def test_json_mutant_create_mutants_not(self): freq = JSONPostDataRequest(URL('http://www.w3af.com/?id=3')) freq.set_dc('a=1&b=foo') generated_mutants = JSONMutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) self.assertEqual(len(generated_mutants), 0, generated_mutants)
def test_json_mutant_create_mutants(self): freq = JSONPostDataRequest(URL('http://www.w3af.com/?id=3')) freq.set_dc({"a": "b", "c": "d"}) generated_mutants = JSONMutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) self.assertEqual(len(generated_mutants), 4, generated_mutants) m0 = generated_mutants[0] self.assertEqual(m0.get_data(), '{"a": "abc", "c": "d"}') m1 = generated_mutants[1] self.assertEqual(m1.get_data(), '{"a": "53", "c": "d"}') m2 = generated_mutants[2] self.assertEqual(m2.get_data(), '{"a": "b", "c": "abc"}') m3 = generated_mutants[3] self.assertEqual(m3.get_data(), '{"a": "b", "c": "53"}')
def create_fuzzable_request_from_parts(url, method='GET', post_data='', add_headers=None): """ Creates a fuzzable request based on the input parameters. :param req_url: A URL object :param method: A string that represents the method ('GET', 'POST', etc) :param post_data: A string that represents the postdata. :param add_headers: A Headers object that holds the headers. If `req_url` is a request then this dict will be merged with the request's headers. """ if add_headers is not None and not isinstance(add_headers, Headers): raise ValueError('create_fuzzable_request requires Headers object.') if not isinstance(url, URL): raise TypeError('Requires URL to create FuzzableRequest.') headers = add_headers or Headers() # Just a query string request! No postdata if not post_data: return HTTPQSRequest(url, method, headers) else: # Seems to be something that has post data data = {} conttype, header_name = headers.iget('content-type', '') if conttype: del headers[header_name] contlen, header_name = headers.iget('content-length', '') if contlen: del headers[header_name] # # Case #1 - multipart form data - prepare data container # if conttype.startswith('multipart/form-data'): pdict = cgi.parse_header(conttype)[1] try: dc = cgi.parse_multipart(StringIO(post_data), pdict) except Exception, e: msg = 'Multipart form data is invalid, exception: "%s".' \ ' Returning our best match HTTPPostDataRequest.' om.out.debug(msg % e) empty_data = QueryString() return HTTPPostDataRequest(url, method, headers, dc=empty_data) else: data = QueryString() data.update(dc) # Please note that the QueryString is just a container for the # information. When the HTTPPostDataRequest is sent it should # be serialized into multipart again by the MultipartPostHandler # because the headers contain the multipart/form-data header headers['content-type'] = conttype return HTTPPostDataRequest(url, method, headers, dc=data) # # Case #2 - JSON request # try: data = json.loads(post_data) except: pass else: if data: return JSONPostDataRequest(url, method, headers, dc=data) # # Case #3 - XMLRPC request # if all(map(lambda stop: stop in post_data.lower(), XMLRPC_WORDS)): return XMLRPCRequest(post_data, url, method, headers) # # Case #4 - a typical post request # try: data = parse_qs(post_data) except: om.out.debug('Failed to create a data container that ' 'can store this data: "' + post_data + '".') else: # Finally create request return HTTPPostDataRequest(url, method, headers, dc=data) return None