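def test_simple_int_param_in_qs(self):
    """
    Build fuzzable requests from the IntParamQueryString specification and
    check the two GET calls the optional "limit" query parameter produces.

    The two generated requests only differ in their query string, so the
    per-request assertions are driven from a list of expected URLs instead
    of being spelled out twice; a failing URL assertion identifies the call.
    """
    specification_as_string = IntParamQueryString().get_specification()
    http_response = self.generate_response(specification_as_string)
    handler = SpecificationHandler(http_response)

    data = list(handler.get_api_information())

    # The specification says that this query string parameter is not
    # required, thus we get two operations, one for the parameter with
    # a value and another without the parameter
    self.assertEqual(len(data), 2)

    # Both calls are GET with the same headers and an empty body
    e_headers = Headers([('Content-Type', 'application/json')])
    expected_urls = ['http://w3af.org/api/pets',
                     'http://w3af.org/api/pets?limit=42']

    for data_i, e_url in zip(data, expected_urls):
        # Each item from get_api_information() is unpacked as the
        # positional arguments of RequestFactory
        factory = RequestFactory(*data_i)
        fuzzable_request = factory.get_fuzzable_request()

        self.assertEqual(fuzzable_request.get_method(), 'GET')
        self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
        self.assertEqual(fuzzable_request.get_headers(), e_headers)
        self.assertEqual(fuzzable_request.get_data(), '')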
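def test_simple_int_param_in_qs(self):
    """
    Parse the IntParamQueryString specification and check the operations
    and the "limit" query-string parameter SpecificationHandler reports.

    The first operation is checked in detail (resource, operation name,
    consumes/produces, path); both operations must expose the same optional
    integer "limit" parameter, differing only in the value filled in.
    """
    specification_as_string = IntParamQueryString().get_specification()
    http_response = self.generate_response(specification_as_string)
    handler = SpecificationHandler(http_response)

    data = list(handler.get_api_information())

    # The specification says that this query string parameter is not
    # required, thus we get two operations, one for the parameter with
    # a value and another without the parameter
    self.assertEqual(len(data), 2)

    def assert_limit_param(operation, expected_fill):
        # Exactly one parameter, the optional integer query-string param
        # "limit"; only the fill value differs between the two operations.
        self.assertEqual(len(operation.params), 1)

        param = operation.params.get('limit')
        # Fail with the parameter map instead of an AttributeError below
        # when "limit" is missing
        self.assertIsNotNone(param, operation.params)

        self.assertEqual(param.param_spec['required'], False)
        self.assertEqual(param.param_spec['in'], 'query')
        self.assertEqual(param.param_spec['type'], 'integer')
        self.assertEqual(param.fill, expected_fill)

    (spec, api_resource_name, resource,
     operation_name, operation, parameters) = data[0]

    self.assertEqual(api_resource_name, 'pets')
    self.assertEqual(operation_name, 'findPets')
    self.assertEqual(operation.consumes, [u'application/json'])
    self.assertEqual(operation.produces, [u'application/json'])
    self.assertEqual(operation.path_name, '/pets')

    # First operation: the parameter is left out, so nothing is filled in
    assert_limit_param(operation, None)

    # Second operation: the parameter is present with the generated value
    (spec, api_resource_name, resource,
     operation_name, operation, parameters) = data[1]
    assert_limit_param(operation, 42)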
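class TestOpenAPIFindAllEndpointsWithAuth(PluginTest):
    """
    Crawl a mocked OpenAPI specification with query-string authentication
    configured and check that every generated API request carries the
    configured api_key.

    The IntParamQueryString spec is expected to yield two GET /api/pets
    calls, one without and one with the optional "limit" parameter; both
    must have api_key appended to their query string.
    """
    target_url = 'http://w3af.org/'

    # NOTE: the api_key below is a dummy value. With PluginConfig.QUERY_STRING
    # the credential becomes part of every request URL (asserted in the test),
    # so a real key placed here would presumably end up in request logs and
    # history files; never reuse a live credential in this fixture.
    _run_configs = {
        'cfg': {
            'target': target_url,
            'plugins': {
                'crawl': (PluginConfig('open_api',
                                       ('query_string_auth',
                                        'api_key=0x12345',
                                        PluginConfig.QUERY_STRING),),)
            }
        }
    }

    MOCK_RESPONSES = [MockResponse('http://w3af.org/swagger.json',
                                   IntParamQueryString().get_specification())]

    def test_find_all_endpoints_with_auth(self):
        """
        Run the open_api crawl plugin against the mocked spec and verify the
        Info and the fuzzable requests it stores in the knowledge base.
        """
        cfg = self._run_configs['cfg']
        self._scan(cfg['target'], cfg['plugins'])

        #
        # Since we configured authentication we should only get one of the Info
        #
        infos = self.kb.get('open_api', 'open_api')
        self.assertEqual(len(infos), 1, infos)

        info_i = infos[0]
        self.assertEqual(info_i.get_name(), 'Open API specification found')

        #
        # Now check that we found all the fuzzable requests
        #
        fuzzable_requests = self.kb.get_all_known_fuzzable_requests()
        self.assertEqual(len(fuzzable_requests), 4)

        # Remove the /swagger.json and / ; exactly the two API calls must remain.
        # Checking the count here gives a clear failure instead of an IndexError
        # (or a silently skipped call) in the loop below.
        fuzzable_requests = [f for f in fuzzable_requests
                             if f.get_url().get_path() not in ('/swagger.json', '/')]
        self.assertEqual(len(fuzzable_requests), 2, fuzzable_requests)

        # Order them by URL to be able to easily assert things. A key function
        # gives the same ordering as the previous cmp() callback without
        # depending on the Python 2-only cmp builtin.
        fuzzable_requests.sort(key=lambda fr: fr.get_url().url_string)

        # Both calls are GET with the same headers and an empty body; they
        # differ only in the query string, and both must carry the api_key
        e_headers = Headers([('Content-Type', 'application/json')])
        expected_urls = ['http://w3af.org/api/pets?api_key=0x12345',
                         'http://w3af.org/api/pets?limit=42&api_key=0x12345']

        for fuzzable_request, e_url in zip(fuzzable_requests, expected_urls):
            self.assertEqual(fuzzable_request.get_method(), 'GET')
            self.assertEqual(fuzzable_request.get_uri().url_string, e_url)
            self.assertEqual(fuzzable_request.get_headers(), e_headers)
            self.assertEqual(fuzzable_request.get_data(), '')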
def test_parameter_handler_simple_int_param_in_qs(self):
    """
    Feed the IntParamQueryString specification through SpecificationHandler
    and run the shared parameter checks (check_parameter_setting) on it.
    """
    spec = IntParamQueryString().get_specification()
    handler = SpecificationHandler(self.generate_response(spec))
    self.check_parameter_setting(handler)