def bruteforce_wrapper(self, fuzzable_request): self.audit(fuzzable_request.copy()) res = [] for v in kb.kb.get(self.get_name(), 'auth'): if v.get_url() not in self._already_reported: self._already_reported.append(v.get_url()) res.extend(create_fuzzable_requests(v['response'])) return res
def test_add_self(self): body = '' headers = Headers([('content-type', 'text/html')]) http_response = HTTPResponse(200, body, headers, self.url, self.url) request_lst = create_fuzzable_requests(http_response, add_self=True) self.assertEqual(len(request_lst), 1) fr = request_lst[0] self.assertEqual(fr.get_url(), self.url) self.assertFalse('content-type' in fr.get_headers())
def test_redirect_location(self): body = '' redir_url = 'http://www.w3af.org/' headers = Headers([('content-type', 'text/html'), ('location', redir_url)]) http_response = HTTPResponse(200, body, headers, self.url, self.url) redir_fr = create_fuzzable_requests(http_response, add_self=False) self.assertEqual(len(redir_fr), 1) redir_fr = redir_fr[0] self.assertEqual(redir_fr.get_url().url_string, redir_url)
def test_redirect_uri_relative(self): body = '' redir_url = '/foo.bar' headers = Headers([('content-type', 'text/html'), ('uri', redir_url)]) http_response = HTTPResponse(200, body, headers, self.url, self.url) redir_fr = create_fuzzable_requests(http_response, add_self=False) self.assertEqual(len(redir_fr), 1) redir_fr = redir_fr[0] self.assertEqual(redir_fr.get_url( ).url_string, self.url.url_string[:-1] + redir_url)
def test_cookie(self): body = '' redir_url = '/foo.bar' headers = Headers([('content-type', 'text/html'), ('uri', redir_url), ('cookie', 'abc=def')]) http_response = HTTPResponse(200, body, headers, self.url, self.url) redir_fr_cookie = create_fuzzable_requests(http_response, add_self=False) self.assertEqual(len(redir_fr_cookie), 1) redir_fr_cookie = redir_fr_cookie[0] self.assertEqual(str(redir_fr_cookie.get_cookie()), 'abc=def;')
def test_body_parse_form(self): body = """<form action="/foo.bar" method="POST"> A: <input name="a" /> B: <input name="b" value="123" /> </form>""" headers = Headers([('content-type', 'text/html')]) http_response = HTTPResponse(200, body, headers, self.url, self.url) post_request_lst = create_fuzzable_requests( http_response, add_self=False) self.assertEqual(len(post_request_lst), 1) post_request = post_request_lst[0] self.assertEqual( post_request.get_url().url_string, 'http://www.w3af.com/foo.bar') self.assertEqual(post_request.get_data(), 'a=&b=123') self.assertEqual(post_request.get_method(), 'POST') self.assertFalse('content-type' in post_request.get_headers())
def test_is_token_checked_true(self): generator = URL('http://moth/w3af/audit/csrf/secure-replay-allowed/') http_response = self.uri_opener.GET(generator) # Please note that this freq holds a fresh/valid CSRF token freq_lst = create_fuzzable_requests(http_response, add_self=False) self.assertEqual(len(freq_lst), 1) freq = freq_lst[0] # FIXME: # And I use this token here to get the original response, and if the # application is properly developed, that token will be invalidated # and that's where this algorithm fails. original_response = self.uri_opener.send_mutant(freq) token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'} checked = self.csrf_plugin._is_token_checked(freq, token, original_response) self.assertTrue(checked)
def test_is_token_checked_false(self): """ This covers the case where there is a token but for some reason it is NOT verified by the web application. """ generator = URL('http://moth/w3af/audit/csrf/vulnerable-token-ignored/') http_response = self.uri_opener.GET(generator) # Please note that this freq holds a fresh/valid CSRF token freq_lst = create_fuzzable_requests(http_response, add_self=False) self.assertEqual(len(freq_lst), 1) freq = freq_lst[0] # FIXME: # And I use this token here to get the original response, and if the # application is properly developed, that token will be invalidated # and that's where this algorithm fails. original_response = self.uri_opener.send_mutant(freq) token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'} checked = self.csrf_plugin._is_token_checked(freq, token, original_response) self.assertFalse(checked)
def test_body_parse_a(self): """ TODO: I need to decide if I'm going to implement this in create_fuzzable_requests or if I'm going to delegate this responsability to the web_spider plugin only. Note that all the uses of create_fuzzable_requests can be found with: find . -name '*.py' | xargs grep create_fuzzable_requests And they all need to be analyzed before making a decision. """ raise SkipTest('FIXME: See TODO.') body = '<a href="http://www.google.com/?id=1">click here</a>' headers = Headers([('content-type', 'text/html')]) http_response = HTTPResponse(200, body, headers, self.url, self.url) request_lst = create_fuzzable_requests(http_response, add_self=False) self.assertEqual(len(request_lst), 1) fr = request_lst[0] self.assertEqual(fr.get_url().url_string, 'http://www.google.com/?id=1')
def test_is_token_checked_false(self): """ This covers the case where there is a token but for some reason it is NOT verified by the web application. """ generator = URL( 'http://moth/w3af/audit/csrf/vulnerable-token-ignored/') http_response = self.uri_opener.GET(generator) # Please note that this freq holds a fresh/valid CSRF token freq_lst = create_fuzzable_requests(http_response, add_self=False) self.assertEqual(len(freq_lst), 1) freq = freq_lst[0] # FIXME: # And I use this token here to get the original response, and if the # application is properly developed, that token will be invalidated # and that's where this algorithm fails. original_response = self.uri_opener.send_mutant(freq) token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'} checked = self.csrf_plugin._is_token_checked(freq, token, original_response) self.assertFalse(checked)
def _create_fuzzable_requests(self, HTTPResponse, request=None, add_self=True): return create_fuzzable_requests(HTTPResponse, request, add_self)
for url in target_urls: try: # # GET the initial target URLs in order to save them # in a list and use them as our bootstrap URLs # response = self._w3af_core.uri_opener.GET(url, cache=True) except (ScanMustStopOnUrlError, BaseFrameworkException, ScanMustStopException), w3: om.out.error('The target URL: %s is unreachable.' % url) om.out.error('Error description: %s' % w3) except Exception, e: om.out.error('The target URL: %s is unreachable ' 'because of an unhandled exception.' % url) om.out.error('Error description: "%s". See debug ' 'output for more information.' % e) om.out.error('Traceback for this error: %s' % traceback.format_exc()) else: all_fuzzable_requests = create_fuzzable_requests(response) filtered_seeds = filter(in_scope, all_fuzzable_requests) for seed in filtered_seeds: self._out_queue.put((None, None, seed)) # Update the set that lives in the KB kb.kb.add_fuzzable_request(seed) self._out_queue.put(POISON_PILL)
def test_not_add_self(self): body = '' headers = Headers([('content-type', 'text/html')]) http_response = HTTPResponse(200, body, headers, self.url, self.url) request_lst = create_fuzzable_requests(http_response, add_self=False) self.assertEqual(len(request_lst), 0)