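class TestExtendedUrllibProxy(unittest.TestCase):
    """
    Integration tests for ExtendedUrllib when every request is routed
    through w3af's own local proxy daemon.

    setUp starts a Proxy on 127.0.0.1 with an ephemeral port, points the
    ExtendedUrllib under test at it through OpenerSettings, and the tests
    then fetch pages from the "moth" test web server via that proxy.
    """

    MOTH_MESSAGE = 'Welcome to the moth homepage!'

    def setUp(self):
        self.uri_opener = ExtendedUrllib()

        # Start the proxy daemon on port 0 so the OS picks a free port and
        # concurrent test runs do not collide on a fixed one.
        self._proxy = Proxy('127.0.0.1', 0, ExtendedUrllib(), w3afProxyHandler)
        self._proxy.start()
        self._proxy.wait_for_start()

        port = self._proxy.get_port()

        # Point the opener under test at the freshly started proxy
        settings = OpenerSettings()
        options = settings.get_options()
        options['proxy_address'].set_value('127.0.0.1')
        options['proxy_port'].set_value(port)

        settings.set_options(options)
        self.uri_opener.settings = settings

    def tearDown(self):
        # Stop the proxy daemon that setUp started; otherwise its listening
        # socket and thread outlive the test. The finally makes sure this
        # happens even if end() raises.
        try:
            self.uri_opener.end()
        finally:
            self._proxy.stop()

    def test_http_default_port_via_proxy(self):
        """A GET without an explicit port reaches moth through the proxy."""
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)

    def test_http_port_specification_via_proxy(self):
        """An explicit ':80' in the URL is handled the same way by the proxy."""
        url = URL('http://moth:80/')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)

    @unittest.skip('Skip this test because of a strange bug with the extended'
                   ' url library and w3af\'s local proxy daemon. More info here:'
                   ' https://github.com/andresriancho/w3af/issues/183')
    def test_https_via_proxy(self):
        """HTTPS through the local proxy (currently skipped, see issue #183)."""
        url = URL('https://moth/')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)

    def test_offline_port_via_proxy(self):
        """A target port with nothing listening yields a 400 from the proxy."""
        url = URL('http://127.0.0.1:8181/')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertEqual(http_response.get_code(), 400)

    def test_POST_via_proxy(self):
        """POST bodies are forwarded intact; the echo page reflects the field."""
        url = URL('http://moth/w3af/core/echo/post.php')
        http_response = self.uri_opener.POST(url, data='abc=123', cache=False)
        self.assertIn('[abc] => 123', http_response.body)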
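class TestXUrllib(unittest.TestCase):
    """
    Integration tests for ExtendedUrllib against the "moth" test web server.

    Covers plain GET/POST, the response cache, pause/stop control, an
    unresolvable host, cleanup of temp files on end(), and non-ASCII data
    in POST bodies and request headers.
    """

    MOTH_MESSAGE = 'Welcome to the moth homepage!'

    def setUp(self):
        self.uri_opener = ExtendedUrllib()

    def tearDown(self):
        self.uri_opener.end()

    def _get_moth_in_background(self, output):
        """
        Run GET http://moth/ through self.uri_opener in a daemon Process and
        put the response into `output` when (and if) the GET returns.

        :param output: Queue.Queue that receives the response.
        :return: The started Process so callers can join() it.
        """
        def send(uri_opener, output):
            url = URL('http://moth/')
            http_response = uri_opener.GET(url)
            output.put(http_response)

        th = Process(target=send, args=(self.uri_opener, output))
        th.daemon = True
        th.start()
        return th

    def test_basic(self):
        """An uncached GET returns the welcome text and a numbered response."""
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url, cache=False)

        self.assertIn(self.MOTH_MESSAGE, http_response.body)

        # Response ids must always be assigned and start at 1
        self.assertGreaterEqual(http_response.id, 1)
        self.assertIsNotNone(http_response.id)

    def test_cache(self):
        """Two cached GETs for equal URLs both return the page body."""
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)

        # A distinct-but-equal URL object on the second request exercises the
        # cache lookup rather than object identity
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)

    def test_qs_params(self):
        """Query-string parameters are sent as-is to the server."""
        url = URL('http://moth/w3af/audit/local_file_read/local_file_read.php?file=section.txt')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn('Showing the section content.', http_response.body)

        url = URL('http://moth/w3af/audit/local_file_read/local_file_read.php?file=/etc/passwd')
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn('root:x:0:0:', http_response.body)

    def test_POST(self):
        """A DataContainer body is POSTed and echoed back by the receptor page."""
        url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
        data = DataContainer([('empresa', 'abc'), ('firstname', 'def')])
        http_response = self.uri_opener.POST(url, data, cache=False)
        self.assertIn('def', http_response.body)

    def test_POST_special_chars(self):
        """Non-ASCII and markup characters in a POST body survive the round trip."""
        url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
        test_data = u'abc<def>"-á-'
        data = DataContainer([('empresa', test_data), ('firstname', 'def')])
        http_response = self.uri_opener.POST(url, data, cache=False)
        self.assertIn(test_data, http_response.body)

    def test_unknown_url(self):
        """An unresolvable host raises w3afMustStopOnUrlError (needs DNS)."""
        url = URL('http://longsitethatdoesnotexistfoo.com/')
        self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)

    def test_stop(self):
        """After stop(), any GET raises w3afMustStopByUserRequest."""
        self.uri_opener.stop()
        url = URL('http://moth/')
        self.assertRaises(w3afMustStopByUserRequest, self.uri_opener.GET, url)

    def test_pause_stop(self):
        """stop() while paused still makes the next GET raise."""
        self.uri_opener.pause(True)
        self.uri_opener.stop()
        url = URL('http://moth/')
        self.assertRaises(w3afMustStopByUserRequest, self.uri_opener.GET, url)

    def test_pause(self):
        """While paused, a GET blocks: nothing reaches the queue within 2s."""
        output = Queue.Queue()
        self.uri_opener.pause(True)

        self._get_moth_in_background(output)

        self.assertRaises(Queue.Empty, output.get, True, 2)

    def test_pause_unpause(self):
        """A GET blocked by pause(True) completes once pause(False) is called."""
        output = Queue.Queue()
        self.uri_opener.pause(True)

        th = self._get_moth_in_background(output)

        self.assertRaises(Queue.Empty, output.get, True, 2)

        self.uri_opener.pause(False)

        http_response = output.get()
        th.join()

        self.assertEqual(http_response.get_code(), 200)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)

    def test_removes_cache(self):
        """end() removes the opener's db files and trace dirs from the temp dir."""
        url = URL('http://moth/')
        self.uri_opener.GET(url, cache=False)

        # Please note that this line, together with the tearDown() act as
        # a test for a "double call to end()".
        self.uri_opener.end()

        db_fmt = 'db_unittest-%s'
        trace_fmt = 'db_unittest-%s_traces/'
        temp_dir = get_temp_dir()

        for i in xrange(100):
            test_db_path = os.path.join(temp_dir, db_fmt % i)
            test_trace_path = os.path.join(temp_dir, trace_fmt % i)
            self.assertFalse(os.path.exists(test_db_path), test_db_path)
            self.assertFalse(os.path.exists(test_trace_path), test_trace_path)

    def test_special_char_header(self):
        """A non-ASCII header value is sent and echoed back unchanged."""
        url = URL('http://moth/w3af/core/header_fuzzing/cookie_echo.php')
        header_content = u'á'
        headers = Headers([('foo', header_content)])
        http_response = self.uri_opener.GET(url, cache=False, headers=headers)
        self.assertEqual(header_content, http_response.body)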
class TestXUrllib(unittest.TestCase):

    # Text expected in the body of http://moth/; asserted by several tests below
    MOTH_MESSAGE = 'Welcome to the moth homepage!'

    def setUp(self):
        """Create a fresh ExtendedUrllib for each test."""
        self.uri_opener = ExtendedUrllib()

    def tearDown(self):
        """Release the opener created in setUp."""
        self.uri_opener.end()

    def test_basic(self):
        """An uncached GET returns the welcome text and a response id >= 1."""
        response = self.uri_opener.GET(URL('http://moth/'), cache=False)

        self.assertIn(self.MOTH_MESSAGE, response.body)

        # Every response must carry an id, numbered from 1
        self.assertGreaterEqual(response.id, 1)
        self.assertIsNotNone(response.id)

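    def test_cache(self):
        """Two cached GETs for equal URLs both return the page body."""
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)

        # A distinct-but-equal URL object for the second request exercises
        # the cache lookup rather than object identity
        url = URL('http://moth/')
        http_response = self.uri_opener.GET(url)
        self.assertIn(self.MOTH_MESSAGE, http_response.body)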

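    def test_qs_params(self):
        """Query-string parameters are sent as-is to the server."""
        url = URL(
            'http://moth/w3af/audit/local_file_read/local_file_read.php?file=section.txt'
        )
        http_response = self.uri_opener.GET(url, cache=False)
        # assertIn reports the body on failure, so no explicit msg is needed
        self.assertIn('Showing the section content.', http_response.body)

        url = URL(
            'http://moth/w3af/audit/local_file_read/local_file_read.php?file=/etc/passwd'
        )
        http_response = self.uri_opener.GET(url, cache=False)
        self.assertIn('root:x:0:0:', http_response.body)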

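    def test_POST(self):
        """A DataContainer body is POSTed and echoed back by the receptor page."""
        url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
        data = DataContainer([('empresa', 'abc'), ('firstname', 'def')])
        http_response = self.uri_opener.POST(url, data, cache=False)
        self.assertIn('def', http_response.body)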

    def test_POST_special_chars(self):
        """Non-ASCII and markup characters in a POST body survive the round trip."""
        test_data = u'abc<def>"-á-'
        fields = [('empresa', test_data), ('firstname', 'def')]

        response = self.uri_opener.POST(
            URL('http://moth/w3af/audit/xss/data_receptor2.php'),
            DataContainer(fields),
            cache=False,
        )
        self.assertIn(test_data, response.body)

    def test_unknown_url(self):
        """An unresolvable host raises w3afMustStopOnUrlError (needs DNS)."""
        with self.assertRaises(w3afMustStopOnUrlError):
            self.uri_opener.GET(URL('http://longsitethatdoesnotexistfoo.com/'))

    def test_url_port_closed(self):
        """A connection-refused port raises w3afMustStopOnUrlError."""
        # TODO: Change 2312 by an always closed/non-http port
        with self.assertRaises(w3afMustStopOnUrlError):
            self.uri_opener.GET(URL('http://127.0.0.1:2312/'))

    def test_url_port_not_http(self):
        """
        A listener that does not speak HTTP (presumably what EmptyTCPHandler
        provides) makes GET raise w3afMustStopOnUrlError.
        """
        daemon = UpperDaemon(EmptyTCPHandler)
        daemon.start()
        daemon.wait_for_start()

        # NOTE(review): the daemon is never shut down here; if UpperDaemon
        # offers a shutdown method it should be called in a finally — confirm
        target = URL('http://127.0.0.1:%s/' % daemon.get_port())
        with self.assertRaises(w3afMustStopOnUrlError):
            self.uri_opener.GET(target)

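    def test_url_port_not_http_many(self):
        """
        Repeated failures against a non-HTTP listener must escalate from the
        per-request w3afMustStopOnUrlError to w3afMustStopException within
        MAX_ERROR_COUNT attempts.
        """
        upper_daemon = UpperDaemon(EmptyTCPHandler)
        upper_daemon.start()
        upper_daemon.wait_for_start()

        port = upper_daemon.get_port()

        url = URL('http://127.0.0.1:%s/' % port)
        for _ in xrange(MAX_ERROR_COUNT):
            try:
                self.uri_opener.GET(url)
            except w3afMustStopByUnknownReasonExc:
                self.fail('Not expecting this exception type.')
            except w3afMustStopOnUrlError:
                # Expected on the early attempts; keep going until the error
                # counter trips the generic must-stop exception
                continue
            except w3afMustStopException:
                break
        else:
            self.fail('%s failed requests did not raise w3afMustStopException'
                      % MAX_ERROR_COUNT)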

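    def test_timeout(self):
        """
        A connection that is accepted but never answered (presumably what
        TimeoutTCPHandler does) must raise w3afMustStopOnUrlError once the
        timeout set with set_timeout(1) elapses.
        """
        upper_daemon = UpperDaemon(TimeoutTCPHandler)
        upper_daemon.start()
        upper_daemon.wait_for_start()

        port = upper_daemon.get_port()

        url = URL('http://127.0.0.1:%s/' % port)

        self.uri_opener.settings.set_timeout(1)
        try:
            self.assertRaises(w3afMustStopOnUrlError, self.uri_opener.GET, url)
        finally:
            # Restore the defaults even when the assertion fails, so the
            # shortened timeout does not leak into later tests
            self.uri_opener.settings.set_default_values()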

    def test_timeout_many(self):
        upper_daemon = UpperDaemon(TimeoutTCPHandler)
        upper_daemon.start()
        upper_daemon.wait_for_start()

        port = upper_daemon.get_port()

        self.uri_opener.settings.set_timeout(1)

        url = URL('http://127.0.0.1:%s/' % port)

        for _ in xrange(MAX_ERROR_COUNT):
            try:
                self.uri_opener.GET(url)
            except w3afMustStopByUnknownReasonExc:
                self.assertTrue(False, 'Not expecting this exception type.')
            except w3afMustStopOnUrlError:
                self.assertTrue(True)
            except w3afMustStopException, e:
                self.assertTrue(True)
                break
        else: