def test_init_function_is_called_when_invoking_get_instance(self):
init_function = FunctionMock()
proxy = ExpensiveResourceProxy(init_function)
proxy.get_instance()
assert_that(init_function.has_been_called)
def test_init_function_is_called_when_invoking_get_instance(self):
init_function = FunctionMock()
proxy = ExpensiveResourceProxy(init_function)
proxy.get_instance()
assert_that(init_function.has_been_called)
def test_result_of_init_function_is_cached_by_the_proxy(self):
init_function = FunctionMock()
proxy = ExpensiveResourceProxy(init_function)
first_instance = proxy.get_instance()
second_instance = proxy.get_instance()
assert_that(init_function.number_of_calls, equal_to(1))
assert_that(first_instance is second_instance)
def test_result_of_init_function_is_cached_by_the_proxy(self):
init_function = FunctionMock()
proxy = ExpensiveResourceProxy(init_function)
first_instance = proxy.get_instance()
second_instance = proxy.get_instance()
assert_that(init_function.number_of_calls, equal_to(1))
assert_that(first_instance is second_instance)
def setUpClass(cls):
"""Prepares the OWTF instance, and clean the possible existing temp files"""
cls.clean_temp_files(
) # Cleans logfile and owtf_review/ before starting
cls.core_instance_proxy = ExpensiveResourceProxy(
CoreInitialiser("http://" + cls.TARGET))
super(PluginTestCase, cls).setUpClass()
class InteractiveShellTests(BaseTestCase):
shell_proxy = ExpensiveResourceProxy(InteractiveShellEnvironmentBuilder())
def before(self):
self.interactive_shell = self.__class__.shell_proxy.get_instance()
def test_Open_has_to_create_a_new_shell_connection(self):
assert_that(self.interactive_shell.Connection is not None)
assert_that(isinstance(self.interactive_shell.Connection, AsyncPopen))
def test_Run_command_in_a_shell(self):
output = self.interactive_shell.Run('pwd')
expected = self.get_abs_path(".")
assert_that(output, matches_regexp(expected))
def test_RunCommandList_runs_more_than_one_command_in_a_shell(self):
output = self.interactive_shell.RunCommandList(['pwd', "echo 1234"])
pwd_expected = self.get_abs_path(".")
echo_expected = "1234"
assert_that(output, matches_regexp(pwd_expected))
assert_that(output, matches_regexp(echo_expected))
def test_Close_should_kill_the_connection(self):
# As we are using the same instance for all the tests, it's necessary to make a backup
# of some methods and attributes, to make this test independent from the others.
shell_backup = self._get_backup(self.interactive_shell, "Run", "Connection")
#{"Run": self.interactive_shell.Run,"Connection": self.interactive_shell.Connection}
self.interactive_shell.Run = MethodMock(1, "exit")
self.interactive_shell.Connection = flexmock()
self.interactive_shell.Connection.should_receive("kill").once()
try:
self.interactive_shell.Close(None)
assert_that(self.interactive_shell.Connection is None)
finally:
# Tear down
self._restore_backup(self.interactive_shell, shell_backup)
def _get_backup(self, target, *attrs):
backup = {}
for attr in attrs:
backup[attr] = getattr(target, attr)
return backup
def _restore_backup(self, target, backup):
for name, obj in backup.items():
setattr(target, name, obj)
class PluginHandlerEnvironmentBuilder():
plugin_config_proxy = ExpensiveResourceProxy(PluginConfigEnvironmentBuilder())
def __init__(self):
self._create_core_mock()
self._create_shell_mock()
self.plugin_handler = PluginHandler(self.core_mock, self._get_options())
flexmock(self.plugin_handler.scanner)
