def test_multipart_post(self): boundary, post_data = multipart_encode([('a', 'bcd'), ], []) multipart_boundary = 'multipart/form-data; boundary=%s' headers = Headers([('content-length', str(len(post_data))), ('content-type', multipart_boundary % boundary)]) fr = FuzzableRequest.from_parts(self.url, headers=headers, post_data=post_data, method='POST') form_params = FormParameters() form_params.add_input([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) expected_container = MultipartContainer(form_params) expected_headers = Headers([('content-type', multipart_boundary % boundary)]) self.assertEqual(fr.get_url(), self.url) self.assertEqual(fr.get_headers(), expected_headers) self.assertIn('multipart/form-data', fr.get_headers()['content-type']) self.assertEqual(fr.get_method(), 'POST') self.assertIsInstance(fr.get_raw_data(), MultipartContainer) self.assertEqual(fr.get_raw_data(), expected_container)
def from_postdata(cls, headers, post_data): if not MultipartContainer.is_multipart(headers): raise ValueError('No multipart content-type header.') environ = {'REQUEST_METHOD': 'POST'} try: fs = cgi.FieldStorage(fp=StringIO.StringIO(post_data), headers=headers.to_dict(), environ=environ) except ValueError: raise ValueError('Failed to create MultipartContainer.') else: # Please note that the FormParameters is just a container for # the information. # # When the FuzzableRequest is sent the framework calls get_data() # which returns a string version of this object, properly encoded # using multipart/form-data # # To make sure the web application properly decodes the request, we # also include the headers in get_headers() which include the # boundary form_params = FormParameters() for key in fs.list: if key.filename is None: form_params.add_input([('name', key.name), ('type', 'text'), ('value', key.file.read())]) else: form_params.set_file_name(key.name, key.filename) form_params.add_file_input([('name', key.name)]) return cls(form_params)
def create_vuln(self): v = super(FileUploadTemplate, self).create_vuln() form_params = FormParameters() for file_var in self.file_vars: form_params.add_file_input([("name", file_var), ("type", "file")]) for token in self.data.iter_tokens(): if token.get_name() in self.file_vars: continue form_params.add_input([("name", token.get_name()), ("type", "text"), ("value", token.get_value())]) mpc = MultipartContainer(form_params) freq = FuzzableRequest(self.url, method=self.method, post_data=mpc) mutant = PostDataMutant(freq) mutant.set_dc(mpc) mutant.set_token((self.vulnerable_parameter, 0)) # User configured settings v['file_vars'] = self.file_vars v['file_dest'] = self.file_dest v.set_mutant(mutant) return v
def from_postdata(cls, headers, post_data): if not MultipartContainer.is_multipart(headers): raise ValueError('No multipart content-type header.') environ = {'REQUEST_METHOD': 'POST'} try: fs = cgi.FieldStorage(fp=StringIO.StringIO(post_data), headers=headers.to_dict(), environ=environ) except ValueError: raise ValueError('Failed to create MultipartContainer.') else: # Please note that the FormParameters is just a container for # the information. # # When the FuzzableRequest is sent the framework calls get_data() # which returns a string version of this object, properly encoded # using multipart/form-data # # To make sure the web application properly decodes the request, we # also include the headers in get_headers() which include the # boundary form_params = FormParameters() for key in fs.list: if key.filename is None: form_params.add_input([('name', key.name), ('type', 'text'), ('value', key.file.read())]) else: form_params.set_file_name(key.name, key.filename) form_params.add_file_input([('name', key.name)]) return cls(form_params)
def create_vuln(self): v = super(FileUploadTemplate, self).create_vuln() form_params = FormParameters() for file_var in self.file_vars: form_params.add_file_input([("name", file_var), ("type", "file")]) for token in self.data.iter_tokens(): if token.get_name() in self.file_vars: continue form_params.add_input([("name", token.get_value()), ("type", "text")]) mpc = MultipartContainer(form_params) freq = FuzzableRequest(self.url, method=self.method, post_data=mpc) mutant = PostDataMutant(freq) mutant.set_dc(mpc) mutant.set_token((self.vulnerable_parameter, 0)) # User configured settings v['file_vars'] = self.file_vars v['file_dest'] = self.file_dest v.set_mutant(mutant) return v
