def test_error_null_byte(self): """ https://github.com/andresriancho/w3af/issues/12924 """ plugin_instance = xml_file() plugin_instance.error('\0') plugin_instance.flush()
def test_error_null_byte(self): """ https://github.com/andresriancho/w3af/issues/12924 """ plugin_instance = xml_file() plugin_instance.error("\0") plugin_instance.flush()
def test_no_duplicate_vuln_reports(self): # The xml_file plugin had a bug where vulnerabilities were written to # disk multiple times, this test makes sure I fixed that vulnerability # First we create one vulnerability in the KB self.kb.cleanup() desc = 'Just a test for the XML file output plugin.' v = Vuln('SQL injection', desc, severity.HIGH, 1, 'sqli') self.kb.append('sqli', 'sqli', v) self.assertEqual(len(self.kb.get_all_vulns()), 1) # Setup the plugin plugin_instance = xml_file() # Set the output file for the unittest ol = OptionList() d = 'Output file name where to write the XML data' o = opt_factory('output_file', self.FILENAME, d, OUTPUT_FILE) ol.add(o) # Then we flush() twice to disk, this reproduced the issue plugin_instance.set_options(ol) plugin_instance.flush() plugin_instance.flush() plugin_instance.flush() # Now we parse the vulnerabilities from disk and confirm only one # is there file_vulns = self._from_xml_get_vulns(self.FILENAME) self.assertEqual(len(file_vulns), 1, file_vulns)
def test_render_attr_with_special_chars(self): _id = 2 name = 'A long description with special characters: <&">' vuln = MockVuln(_id=_id) vuln.set_name(name) url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() x = xml_file() finding = Finding(x._get_jinja2_env(), vuln) xml = finding.to_string() self.assertNotIn(name, xml) self.assertIn('A long description with special characters: <&">', xml) self.assertValidXML(xml)
def test_render_with_special_chars(self): _id = 2 desc = ('This is a long description that contains some special' ' characters such as <, & and > which MUST be encoded' ' by jinja2.') vuln = MockVuln(_id=_id) vuln.set_desc(desc) url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() x = xml_file() finding = Finding(x._get_jinja2_env(), vuln) xml = finding.to_string() self.assertNotIn('such as <, & and > which MUST', xml) self.assertIn('such as <, & and > which MUST', xml) self.assertValidXML(xml)
def test_render_with_unicode_control_chars(self): _id = 2 desc = ('This is a long description that contains some special' ' unicode control characters such as \f and \x09') vuln = MockVuln(_id=_id) vuln.set_desc(desc) url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() x = xml_file() finding = Finding(x._get_jinja2_env(), vuln) xml = finding.to_string() self.assertNotIn('unicode control characters such as \f and \x09', xml) self.assertIn('unicode control characters such as <character code="000c"/> and <character code="0009"/>', xml) self.assertValidXML(xml)
def test_render_with_unicode_control_chars(self): _id = 2 desc = ('This is a long description that contains some special' ' unicode control characters such as \f and \x09') vuln = MockVuln(_id=_id) vuln.set_desc(desc) url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() x = xml_file() finding = Finding(x._get_jinja2_env(), vuln) xml = finding.to_string() self.assertNotIn('unicode control characters such as \f and \x09', xml) self.assertIn( 'unicode control characters such as <character code="000c"/> and <character code="0009"/>', xml) self.assertValidXML(xml)
def test_render_attr_with_special_chars(self): _id = 2 name = 'A long description with special characters: <&">' vuln = MockVuln(_id=_id) vuln.set_name(name) url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() x = xml_file() finding = Finding(x._get_jinja2_env(), vuln) xml = finding.to_string() self.assertNotIn(name, xml) self.assertIn( 'A long description with special characters: <&">', xml) self.assertValidXML(xml)