def get_plugin_handler(self):
return self.plugin_handler
def _create_core_mock(self):
self.core_mock = flexmock()
self._create_config_mock()
def _create_config_mock(self):
self.core_mock.Config = flexmock()
self.core_mock.Config.Plugin = self.__class__.plugin_config_proxy.get_instance()
self.core_mock.Config.should_receive("GetProcessPerCore").and_return(1)
self.core_mock.Config.should_receive("GetMinRam").and_return(0)
def _create_shell_mock(self):
self.core_mock.Shell = flexmock()
self.core_mock.Shell.should_receive("shell_exec").and_return(100)
def _get_options(self):
return {"Simulation": False,
"Scope": "localhost",
"PluginGroup": "web",
"PluginType": "quiet",
"Algorithm": "breadth",
"ListPlugins": None,
"OnlyPlugins": None,
"ExceptPlugins": None}
class ConfigTests(BaseTestCase):
config_proxy = ExpensiveResourceProxy(ConfigEnvironmentBuilder())
def before(self):
self.config = self.__class__.config_proxy.get_instance()
self.config_status_backup = ConfigState(self.config)
self.config.Core.DevMode = False
def after(self):
ConfigState.restore_state(self.config, self.config_status_backup)
def test_ProcessOptions_has_to_run_a_health_check_and_set_some_values(self):
health_check = flexmock()
health_check.should_receive("run").once()
self.config.HealthCheck = health_check
flexmock(self.config)
self.config.should_receive("LoadProfilesAndSettings").once()
self.config.should_receive("LoadPluginTestGroups").once()
self.config.ProcessOptions(self._get_options())
assert_that(config_property_is_defined("FORCE_OVERWRITE"))
assert_that(config_property_is_defined("INTERACTIVE"))
assert_that(config_property_is_defined("SIMULATION"))
assert_that(config_property_is_defined("PORTWAVES"))
def test_that_Set_records_the_parameter_in_the_internal_dictionary(self):
self.config.Set("key", "value")
assert_that(config_property_is_defined("key"))
def test_DeriveFromTarget_with_web_or_net_group_should_set_some_config_properties(self):
options = self._get_options()
options["Scope"] = ["http://localhost"]
flexmock(self.config)
self.config.should_receive("GetIPFromHostname").and_return("127.0.0.1")
self.config.should_receive("DeriveConfigFromURL").once()
method_backup = self.config.Get
def fake_get(key):
if key == "host_ip": return "127.0.0.1"
elif key == "port_number": return "80"
elif key == "OUTPUT_PATH": return "some/path"
self.config.Get = fake_get
self.config.DeriveFromTarget(options)
self.config.Get = method_backup # Restore original method
assert_that(config_property_is_defined("REVIEW_OFFSET"))
assert_that(config_property_is_defined("SUMMARY_HOST_IP"))
assert_that(config_property_is_defined("SUMMARY_PORT_NUMBER"))
assert_that(config_property_is_defined("REPORT_TYPE"))
def test_DeriveFromTarget_with_aux_group_should_set_some_config_properties(self):
options = self._get_options()
options["Scope"] = ["http://localhost:8080"]
options["PluginGroup"] = "auxiliary"
self.config.Set("OUTPUT_PATH", "some/path")
self.config.DeriveFromTarget(options)
assert_that(config_property_is_defined("AUX_OUTPUT_PATH"))
assert_that(config_property_is_defined("HTML_DETAILED_REPORT_PATH"))
assert_that(config_property_is_defined("REVIEW_OFFSET"))
assert_that(config_property_is_defined("SUMMARY_HOST_IP"))
assert_that(config_property_is_defined("SUMMARY_PORT_NUMBER"))
assert_that(config_property_is_defined("REPORT_TYPE"))
assert_that(target_is("auxiliary"))
def test_DeriveGlobalSettings_should_set_some_global_config_settings(self):
