def setUp(self):
    """Reset shared test state and, when ``MOCK_RESPONSES`` is set, arm httpretty.

    Clears the knowledge base, builds a fresh ``w3afCore`` and ``MiscSettings``,
    zeroes the request-callback counters and, for mocked runs, parses
    ``self.target_url`` so its scheme, host and port can be handed to
    ``_register_httpretty_uri``.

    :raises Exception: when ``MOCK_RESPONSES`` is set but ``target_url`` does
                       not parse as a URL; the original ``ValueError`` text is
                       embedded in the message.
    """
    self.kb.cleanup()
    self.w3afcore = w3afCore()
    self.misc_settings = MiscSettings()
    self.request_callback_call_count = 0
    self.request_callback_match = 0

    if not self.MOCK_RESPONSES:
        return

    # Drop any URI registrations left over from a previous test before
    # switching the mock on, so responses cannot bleed between tests.
    httpretty.reset()
    httpretty.enable()

    try:
        target = URL(self.target_url)
    except ValueError as ve:
        msg = ('When using MOCK_RESPONSES you need to set the'
               ' target_url attribute to a valid URL, exception was:'
               ' "%s".')
        raise Exception(msg % ve)

    self._register_httpretty_uri(target.get_protocol(),
                                 target.get_domain(),
                                 target.get_port())
def test_default_proto(self):
    """A URL given without a scheme is parsed as plain ``http``."""
    # No "://" prefix at all: the parser must fall back to http rather
    # than reject the input.
    parsed = URL('w3af.com')
    self.assertEqual(parsed.get_domain(), 'w3af.com')
    self.assertEqual(parsed.get_protocol(), 'http')
def test_websocket_secure_proto(self):
    """The ``wss`` scheme is accepted and reported back unchanged."""
    # Secure WebSocket URLs must parse like any other scheme, with the
    # scheme preserved rather than normalised to http/https.
    parsed = URL('wss://w3af.com')
    self.assertEqual(parsed.get_domain(), 'w3af.com')
    self.assertEqual(parsed.get_protocol(), 'wss')
def setUp(self):
    """Reset shared test state and, when ``MOCK_RESPONSES`` is set, arm httpretty.

    Clears the knowledge base, builds a fresh ``w3afCore`` and, for mocked
    runs, parses ``self.target_url`` so its scheme, host and port can be
    handed to ``_register_httpretty_uri``.

    :raises Exception: when ``MOCK_RESPONSES`` is set but ``target_url`` does
                       not parse as a URL; the original ``ValueError`` text is
                       embedded in the message.
    """
    self.kb.cleanup()
    self.w3afcore = w3afCore()

    if not self.MOCK_RESPONSES:
        return

    httpretty.enable()

    try:
        target = URL(self.target_url)
    except ValueError as ve:
        msg = ('When using MOCK_RESPONSES you need to set the'
               ' target_url attribute to a valid URL, exception was:'
               ' "%s".')
        raise Exception(msg % ve)

    self._register_httpretty_uri(target.get_protocol(),
                                 target.get_domain(),
                                 target.get_port())
def alert_if_target_is_301_all(self):
    """
    Detect whether a configured target redirects to another scheme or host.

    Each URL in ``cf.cf.get('targets')`` is fetched once, uncached, and the
    response is inspected: a 3xx status whose ``Location`` (or ``URI``)
    header names a different protocol or a different domain marks the site
    as redirecting and stops the loop early.

    Only protocol and domain are compared; a change of port alone is not
    treated as a redirect away from the target.

    The redirect target comes from a server-controlled response header, so
    it is parsed through ``URL()`` and any value that fails to parse is
    skipped rather than allowed to abort the scan.

    :see: https://github.com/andresriancho/w3af/issues/14976

    :raises ScanMustStopByUserRequest: re-raised untouched when the user
                                       stops the scan mid-request.
    :raises ScanMustStopException: for any other error raised while
                                   fetching a target; the error text is
                                   also written to the debug log.
    :return: True if the site returns 301 for all resources. Also an
             Info instance is saved to the KB in order to alert the user.
    """
    site_does_redirect = False

    # User-facing advice; NOTE(review): not consumed in the detection loop
    # below, so it is presumably emitted by the code that follows the loop.
    msg = ('The configured target domain redirects all HTTP requests to a'
           ' different location. The most common scenarios are:\n\n'
           ''
           ' * HTTP redirect to HTTPS\n'
           ' * domain.com redirect to www.domain.com\n\n'
           ''
           'While the scan engine can identify URLs and vulnerabilities'
           ' using the current configuration it might be wise to start'
           ' a new scan setting the target URL to the redirect target.')

    targets = cf.cf.get('targets')

    for url in targets:
        # We test if the target URLs are redirecting to a different protocol
        # or domain.
        try:
            # cache=False: a stale cached response would hide a redirect
            # that was introduced after the cache entry was written.
            # NOTE(review): assumes uri_opener.GET does not follow
            # redirects itself, otherwise no 3xx would ever be seen here.
            http_response = self._w3af_core.uri_opener.GET(url, cache=False)
        except ScanMustStopByUserRequest:
            # Not a real error, the user stopped the scan
            raise
        except Exception, e:
            emsg = 'Exception found during alert_if_target_is_301_all(): "%s"'
            emsg %= e
            om.out.debug(emsg)
            raise ScanMustStopException(emsg)
        else:
            if 300 <= http_response.get_code() <= 399:
                # Get the redirect target
                lower_headers = http_response.get_lower_case_headers()

                redirect_url = None

                # NOTE(review): there is no break after a successful parse,
                # so when both headers are present and valid the 'uri'
                # value overrides 'location'; when 'uri' is present but
                # unparsable, the 'location' value survives.
                for header_name in ('location', 'uri'):
                    if header_name in lower_headers:
                        header_value = lower_headers[header_name]
                        header_value = header_value.strip()

                        try:
                            redirect_url = URL(header_value)
                        except ValueError:
                            # No special invalid URL handling required
                            continue

                # 3xx without a usable redirect target: nothing to compare.
                if not redirect_url:
                    continue

                # Check if the protocol was changed:
                target_proto = url.get_protocol()
                redirect_proto = redirect_url.get_protocol()

                if target_proto != redirect_proto:
                    site_does_redirect = True
                    break

                # Check if the domain was changed:
                target_domain = url.get_domain()
                redirect_domain = redirect_url.get_domain()

                if target_domain != redirect_domain:
                    site_does_redirect = True
                    break
def test_set_protocol(self):
    """``set_protocol`` replaces the scheme and ``get_protocol`` reflects it."""
    # Start from a plain-http, IP-literal URL so the only thing that can
    # change is the scheme.
    parsed = URL("http://1.2.3.4")
    self.assertEqual(parsed.get_protocol(), 'http')

    parsed.set_protocol('https')
    self.assertEqual(parsed.get_protocol(), 'https')