def test_error_null_byte(self): w3af_core = w3afCore() w3af_core.status.start() plugin_instance = xml_file() plugin_instance.set_w3af_core(w3af_core) # https://github.com/andresriancho/w3af/issues/12924 plugin_instance.error('\0') plugin_instance.flush()
def test_render_unicode_bytestring(self): vuln = MockVuln(name='á') vuln.set_id([]) x = xml_file() finding = Finding(x._get_jinja2_env(), vuln) xml = finding.to_string() self.assertIn(u'á', xml) self.assertValidXML(xml)
def test_render_url_special_chars(self): self.maxDiff = None _id = 2 vuln = MockVuln(_id=_id) url = URL( u'https://w3af.com/._basebind/node_modules/lodash._basecreate/' u'LICENSE.txt\x00=ڞ') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) vuln.set_uri(url) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() x = xml_file() finding = Finding(x._get_jinja2_env(), vuln) xml = finding.to_string() expected = ( u'<vulnerability id="[2]" method="GET" name="TestCase" plugin="plugin_name" severity="High" url="https://w3af.com/._basebind/node_modules/lodash._basecreate/LICENSE.txt<character code="0000"/>=\u069e" var="None">\n' u' <description>Foo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggs</description>\n\n\n' u' <http-transactions>\n' u' <http-transaction id="2">\n\n' u' <http-request>\n' u' <status>POST https://w3af.com/._basebind/node_modules/lodash._basecreate/LICENSE.txt%00=%DA%9E HTTP/1.1</status>\n' u' <headers>\n' u' <header field="User-agent" content="w3af" />\n' u' </headers>\n' u' <body content-encoding="base64">YT0x\n</body>\n' u' </http-request>\n\n' u' <http-response>\n' u' <status>HTTP/1.1 200 OK</status>\n' u' <headers>\n' u' <header field="Content-Type" content="text/html" />\n' u' </headers>\n' u' <body content-encoding="base64">PGh0bWw+\n</body>\n' u' </http-response>\n\n' u'</http-transaction>\n' u' </http-transactions>\n' u'</vulnerability>') self.assertEqual(xml, expected) self.assertValidXML(xml)
def test_render_simple(self): w3af_core = w3afCore() w3af_core.status.start() w3af_core.status.set_running_plugin('crawl', 'web_spider') status = w3af_core.status.get_status_as_dict() total_urls = 150 x = xml_file() scan_status = ScanStatus(x._get_jinja2_env(), status, total_urls) xml = scan_status.to_string() self.maxDiff = None expected = (u'<scan-status>\n' u' <status>Running</status>\n' u' <is-paused>False</is-paused>\n' u' <is-running>True</is-running>\n' u'\n' u' <active-plugin>\n' u' <crawl>web_spider</crawl>\n' u' <audit>None</audit>\n' u' </active-plugin>\n' u'\n' u' <current-request>\n' u' <crawl>None</crawl>\n' u' <audit>None</audit>\n' u' </current-request>\n' u'\n' u' <queues>\n' u' <crawl>\n' u' <input-speed>None</input-speed>\n' u' <output-speed>None</output-speed>\n' u' <length>None</length>\n' u' </crawl>\n' u'\n' u' <audit>\n' u' <input-speed>None</input-speed>\n' u' <output-speed>None</output-speed>\n' u' <length>None</length>\n' u' </audit>\n' u' </queues>\n' u'\n' u' <eta>\n' u' <crawl>None</crawl>\n' u' <audit>None</audit>\n' u' </eta>\n' u'\n' u' <rpm>0</rpm>\n' u'\n' u' <total-urls>150</total-urls>\n' u'</scan-status>') self.assertEqual(xml, expected) self.assertValidXML(xml)
