def test_dl_1(self, *args):
"""
ws link is dynamically created
"""
body = """header<script>new WebSocket(url("data"))
function url(s) {
var l = window.location;
return ((l.protocol === "https:") ? "wss://" : "ws://") +
l.hostname + (((l.port != 80) &&
(l.port != 443)) ? ":" + l.port : "") +
l.pathname + s;}</script>footer"""
url = URL('https://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEqual(
len(kb.kb.get('websockets_links', 'websockets_links')), 0)
def test_upload_file_using_fuzzable_request(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([('name', 'uploadedfile')])
form_params['uploadedfile'][0] = NamedStringIO('file content',
name='test.txt')
form_params.add_field_by_attr_items([('name', 'MAX_FILE_SIZE'),
('type', 'hidden'),
('value', '10000')])
mpc = MultipartContainer(form_params)
freq = FuzzableRequest(self.MOTH_FILE_UP_URL,
post_data=mpc,
method='POST')
resp = self.opener.send_mutant(freq)
self.assertIn('was successfully uploaded', resp.get_body())
def test_get_clean_body_simple(self):
payload = 'payload'
body = 'abc %s def' % payload
url = URL('http://w3af.com')
headers = Headers([('Content-Type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url)
freq = FuzzableRequest(URL('http://w3af.com/?a=1'))
created_mutants = FakeMutant.create_mutants(freq, [payload], [],
False, {})
mutant = created_mutants[0]
clean_body = get_clean_body(mutant, response)
self.assertEqual(clean_body, body.replace(payload, ''))
self.assertIsInstance(clean_body, unicode)
def test_mutant_creation_append(self):
qs = QueryString(self.SIMPLE_KV)
freq = FuzzableRequest(self.url)
freq.set_querystring(qs)
created_mutants = FakeMutant.create_mutants(freq, self.payloads, [],
True, self.fuzzer_config)
expected_dcs = [
'a=1abc&b=2',
'a=1&b=2abc',
'a=1def&b=2',
'a=1&b=2def',
]
created_dcs = [str(i.get_dc()) for i in created_mutants]
self.assertEquals(expected_dcs, created_dcs)
def test_get_clean_body_double_encoded(self):
payload = 'hello/world'
body = 'abc %s def' % urllib.quote_plus(urllib.quote_plus(payload))
url = URL('http://w3af.com')
headers = Headers([('Content-Type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url)
freq = FuzzableRequest(URL('http://w3af.com/?a=1'))
created_mutants = FakeMutant.create_mutants(freq, [payload], [], False,
{})
mutant = created_mutants[0]
clean_body = get_clean_body(mutant, response)
self.assertEqual(clean_body, 'abc def')
self.assertIsInstance(clean_body, unicode)
def test_cache_control_incorrect_headers(self):
"""
Sensitive content with INCORRECT cache control headers bug should be
stored in KB.
"""
body = 'abc'
url = URL('https://www.w3af.com/')
headers = Headers([('content-type', 'text/html'),
('Pragma', 'Cache'),
('Cache-Control', 'Store')])
request = FuzzableRequest(url, method='GET')
resp = HTTPResponse(200, body, headers, url, url, _id=1)
self.plugin.grep(request, resp)
self.plugin.end()
infos = kb.kb.get('cache_control', 'cache_control')
self.assertEquals(len(infos), 1)
def test_cache_control_no_headers(self):
"""
Sensitive content without cache control headers so bug is stored in KB.
"""
body = 'abc'
url = URL('https://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
request = FuzzableRequest(url, method='GET')
resp = HTTPResponse(200, body, headers, url, url, _id=1)
self.plugin.grep(request, resp)
self.plugin.end()
infos = kb.kb.get('cache_control', 'cache_control')
self.assertEquals(len(infos), 1)
info = infos[0]
self.assertEqual(info.get_name(), 'Missing cache control for HTTPS content')
def get_fuzzable_request(self):
"""
Creates a fuzzable request by querying different parts of the spec
parameters, operation, etc.
:return: A fuzzable request.