def test_mutant_creation_repeated_parameter_name(self): form_params = FormParameters() form_params.add_input([("name", "id"), ("value", "")]) form_params.add_input([("name", "id"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://w3af.com/?foo=3'), post_data=form, method='GET') created_mutants = PostDataMutant.create_mutants( freq, self.payloads, [], False, self.fuzzer_config) expected_dcs = [ 'id=def&id=3419', 'id=3419&id=def', 'id=3419&id=abc', 'id=abc&id=3419' ] created_dcs = [str(i.get_dc()) for i in created_mutants] self.assertEqual(set(created_dcs), set(expected_dcs)) token = created_mutants[0].get_token() self.assertEqual(token.get_name(), 'id') self.assertEqual(token.get_original_value(), '') token = created_mutants[2].get_token() self.assertEqual(token.get_name(), 'id') self.assertEqual(token.get_original_value(), '') for m in created_mutants: self.assertIsInstance(m, PostDataMutant) for m in created_mutants: self.assertEqual(m.get_method(), 'GET')
def test_keep_sync(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("type", "text")]) form_params.add_input([("name", "pwd"), ("type", "password")]) form = Form(form_params) self.assertNotIn('address', form_params) self.assertNotIn('address', form) # Add to the form_params form_params['address'] = [''] self.assertIn('address', form_params) self.assertIn('address', form) # Add to the Form object form['company'] = [''] self.assertIn('company', form_params) self.assertIn('company', form) # Del from the Form object del form['address'] self.assertNotIn('address', form) self.assertNotIn('address', form_params) # Del from the FormParams object del form_params['company'] self.assertNotIn('company', form) self.assertNotIn('company', form_params)
def test_login_form_utils(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("type", "text")]) form_params.add_input([("name", "pwd"), ("type", "password")]) form = Form(form_params) self.assertTrue(form.is_login_form()) self.assertFalse(form.is_registration_form()) self.assertFalse(form.is_password_change_form()) self.assertEqual(form.get_parameter_type_count(), (1, 1, 0)) user_token, pass_token = form.get_login_tokens() self.assertEqual(user_token.get_name(), 'username') self.assertEqual(pass_token.get_name(), 'pwd') self.assertEqual(user_token.get_value(), '') self.assertEqual(pass_token.get_value(), '') form.set_login_username('andres') self.assertEqual(form['username'][0], 'andres') self.assertEqual(form['pwd'][0], '') form.set_login_username('pablo') form.set_login_password('long-complex') self.assertEqual(form['username'][0], 'pablo') self.assertEqual(form['pwd'][0], 'long-complex') self.assertIs(form.get_form_params(), form_params)
def test_mutant_creation_repeated_parameter_name(self): form_params = FormParameters() form_params.add_input([("name", "id"), ("value", "")]) form_params.add_input([("name", "id"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://w3af.com/?foo=3'), post_data=form, method='GET') created_mutants = PostDataMutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) expected_dcs = ['id=def&id=3419', 'id=3419&id=def', 'id=3419&id=abc', 'id=abc&id=3419'] created_dcs = [str(i.get_dc()) for i in created_mutants] self.assertEqual(set(created_dcs), set(expected_dcs)) token = created_mutants[0].get_token() self.assertEqual(token.get_name(), 'id') self.assertEqual(token.get_original_value(), '') token = created_mutants[2].get_token() self.assertEqual(token.get_name(), 'id') self.assertEqual(token.get_original_value(), '') for m in created_mutants: self.assertIsInstance(m, PostDataMutant) for m in created_mutants: self.assertEqual(m.get_method(), 'GET')
def create_form_params_helper(form_data): """ Creates a dc.Form object from a dict container :param form_data: A list containing dicts representing a form's internal structure :return: A dc.Form object from `form_data` """ new_form_params = FormParameters() for elem_data in form_data: elem_type = elem_data['tagname'] attrs = elem_data.items() if elem_type == 'input': _type = elem_data['type'] if _type == 'radio': new_form_params.add_radio(attrs) elif _type == 'checkbox': new_form_params.add_check_box(attrs) elif _type in ('text', 'hidden'): new_form_params.add_input(attrs) elif elem_type == 'select': new_form_params.add_select(elem_data['name'], elem_data['options']) return new_form_params
def test_sent_post_data(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", """d'z"0""")]) form_params.add_input([("name", "address"), ("value", "")]) form = dc_from_form_params(form_params) f = FuzzableRequest(URL('http://example.com/'), post_data=form) self.assertTrue(f.sent('d%5C%27z%5C%220'))
