def test_generate_variations(self, handler, vector):
    """Check that each payload is substituted into the vector's ``data`` field.

    The expected list is built by replacing every occurrence of the marker
    ``"avascan"`` in ``vector['data']`` with each payload produced by
    ``OpenRedirectCheck.payloads``. The handler's output must match it
    element for element, in the same order.
    """
    check = OpenRedirectCheck()
    base_data = vector['data']

    expected = []
    for payload in check.payloads(vector['url'], "ava", "avascan"):
        # A shallow copy suffices here: only the top-level 'data' key is rebound.
        mutated = copy(vector)
        mutated['data'] = base_data.replace("avascan", payload)
        expected.append({
            'vector': mutated,
            'payload': payload,
            'value': payload,
        })

    # NOTE(review): "ava" looks like the name of the parameter under test;
    # confirm against handler._generate_variations.
    actual = handler._generate_variations(check, vector, "ava")
    assert list(actual) == expected
def test_generate_variations_dynamic_payloads(self, handler, vector):
    """Check the URL positions into which dynamic payloads are injected.

    For every payload from ``OpenRedirectCheck.payloads`` four variations are
    expected, in this order: appended as a path segment, as a query string
    (``?``), as a fragment (``#``) and as a path parameter (``;``).
    """
    base_url = vector['url']
    expected = []

    # check with dynamic payloads
    check = OpenRedirectCheck()
    for payload in check.payloads(base_url, base_url, base_url):
        # append: drop one leading '/' and percent-encode everything
        # (safe='' also encodes '/'), so the payload is one path segment.
        tail = payload[1:] if payload.startswith('/') else payload
        appended = base_url.rstrip('/') + '/' + parse.quote(tail, safe='')

        # query, fragment and path parameter use the raw payload.
        candidates = [appended]
        candidates.extend(base_url + sep + payload for sep in ('?', '#', ';'))

        for value in candidates:
            mutated = deepcopy(vector)
            mutated['url'] = value
            expected.append({
                'vector': mutated,
                'payload': payload,
                'value': value,
            })

    # NOTE(review): assumes the vector fixture's url is
    # "http://www.example.com/", matching the target passed here; confirm.
    actual = list(
        handler._generate_variations(check, vector, "http://www.example.com/"))
    assert actual == expected
def test_generate_variations_dynamic_payloads(self, handler, vector):
    """Check replace and append variations for the ``ava`` parameter.

    For every payload from ``OpenRedirectCheck.payloads`` two variations are
    expected, in this order: the payload replacing the parameter value, then
    the payload appended to the original value ``"avascan"``.
    """
    expected = []

    # check with dynamic payloads
    check = OpenRedirectCheck()
    for payload in check.payloads(vector['url'], "ava", "avascan"):
        # replace first, then append
        for value in (payload, "avascan" + payload):
            # deepcopy is required: the nested 'params' dict is mutated, and a
            # shallow copy would leak the change into the fixture.
            mutated = deepcopy(vector)
            mutated['params']['ava'] = value
            expected.append({
                'vector': mutated,
                'payload': payload,
                'value': value,
            })

    actual = handler._generate_variations(check, vector, 'ava')
    assert list(actual) == expected