def test_analyze_cookies_https_value_over_http(self): body = '' url = URL('https://www.w3af.com/') headers = Headers({ 'content-type': 'text/html', 'Set-Cookie': 'abc=defjkluio; secure; httponly;' }.items()) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') # Receive the cookie over HTTPS self.plugin.grep(request, response) url = URL('http://www.w3af.com/?id=defjkluio') headers = Headers({'content-type': 'text/html'}.items()) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') # Send the cookie over HTTP as a parameter value self.plugin.grep(request, response) security = kb.kb.get('analyze_cookies', 'security') self.assertEqual(len(kb.kb.get('analyze_cookies', 'cookies')), 1) self.assertEqual(len(security), 1) self.assertEqual(len(kb.kb.get('analyze_cookies', 'invalid-cookies')), 0) names = [i.get_name() for i in security] self.assertIn('Secure cookies over insecure channel', names)
def test_analyze_cookies_collect_uniq(self): body = '' url = URL('http://www.w3af.com/') headers = Headers({ 'content-type': 'text/html', 'Set-Cookie': 'abc=def' }.items()) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) headers = Headers({ 'content-type': 'text/html', 'Set-Cookie': '123=456' }.items()) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) headers = Headers({ 'content-type': 'text/html', 'Set-Cookie': 'abc=456' }.items()) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEqual(len(kb.kb.get('analyze_cookies', 'cookies')), 2) self.assertEqual(len(kb.kb.get('analyze_cookies', 'invalid-cookies')), 0)
def test_variants_true_similar_params(self): # change the url by adding a querystring. shouldn't affect anything. url = self.url.url_join('?a=z') fr = FuzzableRequest(url, method='GET', dc={'a': ['1'], 'b': ['bb']}) fr_other = FuzzableRequest(self.url, method='GET', dc={ 'a': ['2'], 'b': ['cc'] }) self.assertTrue(fr.is_variant_of(fr_other))
def test_variants_false_diff_params_type(self): fr = FuzzableRequest(self.url, method='GET', dc={ 'a': ['1'], 'b': ['1'] }) fr_other = FuzzableRequest(self.url, method='GET', dc={ 'a': ['2'], 'b': ['cc'] }) self.assertFalse(fr.is_variant_of(fr_other))
def test_find_csrf_token_false(self): url = URL('http://moth/w3af/audit/csrf/') query_string = parse_qs('secret=not a token') freq = FuzzableRequest(url, method='GET', dc=query_string) token = self.csrf_plugin._find_csrf_token(freq) self.assertNotIn('secret', token)
def _create_fuzzable_request(self): ''' Based on the attributes, return a fuzzable request object. Important variables used here: - self.headers : Stores the headers for the request - self.rfile : A file like object that stores the post_data - self.path : Stores the URL that was requested by the browser ''' # See HTTPWrapperClass if hasattr(self.server, 'chainedHandler'): base_path = "https://" + self.server.chainedHandler.path path = base_path + self.path else: path = self.path fuzzable_request = FuzzableRequest( URL(path), self.command, Headers(self.headers.dict.items()) ) post_data = self._get_post_data() if post_data: fuzzable_request.set_data(post_data) return fuzzable_request
def test_clamav_workers(self, *args): WAIT_TIME = 3 DELTA = WAIT_TIME * 0.1 # Prepare the mocked plugin def wait(x, y): time.sleep(WAIT_TIME) self.plugin._is_properly_configured = Mock(return_value=True) self.plugin._scan_http_response = wait self.plugin._report_result = lambda x: 42 start_time = time.time() for i in xrange(3): body = '' url = URL('http://www.w3af.com/%s' % i) headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) # Let the worker pool wait for the clamd response, this is done by # the core when run in a real scan self.plugin.worker_pool.close() self.plugin.worker_pool.join() end_time = time.time() time_spent = end_time - start_time findings = kb.kb.get('clamav', 'malware') self.assertEqual(len(findings), 0, findings) self.assertLessEqual(time_spent, WAIT_TIME + DELTA)
def setUp(self): create_temp_dir() kb.kb.cleanup() self.plugin = ajax() self.url = URL('http://www.w3af.com/') self.request = FuzzableRequest(self.url) kb.kb.clear('ajax', 'ajax')
def test_blank_body_code(self): body = '' headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(401, body, headers, self.url, self.url, _id=1) request = FuzzableRequest(self.url, method='GET') self.plugin.grep(request, response) self.assertEqual(len(kb.kb.get('blank_body', 'blank_body')), 0)