def test_sent_post_data(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", """d'z"0""")]) form_params.add_input([("name", "address"), ("value", "")]) form = dc_from_form_params(form_params) f = FuzzableRequest(URL('http://example.com/'), post_data=form) self.assertTrue(f.sent('d%5C%27z%5C%220'))
def test_login_form_utils(self): form = FormParameters() form.add_input([("name", "username"), ("type", "text")]) form.add_input([("name", "pwd"), ("type", "password")]) self.assertTrue(form.is_login_form()) self.assertFalse(form.is_registration_form()) self.assertFalse(form.is_password_change_form()) self.assertEqual(form.get_parameter_type_count(), (1, 1, 0))
def create_simple_fuzzable_request(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "abc")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) return FuzzableRequest.from_form(form)
def create_simple_fuzzable_request(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "abc")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) return FuzzableRequest.from_form(form)
def test_cpickle_simple(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("type", "text")]) form_params.add_input([("name", "pwd"), ("type", "password")]) form = Form(form_params) pickled_form = cPickle.loads(cPickle.dumps(form)) self.assertEqual(pickled_form.items(), form.items())
def test_dc_from_form_params_without_files_nor_enctype(self): form_params = FormParameters() form_params.add_input([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) urlencode_dc = dc_from_form_params(form_params) self.assertIsInstance(urlencode_dc, URLEncodedForm) self.assertEqual(urlencode_dc.get_file_vars(), []) self.assertEqual(urlencode_dc['a'], ['bcd'])
def upload_file(self, _file): form_params = FormParameters() form_params.add_file_input([("name", "uploadedfile")]) form_params.add_input([("name", "MAX_FILE_SIZE"), ("type", "hidden"), ("value", "10000")]) mpc = MultipartContainer(form_params) mpc["uploadedfile"][0] = _file resp = self.opener.POST(self.MOTH_FILE_UP_URL, data=str(mpc), headers=Headers(mpc.get_headers())) self.assertIn("was successfully uploaded", resp.get_body())
def test_dc_from_form_params_without_files_with_multipart_enctype(self): form_params = FormParameters() form_params.set_form_encoding('multipart/form-data') form_params.add_input([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) mpdc = dc_from_form_params(form_params) self.assertIsInstance(mpdc, MultipartContainer) self.assertEqual(mpdc.get_file_vars(), []) self.assertEqual(mpdc['a'], ['bcd'])
def test_dc_from_form_params_without_files_nor_enctype(self): form_params = FormParameters() form_params.add_input([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) urlencode_dc = dc_from_form_params(form_params) self.assertIsInstance(urlencode_dc, URLEncodedForm) self.assertEqual(urlencode_dc.get_file_vars(), []) self.assertEqual(urlencode_dc['a'], ['bcd'])
def test_form_copy(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("type", "text")]) form_params.add_input([("name", "pwd"), ("type", "password")]) form = Form(form_params) form.set_token(('username', 0)) form_copy = copy.deepcopy(form) self.assertEqual(form.get_token(), form_copy.get_token()) self.assertIsNot(None, form_copy.get_token())
def test_is_suitable(self): # False because no cookie is set and no QS nor post-data url = URL('http://moth/') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) # False because no cookie is set url = URL('http://moth/?id=3') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) url_sends_cookie = URL( 'http://moth/w3af/core/cookie_handler/set-cookie.php') self.uri_opener.GET(url_sends_cookie) # Still false because it doesn't have any QS or POST data url = URL('http://moth/') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) self.csrf_plugin._strict_mode = True # Still false because of the strict mode url = URL('http://moth/?id=3') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) # False, no items in post-data url = URL('http://moth/') req = FuzzableRequest(url, method='POST', post_data=URLEncodedForm()) suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) # True, items in DC, POST (passes strict mode) and cookies url = URL('http://moth/') form_params = FormParameters() form_params.add_input([('name', 'test'), ('type', 'text')]) form = URLEncodedForm(form_params) req = FuzzableRequest(url, method='POST', post_data=form) suitable = self.csrf_plugin._is_suitable(req) self.assertTrue(suitable) self.csrf_plugin._strict_mode = False # True now that we have strict mode off, cookies and QS url = URL('http://moth/?id=3') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertTrue(suitable)
