mirror of
https://github.com/Grasscutters/mitmproxy.git
synced 2024-11-26 18:18:25 +00:00
added add-ons that enhance the performance of web application scanners. (#3961)
* added add-ons that enhance the performance of web application scanners. Co-authored-by: weichweich <14820950+weichweich@users.noreply.github.com>
This commit is contained in:
parent
f4aa3ee11c
commit
7fdcbb09e6
0
examples/complex/webscanner_helper/__init__.py
Normal file
0
examples/complex/webscanner_helper/__init__.py
Normal file
144
examples/complex/webscanner_helper/mapping.py
Normal file
144
examples/complex/webscanner_helper/mapping.py
Normal file
@ -0,0 +1,144 @@
|
|||||||
|
import copy
|
||||||
|
import logging
|
||||||
|
import typing
|
||||||
|
from typing import Dict
|
||||||
|
|
||||||
|
from bs4 import BeautifulSoup
|
||||||
|
|
||||||
|
from mitmproxy.http import HTTPFlow
|
||||||
|
from examples.complex.webscanner_helper.urldict import URLDict
|
||||||
|
|
||||||
|
NO_CONTENT = object()
|
||||||
|
|
||||||
|
|
||||||
|
class MappingAddonConfig:
|
||||||
|
HTML_PARSER = "html.parser"
|
||||||
|
|
||||||
|
|
||||||
|
class MappingAddon:
|
||||||
|
""" The mapping add-on can be used in combination with web application scanners to reduce their false positives.
|
||||||
|
|
||||||
|
Many web application scanners produce false positives caused by dynamically changing content of web applications
|
||||||
|
such as the current time or current measurements. When testing for injection vulnerabilities, web application
|
||||||
|
scanners are tricked into thinking they changed the content with the injected payload. In realty, the content of
|
||||||
|
the web application changed notwithstanding the scanner's input. When the mapping add-on is used to map the content
|
||||||
|
to a fixed value, these false positives can be avoided.
|
||||||
|
"""
|
||||||
|
|
||||||
|
OPT_MAPPING_FILE = "mapping_file"
|
||||||
|
"""File where urls and css selector to mapped content is stored.
|
||||||
|
|
||||||
|
Elements will be replaced with the content given in this file. If the content is none it will be set to the first
|
||||||
|
seen value.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
{
|
||||||
|
"http://10.10.10.10": {
|
||||||
|
"body": "My Text"
|
||||||
|
},
|
||||||
|
"URL": {
|
||||||
|
"css selector": "Replace with this"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
|
||||||
|
OPT_MAP_PERSISTENT = "map_persistent"
|
||||||
|
"""Whether to store all new content in the configuration file."""
|
||||||
|
|
||||||
|
def __init__(self, filename: str, persistent: bool = False) -> None:
|
||||||
|
""" Initializes the mapping add-on
|
||||||
|
|
||||||
|
Args:
|
||||||
|
filename: str that provides the name of the file in which the urls and css selectors to mapped content is
|
||||||
|
stored.
|
||||||
|
persistent: bool that indicates whether to store all new content in the configuration file.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
The file in which the mapping config is given should be in the following format:
|
||||||
|
{
|
||||||
|
"http://10.10.10.10": {
|
||||||
|
"body": "My Text"
|
||||||
|
},
|
||||||
|
"<URL>": {
|
||||||
|
"<css selector>": "Replace with this"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
self.filename = filename
|
||||||
|
self.persistent = persistent
|
||||||
|
self.logger = logging.getLogger(self.__class__.__name__)
|
||||||
|
with open(filename, "r") as f:
|
||||||
|
self.mapping_templates = URLDict.load(f)
|
||||||
|
|
||||||
|
def load(self, loader):
|
||||||
|
loader.add_option(
|
||||||
|
self.OPT_MAPPING_FILE, str, "",
|
||||||
|
"File where replacement configuration is stored."
|
||||||
|
)
|
||||||
|
loader.add_option(
|
||||||
|
self.OPT_MAP_PERSISTENT, bool, False,
|
||||||
|
"Whether to store all new content in the configuration file."
|
||||||
|
)
|
||||||
|
|
||||||
|
def configure(self, updated):
|
||||||
|
if self.OPT_MAPPING_FILE in updated:
|
||||||
|
self.filename = updated[self.OPT_MAPPING_FILE]
|
||||||
|
with open(self.filename, "r") as f:
|
||||||
|
self.mapping_templates = URLDict.load(f)
|
||||||
|
|
||||||
|
if self.OPT_MAP_PERSISTENT in updated:
|
||||||
|
self.persistent = updated[self.OPT_MAP_PERSISTENT]
|
||||||
|
|
||||||
|
def replace(self, soup: BeautifulSoup, css_sel: str, replace: BeautifulSoup) -> None:
|
||||||
|
"""Replaces the content of soup that matches the css selector with the given replace content."""
|
||||||
|
for content in soup.select(css_sel):
|
||||||
|
self.logger.debug(f"replace \"{content}\" with \"{replace}\"")
|
||||||
|
content.replace_with(copy.copy(replace))
|
||||||
|
|
||||||
|
def apply_template(self, soup: BeautifulSoup, template: Dict[str, typing.Union[BeautifulSoup]]) -> None:
|
||||||
|
"""Applies the given mapping template to the given soup."""
|
||||||
|
for css_sel, replace in template.items():
|
||||||
|
mapped = soup.select(css_sel)
|
||||||
|
if not mapped:
|
||||||
|
self.logger.warning(f"Could not find \"{css_sel}\", can not freeze anything.")
