assertEqual(urlencode_dc.get_file_vars(), []) self.assertEqual(urlencode_dc['a'], ['bcd'])
def test_dc_from_form_params_without_files_with_multipart_enctype(self): form_params = FormParameters() form_params.set_form_encoding('multipart/form-data') form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) mpdc = dc_from_form_params(form_params) self.assertIsInstance(mpdc, MultipartContainer) self.assertEqual(mpdc.get_file_vars(), []) self.assertEqual(mpdc['a'], ['bcd'])
def test_dc_from_form_params_with_files(self): form_params = FormParameters() form_params.add_field_by_attr_items([('name', 'b'), ('type', 'file')]) form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) form_params.set_file_name('b', 'hello.txt') mpdc = dc_from_form_params(form_params) self.assertIsInstance(mpdc, MultipartContainer) self.assertEqual(mpdc.get_file_vars(), ['b']) self.assertEqual(mpdc['a'], ['bcd'])
def create_fuzzable_request(_id): path_count = _id * 5 paths = [rand_alnum(9) for _ in xrange(path_count)] url = 'http://example.com/%s' % '/'.join(paths) form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.set_action(URL(url)) form_params.set_method('post') form = dc_from_form_params(form_params) return FuzzableRequest.from_form(form)
def test_clean_form_fuzzable_request_form(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) expected = u'(POST)-http://example.com/' \ u'?id=number!username=string&address=string' self.assertEqual(clean_fuzzable_request(fr), expected)
def upload_file(self, _file): form_params = FormParameters() form_params.add_field_by_attr_items([('name', 'uploadedfile')]) form_params.add_field_by_attr_items([('name', 'MAX_FILE_SIZE'), ('type', 'hidden'), ('value', '10000')]) mpc = MultipartContainer(form_params) mpc['uploadedfile'][0] = _file resp = self.opener.POST(self.MOTH_FILE_UP_URL, data=str(mpc), headers=Headers(mpc.get_headers())) self.assertIn('was successfully uploaded', resp.get_body())
def test_mutant_creation(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form, method='PUT') created_mutants = PostDataMutant.create_mutants( freq, self.payloads, [], False, self.fuzzer_config) expected_dcs = [ 'username=def&address=Bonsai%20Street%20123', 'username=abc&address=Bonsai%20Street%20123', 'username=John8212&address=def', 'username=John8212&address=abc' ] created_dcs = [str(i.get_dc()) for i in created_mutants] self.assertEqual(set(created_dcs), set(expected_dcs)) token = created_mutants[0].get_token() self.assertEqual(token.get_name(), 'username') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'abc') token = created_mutants[1].get_token() self.assertEqual(token.get_name(), 'address') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'abc') token = created_mutants[2].get_token() self.assertEqual(token.get_name(), 'username') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'def') token = created_mutants[3].get_token() self.assertEqual(token.get_name(), 'address') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'def') for m in created_mutants: self.assertIsInstance(m, PostDataMutant) for m in created_mutants: self.assertEqual(m.get_method(), 'PUT')
def test_clean_form_fuzzable_request_form(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) expected = u'(POST)-http://example.com/' \ u'?id=number!username=string&address=string' self.assertEqual(clean_fuzzable_request(fr), expected)
def test_found_at(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form, method='PUT') m = PostDataMutant(freq) m.get_dc().set_token(('username', 0)) expected = '"http://www.w3af.com/?id=3", using HTTP method PUT. '\ 'The sent post-data was: "username=&address=" '\ 'which modifies the "username" parameter.' self.assertEqual(m.found_at(), expected)
def test_from_form_POST(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) self.assertIs(fr.get_uri(), form.get_action()) self.assertIs(fr.get_raw_data(), form) self.assertEqual(fr.get_method(), 'POST') self.assertEqual(fr.get_uri().querystring, QueryString([('id', ['1'])]))