def test_is_suitable(self): # False because no cookie is set and no QS nor post-data url = URL('http://moth/') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) # False because no cookie is set url = URL('http://moth/?id=3') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) url_sends_cookie = URL( 'http://moth/w3af/core/cookie_handler/set-cookie.php') self.uri_opener.GET(url_sends_cookie) # Still false because it doesn't have any QS or POST data url = URL('http://moth/') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) self.csrf_plugin._strict_mode = True # Still false because of the strict mode url = URL('http://moth/?id=3') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) # False, no items in post-data url = URL('http://moth/') req = FuzzableRequest(url, method='POST', post_data=URLEncodedForm()) suitable = self.csrf_plugin._is_suitable(req) self.assertFalse(suitable) # True, items in DC, POST (passes strict mode) and cookies url = URL('http://moth/') form_params = FormParameters() form_params.add_input([('name', 'test'), ('type', 'text')]) form = URLEncodedForm(form_params) req = FuzzableRequest(url, method='POST', post_data=form) suitable = self.csrf_plugin._is_suitable(req) self.assertTrue(suitable) self.csrf_plugin._strict_mode = False # True now that we have strict mode off, cookies and QS url = URL('http://moth/?id=3') req = FuzzableRequest(url, method='GET') suitable = self.csrf_plugin._is_suitable(req) self.assertTrue(suitable)
def test_clean_form_fuzzable_request_form(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "abc")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) expected = u'(POST)-http://example.com/?id=number!username=string&address=string' self.assertEqual(self.vdb._clean_fuzzable_request(fr), expected)
def test_dc_from_form_params_without_files_with_multipart_enctype(self): form_params = FormParameters() form_params.set_form_encoding('multipart/form-data') form_params.add_input([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) mpdc = dc_from_form_params(form_params) self.assertIsInstance(mpdc, MultipartContainer) self.assertEqual(mpdc.get_file_vars(), []) self.assertEqual(mpdc['a'], ['bcd'])
def test_upload_file_using_fuzzable_request(self): form_params = FormParameters() form_params.add_file_input([("name", "uploadedfile")]) form_params["uploadedfile"][0] = NamedStringIO("file content", name="test.txt") form_params.add_input([("name", "MAX_FILE_SIZE"), ("type", "hidden"), ("value", "10000")]) mpc = MultipartContainer(form_params) freq = FuzzableRequest(self.MOTH_FILE_UP_URL, post_data=mpc, method="POST") resp = self.opener.send_mutant(freq) self.assertIn("was successfully uploaded", resp.get_body())
def test_dc_from_form_params_with_files(self): form_params = FormParameters() form_params.set_file_name('b', 'hello.txt') form_params.add_file_input([('name', 'b')]) form_params.add_input([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) mpdc = dc_from_form_params(form_params) self.assertIsInstance(mpdc, MultipartContainer) self.assertEqual(mpdc.get_file_vars(), ['b']) self.assertEqual(mpdc['a'], ['bcd'])
def test_clean_form_fuzzable_request_form(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "abc")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) expected = u'(POST)-http://example.com/?id=number!username=string&address=string' self.assertEqual(self.vdb._clean_fuzzable_request(fr), expected)
def test_mutant_iter_bound_tokens(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", ""), ("type", "password")]) form_params.add_input([("name", "address"), ("value", "")]) form = Form(form_params) for form_copy, _ in form.iter_bound_tokens(): self.assertIsInstance(form_copy, Form) self.assertEquals(form_copy.items(), form.items()) self.assertEquals(form_copy.get_parameter_type('username'), FormParameters.INPUT_TYPE_PASSWD)
def test_dc_from_form_params_with_files(self): form_params = FormParameters() form_params.set_file_name('b', 'hello.txt') form_params.add_file_input([('name', 'b')]) form_params.add_input([('name', 'a'), ('type', 'text'), ('value', 'bcd')]) mpdc = dc_from_form_params(form_params) self.assertIsInstance(mpdc, MultipartContainer) self.assertEqual(mpdc.get_file_vars(), ['b']) self.assertEqual(mpdc['a'], ['bcd'])