|
||||||
|
else:
|
||||||
|
self.replace(soup, css_sel, BeautifulSoup(replace, features=MappingAddonConfig.HTML_PARSER))
|
||||||
|
|
||||||
|
def response(self, flow: HTTPFlow) -> None:
|
||||||
|
"""If a response is received, check if we should replace some content. """
|
||||||
|
try:
|
||||||
|
templates = self.mapping_templates[flow]
|
||||||
|
res = flow.response
|
||||||
|
if res is not None:
|
||||||
|
encoding = res.headers.get("content-encoding", "utf-8")
|
||||||
|
content_type = res.headers.get("content-type", "text/html")
|
||||||
|
|
||||||
|
if "text/html" in content_type and encoding == "utf-8":
|
||||||
|
content = BeautifulSoup(res.content, MappingAddonConfig.HTML_PARSER)
|
||||||
|
for template in templates:
|
||||||
|
self.apply_template(content, template)
|
||||||
|
res.content = content.encode(encoding)
|
||||||
|
else:
|
||||||
|
self.logger.warning(f"Unsupported content type '{content_type}' or content encoding '{encoding}'")
|
||||||
|
except KeyError:
|
||||||
|
pass
|
||||||
|
|
||||||
|
def done(self) -> None:
|
||||||
|
"""Dumps all new content into the configuration file if self.persistent is set."""
|
||||||
|
if self.persistent:
|
||||||
|
|
||||||
|
# make sure that all items are strings and not soups.
|
||||||
|
def value_dumper(value):
|
||||||
|
store = {}
|
||||||
|
if value is None:
|
||||||
|
return "None"
|
||||||
|
try:
|
||||||
|
for css_sel, soup in value.items():
|
||||||
|
store[css_sel] = str(soup)
|
||||||
|
except:
|
||||||
|
raise RuntimeError(value)
|
||||||
|
return store
|
||||||
|
|
||||||
|
with open(self.filename, "w") as f:
|
||||||
|
self.mapping_templates.dump(f, value_dumper)
|
90
examples/complex/webscanner_helper/urldict.py
Normal file
90
examples/complex/webscanner_helper/urldict.py
Normal file
@ -0,0 +1,90 @@
|
|||||||
|
import itertools
|
||||||
|
import json
|
||||||
|
import typing
|
||||||
|
from collections.abc import MutableMapping
|
||||||
|
from typing import Any, Dict, Generator, List, TextIO, Callable
|
||||||
|
|
||||||
|
from mitmproxy import flowfilter
|
||||||
|
from mitmproxy.http import HTTPFlow
|
||||||
|
|
||||||
|
|
||||||
|
def f_id(x):
|
||||||
|
return x
|
||||||
|
|
||||||
|
|
||||||
|
class URLDict(MutableMapping):
|
||||||
|
"""Data structure to store information using filters as keys."""
|
||||||
|
def __init__(self):
|
||||||
|
self.store: Dict[flowfilter.TFilter, Any] = {}
|
||||||
|
|
||||||
|
def __getitem__(self, key, *, count=0):
|
||||||
|
if count:
|
||||||
|
ret = itertools.islice(self.get_generator(key), 0, count)
|
||||||
|
else:
|
||||||
|
ret = list(self.get_generator(key))
|
||||||
|
|
||||||
|
if ret:
|
||||||
|
return ret
|
||||||
|
else:
|
||||||
|
raise KeyError
|
||||||
|
|
||||||
|
def __setitem__(self, key: str, value):
|
||||||
|
fltr = flowfilter.parse(key)
|
||||||
|
if fltr:
|
||||||
|
self.store.__setitem__(fltr, value)
|
||||||
|
else:
|
||||||
|
raise ValueError("Not a valid filter")
|
||||||
|
|
||||||
|
def __delitem__(self, key):
|
||||||
|
self.store.__delitem__(key)
|
||||||
|
|
||||||
|
def __iter__(self):
|
||||||
|
return self.store.__iter__()
|
||||||
|
|
||||||
|
def __len__(self):
|
||||||
|
return self.store.__len__()
|
||||||
|
|
||||||
|
def get_generator(self, flow: HTTPFlow) -> Generator[Any, None, None]:
|
||||||
|
|
||||||
|
for fltr, value in self.store.items():
|
||||||
|
if flowfilter.match(fltr, flow):
|
||||||
|
yield value
|
||||||
|
|
||||||
|
def get(self, flow: HTTPFlow, default=None, *, count=0) -> List[Any]:
|
||||||
|
try:
|
||||||
|
return self.__getitem__(flow, count=count)
|
||||||
|
except KeyError:
|
||||||
|
return default
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def _load(cls, json_obj, value_loader: Callable = f_id):
|
||||||
|
url_dict = cls()
|
||||||
|
for fltr, value in json_obj.items():
|
||||||
|
url_dict[fltr] = value_loader(value)
|
||||||
|
return url_dict
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def load(cls, f: TextIO, value_loader: Callable = f_id):
|
||||||
|
json_obj = json.load(f)
|
||||||
|
return cls._load(json_obj, value_loader)
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def loads(cls, json_str: str, value_loader: Callable = f_id):
|
||||||
|
json_obj = json.loads(json_str)
|
||||||
|
return cls._load(json_obj, value_loader)
|
||||||
|
|
||||||
|
def _dump(self, value_dumper: Callable = f_id) -> Dict:
|
||||||
|
dumped: Dict[typing.Union[flowfilter.TFilter, str], Any] = {}
|
||||||
|
for fltr, value in self.store.items():
|
||||||
|
if hasattr(fltr, 'pattern'):
|
||||||
|
# cast necessary for mypy
|
||||||
|
dumped[typing.cast(Any, fltr).pattern] = value_dumper(value)
|
||||||
|
else:
|
||||||
|
dumped[str(fltr)] = value_dumper(value)
|
||||||
|
return dumped
|
||||||
|
|
||||||
|
def dump(self, f: TextIO, value_dumper: Callable = f_id):
|
||||||
|
json.dump(self._dump(value_dumper), f)
|
||||||
|
|
||||||
|
def dumps(self, value_dumper: Callable = f_id):
|
||||||
|
return json.dumps(self._dump(value_dumper))
|
168
examples/complex/webscanner_helper/urlindex.py
Normal file
168
examples/complex/webscanner_helper/urlindex.py
Normal file
@ -0,0 +1,168 @@
|
|||||||
|
import abc
|
||||||
|
import datetime
|
||||||
|
import json
|
||||||
|
import logging
|
||||||
|
from pathlib import Path
|
||||||
|
from typing import Type, Dict, Union, Optional
|
||||||
|
|
||||||
|
from mitmproxy import flowfilter
|
||||||
|
from mitmproxy.http import HTTPFlow
|
||||||
|
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
class UrlIndexWriter(abc.ABC):
|
||||||
|
"""Abstract Add-on to write seen URLs.
