def test_store_fuzzable_request_two(self):
ds = DiskSet()
# Add a simple fr, without post-data
fr = FuzzableRequest(URL('http://example.com/?id=1'))
ds.add(fr)
# Add a fr with post-data
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"),
("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
ds.add(fr)
# Compare
stored_fr = ds[1]
self.assertEqual(stored_fr, fr)
self.assertIsNot(stored_fr, fr)
def test_mutant_creation_qs_and_postdata(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("value", "")])
form_params.add_field_by_attr_items([("name", "password"),
("value", "")])
url = URL('http://moth/foo.bar?action=login')
form = URLEncodedForm(form_params)
freq = FuzzableRequest(url, post_data=form)
created_mutants = PostDataMutant.create_mutants(
freq, self.payloads, [], False, self.fuzzer_config)
created_dcs = [str(i.get_dc()) for i in created_mutants]
expected_dcs = [
'username=abc&password=FrAmE30.', 'username=John8212&password=abc',
'username=def&password=FrAmE30.', 'username=John8212&password=def'
]
self.assertEqual(created_dcs, expected_dcs)
for m in created_mutants:
self.assertEqual(m.get_uri(), url)
def test_multipart_post(self):
boundary, post_data = multipart_encode([
('a', 'bcd'),
], [])
multipart_boundary = 'multipart/form-data; boundary=%s'
headers = Headers([('content-length', str(len(post_data))),
('content-type', multipart_boundary % boundary)])
fr = FuzzableRequest.from_parts(self.url,
headers=headers,
post_data=post_data,
method='POST')
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'),
('value', 'bcd')])
expected_container = MultipartContainer(form_params)
expected_headers = Headers([('content-type',
multipart_boundary % boundary)])
self.assertEqual(fr.get_url(), self.url)
self.assertEqual(fr.get_headers(), expected_headers)
self.assertIn('multipart/form-data', fr.get_headers()['content-type'])
self.assertEqual(fr.get_method(), 'POST')
self.assertIsInstance(fr.get_raw_data(), MultipartContainer)
self.assertEqual(fr.get_raw_data(), expected_container)
def test_mutant_creation_repeated_parameter_name(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "id"), ("value", "")])
form_params.add_field_by_attr_items([("name", "id"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://w3af.com/?foo=3'),
post_data=form,
method='GET')
created_mutants = PostDataMutant.create_mutants(
freq, self.payloads, [], False, self.fuzzer_config)
expected_dcs = [
'id=def&id=3419', 'id=3419&id=def', 'id=3419&id=abc',
'id=abc&id=3419'
]
created_dcs = [str(i.get_dc()) for i in created_mutants]
self.assertEqual(set(created_dcs), set(expected_dcs))
token = created_mutants[0].get_token()
self.assertEqual(token.get_name(), 'id')
self.assertEqual(token.get_original_value(), '')
token = created_mutants[2].get_token()
self.assertEqual(token.get_name(), 'id')
self.assertEqual(token.get_original_value(), '')
for m in created_mutants:
self.assertIsInstance(m, PostDataMutant)
for m in created_mutants:
self.assertEqual(m.get_method(), 'GET')
def create_vuln(self):
v = super(FileUploadTemplate, self).create_vuln()
form_params = FormParameters()
for file_var in self.file_vars:
form_params.add_field_by_attr_items([("name", file_var),
("type", "file")])
for token in self.data.iter_tokens():
if token.get_name() in self.file_vars:
continue
form_params.add_field_by_attr_items([("name", token.get_name()),
("type", "text"),
("value", token.get_value())])
mpc = MultipartContainer(form_params)
freq = FuzzableRequest(self.url, method=self.method, post_data=mpc)
mutant = PostDataMutant(freq)
mutant.set_dc(mpc)
mutant.set_token((self.vulnerable_parameter, 0))
# User configured settings
v['file_vars'] = self.file_vars
v['file_dest'] = self.file_dest
v.set_mutant(mutant)
return v
def create_vuln(self):
v = super(FileUploadTemplate, self).create_vuln()
form_params = FormParameters()
for file_var in self.file_vars:
form_params.add_field_by_attr_items([("name", file_var), ("type", "file")])
for token in self.data.iter_tokens():
if token.get_name() in self.file_vars:
continue
form_params.add_field_by_attr_items([("name", token.get_name()),
("type", "text"),
("value", token.get_value())])
mpc = MultipartContainer(form_params)
freq = FuzzableRequest(self.url, method=self.method, post_data=mpc)
mutant = PostDataMutant(freq)
mutant.set_dc(mpc)
mutant.set_token((self.vulnerable_parameter, 0))
# User configured settings
v['file_vars'] = self.file_vars
v['file_dest'] = self.file_dest
v.set_mutant(mutant)
return v
def test_mutant_creation_repeated_parameter_name(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "id"), ("value", "")])
form_params.add_field_by_attr_items([("name", "id"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://w3af.com/?foo=3'), post_data=form,
method='GET')
created_mutants = PostDataMutant.create_mutants(freq, self.payloads, [],
False,
self.fuzzer_config)
expected_dcs = ['id=def&id=3419',
'id=3419&id=def',
'id=3419&id=abc',
'id=abc&id=3419']
created_dcs = [str(i.get_dc()) for i in created_mutants]
self.assertEqual(set(created_dcs), set(expected_dcs))
token = created_mutants[0].get_token()