def test_render_simple(self): w3af_core = w3afCore() w3af_core.plugins.set_plugins(['sqli'], 'audit') w3af_core.plugins.set_plugins(['web_spider'], 'crawl') plugin_inst = w3af_core.plugins.get_plugin_inst('crawl', 'web_spider') web_spider_options = plugin_inst.get_options() w3af_core.plugins.set_plugin_options('crawl', 'web_spider', web_spider_options) plugins_dict = w3af_core.plugins.get_all_enabled_plugins() options_dict = w3af_core.plugins.get_all_plugin_options() scan_target = 'https://w3af.org' x = xml_file() scan_info = ScanInfo(x._get_jinja2_env(), scan_target, plugins_dict, options_dict) xml = scan_info.to_string() expected = ( u'<scan-info target="https://w3af.org">\n' u' <audit>\n' u' <plugin name="sqli">\n' u' </plugin>\n' u' </audit>\n' u' <infrastructure>\n' u' </infrastructure>\n' u' <bruteforce>\n' u' </bruteforce>\n' u' <grep>\n' u' </grep>\n' u' <evasion>\n' u' </evasion>\n' u' <output>\n' u' </output>\n' u' <mangle>\n' u' </mangle>\n' u' <crawl>\n' u' <plugin name="web_spider">\n' u' <config parameter="only_forward" value="False"/>\n' u' <config parameter="follow_regex" value=".*"/>\n' u' <config parameter="ignore_regex" value=""/>\n' u' </plugin>\n' u' </crawl>\n' u' <auth>\n' u' </auth>\n' u'</scan-info>') self.assertEqual(xml, expected) self.assertValidXML(xml)
def test_cache(self): url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) _id = 2 h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() x = xml_file() http_transaction = HTTPTransaction(x._get_jinja2_env(), _id) self.assertIsNone(http_transaction.get_node_from_cache()) # Writes to cache xml = http_transaction.to_string() expected = ( u'<http-transaction id="2">\n\n' u' <http-request>\n' u' <status>POST http://w3af.com/a/b/c.php HTTP/1.1</status>\n' u' <headers>\n' u' <header field="User-agent" content="w3af" />\n' u' </headers>\n' u' <body content-encoding="base64">YT0x\n</body>\n' u' </http-request>\n\n' u' <http-response>\n' u' <status>HTTP/1.1 200 OK</status>\n' u' <headers>\n' u' <header field="Content-Type" content="text/html" />\n' u' </headers>\n' u' <body content-encoding="base64">PGh0bWw+\n</body>\n' u' </http-response>\n\n</http-transaction>') self.assertEqual(expected, xml) # Yup, we're cached self.assertIsNotNone(http_transaction.get_node_from_cache()) # Make sure they are all the same cached_xml = http_transaction.get_node_from_cache() self.assertEqual(cached_xml, expected) xml = http_transaction.to_string() self.assertEqual(expected, xml)
def test_cache(self): url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) _id = 2 h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() x = xml_file() http_transaction = HTTPTransaction(x._get_jinja2_env(), _id) self.assertIsNone(http_transaction.get_node_from_cache()) # Writes to cache xml = http_transaction.to_string() expected = (u'<http-transaction id="2">\n\n' u' <http-request>\n' u' <status>POST http://w3af.com/a/b/c.php HTTP/1.1</status>\n' u' <headers>\n' u' <header field="User-agent" content="w3af" />\n' u' </headers>\n' u' <body content-encoding="base64">YT0x\n</body>\n' u' </http-request>\n\n' u' <http-response>\n' u' <status>HTTP/1.1 200 OK</status>\n' u' <headers>\n' u' <header field="Content-Type" content="text/html" />\n' u' </headers>\n' u' <body content-encoding="base64">PGh0bWw+\n</body>\n' u' </http-response>\n\n</http-transaction>') self.assertEqual(expected, xml) # Yup, we're cached self.assertIsNotNone(http_transaction.get_node_from_cache()) # Make sure they are all the same cached_xml = http_transaction.get_node_from_cache() self.assertEqual(cached_xml, expected) xml = http_transaction.to_string() self.assertEqual(expected, xml)
