Exemplo n.º 1
0
    def bruteforce_wrapper(self, fuzzable_request):
        self.audit(fuzzable_request.copy())

        res = []
        for v in kb.kb.get(self.get_name(), 'auth'):
            if v.get_url() not in self._already_reported:
                self._already_reported.append(v.get_url())
                res.extend(create_fuzzable_requests(v['response']))
        return res
Exemplo n.º 2
0
    def bruteforce_wrapper(self, fuzzable_request):
        self.audit(fuzzable_request.copy())

        res = []
        for v in kb.kb.get(self.get_name(), 'auth'):
            if v.get_url() not in self._already_reported:
                self._already_reported.append(v.get_url())
                res.extend(create_fuzzable_requests(v['response']))
        return res
    def test_add_self(self):
        body = ''
        headers = Headers([('content-type', 'text/html')])
        http_response = HTTPResponse(200, body, headers, self.url, self.url)

        request_lst = create_fuzzable_requests(http_response, add_self=True)
        self.assertEqual(len(request_lst), 1)

        fr = request_lst[0]
        self.assertEqual(fr.get_url(), self.url)
        self.assertFalse('content-type' in fr.get_headers())
    def test_redirect_location(self):
        body = ''
        redir_url = 'http://www.w3af.org/'
        headers = Headers([('content-type', 'text/html'),
                           ('location', redir_url)])
        http_response = HTTPResponse(200, body, headers, self.url, self.url)

        redir_fr = create_fuzzable_requests(http_response, add_self=False)
        self.assertEqual(len(redir_fr), 1)

        redir_fr = redir_fr[0]
        self.assertEqual(redir_fr.get_url().url_string, redir_url)
    def test_redirect_uri_relative(self):
        body = ''
        redir_url = '/foo.bar'
        headers = Headers([('content-type', 'text/html'),
                           ('uri', redir_url)])
        http_response = HTTPResponse(200, body, headers, self.url, self.url)

        redir_fr = create_fuzzable_requests(http_response, add_self=False)
        self.assertEqual(len(redir_fr), 1)

        redir_fr = redir_fr[0]
        self.assertEqual(redir_fr.get_url(
        ).url_string, self.url.url_string[:-1] + redir_url)
    def test_cookie(self):
        body = ''
        redir_url = '/foo.bar'
        headers = Headers([('content-type', 'text/html'),
                           ('uri', redir_url),
                           ('cookie', 'abc=def')])
        http_response = HTTPResponse(200, body, headers, self.url, self.url)

        redir_fr_cookie = create_fuzzable_requests(http_response,
                                                   add_self=False)
        self.assertEqual(len(redir_fr_cookie), 1)

        redir_fr_cookie = redir_fr_cookie[0]
        self.assertEqual(str(redir_fr_cookie.get_cookie()), 'abc=def;')
    def test_body_parse_form(self):
        body = """<form action="/foo.bar" method="POST">
                    A: <input name="a" />
                    B: <input name="b" value="123" />
                  </form>"""
        headers = Headers([('content-type', 'text/html')])
        http_response = HTTPResponse(200, body, headers, self.url, self.url)

        post_request_lst = create_fuzzable_requests(
            http_response, add_self=False)
        self.assertEqual(len(post_request_lst), 1)

        post_request = post_request_lst[0]
        self.assertEqual(
            post_request.get_url().url_string, 'http://www.w3af.com/foo.bar')
        self.assertEqual(post_request.get_data(), 'a=&b=123')
        self.assertEqual(post_request.get_method(), 'POST')
        self.assertFalse('content-type' in post_request.get_headers())
Exemplo n.º 8
0
    def test_is_token_checked_true(self):
        generator = URL('http://moth/w3af/audit/csrf/secure-replay-allowed/')
        http_response = self.uri_opener.GET(generator)
        
        # Please note that this freq holds a fresh/valid CSRF token
        freq_lst = create_fuzzable_requests(http_response, add_self=False)
        self.assertEqual(len(freq_lst), 1)
        
        freq = freq_lst[0]

        # FIXME:
        # And I use this token here to get the original response, and if the
        # application is properly developed, that token will be invalidated
        # and that's where this algorithm fails.
        original_response = self.uri_opener.send_mutant(freq)
        
        token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
        checked = self.csrf_plugin._is_token_checked(freq, token, original_response)
        self.assertTrue(checked)
Exemplo n.º 9
0
    def test_is_token_checked_true(self):
        generator = URL('http://moth/w3af/audit/csrf/secure-replay-allowed/')
        http_response = self.uri_opener.GET(generator)

        # Please note that this freq holds a fresh/valid CSRF token
        freq_lst = create_fuzzable_requests(http_response, add_self=False)
        self.assertEqual(len(freq_lst), 1)

        freq = freq_lst[0]

