def setUp(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
class TestExtendedUrllibProxy(unittest.TestCase):
MOTH_MESSAGE = 'Welcome to the moth homepage!'
def setUp(self):
self.uri_opener = ExtendedUrllib()
# Start the proxy daemon
self._proxy = Proxy('127.0.0.1', 0, ExtendedUrllib(), w3afProxyHandler)
self._proxy.start()
self._proxy.wait_for_start()
port = self._proxy.get_port()
# Configure the proxy
settings = OpenerSettings()
options = settings.get_options()
proxy_address_opt = options['proxy_address']
proxy_port_opt = options['proxy_port']
proxy_address_opt.set_value('127.0.0.1')
proxy_port_opt.set_value(port)
settings.set_options(options)
self.uri_opener.settings = settings
def tearDown(self):
self.uri_opener.end()
def test_http_default_port_via_proxy(self):
url = URL('http://moth/')
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn(self.MOTH_MESSAGE, http_response.body)
def test_http_port_specification_via_proxy(self):
url = URL('http://moth:80/')
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn(self.MOTH_MESSAGE, http_response.body)
def test_https_via_proxy(self):
TODO = 'Skip this test because of a strange bug with the extended'\
' url library and w3af\'s local proxy daemon. More info here:'\
' https://github.com/andresriancho/w3af/issues/183'
raise SkipTest(TODO)
url = URL('https://moth/')
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn(self.MOTH_MESSAGE, http_response.body)
def test_offline_port_via_proxy(self):
url = URL('http://127.0.0.1:8181/')
http_response = self.uri_opener.GET(url, cache=False)
self.assertEqual(http_response.get_code(), 400)
def test_POST_via_proxy(self):
url = URL('http://moth/w3af/core/echo/post.php')
http_response = self.uri_opener.POST(url, data='abc=123', cache=False)
self.assertIn('[abc] => 123', http_response.body)
def test_send_mangled(self):
xurllib = ExtendedUrllib()
xurllib.set_evasion_plugins([self_reference(), ])
url = URL('http://moth/')
http_response = xurllib.GET(url)
self.assertEqual(http_response.get_url().url_string,
u'http://moth/./')
def test_verify_vulnerability_ssl(self):
uri = URL(self.SSL_SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
def test_send_mangled(self):
xurllib = ExtendedUrllib()
xurllib.set_evasion_plugins([
self_reference(),
])
url = URL('http://moth/')
http_response = xurllib.GET(url)
self.assertEqual(http_response.get_url().url_string, u'http://moth/./')
class TestXUrllibIntegration(unittest.TestCase):
MOTH_MESSAGE = 'Welcome to the moth homepage!'
def setUp(self):
self.uri_opener = ExtendedUrllib()
def test_ntlm_auth_not_configured(self):
self.uri_opener = ExtendedUrllib()
url = URL("http://moth/w3af/core/ntlm_auth/ntlm_v1/")
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn('Must authenticate.', http_response.body)
def test_ntlm_auth_valid_creds(self):
self.uri_opener = ExtendedUrllib()
settings = OpenerSettings()
options = settings.get_options()
ntlm_domain = options['ntlm_auth_domain']
ntlm_user = options['ntlm_auth_user']
ntlm_pass = options['ntlm_auth_passwd']
ntlm_url = options['ntlm_auth_url']
ntlm_domain.set_value('moth')
ntlm_user.set_value('admin')
ntlm_pass.set_value('admin')
ntlm_url.set_value('http://moth/w3af/core/ntlm_auth/ntlm_v1/')
settings.set_options(options)
self.uri_opener.settings = settings
url = URL("http://moth/w3af/core/ntlm_auth/ntlm_v1/")
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn('You are admin from MOTH/', http_response.body)
def test_gzip(self):
url = URL('http://moth/')
res = self.uri_opener.GET(url, cache=False)
headers = res.get_headers()
content_encoding, _ = headers.iget('content-encoding', '')
test_res = 'gzip' in content_encoding or \
'compress' in content_encoding
self.assertTrue(test_res, content_encoding)
def test_get_cookies(self):
self.assertEqual(len([c for c in self.uri_opener.get_cookies()]), 0)
url_sends_cookie = URL(
'http://moth/w3af/core/cookie_handler/set-cookie.php')
self.uri_opener.GET(url_sends_cookie, cache=False)
self.assertEqual(len([c for c in self.uri_opener.get_cookies()]), 1)
cookie = [c for c in self.uri_opener.get_cookies()][0]
self.assertEqual('moth.local', cookie.domain)
def __init__(self, ip, port, urlOpener=ExtendedUrllib(),
proxy_cert='core/controllers/daemons/mitm.crt'):
'''
:param ip: IP address to bind
:param port: Port to bind
:param urlOpener: The urlOpener that will be used to open the requests
that arrive from the browser
:param proxyHandler: A class that will know how to handle requests
from the browser
:param proxy_cert: Proxy certificate to use, this is needed for
proxying SSL connections.
'''
Proxy.__init__(self, ip, port, urlOpener, w3afLocalProxyHandler,
proxy_cert)
self.daemon = True
self.name = 'LocalProxyThread'
# Internal vars
self._request_queue = Queue.Queue()
self._edited_requests = {}
self._edited_responses = {}
# User configured parameters
self._methods_to_trap = set()
self._what_to_trap = re.compile('.*')
self._what_not_to_trap = re.compile('.*\.(gif|jpg|png|css|js|ico|swf|axd|tif)$')
self._trap = False
self._fix_content_length = True
def setUp(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
def test_raise_on_domain_not_in_archive(self):
url = URL('http://www.w3af-scanner.org/')
fr = FuzzableRequest(url, method='GET')
ado = archive_dot_org()
uri_opener = ExtendedUrllib()
ado.set_url_opener(uri_opener)
self.assertRaises(w3afRunOnce, ado.crawl_wrapper, fr)
def test_verify_vulnerability_ssl(self):
uri = URL(self.SSL_SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
class TestExtendedUrllibProxy(unittest.TestCase):
MOTH_MESSAGE = 'Welcome to the moth homepage!'