"""
method = self.get_method()
uri = self.get_uri()
headers = self.get_headers()
data_container = self.get_data_container(headers)
fuzzable_request = FuzzableRequest(uri,
headers=headers,
post_data=data_container,
method=method)
return fuzzable_request
def test_valid_results(self):
freq = FuzzableRequest(URL('http://www.w3af.com/foo/bar.htm'))
generated_mutants = FileNameMutant.create_mutants(
freq, self.payloads, [], False, self.fuzzer_config)
self.assertEqual(len(generated_mutants), 4, generated_mutants)
expected_urls = [
URL('http://www.w3af.com/foo/abc.htm'),
URL('http://www.w3af.com/foo/def.htm'),
URL('http://www.w3af.com/foo/bar.abc'),
URL('http://www.w3af.com/foo/bar.def')
]
generated_urls = [m.get_url() for m in generated_mutants]
self.assertEqual(expected_urls, generated_urls)
def test_should_inject_form_hidden(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("type", "text")])
form_params.add_field_by_attr_items([("name", "csrf_token"),
("type", "hidden")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/'),
post_data=form,
method='PUT')
m = PostDataMutant(freq)
m.get_dc().set_token(('username', 0))
self.assertFalse(self.plugin._should_inject(m, 'python'))
m.get_dc().set_token(('csrf_token', 0))
self.assertTrue(self.plugin._should_inject(m, 'python'))
def build_ws_upgrade_request(web_socket_url,
extra_headers=None,
web_socket_version=DEFAULT_PROTOCOL_VERSION,
origin=None):
"""
Create a GET request with the required HTTP headers to upgrade to web
sockets
:param web_socket_url: The URL instance where to upgrade
:param extra_headers: Any extra headers that will override the defaults
:param web_socket_version: The websocket version to use
:param origin: Origin header value
:return: An HTTP request
"""
request_headers = Headers()
request_headers['Sec-WebSocket-Key'] = gen_ws_sec_key()
for key, value in WEBSOCKET_UPGRADE_HEADERS.items():
request_headers[key] = value
if extra_headers is not None:
for key, value in extra_headers:
request_headers[key] = value
# Allows me to connect to web socket endpoints with different versions
request_headers['Sec-WebSocket-Version'] = str(web_socket_version)
if origin is not None:
request_headers['Origin'] = origin
else:
# If no origin is specified, guess:
scheme = 'https://' if 'wss://' in web_socket_url else 'http://'
args = (scheme, web_socket_url.get_domain())
request_headers['Origin'] = '%s%s' % args
# Replace the protocol so we can easily send a request
forged_url = web_socket_url.url_string.replace('wss://', 'https://', 1)
forged_url = forged_url.replace('ws://', 'http://', 1)
forged_url = URL(forged_url)
upgrade_request = FuzzableRequest(forged_url,
'GET',
headers=request_headers)
return upgrade_request
def test_form_file_post_no_files(self):
cf_singleton.save('fuzzable_headers', [])
cf_singleton.save('fuzz_cookies', False)
cf_singleton.save('fuzz_url_filenames', False)
cf_singleton.save('fuzzed_files_extension', 'gif')
cf_singleton.save('fuzz_form_files', True) # This one changed
cf_singleton.save('fuzz_url_parts', False)
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("value", "")])
form_params.add_field_by_attr_items([("name", "address"),
("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'),
post_data=form,
method='PUT')
mutants = create_mutants(freq, self.payloads)
self.assertTrue(all(isinstance(m, QSMutant) for m in mutants[:2]))
self.assertTrue(all(
isinstance(m, PostDataMutant) for m in mutants[4:]))
self.assertTrue(all(m.get_method() == 'PUT' for m in mutants))
expected_uris = {
'http://www.w3af.com/?id=abc', 'http://www.w3af.com/?id=def',
'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3',
'http://www.w3af.com/?id=3', 'http://www.w3af.com/?id=3'
}
created_uris = set([i.get_uri().url_string for i in mutants])
self.assertEqual(expected_uris, created_uris)
expected_dcs = {
'id=abc', 'id=def', 'username=abc&address=Bonsai%20Street%20123',
'username=def&address=Bonsai%20Street%20123',
'username=John8212&address=abc', 'username=John8212&address=def'
}
created_dcs = set([str(i.get_dc()) for i in mutants])
self.assertEqual(created_dcs, expected_dcs)
def test_equal(self):
u = URL('http://www.w3af.com/')
fr1 = FuzzableRequest(u)
fr2 = FuzzableRequest(u)
self.assertEqual(fr1, fr2)
fr1 = FuzzableRequest(URL("http://www.w3af.com/a"))
fr2 = FuzzableRequest(URL("http://www.w3af.com/b"))
self.assertNotEqual(fr1, fr2)
fr1 = FuzzableRequest(u)
fr2 = FuzzableRequest(u, method='POST')
self.assertNotEqual(fr1, fr2)
def test_valid_results(self):
cookie = Cookie('foo=bar; spam=eggs')
freq = FuzzableRequest(self.url, cookie=cookie)
generated_mutants = CookieMutant.create_mutants(
freq, self.payloads, [], False, self.fuzzer_config)
self.assertEqual(len(generated_mutants), 4, generated_mutants)
expected_cookies = [
'foo=bar; spam=abc', 'foo=def; spam=eggs', 'foo=abc; spam=eggs',
'foo=bar; spam=def'
]
generated_cookies = [str(m.get_cookie()) for m in generated_mutants]
self.assertEqual(set(expected_cookies), set(generated_cookies))
generated_cookies = [str(m.get_dc()) for m in generated_mutants]
self.assertEqual(set(expected_cookies), set(generated_cookies))
def test_is_token_checked_true(self):
generator = URL(
get_w3af_moth_http('/w3af/audit/csrf/secure-replay-allowed/'))
http_response = self.uri_opener.GET(generator)
# Please note that this freq holds a fresh/valid CSRF token
cookie = Cookie.from_http_response(http_response)
freq = FuzzableRequest(generator, cookie=cookie)
