def audit(self, freq, orig_response): """ Plugin entry point. :param freq: A FuzzableRequest """ # Detect if current url provides CORS features if not provides_cors_features(freq, self._uri_opener): return url = freq.get_url() self.analyze_cors_security(url)
def audit(self, freq, orig_response, debugging_id): """ Plugin entry point. :param freq: A FuzzableRequest :param orig_response: The HTTP response associated with the fuzzable request :param debugging_id: A unique identifier for this call to audit() """ # Detect if current url provides CORS features if not provides_cors_features(freq, self._uri_opener, debugging_id): return url = freq.get_url() self.analyze_cors_security(url, debugging_id)
def test_provides_cors_features_false(self): url = URL('http://moth/') fr = FuzzableRequest(url) http_response = HTTPResponse(200, '', Headers(), url, url) url_opener_mock = Mock() url_opener_mock.GET = MagicMock(return_value=http_response) cors = provides_cors_features(fr, url_opener_mock) call_header = Headers({'Origin': 'www.w3af.org'}.items()) url_opener_mock.GET.assert_called_with(url, headers=call_header) self.assertFalse(cors)
def test_provides_cors_features_false(self): url = URL('http://moth/') fr = FuzzableRequest(url) http_response = HTTPResponse(200, '', Headers(), url, url) url_opener_mock = Mock() url_opener_mock.GET = MagicMock(return_value=http_response) cors = provides_cors_features(fr, url_opener_mock, None) call_header = Headers({'Origin': 'www.w3af.org'}.items()) url_opener_mock.GET.assert_called_with(url, headers=call_header) self.assertFalse(cors)
def test_provides_cors_features_true(self): url = URL('http://moth/') fr = FuzzableRequest(url) hdrs = {'Access-Control-Allow-Origin': 'http://www.w3af.org/'}.items() cors_headers = Headers(hdrs) http_response = HTTPResponse(200, '', cors_headers, url, url) url_opener_mock = Mock() url_opener_mock.GET = MagicMock(return_value=http_response) cors = provides_cors_features(fr, url_opener_mock) url_opener_mock.GET.assert_called_with(url) self.assertTrue(cors)
def test_provides_cors_features_true(self): url = URL('http://moth/') fr = FuzzableRequest(url) hdrs = {'Access-Control-Allow-Origin': 'http://www.w3af.org/'}.items() cors_headers = Headers(hdrs) http_response = HTTPResponse(200, '', cors_headers, url, url) url_opener_mock = Mock() url_opener_mock.GET = MagicMock(return_value=http_response) cors = provides_cors_features(fr, url_opener_mock, None) url_opener_mock.GET.assert_called_with(url, debugging_id=None) self.assertTrue(cors)
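Review bot: The two rewritten tests now make contradictory claims about the mocked GET call: `test_provides_cors_features_false` still asserts `url_opener_mock.GET.assert_called_with(url, headers=call_header)` with no `debugging_id`, while `test_provides_cors_features_true` asserts `url_opener_mock.GET.assert_called_with(url, debugging_id=None)`. `assert_called_with` matches only the most recent call and matches it exactly, so if `provides_cors_features` (not visible here) now forwards `debugging_id` on every GET the false-case assertion fails, and if it forwards it only on the first GET the Origin-probing request silently loses the id. Whichever is intended, the false-case test should say so explicitly, e.g. `url_opener_mock.GET.assert_called_with(url, headers=call_header, debugging_id=None)`. Passing `None` as the id in both tests also means a regression that drops the argument entirely could still pass; a distinct constructed value (any fixed non-None string) would make the forwarding assertion meaningful.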