def setUp(self):
self.uri_opener = ExtendedUrllib()
# Start the proxy daemon
self._proxy = Proxy('127.0.0.1', 0, ExtendedUrllib(), w3afProxyHandler)
self._proxy.start()
self._proxy.wait_for_start()
port = self._proxy.get_port()
# Configure the proxy
settings = OpenerSettings()
options = settings.get_options()
proxy_address_opt = options['proxy_address']
proxy_port_opt = options['proxy_port']
proxy_address_opt.set_value('127.0.0.1')
proxy_port_opt.set_value(port)
settings.set_options(options)
self.uri_opener.settings = settings
def tearDown(self):
self.uri_opener.end()
def test_http_default_port_via_proxy(self):
url = URL('http://moth/')
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn(self.MOTH_MESSAGE, http_response.body)
def test_http_port_specification_via_proxy(self):
url = URL('http://moth:80/')
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn(self.MOTH_MESSAGE, http_response.body)
def test_https_via_proxy(self):
TODO = 'Skip this test because of a strange bug with the extended'\
' url library and w3af\'s local proxy daemon. More info here:'\
' https://github.com/andresriancho/w3af/issues/183'
raise SkipTest(TODO)
url = URL('https://moth/')
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn(self.MOTH_MESSAGE, http_response.body)
def test_offline_port_via_proxy(self):
url = URL('http://127.0.0.1:8181/')
http_response = self.uri_opener.GET(url, cache=False)
self.assertEqual(http_response.get_code(), 400)
def test_POST_via_proxy(self):
url = URL('http://moth/w3af/core/echo/post.php')
http_response = self.uri_opener.POST(url, data='abc=123', cache=False)
self.assertIn('[abc] => 123', http_response.body)
def setUp(self):
self.uri_opener = ExtendedUrllib()
# Start the proxy daemon
self._proxy = Proxy('127.0.0.1', 0, ExtendedUrllib(), w3afProxyHandler)
self._proxy.start()
self._proxy.wait_for_start()
port = self._proxy.get_port()
# Configure the proxy
settings = OpenerSettings()
options = settings.get_options()
proxy_address_opt = options['proxy_address']
proxy_port_opt = options['proxy_port']
proxy_address_opt.set_value('127.0.0.1')
proxy_port_opt.set_value(port)
settings.set_options(options)
self.uri_opener.settings = settings
class TestXUrllibIntegration(unittest.TestCase):
MOTH_MESSAGE = 'Welcome to the moth homepage!'
def setUp(self):
self.uri_opener = ExtendedUrllib()
def test_ntlm_auth_not_configured(self):
self.uri_opener = ExtendedUrllib()
url = URL("http://moth/w3af/core/ntlm_auth/ntlm_v1/")
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn('Must authenticate.', http_response.body)
def test_ntlm_auth_valid_creds(self):
self.uri_opener = ExtendedUrllib()
settings = OpenerSettings()
options = settings.get_options()
ntlm_domain = options['ntlm_auth_domain']
ntlm_user = options['ntlm_auth_user']
ntlm_pass = options['ntlm_auth_passwd']
ntlm_url = options['ntlm_auth_url']
ntlm_domain.set_value('moth')
ntlm_user.set_value('admin')
ntlm_pass.set_value('admin')
ntlm_url.set_value('http://moth/w3af/core/ntlm_auth/ntlm_v1/')
settings.set_options(options)
self.uri_opener.settings = settings
url = URL("http://moth/w3af/core/ntlm_auth/ntlm_v1/")
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn('You are admin from MOTH/', http_response.body)
def test_gzip(self):
url = URL('http://moth/')
res = self.uri_opener.GET(url, cache=False)
headers = res.get_headers()
content_encoding, _ = headers.iget('content-encoding', '')
test_res = 'gzip' in content_encoding or \
'compress' in content_encoding
self.assertTrue(test_res, content_encoding)
def test_get_cookies(self):
self.assertEqual(len([c for c in self.uri_opener.get_cookies()]), 0)
url_sends_cookie = URL(
'http://moth/w3af/core/cookie_handler/set-cookie.php')
self.uri_opener.GET(url_sends_cookie, cache=False)
self.assertEqual(len([c for c in self.uri_opener.get_cookies()]), 1)
cookie = [c for c in self.uri_opener.get_cookies()][0]
self.assertEqual('moth.local', cookie.domain)
def test_ntlm_auth_valid_creds(self):
self.uri_opener = ExtendedUrllib()
settings = OpenerSettings()
options = settings.get_options()
ntlm_domain = options['ntlm_auth_domain']
ntlm_user = options['ntlm_auth_user']
ntlm_pass = options['ntlm_auth_passwd']
ntlm_url = options['ntlm_auth_url']
ntlm_domain.set_value('moth')
ntlm_user.set_value('admin')
ntlm_pass.set_value('admin')
ntlm_url.set_value('http://moth/w3af/core/ntlm_auth/ntlm_v1/')
settings.set_options(options)
self.uri_opener.settings = settings
url = URL("http://moth/w3af/core/ntlm_auth/ntlm_v1/")
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn('You are admin from MOTH/', http_response.body)
def test_demo_testfire_net(self):
# We don't control the demo.testfire.net domain, so we'll check if its
# up before doing anything else
uri_opener = ExtendedUrllib()
login_url = URL(self.demo_testfire + 'login.aspx')
try:
res = uri_opener.GET(login_url)
except:
raise SkipTest('demo.testfire.net is unreachable!')
else:
if not 'Online Banking Login' in res.body:
raise SkipTest('demo.testfire.net has changed!')
self._scan(self.demo_testfire_net['target'],
self.demo_testfire_net['plugins'])
urls = self.kb.get_all_known_urls()
url_strings = set(str(u) for u in urls)
self.assertTrue(self.demo_testfire + 'queryxpath.aspx' in url_strings)
self.assertTrue(self.demo_testfire +
'queryxpath.aspx.cs' in url_strings)
def test_pickleable_shells(self):
pool = Pool(1)
xurllib = ExtendedUrllib()
original_shell = Shell(MockVuln(), xurllib, pool)
kb.append('a', 'b', original_shell)
unpickled_shell = kb.get('a', 'b')[0]
self.assertEqual(original_shell, unpickled_shell)
self.assertEqual(unpickled_shell.worker_pool, None)
self.assertEqual(unpickled_shell._uri_opener, None)
pool.terminate()
pool.join()
def test_xurllib(self):
uri_opener = ExtendedUrllib()
uri_opener.GET(self.URL_SENDS_COOKIE)
resp = uri_opener.GET(self.URL_CHECK_COOKIE, cookies=True)
self.assertTrue('Cookie was sent.' in resp)
resp = uri_opener.GET(self.URL_CHECK_COOKIE, cookies=False)
self.assertTrue('Cookie was NOT sent.' in resp)
resp = uri_opener.GET(self.URL_CHECK_COOKIE, cookies=True)
self.assertTrue('Cookie was sent.' in resp)
def setUp(self):
self.uri_opener = ExtendedUrllib()
# Start the proxy daemon
self._proxy = Proxy('127.0.0.1', 0, ExtendedUrllib(), w3afProxyHandler)
self._proxy.start()
self._proxy.wait_for_start()
port = self._proxy.get_port()
# Configure the proxy
settings = OpenerSettings()
options = settings.get_options()
proxy_address_opt = options['proxy_address']
proxy_port_opt = options['proxy_port']
proxy_address_opt.set_value('127.0.0.1')
proxy_port_opt.set_value(port)
settings.set_options(options)
self.uri_opener.settings = settings
def test_ntlm_auth_valid_creds(self):
self.uri_opener = ExtendedUrllib()
settings = OpenerSettings()
options = settings.get_options()
ntlm_domain = options['ntlm_auth_domain']
ntlm_user = options['ntlm_auth_user']
ntlm_pass = options['ntlm_auth_passwd']
ntlm_url = options['ntlm_auth_url']
ntlm_domain.set_value('moth')
ntlm_user.set_value('admin')
ntlm_pass.set_value('admin')
ntlm_url.set_value('http://moth/w3af/core/ntlm_auth/ntlm_v1/')
settings.set_options(options)
self.uri_opener.settings = settings
url = URL("http://moth/w3af/core/ntlm_auth/ntlm_v1/")
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn('You are admin from MOTH/', http_response.body)
def setUp(self):
self.uri_opener = ExtendedUrllib()
class TestXUrllib(unittest.TestCase):
MOTH_MESSAGE = 'Welcome to the moth homepage!'
def setUp(self):
self.uri_opener = ExtendedUrllib()
def tearDown(self):
self.uri_opener.end()
def test_basic(self):
url = URL('http://moth/')
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn(self.MOTH_MESSAGE, http_response.body)
self.assertGreaterEqual(http_response.id, 1)
self.assertNotEqual(http_response.id, None)
def test_cache(self):
url = URL('http://moth/')
http_response = self.uri_opener.GET(url)
self.assertTrue(self.MOTH_MESSAGE in http_response.body)
url = URL('http://moth/')
http_response = self.uri_opener.GET(url)
self.assertTrue(self.MOTH_MESSAGE in http_response.body)
def test_qs_params(self):
url = URL('http://moth/w3af/audit/local_file_read/local_file_read.php?file=section.txt')
http_response = self.uri_opener.GET(url, cache=False)
self.assertTrue('Showing the section content.' in http_response.body,
http_response.body)
url = URL('http://moth/w3af/audit/local_file_read/local_file_read.php?file=/etc/passwd')
http_response = self.uri_opener.GET(url, cache=False)
self.assertTrue(
'root:x:0:0:' in http_response.body, http_response.body)
def test_POST(self):
url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
data = DataContainer([('empresa', 'abc'), ('firstname', 'def')])
http_response = self.uri_opener.POST(url, data, cache=False)
self.assertTrue('def' in http_response.body, http_response.body)
def test_POST_special_chars(self):
url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
test_data = u'abc<def>"-á-'
data = DataContainer([('empresa', test_data), ('firstname', 'def')])
http_response = self.uri_opener.POST(url, data, cache=False)
self.assertIn(test_data, http_response.body)
def test_unknown_url(self):
url = URL('http://longsitethatdoesnotexistfoo.com/')
self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)
def test_url_port_closed(self):
# TODO: Change 2312 by an always closed/non-http port
url = URL('http://127.0.0.1:2312/')
self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)
def test_url_port_not_http(self):
upper_daemon = UpperDaemon(EmptyTCPHandler)
upper_daemon.start()
upper_daemon.wait_for_start()
port = upper_daemon.get_port()
url = URL('http://127.0.0.1:%s/' % port)
self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)
def test_url_port_not_http_many(self):
upper_daemon = UpperDaemon(EmptyTCPHandler)
upper_daemon.start()
upper_daemon.wait_for_start()
port = upper_daemon.get_port()
url = URL('http://127.0.0.1:%s/' % port)
for _ in xrange(MAX_ERROR_COUNT):
try:
self.uri_opener.GET(url)
except w3afMustStopByUnknownReasonExc:
self.assertTrue(False, 'Not expecting this exception type.')
except w3afMustStopOnUrlError:
self.assertTrue(True)
except w3afMustStopException:
self.assertTrue(True)
break
else:
self.assertTrue(False)
def test_timeout(self):
upper_daemon = UpperDaemon(TimeoutTCPHandler)
upper_daemon.start()
upper_daemon.wait_for_start()
port = upper_daemon.get_port()
url = URL('http://127.0.0.1:%s/' % port)
self.uri_opener.settings.set_timeout(1)
self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)
self.uri_opener.settings.set_default_values()
def test_timeout_many(self):
upper_daemon = UpperDaemon(TimeoutTCPHandler)
upper_daemon.start()
upper_daemon.wait_for_start()
port = upper_daemon.get_port()
self.uri_opener.settings.set_timeout(1)
url = URL('http://127.0.0.1:%s/' % port)
for _ in xrange(MAX_ERROR_COUNT):
try:
self.uri_opener.GET(url)
except w3afMustStopByUnknownReasonExc:
self.assertTrue(False, 'Not expecting this exception type.')
except w3afMustStopOnUrlError:
self.assertTrue(True)
except w3afMustStopException, e:
self.assertTrue(True)
break
else:
class TestSQLMapWrapper(unittest.TestCase):
SQLI_GET = 'http://moth/w3af/audit/sql_injection/select/'\
'sql_injection_string.php?name=andres'
SSL_SQLI_GET = 'http://moth/w3af/audit/sql_injection/select/'\
'sql_injection_string.php?name=andres'
SQLI_POST = 'http://moth/w3af/audit/sql_injection/select/'\
'sql_injection_string.php'
DATA_POST = 'name=andres'
def setUp(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
def tearDown(self):
self.uri_opener.end()
self.sqlmap.cleanup()
@classmethod
def setUpClass(cls):
output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output')
if os.path.exists(output_dir):
shutil.rmtree(output_dir)
@classmethod
def tearDownClass(cls):
# Doing this in both setupclass and teardownclass in order to be sure
# that a ctrl+c doesn't break it
output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output')
if os.path.exists(output_dir):
shutil.rmtree(output_dir)
def test_verify_vulnerability(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
def test_verify_vulnerability_ssl(self):
uri = URL(self.SSL_SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
def test_verify_vulnerability_false(self):
not_vuln = 'http://moth/w3af/audit/sql_injection/select/'\
'sql_injection_string.php?fake=invalid'
uri = URL(not_vuln)
target = Target(uri)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertFalse(vulnerable)
def test_verify_vulnerability_POST(self):
target = Target(URL(self.SQLI_POST), self.DATA_POST)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
def test_wrapper_invalid_url(self):
self.assertRaises(TypeError, SQLMapWrapper, self.SQLI_GET, self.uri_opener)
def test_stds(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
prms = ['--batch',]
cmd, process = self.sqlmap.run_sqlmap_with_pipes(prms)
self.assertIsInstance(process.stdout, file)
self.assertIsInstance(process.stderr, file)
self.assertIsInstance(process.stdin, file)