|
||||||
|
|
||||||
|
For example, these URLs can be injected in a web application to improve the crawling of web application scanners.
|
||||||
|
The injection can be done using the URLInjection Add-on.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self, filename: Path):
|
||||||
|
"""Initializes the UrlIndexWriter.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
filename: Path to file to which the URL index will be written.
|
||||||
|
"""
|
||||||
|
self.filepath = filename
|
||||||
|
|
||||||
|
@abc.abstractmethod
|
||||||
|
def load(self):
|
||||||
|
"""Load existing URL index."""
|
||||||
|
pass
|
||||||
|
|
||||||
|
@abc.abstractmethod
|
||||||
|
def add_url(self, flow: HTTPFlow):
|
||||||
|
"""Add new URL to URL index."""
|
||||||
|
pass
|
||||||
|
|
||||||
|
@abc.abstractmethod
|
||||||
|
def save(self):
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
class SetEncoder(json.JSONEncoder):
|
||||||
|
def default(self, obj):
|
||||||
|
if isinstance(obj, set):
|
||||||
|
return list(obj)
|
||||||
|
return json.JSONEncoder.default(self, obj)
|
||||||
|
|
||||||
|
|
||||||
|
class JSONUrlIndexWriter(UrlIndexWriter):
|
||||||
|
"""Writes seen URLs as JSON."""
|
||||||
|
|
||||||
|
def __init__(self, *args, **kwargs):
|
||||||
|
super().__init__(*args, **kwargs)
|
||||||
|
self.host_urls = {}
|
||||||
|
|
||||||
|
def load(self):
|
||||||
|
if self.filepath.exists():
|
||||||
|
with self.filepath.open("r") as f:
|
||||||
|
self.host_urls = json.load(f)
|
||||||
|
for host in self.host_urls.keys():
|
||||||
|
for path, methods in self.host_urls[host].items():
|
||||||
|
for method, codes in methods.items():
|
||||||
|
self.host_urls[host][path] = {method: set(codes)}
|
||||||
|
|
||||||
|
def add_url(self, flow: HTTPFlow):
|
||||||
|
req = flow.request
|
||||||
|
res = flow.response
|
||||||
|
|
||||||
|
if req is not None and res is not None:
|
||||||
|
urls = self.host_urls.setdefault(f"{req.scheme}://{req.host}:{req.port}", dict())
|
||||||
|
methods = urls.setdefault(req.path, {})
|
||||||
|
codes = methods.setdefault(req.method, set())
|
||||||
|
codes.add(res.status_code)
|
||||||
|
|
||||||
|
def save(self):
|
||||||
|
with self.filepath.open("w") as f:
|
||||||
|
json.dump(self.host_urls, f, cls=SetEncoder)
|
||||||
|
|
||||||
|
|
||||||
|
class TextUrlIndexWriter(UrlIndexWriter):
|
||||||
|
"""Writes seen URLs as text."""
|
||||||
|
|
||||||
|
def load(self):
|
||||||
|
pass
|
||||||
|
|
||||||
|
def add_url(self, flow: HTTPFlow):
|
||||||
|
res = flow.response
|
||||||
|
req = flow.request
|
||||||
|
if res is not None and req is not None:
|
||||||
|
with self.filepath.open("a+") as f:
|
||||||
|
f.write(f"{datetime.datetime.utcnow().isoformat()} STATUS: {res.status_code} METHOD: "
|
||||||
|
f"{req.method} URL:{req.url}\n")
|
||||||
|
|
||||||
|
def save(self):
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
WRITER: Dict[str, Type[UrlIndexWriter]] = {
|
||||||
|
"json": JSONUrlIndexWriter,
|
||||||
|
"text": TextUrlIndexWriter,
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
def filter_404(flow) -> bool:
|
||||||
|
"""Filters responses with status code 404."""
|
||||||
|
return flow.response.status_code != 404
|
||||||
|
|
||||||
|
|
||||||
|
class UrlIndexAddon:
|
||||||
|
"""Add-on to write seen URLs, either as JSON or as text.
|
||||||
|
|
||||||
|
For example, these URLs can be injected in a web application to improve the crawling of web application scanners.