def test_render_simple(self): w3af_core = w3afCore() w3af_core.plugins.set_plugins(['sqli'], 'audit') w3af_core.plugins.set_plugins(['web_spider'], 'crawl') plugin_inst = w3af_core.plugins.get_plugin_inst('crawl', 'web_spider') web_spider_options = plugin_inst.get_options() w3af_core.plugins.set_plugin_options('crawl', 'web_spider', web_spider_options) plugins_dict = w3af_core.plugins.get_all_enabled_plugins() options_dict = w3af_core.plugins.get_all_plugin_options() scan_target = 'https://w3af.org' x = xml_file() scan_info = ScanInfo(x._get_jinja2_env(), scan_target, plugins_dict, options_dict) xml = scan_info.to_string() expected = (u'<scan-info target="https://w3af.org">\n' u' <audit>\n' u' <plugin name="sqli">\n' u' </plugin>\n' u' </audit>\n' u' <infrastructure>\n' u' </infrastructure>\n' u' <bruteforce>\n' u' </bruteforce>\n' u' <grep>\n' u' </grep>\n' u' <evasion>\n' u' </evasion>\n' u' <output>\n' u' </output>\n' u' <mangle>\n' u' </mangle>\n' u' <crawl>\n' u' <plugin name="web_spider">\n' u' <config parameter="only_forward" value="False"/>\n' u' <config parameter="follow_regex" value=".*"/>\n' u' <config parameter="ignore_regex" value=""/>\n' u' </plugin>\n' u' </crawl>\n' u' <auth>\n' u' </auth>\n' u'</scan-info>') self.assertEqual(xml, expected) self.assertValidXML(xml)
def test_render_simple(self): _id = 2 vuln = MockVuln(_id=_id) url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() x = xml_file() finding = Finding(x._get_jinja2_env(), vuln) xml = finding.to_string() expected = ( u'<vulnerability id="[2]" method="GET" name="TestCase" plugin="plugin_name" severity="High" url="None" var="None">\n' u' <description>Foo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggs</description>\n\n\n' u' <http-transactions>\n' u' <http-transaction id="2">\n\n' u' <http-request>\n' u' <status>POST http://w3af.com/a/b/c.php HTTP/1.1</status>\n' u' <headers>\n' u' <header field="User-agent" content="w3af" />\n' u' </headers>\n' u' <body content-encoding="base64">YT0x\n</body>\n' u' </http-request>\n\n' u' <http-response>\n' u' <status>HTTP/1.1 200 OK</status>\n' u' <headers>\n' u' <header field="Content-Type" content="text/html" />\n' u' </headers>\n' u' <body content-encoding="base64">PGh0bWw+\n</body>\n' u' </http-response>\n\n' u'</http-transaction>\n' u' </http-transactions>\n' u'</vulnerability>') self.assertEqual(xml, expected) self.assertValidXML(xml)
def test_no_duplicate_vuln_reports(self): # The xml_file plugin had a bug where vulnerabilities were written to # disk multiple times, this test makes sure I fixed that vulnerability # Write the HTTP request / response to the DB url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>syntax error near', hdr, url, url) _id = 1 h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() # Create one vulnerability in the KB pointing to the request- # response we just created desc = 'Just a test for the XML file output plugin.' v = Vuln('SQL injection', desc, severity.HIGH, _id, 'sqli') kb.kb.append('sqli', 'sqli', v) self.assertEqual(len(kb.kb.get_all_vulns()), 1) # Setup the plugin plugin_instance = xml_file() plugin_instance.set_w3af_core(self.w3af_core) # Set the output file for the unittest ol = OptionList() d = 'Output file name where to write the XML data' o = opt_factory('output_file', self.FILENAME, d, OUTPUT_FILE) ol.add(o) # Then we flush() twice to disk, this reproduced the issue plugin_instance.set_options(ol) plugin_instance.flush() plugin_instance.flush() plugin_instance.flush() # Now we parse the vulnerabilities from disk and confirm only one # is there file_vulns = get_vulns_from_xml(self.FILENAME) self.assertEqual(len(file_vulns), 1, file_vulns)