# FIXME:
# And I use this token here to get the original response, and if the
# application is properly developed, that token will be invalidated
# and that's where this algorithm fails.
original_response = self.uri_opener.send_mutant(freq)
token = {'token': 'cc2544ba4af772c31bc3da928e4e33a8'}
checked = self.csrf_plugin._is_token_checked(freq, token,
original_response)
self.assertTrue(checked)
def test_forced_url_parts(self):
freq = FuzzableRequest(URL('http://www.w3af.com/static/foo/bar.ext'))
freq.set_force_fuzzing_url_parts([('/static/', False), ('foo', True),
('/bar.', False), ('ext', True)])
generated_mutants = URLPartsMutant.create_mutants(
freq, self.payloads, [], False, self.fuzzer_config)
expected_urls = [
'http://www.w3af.com/static/abc/bar.ext',
'http://www.w3af.com/static/def/bar.ext',
'http://www.w3af.com/static/foo/bar.abc',
'http://www.w3af.com/static/foo/bar.def'
]
generated_urls = set(
[m.get_url().url_string for m in generated_mutants])
self.assertEqual(set(expected_urls), generated_urls)
def test_user_defined_regex(self):
body = '<html><head><script>xhr = new XMLHttpRequest(); xhr.open(GET, "data.txt", true);'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
options = self.plugin.get_options()
options['single_regex'].set_value('".*?"')
self.plugin.set_options(options)
self.plugin.grep(request, response)
self.assertEquals(
len(kb.kb.get('user_defined_regex', 'user_defined_regex')), 1)
info_obj = kb.kb.get('user_defined_regex', 'user_defined_regex')[0]
self.assertTrue(info_obj.get_desc().startswith(
'User defined regular expression "'))
self.assertIn('data.txt', info_obj.get_desc())
def test_d1(self, *args):
"""
Vulnerable to MITM with double password input
"""
body = 'header <form action="https://www.w3af.com/">' \
'<input type="password" name="passwd1" />' \
'<input type="password" name="passwd2" />' \
'</form>footer'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEqual(
len(kb.kb.get('form_cleartext_password',
'form_cleartext_password')), 1)
self.assertEqual(
kb.kb.get('form_cleartext_password', 'form_cleartext_password')
[0].get_name() == 'Insecure password form access over HTTP', 1)
def test_teardown_with_must_stop_exception(self):
w3af_core = w3afCore()
xss_instance = xss()
xss_instance.set_url_opener(w3af_core.uri_opener)
xss_instance.set_worker_pool(w3af_core.worker_pool)
audit_plugins = [xss_instance]
audit_consumer = audit(audit_plugins, w3af_core)
audit_consumer.start()
url = 'http://w3af.org/?id=1'
httpretty.register_uri(httpretty.GET,
url,
body='hello world',
content_type='application/html')
url = URL(url)
fr = FuzzableRequest(url)
# This will trigger a few HTTP requests to the target URL which will
# also initialize all the xss plugin internals to be able to run end()
# later.
audit_consumer.in_queue_put(fr)
kb.kb.add_fuzzable_request(fr)
# Now that xss.audit() was called, we want to simulate network errors
# that will put the uri opener in a state where it always answers with
# ScanMustStopException
w3af_core.uri_opener._stop_exception = ScanMustStopException('mock')
# And now we just call terminate() which injects the poison pill and will
# call teardown, which should call xss.end(), which should try to send HTTP
# requests, which will raise a ScanMustStopException
with patch('w3af.core.controllers.core_helpers.consumers.audit.om.out'
) as om_mock:
audit_consumer.terminate()
msg = ('Spent 0.00 seconds running xss.end() until a scan must'
' stop exception was raised.')
self.assertIn(call.debug(msg), om_mock.mock_calls)
def test_mutant_generic_methods(self):
qs = QueryString(self.SIMPLE_KV)
freq = FuzzableRequest(self.url)
freq.set_querystring(qs)
created_mutants = FakeMutant.create_mutants(freq, self.payloads, [],
False, self.fuzzer_config)
mutant = created_mutants[0]
self.assertEqual(repr(mutant),
'<mutant-generic | GET | http://moth/?a=abc&b=2 >')
self.assertNotEqual(id(mutant.copy()), id(mutant))
self.assertRaises(ValueError, mutant.get_original_response_body)
body = 'abcdef123'
mutant.set_original_response_body(body)
self.assertEqual(mutant.get_original_response_body(), body)
def test_no_cookie_in_request(self):
cf_singleton.save('fuzzable_headers', [])
cf_singleton.save('fuzz_cookies', True) # This one changed
cf_singleton.save('fuzz_url_filenames', False)
cf_singleton.save('fuzzed_files_extension', 'gif')
cf_singleton.save('fuzz_form_files', False)
cf_singleton.save('fuzz_url_parts', False)
url = URL('http://moth/?id=1')
# But there is no cookie
freq = FuzzableRequest(url)
generated_mutants = create_mutants(freq, self.payloads)
expected_urls = ['http://moth/?id=abc', 'http://moth/?id=def']
generated_urls = [m.get_uri().url_string for m in generated_mutants]
self.assertEqual(generated_urls, expected_urls)
self.assertAllInstance(generated_mutants, QSMutant)
self.assertAllHaveTokens(generated_mutants)
def test_handles_404_exception(self):
body = '<meta test="user/pass"></script>'
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
request = FuzzableRequest(url, method='GET')
resp = HTTPResponse(200, body, headers, url, url, _id=1)
with patch('w3af.plugins.grep.meta_tags.is_404') as is_404_mock,\
patch('w3af.core.controllers.plugins.grep_plugin.om.out') as om_mock:
msg = 'Exception found while detecting 404: "UnitTest"'
is_404_mock.side_effect = FourOhFourDetectionException(msg)
self.plugin.grep_wrapper(request, resp)
ecall = call.debug(msg)
vulns = kb.kb.get('meta_tags', 'meta_tags')
self.assertIn(ecall, om_mock.mock_calls)
self.assertEqual(vulns, [])
def test_no_code_disclosure(self, *args):
body = """Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Integer
eu lacus accumsan arcu fermentum euismod. Donec pulvinar porttitor
tellus. Aliquam venenatis. Donec facilisis pharetra tortor. In nec
mauris eget magna consequat convallis. Nam sed sem vitae odio
pellentesque interdum. Sed consequat viverra nisl. Suspendisse arcu
metus, blandit quis, rhoncus <a>,</a> pharetra eget, velit. Mauris
urna. Morbi nonummy molestie orci. Praesent nisi elit, fringilla ac,
suscipit non, tristique vel, ma<?uris. Curabitur vel lorem id nisl porta
adipiscing. Suspendisse eu lectus. In nunc. Duis vulputate tristique
enim. Donec quis lectus a justo imperdiet tempus."""
url = URL('http://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
self.assertEqual(len(kb.kb.get('code_disclosure', 'code_disclosure')),
0)
def test_image_with_text_html_content_type(self, *args):
"""
Verify that our plugins don't break when we send them an image with
a text/html content type.
"""
file_path = os.path.join(ROOT_PATH, 'plugins', 'tests', 'grep', 'data',
'w3af.png')
body = file(file_path).read()
# Here is the change from the previous test:
hdrs = Headers({'Content-Type': 'text/html'}.items())
response = HTTPResponse(200,
body,
hdrs,
self.url_inst,
self.url_inst,
_id=random.randint(1, 5000))
request = FuzzableRequest(self.url_inst)
for pinst in self._plugins:
pinst.grep(request, response)
def test_analyze_cookies_collect_one(self):
body = ''
url = URL('http://www.w3af.com/')
headers = Headers({
'content-type': 'text/html',
'Set-Cookie': 'abc=def'
}.items())
response = HTTPResponse(200, body, headers, url, url, _id=1)
request = FuzzableRequest(url, method='GET')
self.plugin.grep(request, response)
cookie_infosets = kb.kb.get('analyze_cookies', 'cookies')
self.assertEqual(len(cookie_infosets), 1)
expected_desc = u'The application sent the "abc" cookie in 1 ' \
u'different URLs. The first ten URLs are:\n' \
u' - http://www.w3af.com/\n'
info_set = cookie_infosets[0]
self.assertEqual(len(info_set.infos), 1)
self.assertEqual(info_set.get_desc(), expected_desc)
def test_cache_control_correct_meta(self):
"""
Sensitive content with cache control meta tags so no bug is stored in KB.