self.assertEqual(token.get_name(), 'id')
self.assertEqual(token.get_original_value(), '')
token = created_mutants[2].get_token()
self.assertEqual(token.get_name(), 'id')
self.assertEqual(token.get_original_value(), '')
for m in created_mutants:
self.assertIsInstance(m, PostDataMutant)
for m in created_mutants:
self.assertEqual(m.get_method(), 'GET')
def test_multipart_post(self):
boundary, post_data = multipart_encode([('a', 'bcd'), ], [])
multipart_boundary = 'multipart/form-data; boundary=%s'
headers = Headers([('content-length', str(len(post_data))),
('content-type', multipart_boundary % boundary)])
fr = FuzzableRequest.from_parts(self.url, headers=headers,
post_data=post_data, method='POST')
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'a'),
('type', 'text'),
('value', 'bcd')])
expected_container = MultipartContainer(form_params)
expected_headers = Headers([('content-type',
multipart_boundary % boundary)])
self.assertEqual(fr.get_url(), self.url)
self.assertEqual(fr.get_headers(), expected_headers)
self.assertIn('multipart/form-data', fr.get_headers()['content-type'])
self.assertEqual(fr.get_method(), 'POST')
self.assertIsInstance(fr.get_raw_data(), MultipartContainer)
self.assertEqual(fr.get_raw_data(), expected_container)
def test_is_suitable(self):
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
res = HTTPResponse(200, 'body', headers, url, url)
# False because no cookie is set and no QS nor post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertFalse(suitable)
# False because no cookie is set
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertFalse(suitable)
url_sends_cookie = URL(
get_w3af_moth_http('/w3af/core/cookie_handler/set-cookie.php'))
self.uri_opener.GET(url_sends_cookie)
# Still false because it doesn't have any QS or POST data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertFalse(suitable)
self.csrf_plugin._strict_mode = True
# Still false because of the strict mode
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertFalse(suitable)
# False, no items in post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='POST', post_data=URLEncodedForm())
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertFalse(suitable)
# True, items in DC, POST (passes strict mode) and cookies
url = URL('http://moth/')
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'test'),
('type', 'text')])
form = URLEncodedForm(form_params)
req = FuzzableRequest(url, method='POST', post_data=form)
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertTrue(suitable)
self.csrf_plugin._strict_mode = False
# True now that we have strict mode off, cookies and QS
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req, res)
self.assertTrue(suitable)
def test_sent_post_data(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", """d'z"0""")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form = dc_from_form_params(form_params)
f = FuzzableRequest(URL('http://example.com/'), post_data=form)
self.assertTrue(f.sent('d%5C%27z%5C%220'))
def test_sent_post_data(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", """d'z"0""")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form = dc_from_form_params(form_params)
f = FuzzableRequest(URL('http://example.com/'), post_data=form)
self.assertTrue(f.sent('d%5C%27z%5C%220'))
def create_simple_fuzzable_request(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
return FuzzableRequest.from_form(form)
def create_simple_fuzzable_request(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
return FuzzableRequest.from_form(form)
def create_fuzzable_request(_id):
url_fmt = 'http://example.com/product/%s'
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
form_params.set_action(URL(url_fmt % _id))
form_params.set_method('post')
form = dc_from_form_params(form_params)
return FuzzableRequest.from_form(form)
def test_dc_from_form_params_without_files_nor_enctype(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'),
('value', 'bcd')])
urlencode_dc = dc_from_form_params(form_params)
self.assertIsInstance(urlencode_dc, URLEncodedForm)
self.assertEqual(urlencode_dc.get_file_vars(), [])
self.assertEqual(urlencode_dc['a'], ['bcd'])
def test_dc_from_form_params_without_files_with_multipart_enctype(self):
form_params = FormParameters()
form_params.set_form_encoding('multipart/form-data')
form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'),
('value', 'bcd')])
mpdc = dc_from_form_params(form_params)
self.assertIsInstance(mpdc, MultipartContainer)
self.assertEqual(mpdc.get_file_vars(), [])
self.assertEqual(mpdc['a'], ['bcd'])
def test_is_suitable(self):
# False because no cookie is set and no QS nor post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# False because no cookie is set
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
url_sends_cookie = URL(
'http://moth/w3af/core/cookie_handler/set-cookie.php')
self.uri_opener.GET(url_sends_cookie)
# Still false because it doesn't have any QS or POST data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
self.csrf_plugin._strict_mode = True
