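def test_payloads(self):
    """Check that every (stable) AngularJS version in ``self.angular_assets`` throws an alert using ACSTIS.

    For each ``version -> asset url`` pair a throw-away ``LocalAngularServer`` is
    started with the vulnerable test handler, ``acstis.py --verify-payload`` is run
    against it in a subprocess and its exit code must be 0. A subprocess failure
    (any exception while launching/waiting) is reported as exit code 1.

    The asset URLs come from ``self.angular_assets`` (presumably remote scripts),
    so this test most likely needs network access — TODO confirm.
    """
    # The file-level import block is outside this view; import locally so the
    # method is self-contained.
    import sys

    for (version, url) in self.angular_assets.items():
        server = LocalAngularServer()
        server.start(LocalAngularServer.HANDLER_VULNERABLE_TEST, {"asset": url})
        try:
            # Run the scanner with the interpreter executing this suite, not
            # whatever "python" resolves to on PATH (may be a different
            # version/venv without the scanner's dependencies).
            shell_command = [
                sys.executable,
                "acstis.py",
                "--verify-payload",
                "--angular-version", version,
                "--domain", "http://" + server.url + "?vulnerable=payload",
            ]
            print("Testing: " + " ".join(shell_command))
            # Argument list, no shell: server.url/version are never shell-interpolated.
            # NOTE(review): there is no timeout here; a hung scan hangs the suite.
            exitcode = subprocess.call(shell_command)
        except Exception as e:
            print("Exception: " + str(e))
            exitcode = 1
        finally:
            # Always release the local server (and its port), even on
            # KeyboardInterrupt or any non-Exception error.
            server.stop()
        self.assertEqual(
            exitcode, 0,
            "ACSTIS did not verify the payload for AngularJS " + version
        )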
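def test_version_detect(self):
    """Check that a single (stable) AngularJS version (1.5.8) is detected by ACSTIS.

    Starts a ``LocalAngularServer`` with the vulnerable test handler pointed at
    the 1.5.8 ``angular.min.js`` asset on code.angularjs.org (presumably needs
    network access — TODO confirm), evaluates ``angular.version.full`` in the
    browser through ``BrowserHelper.javascript`` and asserts it equals "1.5.8".
    """
    server = LocalAngularServer()
    server.start(
        LocalAngularServer.HANDLER_VULNERABLE_TEST,
        {"asset": "https://code.angularjs.org/1.5.8/angular.min.js"}
    )
    domain = "http://" + server.url + "?vulnerable=payload"
    try:
        version = BrowserHelper.javascript(
            QueueItem(Request(domain), Response(domain)),
            "return angular.version.full"
        )
    finally:
        # Stop the server even if the browser call raises, so its port is not
        # leaked into the remaining tests.
        server.stop()
    self.assertEqual("1.5.8", version)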
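def test_inside_non_bindable(self):
    """Payloads inside non-bindable attributes must NOT be detected by ACSTIS.

    Starts a ``LocalAngularServer`` with the scope test handler positioned
    ``inside_non_bindable``, runs ``acstis.py --verify-payload`` against it in a
    subprocess and asserts the exit code is non-zero (no payload verified).
    Any exception while launching/waiting also counts as exit code 1.
    """
    # The file-level import block is outside this view; import locally so the
    # method is self-contained.
    import sys

    server = LocalAngularServer()
    server.start(LocalAngularServer.HANDLER_SCOPE_TEST, {"position": "inside_non_bindable"})
    try:
        # Use the interpreter running this suite rather than PATH's "python".
        shell_command = [
            sys.executable,
            "acstis.py",
            "--verify-payload",
            "--domain", "http://" + server.url + "?vulnerable=payload",
        ]
        # Argument list, no shell: server.url is never shell-interpolated.
        # NOTE(review): no timeout; a hung scan hangs the suite.
        exitcode = subprocess.call(shell_command)
    except Exception as e:
        print("Exception: " + str(e))
        exitcode = 1
    finally:
        # Always release the local server, even on non-Exception errors.
        server.stop()
    self.assertNotEqual(
        exitcode, 0,
        "ACSTIS verified a payload placed inside a non-bindable attribute"
    )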
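def test_outside_app(self):
    """Payloads outside the AngularJS app must NOT be detected by ACSTIS.

    Starts a ``LocalAngularServer`` with the scope test handler positioned
    ``outside_app``, runs ``acstis.py --verify-payload`` against it in a
    subprocess and asserts the exit code is non-zero (no payload verified).
    Any exception while launching/waiting also counts as exit code 1.
    """
    # The file-level import block is outside this view; import locally so the
    # method is self-contained.
    import sys

    server = LocalAngularServer()
    server.start(LocalAngularServer.HANDLER_SCOPE_TEST, {"position": "outside_app"})
    try:
        # Use the interpreter running this suite rather than PATH's "python".
        shell_command = [
            sys.executable,
            "acstis.py",
            "--verify-payload",
            "--domain", "http://" + server.url + "?vulnerable=payload",
        ]
        # Argument list, no shell: server.url is never shell-interpolated.
        # NOTE(review): no timeout; a hung scan hangs the suite.
        exitcode = subprocess.call(shell_command)
    except Exception as e:
        # Same message format as the sibling tests for consistent log output.
        print("Exception: " + str(e))
        exitcode = 1
    finally:
        # Always release the local server, even on non-Exception errors.
        server.stop()
    self.assertNotEqual(
        exitcode, 0,
        "ACSTIS verified a payload placed outside the AngularJS app"
    )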