"""
body = 'abc'
meta_1 = '<meta http-equiv="Pragma" content="no-cache">'
meta_2 = '<meta http-equiv="Cache-Control" content="no-store">'
html = '<html><head>%s%s</head><body>%s</body></html>'
response_body = html % (meta_1, meta_2, body)
url = URL('https://www.w3af.com/')
headers = Headers([('content-type', 'text/html')])
request = FuzzableRequest(url, method='GET')
resp = HTTPResponse(200, response_body, headers, url, url, _id=1)
self.plugin.grep(request, resp)
self.plugin.end()
infos = kb.kb.get('cache_control', 'cache_control')
self.assertEquals(len(infos), 0)
def test_dump_mangle(self):
fr = FuzzableRequest(URL('http://www.w3af.com/'),
headers=Headers([('Host', 'www.w3af.com')]))
expected = u'\r\n'.join([
u'GET http://www.w3af.com/ HTTP/1.1', u'Host: www.w3af.com', u'',
u''
])
self.assertEqual(fr.dump(), expected)
fr.set_method('POST')
fr.set_data(KeyValueContainer(init_val=[('data', ['23'])]))
expected = u'\r\n'.join([
u'POST http://www.w3af.com/ HTTP/1.1', u'Host: www.w3af.com', u'',
u'data=23'
])
self.assertEqual(fr.dump(), expected)
def test_dump_mangle(self):
fr = FuzzableRequest(URL("http://www.w3af.com/"),\
headers=Headers([('Host','www.w3af.com'),]))
expected = u'\r\n'.join([
u'GET http://www.w3af.com/ HTTP/1.1', u'Host: www.w3af.com', u'',
u''
])
self.assertEqual(fr.dump(), expected)
fr.set_method('POST')
fr.set_data('data=23')
expected = u'\r\n'.join([
u'POST http://www.w3af.com/ HTTP/1.1', u'Host: www.w3af.com', u'',
u'data=23'
])
self.assertEqual(fr.dump(), expected)
def _parse_xssed_vuln_page(self, xss_report_response):
"""
Parse the HTTP response for a vulnerability page such as
http://www.xssed.com/mirror/76754/ and create the vulnerability object
to the KB.
"""
body = xss_report_response.get_body()
url_matches = self.XSSED_URL_RE.findall(body)
for xss_url in url_matches:
# Ugly but required because of how xssed.com writes stuff
xss_url = xss_url.replace('<br>', '')
xss_url = htmldecode(xss_url)
xss_url = urllib2.unquote(xss_url)
xss_url = URL(xss_url)
if self.UNFIXED in xss_report_response.get_body():
vuln_severity = severity.HIGH
verb = 'contains'
else:
vuln_severity = severity.LOW
verb = 'contained'
desc_fmt = ('According to xssed.com the target domain %s a XSS'
' vulnerability, see %s for more information')
desc = desc_fmt % (verb, xss_report_response.get_url())
v = Vuln('Potential XSS vulnerability', desc, vuln_severity,
xss_report_response.id, self.get_name())
v.set_url(xss_url)
#
# Add the fuzzable request, this is useful if I have the
# XSS plugin enabled because it will re-test this and
# possibly confirm the vulnerability
#
fr = FuzzableRequest(xss_url)
self.output_queue.put(fr)
# Save the vuln to the KB and print to output
self.kb_append(self, 'xss', v)
def test_special_url_characters(self):
initial_url = 'http://w3af.org/' \
'?__VIEWSTATE=/' \
'&__EVENTVALIDATION=\\X+W==' \
'&_ctl0:TextBox1=%s'
url = URL(initial_url % '')
freq = FuzzableRequest(url)
generated_mutants = create_mutants(freq, self.payloads)
decoded_url = 'http://w3af.org/' \
'?__VIEWSTATE=/' \
'&__EVENTVALIDATION=\\X%%20W==' \
'&_ctl0:TextBox1=%s'
expected_urls = [decoded_url % 'abc', decoded_url % 'def']
generated_urls = [str(m.get_uri()) for m in generated_mutants]
self.assertEqual(generated_urls, expected_urls)
self.assertAllInstance(generated_mutants, QSMutant)
self.assertAllHaveTokens(generated_mutants)
