def test_analyze_cookies_https_value_over_http(self):
body = ''
url = URL('https://www.w3af.com/')
headers = Headers({
'content-type': 'text/html',
'Set-Cookie': 'abc=defjkluio; secure; httponly;'
}.items())
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
# Receive the cookie over HTTPS
self.plugin.grep(request, response)
url = URL('http://www.w3af.com/?id=defjkluio')
headers = Headers({'content-type': 'text/html'}.items())
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
# Send the cookie over HTTP as a parameter value
self.plugin.grep(request, response)
security = kb.kb.get('analyze_cookies', 'security')
self.assertEqual(len(kb.kb.get('analyze_cookies', 'cookies')), 1)
self.assertEqual(len(security), 1)
self.assertEqual(len(kb.kb.get('analyze_cookies', 'invalid-cookies')),
0)
names = [i.get_name() for i in security]
self.assertIn('Secure cookies over insecure channel', names)
def test_analyze_cookies_collect_uniq(self):
body = ''
url = URL('http://www.w3af.com/')
headers = Headers({
'content-type': 'text/html',
'Set-Cookie': 'abc=def'
}.items())
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
headers = Headers({
'content-type': 'text/html',
'Set-Cookie': '123=456'
}.items())
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
headers = Headers({
'content-type': 'text/html',
'Set-Cookie': 'abc=456'
}.items())
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEqual(len(kb.kb.get('analyze_cookies', 'cookies')), 2)
self.assertEqual(len(kb.kb.get('analyze_cookies', 'invalid-cookies')),
0)
def test_variants_true_similar_params(self):
# change the url by adding a querystring. shouldn't affect anything.
url = self.url.url_join('?a=z')
fr = FuzzableRequest(url, method='GET', dc={'a': ['1'], 'b': ['bb']})
fr_other = FuzzableRequest(self.url,
method='GET',
dc={
'a': ['2'],
'b': ['cc']
})
self.assertTrue(fr.is_variant_of(fr_other))
def test_variants_false_diff_params_type(self):
fr = FuzzableRequest(self.url,
method='GET',
dc={
'a': ['1'],
'b': ['1']
})
fr_other = FuzzableRequest(self.url,
method='GET',
dc={
'a': ['2'],
'b': ['cc']
})
self.assertFalse(fr.is_variant_of(fr_other))
def test_find_csrf_token_false(self):
url = URL('http://moth/w3af/audit/csrf/')
query_string = parse_qs('secret=not a token')
freq = FuzzableRequest(url, method='GET', dc=query_string)
token = self.csrf_plugin._find_csrf_token(freq)
self.assertNotIn('secret', token)
def _create_fuzzable_request(self):
'''
Based on the attributes, return a fuzzable request object.
Important variables used here:
- self.headers : Stores the headers for the request
- self.rfile : A file like object that stores the post_data
- self.path : Stores the URL that was requested by the browser
'''
# See HTTPWrapperClass
if hasattr(self.server, 'chainedHandler'):
base_path = "https://" + self.server.chainedHandler.path
path = base_path + self.path
else:
path = self.path
fuzzable_request = FuzzableRequest(
URL(path),
self.command,
Headers(self.headers.dict.items())
)
post_data = self._get_post_data()
if post_data:
fuzzable_request.set_data(post_data)
return fuzzable_request
def test_clamav_workers(self, *args):
WAIT_TIME = 3
DELTA = WAIT_TIME * 0.1
# Prepare the mocked plugin
def wait(x, y):
time.sleep(WAIT_TIME)
self.plugin._is_properly_configured = Mock(return_value=True)
self.plugin._scan_http_response = wait
self.plugin._report_result = lambda x: 42
start_time = time.time()
for i in xrange(3):
body = ''
url = URL('http://www.w3af.com/%s' % i)
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
# Let the worker pool wait for the clamd response, this is done by
# the core when run in a real scan
self.plugin.worker_pool.close()
self.plugin.worker_pool.join()
end_time = time.time()
time_spent = end_time - start_time
findings = kb.kb.get('clamav', 'malware')
self.assertEqual(len(findings), 0, findings)
self.assertLessEqual(time_spent, WAIT_TIME + DELTA)
def setUp(self):
create_temp_dir()
kb.kb.cleanup()
self.plugin = ajax()
self.url = URL('http://www.w3af.com/')
self.request = FuzzableRequest(self.url)
kb.kb.clear('ajax', 'ajax')
def test_blank_body_code(self):
body = ''
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(401, body, headers, self.url, self.url, _id=1)
request = FuzzableRequest(self.url, method='GET')
self.plugin.grep(request, response)
self.assertEqual(len(kb.kb.get('blank_body', 'blank_body')), 0)
def test_strange_http_codes(self):
body = ''
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
request = FuzzableRequest(url, method='GET')
resp_200 = HTTPResponse(200, body, headers, url, url, _id=1)