def test_dc_from_form_params_with_files(self): form_params = FormParameters() form_params.add_field_by_attr_items([('name', 'b'), ('type', 'file')]) form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) form_params.set_file_name('b', 'hello.txt') mpdc = dc_from_form_params(form_params) self.assertIsInstance(mpdc, MultipartContainer) self.assertEqual(mpdc.get_file_vars(), ['b']) self.assertEqual(mpdc['a'], ['bcd'])
def upload_file(self, _file): form_params = FormParameters() form_params.add_field_by_attr_items([('name', 'uploadedfile')]) form_params.add_field_by_attr_items([('name', 'MAX_FILE_SIZE'), ('type', 'hidden'), ('value', '10000')]) mpc = MultipartContainer(form_params) mpc['uploadedfile'][0] = _file resp = self.opener.POST(self.MOTH_FILE_UP_URL, data=str(mpc), headers=Headers(mpc.get_headers())) self.assertIn('was successfully uploaded', resp.get_body())
def test_from_form_POST(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) self.assertIs(fr.get_uri(), form.get_action()) self.assertIs(fr.get_raw_data(), form) self.assertEqual(fr.get_method(), 'POST') self.assertEqual(fr.get_uri().querystring, QueryString([('id', ['1'])]))
def test_upload_file_using_fuzzable_request(self): form_params = FormParameters() form_params.add_field_by_attr_items([('name', 'uploadedfile')]) form_params['uploadedfile'][0] = NamedStringIO('file content', name='test.txt') form_params.add_field_by_attr_items([('name', 'MAX_FILE_SIZE'), ('type', 'hidden'), ('value', '10000')]) mpc = MultipartContainer(form_params) freq = FuzzableRequest(self.MOTH_FILE_UP_URL, post_data=mpc, method='POST') resp = self.opener.send_mutant(freq) self.assertIn('was successfully uploaded', resp.get_body())
def create_simple_filecontent_mutant(self, container_klass): form_params = FormParameters() form_params.set_method('POST') form_params.set_action(self.url) form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.add_field_by_attr_items([("name", "file"), ("type", "file")]) form = container_klass(form_params) freq = FuzzableRequest.from_form(form) m = FileContentMutant(freq) m.get_dc().set_token(('file', 0)) m.set_token_value('abc') return m
def create_fuzzable_request(_id): path_count = _id * 5 paths = [rand_alnum(9) for _ in xrange(path_count)] url = 'http://example.com/%s' % '/'.join(paths) form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.set_action(URL(url)) form_params.set_method('post') form = dc_from_form_params(form_params) return FuzzableRequest.from_form(form)
def test_mutant_creation(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form, method='PUT') created_mutants = PostDataMutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) expected_dcs = ['username=def&address=Bonsai%20Street%20123', 'username=abc&address=Bonsai%20Street%20123', 'username=John8212&address=def', 'username=John8212&address=abc'] created_dcs = [str(i.get_dc()) for i in created_mutants] self.assertEqual(set(created_dcs), set(expected_dcs)) token = created_mutants[0].get_token() self.assertEqual(token.get_name(), 'username') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'abc') token = created_mutants[1].get_token() self.assertEqual(token.get_name(), 'address') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'abc') token = created_mutants[2].get_token() self.assertEqual(token.get_name(), 'username') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'def') token = created_mutants[3].get_token() self.assertEqual(token.get_name(), 'address') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'def') for m in created_mutants: self.assertIsInstance(m, PostDataMutant) for m in created_mutants: self.assertEqual(m.get_method(), 'PUT')
def test_from_form_default(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/')) # Without a method #form_params.set_method('GET') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) expected_url = 'http://example.com/?username=abc&address=' self.assertEqual(fr.get_uri().url_string, expected_url) self.assertEqual(fr.get_uri().querystring, 'username=abc&address=') self.assertIsInstance(fr.get_uri().querystring, URLEncodedForm) self.assertEqual(fr.get_method(), 'GET') self.assertIsNot(fr.get_raw_data(), form)