def test_strange_http_codes(self): body = '' url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) request = FuzzableRequest(url, method='GET') resp_200 = HTTPResponse(200, body, headers, url, url, _id=1) resp_404 = HTTPResponse(404, body, headers, url, url, _id=1) KNOWN_GOOD = [resp_200, resp_404] resp_999 = HTTPResponse(999, body, headers, url, url, _id=1) resp_123 = HTTPResponse(123, body, headers, url, url, _id=1) resp_567 = HTTPResponse(567, body, headers, url, url, _id=1) resp_666 = HTTPResponse(666, body, headers, url, url, _id=1) resp_777 = HTTPResponse(777, body, headers, url, url, _id=1) KNOWN_BAD = [resp_999, resp_123, resp_567, resp_666, resp_777] for resp in KNOWN_GOOD: kb.kb.cleanup() self.plugin.grep(request, resp) self.assertEquals(len(kb.kb.get('strange_http_codes', 'strange_http_codes')), 0) for resp in KNOWN_BAD: kb.kb.cleanup() self.plugin.grep(request, resp) self.assertEquals(len(kb.kb.get('strange_http_codes', 'strange_http_codes')), 1)
def test_blank_body_method(self): body = '' headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, self.url, self.url, _id=1) request = FuzzableRequest(self.url, method='ARGENTINA') self.plugin.grep(request, response) self.assertEqual(len(kb.kb.get('ssn', 'ssn')), 0)
def profile_me(): ''' To be profiled ''' for _ in xrange(1): for counter in xrange(1, 5): file_name = 'test-' + str(counter) + '.html' file_path = os.path.join('plugins', 'tests', 'grep', 'data', file_name) body = file(file_path).read() hdrs = Headers({'Content-Type': 'text/html'}.items()) response = HTTPResponse(200, body, hdrs, URL(self.url_str + str(counter)), URL(self.url_str + str(counter)), _id=random.randint(1, 5000)) request = FuzzableRequest(self.url_inst) for pinst in self._plugins: pinst.grep(request, response) for pinst in self._plugins: pinst.end()
def test_delay_controlled_random(self): for expected_result, delays in self.TEST_SUITE: mock_uri_opener = Mock() side_effect = generate_delays(delays, rand_range=(0, 2)) mock_uri_opener.send_mutant = MagicMock(side_effect=side_effect) delay_obj = ExactDelay('sleep(%s)') url = URL('http://moth/?id=1') req = FuzzableRequest(url) mutant = QSMutant(req) mutant.set_dc(url.querystring) mutant.set_var('id', 0) ed = ExactDelayController(mutant, delay_obj, mock_uri_opener) controlled, responses = ed.delay_is_controlled() # This is where we change from test_delay_controlled, the basic # idea is that we'll allow false negatives but no false positives if expected_result == True: expected_result = [True, False] else: expected_result = [ False, ] self.assertIn(controlled, expected_result, delays)
def test_find_csrf_token_true_simple(self): url = URL('http://moth/w3af/audit/csrf/') query_string = parse_qs('secret=f842eb01b87a8ee18868d3bf80a558f3') freq = FuzzableRequest(url, method='GET', dc=query_string) token = self.csrf_plugin._find_csrf_token(freq) self.assertIn('secret', token)
def test_handle_exception(self): url = URL('http://moth/') fr = FuzzableRequest(url) try: raise Exception() except Exception, e: self.bc.handle_exception('audit', 'sqli', fr, e)
def setUp(self): kb.kb.cleanup() self.plugin = path_disclosure() self.url = URL('http://www.w3af.com/foo/bar.py') self.header = Headers([('content-type', 'text/html')]) self.request = FuzzableRequest(self.url, method='GET')
def test_mutant_creation(self): self.dc['a'] = [ '1', ] self.dc['b'] = [ '2', ] freq = FuzzableRequest(self.url, dc=self.dc) created_mutants = Mutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) expected_dc_lst = [ DataContainer([('a', ['abc']), ('b', ['2'])]), DataContainer([('a', ['def']), ('b', ['2'])]), DataContainer([('a', ['1']), ('b', ['abc'])]), DataContainer([('a', ['1']), ('b', ['def'])]) ] created_dc_lst = [i.get_dc() for i in created_mutants] self.assertEqual(created_dc_lst, expected_dc_lst) self.assertEqual(created_mutants[0].get_var(), 'a') self.assertEqual(created_mutants[0].get_var_index(), 0) self.assertEqual(created_mutants[0].get_original_value(), '1') self.assertEqual(created_mutants[2].get_var(), 'b') self.assertEqual(created_mutants[2].get_var_index(), 0) self.assertEqual(created_mutants[2].get_original_value(), '2') self.assertTrue(all(isinstance(m, Mutant) for m in created_mutants)) self.assertTrue( all(m.get_mutant_class() == 'Mutant' for m in created_mutants))