|
||||||
|
The injection can be done using the URLInjection Add-on.
|
||||||
|
"""
|
||||||
|
|
||||||
|
index_filter: Optional[Union[str, flowfilter.TFilter]]
|
||||||
|
writer: UrlIndexWriter
|
||||||
|
|
||||||
|
OPT_FILEPATH = "URLINDEX_FILEPATH"
|
||||||
|
OPT_APPEND = "URLINDEX_APPEND"
|
||||||
|
OPT_INDEX_FILTER = "URLINDEX_FILTER"
|
||||||
|
|
||||||
|
def __init__(self, file_path: Union[str, Path], append: bool = True,
|
||||||
|
index_filter: Union[str, flowfilter.TFilter] = filter_404, index_format: str = "json"):
|
||||||
|
""" Initializes the urlindex add-on.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
file_path: Path to file to which the URL index will be written. Can either be given as str or Path.
|
||||||
|
append: Bool to decide whether to append new URLs to the given file (as opposed to overwrite the contents
|
||||||
|
of the file)
|
||||||
|
index_filer: A mitmproxy filter with which the seen URLs will be filtered before being written. Can either
|
||||||
|
be given as str or as flowfilter.TFilter
|
||||||
|
index_format: The format of the URL index, can either be "json" or "text".
|
||||||
|
"""
|
||||||
|
|
||||||
|
if isinstance(index_filter, str):
|
||||||
|
self.index_filter = flowfilter.parse(index_filter)
|
||||||
|
if self.index_filter is None:
|
||||||
|
raise ValueError("Invalid filter expression.")
|
||||||
|
else:
|
||||||
|
self.index_filter = index_filter
|
||||||
|
|
||||||
|
file_path = Path(file_path)
|
||||||
|
try:
|
||||||
|
self.writer = WRITER[index_format.lower()](file_path)
|
||||||
|
except KeyError:
|
||||||
|
raise ValueError(f"Format '{index_format}' is not supported.")
|
||||||
|
|
||||||
|
if not append and file_path.exists():
|
||||||
|
file_path.unlink()
|
||||||
|
|
||||||
|
self.writer.load()
|
||||||
|
|
||||||
|
def response(self, flow: HTTPFlow):
|
||||||
|
"""Checks if the response should be included in the URL based on the index_filter and adds it to the URL index
|
||||||
|
if appropriate.
|
||||||
|
"""
|
||||||
|
if isinstance(self.index_filter, str) or self.index_filter is None:
|
||||||
|
raise ValueError("Invalid filter expression.")
|
||||||
|
else:
|
||||||
|
if self.index_filter(flow):
|
||||||
|
self.writer.add_url(flow)
|
||||||
|
|
||||||
|
def done(self):
|
||||||
|
"""Writes the URL index."""
|
||||||
|
self.writer.save()
|
173
examples/complex/webscanner_helper/urlinjection.py
Normal file
173
examples/complex/webscanner_helper/urlinjection.py
Normal file
@ -0,0 +1,173 @@
|
|||||||
|
import abc
|
||||||
|
import html
|
||||||
|
import json
|
||||||
|
import logging
|
||||||
|
|
||||||
|
from mitmproxy import flowfilter
|
||||||
|
from mitmproxy.http import HTTPFlow
|
||||||
|
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
class InjectionGenerator:
|
||||||
|
"""Abstract class for an generator of the injection content in order to inject the URL index."""
|
||||||
|
ENCODING = "UTF8"
|
||||||
|
|
||||||
|
@abc.abstractmethod
|
||||||
|
def inject(self, index, flow: HTTPFlow):
|
||||||
|
"""Injects the given URL index into the given flow."""
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
class HTMLInjection(InjectionGenerator):
|
||||||
|
"""Injects the URL index either by creating a new HTML page or by appending is to an existing page."""
|
||||||
|
|
||||||
|
def __init__(self, insert: bool = False):
|
||||||
|
"""Initializes the HTMLInjection.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
insert: boolean to decide whether to insert the URL index to an existing page (True) or to create a new
|
||||||
|
page containing the URL index.
|
||||||
|
"""
|
||||||
|
self.insert = insert
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def _form_html(cls, url):
|
||||||
|
return f"<form action=\"{url}\" method=\"POST\"></form>"
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def _link_html(cls, url):
|
||||||
|
return f"<a href=\"{url}\">link to {url}</a>"
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def index_html(cls, index):
|
||||||
|
link_htmls = []
|
||||||
|
for scheme_netloc, paths in index.items():
|
||||||
|
for path, methods in paths.items():
|
||||||
|
url = scheme_netloc + path
|
||||||
|
if "POST" in methods:
|
||||||
|
link_htmls.append(cls._form_html(url))
|
||||||
|
|
||||||
|
if "GET" in methods:
|
||||||
|
link_htmls.append(cls._link_html(url))
|
||||||
|
return "</ br>".join(link_htmls)
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def landing_page(cls, index):
|
||||||
|
return (
|
||||||
|
"<head><meta charset=\"UTF-8\"></head><body>"
|
||||||
|
+ cls.index_html(index)
|
||||||
|
+ "</body>"
|
||||||
|
)
|
||||||
|
|
||||||
|
def inject(self, index, flow: HTTPFlow):
|
||||||
|
if flow.response is not None:
|
||||||
|
if flow.response.status_code != 404 and not self.insert:
|
||||||
|
logger.warning(
|
||||||
|
f"URL '{flow.request.url}' didn't return 404 status, "
|
||||||
|
f"index page would overwrite valid page.")