def test_no_duplicate_vuln_reports(self): # The xml_file plugin had a bug where vulnerabilities were written to # disk multiple times, this test makes sure I fixed that vulnerability # Write the HTTP request / response to the DB url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>syntax error near', hdr, url, url) _id = 1 h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() # Create one vulnerability in the KB pointing to the request- # response we just created desc = 'Just a test for the XML file output plugin.' v = Vuln('SQL injection', desc, severity.HIGH, _id, 'sqli') kb.kb.append('sqli', 'sqli', v) self.assertEqual(len(kb.kb.get_all_vulns()), 1) # Setup the plugin plugin_instance = xml_file() # Set the output file for the unittest ol = OptionList() d = 'Output file name where to write the XML data' o = opt_factory('output_file', self.FILENAME, d, OUTPUT_FILE) ol.add(o) # Then we flush() twice to disk, this reproduced the issue plugin_instance.set_options(ol) plugin_instance.flush() plugin_instance.flush() plugin_instance.flush() # Now we parse the vulnerabilities from disk and confirm only one # is there file_vulns = get_vulns_from_xml(self.FILENAME) self.assertEqual(len(file_vulns), 1, file_vulns)
def test_render_simple(self): _id = 2 vuln = MockVuln(_id=_id) url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() x = xml_file() finding = Finding(x._get_jinja2_env(), vuln) xml = finding.to_string() expected = (u'<vulnerability id="[2]" method="GET" name="TestCase" plugin="plugin_name" severity="High" url="None" var="None">\n' u' <description>Foo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggsFoo bar spam eggs</description>\n\n\n' u' <http-transactions>\n' u' <http-transaction id="2">\n\n' u' <http-request>\n' u' <status>POST http://w3af.com/a/b/c.php HTTP/1.1</status>\n' u' <headers>\n' u' <header field="User-agent" content="w3af" />\n' u' </headers>\n' u' <body content-encoding="base64">YT0x\n</body>\n' u' </http-request>\n\n' u' <http-response>\n' u' <status>HTTP/1.1 200 OK</status>\n' u' <headers>\n' u' <header field="Content-Type" content="text/html" />\n' u' </headers>\n' u' <body content-encoding="base64">PGh0bWw+\n</body>\n' u' </http-response>\n\n' u'</http-transaction>\n' u' </http-transactions>\n' u'</vulnerability>') self.assertEqual(xml, expected) self.assertValidXML(xml)
def test_render_simple(self): url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) _id = 1 h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() x = xml_file() http_transaction = HTTPTransaction(x._get_jinja2_env(), _id) xml = http_transaction.to_string() expected = ( u'<http-transaction id="1">\n\n' u' <http-request>\n' u' <status>POST http://w3af.com/a/b/c.php HTTP/1.1</status>\n' u' <headers>\n' u' <header field="User-agent" content="w3af" />\n' u' </headers>\n' u' <body content-encoding="base64">YT0x\n</body>\n' u' </http-request>\n\n' u' <http-response>\n' u' <status>HTTP/1.1 200 OK</status>\n' u' <headers>\n' u' <header field="Content-Type" content="text/html" />\n' u' </headers>\n' u' <body content-encoding="base64">PGh0bWw+\n</body>\n' u' </http-response>\n\n</http-transaction>') self.assertEqual(expected, xml) self.assertValidXML(xml)
def test_render_simple(self): url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) _id = 1 h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() x = xml_file() http_transaction = HTTPTransaction(x._get_jinja2_env(), _id) xml = http_transaction.to_string() expected = (u'<http-transaction id="1">\n\n' u' <http-request>\n' u' <status>POST http://w3af.com/a/b/c.php HTTP/1.1</status>\n' u' <headers>\n' u' <header field="User-agent" content="w3af" />\n' u' </headers>\n' u' <body content-encoding="base64">YT0x\n</body>\n' u' </http-request>\n\n' u' <http-response>\n' u' <status>HTTP/1.1 200 OK</status>\n' u' <headers>\n' u' <header field="Content-Type" content="text/html" />\n' u' </headers>\n' u' <body content-encoding="base64">PGh0bWw+\n</body>\n' u' </http-response>\n\n</http-transaction>') self.assertEqual(expected, xml) self.assertValidXML(xml)