def test_from_form_default(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/')) # Without a method #form_params.set_method('GET') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) expected_url = 'http://example.com/?username=abc&address=' self.assertEqual(fr.get_uri().url_string, expected_url) self.assertEqual(fr.get_uri().querystring, 'username=abc&address=') self.assertIsInstance(fr.get_uri().querystring, URLEncodedForm) self.assertEqual(fr.get_method(), 'GET') self.assertIsNot(fr.get_raw_data(), form)
def test_should_inject_form_hidden(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("type", "text")]) form_params.add_field_by_attr_items([("name", "csrf_token"), ("type", "hidden")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/'), post_data=form, method='PUT') m = PostDataMutant(freq) m.get_dc().set_token(('username', 0)) self.assertFalse(self.plugin._should_inject(m, 'python')) m.get_dc().set_token(('csrf_token', 0)) self.assertTrue(self.plugin._should_inject(m, 'python'))
def test_store_fuzzable_request(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) ds = DiskSet() ds.add(fr) stored_fr = ds[0] self.assertEqual(stored_fr, fr) self.assertIsNot(stored_fr, fr)
def test_upload_file_using_fuzzable_request(self): form_params = FormParameters() form_params.add_field_by_attr_items([('name', 'uploadedfile')]) form_params['uploadedfile'][0] = NamedStringIO('file content', name='test.txt') form_params.add_field_by_attr_items([('name', 'MAX_FILE_SIZE'), ('type', 'hidden'), ('value', '10000')]) mpc = MultipartContainer(form_params) freq = FuzzableRequest(self.MOTH_FILE_UP_URL, post_data=mpc, method='POST') resp = self.opener.send_mutant(freq) self.assertIn('was successfully uploaded', resp.get_body())
def test_form_file_post_no_files(self): cf_singleton.save('fuzzable_headers', []) cf_singleton.save('fuzz_cookies', False) cf_singleton.save('fuzz_url_filenames', False) cf_singleton.save('fuzzed_files_extension', 'gif') cf_singleton.save('fuzz_form_files', True) # This one changed cf_singleton.save('fuzz_url_parts', False) form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form, method='PUT') mutants = create_mutants(freq, self.payloads) self.assertTrue(all(isinstance(m, QSMutant) for m in mutants[:2])) self.assertTrue(all( isinstance(m, PostDataMutant) for m in mutants[4:])) self.assertTrue(all(m.get_method() == 'PUT' for m in mutants)) expected_uris = { 'http://www.w3af.com/?id=abc', 'http://www.w3af.com/?id=def', 'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3' } created_uris = set([i.get_uri().url_string for i in mutants]) self.assertEqual(expected_uris, created_uris) expected_dcs = { 'id=abc', 'id=def', 'username=abc&address=Bonsai%20Street%20123', 'username=def&address=Bonsai%20Street%20123', 'username=John8212&address=abc', 'username=John8212&address=def' } created_dcs = set([str(i.get_dc()) for i in mutants]) self.assertEqual(created_dcs, expected_dcs)
def test_form_file_post_no_files(self): cf_singleton.save('fuzzable_headers', []) cf_singleton.save('fuzz_cookies', False) cf_singleton.save('fuzz_url_filenames', False) cf_singleton.save('fuzzed_files_extension', 'gif') cf_singleton.save('fuzz_form_files', True) # This one changed cf_singleton.save('fuzz_url_parts', False) form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form, method='PUT') mutants = create_mutants(freq, self.payloads) self.assertTrue(all(isinstance(m, QSMutant) for m in mutants[:2])) self.assertTrue(all(isinstance(m, PostDataMutant) for m in mutants[4:])) self.assertTrue(all(m.get_method() == 'PUT' for m in mutants)) expected_uris = {'http://www.w3af.com/?id=abc', 'http://www.w3af.com/?id=def', 'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3'} created_uris = set([i.get_uri().url_string for i in mutants]) self.assertEqual(expected_uris, created_uris) expected_dcs = {'id=abc', 'id=def', 'username=abc&address=Bonsai%20Street%20123', 'username=def&address=Bonsai%20Street%20123', 'username=John8212&address=abc', 'username=John8212&address=def'} created_dcs = set([str(i.get_dc()) for i in mutants]) self.assertEqual(created_dcs, expected_dcs)
