def test_false_positive_detection(self):
# Test whether false positives in database are identified properly
response = {
'scenario_id': '1',
'req_headers': 'headers',
'req_body': 'body',
'url': 'url',
'req_method': 'method',
'timestamp': datetime.datetime.utcnow(),
'server_protocol_error': False,
'server_timeout': False,
'server_error_text_detected': False,
'server_error_text_matched': 'matched_text',
'resp_statuscode': 'statuscode',
'resp_headers': 'resp_headers',
'resp_body': 'resp_body',
'resp_history': 'resp_history'
}
# First add one false positive and try checking against it
dbtools.add_false_positive(self.context, response)
self.assertEqual(dbtools.known_false_positive(self.context, response),
True, "Duplicate false positive not detected")
# Change one of the differentiating fields, and test, and
# add the tested one to the database.
response['scenario_id'] = '2' # Non-duplicate
self.assertEqual(dbtools.known_false_positive(self.context, response),
False, "Not a duplicate: scenario_id different")
dbtools.add_false_positive(self.context, response)
# Repeat for all the differentiating fields
response['server_protocol_error'] = 'Error text'
self.assertEqual(dbtools.known_false_positive(self.context,
response), False,
"Not a duplicate: server_protocol_error different")
dbtools.add_false_positive(self.context, response)
response['resp_statuscode'] = '500'
self.assertEqual(dbtools.known_false_positive(self.context, response),
False, "Not a duplicate: resp_statuscode different")
dbtools.add_false_positive(self.context, response)
response['server_timeout'] = True
self.assertEqual(dbtools.known_false_positive(self.context, response),
False, "Not a duplicate: server_timeout different")
dbtools.add_false_positive(self.context, response)
response['server_error_text_detected'] = True
self.assertEqual(
dbtools.known_false_positive(self.context, response), False,
"Not a duplicate: server_error_text_detected different")
dbtools.add_false_positive(self.context, response)
# Finally, test the last one again twice, now it ought to be
# reported back as a duplicate
self.assertEqual(dbtools.known_false_positive(self.context, response),
True, "A duplicate case not detected")
def step_impl(context):
"""Go through responses and save any that timed out into the database
"""
new_findings = 0
for response in context.responses:
if response.get('server_timeout') is True:
if fuzzdb.known_false_positive(context, response) is False:
fuzzdb.add_false_positive(context, response)
new_findings += 1
if new_findings > 0:
context.new_findings += new_findings
assert True
def step_impl(context):
"""Go through responses and save any that timed out into the database
"""
new_findings = 0
for response in context.responses:
if response.get('server_timeout') is True:
if fuzzdb.known_false_positive(context, response) is False:
fuzzdb.add_false_positive(context, response)
new_findings += 1
if new_findings > 0:
context.new_findings += new_findings
assert True
def step_impl(context):
"""Go through responses and store any with HTTP protocol errors
(as caught by Requests) into the database
"""
new_findings = 0
for response in context.responses:
if response.get('server_protocol_error') is not None:
if fuzzdb.known_false_positive(context, response) is False:
fuzzdb.add_false_positive(context, response)
new_findings += 1
if new_findings > 0:
context.new_findings += new_findings
assert True
def step_impl(context):
"""Go through responses and store any with HTTP protocol errors
(as caught by Requests) into the database
"""
new_findings = 0
for response in context.responses:
if response.get('server_protocol_error') is not None:
if fuzzdb.known_false_positive(context, response) is False:
fuzzdb.add_false_positive(context, response)
new_findings += 1
if new_findings > 0:
context.new_findings += new_findings
assert True
def step_impl(context, returncode_list):
"""Go through responses and store any with suspect return codes
into the database
"""
disallowed_returncodes = unpack_integer_range(returncode_list)
new_findings = 0
for response in context.responses:
if response['resp_statuscode'] in disallowed_returncodes:
if fuzzdb.known_false_positive(context, response) is False:
fuzzdb.add_false_positive(context, response)
new_findings += 1