|
||||||
|
elif self.insert:
|
||||||
|
content = (flow.response
|
||||||
|
.content
|
||||||
|
.decode(self.ENCODING, "backslashreplace"))
|
||||||
|
if "</body>" in content:
|
||||||
|
content = content.replace("</body>", self.index_html(index) + "</body>")
|
||||||
|
else:
|
||||||
|
content += self.index_html(index)
|
||||||
|
flow.response.content = content.encode(self.ENCODING)
|
||||||
|
else:
|
||||||
|
flow.response.content = (self.landing_page(index)
|
||||||
|
.encode(self.ENCODING))
|
||||||
|
|
||||||
|
|
||||||
|
class RobotsInjection(InjectionGenerator):
|
||||||
|
"""Injects the URL index by creating a new robots.txt including the URLs."""
|
||||||
|
|
||||||
|
def __init__(self, directive="Allow"):
|
||||||
|
self.directive = directive
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def robots_txt(cls, index, directive="Allow"):
|
||||||
|
lines = ["User-agent: *"]
|
||||||
|
for scheme_netloc, paths in index.items():
|
||||||
|
for path, methods in paths.items():
|
||||||
|
lines.append(directive + ": " + path)
|
||||||
|
return "\n".join(lines)
|
||||||
|
|
||||||
|
def inject(self, index, flow: HTTPFlow):
|
||||||
|
if flow.response is not None:
|
||||||
|
if flow.response.status_code != 404:
|
||||||
|
logger.warning(
|
||||||
|
f"URL '{flow.request.url}' didn't return 404 status, "
|
||||||
|
f"index page would overwrite valid page.")
|
||||||
|
else:
|
||||||
|
flow.response.content = self.robots_txt(index,
|
||||||
|
self.directive).encode(
|
||||||
|
self.ENCODING)
|
||||||
|
|
||||||
|
|
||||||
|
class SitemapInjection(InjectionGenerator):
|
||||||
|
"""Injects the URL index by creating a new sitemap including the URLs."""
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def sitemap(cls, index):
|
||||||
|
lines = [
|
||||||
|
"<?xml version=\"1.0\" encoding=\"UTF-8\"?><urlset xmlns=\"http://www.sitemaps.org/schemas/sitemap/0.9\">"]
|
||||||
|
for scheme_netloc, paths in index.items():
|
||||||
|
for path, methods in paths.items():
|
||||||
|
url = scheme_netloc + path
|
||||||
|
lines.append(f"<url><loc>{html.escape(url)}</loc></url>")
|
||||||
|
lines.append("</urlset>")
|
||||||
|
return "\n".join(lines)
|
||||||
|
|
||||||
|
def inject(self, index, flow: HTTPFlow):
|
||||||
|
if flow.response is not None:
|
||||||
|
if flow.response.status_code != 404:
|
||||||
|
logger.warning(
|
||||||
|
f"URL '{flow.request.url}' didn't return 404 status, "
|
||||||
|
f"index page would overwrite valid page.")
|
||||||
|
else:
|
||||||
|
flow.response.content = self.sitemap(index).encode(self.ENCODING)
|
||||||
|
|
||||||
|
|
||||||
|
class UrlInjectionAddon:
|
||||||
|
""" The UrlInjection add-on can be used in combination with web application scanners to improve their crawling
|
||||||
|
performance.
|
||||||
|
|
||||||
|
The given URls will be injected into the web application. With this, web application scanners can find pages to
|
||||||
|
crawl much easier. Depending on the Injection generator, the URLs will be injected at different places of the
|
||||||
|
web application. It is possible to create a landing page which includes the URL (HTMLInjection()), to inject the
|
||||||
|
URLs to an existing page (HTMLInjection(insert=True)), to create a robots.txt containing the URLs
|
||||||
|
(RobotsInjection()) or to create a sitemap.xml which includes the URLS (SitemapInjection()).
|
||||||
|
It is necessary that the web application scanner can find the newly created page containing the URL index. For
|
||||||
|
example, the newly created page can be set as starting point for the web application scanner.
|
||||||
|
The URL index needed for the injection can be generated by the UrlIndex Add-on.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self, flt: str, url_index_file: str,
|
||||||
|
injection_gen: InjectionGenerator):
|
||||||
|
"""Initializes the UrlIndex add-on.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
flt: mitmproxy filter to decide on which pages the URLs will be injected (str).
|
||||||
|
url_index_file: Path to the file which includes the URL index in JSON format (e.g. generated by the UrlIndexAddon), given
|
||||||
|
as str.
|
||||||
|
injection_gen: InjectionGenerator that should be used to inject the URLs into the web application.
|
||||||
|
"""
|
||||||
|
self.name = f"{self.__class__.__name__}-{injection_gen.__class__.__name__}-{self.__hash__()}"
|
||||||
|
self.flt = flowfilter.parse(flt)
|
||||||
|
self.injection_gen = injection_gen
|
||||||
|
with open(url_index_file, "r") as f:
|
||||||
|
self.url_store = json.load(f)
|
||||||
|
|
||||||
|
def response(self, flow: HTTPFlow):
|
||||||
|
"""Checks if the response matches the filter and such should be injected.
|
||||||
|
Injects the URL index if appropriate.
