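def test_save_current_to_new_profile(self):
    """Disable one audit plugin, save the result as a new profile, and
    check that a fresh core loading that profile sees the same selection.

    The temporary profile is removed in a ``finally`` block so a failing
    assertion does not leave ``unittest-OWASP_TOP10`` on disk where it
    would be picked up by later profile tests.
    """
    new_profile = 'unittest-OWASP_TOP10'
    w3af_core = w3afCore()
    w3af_core.profiles.use_profile('OWASP_TOP10', workdir='.')

    audit = w3af_core.plugins.get_enabled_plugins('audit')
    disabled_plugin = audit[-1]
    audit = audit[:-1]
    w3af_core.plugins.set_plugins(audit, 'audit')

    enabled = w3af_core.plugins.get_enabled_plugins('audit')
    self.assertEqual(set(enabled), set(audit))
    self.assertNotIn(disabled_plugin, enabled)

    w3af_core.profiles.save_current_to_new_profile(new_profile)
    try:
        # A clean core must start with nothing enabled; only loading the
        # saved profile should bring the plugin selection back.
        w3af_core = w3afCore()
        self.assertEqual(w3af_core.plugins.get_enabled_plugins('audit'), [])

        w3af_core.profiles.use_profile(new_profile)
        enabled_plugins = w3af_core.plugins.get_all_enabled_plugins()

        self.assertNotIn(disabled_plugin, enabled_plugins['audit'])
        self.assertIn('credit_cards', enabled_plugins['grep'])
        self.assertIn('private_ip', enabled_plugins['grep'])
        self.assertIn('dns_wildcard', enabled_plugins['infrastructure'])
        self.assertIn('web_spider', enabled_plugins['crawl'])
    finally:
        w3af_core.profiles.remove_profile(new_profile)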
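def test_saveCurrentToNewProfile(self):
    """Disable one audit plugin, save as a new profile and verify a fresh
    core reloads the same selection (legacy camelCase API).

    Cleanup of the temporary profile runs in ``finally`` so a failed
    assertion does not leave ``unittest-OWASP_TOP10`` behind.
    """
    new_profile = 'unittest-OWASP_TOP10'
    w3af_core = w3afCore()
    w3af_core.profiles.useProfile('OWASP_TOP10')

    audit = w3af_core.plugins.getEnabledPlugins('audit')
    disabled_plugin = audit[-1]
    audit = audit[:-1]
    w3af_core.plugins.setPlugins(audit, 'audit')

    enabled = w3af_core.plugins.getEnabledPlugins('audit')
    self.assertEqual(enabled, audit)
    self.assertNotIn(disabled_plugin, enabled)

    w3af_core.profiles.saveCurrentToNewProfile(new_profile)
    try:
        # Fresh core: nothing enabled until the saved profile is loaded.
        w3af_core = w3afCore()
        self.assertEqual(w3af_core.plugins.getEnabledPlugins('audit'), [])

        w3af_core.profiles.useProfile(new_profile)
        enabled_plugins = w3af_core.plugins.getAllEnabledPlugins()

        self.assertNotIn(disabled_plugin, enabled_plugins['audit'])
        self.assertIn('creditCards', enabled_plugins['grep'])
        self.assertIn('privateIP', enabled_plugins['grep'])
        self.assertIn('dnsWildcard', enabled_plugins['discovery'])
    finally:
        w3af_core.profiles.removeProfile(new_profile)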
def test_remove_profile(self):
    """A removed profile must no longer be loadable: ``use_profile`` on
    its name is expected to raise ``w3afException``."""
    profile_name = 'unittest-remove'
    core = w3afCore()
    core.profiles.save_current_to_new_profile(profile_name)
    core.profiles.remove_profile(profile_name)
    with self.assertRaises(w3afException):
        core.profiles.use_profile(profile_name)
def test_use_all_profiles(self):
    """Load every shipped profile and require that none is flagged invalid.

    This guards against stale profiles: when a plugin adds, renames or
    removes a configuration parameter (or the plugin is deleted), loading
    the profile prints the "seems to be outdated ... some of your settings
    might have been lost" warning and lists issues such as
    ``Setting the options for plugin "infrastructure.server_header"
    raised an exception due to unknown configuration parameters``.
    Re-saving the profile from a current framework fixes it.
    """
    core = w3afCore()
    valid, invalid = core.profiles.get_profile_list('.')

    # Sanity: the checkout ships more than a handful of profiles and every
    # one of them must parse.
    self.assertGreater(len(valid), 5)
    self.assertEqual(invalid, [])

    for profile in valid:
        core.profiles.use_profile(profile.get_name(), workdir='.')
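def test_error_handling(self):
    """An output plugin whose ``information`` raises must be captured by
    the core's exception handler instead of killing the output manager.

    ``om.out._output_plugin_instances`` is module-global state; it is
    saved and restored in ``finally`` so the broken plugin does not leak
    into every later test that writes to the output manager.
    """
    class InvalidPlugin(object):
        def information(self, msg, new_line=True):
            raise Exception('Test')

        def error(self, msg, new_line=True):
            pass

        def get_name(self):
            return 'InvalidPlugin'

    w3af_core = w3afCore()
    saved_instances = om.out._output_plugin_instances
    om.out._output_plugin_instances = [InvalidPlugin(), ]
    try:
        om.out.information('abc')
        om.out.process_all_messages()

        exc_list = w3af_core.exception_handler.get_all_exceptions()
        self.assertEqual(len(exc_list), 1, exc_list)
        self.assertEqual(str(exc_list[0].exception), 'Test')
    finally:
        om.out._output_plugin_instances = saved_instances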
def test_getPluginInstanceAll(self):
    """Every plugin of every type (plus ``attack``) can be instantiated
    and reports the name it was loaded under (legacy camelCase API)."""
    core = w3afCore()
    plugin_types = list(core.plugins.getPluginTypes()) + ['attack']
    for ptype in plugin_types:
        for pname in core.plugins.getPluginList(ptype):
            inst = core.plugins.getPluginInstance(pname, ptype)
            self.assertEqual(inst.getName(), pname)
def test_getPluginList(self):
    """A few well-known audit plugins must appear in the audit list."""
    core = w3afCore()
    audit_plugins = core.plugins.getPluginList('audit')
    for expected_name in ('sqli', 'xss', 'eval'):
        self.assertIn(expected_name, audit_plugins)
def test_set_plugins_negative(self):
    """Enabling a plugin name that does not exist raises ``ValueError``
    by default (no ``raise_on_error=False``)."""
    core = w3afCore()
    with self.assertRaises(ValueError):
        core.plugins.set_plugins(['fake', ], 'output')
def test_strategy_exception(self):
    """When a consumer raises during the scan, the strategy must still
    call ``terminate`` and leave only the long-lived core threads behind."""
    core = w3afCore()

    target_opts = core.target.get_options()
    target_opts['target'].set_value(self.TARGET_URL)
    core.target.set_options(target_opts)

    core.plugins.set_plugins(['sqli', ], 'audit')
    core.plugins.init_plugins()
    core.verify_environment()
    core.scan_start_hook()

    strategy = w3af_core_strategy(core)
    # Force a failure inside the strategy and spy on terminate().
    strategy.join_all_consumers = Mock(side_effect=Exception)
    strategy.terminate = Mock(wraps=strategy.terminate)

    with self.assertRaises(Exception):
        strategy.start()
    self.assertTrue(strategy.terminate.called)

    # Skip the exploit phase so scan_end_hook() returns promptly.
    core.exploit_phase_prerequisites = lambda: 42
    core.scan_end_hook()

    live_names = [thread.name for thread in threading.enumerate()]
    self.assertEqual(len(live_names), 3, live_names)
    self.assertEqual(set(live_names),
                     {'MainThread', 'SQLiteExecutor', 'OutputManager'})
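def test_error_handling(self):
    """A raising output plugin must surface through the core's exception
    handler rather than breaking the output manager.

    The patched ``om.out._output_plugin_instances`` is restored in
    ``finally`` so the fake plugin does not pollute later tests.
    """
    class InvalidPlugin(object):
        def information(self, msg, new_line=True):
            raise Exception('Test')

        def error(self, msg, new_line=True):
            pass

        def get_name(self):
            return 'InvalidPlugin'

    w3af_core = w3afCore()
    saved_instances = om.out._output_plugin_instances
    om.out._output_plugin_instances = [InvalidPlugin(), ]
    try:
        om.out.information('abc')
        om.out.process_all_messages()

        exc_list = w3af_core.exception_handler.get_all_exceptions()
        self.assertEqual(len(exc_list), 1, exc_list)
        self.assertEqual(str(exc_list[0].exception), 'Test')
    finally:
        om.out._output_plugin_instances = saved_instances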
def setUp(self):
    """Install the ``exception_raise`` test plugin and prepare a core.

    The plugin source lives under ``core/controllers/tests`` and is copied
    into the real ``plugins/crawl`` directory so the plugin loader finds
    it; ``tearDown`` is responsible for deleting the copy again.
    """
    self.src = os.path.join('core', 'controllers', 'tests',
                            'exception_raise.py')
    self.dst = os.path.join('plugins', 'crawl', 'exception_raise.py')
    shutil.copy(self.src, self.dst)

    core = w3afCore()
    core.target.set_options(create_target_option_list(URL('http://moth/')))
    core.plugins.set_plugins(['exception_raise', ], 'crawl')

    # Initialise plugins and check the environment as a real scan would.
    core.plugins.init_plugins()
    core.verify_environment()

    self.w3afcore = core
    self.exception_plugin = core.plugins.plugins['crawl'][0]
def setUp(self):
    """Create a core and instantiate every ``grep`` plugin for the tests."""
    self.url_str = "http://moth/"
    self.url_inst = URL(self.url_str)
    self._w3af = w3afCore()
    plugins = self._w3af.plugins
    self._plugins = [plugins.get_plugin_inst("grep", name)
                     for name in plugins.get_plugin_list("grep")]
def test_set_plugins(self):
    """Enabling a single audit plugin is reflected by ``get_enabled_plugins``."""
    core = w3afCore()
    wanted = ['sqli', ]
    core.plugins.set_plugins(wanted, 'audit')
    self.assertEqual(core.plugins.get_enabled_plugins('audit'), wanted)
def test_get_plugin_types(self):
    """The core exposes exactly the known plugin types (``attack`` is
    deliberately not part of this list)."""
    core = w3afCore()
    expected = {'grep', 'output', 'mangle', 'audit', 'crawl', 'evasion',
                'bruteforce', 'auth', 'infrastructure'}
    self.assertEqual(set(core.plugins.get_plugin_types()), expected)
def test_plugin_options(self):
    """Options read from a plugin instance survive a set/get round-trip
    through the plugin manager."""
    core = w3afCore()
    spider = core.plugins.get_plugin_inst('crawl', 'web_spider')
    original_opts = spider.get_options()

    core.plugins.set_plugin_options('crawl', 'web_spider', original_opts)
    stored_opts = core.plugins.get_plugin_options('crawl', 'web_spider')

    self.assertEqual(original_opts, stored_opts)
def __initRoot(self, do_upd):
    """Initialise the root console menu.

    Runs the console updater first (forced when ``do_upd`` is true), then
    builds the core and enables the ``console`` output plugin so the UI
    has somewhere to print.
    """
    ConsoleUIUpdater(force=do_upd).update()

    self._w3af = w3afCore()
    self._w3af.plugins.set_plugins(['console'], 'output')
def test_get_plugin_instAll(self):
    """Every plugin of every type (plus ``attack``) instantiates and
    reports the name it was loaded under."""
    core = w3afCore()
    plugin_types = list(core.plugins.get_plugin_types()) + ['attack']
    for ptype in plugin_types:
        for pname in core.plugins.get_plugin_list(ptype):
            inst = core.plugins.get_plugin_inst(ptype, pname)
            self.assertEqual(inst.get_name(), pname)
def test_plugin_options(self):
    """Options round-trip through setPluginOptions/getPluginOptions
    (legacy camelCase API)."""
    core = w3afCore()
    spider = core.plugins.getPluginInstance('webSpider', 'discovery')
    original_opts = spider.getOptions()

    core.plugins.setPluginOptions('discovery', 'webSpider', original_opts)
    stored_opts = core.plugins.getPluginOptions('discovery', 'webSpider')

    self.assertEqual(original_opts, stored_opts)
def setUp(self):
    """Create a core and instantiate every ``grep`` plugin for the tests."""
    self.url_str = 'http://moth/'
    self.url_inst = URL(self.url_str)
    self._w3af = w3afCore()
    plugins = self._w3af.plugins
    self._plugins = [plugins.get_plugin_inst('grep', name)
                     for name in plugins.get_plugin_list('grep')]
def test_set_plugins_negative_without_raise(self):
    """With ``raise_on_error=False`` an unknown plugin name is returned
    instead of raising, and ``init_plugins`` still completes."""
    core = w3afCore()
    requested = ['fake', ]
    unknown = core.plugins.set_plugins(requested, 'output',
                                       raise_on_error=False)
    self.assertEqual(unknown, requested)
    # Must not blow up on the unknown entry.
    core.plugins.init_plugins()
def test_useProfile(self):
    """Loading OWASP_TOP10 enables representative plugins of each type
    (legacy camelCase API)."""
    core = w3afCore()
    core.profiles.useProfile('OWASP_TOP10')
    enabled = core.plugins.getAllEnabledPlugins()

    self.assertIn('sqli', enabled['audit'])
    self.assertIn('creditCards', enabled['grep'])
    self.assertIn('privateIP', enabled['grep'])
    self.assertIn('dnsWildcard', enabled['discovery'])
def test_init_plugins(self):
    """After ``init_plugins`` exactly one crawl instance exists and it is
    the ``web_spider`` that was enabled."""
    core = w3afCore()
    core.plugins.set_plugins(['web_spider'], 'crawl')
    core.plugins.init_plugins()

    crawl_instances = list(core.plugins.plugins['crawl'])
    self.assertEqual(len(crawl_instances), 1, crawl_instances)
    self.assertEqual(crawl_instances[0].get_name(), 'web_spider')
def test_enable_all(self):
    """``['all']`` expands to every crawl plugin, with no duplicates."""
    core = w3afCore()
    core.plugins.set_plugins(['all'], 'crawl')
    core.plugins.init_plugins()

    enabled = core.plugins.get_enabled_plugins('crawl')
    available = core.plugins.get_plugin_list('crawl')
    self.assertEqual(set(enabled), set(available))
    self.assertEqual(len(enabled), len(available))
def test_get_all_enabled_plugins(self):
    """``get_all_enabled_plugins`` reports each type's enabled list."""
    core = w3afCore()
    selection = {'audit': ['sqli', 'xss'], 'grep': ['private_ip']}
    for ptype, names in selection.items():
        core.plugins.set_plugins(names, ptype)

    all_enabled = core.plugins.get_all_enabled_plugins()
    for ptype, names in selection.items():
        self.assertEqual(all_enabled[ptype], names)
def test_enable_dependency_same_type(self):
    """Enabling ``php_eggs`` pulls in its same-type dependency
    ``server_header`` during ``init_plugins``."""
    core = w3afCore()
    core.plugins.set_plugins(['php_eggs', ], 'infrastructure')
    core.plugins.init_plugins()

    expected = {'php_eggs', 'server_header'}
    enabled = core.plugins.get_enabled_plugins('infrastructure')
    self.assertEqual(set(enabled), expected)
def setUp(self):
    """Instantiate every plugin of every type (plus ``attack``) into a
    flat list (legacy camelCase API)."""
    self.w3afcore = w3afCore()
    manager = self.w3afcore.plugins
    self.plugin_types = manager.getPluginTypes() + ['attack']
    self.plugins = [manager.getPluginInstance(pname, ptype)
                    for ptype in self.plugin_types
                    for pname in manager.getPluginList(ptype)]
def test_getAllEnabledPlugins(self):
    """``getAllEnabledPlugins`` reports each type's enabled list
    (legacy camelCase API)."""
    core = w3afCore()
    selection = {'audit': ['sqli', 'xss'], 'grep': ['privateIP']}
    for ptype, names in selection.items():
        core.plugins.setPlugins(names, ptype)

    all_enabled = core.plugins.getAllEnabledPlugins()
    for ptype, names in selection.items():
        self.assertEqual(all_enabled[ptype], names)
def test_init_plugins(self):
    """After ``init_plugins`` the single discovery instance is
    ``webSpider`` (legacy camelCase API)."""
    core = w3afCore()
    core.plugins.setPlugins(['webSpider'], 'discovery')
    core.plugins.init_plugins()

    discovery = core.plugins.plugins['discovery']
    self.assertEqual(len(discovery), 1)
    self.assertEqual(discovery[0].getName(), 'webSpider')
def test_use_profile(self):
    """Loading OWASP_TOP10 enables representative plugins of each type."""
    core = w3afCore()
    core.profiles.use_profile('OWASP_TOP10', workdir='.')
    enabled = core.plugins.get_all_enabled_plugins()

    expectations = (('audit', 'sqli'),
                    ('grep', 'credit_cards'),
                    ('grep', 'private_ip'),
                    ('infrastructure', 'dns_wildcard'),
                    ('crawl', 'web_spider'))
    for ptype, pname in expectations:
        self.assertIn(pname, enabled[ptype])
def test_enable_all_all(self):
    """``['all']`` for every plugin type enables every plugin, with no
    duplicates and no type left out."""
    core = w3afCore()
    types = core.plugins.get_plugin_types()
    for ptype in types:
        core.plugins.set_plugins(['all', ], ptype)
    core.plugins.init_plugins()

    for ptype in types:
        enabled = core.plugins.get_enabled_plugins(ptype)
        available = core.plugins.get_plugin_list(ptype)
        self.assertEqual(set(enabled), set(available))
        self.assertEqual(len(enabled), len(available))
def test_enable_not_web_spider_all(self):
    """``'!web_spider'`` before ``'all'`` excludes only that plugin."""
    core = w3afCore()
    core.plugins.set_plugins(['!web_spider', 'all'], 'crawl')
    core.plugins.init_plugins()

    # Copy before mutating: the list comes from the plugin manager.
    expected = list(core.plugins.get_plugin_list('crawl'))
    expected.remove('web_spider')

    self.assertEqual(set(core.plugins.get_enabled_plugins('crawl')),
                     set(expected))
def test_spider_with_time_limit(self):
    """Run two crawls with ``max_discovery_time`` of 1 and 2 minutes and
    check that the longer budget finds more URLs and takes longer.

    Note: ``max_discovery_time`` is written to the global ``cf.cf``
    config and not restored here; later tests inherit the value 2.
    """
    #
    # First scan
    #
    cf.cf.save('max_discovery_time', 1)
    cfg = self._run_configs['basic']
    start_time = time.time()
    self._scan(self.target_url, cfg['plugins'])
    end_time = time.time()
    first_scan_time = end_time - start_time
    len_first_urls = len(self.kb.get_all_known_urls())
    self.assertGreater(len_first_urls, 500)
    self.assertLess(first_scan_time, 120)
    # Cleanup
    self.w3afcore.quit()
    self.kb.cleanup()
    self.w3afcore = w3afCore()
    #
    # Second scan
    #
    cf.cf.save('max_discovery_time', 2)
    cfg = self._run_configs['basic']
    start_time = time.time()
    self._scan(self.target_url, cfg['plugins'])
    end_time = time.time()
    second_scan_time = end_time - start_time
    len_second_urls = len(self.kb.get_all_known_urls())
    self.assertGreater(len_second_urls, 900)
    self.assertGreater(len_second_urls, len_first_urls)
    self.assertLess(second_scan_time, 150)
    # The setup delta is the time it takes w3af to setup the scan, and
    # finish once the should_stop_scan method returns true. The 60 in the
    # next line is the initial scan time of 1 minute
    setup_delta = first_scan_time - 60
    # Scan should take at least the setup time, 2 minutes which is the time
    # delay and because the setup_delta might be a little bit off, we just
    # substract some seconds from it
    at_least_takes = setup_delta + 120 - 10
    self.assertGreater(second_scan_time, at_least_takes)
def test_cant_start_new_thread_bug(self):
    """Regression test for
    https://github.com/andresriancho/w3af/issues/56 ("can't start new
    thread"): repeatedly loading every profile must not exhaust threads
    now that sqlite threads are managed differently."""
    core = w3afCore()
    valid_profiles, _ = core.profiles.get_profile_list('.')
    names = [profile.get_name() for profile in valid_profiles]

    for _ in xrange(10):
        for name in names:
            core.profiles.use_profile(name, workdir='.')
def setUp(self):
    """Instantiate every plugin of every type (plus ``attack``), grouped
    by type in ``self.plugins``."""
    self.w3afcore = w3afCore()
    manager = self.w3afcore.plugins
    self.plugin_types = manager.get_plugin_types() + ['attack']
    self.plugins = {}
    for ptype in self.plugin_types:
        self.plugins[ptype] = [manager.get_plugin_inst(ptype, pname)
                               for pname in manager.get_plugin_list(ptype)]
def test_enable_all_but_two(self):
    """``'all'`` combined with two ``'!name'`` exclusions enables
    everything except those two."""
    core = w3afCore()
    excluded = ('web_spider', 'archive_dot_org')
    core.plugins.set_plugins(['all'] + ['!' + name for name in excluded],
                             'crawl')
    core.plugins.init_plugins()

    # Copy before mutating: the list comes from the plugin manager.
    expected = list(core.plugins.get_plugin_list('crawl'))
    for name in excluded:
        expected.remove(name)

    self.assertEqual(set(core.plugins.get_enabled_plugins('crawl')),
                     set(expected))
def test_enable_dependency_same_type(self):
    """Enabling ``php_eggs`` pulls in its same-type dependency
    ``server_header`` during ``init_plugins``."""
    core = w3afCore()
    core.plugins.set_plugins(['php_eggs', ], 'infrastructure')
    core.plugins.init_plugins()

    expected = {'php_eggs', 'server_header'}
    enabled = core.plugins.get_enabled_plugins('infrastructure')
    self.assertEqual(set(enabled), expected)
def test_queue_status_not_started(self):
    """Before a scan starts every crawl/audit queue statistic is ``None``."""
    status = w3af_core_status(w3afCore())
    getters = ('get_crawl_input_speed', 'get_crawl_output_speed',
               'get_crawl_qsize', 'get_crawl_current_fr', 'get_crawl_eta',
               'get_audit_input_speed', 'get_audit_output_speed',
               'get_audit_qsize', 'get_audit_current_fr', 'get_audit_eta')
    for getter_name in getters:
        self.assertIsNone(getattr(status, getter_name)(), getter_name)
def test_enable_all_all(self):
    """``['all']`` for every plugin type enables every plugin, with no
    duplicates and no type left out."""
    core = w3afCore()
    types = core.plugins.get_plugin_types()
    for ptype in types:
        core.plugins.set_plugins(['all', ], ptype)
    core.plugins.init_plugins()

    for ptype in types:
        enabled = core.plugins.get_enabled_plugins(ptype)
        available = core.plugins.get_plugin_list(ptype)
        self.assertEqual(set(enabled), set(available))
        self.assertEqual(len(enabled), len(available))
def setUp(self):
    """Instantiate every plugin of every type (plus ``attack``), grouped
    by type in ``self.plugins``."""
    self.w3afcore = w3afCore()
    manager = self.w3afcore.plugins
    self.plugin_types = manager.get_plugin_types() + ['attack']
    self.plugins = {}
    for ptype in self.plugin_types:
        self.plugins[ptype] = [manager.get_plugin_inst(ptype, pname)
                               for pname in manager.get_plugin_list(ptype)]
def test_enable_dependency_same_type_order(self):
    """A same-type dependency (``server_header``) is ordered before the
    plugin that needs it (``php_eggs``), both in the enabled-name list
    and in the instantiated plugin list."""
    core = w3afCore()
    core.plugins.set_plugins(['php_eggs', ], 'infrastructure')
    core.plugins.init_plugins()

    enabled_names = core.plugins.get_enabled_plugins('infrastructure')
    self.assertEqual(enabled_names.index('server_header'), 0)
    self.assertEqual(enabled_names.index('php_eggs'), 1)

    instances = core.plugins.plugins['infrastructure']
    instance_names = [inst.get_name() for inst in instances[:2]]
    self.assertEqual(instance_names, ['server_header', 'php_eggs'])
def test_enable_dependency_different_type(self):
    """Enabling the ``url_fuzzer`` crawl plugin auto-enables its
    infrastructure dependency ``allowed_methods`` without touching the
    crawl selection."""
    core = w3afCore()
    core.plugins.set_plugins(['url_fuzzer', ], 'crawl')
    # Nothing is enabled for 'infrastructure' explicitly; init_plugins
    # is expected to add the dependency on its own.
    core.plugins.init_plugins()

    self.assertEqual(set(core.plugins.get_enabled_plugins('crawl')),
                     {'url_fuzzer'})
    self.assertEqual(
        set(core.plugins.get_enabled_plugins('infrastructure')),
        {'allowed_methods'})
def test_all_wizards(self):
    """Generator test: build every wizard module found under
    ``core/controllers/wizard/wizards/`` and run both the "correct" and
    the "fail" scenario against a fresh instance each."""
    wizard_dir = 'core/controllers/wizard/wizards/'
    module_tmpl = 'core.controllers.wizard.wizards.%s'
    core = w3afCore()

    for filename in os.listdir(wizard_dir):
        wizard_id, ext = os.path.splitext(filename)
        if ext == '.pyc' or wizard_id in ('__init__', '.git'):
            continue
        module_path = module_tmpl % wizard_id
        # A separate instance per scenario so state from the "correct"
        # run cannot leak into the "fail" run.
        yield self._test_wizard_correct, factory(module_path, core)
        yield self._test_wizard_fail, factory(module_path, core)
def test_enable_dependency_different_type(self):
    """Enabling the ``url_fuzzer`` crawl plugin auto-enables its
    infrastructure dependency ``allowed_methods`` without touching the
    crawl selection."""
    core = w3afCore()
    core.plugins.set_plugins(['url_fuzzer', ], 'crawl')
    # Nothing is enabled for 'infrastructure' explicitly; init_plugins
    # is expected to add the dependency on its own.
    core.plugins.init_plugins()

    self.assertEqual(set(core.plugins.get_enabled_plugins('crawl')),
                     {'url_fuzzer'})
    self.assertEqual(
        set(core.plugins.get_enabled_plugins('infrastructure')),
        {'allowed_methods'})
def test_strategy_run(self):
    """A full strategy run against the target finds the expected sqli
    vulnerability, worker threads are alive while auditing, and only the
    long-lived core threads remain after the scan ends."""
    core = w3afCore()

    target_opts = core.target.get_options()
    target_opts['target'].set_value(self.TARGET_URL)
    core.target.set_options(target_opts)

    core.plugins.set_plugins(['sqli', ], 'audit')
    core.plugins.init_plugins()
    core.verify_environment()
    core.scan_start_hook()

    self.called_teardown_audit = False

    def spy_teardown(wrapped):
        # Assert while the audit pool is still up, then record the call.
        live_names = [thread.name for thread in threading.enumerate()]
        self.assertIn('WorkerThread', live_names)
        self.called_teardown_audit = True
        return wrapped

    strategy = w3af_core_strategy(core)
    strategy._teardown_audit = spy_teardown(strategy._teardown_audit)
    strategy.start()

    self.assertTrue(self.called_teardown_audit)
    self.assertEqual(len(kb.get('sqli', 'sqli')), 1)

    # Skip the exploit phase so scan_end_hook() returns promptly.
    core.exploit_phase_prerequisites = lambda: 42
    core.scan_end_hook()

    live_names = [thread.name for thread in threading.enumerate()]
    self.assertEqual(len(live_names), 3, live_names)
    self.assertEqual(set(live_names),
                     {'MainThread', 'SQLiteExecutor', 'OutputManager'})
def test_all_questions(self):
    """Generator test over every question module under
    ``core/controllers/wizard/questions/``.

    ``_test_qid`` creates the instance, exercises all getters and
    setters, and checks that "back" works.
    """
    question_dir = 'core/controllers/wizard/questions/'
    module_tmpl = 'core.controllers.wizard.questions.%s'
    core = w3afCore()

    for filename in os.listdir(question_dir):
        question_id, ext = os.path.splitext(filename)
        if ext == '.pyc' or question_id in ('__init__', '.git'):
            continue
        yield self._test_qid, factory(module_tmpl % question_id, core)