def setUp(self):
    """Build a fresh opener and a SQLMapWrapper aimed at the GET injection page."""
    target = Target(URL(self.SQLI_GET))
    self.uri_opener = ExtendedUrllib()
    self.sqlmap = SQLMapWrapper(target, self.uri_opener)
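class TestExtendedUrllibProxy(unittest.TestCase):
    """Drive ExtendedUrllib through w3af's own proxy daemon.

    setUp() starts a Proxy on an ephemeral port and points the opener's
    proxy_address / proxy_port options at it, so every request issued by
    self.uri_opener in these tests is relayed by the daemon.
    """

    MOTH_MESSAGE = 'Welcome to the moth homepage!'

    def setUp(self):
        self.uri_opener = ExtendedUrllib()

        # Port 0 lets the OS pick a free port; the daemon forwards upstream
        # with an ExtendedUrllib of its own, separate from the one under test
        self._proxy = Proxy('127.0.0.1', 0, ExtendedUrllib(), w3afProxyHandler)
        self._proxy.start()
        self._proxy.wait_for_start()
        port = self._proxy.get_port()

        # Hand the daemon's address to the opener through its option set
        settings = OpenerSettings()
        options = settings.get_options()
        options['proxy_address'].set_value('127.0.0.1')
        options['proxy_port'].set_value(port)
        settings.set_options(options)
        self.uri_opener.settings = settings

    def tearDown(self):
        self.uri_opener.end()
        # NOTE(review): self._proxy is started in setUp() but never stopped
        # here, so each test leaves a proxy daemon behind; confirm whether
        # Proxy exposes a stop method and call it from this tearDown.

    def test_http_default_port_via_proxy(self):
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)

    def test_http_port_specification_via_proxy(self):
        # An explicit :80 must be proxied the same way as the implicit port
        url = URL('http://moth:80/')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)

    # Skipped with the decorator instead of a bare `raise SkipTest` at the
    # top of the body: the previous form left the request and assertion
    # below as unreachable code.
    @unittest.skip('Skip this test because of a strange bug with the extended'
                   ' url library and w3af\'s local proxy daemon. More info here:'
                   ' https://github.com/andresriancho/w3af/issues/183')
    def test_https_via_proxy(self):
        url = URL('https://moth/')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)

    def test_offline_port_via_proxy(self):
        # 8181 is expected to be closed; the daemon is expected to report
        # the failed upstream connection as a 400 to the client
        url = URL('http://127.0.0.1:8181/')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertEqual(http_response.get_code(), 400)

    def test_POST_via_proxy(self):
        url = URL('http://moth/w3af/core/echo/post.php')
        http_response = self.uri_opener.POST(url, data='abc=123', cache=False)
        self.assertIn('[abc] => 123', http_response.body)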
def test_send_mangled(self):
    """An evasion plugin must rewrite the URL that is actually requested.

    With self_reference enabled, the response records 'http://moth/./'
    as the requested URL rather than the 'http://moth/' that was passed in.
    """
    opener = ExtendedUrllib()
    opener.set_evasion_plugins([self_reference()])

    response = opener.GET(URL('http://moth/'))
    self.assertEqual(response.get_url().url_string, u'http://moth/./')
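def test_verify_vulnerability_ssl(self):
    """is_vulnerable() must report the injection for SSL_SQLI_GET.

    The opener and wrapper created by setUp() are replaced here. The old
    opener is ended before being dropped so the instance from setUp() is
    not leaked: tearDown() only ends whatever self.uri_opener points to.
    """
    target = Target(URL(self.SSL_SQLI_GET))

    # end() is safe to call more than once (see the double-end() check in
    # the TestXUrllib cache test), so tearDown() ending the new opener is fine
    self.uri_opener.end()
    self.uri_opener = ExtendedUrllib()
    self.sqlmap = SQLMapWrapper(target, self.uri_opener)

    self.assertTrue(self.sqlmap.is_vulnerable())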
def test_send_mangled(self):
    """An evasion plugin must rewrite the URL that is actually requested.

    With self_reference enabled, the response records 'http://moth/./'
    as the requested URL rather than the 'http://moth/' that was passed in.
    """
    opener = ExtendedUrllib()
    opener.set_evasion_plugins([self_reference()])

    response = opener.GET(URL('http://moth/'))
    self.assertEqual(response.get_url().url_string, u'http://moth/./')
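class TestXUrllibIntegration(unittest.TestCase):
    """Integration tests for ExtendedUrllib against the moth test server.

    Every test works on the opener built in setUp(); tearDown() ends it so
    no instance is leaked between tests (the other ExtendedUrllib test
    classes in this suite do the same).
    """

    MOTH_MESSAGE = 'Welcome to the moth homepage!'

    def setUp(self):
        self.uri_opener = ExtendedUrllib()

    def tearDown(self):
        self.uri_opener.end()

    def test_ntlm_auth_not_configured(self):
        # setUp() already provides a pristine opener with no NTLM settings,
        # so there is no need to build (and leak) a second one here
        url = URL("http://moth/w3af/core/ntlm_auth/ntlm_v1/")
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn('Must authenticate.', http_response.body)

    def test_ntlm_auth_valid_creds(self):
        settings = OpenerSettings()
        options = settings.get_options()
        options['ntlm_auth_domain'].set_value('moth')
        options['ntlm_auth_user'].set_value('admin')
        options['ntlm_auth_passwd'].set_value('admin')
        options['ntlm_auth_url'].set_value('http://moth/w3af/core/ntlm_auth/ntlm_v1/')
        settings.set_options(options)
        self.uri_opener.settings = settings

        url = URL("http://moth/w3af/core/ntlm_auth/ntlm_v1/")
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn('You are admin from MOTH/', http_response.body)

    def test_gzip(self):
        url = URL('http://moth/')
        res = self.uri_opener.GET(url, cache=False)

        headers = res.get_headers()
        content_encoding, _ = headers.iget('content-encoding', '')

        # Either encoding is acceptable; the header value is the failure message
        compressed = 'gzip' in content_encoding or 'compress' in content_encoding
        self.assertTrue(compressed, content_encoding)

    def test_get_cookies(self):
        self.assertEqual(len(list(self.uri_opener.get_cookies())), 0)

        url_sends_cookie = URL(
            'http://moth/w3af/core/cookie_handler/set-cookie.php')
        self.uri_opener.GET(url_sends_cookie, cache=False)

        cookies = list(self.uri_opener.get_cookies())
        self.assertEqual(len(cookies), 1)
        self.assertEqual('moth.local', cookies[0].domain)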
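def __init__(self, ip, port, urlOpener=None,
             proxy_cert='core/controllers/daemons/mitm.crt'):
    '''
    :param ip: IP address to bind
    :param port: Port to bind
    :param urlOpener: The urlOpener that will be used to open the requests
                      that arrive from the browser. When omitted a new
                      ExtendedUrllib is created for this instance; the old
                      default of ``ExtendedUrllib()`` in the signature was
                      evaluated once at import time and shared by every
                      local proxy that did not pass its own opener.
    :param proxy_cert: Proxy certificate to use, this is needed for
                       proxying SSL connections.

    The request handler is fixed to w3afLocalProxyHandler.
    '''
    if urlOpener is None:
        urlOpener = ExtendedUrllib()

    Proxy.__init__(self, ip, port, urlOpener, w3afLocalProxyHandler,
                   proxy_cert)
    self.daemon = True
    self.name = 'LocalProxyThread'

    # Internal vars
    self._request_queue = Queue.Queue()
    self._edited_requests = {}
    self._edited_responses = {}

    # User configured parameters
    self._methods_to_trap = set()
    self._what_to_trap = re.compile('.*')
    # Raw string so the regex's '\.' is not an unknown escape in the
    # Python literal; the pattern itself is unchanged
    self._what_not_to_trap = re.compile(
        r'.*\.(gif|jpg|png|css|js|ico|swf|axd|tif)$')
    self._trap = False
    self._fix_content_length = True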
def test_raise_on_domain_not_in_archive(self):
    """crawl_wrapper must raise w3afRunOnce for a domain archive.org lacks."""
    fuzzable_req = FuzzableRequest(URL('http://www.w3af-scanner.org/'),
                                   method='GET')

    plugin = archive_dot_org()
    plugin.set_url_opener(ExtendedUrllib())

    self.assertRaises(w3afRunOnce, plugin.crawl_wrapper, fuzzable_req)
def setUp(self):
    """Start a local w3af proxy daemon and route self.uri_opener through it."""
    opener = ExtendedUrllib()

    # Bind port 0 so the OS chooses a free port, then read it back
    daemon = Proxy('127.0.0.1', 0, ExtendedUrllib(), w3afProxyHandler)
    daemon.start()
    daemon.wait_for_start()

    # Hand the daemon's address to the opener through its option set
    settings = OpenerSettings()
    options = settings.get_options()
    options['proxy_address'].set_value('127.0.0.1')
    options['proxy_port'].set_value(daemon.get_port())
    settings.set_options(options)
    opener.settings = settings

    self.uri_opener = opener
    self._proxy = daemon
    # NOTE(review): nothing in this excerpt stops the daemon; check that the
    # class's tearDown does so, otherwise each test leaves a proxy behind.
def test_ntlm_auth_valid_creds(self):
    """With NTLM domain/user/password configured the v1 page greets admin."""
    # NOTE(review): this replaces the opener built by setUp() without
    # ending it; if setUp() already provides a fresh one this line is
    # redundant and leaks an instance.
    self.uri_opener = ExtendedUrllib()

    ntlm_page = 'http://moth/w3af/core/ntlm_auth/ntlm_v1/'
    settings = OpenerSettings()
    options = settings.get_options()
    for option_name, value in (('ntlm_auth_domain', 'moth'),
                               ('ntlm_auth_user', 'admin'),
                               ('ntlm_auth_passwd', 'admin'),
                               ('ntlm_auth_url', ntlm_page)):
        options[option_name].set_value(value)
    settings.set_options(options)
    self.uri_opener.settings = settings

    http_response = self.uri_opener.GET(
        URL("http://moth/w3af/core/ntlm_auth/ntlm_v1/"), cache=False)
    self.assertIn('You are admin from MOTH/', http_response.body)
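def test_demo_testfire_net(self):
    """Crawl demo.testfire.net and check the XPath query pages were found.

    The domain is not under our control, so the test is skipped (not
    failed) when the site is unreachable or its login page has changed.
    """
    uri_opener = ExtendedUrllib()
    login_url = URL(self.demo_testfire + 'login.aspx')

    try:
        res = uri_opener.GET(login_url)
    except Exception:
        # Only a failed request should become a skip; the previous bare
        # except also swallowed KeyboardInterrupt and SystemExit
        raise SkipTest('demo.testfire.net is unreachable!')
    else:
        if 'Online Banking Login' not in res.body:
            raise SkipTest('demo.testfire.net has changed!')

    self._scan(self.demo_testfire_net['target'],
               self.demo_testfire_net['plugins'])

    url_strings = set(str(u) for u in self.kb.get_all_known_urls())
    self.assertIn(self.demo_testfire + 'queryxpath.aspx', url_strings)
    self.assertIn(self.demo_testfire + 'queryxpath.aspx.cs', url_strings)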
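def test_pickleable_shells(self):
    """A Shell stored in the kb comes back equal, minus its pool and opener.

    The worker pool is always terminated and joined, even when an
    assertion fails, so a failing run does not leave pool workers behind.
    """
    pool = Pool(1)
    try:
        xurllib = ExtendedUrllib()
        original_shell = Shell(MockVuln(), xurllib, pool)

        kb.append('a', 'b', original_shell)
        unpickled_shell = kb.get('a', 'b')[0]

        self.assertEqual(original_shell, unpickled_shell)
        # The pool and the url opener do not survive the round trip
        self.assertIsNone(unpickled_shell.worker_pool)
        self.assertIsNone(unpickled_shell._uri_opener)
    finally:
        pool.terminate()
        pool.join()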
def test_xurllib(self):
    """A cookie captured by one GET is replayed only when cookies=True."""
    opener = ExtendedUrllib()
    opener.GET(self.URL_SENDS_COOKIE)

    # Toggle the flag back and forth to show it is honoured per request
    expectations = [(True, 'Cookie was sent.'),
                    (False, 'Cookie was NOT sent.'),
                    (True, 'Cookie was sent.')]
    for send_cookies, expected_text in expectations:
        resp = opener.GET(self.URL_CHECK_COOKIE, cookies=send_cookies)
        self.assertTrue(expected_text in resp)
def setUp(self):
    """Give every test its own ExtendedUrllib instance."""
    opener = ExtendedUrllib()
    self.uri_opener = opener
class TestXUrllib(unittest.TestCase):
    """Behavioural tests for ExtendedUrllib against the moth test server.

    Every test gets a fresh opener from setUp() and tearDown() ends it.
    The port/timeout tests start an UpperDaemon on an ephemeral port so no
    real HTTP server is involved. This class continues beyond the excerpt
    shown here (the last method is cut off).
    """

    MOTH_MESSAGE = 'Welcome to the moth homepage!'

    def setUp(self):
        self.uri_opener = ExtendedUrllib()

    def tearDown(self):
        self.uri_opener.end()

    def test_basic(self):
        # A plain GET returns the moth homepage and carries a positive id
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)
        self.assertGreaterEqual(http_response.id, 1)
        self.assertNotEqual(http_response.id, None)

    def test_cache(self):
        # Same URL twice with the default cache setting: the second GET may
        # be served from the cache, the body must be the homepage both times
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url)
        self.assertTrue(self.MOTH_MESSAGE in http_response.body)

        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url)
        self.assertTrue(self.MOTH_MESSAGE in http_response.body)

    def test_qs_params(self):
        # Query-string parameters must reach the server unchanged; the body
        # is passed as the assertion message to ease debugging
        url = URL('http://moth/w3af/audit/local_file_read/local_file_read.php?file=section.txt')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertTrue('Showing the section content.' in http_response.body,
                        http_response.body)

        url = URL('http://moth/w3af/audit/local_file_read/local_file_read.php?file=/etc/passwd')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertTrue('root:x:0:0:' in http_response.body,
                        http_response.body)

    def test_POST(self):
        url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
        data = DataContainer([('empresa', 'abc'), ('firstname', 'def')])
        http_response = self.uri_opener.POST(url, data, cache=False)
        self.assertTrue('def' in http_response.body, http_response.body)

    def test_POST_special_chars(self):
        # Non-ASCII and HTML metacharacters in POST data must round-trip
        url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
        test_data = u'abc<def>"-á-'
        data = DataContainer([('empresa', test_data), ('firstname', 'def')])
        http_response = self.uri_opener.POST(url, data, cache=False)
        self.assertIn(test_data, http_response.body)

    def test_unknown_url(self):
        # DNS failure is surfaced as w3afMustStopOnUrlError
        url = URL('http://longsitethatdoesnotexistfoo.com/')
        self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)

    def test_url_port_closed(self):
        # TODO: Change 2312 by an always closed/non-http port
        url = URL('http://127.0.0.1:2312/')
        self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)

    def test_url_port_not_http(self):
        # EmptyTCPHandler accepts the connection but speaks no HTTP
        upper_daemon = UpperDaemon(EmptyTCPHandler)
        upper_daemon.start()
        upper_daemon.wait_for_start()
        port = upper_daemon.get_port()

        url = URL('http://127.0.0.1:%s/' % port)
        self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)

    def test_url_port_not_http_many(self):
        upper_daemon = UpperDaemon(EmptyTCPHandler)
        upper_daemon.start()
        upper_daemon.wait_for_start()
        port = upper_daemon.get_port()

        url = URL('http://127.0.0.1:%s/' % port)

        # Keep hitting the non-HTTP port. Per-URL errors are tolerated
        # until the opener gives up with w3afMustStopException, which ends
        # the loop; the for/else fails the test if that never happens.
        for _ in xrange(MAX_ERROR_COUNT):
            try:
                self.uri_opener.GET(url)
            except w3afMustStopByUnknownReasonExc:
                self.assertTrue(False, 'Not expecting this exception type.')
            except w3afMustStopOnUrlError:
                self.assertTrue(True)
            except w3afMustStopException:
                self.assertTrue(True)
                break
        else:
            self.assertTrue(False)

    def test_timeout(self):
        # TimeoutTCPHandler never answers; with a 1 second timeout the GET
        # must fail with w3afMustStopOnUrlError
        upper_daemon = UpperDaemon(TimeoutTCPHandler)
        upper_daemon.start()
        upper_daemon.wait_for_start()
        port = upper_daemon.get_port()

        url = URL('http://127.0.0.1:%s/' % port)

        self.uri_opener.settings.set_timeout(1)
        self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)
        # Restore the defaults so the short timeout does not leak into
        # other tests (skipped if the assertion above fails)
        self.uri_opener.settings.set_default_values()

    def test_timeout_many(self):
        upper_daemon = UpperDaemon(TimeoutTCPHandler)
        upper_daemon.start()
        upper_daemon.wait_for_start()
        port = upper_daemon.get_port()

        self.uri_opener.settings.set_timeout(1)

        url = URL('http://127.0.0.1:%s/' % port)

        # Same shape as test_url_port_not_http_many, with timeouts instead
        # of a non-HTTP peer
        for _ in xrange(MAX_ERROR_COUNT):
            try:
                self.uri_opener.GET(url)
            except w3afMustStopByUnknownReasonExc:
                self.assertTrue(False, 'Not expecting this exception type.')
            except w3afMustStopOnUrlError:
                self.assertTrue(True)
            except w3afMustStopException, e:
                self.assertTrue(True)
                break
        else:
            # … the method continues beyond this excerpt
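class TestSQLMapWrapper(unittest.TestCase):
    """Exercise SQLMapWrapper against moth's sql_injection test pages.

    Most tests run the real sqlmap against the moth server, so they are
    slow; the --batch / --disable-coloring / --proxy tests only inspect the
    generated command line.
    """

    SQLI_GET = 'http://moth/w3af/audit/sql_injection/select/'\
               'sql_injection_string.php?name=andres'
    # NOTE(review): identical to SQLI_GET (plain http), so
    # test_verify_vulnerability_ssl does not actually go over SSL; confirm
    # moth serves this page over https before changing the scheme.
    SSL_SQLI_GET = 'http://moth/w3af/audit/sql_injection/select/'\
                   'sql_injection_string.php?name=andres'
    SQLI_POST = 'http://moth/w3af/audit/sql_injection/select/'\
                'sql_injection_string.php'
    DATA_POST = 'name=andres'

    @classmethod
    def _remove_sqlmap_output(cls):
        """Delete sqlmap's output directory, if present, so runs share no state."""
        output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output')
        if os.path.exists(output_dir):
            shutil.rmtree(output_dir)

    @classmethod
    def setUpClass(cls):
        cls._remove_sqlmap_output()

    @classmethod
    def tearDownClass(cls):
        # Doing this in both setupclass and teardownclass in order to be sure
        # that a ctrl+c doesn't break it
        cls._remove_sqlmap_output()

    def setUp(self):
        target = Target(URL(self.SQLI_GET))
        self.uri_opener = ExtendedUrllib()
        self.sqlmap = SQLMapWrapper(target, self.uri_opener)

    def tearDown(self):
        self.uri_opener.end()
        self.sqlmap.cleanup()

    def _replace_wrapper(self, target, uri_opener=None):
        """Swap self.sqlmap (and optionally self.uri_opener) for new ones.

        The wrapper from setUp() is cleaned up and, when a new opener is
        supplied, the old opener is ended before being dropped; previously
        the tests overwrote both attributes and tearDown() only released
        the replacements. Assumes cleanup() only touches the wrapper's own
        resources - the same assumption tearDown() already makes.
        """
        self.sqlmap.cleanup()
        if uri_opener is not None:
            self.uri_opener.end()
            self.uri_opener = uri_opener
        self.sqlmap = SQLMapWrapper(target, self.uri_opener)

    def _output_after_verify(self, run_sqlmap):
        """Assert the target is vulnerable, run run_sqlmap() and return its stdout."""
        self.assertTrue(self.sqlmap.is_vulnerable())
        cmd, process = run_sqlmap()
        return process.stdout.read()

    def test_verify_vulnerability(self):
        self.assertTrue(self.sqlmap.is_vulnerable())

    def test_verify_vulnerability_ssl(self):
        self._replace_wrapper(Target(URL(self.SSL_SQLI_GET)), ExtendedUrllib())
        self.assertTrue(self.sqlmap.is_vulnerable())

    def test_verify_vulnerability_false(self):
        not_vuln = 'http://moth/w3af/audit/sql_injection/select/'\
                   'sql_injection_string.php?fake=invalid'
        self._replace_wrapper(Target(URL(not_vuln)))
        self.assertFalse(self.sqlmap.is_vulnerable())

    def test_verify_vulnerability_POST(self):
        self._replace_wrapper(Target(URL(self.SQLI_POST), self.DATA_POST))
        self.assertTrue(self.sqlmap.is_vulnerable())

    def test_wrapper_invalid_url(self):
        # The wrapper wants a Target, not a bare URL string
        self.assertRaises(TypeError, SQLMapWrapper, self.SQLI_GET,
                          self.uri_opener)

    def test_stds(self):
        self._replace_wrapper(Target(URL(self.SQLI_GET)))

        cmd, process = self.sqlmap.run_sqlmap_with_pipes(['--batch'])

        # All three standard streams are piped
        for stream in (process.stdout, process.stderr, process.stdin):
            self.assertIsInstance(stream, file)

        self.assertIsInstance(cmd, basestring)
        self.assertIn('sqlmap.py', cmd)

    def test_target_basic(self):
        target = Target(URL(self.SQLI_GET))
        self.assertEqual(target.to_params(), ["--url=%s" % self.SQLI_GET])

    def test_target_post_data(self):
        target = Target(URL(self.SQLI_GET), self.DATA_POST)
        self.assertEqual(target.to_params(),
                         ["--url=%s" % self.SQLI_GET,
                          "--data=%s" % self.DATA_POST])

    def test_no_coloring(self):
        self.assertIn('--disable-coloring', self.sqlmap.get_wrapper_params())

    def test_always_batch(self):
        self.assertIn('--batch', self.sqlmap.get_wrapper_params())

    def test_use_proxy(self):
        # sqlmap is always pointed at a local proxy; only the port varies
        params = self.sqlmap.get_wrapper_params()
        self.assertTrue(any(i.startswith('--proxy=http://127.0.0.1:')
                            for i in params))

    def test_enable_coloring(self):
        sqlmap = SQLMapWrapper(Target(URL(self.SQLI_GET)), self.uri_opener,
                               coloring=True)
        try:
            self.assertNotIn('--disable-coloring', sqlmap.get_wrapper_params())
        finally:
            # This wrapper is not the one tearDown() releases
            sqlmap.cleanup()

    def test_dbs(self):
        output = self._output_after_verify(self.sqlmap.dbs)
        self.assertIn('fetching database names', output)
        self.assertIn('available databases', output)
        self.assertIn('information_schema', output)

    def test_tables(self):
        output = self._output_after_verify(self.sqlmap.tables)
        self.assertIn('fetching tables for databases:', output)
        self.assertIn('Database: information_schema', output)
        self.assertIn('COLUMN_PRIVILEGES', output)

    def test_users(self):
        output = self._output_after_verify(self.sqlmap.users)
        self.assertIn('debian-sys-maint', output)
        self.assertIn('localhost', output)
        self.assertIn('root', output)

    def test_dump(self):
        output = self._output_after_verify(self.sqlmap.dump)
        self.assertIn('email', output)
        self.assertIn('phone', output)
        self.assertIn('address', output)
        self.assertIn('47789900', output)

    def test_sqlmap(self):
        # direct() passes the arguments straight to sqlmap; restricting the
        # dump to one table must keep information_schema out of the output
        output = self._output_after_verify(
            lambda: self.sqlmap.direct('--dump -D w3af_test -T users'))
        self.assertIn('email', output)
        self.assertIn('phone', output)
        self.assertIn('address', output)
        self.assertIn('47789900', output)
        self.assertNotIn('information_schema', output)
        self.assertNotIn('COLUMN_PRIVILEGES', output)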
class TestXUrllib(unittest.TestCase):
    """Behavioural tests for ExtendedUrllib against the moth test server.

    Every test gets a fresh opener from setUp() and tearDown() ends it.
    The pause/stop tests exercise the opener's control flags; the pause
    tests run the blocking GET in a separate Process so the test itself
    does not hang.
    """

    MOTH_MESSAGE = 'Welcome to the moth homepage!'

    def setUp(self):
        self.uri_opener = ExtendedUrllib()

    def tearDown(self):
        self.uri_opener.end()

    def test_basic(self):
        # A plain GET returns the moth homepage and carries a positive id
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)
        self.assertGreaterEqual(http_response.id, 1)
        self.assertNotEqual(http_response.id, None)

    def test_cache(self):
        # Same URL twice with the default cache setting: the second GET may
        # be served from the cache, the body must be the homepage both times
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url)
        self.assertTrue(self.MOTH_MESSAGE in http_response.body)

        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url)
        self.assertTrue(self.MOTH_MESSAGE in http_response.body)

    def test_qs_params(self):
        # Query-string parameters must reach the server unchanged; the body
        # is passed as the assertion message to ease debugging
        url = URL('http://moth/w3af/audit/local_file_read/local_file_read.php?file=section.txt')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertTrue('Showing the section content.' in http_response.body,
                        http_response.body)

        url = URL('http://moth/w3af/audit/local_file_read/local_file_read.php?file=/etc/passwd')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertTrue('root:x:0:0:' in http_response.body,
                        http_response.body)

    def test_POST(self):
        url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
        data = DataContainer([('empresa', 'abc'), ('firstname', 'def')])
        http_response = self.uri_opener.POST(url, data, cache=False)
        self.assertTrue('def' in http_response.body, http_response.body)

    def test_POST_special_chars(self):
        # Non-ASCII and HTML metacharacters in POST data must round-trip
        url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
        test_data = u'abc<def>"-á-'
        data = DataContainer([('empresa', test_data), ('firstname', 'def')])
        http_response = self.uri_opener.POST(url, data, cache=False)
        self.assertIn(test_data, http_response.body)

    def test_unknown_url(self):
        # DNS failure is surfaced as w3afMustStopOnUrlError
        url = URL('http://longsitethatdoesnotexistfoo.com/')
        self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)

    def test_stop(self):
        # Once stopped, every further request is refused
        self.uri_opener.stop()
        url = URL('http://moth/')
        self.assertRaises(w3afMustStopByUserRequest, self.uri_opener.GET, url)

    def test_pause_stop(self):
        # Stopping a paused opener makes GET raise instead of blocking
        self.uri_opener.pause(True)
        self.uri_opener.stop()
        url = URL('http://moth/')
        self.assertRaises(w3afMustStopByUserRequest, self.uri_opener.GET, url)

    def test_pause(self):
        output = Queue.Queue()
        self.uri_opener.pause(True)

        def send(uri_opener, output):
            url = URL('http://moth/')
            http_response = uri_opener.GET(url)
            output.put(http_response)

        th = Process(target=send, args=(self.uri_opener, output))
        th.daemon = True
        th.start()

        # While paused the GET must block: nothing arrives within 2 seconds
        self.assertRaises(Queue.Empty, output.get, True, 2)
        # NOTE(review): `th` is neither unpaused nor joined here, so it stays
        # blocked when the test ends; confirm that tearDown()'s end() wakes
        # a paused GET, otherwise the daemon flag is what hides the leak.

    def test_pause_unpause(self):
        output = Queue.Queue()
        self.uri_opener.pause(True)

        def send(uri_opener, output):
            url = URL('http://moth/')
            http_response = uri_opener.GET(url)
            output.put(http_response)

        th = Process(target=send, args=(self.uri_opener, output))
        th.daemon = True
        th.start()

        # Blocked while paused ...
        self.assertRaises(Queue.Empty, output.get, True, 2)

        # ... and the pending GET completes once unpaused
        self.uri_opener.pause(False)
        http_response = output.get()
        th.join()

        self.assertEqual(http_response.get_code(), 200)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)

    def test_removes_cache(self):
        url = URL('http://moth/')
        self.uri_opener.GET(url, cache=False)

        # Please note that this line, together with the tearDown() act as
        # a test for a "double call to end()".
        self.uri_opener.end()

        db_fmt = 'db_unittest-%s'
        trace_fmt = 'db_unittest-%s_traces/'
        temp_dir = get_temp_dir()

        # After end() none of the first 100 candidate db / trace paths may
        # exist (presumably the suffix is a per-opener counter - verify)
        for i in xrange(100):
            test_db_path = os.path.join(temp_dir, db_fmt % i)
            test_trace_path = os.path.join(temp_dir, trace_fmt % i)
            self.assertFalse(os.path.exists(test_db_path), test_db_path)
            self.assertFalse(os.path.exists(test_trace_path), test_trace_path)

    def test_special_char_header(self):
        # A non-ASCII header value must be sent intact; the response body is
        # expected to be exactly the value that was sent
        url = URL('http://moth/w3af/core/header_fuzzing/cookie_echo.php')
        header_content = u'á'
        headers = Headers([('foo', header_content)])
        http_response = self.uri_opener.GET(url, cache=False, headers=headers)
        self.assertEqual(header_content, http_response.body)
def setUp(self):
    """Create the temp dir the search engine needs, then build a pks instance."""
    create_temp_dir()
    opener = ExtendedUrllib()
    self.pks_se = pks(opener)
def test_ntlm_auth_not_configured(self):
    """Without NTLM credentials the protected page must demand authentication."""
    opener = ExtendedUrllib()
    self.uri_opener = opener

    response = opener.GET(URL("http://moth/w3af/core/ntlm_auth/ntlm_v1/"),
                          cache=False)
    self.assertIn('Must authenticate.', response.body)
def setUp(self):
    """Pick one of three known queries at random and build the google engine."""
    candidates = [('big bang theory', 20),
                  ('two and half man', 20),
                  ('doctor house', 20)]
    self.query, self.limit = random.choice(candidates)
    self.gse = google(ExtendedUrllib())
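class TestSQLMapWrapper(unittest.TestCase):
    """Exercise SQLMapWrapper against moth's sql_injection test pages.

    Most tests run the real sqlmap against the moth server, so they are
    slow; the --batch / --disable-coloring / --proxy tests only inspect the
    generated command line.
    """

    SQLI_GET = 'http://moth/w3af/audit/sql_injection/select/'\
               'sql_injection_string.php?name=andres'
    # NOTE(review): identical to SQLI_GET (plain http), so
    # test_verify_vulnerability_ssl does not actually go over SSL; confirm
    # moth serves this page over https before changing the scheme.
    SSL_SQLI_GET = 'http://moth/w3af/audit/sql_injection/select/'\
                   'sql_injection_string.php?name=andres'
    SQLI_POST = 'http://moth/w3af/audit/sql_injection/select/'\
                'sql_injection_string.php'
    DATA_POST = 'name=andres'

    @classmethod
    def _remove_sqlmap_output(cls):
        """Delete sqlmap's output directory, if present, so runs share no state."""
        output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output')
        if os.path.exists(output_dir):
            shutil.rmtree(output_dir)

    @classmethod
    def setUpClass(cls):
        cls._remove_sqlmap_output()

    @classmethod
    def tearDownClass(cls):
        # Doing this in both setupclass and teardownclass in order to be sure
        # that a ctrl+c doesn't break it
        cls._remove_sqlmap_output()

    def setUp(self):
        target = Target(URL(self.SQLI_GET))
        self.uri_opener = ExtendedUrllib()
        self.sqlmap = SQLMapWrapper(target, self.uri_opener)

    def tearDown(self):
        self.uri_opener.end()
        self.sqlmap.cleanup()

    def _replace_wrapper(self, target, uri_opener=None):
        """Swap self.sqlmap (and optionally self.uri_opener) for new ones.

        The wrapper from setUp() is cleaned up and, when a new opener is
        supplied, the old opener is ended before being dropped; previously
        the tests overwrote both attributes and tearDown() only released
        the replacements. Assumes cleanup() only touches the wrapper's own
        resources - the same assumption tearDown() already makes.
        """
        self.sqlmap.cleanup()
        if uri_opener is not None:
            self.uri_opener.end()
            self.uri_opener = uri_opener
        self.sqlmap = SQLMapWrapper(target, self.uri_opener)

    def _output_after_verify(self, run_sqlmap):
        """Assert the target is vulnerable, run run_sqlmap() and return its stdout."""
        self.assertTrue(self.sqlmap.is_vulnerable())
        cmd, process = run_sqlmap()
        return process.stdout.read()

    def test_verify_vulnerability(self):
        self.assertTrue(self.sqlmap.is_vulnerable())

    def test_verify_vulnerability_ssl(self):
        self._replace_wrapper(Target(URL(self.SSL_SQLI_GET)), ExtendedUrllib())
        self.assertTrue(self.sqlmap.is_vulnerable())

    def test_verify_vulnerability_false(self):
        not_vuln = 'http://moth/w3af/audit/sql_injection/select/'\
                   'sql_injection_string.php?fake=invalid'
        self._replace_wrapper(Target(URL(not_vuln)))
        self.assertFalse(self.sqlmap.is_vulnerable())

    def test_verify_vulnerability_POST(self):
        self._replace_wrapper(Target(URL(self.SQLI_POST), self.DATA_POST))
        self.assertTrue(self.sqlmap.is_vulnerable())

    def test_wrapper_invalid_url(self):
        # The wrapper wants a Target, not a bare URL string
        self.assertRaises(TypeError, SQLMapWrapper, self.SQLI_GET,
                          self.uri_opener)

    def test_stds(self):
        self._replace_wrapper(Target(URL(self.SQLI_GET)))

        cmd, process = self.sqlmap.run_sqlmap_with_pipes(['--batch'])

        # All three standard streams are piped
        for stream in (process.stdout, process.stderr, process.stdin):
            self.assertIsInstance(stream, file)

        self.assertIsInstance(cmd, basestring)
        self.assertIn('sqlmap.py', cmd)

    def test_target_basic(self):
        target = Target(URL(self.SQLI_GET))
        self.assertEqual(target.to_params(), ["--url=%s" % self.SQLI_GET])

    def test_target_post_data(self):
        target = Target(URL(self.SQLI_GET), self.DATA_POST)
        self.assertEqual(target.to_params(),
                         ["--url=%s" % self.SQLI_GET,
                          "--data=%s" % self.DATA_POST])

    def test_no_coloring(self):
        self.assertIn('--disable-coloring', self.sqlmap.get_wrapper_params())

    def test_always_batch(self):
        self.assertIn('--batch', self.sqlmap.get_wrapper_params())

    def test_use_proxy(self):
        # sqlmap is always pointed at a local proxy; only the port varies
        params = self.sqlmap.get_wrapper_params()
        self.assertTrue(any(i.startswith('--proxy=http://127.0.0.1:')
                            for i in params))

    def test_enable_coloring(self):
        sqlmap = SQLMapWrapper(Target(URL(self.SQLI_GET)), self.uri_opener,
                               coloring=True)
        try:
            self.assertNotIn('--disable-coloring', sqlmap.get_wrapper_params())
        finally:
            # This wrapper is not the one tearDown() releases
            sqlmap.cleanup()

    def test_dbs(self):
        output = self._output_after_verify(self.sqlmap.dbs)
        self.assertIn('fetching database names', output)
        self.assertIn('available databases', output)
        self.assertIn('information_schema', output)

    def test_tables(self):
        output = self._output_after_verify(self.sqlmap.tables)
        self.assertIn('fetching tables for databases:', output)
        self.assertIn('Database: information_schema', output)
        self.assertIn('COLUMN_PRIVILEGES', output)

    def test_users(self):
        output = self._output_after_verify(self.sqlmap.users)
        self.assertIn('debian-sys-maint', output)
        self.assertIn('localhost', output)
        self.assertIn('root', output)

    def test_dump(self):
        output = self._output_after_verify(self.sqlmap.dump)
        self.assertIn('email', output)
        self.assertIn('phone', output)
        self.assertIn('address', output)
        self.assertIn('47789900', output)

    def test_sqlmap(self):
        # direct() passes the arguments straight to sqlmap; restricting the
        # dump to one table must keep information_schema out of the output
        output = self._output_after_verify(
            lambda: self.sqlmap.direct('--dump -D w3af_test -T users'))
        self.assertIn('email', output)
        self.assertIn('phone', output)
        self.assertIn('address', output)
        self.assertIn('47789900', output)
        self.assertNotIn('information_schema', output)
        self.assertNotIn('COLUMN_PRIVILEGES', output)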
def setUp(self):
    """Run PluginTest.setUp, then wire a csrf plugin to its own opener."""
    super(TestCSRF, self).setUp()

    plugin = csrf()
    opener = ExtendedUrllib()
    plugin.set_url_opener(opener)

    self.csrf_plugin = plugin
    self.uri_opener = opener
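class TestCSRF(PluginTest):
    """
    Tests for the ``csrf`` audit plugin.

    ``test_found_csrf`` is an end-to-end scan of the ``moth`` fixture site;
    the remaining tests drive the plugin's helpers directly
    (``_is_resp_equal``, ``_is_suitable``, ``_is_origin_checked``,
    ``is_csrf_token``, ``_find_csrf_token`` and ``_is_token_checked``).
    Every test that builds a ``http://moth/...`` URL needs that host up.

    The ``test_is_csrf_token_*`` tests originally called ``is_csrf_token()``
    without asserting on its result, so they could never fail; they now pin
    the verdict their names promise.
    """

    target_url = 'http://moth/w3af/audit/csrf/'

    # A 32-hex-char value that is expected to be recognised as a token.
    TOKEN_VALUE = 'f842eb01b87a8ee18868d3bf80a558f3'

    # Scan configuration for test_found_csrf: the csrf audit plugin plus a
    # forward-only spider so the crawl stays below target_url.
    _run_configs = {
        'cfg': {
            'target': target_url,
            'plugins': {
                'audit': (PluginConfig('csrf'),),
                'crawl': (
                    PluginConfig('web_spider',
                                 ('only_forward', True, PluginConfig.BOOL)),
                )
            }
        }
    }

    def setUp(self):
        """Create a fresh plugin and a fresh HTTP opener for every test."""
        super(TestCSRF, self).setUp()
        self.csrf_plugin = csrf()
        # One opener per test: test_is_suitable relies on the cookie this
        # opener picks up, which must not bleed into the other tests.
        self.uri_opener = ExtendedUrllib()
        self.csrf_plugin.set_url_opener(self.uri_opener)

    def test_found_csrf(self):
        """A full scan must report exactly the known-vulnerable moth pages."""
        EXPECTED = [
            '/w3af/audit/csrf/vulnerable/buy.php',
            '/w3af/audit/csrf/vulnerable-rnd/buy.php',
            # vulnerable-token-ignored/buy.php is a known miss, see
            # https://github.com/andresriancho/w3af/issues/120
            '/w3af/audit/csrf/link-vote/vote.php',
        ]

        cfg = self._run_configs['cfg']
        self._scan(cfg['target'], cfg['plugins'])

        vulns = self.kb.get('csrf', 'csrf')
        # Compare as sets: discovery order is irrelevant, but an extra or a
        # missing finding is a failure.
        self.assertEqual(set(EXPECTED),
                         set(v.get_url().get_path() for v in vulns))
        self.assertTrue(all('CSRF vulnerability' == v.get_name()
                            for v in vulns))

    def test_resp_is_equal(self):
        """Two responses are equal only when both status code and body match."""
        url = URL('http://www.w3af.com/')
        headers = Headers([('content-type', 'text/html')])

        # Same body, different status code
        r1 = HTTPResponse(200, 'body', headers, url, url)
        r2 = HTTPResponse(404, 'body', headers, url, url)
        self.assertFalse(self.csrf_plugin._is_resp_equal(r1, r2))

        # Same status code, different body
        r1 = HTTPResponse(200, 'a', headers, url, url)
        r2 = HTTPResponse(200, 'b', headers, url, url)
        self.assertFalse(self.csrf_plugin._is_resp_equal(r1, r2))

        # Identical
        r1 = HTTPResponse(200, 'a', headers, url, url)
        r2 = HTTPResponse(200, 'a', headers, url, url)
        self.assertTrue(self.csrf_plugin._is_resp_equal(r1, r2))

    def test_is_suitable(self):
        """
        Only requests that carry a cookie *and* some parameters (query
        string or form fields) are worth testing for CSRF; strict mode
        further restricts this to POST requests with form data.
        """
        # False because no cookie is set and no QS nor post-data
        url = URL('http://moth/')
        req = FuzzableRequest(url, method='GET')
        self.assertFalse(self.csrf_plugin._is_suitable(req))

        # False because no cookie is set
        url = URL('http://moth/?id=3')
        req = FuzzableRequest(url, method='GET')
        self.assertFalse(self.csrf_plugin._is_suitable(req))

        # From here on the opener holds a cookie handed out by moth
        url_sends_cookie = URL('http://moth/w3af/core/cookie_handler/set-cookie.php')
        self.uri_opener.GET(url_sends_cookie)

        # Still false because it doesn't have any QS or POST data
        url = URL('http://moth/')
        req = FuzzableRequest(url, method='GET')
        self.assertFalse(self.csrf_plugin._is_suitable(req))

        # The plugin instance is per-test (see setUp), so flipping this
        # private flag cannot affect other tests even if an assert fails.
        self.csrf_plugin._strict_mode = True

        # Still false because of the strict mode
        url = URL('http://moth/?id=3')
        req = FuzzableRequest(url, method='GET')
        self.assertFalse(self.csrf_plugin._is_suitable(req))

        # False, no items in dc
        url = URL('http://moth/')
        req = FuzzableRequest(url, method='POST', dc=Form())
        self.assertFalse(self.csrf_plugin._is_suitable(req))

        # True, items in DC, POST (passes strict mode) and cookies
        url = URL('http://moth/')
        form = Form()
        form.add_input([('name', 'test'), ('type', 'text')])
        req = FuzzableRequest(url, method='POST', dc=form)
        self.assertTrue(self.csrf_plugin._is_suitable(req))

        self.csrf_plugin._strict_mode = False

        # True now that we have strict mode off, cookies and QS
        url = URL('http://moth/?id=3')
        req = FuzzableRequest(url, method='GET')
        self.assertTrue(self.csrf_plugin._is_suitable(req))

    def _origin_checked(self, path, referer):
        """
        GET ``/w3af/audit/csrf/<path>/buy.php?shares=123`` on moth with a
        Referer of ``/w3af/audit/csrf/<referer>/`` and return the plugin's
        verdict on whether the page validates the request origin.

        A Referer check is a weak CSRF defence in practice (the header can be
        absent or stripped); what is pinned here is only the plugin's
        classification of the page, not the page's real safety.
        """
        url = URL('http://moth/w3af/audit/csrf/%s/buy.php?shares=123' % path)
        headers = Headers([('Referer',
                            'http://moth/w3af/audit/csrf/%s/' % referer)])
        freq = FuzzableRequest(url, method='GET', headers=headers)
        orig_response = self.uri_opener.send_mutant(freq)
        return self.csrf_plugin._is_origin_checked(freq, orig_response)

    def test_is_origin_checked_true_case01(self):
        # referer/ validates the Referer header
        self.assertTrue(self._origin_checked('referer', 'referer'))

    def test_is_origin_checked_true_case02(self):
        # referer-rnd/ validates the Referer header as well
        self.assertTrue(self._origin_checked('referer-rnd', 'referer-rnd'))

    def test_is_origin_checked_false(self):
        # vulnerable/ ignores the Referer header entirely
        self.assertFalse(self._origin_checked('vulnerable', 'referer-rnd'))

    def test_is_csrf_token_true_case01(self):
        self.assertTrue(self.csrf_plugin.is_csrf_token('token', self.TOKEN_VALUE))

    def test_is_csrf_token_true_case02(self):
        self.assertTrue(self.csrf_plugin.is_csrf_token('secret', self.TOKEN_VALUE))

    def test_is_csrf_token_true_case03(self):
        self.assertTrue(self.csrf_plugin.is_csrf_token('csrf', self.TOKEN_VALUE))

    def test_is_csrf_token_false_case01(self):
        # Empty value
        self.assertFalse(self.csrf_plugin.is_csrf_token('token', ''))

    def test_is_csrf_token_false_case02(self):
        # Plain words
        self.assertFalse(self.csrf_plugin.is_csrf_token('secret', 'helloworld'))

    def test_is_csrf_token_false_case03(self):
        self.assertFalse(self.csrf_plugin.is_csrf_token('secret', 'helloworld123'))

    def test_is_csrf_token_false_case04(self):
        # Contains spaces
        self.assertFalse(self.csrf_plugin.is_csrf_token('secret', 'hello world 123'))

    def test_is_csrf_token_false_case05(self):
        # Long free text is not a token
        lorem = ('Lorem ipsum dolor sit amet, consectetur adipiscing elit.'
                 ' Curabitur at eros elit, rhoncus feugiat libero. Praesent'
                 ' lobortis ultricies est gravida tempor. Sed tortor mi,'
                 ' euismod at interdum quis, hendrerit vitae risus. Sed'
                 ' iaculis, ante sagittis ullamcorper molestie, metus nibh'
                 ' posuere purus, non tempor massa leo at odio. Duis quis'
                 ' elit enim. Morbi lobortis est sed metus adipiscing in'
                 ' lacinia est porttitor. Suspendisse potenti. Morbi pretium'
                 ' lacinia magna, sit amet tincidunt enim vestibulum sed.')
        self.assertFalse(self.csrf_plugin.is_csrf_token('secret', lorem))

    def test_is_csrf_token_false_case06(self):
        # Hex, but far too short
        self.assertFalse(self.csrf_plugin.is_csrf_token('token', 'f842e'))

    def _find_token_in_qs(self, qs):
        """Build a GET to the csrf test dir with query string ``qs`` and
        return whatever ``_find_csrf_token`` reports for it."""
        url = URL('http://moth/w3af/audit/csrf/')
        freq = FuzzableRequest(url, method='GET', dc=parse_qs(qs))
        return self.csrf_plugin._find_csrf_token(freq)

    def test_find_csrf_token_true_simple(self):
        token = self._find_token_in_qs('secret=f842eb01b87a8ee18868d3bf80a558f3')
        self.assertIn('secret', token)

    def test_find_csrf_token_true_repeated(self):
        # A repeated parameter is still reported when one of its values
        # looks like a token.
        token = self._find_token_in_qs('secret=f842eb01b87a8ee18868d3bf80a558f3'
                                       '&secret=not a token')
        self.assertIn('secret', token)

    def test_find_csrf_token_false(self):
        token = self._find_token_in_qs('secret=not a token')
        self.assertNotIn('secret', token)

    def _token_checked(self, generator_path):
        """
        Fetch the form at ``/w3af/audit/csrf/<generator_path>/``, submit it
        once to obtain the baseline response, then ask the plugin whether the
        server actually verifies the token.

        FIXME (kept from the original): the baseline submission spends the
        freshly issued token. Against an application that invalidates tokens
        after one use, the replay done by ``_is_token_checked`` can no longer
        be told apart from a genuine check, and the algorithm fails.
        """
        generator = URL('http://moth/w3af/audit/csrf/%s/' % generator_path)
        http_response = self.uri_opener.GET(generator)

        # This freq holds a fresh/valid CSRF token taken from the form
        freq_lst = create_fuzzable_requests(http_response, add_self=False)
        self.assertEqual(len(freq_lst), 1)
        freq = freq_lst[0]

        original_response = self.uri_opener.send_mutant(freq)

        # NOTE(review): the value is a fixed placeholder, not the token that
        # was just extracted; presumably only the key name matters to
        # _is_token_checked -- confirm against the plugin.
        token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
        return self.csrf_plugin._is_token_checked(freq, token,
                                                  original_response)

    def test_is_token_checked_true(self):
        # The directory name suggests tokens are verified but may be replayed,
        # which is what keeps the FIXME in _token_checked from biting here.
        self.assertTrue(self._token_checked('secure-replay-allowed'))

    def test_is_token_checked_false(self):
        '''
        This covers the case where there is a token but for some reason it is
        NOT verified by the web application.
        '''
        self.assertFalse(self._token_checked('vulnerable-token-ignored'))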
if id(orig_fuzzable_req) in self._edited_responses:
    # NOTE(review): tail of a method whose header is outside this excerpt
    # (it reads self._edited_responses and orig_fuzzable_req, presumably the
    # trap/edit path of the local proxy); indentation reconstructed.
    res = self._edited_responses[id(orig_fuzzable_req)]
    # Consume the entry so the same edited response is never handed out twice.
    del self._edited_responses[id(orig_fuzzable_req)]
    # Now we return it...
    # The editing side may have stored an Exception instead of a response;
    # it is re-raised here so the failure surfaces to whoever was waiting.
    if isinstance(res, Exception):
        raise res
    else:
        return res
# I looped and got nothing!
raise w3afException('Timed out waiting for response from remote server.')


if __name__ == '__main__':
    # Manual smoke test: start an intercepting proxy bound to loopback only
    # (127.0.0.1:8080, so it is not reachable from other hosts; note the
    # fixed port will clash with anything else listening there), poll it for
    # ten seconds and forward whatever request gets trapped.
    lp = LocalProxy('127.0.0.1', 8080, ExtendedUrllib())
    lp.start()
    for i in xrange(10):
        time.sleep(1)
        tr = lp.get_trapped_request()
        if tr:
            print tr
            # Replay the trapped request as-is (its own head and body) and
            # print the server's answer.
            print lp.send_raw_request(tr, tr.dump_request_head(), tr.get_data())
        else:
            print 'Waiting...'
    print 'Exit!'
    lp.stop()
    print 'bye bye...'
class TestXUrllib(unittest.TestCase):
    """
    Integration tests for ExtendedUrllib.

    The positive cases talk to ``http://moth/`` (the intentionally vulnerable
    test application); the failure cases rely on a host name that does not
    resolve, a closed loopback port, or a throwaway UpperDaemon on 127.0.0.1
    that either never speaks HTTP or never answers at all.

    NOTE(review): the class continues past the end of this excerpt (the last
    method is cut at its ``else:``).
    """
    MOTH_MESSAGE = 'Welcome to the moth homepage!'

    def setUp(self):
        # A fresh opener per test, so settings changed by one test
        # (e.g. the timeout below) cannot leak into the next.
        self.uri_opener = ExtendedUrllib()

    def tearDown(self):
        self.uri_opener.end()

    def test_basic(self):
        """A plain GET returns the page body and an id that is set and >= 1."""
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)
        self.assertGreaterEqual(http_response.id, 1)
        self.assertNotEqual(http_response.id, None)

    def test_cache(self):
        """Fetching the same URL twice with caching on yields the page both times."""
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url)
        self.assertTrue(self.MOTH_MESSAGE in http_response.body)

        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url)
        self.assertTrue(self.MOTH_MESSAGE in http_response.body)

    def test_qs_params(self):
        """
        Query-string parameters reach the target unmodified.

        local_file_read.php on moth is deliberately vulnerable to local file
        read; the second request exploits that to pull /etc/passwd. Only ever
        point this at the disposable moth host.
        """
        url = URL('http://moth/w3af/audit/local_file_read/local_file_read.php?file=section.txt')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertTrue('Showing the section content.' in http_response.body,
                        http_response.body)

        url = URL('http://moth/w3af/audit/local_file_read/local_file_read.php?file=/etc/passwd')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertTrue('root:x:0:0:' in http_response.body,
                        http_response.body)

    def test_POST(self):
        """Form-encoded POST data is delivered and echoed back by moth."""
        url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
        data = DataContainer([('empresa', 'abc'), ('firstname', 'def')])
        http_response = self.uri_opener.POST(url, data, cache=False)
        self.assertTrue('def' in http_response.body, http_response.body)

    def test_POST_special_chars(self):
        """HTML metacharacters and non-ASCII text survive the POST round-trip."""
        url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
        test_data = u'abc<def>"-á-'
        data = DataContainer([('empresa', test_data), ('firstname', 'def')])
        http_response = self.uri_opener.POST(url, data, cache=False)
        self.assertIn(test_data, http_response.body)

    def test_unknown_url(self):
        """A host name that does not resolve is reported as w3afMustStopOnUrlError.
        Network dependent: DNS must really fail for this name."""
        url = URL('http://longsitethatdoesnotexistfoo.com/')
        self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)

    def test_url_port_closed(self):
        """A closed loopback port is reported as w3afMustStopOnUrlError."""
        # TODO: Change 2312 by an always closed/non-http port
        url = URL('http://127.0.0.1:2312/')
        self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)

    def test_url_port_not_http(self):
        """A TCP listener that never speaks HTTP triggers w3afMustStopOnUrlError."""
        upper_daemon = UpperDaemon(EmptyTCPHandler)
        upper_daemon.start()
        upper_daemon.wait_for_start()
        port = upper_daemon.get_port()
        # NOTE(review): the daemon is never stopped here; confirm UpperDaemon
        # does not outlive the test.
        url = URL('http://127.0.0.1:%s/' % port)
        self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)

    def test_url_port_not_http_many(self):
        """
        Repeated failures against a non-HTTP port: every attempt may raise
        w3afMustStopOnUrlError, and within MAX_ERROR_COUNT attempts the opener
        must escalate to w3afMustStopException (reaching the ``break``). If
        the loop is exhausted without that escalation, the ``for``/``else``
        fails the test. w3afMustStopByUnknownReasonExc is never acceptable.
        """
        upper_daemon = UpperDaemon(EmptyTCPHandler)
        upper_daemon.start()
        upper_daemon.wait_for_start()
        port = upper_daemon.get_port()
        url = URL('http://127.0.0.1:%s/' % port)
        for _ in xrange(MAX_ERROR_COUNT):
            try:
                self.uri_opener.GET(url)
            except w3afMustStopByUnknownReasonExc:
                self.assertTrue(False, 'Not expecting this exception type.')
            except w3afMustStopOnUrlError:
                # Expected on the early attempts; keep going.
                self.assertTrue(True)
            except w3afMustStopException:
                # The opener gave up, which is the outcome we want.
                self.assertTrue(True)
                break
        else:
            self.assertTrue(False)

    def test_timeout(self):
        """A server that accepts the connection but never answers trips a 1 s timeout."""
        upper_daemon = UpperDaemon(TimeoutTCPHandler)
        upper_daemon.start()
        upper_daemon.wait_for_start()
        port = upper_daemon.get_port()
        url = URL('http://127.0.0.1:%s/' % port)
        self.uri_opener.settings.set_timeout(1)
        self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)
        # NOTE(review): not in a finally -- if assertRaises fails, the 1 s
        # timeout stays on this opener (harmless only because setUp builds a
        # new opener per test).
        self.uri_opener.settings.set_default_values()

    def test_timeout_many(self):
        """Same escalation check as test_url_port_not_http_many, but with a
        daemon that times out instead of speaking garbage."""
        upper_daemon = UpperDaemon(TimeoutTCPHandler)
        upper_daemon.start()
        upper_daemon.wait_for_start()
        port = upper_daemon.get_port()
        self.uri_opener.settings.set_timeout(1)
        url = URL('http://127.0.0.1:%s/' % port)
        for _ in xrange(MAX_ERROR_COUNT):
            try:
                self.uri_opener.GET(url)
            except w3afMustStopByUnknownReasonExc:
                self.assertTrue(False, 'Not expecting this exception type.')
            except w3afMustStopOnUrlError:
                self.assertTrue(True)
            except w3afMustStopException, e:
                self.assertTrue(True)
                break
        # NOTE(review): the method is cut off here in this excerpt.
        else:
class FakeCore(object):
    """
    Minimal stand-in for the w3af core used by tests: it exposes only the two
    attributes the code under test reads, ``worker_pool`` and ``uri_opener``.
    """
    # Both are built once, when this module is imported, and shared by every
    # FakeCore instance (and therefore by every test in the module). Pool(1)
    # presumably starts a worker at import time -- whether a thread or a
    # process depends on which Pool is imported, which is not visible here.
    worker_pool = Pool(1)
    uri_opener = ExtendedUrllib()
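class TestCSRF(PluginTest):
    """
    Tests for the ``csrf`` audit plugin.

    ``test_found_csrf`` is an end-to-end scan of the ``moth`` fixture site;
    the remaining tests drive the plugin's helpers directly
    (``_is_resp_equal``, ``_is_suitable``, ``_is_origin_checked``,
    ``is_csrf_token``, ``_find_csrf_token`` and ``_is_token_checked``).
    Every test that builds a ``http://moth/...`` URL needs that host up.

    The ``test_is_csrf_token_*`` tests originally called ``is_csrf_token()``
    without asserting on its result, so they could never fail; they now pin
    the verdict their names promise.
    """

    target_url = 'http://moth/w3af/audit/csrf/'

    # A 32-hex-char value that is expected to be recognised as a token.
    TOKEN_VALUE = 'f842eb01b87a8ee18868d3bf80a558f3'

    # Scan configuration for test_found_csrf: the csrf audit plugin plus a
    # forward-only spider so the crawl stays below target_url.
    _run_configs = {
        'cfg': {
            'target': target_url,
            'plugins': {
                'audit': (PluginConfig('csrf'),),
                'crawl': (
                    PluginConfig('web_spider',
                                 ('only_forward', True, PluginConfig.BOOL)),
                )
            }
        }
    }

    def setUp(self):
        """Create a fresh plugin and a fresh HTTP opener for every test."""
        super(TestCSRF, self).setUp()
        self.csrf_plugin = csrf()
        # One opener per test: test_is_suitable relies on the cookie this
        # opener picks up, which must not bleed into the other tests.
        self.uri_opener = ExtendedUrllib()
        self.csrf_plugin.set_url_opener(self.uri_opener)

    def test_found_csrf(self):
        """A full scan must report exactly the known-vulnerable moth pages."""
        EXPECTED = [
            '/w3af/audit/csrf/vulnerable/buy.php',
            '/w3af/audit/csrf/vulnerable-rnd/buy.php',
            # vulnerable-token-ignored/buy.php is a known miss, see
            # https://github.com/andresriancho/w3af/issues/120
            '/w3af/audit/csrf/link-vote/vote.php',
        ]

        cfg = self._run_configs['cfg']
        self._scan(cfg['target'], cfg['plugins'])

        vulns = self.kb.get('csrf', 'csrf')
        # Compare as sets: discovery order is irrelevant, but an extra or a
        # missing finding is a failure.
        self.assertEqual(set(EXPECTED),
                         set(v.get_url().get_path() for v in vulns))
        self.assertTrue(all('CSRF vulnerability' == v.get_name()
                            for v in vulns))

    def test_resp_is_equal(self):
        """Two responses are equal only when both status code and body match."""
        url = URL('http://www.w3af.com/')
        headers = Headers([('content-type', 'text/html')])

        # Same body, different status code
        r1 = HTTPResponse(200, 'body', headers, url, url)
        r2 = HTTPResponse(404, 'body', headers, url, url)
        self.assertFalse(self.csrf_plugin._is_resp_equal(r1, r2))

        # Same status code, different body
        r1 = HTTPResponse(200, 'a', headers, url, url)
        r2 = HTTPResponse(200, 'b', headers, url, url)
        self.assertFalse(self.csrf_plugin._is_resp_equal(r1, r2))

        # Identical
        r1 = HTTPResponse(200, 'a', headers, url, url)
        r2 = HTTPResponse(200, 'a', headers, url, url)
        self.assertTrue(self.csrf_plugin._is_resp_equal(r1, r2))

    def test_is_suitable(self):
        """
        Only requests that carry a cookie *and* some parameters (query
        string or form fields) are worth testing for CSRF; strict mode
        further restricts this to POST requests with form data.
        """
        # False because no cookie is set and no QS nor post-data
        url = URL('http://moth/')
        req = FuzzableRequest(url, method='GET')
        self.assertFalse(self.csrf_plugin._is_suitable(req))

        # False because no cookie is set
        url = URL('http://moth/?id=3')
        req = FuzzableRequest(url, method='GET')
        self.assertFalse(self.csrf_plugin._is_suitable(req))

        # From here on the opener holds a cookie handed out by moth
        url_sends_cookie = URL('http://moth/w3af/core/cookie_handler/set-cookie.php')
        self.uri_opener.GET(url_sends_cookie)

        # Still false because it doesn't have any QS or POST data
        url = URL('http://moth/')
        req = FuzzableRequest(url, method='GET')
        self.assertFalse(self.csrf_plugin._is_suitable(req))

        # The plugin instance is per-test (see setUp), so flipping this
        # private flag cannot affect other tests even if an assert fails.
        self.csrf_plugin._strict_mode = True

        # Still false because of the strict mode
        url = URL('http://moth/?id=3')
        req = FuzzableRequest(url, method='GET')
        self.assertFalse(self.csrf_plugin._is_suitable(req))

        # False, no items in dc
        url = URL('http://moth/')
        req = FuzzableRequest(url, method='POST', dc=Form())
        self.assertFalse(self.csrf_plugin._is_suitable(req))

        # True, items in DC, POST (passes strict mode) and cookies
        url = URL('http://moth/')
        form = Form()
        form.add_input([('name', 'test'), ('type', 'text')])
        req = FuzzableRequest(url, method='POST', dc=form)
        self.assertTrue(self.csrf_plugin._is_suitable(req))

        self.csrf_plugin._strict_mode = False

        # True now that we have strict mode off, cookies and QS
        url = URL('http://moth/?id=3')
        req = FuzzableRequest(url, method='GET')
        self.assertTrue(self.csrf_plugin._is_suitable(req))

    def _origin_checked(self, path, referer):
        """
        GET ``/w3af/audit/csrf/<path>/buy.php?shares=123`` on moth with a
        Referer of ``/w3af/audit/csrf/<referer>/`` and return the plugin's
        verdict on whether the page validates the request origin.

        A Referer check is a weak CSRF defence in practice (the header can be
        absent or stripped); what is pinned here is only the plugin's
        classification of the page, not the page's real safety.
        """
        url = URL('http://moth/w3af/audit/csrf/%s/buy.php?shares=123' % path)
        headers = Headers([('Referer',
                            'http://moth/w3af/audit/csrf/%s/' % referer)])
        freq = FuzzableRequest(url, method='GET', headers=headers)
        orig_response = self.uri_opener.send_mutant(freq)
        return self.csrf_plugin._is_origin_checked(freq, orig_response)

    def test_is_origin_checked_true_case01(self):
        # referer/ validates the Referer header
        self.assertTrue(self._origin_checked('referer', 'referer'))

    def test_is_origin_checked_true_case02(self):
        # referer-rnd/ validates the Referer header as well
        self.assertTrue(self._origin_checked('referer-rnd', 'referer-rnd'))

    def test_is_origin_checked_false(self):
        # vulnerable/ ignores the Referer header entirely
        self.assertFalse(self._origin_checked('vulnerable', 'referer-rnd'))

    def test_is_csrf_token_true_case01(self):
        self.assertTrue(self.csrf_plugin.is_csrf_token('token', self.TOKEN_VALUE))

    def test_is_csrf_token_true_case02(self):
        self.assertTrue(self.csrf_plugin.is_csrf_token('secret', self.TOKEN_VALUE))

    def test_is_csrf_token_true_case03(self):
        self.assertTrue(self.csrf_plugin.is_csrf_token('csrf', self.TOKEN_VALUE))

    def test_is_csrf_token_false_case01(self):
        # Empty value
        self.assertFalse(self.csrf_plugin.is_csrf_token('token', ''))

    def test_is_csrf_token_false_case02(self):
        # Plain words
        self.assertFalse(self.csrf_plugin.is_csrf_token('secret', 'helloworld'))

    def test_is_csrf_token_false_case03(self):
        self.assertFalse(self.csrf_plugin.is_csrf_token('secret', 'helloworld123'))

    def test_is_csrf_token_false_case04(self):
        # Contains spaces
        self.assertFalse(self.csrf_plugin.is_csrf_token('secret', 'hello world 123'))

    def test_is_csrf_token_false_case05(self):
        # Long free text is not a token
        lorem = ('Lorem ipsum dolor sit amet, consectetur adipiscing elit.'
                 ' Curabitur at eros elit, rhoncus feugiat libero. Praesent'
                 ' lobortis ultricies est gravida tempor. Sed tortor mi,'
                 ' euismod at interdum quis, hendrerit vitae risus. Sed'
                 ' iaculis, ante sagittis ullamcorper molestie, metus nibh'
                 ' posuere purus, non tempor massa leo at odio. Duis quis'
                 ' elit enim. Morbi lobortis est sed metus adipiscing in'
                 ' lacinia est porttitor. Suspendisse potenti. Morbi pretium'
                 ' lacinia magna, sit amet tincidunt enim vestibulum sed.')
        self.assertFalse(self.csrf_plugin.is_csrf_token('secret', lorem))

    def test_is_csrf_token_false_case06(self):
        # Hex, but far too short
        self.assertFalse(self.csrf_plugin.is_csrf_token('token', 'f842e'))

    def _find_token_in_qs(self, qs):
        """Build a GET to the csrf test dir with query string ``qs`` and
        return whatever ``_find_csrf_token`` reports for it."""
        url = URL('http://moth/w3af/audit/csrf/')
        freq = FuzzableRequest(url, method='GET', dc=parse_qs(qs))
        return self.csrf_plugin._find_csrf_token(freq)

    def test_find_csrf_token_true_simple(self):
        token = self._find_token_in_qs('secret=f842eb01b87a8ee18868d3bf80a558f3')
        self.assertIn('secret', token)

    def test_find_csrf_token_true_repeated(self):
        # A repeated parameter is still reported when one of its values
        # looks like a token.
        token = self._find_token_in_qs('secret=f842eb01b87a8ee18868d3bf80a558f3'
                                       '&secret=not a token')
        self.assertIn('secret', token)

    def test_find_csrf_token_false(self):
        token = self._find_token_in_qs('secret=not a token')
        self.assertNotIn('secret', token)

    def _token_checked(self, generator_path):
        """
        Fetch the form at ``/w3af/audit/csrf/<generator_path>/``, submit it
        once to obtain the baseline response, then ask the plugin whether the
        server actually verifies the token.

        FIXME (kept from the original): the baseline submission spends the
        freshly issued token. Against an application that invalidates tokens
        after one use, the replay done by ``_is_token_checked`` can no longer
        be told apart from a genuine check, and the algorithm fails.
        """
        generator = URL('http://moth/w3af/audit/csrf/%s/' % generator_path)
        http_response = self.uri_opener.GET(generator)

        # This freq holds a fresh/valid CSRF token taken from the form
        freq_lst = create_fuzzable_requests(http_response, add_self=False)
        self.assertEqual(len(freq_lst), 1)
        freq = freq_lst[0]

        original_response = self.uri_opener.send_mutant(freq)

        # NOTE(review): the value is a fixed placeholder, not the token that
        # was just extracted; presumably only the key name matters to
        # _is_token_checked -- confirm against the plugin.
        token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
        return self.csrf_plugin._is_token_checked(freq, token,
                                                  original_response)

    def test_is_token_checked_true(self):
        # The directory name suggests tokens are verified but may be replayed,
        # which is what keeps the FIXME in _token_checked from biting here.
        self.assertTrue(self._token_checked('secure-replay-allowed'))

    def test_is_token_checked_false(self):
        '''
        This covers the case where there is a token but for some reason it is
        NOT verified by the web application.
        '''
        self.assertFalse(self._token_checked('vulnerable-token-ignored'))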