if new_findings > 0:
context.new_findings += new_findings
assert True
def step_impl(context, returncode_list):
"""Go through responses and store any with suspect return codes
into the database
"""
disallowed_returncodes = unpack_integer_range(returncode_list)
new_findings = 0
for response in context.responses:
if response['resp_statuscode'] in disallowed_returncodes:
if fuzzdb.known_false_positive(context, response) is False:
fuzzdb.add_false_positive(context, response)
new_findings += 1
if new_findings > 0:
context.new_findings += new_findings
assert True
def step_impl(context):
"""Go through responses and store any that contain a string from
user-supplied list of strings into the database
"""
# Create a regex from the error response list
error_list = []
for row in context.table:
error_list.append(row['string'])
error_list_regex = "(" + ")|(".join(error_list) + ")"
# For each response, check that it isn't in the error response list
new_findings = 0
for response in context.responses:
if re.search(error_list_regex, response.get('resp_body'),
re.IGNORECASE) is not None:
response['server_error_text_detected'] = True
if fuzzdb.known_false_positive(context, response) is False:
fuzzdb.add_false_positive(context, response)
new_findings += 1
if new_findings > 0:
context.new_findings += new_findings
assert True
def step_impl(context):
"""Go through responses and store any that contain a string from
user-supplied list of strings into the database
"""
# Create a regex from the error response list
error_list = []
for row in context.table:
error_list.append(row['string'])
error_list_regex = "(" + ")|(".join(error_list) + ")"
# For each response, check that it isn't in the error response list
new_findings = 0
for response in context.responses:
if re.search(error_list_regex, response.get('resp_body'),
re.IGNORECASE) is not None:
response['server_error_text_detected'] = True
if fuzzdb.known_false_positive(context, response) is False:
fuzzdb.add_false_positive(context, response)
new_findings += 1
if new_findings > 0:
context.new_findings += new_findings
assert True
def test_false_positive_detection(self):
# Test whether false positives in database are identified properly
response = {'scenario_id': '1',
'req_headers': 'headers',
'req_body': 'body',
'url': 'url',
'req_method': 'method',
'timestamp': datetime.datetime.utcnow(),
'server_protocol_error': False,
'server_timeout': False,
'server_error_text_detected': False,
'server_error_text_matched': 'matched_text',
'resp_statuscode': 'statuscode',
'resp_headers': 'resp_headers',
'resp_body': 'resp_body',
'resp_history': 'resp_history'}
# First add one false positive and try checking against it
dbtools.add_false_positive(self.context, response)
self.assertEqual(dbtools.known_false_positive(self.context,
response),
True, "Duplicate false positive not detected")
# Change one of the differentiating fields, and test, and
# add the tested one to the database.
response['scenario_id'] = '2' # Non-duplicate
self.assertEqual(dbtools.known_false_positive(self.context,
response),
False, "Not a duplicate: scenario_id different")
dbtools.add_false_positive(self.context, response)
# Repeat for all the differentiating fields
response['server_protocol_error'] = 'Error text'
self.assertEqual(dbtools.known_false_positive(self.context,
response),
False, "Not a duplicate: server_protocol_error different")
dbtools.add_false_positive(self.context, response)
response['resp_statuscode'] = '500'
self.assertEqual(dbtools.known_false_positive(self.context,
response),
False, "Not a duplicate: resp_statuscode different")
dbtools.add_false_positive(self.context, response)
response['server_timeout'] = True
self.assertEqual(dbtools.known_false_positive(self.context,
response),
False, "Not a duplicate: server_timeout different")
dbtools.add_false_positive(self.context, response)
response['server_error_text_detected'] = True
self.assertEqual(dbtools.known_false_positive(self.context,
response),
False, "Not a duplicate: server_error_text_detected different")
dbtools.add_false_positive(self.context, response)
# Finally, test the last one again twice, now it ought to be
# reported back as a duplicate
self.assertEqual(dbtools.known_false_positive(self.context,
response),
True, "A duplicate case not detected")
