    def test_found_at(self):
        """Check the human-readable location string produced by found_at().

        The string must name the request URL and HTTP method, plus the
        header that was modified and the value it was set to.
        """
        expected = ('"http://www.w3af.com/", using HTTP method GET. The modified'
                    ' header was: "Referer" and it\'s value was: "foo".')

        hdrs = Headers([('Referer', 'http://moth/')])
        request = FuzzableRequest(URL('http://www.w3af.com/?id=3'),
                                  headers=hdrs)

        mutant = HeadersMutant(request)
        mutant.set_var('Referer')
        mutant.set_mod_value('foo')

        self.assertEqual(mutant.found_at(), expected)
    def test_basic(self):
        """Check that a HeadersMutant rewrites the chosen header.

        After set_var('Referer') and set_mod_value(), get_headers() must
        expose the new Referer value while get_original_value() still
        returns the value recorded via set_original_value().
        """
        request = FuzzableRequest(URL('http://www.w3af.com/'))
        original_referer = request.get_referer()
        new_referer = 'http://w3af.org/'

        m = HeadersMutant(request.copy())
        m.set_var('Referer')
        m.set_original_value(original_referer)
        m.set_mod_value(new_referer)

        mutated_headers = m.get_headers()
        self.assertEqual(mutated_headers['Referer'], new_referer)
        self.assertEqual(m.get_original_value(), original_referer)
Arquivo: csrf.py Projeto: weisst/w3af
    def _is_origin_checked(self, freq, orig_response):
        '''
        Probe whether the application validates the Referer header.

        A copy of ``freq`` is re-sent with its Referer replaced by an
        unrelated origin; if the reply differs from ``orig_response`` the
        application is assumed to be checking the Referer.

        :param freq: The FuzzableRequest whose Referer is to be replaced.
        :param orig_response: Response obtained for the unmodified request,
                              used as the baseline for comparison.
        :return: True if the remote web application verifies the Referer before
                 processing the HTTP request.
        '''
        referer_mutant = HeadersMutant(freq.copy())
        referer_mutant.set_var('Referer')
        referer_mutant.set_original_value(freq.get_referer())
        referer_mutant.set_mod_value('http://www.w3af.org/')

        probe_response = self._uri_opener.send_mutant(referer_mutant)

        # A response that changes when only the Referer changes is taken as
        # evidence of a server-side origin check (i.e. some CSRF protection).
        # Responses that are equal mean the Referer was ignored.
        # NOTE(review): _is_resp_equal decides what "equal" means (it may
        # tolerate dynamic content) — confirm its tolerance against the
        # detection's false-negative rate.
        return not self._is_resp_equal(orig_response, probe_response)