def _fill_form(self, fuzzable_req):
    """
    Populate the empty fields of the form carried by fuzzable_req.

    The request URL is recorded in self._already_filled_form, the data
    container is copied, and every empty-string value in the copy is
    replaced with the result of smart_fill() for that parameter name.
    Values that are already set (example: hidden fields like __VIEWSTATE)
    are left as they are, so they are sent back unchanged.

    :param fuzzable_req: The request whose data container is filled.
    :return: The same fuzzable_req, with the filled container set on it.
    """
    self._already_filled_form.add(fuzzable_req.get_url())

    filled_dc = fuzzable_req.get_dc().copy()
    static_types = ("checkbox", "file", "radio", "select")

    for field_name in filled_dc:
        # "Static" inputs are never touched; the type lookup is only made
        # when the container is a form.Form.
        if isinstance(filled_dc, form.Form) and \
                filled_dc.get_type(field_name) in static_types:
            continue

        for position, current in enumerate(filled_dc[field_name]):
            # TODO: Should I ignore it because it already has a value?
            already_set = current != ""
            if not already_set:
                # SmartFill it!
                filled_dc[field_name][position] = smart_fill(field_name)

    fuzzable_req.set_dc(filled_dc)
    return fuzzable_req
def _fill_form(self, fuzzable_req):
    '''
    Populate the empty fields of the form carried by fuzzable_req.

    The request URL is recorded in self._already_filled_form, the data
    container is copied, and every empty-string value in the copy is
    replaced with the result of smart_fill() for that parameter name.
    Values that are already set (example: hidden fields like __VIEWSTATE)
    are left as they are, so they are sent back unchanged.

    :param fuzzable_req: The request whose data container is filled.
    :return: The same fuzzable_req, with the filled container set on it.
    '''
    self._already_filled_form.add(fuzzable_req.get_url())

    filled_dc = fuzzable_req.get_dc().copy()
    static_types = ('checkbox', 'file', 'radio', 'select')

    for field_name in filled_dc:
        # "Static" inputs are never touched; the type lookup is only made
        # when the container is a form.Form.
        if isinstance(filled_dc, form.Form) and \
                filled_dc.get_type(field_name) in static_types:
            continue

        for position, current in enumerate(filled_dc[field_name]):
            # TODO: Should I ignore it because it already has a value?
            already_set = current != ''
            if not already_set:
                # SmartFill it!
                filled_dc[field_name][position] = smart_fill(field_name)

    fuzzable_req.set_dc(filled_dc)
    return fuzzable_req
def mutant_smart_fill(freq, dc_copy, ignore_pname, ignore_index, fuzzer_config):
    '''
    Fill the empty values of dc_copy with smart_fill() and put an upload
    file into every file variable of the request.

    :param freq: The fuzzable request (original request instance) we're
                 fuzzing; only its file variables are read here.
    :param dc_copy: The data container to fill. It is modified in place
                    and returned.
    :param ignore_pname: A parameter name to ignore
    :param ignore_index: The index we want to ignore
    :param fuzzer_config: Mapping read for 'fuzz_form_files', the extension
                          of the file to upload; 'gif' is used when that
                          entry is missing or falsy.
    :return: A data container that has been filled using smart_fill,
             ignoring the parameters that I'm fuzzing and filling the file
             inputs with valid image file.
    '''
    fuzzed_slot = (ignore_pname, ignore_index)

    for name in dc_copy:
        for position, _ in enumerate(dc_copy[name]):
            # The slot being fuzzed and the form types listed in
            # AVOID_FILLING_FORM_TYPES are never filled.
            if (name, position) == fuzzed_slot or \
                    dc_copy.get_type(name) in AVOID_FILLING_FORM_TYPES:
                continue

            # Fill only if the parameter does NOT have a value set.
            #
            # The reason of having this already set would be that the form
            # has something like this:
            #
            # <input type="text" name="p" value="foobar">
            #
            if dc_copy[name][position] == '':
                # Fill it smartly
                dc_copy[name][position] = smart_fill(name)

    # Please see the comment above (search for __HERE__) for an explanation
    # of what we are doing here:
    for file_var in freq.get_file_vars():
        # Try to upload a valid file
        wanted_ext = fuzzer_config.get('fuzz_form_files') or 'gif'

        # NOTE(review): the first returned value (a success flag) is not
        # checked; confirm the helper returns usable content either way.
        _found, content, upload_name = get_file_from_template(wanted_ext)

        # I have to create the NamedStringIO with a "name",
        # required for MultipartPostHandler
        # TODO: Is this hard-coded [0] enough?
        dc_copy[file_var][0] = NamedStringIO(content, name=upload_name)

    return dc_copy
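def test_default(self):
    """smart_fill('foobar') must return '56', the value this test treats as the default."""
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(smart_fill('foobar'), '56')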
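def test_ip_case_insensitive(self):
    """The upper-case parameter name 'IP' must be filled with '127.0.0.1'."""
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(smart_fill('IP'), '127.0.0.1')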
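def test_ip(self):
    """The parameter name 'ip' must be filled with '127.0.0.1'."""
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(smart_fill('ip'), '127.0.0.1')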
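def test_address_2(self):
    """The parameter name 'street_address' must be filled with 'Bonsai Street 123'."""
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(smart_fill('street_address'), 'Bonsai Street 123')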