def send_raw_request(self, head, postdata, fix_content_len=True):
"""
In some cases the ExtendedUrllib user wants to send a request that was
typed in a textbox or is stored in a file. When something like that
happens, this library allows the user to send the request by specifying
two parameters for the send_raw_request method:
:param head: "<method> <URI> <HTTP version>\r\nHeader: Value\r\n..."
:param postdata: The data as string
If set to '' or None, no postdata is sent
:param fix_content_len: Indicates if the content length has to be fixed
:return: An HTTPResponse object.
"""
# Parse the two strings
fuzz_req = http_request_parser(head, postdata)
# Fix the content length
if fix_content_len:
headers = fuzz_req.get_headers()
fixed = False
for h in headers:
if h.lower() == 'content-length':
headers[h] = str(len(postdata))
fixed = True
if not fixed and postdata:
headers['content-length'] = str(len(postdata))
fuzz_req.set_headers(headers)
# Send it
function_reference = getattr(self, fuzz_req.get_method())
return function_reference(fuzz_req.get_uri(), data=fuzz_req.get_data(),
headers=fuzz_req.get_headers(), cache=False,
grep=False)
def html_export(request_string):
"""
:param request_string: The string of the request to export
:return: A HTML that will perform the same HTTP request.
"""
request_lines = request_string.split('\n\n')
header = request_lines[0]
body = '\n\n'.join(request_lines[1:])
http_request = http_request_parser(header, body)
res = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Exported HTTP Request from w3af</title>
</head>
<body>\n"""
res += '<form action="' + cgi.escape(http_request.get_uri().url_string,
True)
res += '" method="' + cgi.escape(http_request.get_method(), True) + '">\n'
if http_request.get_data() and http_request.get_data() != '\n':
post_data = http_request.get_raw_data()
for token in post_data.iter_tokens():
res += '<label>' + cgi.escape(token.get_name()) + '</label>\n'
res += '<input type="text" name="' + \
cgi.escape(token.get_name().strip(), True)
res += '" value="' + cgi.escape(token.get_value(), True) + '">\n'
res += '<input type="submit">\n'
res += '</form>\n'
res += """</body>\n</html>"""
return res
def send_raw_request(self, head, postdata, fix_content_len=True):
"""
In some cases the ExtendedUrllib user wants to send a request that was
typed in a textbox or is stored in a file. When something like that
happens, this library allows the user to send the request by specifying
two parameters for the send_raw_request method:
:param head: "<method> <URI> <HTTP version>\r\nHeader: Value\r\n..."
:param postdata: The data as string
If set to '' or None, no postdata is sent
:param fix_content_len: Indicates if the content length has to be fixed
:return: An HTTPResponse object.
"""
# Parse the two strings
fuzz_req = http_request_parser(head, postdata)
# Fix the content length
if fix_content_len:
headers = fuzz_req.get_headers()
fixed = False
for h in headers:
if h.lower() == 'content-length':
headers[h] = str(len(postdata))
fixed = True
if not fixed and postdata:
headers['content-length'] = str(len(postdata))
fuzz_req.set_headers(headers)
# Send it
function_reference = getattr(self, fuzz_req.get_method())
return function_reference(fuzz_req.get_uri(), data=fuzz_req.get_data(),
headers=fuzz_req.get_headers(), cache=False,
grep=False)
def html_export(request_string):
"""
:param request_string: The string of the request to export
:return: A HTML that will perform the same HTTP request.
"""
request_lines = request_string.split('\n\n')
header = request_lines[0]
body = '\n\n'.join(request_lines[1:])
http_request = http_request_parser(header, body)
res = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Exported HTTP Request from w3af</title>
</head>
<body>\n"""
res += '<form action="' + cgi.escape(http_request.get_uri()
.url_string, True)
res += '" method="' + cgi.escape(http_request.get_method(), True) + '">\n'
if http_request.get_data() and http_request.get_data() != '\n':
post_data = http_request.get_raw_data()
for token in post_data.iter_tokens():
res += '<label>' + cgi.escape(token.get_name()) + '</label>\n'
res += '<input type="text" name="' + \
cgi.escape(token.get_name().strip(), True)
res += '" value="' + cgi.escape(token.get_value(), True) + '">\n'
res += '<input type="submit">\n'
res += '</form>\n'
res += """</body>\n</html>"""
return res
def get_object(self):
"""
Return object (request or response).