resp_404 = HTTPResponse(404, body, headers, url, url, _id=1)
KNOWN_GOOD = [resp_200, resp_404]
resp_999 = HTTPResponse(999, body, headers, url, url, _id=1)
resp_123 = HTTPResponse(123, body, headers, url, url, _id=1)
resp_567 = HTTPResponse(567, body, headers, url, url, _id=1)
resp_666 = HTTPResponse(666, body, headers, url, url, _id=1)
resp_777 = HTTPResponse(777, body, headers, url, url, _id=1)
KNOWN_BAD = [resp_999, resp_123, resp_567, resp_666, resp_777]
for resp in KNOWN_GOOD:
kb.kb.cleanup()
self.plugin.grep(request, resp)
self.assertEquals(len(kb.kb.get('strange_http_codes',
'strange_http_codes')), 0)
for resp in KNOWN_BAD:
kb.kb.cleanup()
self.plugin.grep(request, resp)
self.assertEquals(len(kb.kb.get('strange_http_codes',
'strange_http_codes')), 1)
def test_blank_body_method(self):
body = ''
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, self.url, self.url, _id=1)
request = FuzzableRequest(self.url, method='ARGENTINA')
self.plugin.grep(request, response)
self.assertEqual(len(kb.kb.get('ssn', 'ssn')), 0)
def profile_me():
'''
To be profiled
'''
for _ in xrange(1):
for counter in xrange(1, 5):
file_name = 'test-' + str(counter) + '.html'
file_path = os.path.join('plugins', 'tests', 'grep',
'data', file_name)
body = file(file_path).read()
hdrs = Headers({'Content-Type': 'text/html'}.items())
response = HTTPResponse(200,
body,
hdrs,
URL(self.url_str + str(counter)),
URL(self.url_str + str(counter)),
_id=random.randint(1, 5000))
request = FuzzableRequest(self.url_inst)
for pinst in self._plugins:
pinst.grep(request, response)
for pinst in self._plugins:
pinst.end()
def test_delay_controlled_random(self):
for expected_result, delays in self.TEST_SUITE:
mock_uri_opener = Mock()
side_effect = generate_delays(delays, rand_range=(0, 2))
mock_uri_opener.send_mutant = MagicMock(side_effect=side_effect)
delay_obj = ExactDelay('sleep(%s)')
url = URL('http://moth/?id=1')
req = FuzzableRequest(url)
mutant = QSMutant(req)
mutant.set_dc(url.querystring)
mutant.set_var('id', 0)
ed = ExactDelayController(mutant, delay_obj, mock_uri_opener)
controlled, responses = ed.delay_is_controlled()
# This is where we change from test_delay_controlled, the basic
# idea is that we'll allow false negatives but no false positives
if expected_result == True:
expected_result = [True, False]
else:
expected_result = [
False,
]
self.assertIn(controlled, expected_result, delays)
def test_find_csrf_token_true_simple(self):
url = URL('http://moth/w3af/audit/csrf/')
query_string = parse_qs('secret=f842eb01b87a8ee18868d3bf80a558f3')
freq = FuzzableRequest(url, method='GET', dc=query_string)
token = self.csrf_plugin._find_csrf_token(freq)
self.assertIn('secret', token)
def test_handle_exception(self):
url = URL('http://moth/')
fr = FuzzableRequest(url)
try:
raise Exception()
except Exception, e:
self.bc.handle_exception('audit', 'sqli', fr, e)
def setUp(self):
kb.kb.cleanup()
self.plugin = path_disclosure()
self.url = URL('http://www.w3af.com/foo/bar.py')
self.header = Headers([('content-type', 'text/html')])
self.request = FuzzableRequest(self.url, method='GET')
def test_mutant_creation(self):
self.dc['a'] = [
'1',
]
self.dc['b'] = [
'2',
]
freq = FuzzableRequest(self.url, dc=self.dc)
created_mutants = Mutant.create_mutants(freq, self.payloads, [], False,
self.fuzzer_config)
expected_dc_lst = [
DataContainer([('a', ['abc']), ('b', ['2'])]),
DataContainer([('a', ['def']), ('b', ['2'])]),
DataContainer([('a', ['1']), ('b', ['abc'])]),
DataContainer([('a', ['1']), ('b', ['def'])])
]
created_dc_lst = [i.get_dc() for i in created_mutants]
self.assertEqual(created_dc_lst, expected_dc_lst)
self.assertEqual(created_mutants[0].get_var(), 'a')
self.assertEqual(created_mutants[0].get_var_index(), 0)
self.assertEqual(created_mutants[0].get_original_value(), '1')
self.assertEqual(created_mutants[2].get_var(), 'b')
self.assertEqual(created_mutants[2].get_var_index(), 0)
self.assertEqual(created_mutants[2].get_original_value(), '2')
self.assertTrue(all(isinstance(m, Mutant) for m in created_mutants))
self.assertTrue(
all(m.get_mutant_class() == 'Mutant' for m in created_mutants))
def test_mutant_generic_methods(self):
self.dc['a'] = [
'1',
]
self.dc['b'] = [
'2',
]
freq = FuzzableRequest(self.url, dc=self.dc)
created_mutants = Mutant.create_mutants(freq, self.payloads, [], False,
self.fuzzer_config)
mutant = created_mutants[0]
self.assertEqual(repr(mutant),
'<mutant-generic | GET | http://moth/ >')
self.assertEqual(mutant.print_mod_value(),
'The data that was sent is: "None".')