self.assertIsInstance(cmd, basestring)
self.assertIn('sqlmap.py', cmd)
def test_target_basic(self):
target = Target(URL(self.SQLI_GET))
params = target.to_params()
self.assertEqual(params, ["--url=%s" % self.SQLI_GET])
def test_target_post_data(self):
target = Target(URL(self.SQLI_GET), self.DATA_POST)
params = target.to_params()
self.assertEqual(params, ["--url=%s" % self.SQLI_GET,
"--data=%s" % self.DATA_POST])
def test_no_coloring(self):
params = self.sqlmap.get_wrapper_params()
self.assertIn('--disable-coloring', params)
def test_always_batch(self):
params = self.sqlmap.get_wrapper_params()
self.assertIn('--batch', params)
def test_use_proxy(self):
params = self.sqlmap.get_wrapper_params()
self.assertTrue(any(i.startswith('--proxy=http://127.0.0.1:') for i in params))
def test_enable_coloring(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
sqlmap = SQLMapWrapper(target, self.uri_opener, coloring=True)
params = sqlmap.get_wrapper_params()
self.assertNotIn('--disable-coloring', params)
def test_dbs(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.dbs()
output = process.stdout.read()
self.assertIn('fetching database names', output)
self.assertIn('available databases', output)
self.assertIn('information_schema', output)
def test_tables(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.tables()
output = process.stdout.read()
self.assertIn('fetching tables for databases:', output)
self.assertIn('Database: information_schema', output)
self.assertIn('COLUMN_PRIVILEGES', output)
def test_users(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.users()
output = process.stdout.read()
self.assertIn('debian-sys-maint', output)
self.assertIn('localhost', output)
self.assertIn('root', output)
def test_dump(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.dump()
output = process.stdout.read()
self.assertIn('email', output)
self.assertIn('phone', output)
self.assertIn('address', output)
self.assertIn('47789900', output)
def test_sqlmap(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.direct('--dump -D w3af_test -T users')
output = process.stdout.read()
self.assertIn('email', output)
self.assertIn('phone', output)
self.assertIn('address', output)
self.assertIn('47789900', output)
self.assertNotIn('information_schema', output)
self.assertNotIn('COLUMN_PRIVILEGES', output)
def setUp(self):
self.uri_opener = ExtendedUrllib()
class TestXUrllib(unittest.TestCase):
MOTH_MESSAGE = 'Welcome to the moth homepage!'
def setUp(self):
self.uri_opener = ExtendedUrllib()
def tearDown(self):
self.uri_opener.end()
def test_basic(self):
url = URL('http://moth/')
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn(self.MOTH_MESSAGE, http_response.body)
self.assertGreaterEqual(http_response.id, 1)
self.assertNotEqual(http_response.id, None)
def test_cache(self):
url = URL('http://moth/')
http_response = self.uri_opener.GET(url)
self.assertTrue(self.MOTH_MESSAGE in http_response.body)
url = URL('http://moth/')
http_response = self.uri_opener.GET(url)
self.assertTrue(self.MOTH_MESSAGE in http_response.body)
def test_qs_params(self):
url = URL('http://moth/w3af/audit/local_file_read/local_file_read.php?file=section.txt')
http_response = self.uri_opener.GET(url, cache=False)
self.assertTrue('Showing the section content.' in http_response.body,
http_response.body)
url = URL('http://moth/w3af/audit/local_file_read/local_file_read.php?file=/etc/passwd')
http_response = self.uri_opener.GET(url, cache=False)
self.assertTrue(
'root:x:0:0:' in http_response.body, http_response.body)
def test_POST(self):
url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
data = DataContainer([('empresa', 'abc'), ('firstname', 'def')])
http_response = self.uri_opener.POST(url, data, cache=False)
self.assertTrue('def' in http_response.body, http_response.body)
def test_POST_special_chars(self):
url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
test_data = u'abc<def>"-á-'
data = DataContainer([('empresa', test_data), ('firstname', 'def')])
http_response = self.uri_opener.POST(url, data, cache=False)
self.assertIn(test_data, http_response.body)
def test_unknown_url(self):
url = URL('http://longsitethatdoesnotexistfoo.com/')
self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)
def test_stop(self):
self.uri_opener.stop()
url = URL('http://moth/')
self.assertRaises(w3afMustStopByUserRequest, self.uri_opener.GET, url)
def test_pause_stop(self):
self.uri_opener.pause(True)
self.uri_opener.stop()
url = URL('http://moth/')
self.assertRaises(w3afMustStopByUserRequest, self.uri_opener.GET, url)
def test_pause(self):
output = Queue.Queue()
self.uri_opener.pause(True)
def send(uri_opener, output):
url = URL('http://moth/')
http_response = uri_opener.GET(url)
output.put(http_response)
th = Process(target=send, args=(self.uri_opener, output))
th.daemon = True
th.start()
self.assertRaises(Queue.Empty, output.get, True, 2)
def test_pause_unpause(self):
output = Queue.Queue()
self.uri_opener.pause(True)
def send(uri_opener, output):
url = URL('http://moth/')
http_response = uri_opener.GET(url)
output.put(http_response)
th = Process(target=send, args=(self.uri_opener, output))
th.daemon = True
th.start()
self.assertRaises(Queue.Empty, output.get, True, 2)
self.uri_opener.pause(False)
http_response = output.get()
th.join()
self.assertEqual(http_response.get_code(), 200)
self.assertIn(self.MOTH_MESSAGE, http_response.body)
def test_removes_cache(self):
url = URL('http://moth/')
self.uri_opener.GET(url, cache=False)