"""
head, body = self.get_split_text()
if self.is_request:
return http_request_parser(head, body)
else:
raise Exception('HttpResponseParser is not implemented!')
def get_object(self):
"""Return object (request or response)."""
head = self.startLine
for header in self._headersStore:
head += header[0] + ':' + header[1] + CRLF
if self.is_request:
return http_request_parser(head, self._raw.get_text())
else:
raise Exception('HttpResponseParser is not implemented')
def get_object(self):
"""Return object (request or response)."""
head = self.startLine
for header in self._header_store:
head += header[0] + ':' + header[1] + CRLF
if self.is_request:
return http_request_parser(head, self._raw.get_text())
else:
raise Exception('HttpResponseParser is not implemented')
def test_simple_GET_relative(self):
http_request = 'GET / HTTP/1.1\n' \
'Host: www.w3af.org\n' \
'Foo: bar\n'
fr = http_request_parser(http_request, '')
exp_headers = Headers([('Host', 'www.w3af.org'), ('Foo', 'bar')])
self.assertEquals(fr.get_headers(), exp_headers)
self.assertEqual(fr.get_url().get_domain(), 'www.w3af.org')
self.assertEqual(fr.get_data(), '')
def test_head_post_data(self):
request_head = 'POST http://www.w3af.org/ HTTP/1.1\n' \
'Host: www.w3af.org\n' \
'Content-Length: 7\n' \
'Content-Type: application/x-www-form-urlencoded\n'
post_data = 'foo=bar'
fr = http_request_parser(request_head, post_data)
self.assertIsInstance(fr, FuzzableRequest)
self.assertEqual(fr.get_method(), 'POST')
self.assertEqual(fr.get_data(), post_data)
def test_simple_GET_relative(self):
http_request = 'GET / HTTP/1.1\n' \
'Host: www.w3af.org\n' \
'Foo: bar\n'
fr = http_request_parser(http_request, '')
exp_headers = Headers([('Host', 'www.w3af.org'), ('Foo', 'bar')])
self.assertEquals(fr.get_headers(), exp_headers)
self.assertEqual(fr.get_url().get_domain(), 'www.w3af.org')
self.assertEqual(fr.get_data(), '')
def test_head_post_data(self):
request_head = 'POST http://www.w3af.org/ HTTP/1.1\n' \
'Host: www.w3af.org\n' \
'Content-Length: 7\n' \
'Content-Type: application/x-www-form-urlencoded\n'
post_data = 'foo=bar'
fr = http_request_parser(request_head, post_data)
self.assertIsInstance(fr, FuzzableRequest)
self.assertEqual(fr.get_method(), 'POST')
self.assertEqual(fr.get_data(), post_data)
def data(self, data):
if self.parsing_request:
if not self.current_is_base64:
request_text = data
head, postdata = request_text.split('\n\n', 1)
else:
request_text_b64 = data
request_text = base64.b64decode(request_text_b64)
head, postdata = request_text.split('\r\n\r\n', 1)
fuzzable_request = http_request_parser(head, postdata)
self.requests.append(fuzzable_request)
def test_POST_request(self):
self.http_daemon = HTTPDaemon()
self.http_daemon.start()
self.http_daemon.wait_for_start()
#
# Send the request to our server using the GUI
#
self.double_click('localhost')
self.type('127.0.0.1:%s' % self.http_daemon.get_port(), False)
# Move to the beginning
self.type(['<PgUp>',], False)
# Replace GET with POST
self.type(['<Delete>',], False)
self.type(['<Delete>',], False)
self.type(['<Delete>',], False)
self.type('POST', False)
# Move to the end (postdata)
self.type(['<PgDn>',], False)
post_data = 'foo=bar&spam=eggs'
self.type(post_data, False)
self.click('send')
# Wait until we actually get the response, and verify we got the
# response body we expected:
self.find('abcdef')
self.find('200_OK')
#
# Assert that it's what we really expected
#
requests = self.http_daemon.requests
self.assertEqual(len(requests), 1)
request = requests[0]
head, postdata = MANUAL_REQUEST_EXAMPLE, ''
http_request = http_request_parser(head, postdata)
self.assertEqual(http_request.get_url().get_path(), request.path)
self.assertEqual('POST', request.command)
for header_name, header_value in http_request.get_headers().iteritems():
self.assertIn(header_name.lower(), request.headers)
self.assertEqual(header_value, request.headers[header_name.lower()])
self.assertEqual(str(len(post_data)), request.headers['content-length'])
self.http_daemon.shutdown()
def data(self, data):
if self.parsing_request:
if not self.current_is_base64:
request_text = data
head, postdata = request_text.split('\n\n', 1)
else:
request_text_b64 = data
request_text = base64.b64decode(request_text_b64)
head, postdata = request_text.split('\r\n\r\n', 1)
fuzzable_request = http_request_parser(head, postdata)
self.requests.append(fuzzable_request)
def on_request_edit_finished(self, orig_http_request, head, post_data):
"""
This method is called when the user finishes editing the request that
will be sent to the wire.
:param orig_http_request: The original HTTP request
:param head: The headers for the modified request
:param post_data: The post-data for the modified request
:return: The HTTP response
"""
try:
http_request = http_request_parser(head, post_data)
http_response = self._send_http_request(http_request)
except Exception, e:
trace = str(traceback.format_exc())
http_response = self._create_error_response(orig_http_request, None, e, trace=trace)
def ruby_export(request_string):
"""
:param request_string: The string of the request to export
:return: A net/http based ruby script that will perform the same HTTP
request.
"""
# get the header and the body
splitted_request = request_string.split('\n\n')
header = splitted_request[0]
body = '\n\n'.join(splitted_request[1:])
http_request = http_request_parser(header, body)
# Now I do the real magic...
res = 'require \'net/https\'\n\n'
res += 'url = URI.parse("' + ruby_escape_string(
http_request.get_uri().url_string) + '")\n'
if http_request.get_data() != '\n' and http_request.get_data():
escaped_data = ruby_escape_string(str(http_request.get_data()))
res += 'data = "' + escaped_data + '"\n'
else:
res += 'data = nil\n'
res += 'headers = {\n'
headers = http_request.get_headers()
for header_name, header_value in headers.iteritems():
header_value = ruby_escape_string(header_value)
header_name = ruby_escape_string(header_name)
res += ' "' + header_name + '" => "' + header_value + '",\n'
res = res[:-2]
res += '\n}\n'
method = http_request.get_method()
res += 'res = Net::HTTP.start(url.host, url.port) do |http|\n'
res += ' http.use_ssl = '
if http_request.get_url().get_protocol().lower() == 'https':
res += 'true\n'
else:
res += 'false\n'
res += ' http.send_request("' + method + '", url.path, data, headers)\n'
res += 'end\n\n'
res += 'puts res.body\n'
return res
def test_POST_repeated(self):
request_head = 'POST http://www.w3af.org/ HTTP/1.1\n' \
'Host: www.w3af.org\n' \
'Content-Length: 7\n' \
'Content-Type: application/x-www-form-urlencoded\n' \
'Foo: spam\n' \
'Foo: eggs\n'
post_data = 'a=1&a=2'
fr = http_request_parser(request_head, post_data)
exp_headers = Headers([('Host', 'www.w3af.org'),
('Content-Type',
'application/x-www-form-urlencoded'),
('Foo', 'spam, eggs')])
self.assertEqual(fr.get_headers(), exp_headers)
self.assertEquals(fr.get_data(), post_data)
def test_POST_repeated(self):
request_head = 'POST http://www.w3af.org/ HTTP/1.1\n' \
'Host: www.w3af.org\n' \
'Content-Length: 7\n' \
'Content-Type: application/x-www-form-urlencoded\n' \
'Foo: spam\n' \
'Foo: eggs\n'
post_data = 'a=1&a=2'
fr = http_request_parser(request_head, post_data)
exp_headers = Headers([('Host', 'www.w3af.org'),
('Content-Type',
'application/x-www-form-urlencoded'),
('Foo', 'spam, eggs')])
self.assertEqual(fr.get_headers(), exp_headers)
self.assertEquals(fr.get_data(), post_data)
def ruby_export(request_string):
"""
:param request_string: The string of the request to export
:return: A net/http based ruby script that will perform the same HTTP
request.