def upload_file(self, _file): form_params = FormParameters() form_params.add_file_input([('name', 'uploadedfile')]) form_params.add_input([('name', 'MAX_FILE_SIZE'), ('type', 'hidden'), ('value', '10000')]) mpc = MultipartContainer(form_params) mpc['uploadedfile'][0] = _file resp = self.opener.POST(self.MOTH_FILE_UP_URL, data=str(mpc), headers=Headers(mpc.get_headers())) self.assertIn('was successfully uploaded', resp.get_body())
def test_mutant_smart_fill_simple(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "")]) form_params.add_input([("name", "address"), ("value", "")]) form_params['username'][0] = DataToken('username', '', ('username', 0)) form = Form(form_params) form.smart_fill() self.assertEqual(form['username'], ['', ]) self.assertEqual(form['address'], ['Bonsai Street 123', ]) self.assertIsInstance(form['username'][0], DataToken) self.assertIs(form.get_form_params(), form_params)
def test_from_form_POST(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "abc")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) self.assertIs(fr.get_uri(), form.get_action()) self.assertIs(fr.get_raw_data(), form) self.assertEqual(fr.get_method(), 'POST') self.assertEqual(fr.get_uri().querystring, QueryString([('id', ['1'])]))
def test_found_at(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "")]) form_params.add_input([("name", "address"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form, method='PUT') m = PostDataMutant(freq) m.get_dc().set_token(('username', 0)) expected = '"http://www.w3af.com/?id=3", using HTTP method PUT. '\ 'The sent post-data was: "username=&address=" '\ 'which modifies the "username" parameter.' self.assertEqual(m.found_at(), expected)
def test_mutant_creation(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "")]) form_params.add_input([("name", "address"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form, method='PUT') created_mutants = PostDataMutant.create_mutants( freq, self.payloads, [], False, self.fuzzer_config) expected_dcs = [ 'username=def&address=Bonsai%20Street%20123', 'username=abc&address=Bonsai%20Street%20123', 'username=John8212&address=def', 'username=John8212&address=abc' ] created_dcs = [str(i.get_dc()) for i in created_mutants] self.assertEqual(set(created_dcs), set(expected_dcs)) token = created_mutants[0].get_token() self.assertEqual(token.get_name(), 'username') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'abc') token = created_mutants[1].get_token() self.assertEqual(token.get_name(), 'address') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'abc') token = created_mutants[2].get_token() self.assertEqual(token.get_name(), 'username') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'def') token = created_mutants[3].get_token() self.assertEqual(token.get_name(), 'address') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'def') for m in created_mutants: self.assertIsInstance(m, PostDataMutant) for m in created_mutants: self.assertEqual(m.get_method(), 'PUT')
def create_simple_filecontent_mutant(self, container_klass): form_params = FormParameters() form_params.set_method('POST') form_params.set_action(self.url) form_params.add_input([("name", "username"), ("value", "")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.add_file_input([("name", "file"), ("type", "file")]) form = container_klass(form_params) freq = FuzzableRequest.from_form(form) m = FileContentMutant(freq) m.get_dc().set_token(('file', 0)) m.set_token_value('abc') return m
def test_found_at(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "")]) form_params.add_input([("name", "address"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form, method='PUT') m = PostDataMutant(freq) m.get_dc().set_token(('username', 0)) expected = '"http://www.w3af.com/?id=3", using HTTP method PUT. '\ 'The sent post-data was: "username=&address=" '\ 'which modifies the "username" parameter.' self.assertEqual(m.found_at(), expected)
def create_simple_filecontent_mutant(self, container_klass): form_params = FormParameters() form_params.set_method('POST') form_params.set_action(self.url) form_params.add_input([("name", "username"), ("value", "")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.add_file_input([("name", "file"), ("type", "file")]) form = container_klass(form_params) freq = FuzzableRequest.from_form(form) m = FileContentMutant(freq) m.get_dc().set_token(('file', 0)) m.set_token_value('abc') return m
def test_from_form_POST(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "abc")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) self.assertIs(fr.get_uri(), form.get_action()) self.assertIs(fr.get_raw_data(), form) self.assertEqual(fr.get_method(), 'POST') self.assertEqual(fr.get_uri().querystring, QueryString([('id', ['1'])]))