# Please note that this line, together with the tearDown() act as
# a test for a "double call to end()".
self.uri_opener.end()
db_fmt = 'db_unittest-%s'
trace_fmt = 'db_unittest-%s_traces/'
temp_dir = get_temp_dir()
for i in xrange(100):
test_db_path = os.path.join(temp_dir, db_fmt % i)
test_trace_path = os.path.join(temp_dir, trace_fmt % i)
self.assertFalse(os.path.exists(test_db_path), test_db_path)
self.assertFalse(os.path.exists(test_trace_path), test_trace_path)
def test_special_char_header(self):
url = URL('http://moth/w3af/core/header_fuzzing/cookie_echo.php')
header_content = u'á'
headers = Headers([('foo', header_content)])
http_response = self.uri_opener.GET(url, cache=False, headers=headers)
self.assertEqual(header_content, http_response.body)
def setUp(self):
create_temp_dir()
self.pks_se = pks(ExtendedUrllib())
def test_ntlm_auth_not_configured(self):
self.uri_opener = ExtendedUrllib()
url = URL("http://moth/w3af/core/ntlm_auth/ntlm_v1/")
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn('Must authenticate.', http_response.body)
def setUp(self):
self.query, self.limit = random.choice([('big bang theory', 20),
('two and half man', 20),
('doctor house', 20)])
opener = ExtendedUrllib()
self.gse = google(opener)
class TestSQLMapWrapper(unittest.TestCase):
SQLI_GET = 'http://moth/w3af/audit/sql_injection/select/'\
'sql_injection_string.php?name=andres'
SSL_SQLI_GET = 'http://moth/w3af/audit/sql_injection/select/'\
'sql_injection_string.php?name=andres'
SQLI_POST = 'http://moth/w3af/audit/sql_injection/select/'\
'sql_injection_string.php'
DATA_POST = 'name=andres'
def setUp(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
def tearDown(self):
self.uri_opener.end()
self.sqlmap.cleanup()
@classmethod
def setUpClass(cls):
output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output')
if os.path.exists(output_dir):
shutil.rmtree(output_dir)
@classmethod
def tearDownClass(cls):
# Doing this in both setupclass and teardownclass in order to be sure
# that a ctrl+c doesn't break it
output_dir = os.path.join(SQLMapWrapper.SQLMAP_LOCATION, 'output')
if os.path.exists(output_dir):
shutil.rmtree(output_dir)
def test_verify_vulnerability(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
def test_verify_vulnerability_ssl(self):
uri = URL(self.SSL_SQLI_GET)
target = Target(uri)
self.uri_opener = ExtendedUrllib()
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
def test_verify_vulnerability_false(self):
not_vuln = 'http://moth/w3af/audit/sql_injection/select/'\
'sql_injection_string.php?fake=invalid'
uri = URL(not_vuln)
target = Target(uri)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertFalse(vulnerable)
def test_verify_vulnerability_POST(self):
target = Target(URL(self.SQLI_POST), self.DATA_POST)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
def test_wrapper_invalid_url(self):
self.assertRaises(TypeError, SQLMapWrapper, self.SQLI_GET,
self.uri_opener)
def test_stds(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
self.sqlmap = SQLMapWrapper(target, self.uri_opener)
prms = [
'--batch',
]
cmd, process = self.sqlmap.run_sqlmap_with_pipes(prms)
self.assertIsInstance(process.stdout, file)
self.assertIsInstance(process.stderr, file)
self.assertIsInstance(process.stdin, file)
self.assertIsInstance(cmd, basestring)
self.assertIn('sqlmap.py', cmd)
def test_target_basic(self):
target = Target(URL(self.SQLI_GET))
params = target.to_params()
self.assertEqual(params, ["--url=%s" % self.SQLI_GET])
def test_target_post_data(self):
target = Target(URL(self.SQLI_GET), self.DATA_POST)
params = target.to_params()
self.assertEqual(
params, ["--url=%s" % self.SQLI_GET,
"--data=%s" % self.DATA_POST])
def test_no_coloring(self):
params = self.sqlmap.get_wrapper_params()
self.assertIn('--disable-coloring', params)
def test_always_batch(self):
params = self.sqlmap.get_wrapper_params()
self.assertIn('--batch', params)
def test_use_proxy(self):
params = self.sqlmap.get_wrapper_params()
self.assertTrue(
any(i.startswith('--proxy=http://127.0.0.1:') for i in params))
def test_enable_coloring(self):
uri = URL(self.SQLI_GET)
target = Target(uri)
sqlmap = SQLMapWrapper(target, self.uri_opener, coloring=True)
params = sqlmap.get_wrapper_params()
self.assertNotIn('--disable-coloring', params)
def test_dbs(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.dbs()
output = process.stdout.read()
self.assertIn('fetching database names', output)
self.assertIn('available databases', output)
self.assertIn('information_schema', output)
def test_tables(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.tables()
output = process.stdout.read()
self.assertIn('fetching tables for databases:', output)
self.assertIn('Database: information_schema', output)
self.assertIn('COLUMN_PRIVILEGES', output)
def test_users(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.users()
output = process.stdout.read()
self.assertIn('debian-sys-maint', output)
self.assertIn('localhost', output)
self.assertIn('root', output)
def test_dump(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.dump()
output = process.stdout.read()
self.assertIn('email', output)
self.assertIn('phone', output)
self.assertIn('address', output)
self.assertIn('47789900', output)
def test_sqlmap(self):
vulnerable = self.sqlmap.is_vulnerable()
self.assertTrue(vulnerable)
cmd, process = self.sqlmap.direct('--dump -D w3af_test -T users')
output = process.stdout.read()
self.assertIn('email', output)
self.assertIn('phone', output)
self.assertIn('address', output)
self.assertIn('47789900', output)
self.assertNotIn('information_schema', output)
self.assertNotIn('COLUMN_PRIVILEGES', output)
def setUp(self):
super(TestCSRF, self).setUp()
self.csrf_plugin = csrf()
self.uri_opener = ExtendedUrllib()
self.csrf_plugin.set_url_opener(self.uri_opener)
class TestCSRF(PluginTest):
target_url = 'http://moth/w3af/audit/csrf/'
_run_configs = {
'cfg': {
'target': target_url,
'plugins': {
'audit': (PluginConfig('csrf'),),
'crawl': (
PluginConfig(
'web_spider',
('only_forward', True, PluginConfig.BOOL)),
)
}
}
}
def setUp(self):
super(TestCSRF, self).setUp()
self.csrf_plugin = csrf()
self.uri_opener = ExtendedUrllib()
self.csrf_plugin.set_url_opener(self.uri_opener)
def test_found_csrf(self):
EXPECTED = [
('/w3af/audit/csrf/vulnerable/buy.php'),
('/w3af/audit/csrf/vulnerable-rnd/buy.php'),
#@see: https://github.com/andresriancho/w3af/issues/120
#('/w3af/audit/csrf/vulnerable-token-ignored/buy.php'),
('/w3af/audit/csrf/link-vote/vote.php')
]
# Run the scan
cfg = self._run_configs['cfg']
self._scan(cfg['target'], cfg['plugins'])
# Assert the general results
vulns = self.kb.get('csrf', 'csrf')
self.assertEquals(set(EXPECTED),
set([v.get_url().get_path() for v in vulns]))
self.assertTrue(
all(['CSRF vulnerability' == v.get_name() for v in vulns]))
def test_resp_is_equal(self):
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
r1 = HTTPResponse(200, 'body', headers, url, url)
r2 = HTTPResponse(404, 'body', headers, url, url)
self.assertFalse(self.csrf_plugin._is_resp_equal(r1, r2))
r1 = HTTPResponse(200, 'a', headers, url, url)
