Exemplo n.º 1
0
    def test_mutant_creation_qs_and_postdata(self):
        original_form = Form()
        original_form.add_input([("name", "username"), ("value", "")])
        original_form.add_input([("name", "password"), ("value", "")])

        url = URL('http://moth/foo.bar?action=login')

        freq = HTTPPostDataRequest(url, dc=original_form)

        created_mutants = Mutant.create_mutants(freq, self.payloads, [], False,
                                                self.fuzzer_config)

        expected_dc_lst = [
            Form([('username', ['abc']), ('password', ['FrAmE30.'])]),
            Form([('username', ['def']), ('password', ['FrAmE30.'])]),
            Form([('username', ['John8212']), ('password', ['abc'])]),
            Form([('username', ['John8212']), ('password', ['def'])]),
        ]

        created_dc_lst = [i.get_dc() for i in created_mutants]
        created_urls = [i.get_uri() for i in created_mutants]

        self.assertEqual(created_urls, [
            url,
        ] * 4)
        self.assertEqual(created_dc_lst, expected_dc_lst)
Exemplo n.º 2
0
    def test_mutant_creation_repeated_parameter_name(self):
        form = Form()
        form.add_input([("name", "id"), ("value", "")])
        form.add_input([("name", "id"), ("value", "")])

        freq = HTTPPostDataRequest(URL('http://w3af.com/?foo=3'),
                                   dc=form,
                                   method='GET')

        created_mutants = PostDataMutant.create_mutants(
            freq, self.payloads, [], False, self.fuzzer_config)

        expected_dc_lst = [
            Form([('id', ['abc', '3419'])]),
            Form([('id', ['def', '3419'])]),
            Form([('id', ['3419', 'abc'])]),
            Form([('id', ['3419', 'def'])])
        ]

        created_dc_lst = [i.get_dc() for i in created_mutants]

        self.assertEqual(created_dc_lst, expected_dc_lst)

        self.assertEqual(created_mutants[0].get_var(), 'id')
        self.assertEqual(created_mutants[0].get_var_index(), 0)
        self.assertEqual(created_mutants[0].get_original_value(), '')
        self.assertEqual(created_mutants[2].get_var(), 'id')
        self.assertEqual(created_mutants[2].get_var_index(), 1)
        self.assertEqual(created_mutants[2].get_original_value(), '')

        for m in created_mutants:
            self.assertIsInstance(m, PostDataMutant)

        for m in created_mutants:
            self.assertEqual(m.get_method(), 'GET')
Exemplo n.º 3
0
    def test_mutant_creation(self):
        form = Form()
        form.add_input([("name", "username"), ("value", "")])
        form.add_input([("name", "address"), ("value", "")])

        freq = HTTPPostDataRequest(URL('http://www.w3af.com/?id=3'),
                                   dc=form,
                                   method='PUT')

        created_mutants = PostDataMutant.create_mutants(
            freq, self.payloads, [], False, self.fuzzer_config)

        expected_dc_lst = [
            Form([('username', ['abc']), ('address', ['Bonsai Street 123'])]),
            Form([('username', ['def']), ('address', ['Bonsai Street 123'])]),
            Form([('username', ['John8212']), ('address', ['abc'])]),
            Form([('username', ['John8212']), ('address', ['def'])])
        ]

        created_dc_lst = [i.get_dc() for i in created_mutants]

        self.assertEqual(created_dc_lst, expected_dc_lst)

        self.assertEqual(created_mutants[0].get_var(), 'username')
        self.assertEqual(created_mutants[0].get_var_index(), 0)
        self.assertEqual(created_mutants[0].get_original_value(), '')
        self.assertEqual(created_mutants[2].get_var(), 'address')
        self.assertEqual(created_mutants[2].get_var_index(), 0)
        self.assertEqual(created_mutants[2].get_original_value(), '')

        for m in created_mutants:
            self.assertIsInstance(m, PostDataMutant)

        for m in created_mutants:
            self.assertEqual(m.get_method(), 'PUT')
Exemplo n.º 4
0
    def test_is_suitable(self):
        # False because no cookie is set and no QS nor post-data
        url = URL('http://moth/')
        req = FuzzableRequest(url, method='GET')
        suitable = self.csrf_plugin._is_suitable(req)
        self.assertFalse(suitable)

        # False because no cookie is set
        url = URL('http://moth/?id=3')
        req = FuzzableRequest(url, method='GET')
        suitable = self.csrf_plugin._is_suitable(req)
        self.assertFalse(suitable)

        url_sends_cookie = URL(
            'http://moth/w3af/core/cookie_handler/set-cookie.php')
        self.uri_opener.GET(url_sends_cookie)