# Still false because of the strict mode
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# False, no items in post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='POST', post_data=URLEncodedForm())
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# True, items in DC, POST (passes strict mode) and cookies
url = URL('http://moth/')
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'test'), ('type', 'text')])
form = URLEncodedForm(form_params)
req = FuzzableRequest(url, method='POST', post_data=form)
suitable = self.csrf_plugin._is_suitable(req)
self.assertTrue(suitable)
self.csrf_plugin._strict_mode = False
# True now that we have strict mode off, cookies and QS
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertTrue(suitable)
def create_fuzzable_request(_id):
url_fmt = 'http://example.com/product/%s'
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("value", "abc")])
form_params.set_action(URL(url_fmt % _id))
form_params.set_method('post')
form = dc_from_form_params(form_params)
return FuzzableRequest.from_form(form)
def test_dc_from_form_params_without_files_nor_enctype(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'a'),
('type', 'text'),
('value', 'bcd')])
urlencode_dc = dc_from_form_params(form_params)
self.assertIsInstance(urlencode_dc, URLEncodedForm)
self.assertEqual(urlencode_dc.get_file_vars(), [])
self.assertEqual(urlencode_dc['a'], ['bcd'])
def test_dc_from_form_params_without_files_with_multipart_enctype(self):
form_params = FormParameters()
form_params.set_form_encoding('multipart/form-data')
form_params.add_field_by_attr_items([('name', 'a'),
('type', 'text'),
('value', 'bcd')])
mpdc = dc_from_form_params(form_params)
self.assertIsInstance(mpdc, MultipartContainer)
self.assertEqual(mpdc.get_file_vars(), [])
self.assertEqual(mpdc['a'], ['bcd'])
def test_dc_from_form_params_with_files(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'b'), ('type', 'file')])
form_params.add_field_by_attr_items([('name', 'a'), ('type', 'text'),
('value', 'bcd')])
form_params.set_file_name('b', 'hello.txt')
mpdc = dc_from_form_params(form_params)
self.assertIsInstance(mpdc, MultipartContainer)
self.assertEqual(mpdc.get_file_vars(), ['b'])
self.assertEqual(mpdc['a'], ['bcd'])
def create_fuzzable_request(_id):
path_count = _id * 5
paths = [rand_alnum(9) for _ in xrange(path_count)]
url = 'http://example.com/%s' % '/'.join(paths)
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.set_action(URL(url))
form_params.set_method('post')
form = dc_from_form_params(form_params)
return FuzzableRequest.from_form(form)
def test_clean_form_fuzzable_request_form(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
expected = u'(POST)-http://example.com/' \
u'?id=number!username=string&address=string'
self.assertEqual(clean_fuzzable_request(fr), expected)
def upload_file(self, _file):
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'uploadedfile')])
form_params.add_field_by_attr_items([('name', 'MAX_FILE_SIZE'),
('type', 'hidden'),
('value', '10000')])
mpc = MultipartContainer(form_params)
mpc['uploadedfile'][0] = _file
resp = self.opener.POST(self.MOTH_FILE_UP_URL, data=str(mpc),
headers=Headers(mpc.get_headers()))
self.assertIn('was successfully uploaded', resp.get_body())
def test_mutant_creation(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("value", "")])
form_params.add_field_by_attr_items([("name", "address"),
("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'),
post_data=form,
method='PUT')
created_mutants = PostDataMutant.create_mutants(
freq, self.payloads, [], False, self.fuzzer_config)
expected_dcs = [
'username=def&address=Bonsai%20Street%20123',
'username=abc&address=Bonsai%20Street%20123',
'username=John8212&address=def', 'username=John8212&address=abc'
]
created_dcs = [str(i.get_dc()) for i in created_mutants]
self.assertEqual(set(created_dcs), set(expected_dcs))
token = created_mutants[0].get_token()
self.assertEqual(token.get_name(), 'username')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'abc')
token = created_mutants[1].get_token()
self.assertEqual(token.get_name(), 'address')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'abc')
token = created_mutants[2].get_token()
self.assertEqual(token.get_name(), 'username')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'def')
token = created_mutants[3].get_token()
self.assertEqual(token.get_name(), 'address')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'def')
for m in created_mutants:
self.assertIsInstance(m, PostDataMutant)
for m in created_mutants:
self.assertEqual(m.get_method(), 'PUT')
def test_clean_form_fuzzable_request_form(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
expected = u'(POST)-http://example.com/' \
u'?id=number!username=string&address=string'
self.assertEqual(clean_fuzzable_request(fr), expected)
def test_found_at(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form,
method='PUT')
m = PostDataMutant(freq)
m.get_dc().set_token(('username', 0))
expected = '"http://www.w3af.com/?id=3", using HTTP method PUT. '\
'The sent post-data was: "username=&address=" '\
'which modifies the "username" parameter.'
