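def extract_link_from_set_cookie_header(http_response, header_name, header_value):
    """
    Extract links from the "path" key of a cookie

    Example headers we can parse:
        set-cookie: __cfduid=...; path=/; domain=.w3af.org; HttpOnly

    The header value is attacker-controlled input: a malformed cookie must
    never abort the caller, it simply yields no links.

    :param http_response: The http response object
    :param header_name: The http response header name
    :param header_value: The http response header value (where the URL lives)
    :return: Yield URL instances
    :see: https://github.com/andresriancho/w3af/issues/9493
    """
    try:
        cookie = parse_cookie(header_value)
    except Exception:
        # Narrowed from a bare `except:` so KeyboardInterrupt/SystemExit are
        # not swallowed. A plain `return` ends the generator; `raise
        # StopIteration` inside a generator body becomes RuntimeError under
        # PEP 479 (Python 3.7+), which would crash the caller on a bad cookie.
        return

    for key in cookie.keys():
        try:
            path = cookie[key]["path"]
        except KeyError:
            continue

        # An empty path attribute carries no link.
        if not path:
            continue

        try:
            yield http_response.get_url().url_join(path)
        except ValueError:
            # url_join rejected the path; log it but keep scanning the
            # remaining cookies in this header.
            msg = (
                'The application sent a "%s" header that w3af'
                " failed to correctly parse as an URL, the header"
                ' value was: "%s"'
            )
            om.out.debug(msg % (header_name, header_value))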
    def _parse_cookie(self, request, response, cookie_header_value):
        """
        Parse one "Set-Cookie" header value into a cookie object.

        When the response sets several cookies this method runs once per
        "Set-Cookie" header. A value that parse_cookie rejects is recorded
        in the knowledge base as an 'invalid-cookies' CookieInfo and None
        is returned instead.

        BUGBUG: The urllib2 library concatenates , values of repeated headers.
                See HTTPMessage.addheader() in httplib.py

        :param request: The HTTP request object (not used here).
        :param response: The HTTP response object
        :param cookie_header_value: The cookie, as sent in the HTTP response;
                                    untrusted, it is only ever used as a
                                    %-argument, never as a format string.

        :return: The cookie object or None if the parsing failed
        """
        try:
            # Note to self: This line may print some chars to the console
            parsed = parse_cookie(cookie_header_value)
        except Cookie.CookieError:
            # Build the finding for the malformed cookie.
            template = ('The remote Web application sent a cookie with an'
                        ' incorrect format: "%s" that does NOT respect the RFC.')
            description = template % cookie_header_value

            finding = CookieInfo('Invalid cookie', description,
                                 response.id, self.get_name())
            finding.set_url(response.get_url())
            finding.set_cookie_string(cookie_header_value)

            # The cookie is invalid, this is worth mentioning ;)
            kb.kb.append(self, 'invalid-cookies', finding)
            return None

        return parsed
    def _parse_cookie(self, request, response, cookie_header_value):
        """
        Turn a single "Set-Cookie" header value into a cookie object.

        Called once for every "Set-Cookie" header in the response. If
        parse_cookie raises Cookie.CookieError the malformed value is
        reported to the knowledge base under 'invalid-cookies' and None
        is returned.

        BUGBUG: The urllib2 library concatenates , values of repeated headers.
                See HTTPMessage.addheader() in httplib.py

        :param request: The HTTP request object (unused).
        :param response: The HTTP response object
        :param cookie_header_value: The cookie, as sent in the HTTP response;
                                    untrusted data, used only as the
                                    %-argument of the description.

        :return: The cookie object or None if the parsing failed
        """
        try:
            # Note to self: This line may print some chars to the console
            return parse_cookie(cookie_header_value)
        except Cookie.CookieError:
            pass

        # Reached only when parsing failed: record the finding.
        desc = ('The remote Web application sent a cookie with an'
                ' incorrect format: "%s" that does NOT respect the RFC.'
                % cookie_header_value)

        info = CookieInfo('Invalid cookie', desc, response.id, self.get_name())
        info.set_url(response.get_url())
        info.set_cookie_string(cookie_header_value)

        # The cookie is invalid, this is worth mentioning ;)
        kb.kb.append(self, 'invalid-cookies', info)
        return None
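def extract_link_from_set_cookie_header(http_response, header_name,
                                        header_value):
    """
    Extract links from the "path" key of a cookie

    Example headers we can parse:
        set-cookie: __cfduid=...; path=/; domain=.w3af.org; HttpOnly

    The header value comes from the remote application and is untrusted;
    a cookie that fails to parse yields no links instead of raising.

    :param http_response: The http response object
    :param header_name: The http response header name
    :param header_value: The http response header value (where the URL lives)
    :return: Yield URL instances
    :see: https://github.com/andresriancho/w3af/issues/9493
    """
    try:
        cookie = parse_cookie(header_value)
    except Exception:
        # Narrowed from a bare `except:` so KeyboardInterrupt/SystemExit
        # still propagate. `return` is the correct way to end a generator:
        # `raise StopIteration` inside a generator body is turned into a
        # RuntimeError by PEP 479 (Python 3.7+).
        return

    for key in cookie.keys():
        try:
            path = cookie[key]['path']
        except KeyError:
            continue

        # An empty path attribute carries no link.
        if not path:
            continue

        try:
            yield http_response.get_url().url_join(path)
        except ValueError:
            # url_join rejected the path; log and keep going with the
            # remaining cookies in this header.
            msg = ('The application sent a "%s" header that w3af'
                   ' failed to correctly parse as an URL, the header'
                   ' value was: "%s"')
            om.out.debug(msg % (header_name, header_value))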
 def test_with_path(self):
     # The "path" attribute of a parsed cookie must be exposed on its morsel.
     parsed = parse_cookie('abc=def; path=/x')
     morsel = parsed['abc']
     self.assertEqual(morsel['path'], '/x')
 def test_basic(self):
     # A minimal name=value pair parses into a cookie keyed by its name.
     parsed = parse_cookie('abc=def')
     self.assertTrue('abc' in parsed)