        # Still false because it doesn't have any QS or POST data
        url = URL('http://moth/')
        req = FuzzableRequest(url, method='GET')
        suitable = self.csrf_plugin._is_suitable(req)
        self.assertFalse(suitable)

        self.csrf_plugin._strict_mode = True

        # Still false because of the strict mode
        url = URL('http://moth/?id=3')
        req = FuzzableRequest(url, method='GET')
        suitable = self.csrf_plugin._is_suitable(req)
        self.assertFalse(suitable)

        # False, no items in dc
        url = URL('http://moth/')
        req = FuzzableRequest(url, method='POST', dc=Form())
        suitable = self.csrf_plugin._is_suitable(req)
        self.assertFalse(suitable)

        # True, items in DC, POST (passes strict mode) and cookies
        url = URL('http://moth/')
        form = Form()
        form.add_input([('name', 'test'), ('type', 'text')])
        req = FuzzableRequest(url, method='POST', dc=form)
        suitable = self.csrf_plugin._is_suitable(req)
        self.assertTrue(suitable)

        self.csrf_plugin._strict_mode = False

        # True now that we have strict mode off, cookies and QS
        url = URL('http://moth/?id=3')
        req = FuzzableRequest(url, method='GET')
        suitable = self.csrf_plugin._is_suitable(req)
        self.assertTrue(suitable)
Exemplo n.º 5
0
    def test_mutant_creation_post_data(self):
        original_form = Form()
        original_form.add_input([("name", "username"), ("value", "")])
        original_form.add_input([("name", "address"), ("value", "")])
        original_form.add_file_input([("name", "file"), ("type", "file")])

        freq = HTTPPostDataRequest(self.url, dc=original_form)

        created_mutants = Mutant.create_mutants(freq, self.payloads, [], False,
                                                self.fuzzer_config)

        self.assertEqual(len(created_mutants), 4, created_mutants)

        expected_username_values = self.payloads + ['John8212'] * 2
        expected_address_values = ['Bonsai Street 123'] * 2 + self.payloads
        expected_file_values = ['GIF89a'] * 4

        created_dc_lst = [i.get_dc() for i in created_mutants]
        generated_username_values = [
            dc['username'][0] for dc in created_dc_lst
        ]
        generated_address_values = [dc['address'][0] for dc in created_dc_lst]
        generated_file_values = [dc['file'][0] for dc in created_dc_lst]

        self.assertEqual(expected_username_values, generated_username_values)
        self.assertEqual(expected_address_values, generated_address_values)
        for index, gen_file_value in enumerate(generated_file_values):
            startswith = gen_file_value.startswith(expected_file_values[index])
            self.assertTrue(startswith, gen_file_value)

        self.assertTrue(
            all(str_file.name[-4:].startswith('.gif')
                for str_file in generated_file_values))
Exemplo n.º 6
0
    def test_form_file_post_no_files(self):
        cf_singleton.save('fuzzable_headers', [])
        cf_singleton.save('fuzz_cookies', False)
        cf_singleton.save('fuzz_url_filenames', False)
        cf_singleton.save('fuzzed_files_extension', 'gif')
        cf_singleton.save('fuzz_form_files', True)  # This one changed
        cf_singleton.save('fuzz_url_parts', False)

        form = Form()
        form.add_input([("name", "username"), ("value", "")])
        form.add_input([("name", "address"), ("value", "")])

        freq = HTTPPostDataRequest(URL('http://www.w3af.com/?id=3'),
                                   dc=form,
                                   method='PUT')

        generated_mutants = create_mutants(freq, self.payloads)

        self.assertTrue(
            all('http://www.w3af.com/?id=3' == m.get_uri().url_string
                for m in generated_mutants))

        self.assertTrue(
            all(isinstance(m, PostDataMutant) for m in generated_mutants),
            generated_mutants)

        self.assertTrue(all(m.get_method() == 'PUT'
                            for m in generated_mutants))

        expected_dc_lst = [
            Form([('username', ['abc']), ('address', ['Bonsai Street 123'])]),
            Form([('username', ['def']), ('address', ['Bonsai Street 123'])]),
            Form([('username', ['John8212']), ('address', ['abc'])]),
            Form([('username', ['John8212']), ('address', ['def'])])
        ]

        created_dc_lst = [i.get_dc() for i in generated_mutants]

        self.assertEqual(created_dc_lst, expected_dc_lst)
Exemplo n.º 7
0
    def test_found_at(self):
        form = Form()
        form.add_input([("name", "username"), ("value", "")])
        form.add_input([("name", "address"), ("value", "")])

        freq = HTTPPostDataRequest(URL('http://www.w3af.com/?id=3'),
                                   dc=form,
                                   method='PUT')
        m = PostDataMutant(freq)
        m.set_var('username')