self.assertEqual(m.found_at(), expected)
def test_from_form_POST(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
self.assertIs(fr.get_uri(), form.get_action())
self.assertIs(fr.get_raw_data(), form)
self.assertEqual(fr.get_method(), 'POST')
self.assertEqual(fr.get_uri().querystring, QueryString([('id', ['1'])]))
def test_dc_from_form_params_with_files(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'b'),
('type', 'file')])
form_params.add_field_by_attr_items([('name', 'a'),
('type', 'text'),
('value', 'bcd')])
form_params.set_file_name('b', 'hello.txt')
mpdc = dc_from_form_params(form_params)
self.assertIsInstance(mpdc, MultipartContainer)
self.assertEqual(mpdc.get_file_vars(), ['b'])
self.assertEqual(mpdc['a'], ['bcd'])
def upload_file(self, _file):
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'uploadedfile')])
form_params.add_field_by_attr_items([('name', 'MAX_FILE_SIZE'),
('type', 'hidden'),
('value', '10000')])
mpc = MultipartContainer(form_params)
mpc['uploadedfile'][0] = _file
resp = self.opener.POST(self.MOTH_FILE_UP_URL,
data=str(mpc),
headers=Headers(mpc.get_headers()))
self.assertIn('was successfully uploaded', resp.get_body())
def test_from_form_POST(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
self.assertIs(fr.get_uri(), form.get_action())
self.assertIs(fr.get_raw_data(), form)
self.assertEqual(fr.get_method(), 'POST')
self.assertEqual(fr.get_uri().querystring, QueryString([('id', ['1'])]))
def test_upload_file_using_fuzzable_request(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'uploadedfile')])
form_params['uploadedfile'][0] = NamedStringIO('file content', name='test.txt')
form_params.add_field_by_attr_items([('name', 'MAX_FILE_SIZE'),
('type', 'hidden'),
('value', '10000')])
mpc = MultipartContainer(form_params)
freq = FuzzableRequest(self.MOTH_FILE_UP_URL, post_data=mpc,
method='POST')
resp = self.opener.send_mutant(freq)
self.assertIn('was successfully uploaded', resp.get_body())
def create_simple_filecontent_mutant(self, container_klass):
form_params = FormParameters()
form_params.set_method('POST')
form_params.set_action(self.url)
form_params.add_field_by_attr_items([("name", "username"), ("value", "")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.add_field_by_attr_items([("name", "file"), ("type", "file")])
form = container_klass(form_params)
freq = FuzzableRequest.from_form(form)
m = FileContentMutant(freq)
m.get_dc().set_token(('file', 0))
m.set_token_value('abc')
return m
def create_fuzzable_request(_id):
path_count = _id * 5
paths = [rand_alnum(9) for _ in xrange(path_count)]
url = 'http://example.com/%s' % '/'.join(paths)
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"),
("value", "")])
form_params.set_action(URL(url))
form_params.set_method('post')
form = dc_from_form_params(form_params)
return FuzzableRequest.from_form(form)
def test_mutant_creation(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form,
method='PUT')
created_mutants = PostDataMutant.create_mutants(freq, self.payloads, [],
False,
self.fuzzer_config)
expected_dcs = ['username=def&address=Bonsai%20Street%20123',
'username=abc&address=Bonsai%20Street%20123',
'username=John8212&address=def',
'username=John8212&address=abc']
created_dcs = [str(i.get_dc()) for i in created_mutants]
self.assertEqual(set(created_dcs), set(expected_dcs))
token = created_mutants[0].get_token()
self.assertEqual(token.get_name(), 'username')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'abc')
token = created_mutants[1].get_token()
self.assertEqual(token.get_name(), 'address')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'abc')
token = created_mutants[2].get_token()
self.assertEqual(token.get_name(), 'username')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'def')
token = created_mutants[3].get_token()
self.assertEqual(token.get_name(), 'address')
self.assertEqual(token.get_original_value(), '')
self.assertEqual(token.get_value(), 'def')
for m in created_mutants:
self.assertIsInstance(m, PostDataMutant)
for m in created_mutants:
self.assertEqual(m.get_method(), 'PUT')
def test_from_form_default(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/'))
# Without a method
#form_params.set_method('GET')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
expected_url = 'http://example.com/?username=abc&address='
self.assertEqual(fr.get_uri().url_string, expected_url)
self.assertEqual(fr.get_uri().querystring, 'username=abc&address=')
self.assertIsInstance(fr.get_uri().querystring, URLEncodedForm)
self.assertEqual(fr.get_method(), 'GET')
self.assertIsNot(fr.get_raw_data(), form)
def test_from_form_default(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/'))
# Without a method
#form_params.set_method('GET')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
expected_url = 'http://example.com/?username=abc&address='
self.assertEqual(fr.get_uri().url_string, expected_url)
self.assertEqual(fr.get_uri().querystring, 'username=abc&address=')
self.assertIsInstance(fr.get_uri().querystring, URLEncodedForm)
self.assertEqual(fr.get_method(), 'GET')
self.assertIsNot(fr.get_raw_data(), form)
def test_should_inject_form_hidden(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("type", "text")])
form_params.add_field_by_attr_items([("name", "csrf_token"),
("type", "hidden")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/'),
post_data=form,
method='PUT')
m = PostDataMutant(freq)
m.get_dc().set_token(('username', 0))
self.assertFalse(self.plugin._should_inject(m, 'python'))
m.get_dc().set_token(('csrf_token', 0))
self.assertTrue(self.plugin._should_inject(m, 'python'))
def test_store_fuzzable_request(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "abc")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.set_action(URL('http://example.com/?id=1'))
form_params.set_method('post')
form = dc_from_form_params(form_params)
fr = FuzzableRequest.from_form(form)
ds = DiskSet()
ds.add(fr)
stored_fr = ds[0]
self.assertEqual(stored_fr, fr)
self.assertIsNot(stored_fr, fr)
def test_upload_file_using_fuzzable_request(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'uploadedfile')])
form_params['uploadedfile'][0] = NamedStringIO('file content',
name='test.txt')
form_params.add_field_by_attr_items([('name', 'MAX_FILE_SIZE'),
('type', 'hidden'),
('value', '10000')])
mpc = MultipartContainer(form_params)
freq = FuzzableRequest(self.MOTH_FILE_UP_URL,
post_data=mpc,
method='POST')
resp = self.opener.send_mutant(freq)
self.assertIn('was successfully uploaded', resp.get_body())
def test_form_file_post_no_files(self):
cf_singleton.save('fuzzable_headers', [])
cf_singleton.save('fuzz_cookies', False)
cf_singleton.save('fuzz_url_filenames', False)
cf_singleton.save('fuzzed_files_extension', 'gif')
cf_singleton.save('fuzz_form_files', True) # This one changed
cf_singleton.save('fuzz_url_parts', False)
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("value", "")])
form_params.add_field_by_attr_items([("name", "address"),
("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'),
post_data=form,
method='PUT')
mutants = create_mutants(freq, self.payloads)
self.assertTrue(all(isinstance(m, QSMutant) for m in mutants[:2]))
self.assertTrue(all(
isinstance(m, PostDataMutant) for m in mutants[4:]))
self.assertTrue(all(m.get_method() == 'PUT' for m in mutants))
expected_uris = {
'http://www.w3af.com/?id=abc', 'http://www.w3af.com/?id=def',
'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3',
'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3'
}
created_uris = set([i.get_uri().url_string for i in mutants])
self.assertEqual(expected_uris, created_uris)
expected_dcs = {
'id=abc', 'id=def', 'username=abc&address=Bonsai%20Street%20123',
'username=def&address=Bonsai%20Street%20123',
'username=John8212&address=abc', 'username=John8212&address=def'
}
created_dcs = set([str(i.get_dc()) for i in mutants])
self.assertEqual(created_dcs, expected_dcs)
def test_form_file_post_no_files(self):
cf_singleton.save('fuzzable_headers', [])
cf_singleton.save('fuzz_cookies', False)
cf_singleton.save('fuzz_url_filenames', False)
cf_singleton.save('fuzzed_files_extension', 'gif')
cf_singleton.save('fuzz_form_files', True) # This one changed
cf_singleton.save('fuzz_url_parts', False)
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form,
method='PUT')
mutants = create_mutants(freq, self.payloads)
self.assertTrue(all(isinstance(m, QSMutant) for m in mutants[:2]))
self.assertTrue(all(isinstance(m, PostDataMutant) for m in mutants[4:]))