self.config.Set("OUTPUT_PATH", "some/path")
self.config.Set("USER_AGENT", "User Agent")
self.config.Set("HTML_REPORT", "")
self.config.DeriveGlobalSettings()
assert_that(config_property_is_defined("FRAMEWORK_DIR"))
assert_that(config_property_is_defined("UNREACHABLE_DB"))
assert_that(config_property_is_defined("RUN_DB"))
assert_that(config_property_is_defined("ERROR_DB"))
assert_that(config_property_is_defined("SEED_DB"))
assert_that(config_property_is_defined("SUMMARY_HTMLID_DB"))
assert_that(config_property_is_defined("DEBUG_DB"))
assert_that(config_property_is_defined("PLUGIN_REPORT_REGISTER"))
assert_that(config_property_is_defined("DETAILED_REPORT_REGISTER"))
assert_that(config_property_is_defined("COMMAND_REGISTER"))
assert_that(config_property_is_defined("USER_AGENT_#"))
assert_that(config_property_is_defined("SHORT_USER_AGENT"))
assert_that(config_property_is_defined("HTML_REPORT_PATH"))
def test_DeriveURLSettings_sets_url_settings(self):
options = {"PluginGroup": "network",
"RPort": "80",
"OnlyPlugins": None}
target = "http://localhost"
self.config.DeriveURLSettings(target, options)
assert_that(config_property_is_defined("target_url"))
assert_that(config_property_is_defined("host_path"))
assert_that(config_property_is_defined("url_scheme"))
assert_that(config_property_is_defined("port_number"))
assert_that(config_property_is_defined("host_name"))
assert_that(config_property_is_defined("host_ip"))
assert_that(config_property_is_defined("ip_url"))
assert_that(config_property_is_defined("top_domain"))
def test_DeriveOutputSettingsFromURL_sets_output_settings(self):
self.config.Set("host_ip", "127.0.0.1")
self.config.Set("port_number", "80")
self.config.DeriveOutputSettingsFromURL("http://localhost")
assert_that(config_property_is_defined("host_output"))
assert_that(config_property_is_defined("port_output"))
assert_that(config_property_is_defined("url_output"))
assert_that(config_property_is_defined("partial_url_output_path"))
assert_that(config_property_is_defined("PARTIAL_REPORT_REGISTER"))
assert_that(config_property_is_defined("HTML_DETAILED_REPORT_PATH"))
assert_that(config_property_is_defined("URL_REPORT_LINK_PATH"))
def test_InitHTTPDBs_sets_the_DB_locations_in_the_internal_dictionary(self):
self.config.InitHTTPDBs("path/to/db")
assert_that(transaction_DBs_path_are_defined())
assert_that(potential_DBs_path_are_defined())
assert_that(other_DBs_path_are_defined())
def test_GetFileName_should_obtain_name_from_the_path(self):
path = "/some/path/"
expected_filename = "file.py"
self.config.Set("TEST_FILENAME", path + expected_filename)
obtained_filename = self.config.GetFileName("TEST_FILENAME", True)
assert_that(obtained_filename, equal_to(expected_filename))
def test_LoadResourcesFromFile_parses_resources_succesfully(self):
path_to_file = self.get_abs_path("test_cases/resources/resources_example.cfg")
self.config.LoadResourcesFromFile(path_to_file)
resources = self.config.Resources
assert_that(resources, has_key("RESOURCETYPE"))
assert_that(resources["RESOURCETYPE"][0], equal_to(["ResourceName", "Resource"]))
def test_LoadProfiles_should_get_default_resource_files_and_parse_them(self):
self.config.LoadProfiles([])
profiles = self.config.Profiles
assert_that(profiles, has_key("web"))
assert_that(profiles, has_key("network"))
assert_that(profiles, has_key("r")) # r for Resources
assert_that(profiles, has_key("g")) # g for General
def test_GetResources_should_return_the_resources_associated_to_a_type(self):