"""
# get the header and the body
splitted_request = request_string.split("\n\n")
header = splitted_request[0]
body = "\n\n".join(splitted_request[1:])
http_request = http_request_parser(header, body)
# Now I do the real magic...
res = "require 'net/https'\n\n"
res += 'url = URI.parse("' + ruby_escape_string(http_request.get_uri().url_string) + '")\n'
if http_request.get_data() != "\n" and http_request.get_data():
escaped_data = ruby_escape_string(str(http_request.get_data()))
res += 'data = "' + escaped_data + '"\n'
else:
res += "data = nil\n"
res += "headers = {\n"
headers = http_request.get_headers()
for header_name, header_value in headers.iteritems():
header_value = ruby_escape_string(header_value)
header_name = ruby_escape_string(header_name)
res += ' "' + header_name + '" => "' + header_value + '",\n'
res = res[:-2]
res += "\n}\n"
method = http_request.get_method()
res += "res = Net::HTTP.start(url.host, url.port) do |http|\n"
res += " http.use_ssl = "
if http_request.get_url().get_protocol().lower() == "https":
res += "true\n"
else:
res += "false\n"
res += ' http.send_request("' + method + '", url.path, data, headers)\n'
res += "end\n\n"
res += "puts res.body\n"
return res
def on_request_edit_finished(self, orig_http_request, head, post_data):
"""
This method is called when the user finishes editing the request that
will be sent to the wire.
:param orig_http_request: The original HTTP request
:param head: The headers for the modified request
:param post_data: The post-data for the modified request
:return: The HTTP response
"""
try:
http_request = http_request_parser(head, post_data)
http_response = self._send_http_request(http_request)
except Exception, e:
trace = str(traceback.format_exc())
http_response = self._create_error_response(orig_http_request,
None,
e,
trace=trace)
def python_export(request_string):
"""
:param request_string: The string of the request to export
:return: A urllib2 based python script that will perform the same HTTP
request.
"""
# get the header and the body
splitted_request = request_string.split('\n\n')
header = splitted_request[0]
body = '\n\n'.join(splitted_request[1:])
http_request = http_request_parser(header, body)
# Now I do the real magic...
res = 'import urllib2\n\n'
res += 'url = "' + python_escape_string(http_request.get_uri()
.url_string) + '"\n'
if http_request.get_data() != '\n' and http_request.get_data():
escaped_data = python_escape_string(str(http_request.get_data()))
res += 'data = "' + escaped_data + '"\n'
else:
res += 'data = None\n'
res += 'headers = {\n'
headers = http_request.get_headers()
for header_name, header_value in headers.iteritems():
header_value = python_escape_string(header_value)
header_name = python_escape_string(header_name)
res += ' "' + header_name + '" : "' + header_value + '",\n'
res = res[:-2]
res += '\n}\n'
res += """
request = urllib2.Request(url, data, headers)
response = urllib2.urlopen(request)
response_body = response.read()
"""
res += 'print response_body\n'
return res
def python_export(request_string):
"""
:param request_string: The string of the request to export
:return: A urllib2 based python script that will perform the same HTTP
request.
