def bruteforce_wrapper(self, fuzzable_request):
self.audit(fuzzable_request.copy())
res = []
for v in kb.kb.get(self.get_name(), "auth"):
if v.get_url() not in self._already_reported:
self._already_reported.append(v.get_url())
res.extend(create_fuzzable_requests(v["response"]))
return res
def bruteforce_wrapper(self, fuzzable_request):
self.audit(fuzzable_request.copy())
res = []
for v in kb.kb.get(self.get_name(), 'auth'):
if v.get_url() not in self._already_reported:
self._already_reported.append(v.get_url())
res.extend(create_fuzzable_requests(v['response']))
return res
def test_add_self(self):
body = ''
headers = Headers([('content-type', 'text/html')])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
request_lst = create_fuzzable_requests(http_response, add_self=True)
self.assertEqual(len(request_lst), 1)
fr = request_lst[0]
self.assertEqual(fr.get_url(), self.url)
self.assertFalse('content-type' in fr.get_headers())
def test_add_self(self):
body = ''
headers = Headers([('content-type', 'text/html')])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
request_lst = create_fuzzable_requests(http_response, add_self=True)
self.assertEqual(len(request_lst), 1)
fr = request_lst[0]
self.assertEqual(fr.get_url(), self.url)
self.assertFalse('content-type' in fr.get_headers())
def test_redirect_location(self):
body = ''
redir_url = 'http://www.w3af.org/'
headers = Headers([('content-type', 'text/html'),
('location', redir_url)])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
redir_fr = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(redir_fr), 1)
redir_fr = redir_fr[0]
self.assertEqual(redir_fr.get_url().url_string, redir_url)
def test_redirect_uri_relative(self):
body = ''
redir_url = '/foo.bar'
headers = Headers([('content-type', 'text/html'), ('uri', redir_url)])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
redir_fr = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(redir_fr), 1)
redir_fr = redir_fr[0]
self.assertEqual(redir_fr.get_url().url_string,
self.url.url_string[:-1] + redir_url)
def test_redirect_location(self):
body = ''
redir_url = 'http://www.w3af.org/'
headers = Headers([('content-type', 'text/html'),
('location', redir_url)])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
redir_fr = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(redir_fr), 1)
redir_fr = redir_fr[0]
self.assertEqual(redir_fr.get_url().url_string, redir_url)
def test_cookie(self):
body = ''
redir_url = '/foo.bar'
headers = Headers([('content-type', 'text/html'), ('uri', redir_url),
('cookie', 'abc=def')])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
redir_fr_cookie = create_fuzzable_requests(http_response,
add_self=False)
self.assertEqual(len(redir_fr_cookie), 1)
redir_fr_cookie = redir_fr_cookie[0]
self.assertEqual(str(redir_fr_cookie.get_cookie()), 'abc=def;')
def test_redirect_uri_relative(self):
body = ''
redir_url = '/foo.bar'
headers = Headers([('content-type', 'text/html'),
('uri', redir_url)])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
redir_fr = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(redir_fr), 1)
redir_fr = redir_fr[0]
self.assertEqual(redir_fr.get_url(
).url_string, self.url.url_string[:-1] + redir_url)
def test_cookie(self):
body = ''
redir_url = '/foo.bar'
headers = Headers([('content-type', 'text/html'),
('uri', redir_url),
('cookie', 'abc=def')])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
redir_fr_cookie = create_fuzzable_requests(http_response,
add_self=False)
self.assertEqual(len(redir_fr_cookie), 1)
redir_fr_cookie = redir_fr_cookie[0]
self.assertEqual(str(redir_fr_cookie.get_cookie()), 'abc=def;')
def test_body_parse_form(self):
body = '''<form action="/foo.bar" method="POST">
A: <input name="a" />
B: <input name="b" value="123" />
</form>'''
headers = Headers([('content-type', 'text/html')])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
post_request_lst = create_fuzzable_requests(http_response,
add_self=False)
self.assertEqual(len(post_request_lst), 1)
post_request = post_request_lst[0]
self.assertEqual(post_request.get_url().url_string,
