class TestVariantDB(unittest.TestCase): def setUp(self): create_temp_dir() self.vdb = VariantDB() def test_db_int(self): url_fmt = 'http://w3af.org/foo.htm?id=%s' for i in xrange(DEFAULT_MAX_VARIANTS): url = URL(url_fmt % i) self.assertTrue(self.vdb.need_more_variants(url)) self.vdb.append(url) extra_url = URL(url_fmt % (DEFAULT_MAX_VARIANTS + 1,)) self.assertFalse(self.vdb.need_more_variants(extra_url)) def test_db_int_int(self): url_fmt = 'http://w3af.org/foo.htm?id=%s&bar=1' for i in xrange(DEFAULT_MAX_VARIANTS): url = URL(url_fmt % i) self.assertTrue(self.vdb.need_more_variants(url)) self.vdb.append(url) self.assertFalse( self.vdb.need_more_variants(URL(url_fmt % (DEFAULT_MAX_VARIANTS + 1,)))) def test_db_int_int_var(self): url_fmt = 'http://w3af.org/foo.htm?id=%s&bar=%s' for i in xrange(DEFAULT_MAX_VARIANTS): url = URL(url_fmt % (i, i)) self.assertTrue(self.vdb.need_more_variants(url)) self.vdb.append(url) self.assertFalse( self.vdb.need_more_variants(URL(url_fmt % (DEFAULT_MAX_VARIANTS + 1, DEFAULT_MAX_VARIANTS + 1)))) def test_db_int_str(self): url_fmt = 'http://w3af.org/foo.htm?id=%s&bar=%s' for i in xrange(DEFAULT_MAX_VARIANTS): url = URL(url_fmt % (i, 'abc' * i)) self.assertTrue(self.vdb.need_more_variants(url)) self.vdb.append(url) self.assertFalse(self.vdb.need_more_variants( URL(url_fmt % (DEFAULT_MAX_VARIANTS + 1, 'abc' * (DEFAULT_MAX_VARIANTS + 1))))) def test_db_int_str_then_int_int(self): url_fmt = 'http://w3af.org/foo.htm?id=%s&bar=%s' # Add (int, str) for i in xrange(DEFAULT_MAX_VARIANTS): url = URL(url_fmt % (i, 'abc' * i)) self.assertTrue(self.vdb.need_more_variants(url)) self.vdb.append(url) # Please note that in this case I'm asking for (int, int) and I added # (int, str) before self.assertTrue( self.vdb.need_more_variants(URL(url_fmt % (DEFAULT_MAX_VARIANTS + 1, DEFAULT_MAX_VARIANTS + 1)))) # Add (int, int) for i in xrange(DEFAULT_MAX_VARIANTS): url = URL(url_fmt % (i, i)) self.assertTrue(self.vdb.need_more_variants(url)) self.vdb.append(url) self.assertFalse( self.vdb.need_more_variants(URL(url_fmt % (DEFAULT_MAX_VARIANTS + 1, DEFAULT_MAX_VARIANTS + 1)))) def test_clean_reference_simple(self): self.assertEqual(self.vdb._clean_reference(URL('http://w3af.org/')), u'(GET)-http://w3af.org/') def test_clean_reference_file(self): self.assertEqual( self.vdb._clean_reference(URL('http://w3af.org/index.php')), u'(GET)-http://w3af.org/index.php') def test_clean_reference_directory_file(self): self.assertEqual( self.vdb._clean_reference(URL('http://w3af.org/foo/index.php')), u'(GET)-http://w3af.org/foo/index.php') def test_clean_reference_directory_file_int(self): self.assertEqual( self.vdb._clean_reference(URL('http://w3af.org/foo/index.php?id=2')), u'(GET)-http://w3af.org/foo/index.php?id=number') def test_clean_reference_int(self): self.assertEqual( self.vdb._clean_reference(URL('http://w3af.org/index.php?id=2')), u'(GET)-http://w3af.org/index.php?id=number') def test_clean_reference_int_str(self): self.assertEqual( self.vdb._clean_reference( URL('http://w3af.org/index.php?id=2&foo=bar')), u'(GET)-http://w3af.org/index.php?id=number&foo=string') def test_clean_reference_int_str_empty(self): self.assertEqual( self.vdb._clean_reference( URL('http://w3af.org/index.php?id=2&foo=bar&spam=')), u'(GET)-http://w3af.org/index.php?id=number&foo=string&spam=string') def test_clean_form_fuzzable_request(self): fr = FuzzableRequest(URL("http://www.w3af.com/"), headers=Headers([('Host', 'www.w3af.com')]), method='POST', post_data=KeyValueContainer(init_val=[('data', ['23'])])) expected = u'(POST)-http://www.w3af.com/!data=number' self.assertEqual(self.vdb._clean_fuzzable_request(fr), expected) def test_clean_form_fuzzable_request_form(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "abc")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) expected = u'(POST)-http://example.com/?id=number!username=string&address=string' self.assertEqual(self.vdb._clean_fuzzable_request(fr), expected)