def test_mutant_creation_file(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "default")]) form_params.add_field_by_attr_items([("name", "file_upload"), ("type", "file")]) form = MultipartContainer(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/upload'), post_data=form, method='POST') payloads = [file(__file__)] created_mutants = PostDataMutant.create_mutants(freq, payloads, ['file_upload', ], False, self.fuzzer_config) self.assertEqual(len(created_mutants), 1, created_mutants) mutant = created_mutants[0] self.assertIsInstance(mutant.get_token().get_value(), file) self.assertEqual(mutant.get_dc()['username'][0], 'default')
def test_mutant_creation_qs_and_postdata(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "password"), ("value", "")]) url = URL('http://moth/foo.bar?action=login') form = URLEncodedForm(form_params) freq = FuzzableRequest(url, post_data=form) created_mutants = PostDataMutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) created_dcs = [str(i.get_dc()) for i in created_mutants] expected_dcs = ['username=abc&password=FrAmE30.', 'username=John8212&password=abc', 'username=def&password=FrAmE30.', 'username=John8212&password=def'] self.assertEqual(created_dcs, expected_dcs) for m in created_mutants: self.assertEqual(m.get_uri(), url)
def create_simple_filecontent_mutant(self, container_klass): form_params = FormParameters() form_params.set_method('POST') form_params.set_action(self.url) form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.add_field_by_attr_items([("name", "file"), ("type", "file")]) form = container_klass(form_params) freq = FuzzableRequest.from_form(form) m = FileContentMutant(freq) m.get_dc().set_token(('file', 0)) m.set_token_value('abc') return m
def test_generate_all(self): fuzzer_config = {'fuzz_form_files': True, 'fuzzed_files_extension': 'gif'} form_params = FormParameters() form_params.set_method('POST') form_params.set_action(self.url) form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.add_field_by_attr_items([("name", "image"), ("type", "file")]) form = MultipartContainer(form_params) freq = FuzzableRequest.from_form(form) ph = 'w3af.core.data.constants.file_templates.file_templates.rand_alpha' with patch(ph) as mock_rand_alpha: mock_rand_alpha.return_value = 'upload' generated_mutants = FileContentMutant.create_mutants(freq, self.payloads, [], False, fuzzer_config) self.assertEqual(len(generated_mutants), 2, generated_mutants) _, file_payload_abc, _ = get_template_with_payload('gif', 'abc') _, file_payload_def, _ = get_template_with_payload('gif', 'def') file_abc = NamedStringIO(file_payload_abc, 'upload.gif') file_def = NamedStringIO(file_payload_def, 'upload.gif') form_1 = MultipartContainer(copy.deepcopy(form_params)) form_2 = MultipartContainer(copy.deepcopy(form_params)) form_1['image'] = [file_abc] form_1['username'] = ['John8212'] form_1['address'] = ['Bonsai Street 123'] form_2['image'] = [file_def] form_2['username'] = ['John8212'] form_2['address'] = ['Bonsai Street 123'] expected_forms = [form_1, form_2] boundary = get_boundary() noop = '1' * len(boundary) expected_data = [encode_as_multipart(f, boundary) for f in expected_forms] expected_data = set([s.replace(boundary, noop) for s in expected_data]) generated_forms = [m.get_dc() for m in generated_mutants] generated_data = [str(f).replace(f.boundary, noop) for f in generated_forms] self.assertEqual(expected_data, set(generated_data)) str_file = generated_forms[0]['image'][0].get_value() self.assertIsInstance(str_file, NamedStringIO) self.assertEqual(str_file.name[-4:], '.gif') self.assertEqual(file_payload_abc, str_file) str_file = generated_forms[1]['image'][0].get_value() self.assertIsInstance(str_file, NamedStringIO) self.assertEqual(str_file.name[-4:], '.gif') self.assertEqual(file_payload_def, str_file) self.assertIn('name="image"; filename="upload.gif"', generated_data[0])