'http://www.w3af.com/foo.bar')
self.assertEqual(post_request.get_data(), 'a=&b=123')
self.assertEqual(post_request.get_method(), 'POST')
self.assertFalse('content-type' in post_request.get_headers())
def test_body_parse_form(self):
body = '''<form action="/foo.bar" method="POST">
A: <input name="a" />
B: <input name="b" value="123" />
</form>'''
headers = Headers([('content-type', 'text/html')])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
post_request_lst = create_fuzzable_requests(
http_response, add_self=False)
self.assertEqual(len(post_request_lst), 1)
post_request = post_request_lst[0]
self.assertEqual(
post_request.get_url().url_string, 'http://www.w3af.com/foo.bar')
self.assertEqual(post_request.get_data(), 'a=&b=123')
self.assertEqual(post_request.get_method(), 'POST')
self.assertFalse('content-type' in post_request.get_headers())
def test_is_token_checked_true(self):
generator = URL('http://moth/w3af/audit/csrf/secure-replay-allowed/')
http_response = self.uri_opener.GET(generator)
# Please note that this freq holds a fresh/valid CSRF token
freq_lst = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(freq_lst), 1)
freq = freq_lst[0]
# FIXME:
# And I use this token here to get the original response, and if the
# application is properly developed, that token will be invalidated
# and that's where this algorithm fails.
original_response = self.uri_opener.send_mutant(freq)
token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
checked = self.csrf_plugin._is_token_checked(freq, token, original_response)
self.assertTrue(checked)
def test_is_token_checked_true(self):
generator = URL('http://moth/w3af/audit/csrf/secure-replay-allowed/')
http_response = self.uri_opener.GET(generator)
# Please note that this freq holds a fresh/valid CSRF token
freq_lst = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(freq_lst), 1)
freq = freq_lst[0]
# FIXME:
# And I use this token here to get the original response, and if the
# application is properly developed, that token will be invalidated
# and that's where this algorithm fails.
original_response = self.uri_opener.send_mutant(freq)
token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
checked = self.csrf_plugin._is_token_checked(freq, token,
original_response)
self.assertTrue(checked)
def test_is_token_checked_false(self):
'''
This covers the case where there is a token but for some reason it
is NOT verified by the web application.
'''
generator = URL('http://moth/w3af/audit/csrf/vulnerable-token-ignored/')
http_response = self.uri_opener.GET(generator)
# Please note that this freq holds a fresh/valid CSRF token
freq_lst = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(freq_lst), 1)
freq = freq_lst[0]
# FIXME:
# And I use this token here to get the original response, and if the
# application is properly developed, that token will be invalidated
# and that's where this algorithm fails.
original_response = self.uri_opener.send_mutant(freq)
token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
checked = self.csrf_plugin._is_token_checked(freq, token, original_response)
self.assertFalse(checked)
def test_body_parse_a(self):
'''
TODO: I need to decide if I'm going to implement this in create_fuzzable_requests
or if I'm going to delegate this responsability to the web_spider plugin
only.
Note that all the uses of create_fuzzable_requests can be found with:
find . -name '*.py' | xargs grep create_fuzzable_requests
And they all need to be analyzed before making a decision.
'''
raise SkipTest('FIXME: See TODO.')
body = '<a href="http://www.google.com/?id=1">click here</a>'
headers = Headers([('content-type', 'text/html')])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
request_lst = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(request_lst), 1)
fr = request_lst[0]
self.assertEqual(fr.get_url().url_string, 'http://www.google.com/?id=1')
def test_body_parse_a(self):
'''
TODO: I need to decide if I'm going to implement this in create_fuzzable_requests
or if I'm going to delegate this responsability to the web_spider plugin
only.