class TestVariantDB(unittest.TestCase): def setUp(self): create_temp_dir() self.vdb = VariantDB() def test_db_int(self): url_fmt = 'http://w3af.org/foo.htm?id=%s' for i in xrange(DEFAULT_MAX_VARIANTS): url = URL(url_fmt % i) self.assertTrue(self.vdb.need_more_variants(url)) self.vdb.append(url) extra_url = URL(url_fmt % (DEFAULT_MAX_VARIANTS + 1, )) self.assertFalse(self.vdb.need_more_variants(extra_url)) def test_db_int_int(self): url_fmt = 'http://w3af.org/foo.htm?id=%s&bar=1' for i in xrange(DEFAULT_MAX_VARIANTS): url = URL(url_fmt % i) self.assertTrue(self.vdb.need_more_variants(url)) self.vdb.append(url) self.assertFalse( self.vdb.need_more_variants( URL(url_fmt % (DEFAULT_MAX_VARIANTS + 1, )))) def test_db_int_int_var(self): url_fmt = 'http://w3af.org/foo.htm?id=%s&bar=%s' for i in xrange(DEFAULT_MAX_VARIANTS): url = URL(url_fmt % (i, i)) self.assertTrue(self.vdb.need_more_variants(url)) self.vdb.append(url) self.assertFalse( self.vdb.need_more_variants( URL(url_fmt % (DEFAULT_MAX_VARIANTS + 1, DEFAULT_MAX_VARIANTS + 1)))) def test_db_int_str(self): url_fmt = 'http://w3af.org/foo.htm?id=%s&bar=%s' for i in xrange(DEFAULT_MAX_VARIANTS): url = URL(url_fmt % (i, 'abc' * i)) self.assertTrue(self.vdb.need_more_variants(url)) self.vdb.append(url) self.assertFalse( self.vdb.need_more_variants( URL(url_fmt % (DEFAULT_MAX_VARIANTS + 1, 'abc' * (DEFAULT_MAX_VARIANTS + 1))))) def test_db_int_str_then_int_int(self): url_fmt = 'http://w3af.org/foo.htm?id=%s&bar=%s' # Add (int, str) for i in xrange(DEFAULT_MAX_VARIANTS): url = URL(url_fmt % (i, 'abc' * i)) self.assertTrue(self.vdb.need_more_variants(url)) self.vdb.append(url) # Please note that in this case I'm asking for (int, int) and I added # (int, str) before self.assertTrue( self.vdb.need_more_variants( URL(url_fmt % (DEFAULT_MAX_VARIANTS + 1, DEFAULT_MAX_VARIANTS + 1)))) # Add (int, int) for i in xrange(DEFAULT_MAX_VARIANTS): url = URL(url_fmt % (i, i)) self.assertTrue(self.vdb.need_more_variants(url)) self.vdb.append(url) self.assertFalse( self.vdb.need_more_variants( URL(url_fmt % (DEFAULT_MAX_VARIANTS + 1, DEFAULT_MAX_VARIANTS + 1)))) def test_clean_reference_simple(self): self.assertEqual(self.vdb._clean_reference(URL('http://w3af.org/')), u'(GET)-http://w3af.org/') def test_clean_reference_file(self): self.assertEqual( self.vdb._clean_reference(URL('http://w3af.org/index.php')), u'(GET)-http://w3af.org/index.php') def test_clean_reference_directory_file(self): self.assertEqual( self.vdb._clean_reference(URL('http://w3af.org/foo/index.php')), u'(GET)-http://w3af.org/foo/index.php') def test_clean_reference_directory_file_int(self): self.assertEqual( self.vdb._clean_reference( URL('http://w3af.org/foo/index.php?id=2')), u'(GET)-http://w3af.org/foo/index.php?id=number') def test_clean_reference_int(self): self.assertEqual( self.vdb._clean_reference(URL('http://w3af.org/index.php?id=2')), u'(GET)-http://w3af.org/index.php?id=number') def test_clean_reference_int_str(self): self.assertEqual( self.vdb._clean_reference( URL('http://w3af.org/index.php?id=2&foo=bar')), u'(GET)-http://w3af.org/index.php?id=number&foo=string') def test_clean_reference_int_str_empty(self): self.assertEqual( self.vdb._clean_reference( URL('http://w3af.org/index.php?id=2&foo=bar&spam=')), u'(GET)-http://w3af.org/index.php?id=number&foo=string&spam=string' ) def test_clean_form_fuzzable_request(self): fr = FuzzableRequest(URL("http://www.w3af.com/"), headers=Headers([('Host', 'www.w3af.com')]), method='POST', post_data=KeyValueContainer(init_val=[('data', ['23'])])) expected = u'(POST)-http://www.w3af.com/!data=number' self.assertEqual(self.vdb._clean_fuzzable_request(fr), expected) def test_clean_form_fuzzable_request_form(self): form_params = FormParameters() form_params.add_input([("name", "username"), ("value", "abc")]) form_params.add_input([("name", "address"), ("value", "")]) form_params.set_action(URL('http://example.com/?id=1')) form_params.set_method('post') form = dc_from_form_params(form_params) fr = FuzzableRequest.from_form(form) expected = u'(POST)-http://example.com/?id=number!username=string&address=string' self.assertEqual(self.vdb._clean_fuzzable_request(fr), expected)