self.assertTrue(all(m.get_method() == 'PUT' for m in mutants))
expected_uris = {'http://www.w3af.com/?id=abc',
'http://www.w3af.com/?id=def',
'http://www.w3af.com/?id=3',
'http://www.w3af.com/?id=3',
'http://www.w3af.com/?id=3',
'http://www.w3af.com/?id=3'}
created_uris = set([i.get_uri().url_string for i in mutants])
self.assertEqual(expected_uris, created_uris)
expected_dcs = {'id=abc', 'id=def',
'username=abc&address=Bonsai%20Street%20123',
'username=def&address=Bonsai%20Street%20123',
'username=John8212&address=abc',
'username=John8212&address=def'}
created_dcs = set([str(i.get_dc()) for i in mutants])
self.assertEqual(created_dcs, expected_dcs)
def test_mutant_creation_file(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "default")])
form_params.add_field_by_attr_items([("name", "file_upload"), ("type", "file")])
form = MultipartContainer(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/upload'),
post_data=form, method='POST')
payloads = [file(__file__)]
created_mutants = PostDataMutant.create_mutants(freq, payloads,
['file_upload', ],
False,
self.fuzzer_config)
self.assertEqual(len(created_mutants), 1, created_mutants)
mutant = created_mutants[0]
self.assertIsInstance(mutant.get_token().get_value(), file)
self.assertEqual(mutant.get_dc()['username'][0], 'default')
def test_mutant_creation_qs_and_postdata(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "")])
form_params.add_field_by_attr_items([("name", "password"), ("value", "")])
url = URL('http://moth/foo.bar?action=login')
form = URLEncodedForm(form_params)
freq = FuzzableRequest(url, post_data=form)
created_mutants = PostDataMutant.create_mutants(freq, self.payloads, [],
False,
self.fuzzer_config)
created_dcs = [str(i.get_dc()) for i in created_mutants]
expected_dcs = ['username=abc&password=FrAmE30.',
'username=John8212&password=abc',
'username=def&password=FrAmE30.',
'username=John8212&password=def']
self.assertEqual(created_dcs, expected_dcs)
for m in created_mutants:
self.assertEqual(m.get_uri(), url)
def create_simple_filecontent_mutant(self, container_klass):
form_params = FormParameters()
form_params.set_method('POST')
form_params.set_action(self.url)
form_params.add_field_by_attr_items([("name", "username"),
("value", "")])
form_params.add_field_by_attr_items([("name", "address"),
("value", "")])
form_params.add_field_by_attr_items([("name", "file"),
("type", "file")])
form = container_klass(form_params)
freq = FuzzableRequest.from_form(form)
m = FileContentMutant(freq)
m.get_dc().set_token(('file', 0))
m.set_token_value('abc')
return m
def test_generate_all(self):
fuzzer_config = {'fuzz_form_files': True,
'fuzzed_files_extension': 'gif'}
form_params = FormParameters()
form_params.set_method('POST')
form_params.set_action(self.url)
form_params.add_field_by_attr_items([("name", "username"), ("value", "")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.add_field_by_attr_items([("name", "image"), ("type", "file")])
form = MultipartContainer(form_params)
freq = FuzzableRequest.from_form(form)
ph = 'w3af.core.data.constants.file_templates.file_templates.rand_alpha'
with patch(ph) as mock_rand_alpha:
mock_rand_alpha.return_value = 'upload'
generated_mutants = FileContentMutant.create_mutants(freq,
self.payloads,
[], False,
fuzzer_config)
self.assertEqual(len(generated_mutants), 2, generated_mutants)
_, file_payload_abc, _ = get_template_with_payload('gif', 'abc')
_, file_payload_def, _ = get_template_with_payload('gif', 'def')
file_abc = NamedStringIO(file_payload_abc, 'upload.gif')
file_def = NamedStringIO(file_payload_def, 'upload.gif')
form_1 = MultipartContainer(copy.deepcopy(form_params))
form_2 = MultipartContainer(copy.deepcopy(form_params))
form_1['image'] = [file_abc]
form_1['username'] = ['John8212']
form_1['address'] = ['Bonsai Street 123']
form_2['image'] = [file_def]
form_2['username'] = ['John8212']
form_2['address'] = ['Bonsai Street 123']
expected_forms = [form_1, form_2]
boundary = get_boundary()
noop = '1' * len(boundary)
expected_data = [encode_as_multipart(f, boundary) for f in expected_forms]
expected_data = set([s.replace(boundary, noop) for s in expected_data])
generated_forms = [m.get_dc() for m in generated_mutants]