self.assertNotEqual(id(mutant.copy()), id(mutant))
self.assertRaises(ValueError, mutant.get_original_response_body)
body = 'abcdef123'
mutant.set_original_response_body(body)
self.assertEqual(mutant.get_original_response_body(), body)
def test_mutant_creation_repeated_params(self):
self.dc['a'] = ['1', '2']
self.dc['b'] = [
'3',
]
freq = FuzzableRequest(self.url, dc=self.dc)
created_mutants = Mutant.create_mutants(freq, self.payloads, [], False,
self.fuzzer_config)
expected_dc_lst = [
DataContainer([('a', ['abc', '2']), ('b', ['3'])]),
DataContainer([('a', ['def', '2']), ('b', ['3'])]),
DataContainer([('a', ['1', 'abc']), ('b', ['3'])]),
DataContainer([('a', ['1', 'def']), ('b', ['3'])]),
DataContainer([('a', ['1', '2']), ('b', ['abc'])]),
DataContainer([('a', ['1', '2']), ('b', ['def'])])
]
created_dc_lst = [i.get_dc() for i in created_mutants]
self.assertEqual(created_dc_lst, expected_dc_lst)
self.assertEqual(created_mutants[0].get_var(), 'a')
self.assertEqual(created_mutants[0].get_var_index(), 0)
self.assertEqual(created_mutants[0].get_original_value(), '1')
self.assertEqual(created_mutants[2].get_var(), 'a')
self.assertEqual(created_mutants[2].get_var_index(), 1)
self.assertEqual(created_mutants[2].get_original_value(), '2')
def test_from_mutant(self):
dc = DataContainer()
url = URL('http://moth/')
payloads = ['abc', 'def']
dc['a'] = [
'1',
]
dc['b'] = [
'2',
]
freq = FuzzableRequest(url, dc=dc)
fuzzer_config = {}
created_mutants = Mutant.create_mutants(freq, payloads, [], False,
fuzzer_config)
mutant = created_mutants[0]
inst = Info.from_mutant('TestCase', 'desc' * 30, 1, 'plugin_name',
mutant)
self.assertIsInstance(inst, Info)
self.assertEqual(inst.get_uri(), mutant.get_uri())
self.assertEqual(inst.get_url(), mutant.get_url())
self.assertEqual(inst.get_method(), mutant.get_method())
self.assertEqual(inst.get_dc(), mutant.get_dc())
self.assertEqual(inst.get_var(), mutant.get_var())
def test_ajax_broken_2(self):
body = '<html><head><script>xhr = new XMLHttpRequest(); xhr.open(GET, "data.txt", true);'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('ajax', 'ajax')), 1)
def test_private_ip_find_10(self):
body = 'header 10.2.34.2 footer'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('private_ip', 'HTML')), 1)
def test_private_ip_broken_html(self):
body = '<html><head>192.168.1.1</html>'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('private_ip', 'HTML')), 1)
def test_invalid_check_not_find_credit_card_spaces(self):
body = '3566 0020 2036 0705'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('credit_cards', 'credit_cards')), 0)
def test_oracle_long(self):
body = 'ABC ' * 10000
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEqual(len(kb.kb.get('oracle', 'oracle')), 0)
def test_phishtank_no_match(self):
phishtank_inst = self.w3afcore.plugins.get_plugin_inst('crawl',
'phishtank')
phishtank_inst.crawl(FuzzableRequest(URL(self.safe_url)))
vulns = self.kb.get('phishtank', 'phishtank')
self.assertEqual(len(vulns), 0, vulns)
def test_find_credit_card_html(self):
body = '<a> 378282246310005</a>'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('credit_cards', 'credit_cards')), 1)
def test_ajax_two(self):
body = '<script> ... xhr = new XMLHttpRequest(); ... xhr = new ActiveXObject("Microsoft.XMLHTTP"); ... </script>'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('ajax', 'ajax')), 1)
def test_ajax_empty(self):
body = ''
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEquals(len(kb.kb.get('ajax', 'ajax')), 0)
def test_export_with_dc(self):
fr = FuzzableRequest(URL("http://www.w3af.com/"))
d = DataContainer()
d['a'] = [
'1',
]
fr.set_dc(d)
self.assertEqual(fr.export(), 'GET,http://www.w3af.com/?a=1,')