def test_mutant_creation_post_data(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.add_field_by_attr_items([("name", "image"), ("type", "file")]) form = MultipartContainer(form_params) freq = FuzzableRequest(self.url, post_data=form) ph = 'w3af.core.data.constants.file_templates.file_templates.rand_alpha' with patch(ph) as mock_rand_alpha: mock_rand_alpha.return_value = 'upload' generated_mutants = PostDataMutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) self.assertEqual(len(generated_mutants), 6, generated_mutants) _, gif_file_content, _ = get_file_from_template('gif') gif_named_stringio = NamedStringIO(gif_file_content, 'upload.gif') expected_forms = [] form = MultipartContainer(copy.deepcopy(form_params)) form['image'] = [gif_named_stringio] form['username'] = ['def'] form['address'] = ['Bonsai Street 123'] expected_forms.append(form) form = MultipartContainer(copy.deepcopy(form_params)) form['image'] = [gif_named_stringio] form['username'] = ['abc'] form['address'] = ['Bonsai Street 123'] expected_forms.append(form) # TODO: Please note that these two multipart forms are a bug, since # they should never be created by PostDataMutant.create_mutants # (they are not setting the image as a file, just as a string) form = MultipartContainer(copy.deepcopy(form_params)) form['image'] = ['def'] form['username'] = ['John8212'] form['address'] = ['Bonsai Street 123'] expected_forms.append(form) form = MultipartContainer(copy.deepcopy(form_params)) form['image'] = ['abc'] form['username'] = ['John8212'] form['address'] = ['Bonsai Street 123'] expected_forms.append(form) # # TODO: /end # form = MultipartContainer(copy.deepcopy(form_params)) form['image'] = [gif_named_stringio] form['username'] = ['John8212'] form['address'] = ['abc'] expected_forms.append(form) form = MultipartContainer(copy.deepcopy(form_params)) form['image'] = [gif_named_stringio] form['username'] = ['John8212'] form['address'] = ['def'] expected_forms.append(form) boundary = get_boundary() noop = '1' * len(boundary) expected_data = [encode_as_multipart(f, boundary) for f in expected_forms] expected_data = set([s.replace(boundary, noop) for s in expected_data]) generated_forms = [m.get_dc() for m in generated_mutants] generated_data = [str(f).replace(f.boundary, noop) for f in generated_forms] self.assertEqual(expected_data, set(generated_data)) str_file = generated_forms[0]['image'][0] self.assertIsInstance(str_file, NamedStringIO) self.assertEqual(str_file.name[-4:], '.gif') self.assertEqual(gif_file_content, str_file) str_file = generated_forms[1]['image'][0] self.assertIsInstance(str_file, NamedStringIO) self.assertEqual(str_file.name[-4:], '.gif') self.assertEqual(gif_file_content, str_file) self.assertIn('name="image"; filename="upload.gif"', generated_data[0])
def test_mutant_creation_post_data(self): form_params = FormParameters() form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.add_field_by_attr_items([("name", "image"), ("type", "file")]) form = MultipartContainer(form_params) freq = FuzzableRequest(self.url, post_data=form) ph = 'w3af.core.data.constants.file_templates.file_templates.rand_alpha' with patch(ph) as mock_rand_alpha: mock_rand_alpha.return_value = 'upload' generated_mutants = PostDataMutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) self.assertEqual(len(generated_mutants), 6, generated_mutants) _, gif_file_content, _ = get_file_from_template('gif') gif_named_stringio = NamedStringIO(gif_file_content, 'upload.gif') expected_forms = [] form = MultipartContainer(copy.deepcopy(form_params)) form['image'] = [gif_named_stringio] form['username'] = ['def'] form['address'] = ['Bonsai Street 123'] expected_forms.append(form) form = MultipartContainer(copy.deepcopy(form_params)) form['image'] = [gif_named_stringio] form['username'] = ['abc'] form['address'] = ['Bonsai Street 