r2 = HTTPResponse(200, 'b', headers, url, url)
self.assertFalse(self.csrf_plugin._is_resp_equal(r1, r2))
r1 = HTTPResponse(200, 'a', headers, url, url)
r2 = HTTPResponse(200, 'a', headers, url, url)
self.assertTrue(self.csrf_plugin._is_resp_equal(r1, r2))
def test_is_suitable(self):
# False because no cookie is set and no QS nor post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# False because no cookie is set
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
url_sends_cookie = URL(
'http://moth/w3af/core/cookie_handler/set-cookie.php')
self.uri_opener.GET(url_sends_cookie)
# Still false because it doesn't have any QS or POST data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
self.csrf_plugin._strict_mode = True
# Still false because of the strict mode
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# False, no items in dc
url = URL('http://moth/')
req = FuzzableRequest(url, method='POST', dc=Form())
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# True, items in DC, POST (passes strict mode) and cookies
url = URL('http://moth/')
form = Form()
form.add_input([('name', 'test'), ('type', 'text')])
req = FuzzableRequest(url, method='POST', dc=form)
suitable = self.csrf_plugin._is_suitable(req)
self.assertTrue(suitable)
self.csrf_plugin._strict_mode = False
# True now that we have strict mode off, cookies and QS
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertTrue(suitable)
def test_is_origin_checked_true_case01(self):
url = URL('http://moth/w3af/audit/csrf/referer/buy.php?shares=123')
headers = Headers([('Referer', 'http://moth/w3af/audit/csrf/referer/')])
freq = FuzzableRequest(url, method='GET', headers=headers)
orig_response = self.uri_opener.send_mutant(freq)
origin_checked = self.csrf_plugin._is_origin_checked(freq, orig_response)
self.assertTrue(origin_checked)
def test_is_origin_checked_true_case02(self):
url = URL('http://moth/w3af/audit/csrf/referer-rnd/buy.php?shares=123')
headers = Headers([('Referer', 'http://moth/w3af/audit/csrf/referer-rnd/')])
freq = FuzzableRequest(url, method='GET', headers=headers)
orig_response = self.uri_opener.send_mutant(freq)
origin_checked = self.csrf_plugin._is_origin_checked(freq, orig_response)
self.assertTrue(origin_checked)
def test_is_origin_checked_false(self):
url = URL('http://moth/w3af/audit/csrf/vulnerable/buy.php?shares=123')
headers = Headers([('Referer', 'http://moth/w3af/audit/csrf/referer-rnd/')])
freq = FuzzableRequest(url, method='GET', headers=headers)
orig_response = self.uri_opener.send_mutant(freq)
origin_checked = self.csrf_plugin._is_origin_checked(freq, orig_response)
self.assertFalse(origin_checked)
def test_is_csrf_token_true_case01(self):
self.csrf_plugin.is_csrf_token('token', 'f842eb01b87a8ee18868d3bf80a558f3')
def test_is_csrf_token_true_case02(self):
self.csrf_plugin.is_csrf_token('secret', 'f842eb01b87a8ee18868d3bf80a558f3')
def test_is_csrf_token_true_case03(self):
self.csrf_plugin.is_csrf_token('csrf', 'f842eb01b87a8ee18868d3bf80a558f3')
def test_is_csrf_token_false_case01(self):
self.csrf_plugin.is_csrf_token('token', '')
def test_is_csrf_token_false_case02(self):
self.csrf_plugin.is_csrf_token('secret', 'helloworld')
def test_is_csrf_token_false_case03(self):
self.csrf_plugin.is_csrf_token('secret', 'helloworld123')
def test_is_csrf_token_false_case04(self):
self.csrf_plugin.is_csrf_token('secret', 'hello world 123')
def test_is_csrf_token_false_case05(self):
lorem = ('Lorem ipsum dolor sit amet, consectetur adipiscing elit.'
' Curabitur at eros elit, rhoncus feugiat libero. Praesent'
' lobortis ultricies est gravida tempor. Sed tortor mi,'
' euismod at interdum quis, hendrerit vitae risus. Sed'
' iaculis, ante sagittis ullamcorper molestie, metus nibh'
' posuere purus, non tempor massa leo at odio. Duis quis'
' elit enim. Morbi lobortis est sed metus adipiscing in'
' lacinia est porttitor. Suspendisse potenti. Morbi pretium'
' lacinia magna, sit amet tincidunt enim vestibulum sed.')
self.csrf_plugin.is_csrf_token('secret', lorem)
def test_is_csrf_token_false_case06(self):
self.csrf_plugin.is_csrf_token('token', 'f842e')
def test_find_csrf_token_true_simple(self):
url = URL('http://moth/w3af/audit/csrf/')
query_string = parse_qs('secret=f842eb01b87a8ee18868d3bf80a558f3')
freq = FuzzableRequest(url, method='GET', dc=query_string)
token = self.csrf_plugin._find_csrf_token(freq)
self.assertIn('secret', token)
def test_find_csrf_token_true_repeated(self):
url = URL('http://moth/w3af/audit/csrf/')
query_string = parse_qs('secret=f842eb01b87a8ee18868d3bf80a558f3'
'&secret=not a token')
freq = FuzzableRequest(url, method='GET', dc=query_string)
token = self.csrf_plugin._find_csrf_token(freq)
self.assertIn('secret', token)
def test_find_csrf_token_false(self):
url = URL('http://moth/w3af/audit/csrf/')
query_string = parse_qs('secret=not a token')
freq = FuzzableRequest(url, method='GET', dc=query_string)
token = self.csrf_plugin._find_csrf_token(freq)
self.assertNotIn('secret', token)
def test_is_token_checked_true(self):
generator = URL('http://moth/w3af/audit/csrf/secure-replay-allowed/')
http_response = self.uri_opener.GET(generator)
# Please note that this freq holds a fresh/valid CSRF token
freq_lst = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(freq_lst), 1)
freq = freq_lst[0]
# FIXME:
# And I use this token here to get the original response, and if the
# application is properly developed, that token will be invalidated
# and that's where this algorithm fails.
original_response = self.uri_opener.send_mutant(freq)
token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
checked = self.csrf_plugin._is_token_checked(freq, token, original_response)
self.assertTrue(checked)
def test_is_token_checked_false(self):
'''
This covers the case where there is a token but for some reason it
is NOT verified by the web application.
'''
generator = URL('http://moth/w3af/audit/csrf/vulnerable-token-ignored/')
http_response = self.uri_opener.GET(generator)
# Please note that this freq holds a fresh/valid CSRF token
freq_lst = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(freq_lst), 1)
freq = freq_lst[0]
# FIXME:
# And I use this token here to get the original response, and if the
# application is properly developed, that token will be invalidated
# and that's where this algorithm fails.
original_response = self.uri_opener.send_mutant(freq)
token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
checked = self.csrf_plugin._is_token_checked(freq, token, original_response)
self.assertFalse(checked)
if id(orig_fuzzable_req) in self._edited_responses:
res = self._edited_responses[id(orig_fuzzable_req)]
del self._edited_responses[id(orig_fuzzable_req)]
# Now we return it...
if isinstance(res, Exception):
raise res
else:
return res
# I looped and got nothing!
raise w3afException(
'Timed out waiting for response from remote server.')
if __name__ == '__main__':
lp = LocalProxy('127.0.0.1', 8080, ExtendedUrllib())
lp.start()
for i in xrange(10):
time.sleep(1)
tr = lp.get_trapped_request()
if tr:
print tr
print lp.send_raw_request(tr, tr.dump_request_head(),
tr.get_data())
else:
print 'Waiting...'