generated_data = [str(f).replace(f.boundary, noop) for f in generated_forms]
self.assertEqual(expected_data, set(generated_data))
str_file = generated_forms[0]['image'][0].get_value()
self.assertIsInstance(str_file, NamedStringIO)
self.assertEqual(str_file.name[-4:], '.gif')
self.assertEqual(file_payload_abc, str_file)
str_file = generated_forms[1]['image'][0].get_value()
self.assertIsInstance(str_file, NamedStringIO)
self.assertEqual(str_file.name[-4:], '.gif')
self.assertEqual(file_payload_def, str_file)
self.assertIn('name="image"; filename="upload.gif"', generated_data[0])
def test_mutant_creation_post_data(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.add_field_by_attr_items([("name", "image"), ("type", "file")])
form = MultipartContainer(form_params)
freq = FuzzableRequest(self.url, post_data=form)
ph = 'w3af.core.data.constants.file_templates.file_templates.rand_alpha'
with patch(ph) as mock_rand_alpha:
mock_rand_alpha.return_value = 'upload'
generated_mutants = PostDataMutant.create_mutants(freq,
self.payloads, [],
False,
self.fuzzer_config)
self.assertEqual(len(generated_mutants), 6, generated_mutants)
_, gif_file_content, _ = get_file_from_template('gif')
gif_named_stringio = NamedStringIO(gif_file_content, 'upload.gif')
expected_forms = []
form = MultipartContainer(copy.deepcopy(form_params))
form['image'] = [gif_named_stringio]
form['username'] = ['def']
form['address'] = ['Bonsai Street 123']
expected_forms.append(form)
form = MultipartContainer(copy.deepcopy(form_params))
form['image'] = [gif_named_stringio]
form['username'] = ['abc']
form['address'] = ['Bonsai Street 123']
expected_forms.append(form)
# TODO: Please note that these two multipart forms are a bug, since
# they should never be created by PostDataMutant.create_mutants
# (they are not setting the image as a file, just as a string)
form = MultipartContainer(copy.deepcopy(form_params))
form['image'] = ['def']
form['username'] = ['John8212']
form['address'] = ['Bonsai Street 123']
expected_forms.append(form)
form = MultipartContainer(copy.deepcopy(form_params))
form['image'] = ['abc']
form['username'] = ['John8212']
form['address'] = ['Bonsai Street 123']
expected_forms.append(form)
#
# TODO: /end
#
form = MultipartContainer(copy.deepcopy(form_params))
form['image'] = [gif_named_stringio]
form['username'] = ['John8212']
form['address'] = ['abc']
expected_forms.append(form)
form = MultipartContainer(copy.deepcopy(form_params))
form['image'] = [gif_named_stringio]
form['username'] = ['John8212']
form['address'] = ['def']
expected_forms.append(form)
boundary = get_boundary()
noop = '1' * len(boundary)
expected_data = [encode_as_multipart(f, boundary) for f in expected_forms]
expected_data = set([s.replace(boundary, noop) for s in expected_data])
generated_forms = [m.get_dc() for m in generated_mutants]
generated_data = [str(f).replace(f.boundary, noop) for f in generated_forms]
self.assertEqual(expected_data, set(generated_data))
str_file = generated_forms[0]['image'][0]
self.assertIsInstance(str_file, NamedStringIO)
self.assertEqual(str_file.name[-4:], '.gif')
self.assertEqual(gif_file_content, str_file)
str_file = generated_forms[1]['image'][0]
self.assertIsInstance(str_file, NamedStringIO)
self.assertEqual(str_file.name[-4:], '.gif')
self.assertEqual(gif_file_content, str_file)
self.assertIn('name="image"; filename="upload.gif"', generated_data[0])
def test_mutant_creation_post_data(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form_params.add_field_by_attr_items([("name", "image"), ("type", "file")])
form = MultipartContainer(form_params)
freq = FuzzableRequest(self.url, post_data=form)
ph = 'w3af.core.data.constants.file_templates.file_templates.rand_alpha'
with patch(ph) as mock_rand_alpha:
mock_rand_alpha.return_value = 'upload'
generated_mutants = PostDataMutant.create_mutants(freq,
self.payloads, [],
False,
self.fuzzer_config)
self.assertEqual(len(generated_mutants), 6, generated_mutants)
_, gif_file_content, _ = get_file_from_template('gif')
gif_named_stringio = NamedStringIO(gif_file_content, 'upload.gif')
expected_forms = []
form = MultipartContainer(copy.deepcopy(form_params))
form['image'] = [gif_named_stringio]
form['username'] = ['def']
form['address'] = ['Bonsai Street 123']