Note that all the uses of create_fuzzable_requests can be found with:
find . -name '*.py' | xargs grep create_fuzzable_requests
And they all need to be analyzed before making a decision.
'''
raise SkipTest('FIXME: See TODO.')
body = '<a href="http://www.google.com/?id=1">click here</a>'
headers = Headers([('content-type', 'text/html')])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
request_lst = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(request_lst), 1)
fr = request_lst[0]
self.assertEqual(fr.get_url().url_string,
'http://www.google.com/?id=1')
def test_is_token_checked_false(self):
'''
This covers the case where there is a token but for some reason it
is NOT verified by the web application.
'''
generator = URL(
'http://moth/w3af/audit/csrf/vulnerable-token-ignored/')
http_response = self.uri_opener.GET(generator)
# Please note that this freq holds a fresh/valid CSRF token
freq_lst = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(freq_lst), 1)
freq = freq_lst[0]
# FIXME:
# And I use this token here to get the original response, and if the
# application is properly developed, that token will be invalidated
# and that's where this algorithm fails.
original_response = self.uri_opener.send_mutant(freq)
token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
checked = self.csrf_plugin._is_token_checked(freq, token,
original_response)
self.assertFalse(checked)
order to continue discovering.
"""
# We only want to scan pages that are in current scope
in_scope = lambda fr: fr.get_url().get_domain() == url.get_domain()
for url in target_urls:
try:
#
# GET the initial target URLs in order to save them
# in a list and use them as our bootstrap URLs
#
response = self._w3af_core.uri_opener.GET(url, cache=True)
except (w3afMustStopOnUrlError, w3afException, w3afMustStopException), w3:
om.out.error("The target URL: %s is unreachable." % url)
om.out.error("Error description: %s" % w3)
except Exception, e:
om.out.error("The target URL: %s is unreachable " "because of an unhandled exception." % url)
om.out.error('Error description: "%s". See debug ' "output for more information." % e)
om.out.error("Traceback for this error: %s" % traceback.format_exc())
else:
all_fuzzable_requests = create_fuzzable_requests(response)
filtered_seeds = filter(in_scope, all_fuzzable_requests)
for seed in filtered_seeds:
self._out_queue.put((None, None, seed))
# Update the set that lives in the KB
kb.kb.add_fuzzable_request(seed)
self._out_queue.put(POISON_PILL)
def test_not_add_self(self):
body = ''
headers = Headers([('content-type', 'text/html')])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
request_lst = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(request_lst), 0)
def test_not_add_self(self):
body = ''
headers = Headers([('content-type', 'text/html')])
http_response = HTTPResponse(200, body, headers, self.url, self.url)
request_lst = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(request_lst), 0)
def _create_fuzzable_requests(self,
HTTPResponse,
request=None,
add_self=True):
return create_fuzzable_requests(HTTPResponse, request, add_self)
for url in target_urls:
try:
#
# GET the initial target URLs in order to save them
# in a list and use them as our bootstrap URLs
#
response = self._w3af_core.uri_opener.GET(url, cache=True)
except (w3afMustStopOnUrlError, w3afException,
w3afMustStopException), w3:
om.out.error('The target URL: %s is unreachable.' % url)
om.out.error('Error description: %s' % w3)
except Exception, e:
om.out.error('The target URL: %s is unreachable '
'because of an unhandled exception.' % url)
om.out.error('Error description: "%s". See debug '
'output for more information.' % e)
om.out.error('Traceback for this error: %s' %
traceback.format_exc())
else:
all_fuzzable_requests = create_fuzzable_requests(response)
filtered_seeds = filter(in_scope, all_fuzzable_requests)
for seed in filtered_seeds:
self._out_queue.put((None, None, seed))
# Update the set that lives in the KB
kb.kb.add_fuzzable_request(seed)
self._out_queue.put(POISON_PILL)
def _create_fuzzable_requests(self, HTTPResponse, request=None, add_self=True):
return create_fuzzable_requests(HTTPResponse, request, add_self)