        # FIXME:
        # And I use this token here to get the original response, and if the
        # application is properly developed, that token will be invalidated
        # and that's where this algorithm fails.
        original_response = self.uri_opener.send_mutant(freq)

        token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
        checked = self.csrf_plugin._is_token_checked(freq, token,
                                                     original_response)
        self.assertTrue(checked)
Exemplo n.º 10
0
 def test_is_token_checked_false(self):
     """
     This covers the case where there is a token but for some reason it
     is NOT verified by the web application.
     """
     generator = URL('http://moth/w3af/audit/csrf/vulnerable-token-ignored/')
     http_response = self.uri_opener.GET(generator)
     
     # Please note that this freq holds a fresh/valid CSRF token
     freq_lst = create_fuzzable_requests(http_response, add_self=False)
     self.assertEqual(len(freq_lst), 1)
     
     freq = freq_lst[0]
     # FIXME:
     # And I use this token here to get the original response, and if the
     # application is properly developed, that token will be invalidated
     # and that's where this algorithm fails.
     original_response = self.uri_opener.send_mutant(freq)
     
     token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
     checked = self.csrf_plugin._is_token_checked(freq, token, original_response)
     self.assertFalse(checked)
Exemplo n.º 11
0
    def test_body_parse_a(self):
        """
        TODO: I need to decide if I'm going to implement this in create_fuzzable_requests
              or if I'm going to delegate this responsability to the web_spider plugin
              only.

              Note that all the uses of create_fuzzable_requests can be found with:

              find . -name '*.py' | xargs grep create_fuzzable_requests

              And they all need to be analyzed before making a decision.
        """
        raise SkipTest('FIXME: See TODO.')

        body = '<a href="http://www.google.com/?id=1">click here</a>'
        headers = Headers([('content-type', 'text/html')])
        http_response = HTTPResponse(200, body, headers, self.url, self.url)

        request_lst = create_fuzzable_requests(http_response, add_self=False)
        self.assertEqual(len(request_lst), 1)

        fr = request_lst[0]
        self.assertEqual(fr.get_url().url_string, 'http://www.google.com/?id=1')
Exemplo n.º 12
0
    def test_is_token_checked_false(self):
        """
        This covers the case where there is a token but for some reason it
        is NOT verified by the web application.
        """
        generator = URL(
            'http://moth/w3af/audit/csrf/vulnerable-token-ignored/')
        http_response = self.uri_opener.GET(generator)

        # Please note that this freq holds a fresh/valid CSRF token
        freq_lst = create_fuzzable_requests(http_response, add_self=False)
        self.assertEqual(len(freq_lst), 1)

        freq = freq_lst[0]
        # FIXME:
        # And I use this token here to get the original response, and if the
        # application is properly developed, that token will be invalidated
        # and that's where this algorithm fails.
        original_response = self.uri_opener.send_mutant(freq)

        token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
        checked = self.csrf_plugin._is_token_checked(freq, token,
                                                     original_response)
        self.assertFalse(checked)
Exemplo n.º 13
0
 def _create_fuzzable_requests(self,
                               HTTPResponse,
                               request=None,
                               add_self=True):
     return create_fuzzable_requests(HTTPResponse, request, add_self)
Exemplo n.º 14
0
        for url in target_urls:
            try:
                #
                #    GET the initial target URLs in order to save them
                #    in a list and use them as our bootstrap URLs
                #
                response = self._w3af_core.uri_opener.GET(url, cache=True)
            except (ScanMustStopOnUrlError, BaseFrameworkException,
                    ScanMustStopException), w3:
                om.out.error('The target URL: %s is unreachable.' % url)
                om.out.error('Error description: %s' % w3)
            except Exception, e:
                om.out.error('The target URL: %s is unreachable '
                             'because of an unhandled exception.' % url)
                om.out.error('Error description: "%s". See debug '
                             'output for more information.' % e)
                om.out.error('Traceback for this error: %s' %
                             traceback.format_exc())
            else:
                all_fuzzable_requests = create_fuzzable_requests(response)
                filtered_seeds = filter(in_scope, all_fuzzable_requests)

                for seed in filtered_seeds:
                    self._out_queue.put((None, None, seed))

                    # Update the set that lives in the KB
                    kb.kb.add_fuzzable_request(seed)

        self._out_queue.put(POISON_PILL)
Exemplo n.º 15
0
 def _create_fuzzable_requests(self, HTTPResponse, request=None, add_self=True):
     return create_fuzzable_requests(HTTPResponse, request, add_self)
Exemplo n.º 16
0
 def test_not_add_self(self):
     body = ''
     headers = Headers([('content-type', 'text/html')])
     http_response = HTTPResponse(200, body, headers, self.url, self.url)
     request_lst = create_fuzzable_requests(http_response, add_self=False)
     self.assertEqual(len(request_lst), 0)