def test_mutant_creation(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "")]) form_params.add_input([("name", "address"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form, method='PUT') created_mutants = PostDataMutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config) expected_dcs = ['username=def&address=Bonsai%20Street%20123', 'username=abc&address=Bonsai%20Street%20123', 'username=John8212&address=def', 'username=John8212&address=abc'] created_dcs = [str(i.get_dc()) for i in created_mutants] self.assertEqual(set(created_dcs), set(expected_dcs)) token = created_mutants[0].get_token() self.assertEqual(token.get_name(), 'username') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'abc') token = created_mutants[1].get_token() self.assertEqual(token.get_name(), 'address') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'abc') token = created_mutants[2].get_token() self.assertEqual(token.get_name(), 'username') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'def') token = created_mutants[3].get_token() self.assertEqual(token.get_name(), 'address') self.assertEqual(token.get_original_value(), '') self.assertEqual(token.get_value(), 'def') for m in created_mutants: self.assertIsInstance(m, PostDataMutant) for m in created_mutants: self.assertEqual(m.get_method(), 'PUT')
def test_upload_file_using_fuzzable_request(self): form_params = FormParameters() form_params.add_file_input([('name', 'uploadedfile')]) form_params['uploadedfile'][0] = NamedStringIO('file content', name='test.txt') form_params.add_input([('name', 'MAX_FILE_SIZE'), ('type', 'hidden'), ('value', '10000')]) mpc = MultipartContainer(form_params) freq = FuzzableRequest(self.MOTH_FILE_UP_URL, post_data=mpc, method='POST') resp = self.opener.send_mutant(freq) self.assertIn('was successfully uploaded', resp.get_body())
def test_from_form_default(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "abc")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/')) # Without a method #form_params.set_method('GET') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) expected_url = 'http://example.com/?username=abc&address=' self.assertEqual(fr.get_uri().url_string, expected_url) self.assertEqual(fr.get_uri().querystring, 'username=abc&address=') self.assertIsInstance(fr.get_uri().querystring, URLEncodedForm) self.assertEqual(fr.get_method(), 'GET') self.assertIsNot(fr.get_raw_data(), form)
def test_from_form_default(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "abc")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/')) # Without a method #form_params.set_method('GET') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) expected_url = 'http://example.com/?username=abc&address=' self.assertEqual(fr.get_uri().url_string, expected_url) self.assertEqual(fr.get_uri().querystring, 'username=abc&address=') self.assertIsInstance(fr.get_uri().querystring, URLEncodedForm) self.assertEqual(fr.get_method(), 'GET') self.assertIsNot(fr.get_raw_data(), form)
def test_form_file_post_no_files(self): cf_singleton.save("fuzzable_headers", []) cf_singleton.save("fuzz_cookies", False) cf_singleton.save("fuzz_url_filenames", False) cf_singleton.save("fuzzed_files_extension", "gif") cf_singleton.save("fuzz_form_files", True) # This one changed cf_singleton.save("fuzz_url_parts", False) form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "")]) form_params.add_input([("name", "address"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL("http://www.w3af.com/?id=3"), post_data=form, method="PUT") mutants = create_mutants(freq, self.payloads) self.assertTrue(all(isinstance(m, QSMutant) for m in mutants[:2])) self.assertTrue(all(isinstance(m, PostDataMutant) for m in mutants[4:])) self.assertTrue(all(m.get_method() == "PUT" for m in mutants)) expected_uris = { "http://www.w3af.com/?id=abc", "http://www.w3af.com/?id=def", "http://www.w3af.com/?id=3", "http://www.w3af.com/?id=3", "http://www.w3af.com/?id=3", "http://www.w3af.com/?id=3", } created_uris = set([i.get_uri().url_string for i in mutants]) self.assertEqual(expected_uris, created_uris) expected_dcs = { "id=abc", "id=def", "username=abc&address=Bonsai%20Street%20123", "username=def&address=Bonsai%20Street%20123", "username=John8212&address=abc", "username=John8212&address=def", } created_dcs = set([str(i.get_dc()) for i in mutants]) self.assertEqual(created_dcs, expected_dcs)