self.config.LoadProfiles([])
web_resources = self.config.GetResources("web")
assert_that(web_resources is not None)
def test_GetResources_should_return_an_empty_list_and_a_warning_for_unkwnown_types(self):
self.config.LoadProfiles([])
self.init_stdout_recording()
resources = self.config.GetResources("unkwnown_type")
output = self.get_recorded_stdout_and_close()
assert_that(resources, equal_to([]))
assert_that(output, contains_string("is not defined"))
def test_that_TCP_and_UDP_port_listing_could_be_generated_with_config_object(self):
assert_that(self.config.GetTcpPorts(10, 100) is not None)
assert_that(self.config.GetUdpPorts(10, 100) is not None)
def _get_options(self):
return {"Force_Overwrite": False,
"Interactive": False,
"Simulation": True,
"PluginGroup": "web",
"PortWaves": [10,100],
'Scope': [],
"Profiles": {}}
def setUpClass(cls):
cls.clean_temp_files(
) # Cleans logfile and owtf_review/ before starting
cls.core_instance_proxy = ExpensiveResourceProxy(
CoreInitialiser("http://" + cls.TARGET))
super(WebPluginTestCase, cls).setUpClass()
class PluginConfigTests(BaseTestCase):
"""
WARNING: SLOW TESTS, as all the plugin configuration is loaded from
the config files, and the filesystem is scanned in order
to find the plugins.
"""
plugin_config_proxy = ExpensiveResourceProxy(
PluginConfigEnvironmentBuilder())
def before(self):
self.plugin_config = self.__class__.plugin_config_proxy.get_instance()
def test_GetAllTypes_should_return_a_list_with_all_types(self):
all_types = self.plugin_config.GetAllTypes()
assert_that(all_types, has_item('active'))
assert_that(all_types, has_item('bruteforce'))
assert_that(all_types, has_item('dos'))
assert_that(all_types, has_item('exploit'))
assert_that(all_types, has_item('external'))
assert_that(all_types, has_item('grep'))
assert_that(all_types, has_item('passive'))
assert_that(all_types, has_item('rce'))
assert_that(all_types, has_item('se'))
assert_that(all_types, has_item('selenium'))
assert_that(all_types, has_item('semi_passive'))
assert_that(all_types, has_item('smb'))
def test_GetAllGroups_should_return_a_list_with_all_groups(self):
all_groups = self.plugin_config.GetAllGroups()
assert_that(all_groups, has_item('aux'))
assert_that(all_groups, has_item('net'))
assert_that(all_groups, has_item('web'))
def test_GetTypesForGroup_aux_should_return_a_list_with_its_types(self):
aux_types = self.plugin_config.GetTypesForGroup("aux")
assert_that(aux_types, has_length(7))
def test_GetTypesForGroup_net_should_return_a_list_with_its_types(self):
net_types = self.plugin_config.GetTypesForGroup("net")
assert_that(net_types, has_length(2))
def test_GetTypesForGroup_web_should_return_a_list_with_its_types(self):
web_types = self.plugin_config.GetTypesForGroup("web")
assert_that(web_types, has_length(5))
def test_GetTypesForGroup_with_non_existing_group_should_return_empty_list_and_warning(
self):
self.init_stdout_recording()
types = self.plugin_config.GetTypesForGroup("non_existing_group")
warning = self.get_recorded_stdout_and_close()
assert_that(types, has_length(0))
assert_that(warning, contains_string("not found"))
def test_GetGroupsForPlugins_should_return_a_group_given_a_plugin(self):
groups = self.plugin_config.GetGroupsForPlugins(
["Application_Discovery"])
assert_that(groups, has_item("web"))
def test_GetPlugin_should_return_the_first_plugin_matching_the_criteria(
self):
criteria = {"Group": "web", "Type": "active"}
plugin = self.plugin_config.GetPlugin(criteria)