|
||||||
|
"""
|
||||||
|
if flow.response is not None:
|
||||||
|
if self.flt is not None and self.flt(flow):
|
||||||
|
self.injection_gen.inject(self.url_store, flow)
|
||||||
|
flow.response.status_code = 200
|
||||||
|
flow.response.headers["content-type"] = "text/html"
|
||||||
|
logger.debug(f"Set status code to 200 and set content to logged "
|
||||||
|
f"urls. Method: {self.injection_gen}")
|
71
examples/complex/webscanner_helper/watchdog.py
Normal file
71
examples/complex/webscanner_helper/watchdog.py
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
import pathlib
|
||||||
|
import time
|
||||||
|
import typing
|
||||||
|
import logging
|
||||||
|
from datetime import datetime
|
||||||
|
|
||||||
|
import mitmproxy.connections
|
||||||
|
import mitmproxy.http
|
||||||
|
from mitmproxy.addons.export import curl_command, raw
|
||||||
|
from mitmproxy.exceptions import HttpSyntaxException
|
||||||
|
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
class WatchdogAddon():
|
||||||
|
""" The Watchdog Add-on can be used in combination with web application scanners in oder to check if the device
|
||||||
|
under test responds correctls to the scanner's responses.
|
||||||
|
|
||||||
|
The Watchdog Add-on checks if the device under test responds correctly to the scanner's responses.
|
||||||
|
If the Watchdog sees that the DUT is no longer responding correctly, an multiprocessing event is set.
|
||||||
|
This information can be used to restart the device under test if necessary.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self, event, outdir: pathlib.Path, timeout=None):
|
||||||
|
"""Initializes the Watchdog.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
event: multiprocessing.Event that will be set if the watchdog is triggered.
|
||||||
|
outdir: path to a directory in which the triggering requests will be saved (curl and raw).
|
||||||
|
timeout_conn: float that specifies the timeout for the server connection
|
||||||
|
"""
|
||||||
|
self.error_event = event
|
||||||
|
self.flow_dir = outdir
|
||||||
|
if self.flow_dir.exists() and not self.flow_dir.is_dir():
|
||||||
|
raise RuntimeError("Watchtdog output path must be a directory.")
|
||||||
|
elif not self.flow_dir.exists():
|
||||||
|
self.flow_dir.mkdir(parents=True)
|
||||||
|
self.last_trigger: typing.Union[None, float] = None
|
||||||
|
self.timeout: typing.Union[None, float] = timeout
|
||||||
|
|
||||||
|
def serverconnect(self, conn: mitmproxy.connections.ServerConnection):
|
||||||
|
if self.timeout is not None:
|
||||||
|
conn.settimeout(self.timeout)
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def not_in_timeout(cls, last_triggered, timeout):
|
||||||
|
"""Checks if current error lies not in timeout after last trigger (potential reset of connection)."""
|
||||||
|
return last_triggered is None or timeout is None or (time.time() - last_triggered > timeout)
|
||||||
|
|
||||||
|
def error(self, flow):
|
||||||
|
""" Checks if the watchdog will be triggered.
|
||||||
|
|
||||||
|
Only triggers watchdog for timeouts after last reset and if flow.error is set (shows that error is a server
|
||||||
|
error). Ignores HttpSyntaxException Errors since this can be triggered on purpose by web application scanner.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
flow: mitmproxy.http.flow
|
||||||
|
"""
|
||||||
|
if (self.not_in_timeout(self.last_trigger, self.timeout)
|
||||||
|
and flow.error is not None and not isinstance(flow.error, HttpSyntaxException)):
|
||||||
|
|
||||||
|
self.last_trigger = time.time()
|
||||||
|
logger.error(f"Watchdog triggered! Cause: {flow}")
|
||||||
|
self.error_event.set()
|
||||||
|
|
||||||
|
# save the request which might have caused the problem
|
||||||
|
if flow.request:
|
||||||
|
with (self.flow_dir / f"{datetime.utcnow().isoformat()}.curl").open("w") as f:
|
||||||
|
f.write(curl_command(flow))
|
||||||
|
with (self.flow_dir / f"{datetime.utcnow().isoformat()}.raw").open("wb") as f:
|
||||||
|
f.write(raw(flow))
|
0
test/examples/webscanner_helper/__init__.py
Normal file
0
test/examples/webscanner_helper/__init__.py
Normal file
165
test/examples/webscanner_helper/test_mapping.py
Normal file
165
test/examples/webscanner_helper/test_mapping.py
Normal file
@ -0,0 +1,165 @@
|
|||||||
|
from typing import TextIO, Callable
|
||||||
|
from unittest import mock
|
||||||
|
from unittest.mock import MagicMock
|
||||||
|
|
||||||
|
from mitmproxy.test import tflow
|
||||||
|
from mitmproxy.test import tutils
|
||||||
|
|
||||||
|
from examples.complex.webscanner_helper.mapping import MappingAddon, MappingAddonConfig
|
||||||
|
|
||||||
|
|
||||||
|
class TestConfig:
|
||||||
|
|
||||||
|
def test_config(self):
|
||||||
|
assert MappingAddonConfig.HTML_PARSER == "html.parser"
|
||||||
|
|
||||||
|
|
||||||
|
url = "http://10.10.10.10"
|
||||||
|
new_content = "My Text"
|
||||||
|
mapping_content = f'{{"{url}": {{"body": "{new_content}"}}}}'
|
||||||
|
|
||||||
|
|
||||||
|
class TestMappingAddon:
|
||||||
|
|
||||||
|