123'] expected_forms.append(form) # TODO: Please note that these two multipart forms are a bug, since # they should never be created by PostDataMutant.create_mutants # (they are not setting the image as a file, just as a string) form = MultipartContainer(copy.deepcopy(form_params)) form['image'] = ['def'] form['username'] = ['John8212'] form['address'] = ['Bonsai Street 123'] expected_forms.append(form) form = MultipartContainer(copy.deepcopy(form_params)) form['image'] = ['abc'] form['username'] = ['John8212'] form['address'] = ['Bonsai Street 123'] expected_forms.append(form) # # TODO: /end # form = MultipartContainer(copy.deepcopy(form_params)) form['image'] = [gif_named_stringio] form['username'] = ['John8212'] form['address'] = ['abc'] expected_forms.append(form) form = MultipartContainer(copy.deepcopy(form_params)) form['image'] = [gif_named_stringio] form['username'] = ['John8212'] form['address'] = ['def'] expected_forms.append(form) boundary = get_boundary() noop = '1' * len(boundary) expected_data = [encode_as_multipart(f, boundary) for f in expected_forms] expected_data = set([s.replace(boundary, noop) for s in expected_data]) generated_forms = [m.get_dc() for m in generated_mutants] generated_data = [str(f).replace(f.boundary, noop) for f in generated_forms] self.assertEqual(expected_data, set(generated_data)) str_file = generated_forms[0]['image'][0] self.assertIsInstance(str_file, NamedStringIO) self.assertEqual(str_file.name[-4:], '.gif') self.assertEqual(gif_file_content, str_file) str_file = generated_forms[1]['image'][0] self.assertIsInstance(str_file, NamedStringIO) self.assertEqual(str_file.name[-4:], '.gif') self.assertEqual(gif_file_content, str_file) self.assertIn('name="image"; filename="upload.gif"', generated_data[0])
def test_generate_all(self): fuzzer_config = { 'fuzz_form_files': True, 'fuzzed_files_extension': 'gif' } form_params = FormParameters() form_params.set_method('POST') form_params.set_action(self.url) form_params.add_field_by_attr_items([("name", "username"), ("value", "")]) form_params.add_field_by_attr_items([("name", "address"), ("value", "")]) form_params.add_field_by_attr_items([("name", "image"), ("type", "file")]) form = MultipartContainer(form_params) freq = FuzzableRequest.from_form(form) ph = 'w3af.core.data.constants.file_templates.file_templates.rand_alpha' with patch(ph) as mock_rand_alpha: mock_rand_alpha.return_value = 'upload' generated_mutants = FileContentMutant.create_mutants( freq, self.payloads, [], False, fuzzer_config) self.assertEqual(len(generated_mutants), 2, generated_mutants) _, file_payload_abc, _ = get_template_with_payload('gif', 'abc') _, file_payload_def, _ = get_template_with_payload('gif', 'def') file_abc = NamedStringIO(file_payload_abc, 'upload.gif') file_def = NamedStringIO(file_payload_def, 'upload.gif') form_1 = MultipartContainer(copy.deepcopy(form_params)) form_2 = MultipartContainer(copy.deepcopy(form_params)) form_1['image'] = [file_abc] form_1['username'] = ['John8212'] form_1['address'] = ['Bonsai Street 123'] form_2['image'] = [file_def] form_2['username'] = ['John8212'] form_2['address'] = ['Bonsai Street 123'] expected_forms = [form_1, form_2] boundary = get_boundary() noop = '1' * len(boundary) expected_data = [ encode_as_multipart(f, boundary) for f in expected_forms ] expected_data = set([s.replace(boundary, noop) for s in expected_data]) generated_forms = [m.get_dc() for m in generated_mutants] generated_data = [ str(f).replace(f.boundary, noop) for f in generated_forms ] self.assertEqual(expected_data, set(generated_data)) str_file = generated_forms[0]['image'][0].get_value() self.assertIsInstance(str_file, NamedStringIO) self.assertEqual(str_file.name[-4:], '.gif') self.assertEqual(file_payload_abc, str_file) str_file = generated_forms[1]['image'][0].get_value() self.assertIsInstance(str_file, NamedStringIO) self.assertEqual(str_file.name[-4:], '.gif') self.assertEqual(file_payload_def, str_file) self.assertIn('name="image"; filename="upload.gif"', generated_data[0])