def test_cache_works_as_expected(self): # # Cache starts empty # cache = FindingsCache() self.assertEquals(cache.list(), []) # # Create two vulnerabilities with their HTTP requests and responses # _id = 1 name = 'I have a name' vuln1 = MockVuln(_id=_id) vuln1.set_name(name) url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) h1 = HistoryItem() h1.request = request res.set_id(_id) h1.response = res h1.save() _id = 2 name = 'Just a name' vuln2 = MockVuln(_id=_id) vuln2.set_name(name) url = URL('http://w3af.com/a/b/c.php') hdr = Headers([('User-Agent', 'w3af')]) request = HTTPRequest(url, data='a=1') request.set_headers(hdr) hdr = Headers([('Content-Type', 'text/html')]) res = HTTPResponse(200, '<html>', hdr, url, url) h2 = HistoryItem() h2.request = request res.set_id(_id) h2.response = res h2.save() # # Save one vulnerability to the KB and call the cache-user # kb.kb.append('a', 'b', vuln1) x = xml_file() list(x.findings()) self.assertEquals(cache.list(), [vuln1.get_uniq_id()]) # # Save another vulnerability to the KB and call the cache-user # kb.kb.append('a', 'c', vuln2) list(x.findings()) expected = {vuln1.get_uniq_id(), vuln2.get_uniq_id()} self.assertEquals(set(cache.list()), expected) # # Remove one vulnerability and see how it is removed from the cache # kb.kb.raw_write('a', 'c', 'noop') list(x.findings()) expected = {vuln1.get_uniq_id()} self.assertEquals(set(cache.list()), expected)
def test_render_simple(self): w3af_core = w3afCore() w3af_core.status.start() w3af_core.status.set_running_plugin('crawl', 'web_spider') status = w3af_core.status.get_status_as_dict() known_urls = URLTree() known_urls.add_url(URL('http://w3af.org/')) known_urls.add_url(URL('http://w3af.org/foo/')) known_urls.add_url(URL('http://w3af.org/foo/abc.html')) known_urls.add_url(URL('http://w3af.org/foo/bar/')) known_urls.add_url(URL('http://w3af.org/123.txt')) total_urls = 150 x = xml_file() scan_status = ScanStatus(x._get_jinja2_env(), status, total_urls, known_urls) xml = scan_status.to_string() self.maxDiff = None expected = ( u'<scan-status>\n' u' <status>Running</status>\n' u' <is-paused>False</is-paused>\n' u' <is-running>True</is-running>\n' u'\n' u' <active-plugin>\n' u' <crawl>web_spider</crawl>\n' u' <audit>None</audit>\n' u' </active-plugin>\n' u'\n' u' <current-request>\n' u' <crawl>None</crawl>\n' u' <audit>None</audit>\n' u' </current-request>\n' u'\n' u' <queues>\n' u' <crawl>\n' u' <input-speed>0</input-speed>\n' u' <output-speed>0</output-speed>\n' u' <length>0</length>\n' u' <processed-tasks>0</processed-tasks>\n' u' </crawl>\n' u'\n' u' <audit>\n' u' <input-speed>0</input-speed>\n' u' <output-speed>0</output-speed>\n' u' <length>0</length>\n' u' <processed-tasks>0</processed-tasks>\n' u' </audit>\n' u'\n' u' <grep>\n' u' <input-speed>0</input-speed>\n' u' <output-speed>0</output-speed>\n' u' <length>0</length>\n' u' <processed-tasks>None</processed-tasks>\n' u' </grep>\n' u' </queues>\n' u'\n' u' <eta>\n' u' <crawl>0 seconds.</crawl>\n' u' <audit>0 seconds.</audit>\n' u' <grep>0 seconds.</grep>\n' u' <all>0 seconds.</all>\n' u' </eta>\n' u'\n' u' <rpm>0</rpm>\n' u' <sent-request-count>0</sent-request-count>\n' u' <progress>100</progress>\n' u'\n' u' <total-urls>150</total-urls>\n' u' <known-urls> \n' u' <node url="http://w3af.org">\n' u' \n' u' <node url="foo">\n' u' \n' u' <node url="bar" /> \n' u' <node url="abc.html" />\n' u' \n' u' </node> \n' u' <node url="123.txt" />\n' u' \n' u' </node>\n' u' </known-urls>\n' u'</scan-status>') self.assertEqual(xml, expected) self.assertValidXML(xml)