print 'Exit!'
lp.stop()
print 'bye bye...'
class TestXUrllib(unittest.TestCase):
MOTH_MESSAGE = 'Welcome to the moth homepage!'
def setUp(self):
self.uri_opener = ExtendedUrllib()
def tearDown(self):
self.uri_opener.end()
def test_basic(self):
url = URL('http://moth/')
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn(self.MOTH_MESSAGE, http_response.body)
self.assertGreaterEqual(http_response.id, 1)
self.assertNotEqual(http_response.id, None)
def test_cache(self):
url = URL('http://moth/')
http_response = self.uri_opener.GET(url)
self.assertTrue(self.MOTH_MESSAGE in http_response.body)
url = URL('http://moth/')
http_response = self.uri_opener.GET(url)
self.assertTrue(self.MOTH_MESSAGE in http_response.body)
def test_qs_params(self):
url = URL(
'http://moth/w3af/audit/local_file_read/local_file_read.php?file=section.txt'
)
http_response = self.uri_opener.GET(url, cache=False)
self.assertTrue('Showing the section content.' in http_response.body,
http_response.body)
url = URL(
'http://moth/w3af/audit/local_file_read/local_file_read.php?file=/etc/passwd'
)
http_response = self.uri_opener.GET(url, cache=False)
self.assertTrue('root:x:0:0:' in http_response.body,
http_response.body)
def test_POST(self):
url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
data = DataContainer([('empresa', 'abc'), ('firstname', 'def')])
http_response = self.uri_opener.POST(url, data, cache=False)
self.assertTrue('def' in http_response.body, http_response.body)
def test_POST_special_chars(self):
url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
test_data = u'abc<def>"-á-'
data = DataContainer([('empresa', test_data), ('firstname', 'def')])
http_response = self.uri_opener.POST(url, data, cache=False)
self.assertIn(test_data, http_response.body)
def test_unknown_url(self):
url = URL('http://longsitethatdoesnotexistfoo.com/')
self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)
def test_url_port_closed(self):
# TODO: Change 2312 by an always closed/non-http port
url = URL('http://127.0.0.1:2312/')
self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)
def test_url_port_not_http(self):
upper_daemon = UpperDaemon(EmptyTCPHandler)
upper_daemon.start()
upper_daemon.wait_for_start()
port = upper_daemon.get_port()
url = URL('http://127.0.0.1:%s/' % port)
self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)
def test_url_port_not_http_many(self):
upper_daemon = UpperDaemon(EmptyTCPHandler)
upper_daemon.start()
upper_daemon.wait_for_start()
port = upper_daemon.get_port()
url = URL('http://127.0.0.1:%s/' % port)
for _ in xrange(MAX_ERROR_COUNT):
try:
self.uri_opener.GET(url)
except w3afMustStopByUnknownReasonExc:
self.assertTrue(False, 'Not expecting this exception type.')
except w3afMustStopOnUrlError:
self.assertTrue(True)
except w3afMustStopException:
self.assertTrue(True)
break
else:
self.assertTrue(False)
def test_timeout(self):
upper_daemon = UpperDaemon(TimeoutTCPHandler)
upper_daemon.start()
upper_daemon.wait_for_start()
port = upper_daemon.get_port()
url = URL('http://127.0.0.1:%s/' % port)
self.uri_opener.settings.set_timeout(1)
self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)
self.uri_opener.settings.set_default_values()
def test_timeout_many(self):
upper_daemon = UpperDaemon(TimeoutTCPHandler)
upper_daemon.start()
upper_daemon.wait_for_start()
port = upper_daemon.get_port()
self.uri_opener.settings.set_timeout(1)
url = URL('http://127.0.0.1:%s/' % port)
for _ in xrange(MAX_ERROR_COUNT):
try:
self.uri_opener.GET(url)
except w3afMustStopByUnknownReasonExc:
self.assertTrue(False, 'Not expecting this exception type.')
except w3afMustStopOnUrlError:
self.assertTrue(True)
except w3afMustStopException, e:
self.assertTrue(True)
break
else:
def test_ntlm_auth_not_configured(self):
self.uri_opener = ExtendedUrllib()
url = URL("http://moth/w3af/core/ntlm_auth/ntlm_v1/")
http_response = self.uri_opener.GET(url, cache=False)
self.assertIn('Must authenticate.', http_response.body)
def setUp(self):
super(TestCSRF, self).setUp()
self.csrf_plugin = csrf()
self.uri_opener = ExtendedUrllib()
self.csrf_plugin.set_url_opener(self.uri_opener)
class FakeCore(object):
worker_pool = Pool(1)
uri_opener = ExtendedUrllib()
class TestCSRF(PluginTest):
target_url = 'http://moth/w3af/audit/csrf/'
_run_configs = {
'cfg': {
'target': target_url,
'plugins': {
'audit': (PluginConfig('csrf'), ),
'crawl':
(PluginConfig('web_spider',
('only_forward', True, PluginConfig.BOOL)), )
}
}
}
def setUp(self):
super(TestCSRF, self).setUp()
self.csrf_plugin = csrf()
self.uri_opener = ExtendedUrllib()
self.csrf_plugin.set_url_opener(self.uri_opener)
def test_found_csrf(self):
EXPECTED = [
('/w3af/audit/csrf/vulnerable/buy.php'),
('/w3af/audit/csrf/vulnerable-rnd/buy.php'),
#@see: https://github.com/andresriancho/w3af/issues/120
#('/w3af/audit/csrf/vulnerable-token-ignored/buy.php'),
('/w3af/audit/csrf/link-vote/vote.php')
]
# Run the scan
cfg = self._run_configs['cfg']
self._scan(cfg['target'], cfg['plugins'])
# Assert the general results
vulns = self.kb.get('csrf', 'csrf')
self.assertEquals(set(EXPECTED),
set([v.get_url().get_path() for v in vulns]))
self.assertTrue(
all(['CSRF vulnerability' == v.get_name() for v in vulns]))
def test_resp_is_equal(self):
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
r1 = HTTPResponse(200, 'body', headers, url, url)
r2 = HTTPResponse(404, 'body', headers, url, url)
self.assertFalse(self.csrf_plugin._is_resp_equal(r1, r2))
r1 = HTTPResponse(200, 'a', headers, url, url)
r2 = HTTPResponse(200, 'b', headers, url, url)
self.assertFalse(self.csrf_plugin._is_resp_equal(r1, r2))
r1 = HTTPResponse(200, 'a', headers, url, url)
r2 = HTTPResponse(200, 'a', headers, url, url)
self.assertTrue(self.csrf_plugin._is_resp_equal(r1, r2))
def test_is_suitable(self):
# False because no cookie is set and no QS nor post-data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# False because no cookie is set
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
url_sends_cookie = URL(
'http://moth/w3af/core/cookie_handler/set-cookie.php')
self.uri_opener.GET(url_sends_cookie)