def test_mutant_generic_methods(self): self.dc['a'] = [ '1', ] self.dc['b'] = [ '2', ] freq = FuzzableRequest(self.url, dc=self.dc) created_mutants = Mutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) mutant = created_mutants[0] self.assertEqual(repr(mutant), '<mutant-generic | GET | http://moth/ >') self.assertEqual(mutant.print_mod_value(), 'The data that was sent is: "None".') self.assertNotEqual(id(mutant.copy()), id(mutant)) self.assertRaises(ValueError, mutant.get_original_response_body) body = 'abcdef123' mutant.set_original_response_body(body) self.assertEqual(mutant.get_original_response_body(), body)
def test_mutant_creation_repeated_params(self): self.dc['a'] = ['1', '2'] self.dc['b'] = [ '3', ] freq = FuzzableRequest(self.url, dc=self.dc) created_mutants = Mutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) expected_dc_lst = [ DataContainer([('a', ['abc', '2']), ('b', ['3'])]), DataContainer([('a', ['def', '2']), ('b', ['3'])]), DataContainer([('a', ['1', 'abc']), ('b', ['3'])]), DataContainer([('a', ['1', 'def']), ('b', ['3'])]), DataContainer([('a', ['1', '2']), ('b', ['abc'])]), DataContainer([('a', ['1', '2']), ('b', ['def'])]) ] created_dc_lst = [i.get_dc() for i in created_mutants] self.assertEqual(created_dc_lst, expected_dc_lst) self.assertEqual(created_mutants[0].get_var(), 'a') self.assertEqual(created_mutants[0].get_var_index(), 0) self.assertEqual(created_mutants[0].get_original_value(), '1') self.assertEqual(created_mutants[2].get_var(), 'a') self.assertEqual(created_mutants[2].get_var_index(), 1) self.assertEqual(created_mutants[2].get_original_value(), '2')
def test_from_mutant(self): dc = DataContainer() url = URL('http://moth/') payloads = ['abc', 'def'] dc['a'] = [ '1', ] dc['b'] = [ '2', ] freq = FuzzableRequest(url, dc=dc) fuzzer_config = {} created_mutants = Mutant.create_mutants(freq, payloads, [], False, fuzzer_config) mutant = created_mutants[0] inst = Info.from_mutant('TestCase', 'desc' * 30, 1, 'plugin_name', mutant) self.assertIsInstance(inst, Info) self.assertEqual(inst.get_uri(), mutant.get_uri()) self.assertEqual(inst.get_url(), mutant.get_url()) self.assertEqual(inst.get_method(), mutant.get_method()) self.assertEqual(inst.get_dc(), mutant.get_dc()) self.assertEqual(inst.get_var(), mutant.get_var())
def test_ajax_broken_2(self): body = '<html><head><script>xhr = new XMLHttpRequest(); xhr.open(GET, "data.txt", true);' url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEquals(len(kb.kb.get('ajax', 'ajax')), 1)
def test_private_ip_find_10(self): body = 'header 10.2.34.2 footer' url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEquals(len(kb.kb.get('private_ip', 'HTML')), 1)
def test_private_ip_broken_html(self): body = '<html><head>192.168.1.1</html>' url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEquals(len(kb.kb.get('private_ip', 'HTML')), 1)
def test_invalid_check_not_find_credit_card_spaces(self): body = '3566 0020 2036 0705' url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEquals(len(kb.kb.get('credit_cards', 'credit_cards')), 0)
def test_oracle_long(self): body = 'ABC ' * 10000 url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEqual(len(kb.kb.get('oracle', 'oracle')), 0)
def test_phishtank_no_match(self): phishtank_inst = self.w3afcore.plugins.get_plugin_inst('crawl', 'phishtank') phishtank_inst.crawl(FuzzableRequest(URL(self.safe_url))) vulns = self.kb.get('phishtank', 'phishtank') self.assertEqual(len(vulns), 0, vulns)
def test_find_credit_card_html(self): body = '<a> 378282246310005</a>' url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEquals(len(kb.kb.get('credit_cards', 'credit_cards')), 1)
def test_ajax_two(self): body = '<script> ... xhr = new XMLHttpRequest(); ... xhr = new ActiveXObject("Microsoft.XMLHTTP"); ... </script>' url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEquals(len(kb.kb.get('ajax', 'ajax')), 1)
def test_ajax_empty(self): body = '' url = URL('http://www.w3af.com/') headers = Headers([('content-type', 'text/html')]) response = HTTPResponse(200, body, headers, url, url, _id=1) request = FuzzableRequest(url, method='GET') self.plugin.grep(request, response) self.assertEquals(len(kb.kb.get('ajax', 'ajax')), 0)
def test_export_with_dc(self): fr = FuzzableRequest(URL("http://www.w3af.com/")) d = DataContainer() d['a'] = [ '1', ] fr.set_dc(d) self.assertEqual(fr.export(), 'GET,http://www.w3af.com/?a=1,')