def test_store_fuzzable_request(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "abc")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) ds = DiskSet() ds.add(fr) stored_fr = ds[0] self.assertEqual(stored_fr, fr) self.assertIsNot(stored_fr, fr)
def test_store_fuzzable_request(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "abc")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) ds = DiskSet() ds.add(fr) stored_fr = ds[0] self.assertEqual(stored_fr, fr) self.assertIsNot(stored_fr, fr)
def test_mutant_smart_fill_with_file(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.add_file_input([("name", "file"), ("type", "file")]) form = Form(form_params) form['username'][0] = DataToken('username', '', ('username', 0)) form.smart_fill() self.assertEqual(form['username'], ['', ]) self.assertEqual(form['address'], ['Bonsai Street 123', ]) self.assertIsInstance(form['username'][0], DataToken) str_file = form['file'][0] self.assertEqual(str_file.name[-4:], '.gif') self.assertIn('GIF', str_file) self.assertIs(form.get_form_params(), form_params)
def test_form_file_post_no_files(self): cf_singleton.save('fuzzable_headers', []) cf_singleton.save('fuzz_cookies', False) cf_singleton.save('fuzz_url_filenames', False) cf_singleton.save('fuzzed_files_extension', 'gif') cf_singleton.save('fuzz_form_files', True) # This one changed cf_singleton.save('fuzz_url_parts', False) form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "")]) form_params.add_input([("name", "address"), ("value", "")]) form = URLEncodedForm(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form, method='PUT') mutants = create_mutants(freq, self.payloads) self.assertTrue(all(isinstance(m, QSMutant) for m in mutants[:2])) self.assertTrue(all( isinstance(m, PostDataMutant) for m in mutants[4:])) self.assertTrue(all(m.get_method() == 'PUT' for m in mutants)) expected_uris = { 'http://www.w3af.com/?id=abc', 'http://www.w3af.com/?id=def', 'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3' } created_uris = set([i.get_uri().url_string for i in mutants]) self.assertEqual(expected_uris, created_uris) expected_dcs = { 'id=abc', 'id=def', 'username=abc&address=Bonsai%20Street%20123', 'username=def&address=Bonsai%20Street%20123', 'username=John8212&address=abc', 'username=John8212&address=def' } created_dcs = set([str(i.get_dc()) for i in mutants]) self.assertEqual(created_dcs, expected_dcs)
def test_multipart_post(self): boundary, post_data = multipart_encode([("a", "bcd")], []) multipart_boundary = "multipart/form-data; boundary=%s" headers = Headers([("content-length", str(len(post_data))), ("content-type", multipart_boundary % boundary)]) fr = FuzzableRequest.from_parts(self.url, headers=headers, post_data=post_data, method="POST") form_params = FormParameters() form_params.add_input([("name", "a"), ("type", "text"), ("value", "bcd")]) expected_container = MultipartContainer(form_params) expected_headers = Headers([("content-type", multipart_boundary % boundary)]) self.assertEqual(fr.get_url(), self.url) self.assertEqual(fr.get_headers(), expected_headers) self.assertIn("multipart/form-data", fr.get_headers()["content-type"]) self.assertEqual(fr.get_method(), "POST") self.assertIsInstance(fr.get_raw_data(), MultipartContainer) self.assertEqual(fr.get_raw_data(), expected_container)
def test_mutant_creation_file(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "default")]) form_params.add_file_input([("name", "file_upload")]) form = MultipartContainer(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/upload'), post_data=form, method='POST') payloads = [file(__file__)] created_mutants = PostDataMutant.create_mutants(freq, payloads, ['file_upload', ], False, self.fuzzer_config) self.assertEqual(len(created_mutants), 1, created_mutants) mutant = created_mutants[0] self.assertIsInstance(mutant.get_token().get_value(), file) self.assertEqual(mutant.get_dc()['username'][0], 'default')
def test_mutant_creation_file(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "default")]) form_params.add_file_input([("name", "file_upload")]) form = MultipartContainer(form_params) freq = FuzzableRequest(URL('http://www.w3af.com/upload'), post_data=form, method='POST') payloads = [file(__file__)] created_mutants = PostDataMutant.create_mutants( freq, payloads, [ 'file_upload', ], False, self.fuzzer_config) self.assertEqual(len(created_mutants), 1, created_mutants) mutant = created_mutants[0] self.assertIsInstance(mutant.get_token().get_value(), file) self.assertEqual(mutant.get_dc()['username'][0], 'default')