assert_that(plugin is not None)
def test_GetPlugin_with_no_matching_criteria_should_return_None_and_print_warning(
self):
self.init_stdout_recording()
plugin = self.plugin_config.GetPlugin({"Group": "non_existing_group"},
ShowWarnings=True)
warning = self.get_recorded_stdout_and_close()
assert_that(plugin is None)
assert_that(warning, contains_string("WARNING"))
def test_GetAll_should_return_plugins_that_math_the_given_group_and_type(
self):
plugin_group = "net"
plugin_type = "bruteforce"
plugins = self.plugin_config.GetAll(plugin_group, plugin_type)
assert_that(plugins, has_length(greater_than(0)))
for plugin in plugins:
assert_that(plugin['Group'], is_(plugin_group))
assert_that(plugin['Type'], is_(plugin_type))
def test_DeriveAllowedTypes_for_web_should_enable_all_plugins_by_default(
self):
self.plugin_config.DeriveAllowedTypes("web", [])
assert_that(self.plugin_config.AllowedPluginTypes["web"],
has_length(5))
def test_DeriveAllowedTypes_for_web_should_enable_all_plugins(self):
expected_types = [
'active', 'external', 'grep', 'passive', 'semi_passive'
]
self.plugin_config.DeriveAllowedTypes("web", ["all"])
print self.plugin_config.AllowedPluginTypes["web"]
for plugin_type in expected_types:
assert_that(self.plugin_config.AllowedPluginTypes["web"],
has_item(plugin_type))
def test_DeriveAllowedTypes_for_web_with_quiet_TypeFilter_should_include_passive_and_semi_passive(
self):
self.plugin_config.DeriveAllowedTypes("web", ["quiet"])
assert_that(self.plugin_config.AllowedPluginTypes["web"],
has_item("passive"))
assert_that(self.plugin_config.AllowedPluginTypes["web"],
has_item("semi_passive"))
def test_DeriveAllowedTypes_for_web_with_semi_passive_or_active_should_include_grep_plugins(
self):
self.plugin_config.DeriveAllowedTypes("web", ["semi_passive"])
assert_that(self.plugin_config.AllowedPluginTypes["web"],
has_item("grep"))
self.plugin_config.DeriveAllowedTypes("web", ["active"])
assert_that(self.plugin_config.AllowedPluginTypes["web"],
has_item("grep"))
def test_DeriveAllowedTypes_for_net_should_include_all_types(self):
self.plugin_config.DeriveAllowedTypes("net", ["all"])
assert_that(self.plugin_config.AllowedPluginTypes["net"],
has_item("active"))
assert_that(self.plugin_config.AllowedPluginTypes["net"],
has_item("bruteforce"))
def test_DeriveAllowedTypes_for_net_with_specific_filter_should_only_include_selected(
self):
self.plugin_config.DeriveAllowedTypes("net", ["active"])
assert_that(self.plugin_config.AllowedPluginTypes["net"],
has_length(1))
assert_that(self.plugin_config.AllowedPluginTypes["net"],
has_item("active"))
def test_LoadPluginOrderFromFile_processing(self):
self.plugin_config.LoadPluginOrderFromFile("web",
PLUGIN_ORDER_EXAMPLE_FILE)
web_order = self.plugin_config.PluginOrder["web"]
web_plugin_names = [
"Application_Discovery", # Order defined in the resource file
"AJAX_Vulnerabilities",
"Application_Discovery",
"HTTP_Methods_and_XST",
"Application_Configuration_Management"
]
for i, plugin in enumerate(web_order):
assert_that(plugin["Name"],
equal_to_ignoring_case(web_plugin_names[i]))
def test_init_function_is_used_for_getting_the_instance(self):
proxy = ExpensiveResourceProxy(FunctionMock())
instance = proxy.get_instance()
assert_that(instance, equal_to(EXPENSIVE_RESOURCE_STUB))
def test_init_function_is_used_for_getting_the_instance(self):
proxy = ExpensiveResourceProxy(FunctionMock())
instance = proxy.get_instance()
assert_that(instance, equal_to(EXPENSIVE_RESOURCE_STUB))