"""
# get the header and the body
splitted_request = request_string.split('\n\n')
header = splitted_request[0]
body = '\n\n'.join(splitted_request[1:])
http_request = http_request_parser(header, body)
# Now I do the real magic...
res = 'import urllib2\n\n'
res += 'url = "' + python_escape_string(
http_request.get_uri().url_string) + '"\n'
if http_request.get_data() != '\n' and http_request.get_data():
escaped_data = python_escape_string(str(http_request.get_data()))
res += 'data = "' + escaped_data + '"\n'
else:
res += 'data = None\n'
res += 'headers = {\n'
headers = http_request.get_headers()
for header_name, header_value in headers.iteritems():
header_value = python_escape_string(header_value)
header_name = python_escape_string(header_name)
res += ' "' + header_name + '" : "' + header_value + '",\n'
res = res[:-2]
res += '\n}\n'
res += """
request = urllib2.Request(url, data, headers)
response = urllib2.urlopen(request)
response_body = response.read()
"""
res += 'print response_body\n'
return res
def test_GET_request(self):
self.http_daemon = HTTPDaemon()
self.http_daemon.start()
self.http_daemon.wait_for_start()
#
# Send the request to our server using the GUI
#
self.double_click('localhost')
self.type('127.0.0.1:%s' % self.http_daemon.get_port(), False)
self.click('play')
# Wait until we actually get the response, and verify we got the
# response body we expected:
self.click('response_tab')
self.find('abcdef')
self.find('200_OK')
#
# Assert that it's what we really expected
#
requests = self.http_daemon.requests
self.assertEqual(len(requests), 10)
head, postdata = FUZZY_REQUEST_EXAMPLE, ''
parsed_request = http_request_parser(head, postdata)
for i, daemon_request in enumerate(self.http_daemon.requests):
self.assertEqual('/%s' % i, daemon_request.path)
self.assertEqual(parsed_request.get_method(),
daemon_request.command)
for header_name, header_value in parsed_request.get_headers(
).iteritems():
self.assertIn(header_name.lower(), daemon_request.headers)
self.assertEqual(header_value,
daemon_request.headers[header_name.lower()])
self.http_daemon.shutdown()
def test_GET_request(self):
self.http_daemon = HTTPDaemon()
self.http_daemon.start()
self.http_daemon.wait_for_start()
#
# Send the request to our server using the GUI
#
self.double_click('localhost')
self.type('127.0.0.1:%s' % self.http_daemon.get_port(), False)
self.click('play')
# Wait until we actually get the response, and verify we got the
# response body we expected:
self.click('response_tab')
self.find('abcdef')
self.find('200_OK')
#
# Assert that it's what we really expected
#
requests = self.http_daemon.requests
self.assertEqual(len(requests), 10)
head, postdata = FUZZY_REQUEST_EXAMPLE, ''
parsed_request = http_request_parser(head, postdata)
for i, daemon_request in enumerate(self.http_daemon.requests):
self.assertEqual('/%s' % i, daemon_request.path)
self.assertEqual(parsed_request.get_method(), daemon_request.command)
for header_name, header_value in parsed_request.get_headers().iteritems():
self.assertIn(header_name.lower(), daemon_request.headers)
self.assertEqual(header_value, daemon_request.headers[header_name.lower()])
self.http_daemon.shutdown()
def do_fix_content_length(self, head, postdata):
"""
The user may have changed the postdata of the request, and not the
content-length header; so we are going to fix that problem.
"""
fuzzable_request = http_request_parser(head, postdata)
headers = fuzzable_request.get_headers()
if not fuzzable_request.get_data():
# In the past, maybe, we had a post-data. Now we don't have any,
# so we'll remove the content-length
try:
headers.idel('content-length')
except KeyError:
pass
else:
# We now have a post-data, so we better set the content-length
headers['content-length'] = str(len(fuzzable_request.get_data()))
head = fuzzable_request.dump_request_head()
return head, postdata
def ajax_export(request_string):
"""
:param request_string: The string of the request to export
:return: A javascript that will perform the same HTTP request.
"""
# get the header and the body
splitted_request = request_string.split('\n\n')
header = splitted_request[0]
body = '\n\n'.join(splitted_request[1:])
http_request = http_request_parser(header, body)
# Now I do the real magic...
# This is the header, to include the AJAX stuff:
res = """/* Init AJAX stuff */
var xmlhttp = false;
/*@cc_on @*/
/*@if (@_jscript_version >= 5)
// JScript gives us Conditional compilation, we can cope with old IE versions.