        expected = '"http://www.w3af.com/?id=3", using HTTP method PUT. '\
                   'The sent post-data was: "username=&address=" '\
                   'which modifies the "username" parameter.'
        self.assertEqual(m.found_at(), expected)
Exemplo n.º 8
0
    def test_valid_results(self):
        form = Form()
        form.add_input([("name", "username"), ("value", "")])
        form.add_file_input([("name", "file"), ("type", "file")])

        freq = HTTPPostDataRequest(self.url, dc=form)

        generated_mutants = FileContentMutant.create_mutants(
            freq, self.payloads, [], False, self.fuzzer_config)

        self.assertEqual(len(generated_mutants), 2, generated_mutants)

        expected_data = [
            Form([('username', ['John8212']), ('file', ['abc'])]),
            Form([('username', ['John8212']), ('file', ['def'])]),
        ]

        generated_data = [m.get_data() for m in generated_mutants]

        self.assertEqual(expected_data, generated_data)

        str_file = generated_data[0]['file'][0]
        self.assertEqual(str_file.name[-4:], '.gif')
        self.assertIn('abc', str_file)
Exemplo n.º 9
0
    def test_mutant_smart_fill_simple(self):
        original_form = Form()
        original_form.add_input([("name", "username"), ("value", "")])
        original_form.add_input([("name", "address"), ("value", "")])

        freq = HTTPPostDataRequest(self.url, dc=original_form)

        filled_form = mutant_smart_fill(freq, original_form, 'username', 0,
                                        self.fuzzer_config)

        self.assertEqual(id(original_form), id(filled_form))
        self.assertEqual(filled_form['username'], [
            '',
        ])
        self.assertEqual(filled_form['address'], [
            'Bonsai Street 123',
        ])
Exemplo n.º 10
0
    def test_config_true(self):
        fuzzer_config = {
            'fuzz_form_files': True,
            'fuzzed_files_extension': 'gif'
        }

        form = Form()
        form.add_input([("name", "username"), ("value", "")])
        form.add_input([("name", "address"), ("value", "")])
        form.add_file_input([("name", "file"), ("type", "file")])

        freq = HTTPPostDataRequest(self.url, dc=form)

        generated_mutants = FileContentMutant.create_mutants(
            freq, self.payloads, [], False, fuzzer_config)

        self.assertNotEqual(len(generated_mutants), 0, generated_mutants)
Exemplo n.º 11
0
    def test_mutant_smart_fill_with_file(self):
        original_form = Form()
        original_form.add_input([("name", "username"), ("value", "")])
        original_form.add_input([("name", "address"), ("value", "")])
        original_form.add_file_input([("name", "file"), ("type", "file")])

        freq = HTTPPostDataRequest(self.url, dc=original_form)

        filled_form = mutant_smart_fill(freq, original_form, 'username', 0,
                                        self.fuzzer_config)

        self.assertEqual(id(original_form), id(filled_form))
        self.assertEqual(filled_form['username'], [
            '',
        ])
        self.assertEqual(filled_form['address'], [
            'Bonsai Street 123',
        ])

        str_file = filled_form['file'][0]
        self.assertEqual(str_file.name[-4:], '.gif')
        self.assertIn('GIF', str_file)
Exemplo n.º 12
0
    def test_mutant_creation_file(self):
        form = Form()
        form.add_input([("name", "username"), ("value", "default")])
        form.add_file_input([("name", "file_upload")])

        freq = HTTPPostDataRequest(URL('http://www.w3af.com/upload'),
                                   dc=form,
                                   method='POST')

        payloads = [
            file(__file__),
        ]
        created_mutants = PostDataMutant.create_mutants(
            freq, payloads, [
                'file_upload',
            ], False, self.fuzzer_config)

        self.assertEqual(len(created_mutants), 1, created_mutants)

        mutant = created_mutants[0]

        self.assertIsInstance(mutant.get_dc()['file_upload'][0], file)
        self.assertEqual(mutant.get_dc()['username'][0], 'default')
Exemplo n.º 13
0
    def test_basics(self):
        form = Form()
        form.add_input([("name", "username"), ("value", "")])
        form.add_input([("name", "address"), ("value", "")])
        form.add_file_input([("name", "file"), ("type", "file")])

        freq = HTTPPostDataRequest(self.url, dc=form)

        m = FileContentMutant(freq)
        m.set_var('file', 0)
        m.set_mod_value('abc')
        self.assertEqual(m.get_url().url_string, 'http://moth/')

        expected_mod_value = 'The data that was sent is: "username=&file=abc&address=".'
        generated_mod_value = m.print_mod_value()

        self.assertEqual(generated_mod_value, expected_mod_value)

        expected_found_at = u'"http://moth/", using HTTP method POST. The'\
            ' sent post-data was: "username=&file=abc&address="'\
            ' which modifies the uploaded file content.'
        generated_found_at = m.found_at()

        self.assertEqual(generated_found_at, expected_found_at)