def test_init(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(mapping_content)
|
||||||
|
mapping = MappingAddon(tmpfile)
|
||||||
|
assert "My Text" in str(mapping.mapping_templates._dump())
|
||||||
|
|
||||||
|
def test_load(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(mapping_content)
|
||||||
|
mapping = MappingAddon(tmpfile)
|
||||||
|
loader = MagicMock()
|
||||||
|
|
||||||
|
mapping.load(loader)
|
||||||
|
assert 'mapping_file' in str(loader.add_option.call_args_list)
|
||||||
|
assert 'map_persistent' in str(loader.add_option.call_args_list)
|
||||||
|
|
||||||
|
def test_configure(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(mapping_content)
|
||||||
|
mapping = MappingAddon(tmpfile)
|
||||||
|
new_filename = "My new filename"
|
||||||
|
updated = {str(mapping.OPT_MAPPING_FILE): new_filename, str(mapping.OPT_MAP_PERSISTENT): True}
|
||||||
|
|
||||||
|
open_mock = mock.mock_open(read_data="{}")
|
||||||
|
with mock.patch("builtins.open", open_mock):
|
||||||
|
mapping.configure(updated)
|
||||||
|
assert new_filename in str(open_mock.mock_calls)
|
||||||
|
assert mapping.filename == new_filename
|
||||||
|
assert mapping.persistent
|
||||||
|
|
||||||
|
def test_response_filtered(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(mapping_content)
|
||||||
|
mapping = MappingAddon(tmpfile)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
test_content = b"Test"
|
||||||
|
f.response.content = test_content
|
||||||
|
|
||||||
|
mapping.response(f)
|
||||||
|
assert f.response.content == test_content
|
||||||
|
|
||||||
|
def test_response(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(mapping_content)
|
||||||
|
mapping = MappingAddon(tmpfile)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
test_content = b"<body> Test </body>"
|
||||||
|
f.response.content = test_content
|
||||||
|
f.request.url = url
|
||||||
|
|
||||||
|
mapping.response(f)
|
||||||
|
assert f.response.content.decode("utf-8") == new_content
|
||||||
|
|
||||||
|
def test_response_content_type(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(mapping_content)
|
||||||
|
mapping = MappingAddon(tmpfile)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
test_content = b"<body> Test </body>"
|
||||||
|
f.response.content = test_content
|
||||||
|
f.request.url = url
|
||||||
|
f.response.headers.add("content-type", "content-type")
|
||||||
|
|
||||||
|
mapping.response(f)
|
||||||
|
assert f.response.content == test_content
|
||||||
|
|
||||||
|
def test_response_not_existing(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(mapping_content)
|
||||||
|
mapping = MappingAddon(tmpfile)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
test_content = b"<title> Test </title>"
|
||||||
|
f.response.content = test_content
|
||||||
|
f.request.url = url
|
||||||
|
mapping.response(f)
|
||||||
|
assert f.response.content == test_content
|
||||||
|
|
||||||
|
def test_persistance_false(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(mapping_content)
|
||||||
|
mapping = MappingAddon(tmpfile)
|
||||||
|
|
||||||
|
open_mock = mock.mock_open(read_data="{}")
|
||||||
|
with mock.patch("builtins.open", open_mock):
|
||||||
|
mapping.done()
|
||||||
|
assert len(open_mock.mock_calls) == 0
|
||||||
|
|
||||||
|
def test_persistance_true(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(mapping_content)
|
||||||
|
mapping = MappingAddon(tmpfile, persistent=True)
|
||||||
|
|
||||||
|
open_mock = mock.mock_open(read_data="{}")
|
||||||
|
with mock.patch("builtins.open", open_mock):
|
||||||
|
mapping.done()
|
||||||
|
with open(tmpfile, "r") as tfile:
|
||||||
|
results = tfile.read()
|
||||||
|
assert len(open_mock.mock_calls) != 0
|
||||||
|
assert results == mapping_content
|
||||||
|
|
||||||
|
def test_persistance_true_add_content(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(mapping_content)
|
||||||
|
mapping = MappingAddon(tmpfile, persistent=True)
|
||||||
|
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
test_content = b"<title> Test </title>"
|
||||||
|
f.response.content = test_content
|
||||||
|
f.request.url = url
|
||||||
|
|
||||||
|
mapping.response(f)
|
||||||
|
mapping.done()
|
||||||
|
with open(tmpfile, "r") as tfile:
|
||||||
|
results = tfile.read()
|
||||||
|
assert mapping_content in results
|
||||||
|
|
||||||
|
def mock_dump(self, f: TextIO, value_dumper: Callable):
|
||||||
|
assert value_dumper(None) == "None"
|
||||||
|
try:
|
||||||
|
value_dumper("Test")
|
||||||
|
except RuntimeError:
|
||||||
|
assert True
|
||||||
|
else:
|
||||||
|
assert False
|
||||||
|
|
||||||
|
def test_dump(selfself, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write("{}")
|
||||||
|
mapping = MappingAddon(tmpfile, persistent=True)
|
||||||
|
with mock.patch('examples.complex.webscanner_helper.urldict.URLDict.dump', selfself.mock_dump):
|
||||||
|
mapping.done()
|
89
test/examples/webscanner_helper/test_urldict.py
Normal file
89
test/examples/webscanner_helper/test_urldict.py
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