// and security blocked creation of the objects.
try {
xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
} catch (E) {
xmlhttp = false;
}
}
@end @*/
if (!xmlhttp && typeof XMLHttpRequest != 'undefined') {
try {
xmlhttp = new XMLHttpRequest();
} catch (e) {
xmlhttp = false;
}
}
if (!xmlhttp && window.createRequest) {
try {
xmlhttp = window.createRequest();
} catch (e) {
xmlhttp = false;
}
}
/* Finished AJAX initialization */
/* Create the request, please remember the same-origin policy, which might
affect how and if this request is sent by the browser */
"""
# Set the method and the path
res += 'xmlhttp.open("' + http_request.get_method() + '", "'
res += ajax_escape_string(
http_request.get_uri().url_string) + '", true);\n'
# For debugging
res += """
/* Debugging code, this should be removed for real life XSS exploits */
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == 4 ) {
alert(xmlhttp.responseText);
}
}
/* Add headers to the request and send it, please note that custom headers
might be removed by the browser and/or generate an exception that will
make the request fail */
"""
# Now I add the headers:
headers = http_request.get_headers()
for header_name, header_value in headers.iteritems():
res += 'xmlhttp.setRequestHeaders("' + ajax_escape_string(
header_name) + '", "'
res += ajax_escape_string(header_value) + '");\n'
# And finally the post data (if any)
if http_request.get_data() and http_request.get_data() != '\n':
res += 'var post_data = (<r><![CDATA[' + str(
http_request.get_data()) + ']]></r>).toString();\n'
res += 'xmlhttp.send(post_data);\n'
else:
res += 'xmlhttp.send(null);\n'
return res
def test_qs(self):
fr = http_request_parser('GET http://www.w3af.com/ HTTP/1.0', '')
self.assertIsInstance(fr, FuzzableRequest)
self.assertEqual(fr.get_method(), 'GET')
self.assertEqual(fr.get_data(), '')
def show_raw(self, head, body):
self._obj = http_request_parser(head, body)
self.synchronize()
def show_raw(self, head, body):
self._obj = http_request_parser(head, body)
self.synchronize()
def test_qs(self):
fr = http_request_parser('GET http://www.w3af.com/ HTTP/1.0', '')
self.assertIsInstance(fr, FuzzableRequest)
self.assertEqual(fr.get_method(), 'GET')
self.assertEqual(fr.get_data(), '')
def test_POST_request(self):
self.http_daemon = HTTPDaemon()
self.http_daemon.start()
self.http_daemon.wait_for_start()
#
# Send the request to our server using the GUI
#
self.double_click('localhost')
self.type('127.0.0.1:%s' % self.http_daemon.get_port(), False)
# Move to the beginning
self.type([
'<PgUp>',
], False)
# Replace GET with POST
self.type([
'<Delete>',
], False)
self.type([
'<Delete>',
], False)
self.type([
'<Delete>',
], False)
self.type('POST', False)
# Move to the end (postdata)
self.type([
'<PgDn>',
], False)
post_data = 'foo=bar&spam=eggs'
self.type(post_data, False)
self.click('send')
# Wait until we actually get the response, and verify we got the
# response body we expected:
self.find('abcdef')
self.find('200_OK')
#
# Assert that it's what we really expected
#
requests = self.http_daemon.requests
self.assertEqual(len(requests), 1)
request = requests[0]
head, postdata = MANUAL_REQUEST_EXAMPLE, ''
http_request = http_request_parser(head, postdata)
self.assertEqual(http_request.get_url().get_path(), request.path)
self.assertEqual('POST', request.command)
for header_name, header_value in http_request.get_headers().iteritems(
):
self.assertIn(header_name.lower(), request.headers)
self.assertEqual(header_value,
request.headers[header_name.lower()])
self.assertEqual(str(len(post_data)),
request.headers['content-length'])
self.http_daemon.shutdown()