expected_forms.append(form)
form = MultipartContainer(copy.deepcopy(form_params))
form['image'] = [gif_named_stringio]
form['username'] = ['abc']
form['address'] = ['Bonsai Street 123']
expected_forms.append(form)
# TODO: Please note that these two multipart forms are a bug, since
# they should never be created by PostDataMutant.create_mutants
# (they are not setting the image as a file, just as a string)
form = MultipartContainer(copy.deepcopy(form_params))
form['image'] = ['def']
form['username'] = ['John8212']
form['address'] = ['Bonsai Street 123']
expected_forms.append(form)
form = MultipartContainer(copy.deepcopy(form_params))
form['image'] = ['abc']
form['username'] = ['John8212']
form['address'] = ['Bonsai Street 123']
expected_forms.append(form)
#
# TODO: /end
#
form = MultipartContainer(copy.deepcopy(form_params))
form['image'] = [gif_named_stringio]
form['username'] = ['John8212']
form['address'] = ['abc']
expected_forms.append(form)
form = MultipartContainer(copy.deepcopy(form_params))
form['image'] = [gif_named_stringio]
form['username'] = ['John8212']
form['address'] = ['def']
expected_forms.append(form)
boundary = get_boundary()
noop = '1' * len(boundary)
expected_data = [encode_as_multipart(f, boundary) for f in expected_forms]
expected_data = set([s.replace(boundary, noop) for s in expected_data])
generated_forms = [m.get_dc() for m in generated_mutants]
generated_data = [str(f).replace(f.boundary, noop) for f in generated_forms]
self.assertEqual(expected_data, set(generated_data))
str_file = generated_forms[0]['image'][0]
self.assertIsInstance(str_file, NamedStringIO)
self.assertEqual(str_file.name[-4:], '.gif')
self.assertEqual(gif_file_content, str_file)
str_file = generated_forms[1]['image'][0]
self.assertIsInstance(str_file, NamedStringIO)
self.assertEqual(str_file.name[-4:], '.gif')
self.assertEqual(gif_file_content, str_file)
self.assertIn('name="image"; filename="upload.gif"', generated_data[0])
def test_generate_all(self):
fuzzer_config = {
'fuzz_form_files': True,
'fuzzed_files_extension': 'gif'
}
form_params = FormParameters()
form_params.set_method('POST')
form_params.set_action(self.url)
form_params.add_field_by_attr_items([("name", "username"),
("value", "")])
form_params.add_field_by_attr_items([("name", "address"),
("value", "")])
form_params.add_field_by_attr_items([("name", "image"),
("type", "file")])
form = MultipartContainer(form_params)
freq = FuzzableRequest.from_form(form)
ph = 'w3af.core.data.constants.file_templates.file_templates.rand_alpha'
with patch(ph) as mock_rand_alpha:
mock_rand_alpha.return_value = 'upload'
generated_mutants = FileContentMutant.create_mutants(
freq, self.payloads, [], False, fuzzer_config)
self.assertEqual(len(generated_mutants), 2, generated_mutants)
_, file_payload_abc, _ = get_template_with_payload('gif', 'abc')
_, file_payload_def, _ = get_template_with_payload('gif', 'def')
file_abc = NamedStringIO(file_payload_abc, 'upload.gif')
file_def = NamedStringIO(file_payload_def, 'upload.gif')
form_1 = MultipartContainer(copy.deepcopy(form_params))
form_2 = MultipartContainer(copy.deepcopy(form_params))
form_1['image'] = [file_abc]
form_1['username'] = ['John8212']
form_1['address'] = ['Bonsai Street 123']
form_2['image'] = [file_def]
form_2['username'] = ['John8212']
form_2['address'] = ['Bonsai Street 123']
expected_forms = [form_1, form_2]
boundary = get_boundary()
noop = '1' * len(boundary)
expected_data = [
encode_as_multipart(f, boundary) for f in expected_forms
]
expected_data = set([s.replace(boundary, noop) for s in expected_data])
generated_forms = [m.get_dc() for m in generated_mutants]
generated_data = [
str(f).replace(f.boundary, noop) for f in generated_forms
]
self.assertEqual(expected_data, set(generated_data))
str_file = generated_forms[0]['image'][0].get_value()
self.assertIsInstance(str_file, NamedStringIO)
self.assertEqual(str_file.name[-4:], '.gif')
self.assertEqual(file_payload_abc, str_file)
str_file = generated_forms[1]['image'][0].get_value()
self.assertIsInstance(str_file, NamedStringIO)
self.assertEqual(str_file.name[-4:], '.gif')
self.assertEqual(file_payload_def, str_file)
self.assertIn('name="image"; filename="upload.gif"', generated_data[0])