# Still false because it doesn't have any QS or POST data
url = URL('http://moth/')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
self.csrf_plugin._strict_mode = True
# Still false because of the strict mode
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# False, no items in dc
url = URL('http://moth/')
req = FuzzableRequest(url, method='POST', dc=Form())
suitable = self.csrf_plugin._is_suitable(req)
self.assertFalse(suitable)
# True, items in DC, POST (passes strict mode) and cookies
url = URL('http://moth/')
form = Form()
form.add_input([('name', 'test'), ('type', 'text')])
req = FuzzableRequest(url, method='POST', dc=form)
suitable = self.csrf_plugin._is_suitable(req)
self.assertTrue(suitable)
self.csrf_plugin._strict_mode = False
# True now that we have strict mode off, cookies and QS
url = URL('http://moth/?id=3')
req = FuzzableRequest(url, method='GET')
suitable = self.csrf_plugin._is_suitable(req)
self.assertTrue(suitable)
def test_is_origin_checked_true_case01(self):
url = URL('http://moth/w3af/audit/csrf/referer/buy.php?shares=123')
headers = Headers([('Referer', 'http://moth/w3af/audit/csrf/referer/')
])
freq = FuzzableRequest(url, method='GET', headers=headers)
orig_response = self.uri_opener.send_mutant(freq)
origin_checked = self.csrf_plugin._is_origin_checked(
freq, orig_response)
self.assertTrue(origin_checked)
def test_is_origin_checked_true_case02(self):
url = URL('http://moth/w3af/audit/csrf/referer-rnd/buy.php?shares=123')
headers = Headers([('Referer',
'http://moth/w3af/audit/csrf/referer-rnd/')])
freq = FuzzableRequest(url, method='GET', headers=headers)
orig_response = self.uri_opener.send_mutant(freq)
origin_checked = self.csrf_plugin._is_origin_checked(
freq, orig_response)
self.assertTrue(origin_checked)
def test_is_origin_checked_false(self):
url = URL('http://moth/w3af/audit/csrf/vulnerable/buy.php?shares=123')
headers = Headers([('Referer',
'http://moth/w3af/audit/csrf/referer-rnd/')])
freq = FuzzableRequest(url, method='GET', headers=headers)
orig_response = self.uri_opener.send_mutant(freq)
origin_checked = self.csrf_plugin._is_origin_checked(
freq, orig_response)
self.assertFalse(origin_checked)
def test_is_csrf_token_true_case01(self):
self.csrf_plugin.is_csrf_token('token',
'f842eb01b87a8ee18868d3bf80a558f3')
def test_is_csrf_token_true_case02(self):
self.csrf_plugin.is_csrf_token('secret',
'f842eb01b87a8ee18868d3bf80a558f3')
def test_is_csrf_token_true_case03(self):
self.csrf_plugin.is_csrf_token('csrf',
'f842eb01b87a8ee18868d3bf80a558f3')
def test_is_csrf_token_false_case01(self):
self.csrf_plugin.is_csrf_token('token', '')
def test_is_csrf_token_false_case02(self):
self.csrf_plugin.is_csrf_token('secret', 'helloworld')
def test_is_csrf_token_false_case03(self):
self.csrf_plugin.is_csrf_token('secret', 'helloworld123')
def test_is_csrf_token_false_case04(self):
self.csrf_plugin.is_csrf_token('secret', 'hello world 123')
def test_is_csrf_token_false_case05(self):
lorem = ('Lorem ipsum dolor sit amet, consectetur adipiscing elit.'
' Curabitur at eros elit, rhoncus feugiat libero. Praesent'
' lobortis ultricies est gravida tempor. Sed tortor mi,'
' euismod at interdum quis, hendrerit vitae risus. Sed'
' iaculis, ante sagittis ullamcorper molestie, metus nibh'
' posuere purus, non tempor massa leo at odio. Duis quis'
' elit enim. Morbi lobortis est sed metus adipiscing in'
' lacinia est porttitor. Suspendisse potenti. Morbi pretium'
' lacinia magna, sit amet tincidunt enim vestibulum sed.')
self.csrf_plugin.is_csrf_token('secret', lorem)
def test_is_csrf_token_false_case06(self):
self.csrf_plugin.is_csrf_token('token', 'f842e')
def test_find_csrf_token_true_simple(self):
url = URL('http://moth/w3af/audit/csrf/')
query_string = parse_qs('secret=f842eb01b87a8ee18868d3bf80a558f3')
freq = FuzzableRequest(url, method='GET', dc=query_string)
token = self.csrf_plugin._find_csrf_token(freq)
self.assertIn('secret', token)
def test_find_csrf_token_true_repeated(self):
url = URL('http://moth/w3af/audit/csrf/')
query_string = parse_qs('secret=f842eb01b87a8ee18868d3bf80a558f3'
'&secret=not a token')
freq = FuzzableRequest(url, method='GET', dc=query_string)
token = self.csrf_plugin._find_csrf_token(freq)
self.assertIn('secret', token)
def test_find_csrf_token_false(self):
url = URL('http://moth/w3af/audit/csrf/')
query_string = parse_qs('secret=not a token')
freq = FuzzableRequest(url, method='GET', dc=query_string)
token = self.csrf_plugin._find_csrf_token(freq)
self.assertNotIn('secret', token)
def test_is_token_checked_true(self):
generator = URL('http://moth/w3af/audit/csrf/secure-replay-allowed/')
http_response = self.uri_opener.GET(generator)
# Please note that this freq holds a fresh/valid CSRF token
freq_lst = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(freq_lst), 1)
freq = freq_lst[0]
# FIXME:
# And I use this token here to get the original response, and if the
# application is properly developed, that token will be invalidated
# and that's where this algorithm fails.
original_response = self.uri_opener.send_mutant(freq)
token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
checked = self.csrf_plugin._is_token_checked(freq, token,
original_response)
self.assertTrue(checked)
def test_is_token_checked_false(self):
'''
This covers the case where there is a token but for some reason it
is NOT verified by the web application.
'''
generator = URL(
'http://moth/w3af/audit/csrf/vulnerable-token-ignored/')
http_response = self.uri_opener.GET(generator)
# Please note that this freq holds a fresh/valid CSRF token
freq_lst = create_fuzzable_requests(http_response, add_self=False)
self.assertEqual(len(freq_lst), 1)
freq = freq_lst[0]
# FIXME:
# And I use this token here to get the original response, and if the
# application is properly developed, that token will be invalidated
# and that's where this algorithm fails.
original_response = self.uri_opener.send_mutant(freq)
token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
checked = self.csrf_plugin._is_token_checked(freq, token,
original_response)
self.assertFalse(checked)
