예제 #1
    def audit(self, freq, orig_response):
        '''
        Plugin entry point: analyze the CORS configuration of the request's
        URL, but only when that URL appears to provide CORS features.

        :param freq: A fuzzableRequest
        :param orig_response: Not used by this method.
        '''
        # provides_cors_features() is handed the plugin's URI opener, so this
        # gate is presumably an active probe of the target rather than an
        # inspection of orig_response -- confirm against its implementation.
        if provides_cors_features(freq, self._uri_opener):
            # Only the URL is passed on; nothing else from freq reaches the
            # analysis step.
            self.analyze_cors_security(freq.get_url())
예제 #2
    def audit(self, freq, orig_response):
        '''
        Plugin entry point: analyze the CORS configuration of the request's
        URL, but only when that URL appears to provide CORS features.

        :param freq: A fuzzableRequest
        :param orig_response: Not used by this method.
        '''
        # provides_cors_features() is handed the plugin's URI opener, so this
        # gate is presumably an active probe of the target rather than an
        # inspection of orig_response -- confirm against its implementation.
        if provides_cors_features(freq, self._uri_opener):
            # Only the URL is passed on; nothing else from freq reaches the
            # analysis step.
            self.analyze_cors_security(freq.get_url())
예제 #3
    def test_provides_cors_features_false(self):
        # A response with an empty header set must be reported as NOT
        # providing CORS features.
        target = URL('http://moth/')
        request = FuzzableRequest(target)

        # Canned 200 response: empty body, no headers at all.
        plain_response = HTTPResponse(200, '', Headers(), target, target)

        opener = Mock()
        opener.GET = MagicMock(return_value=plain_response)

        detected = provides_cors_features(request, opener)

        # assert_called_with() checks only the most recent GET, which must
        # carry the probe Origin header; any earlier call is not verified.
        # NOTE(review): 'www.w3af.org' has no scheme, so it is not a serialized
        # origin (scheme://host[:port]). A server that answers only
        # well-formed or allow-listed origins may return no CORS headers for
        # it, which would read as "no CORS" -- confirm this is intended.
        probe_headers = Headers({'Origin': 'www.w3af.org'}.items())
        opener.GET.assert_called_with(target, headers=probe_headers)

        self.assertFalse(detected)
예제 #4
    def test_provides_cors_features_false(self):
        # A response with an empty header set must be reported as NOT
        # providing CORS features.
        target = URL('http://moth/')
        request = FuzzableRequest(target)

        # Canned 200 response: empty body, no headers at all.
        plain_response = HTTPResponse(200, '', Headers(), target, target)

        opener = Mock()
        opener.GET = MagicMock(return_value=plain_response)

        detected = provides_cors_features(request, opener)

        # assert_called_with() checks only the most recent GET, which must
        # carry the probe Origin header; any earlier call is not verified.
        # NOTE(review): 'www.w3af.org' has no scheme, so it is not a serialized
        # origin (scheme://host[:port]). A server that answers only
        # well-formed or allow-listed origins may return no CORS headers for
        # it, which would read as "no CORS" -- confirm this is intended.
        probe_headers = Headers({'Origin': 'www.w3af.org'}.items())
        opener.GET.assert_called_with(target, headers=probe_headers)

        self.assertFalse(detected)
예제 #5
    def test_provides_cors_features_true(self):
        # A response that carries Access-Control-Allow-Origin must be
        # reported as providing CORS features.
        target = URL('http://moth/')
        request = FuzzableRequest(target)

        # Canned 200 response whose only header is the allow-origin one.
        # NOTE(review): the value ends in '/', which a browser would not match
        # against a real origin; the test passing suggests the header's
        # presence, not its value, is what gets detected -- confirm.
        allow_origin = {'Access-Control-Allow-Origin': 'http://www.w3af.org/'}
        response_headers = Headers(allow_origin.items())
        cors_response = HTTPResponse(200, '', response_headers, target, target)

        opener = Mock()
        opener.GET = MagicMock(return_value=cors_response)

        detected = provides_cors_features(request, opener)

        # assert_called_with() checks only the most recent GET: it must be
        # the plain request for the URL, with no extra headers.
        opener.GET.assert_called_with(target)

        self.assertTrue(detected)
예제 #6
    def test_provides_cors_features_true(self):
        # A response that carries Access-Control-Allow-Origin must be
        # reported as providing CORS features.
        target = URL('http://moth/')
        request = FuzzableRequest(target)

        # Canned 200 response whose only header is the allow-origin one.
        # NOTE(review): the value ends in '/', which a browser would not match
        # against a real origin; the test passing suggests the header's
        # presence, not its value, is what gets detected -- confirm.
        allow_origin = {'Access-Control-Allow-Origin': 'http://www.w3af.org/'}
        response_headers = Headers(allow_origin.items())
        cors_response = HTTPResponse(200, '', response_headers, target, target)

        opener = Mock()
        opener.GET = MagicMock(return_value=cors_response)

        detected = provides_cors_features(request, opener)

        # assert_called_with() checks only the most recent GET: it must be
        # the plain request for the URL, with no extra headers.
        opener.GET.assert_called_with(target)

        self.assertTrue(detected)