from mitmproxy.test import tflow, tutils
|
||||||
|
from examples.complex.webscanner_helper.urldict import URLDict
|
||||||
|
|
||||||
|
url = "http://10.10.10.10"
|
||||||
|
new_content_body = "New Body"
|
||||||
|
new_content_title = "New Title"
|
||||||
|
content = f'{{"body": "{new_content_body}", "title": "{new_content_title}"}}'
|
||||||
|
url_error = "i~nvalid"
|
||||||
|
input_file_content = f'{{"{url}": {content}}}'
|
||||||
|
input_file_content_error = f'{{"{url_error}": {content}}}'
|
||||||
|
|
||||||
|
|
||||||
|
class TestUrlDict:
|
||||||
|
|
||||||
|
def test_urldict_empty(self):
|
||||||
|
urldict = URLDict()
|
||||||
|
dump = urldict.dumps()
|
||||||
|
assert dump == '{}'
|
||||||
|
|
||||||
|
def test_urldict_loads(self):
|
||||||
|
urldict = URLDict.loads(input_file_content)
|
||||||
|
dump = urldict.dumps()
|
||||||
|
assert dump == input_file_content
|
||||||
|
|
||||||
|
def test_urldict_set_error(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(input_file_content_error)
|
||||||
|
with open(tmpfile, "r") as tfile:
|
||||||
|
try:
|
||||||
|
URLDict.load(tfile)
|
||||||
|
except ValueError:
|
||||||
|
assert True
|
||||||
|
else:
|
||||||
|
assert False
|
||||||
|
|
||||||
|
def test_urldict_get(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(input_file_content)
|
||||||
|
with open(tmpfile, "r") as tfile:
|
||||||
|
urldict = URLDict.load(tfile)
|
||||||
|
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
f.request.url = url
|
||||||
|
selection = urldict[f]
|
||||||
|
assert "body" in selection[0]
|
||||||
|
assert new_content_body in selection[0]["body"]
|
||||||
|
assert "title" in selection[0]
|
||||||
|
assert new_content_title in selection[0]["title"]
|
||||||
|
|
||||||
|
selection_get = urldict.get(f)
|
||||||
|
assert "body" in selection_get[0]
|
||||||
|
assert new_content_body in selection_get[0]["body"]
|
||||||
|
assert "title" in selection_get[0]
|
||||||
|
assert new_content_title in selection_get[0]["title"]
|
||||||
|
|
||||||
|
try:
|
||||||
|
urldict["body"]
|
||||||
|
except KeyError:
|
||||||
|
assert True
|
||||||
|
else:
|
||||||
|
assert False
|
||||||
|
|
||||||
|
assert urldict.get("body", default="default") == "default"
|
||||||
|
|
||||||
|
def test_urldict_dumps(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(input_file_content)
|
||||||
|
with open(tmpfile, "r") as tfile:
|
||||||
|
urldict = URLDict.load(tfile)
|
||||||
|
|
||||||
|
dump = urldict.dumps()
|
||||||
|
assert dump == input_file_content
|
||||||
|
|
||||||
|
def test_urldict_dump(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
outfile = tmpdir.join("outfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(input_file_content)
|
||||||
|
with open(tmpfile, "r") as tfile:
|
||||||
|
urldict = URLDict.load(tfile)
|
||||||
|
with open(outfile, "w") as ofile:
|
||||||
|
urldict.dump(ofile)
|
||||||
|
|
||||||
|
with open(outfile, "r") as ofile:
|
||||||
|
output = ofile.read()
|
||||||
|
assert output == input_file_content
|
234
test/examples/webscanner_helper/test_urlindex.py
Normal file
234
test/examples/webscanner_helper/test_urlindex.py
Normal file
@ -0,0 +1,234 @@
|
|||||||
|
import json
|
||||||
|
from json import JSONDecodeError
|
||||||
|
from pathlib import Path
|
||||||
|
from unittest import mock
|
||||||
|
from typing import List
|
||||||
|
from unittest.mock import patch
|
||||||
|
|
||||||
|
from mitmproxy.test import tflow
|
||||||
|
from mitmproxy.test import tutils
|
||||||
|
|
||||||
|
from examples.complex.webscanner_helper.urlindex import UrlIndexWriter, SetEncoder, JSONUrlIndexWriter, TextUrlIndexWriter, WRITER, \
|
||||||
|
filter_404, \
|
||||||
|
UrlIndexAddon
|
||||||
|
|
||||||
|
|
||||||
|
class TestBaseClass:
|
||||||
|
|
||||||
|
@patch.multiple(UrlIndexWriter, __abstractmethods__=set())
|
||||||
|
def test_base_class(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
index_writer = UrlIndexWriter(tmpfile)
|
||||||
|
index_writer.load()
|
||||||
|
index_writer.add_url(tflow.tflow())
|
||||||
|
index_writer.save()
|
||||||
|
|
||||||
|
|
||||||
|
class TestSetEncoder:
|
||||||
|
|
||||||
|
def test_set_encoder_set(self):
|
||||||
|
test_set = {"foo", "bar", "42"}
|
||||||
|
result = SetEncoder.default(SetEncoder(), test_set)
|
||||||
|
assert isinstance(result, List)
|
||||||
|
assert 'foo' in result
|
||||||
|
assert 'bar' in result
|
||||||
|
assert '42' in result
|
||||||
|
|
||||||
|
def test_set_encoder_str(self):
|
||||||
|
test_str = "test"
|
||||||
|
try:
|
||||||
|
SetEncoder.default(SetEncoder(), test_str)
|
||||||
|
except TypeError:
|
||||||
|
assert True
|
||||||
|
else:
|
||||||
|
assert False
|
||||||
|
|
||||||
|
|
||||||
|
class TestJSONUrlIndexWriter:
|
||||||
|
|
||||||
|
def test_load(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(
|
||||||
|
"{\"http://example.com:80\": {\"/\": {\"GET\": [301]}}, \"http://www.example.com:80\": {\"/\": {\"GET\": [302]}}}")
|
||||||
|
writer = JSONUrlIndexWriter(filename=tmpfile)
|
||||||
|
writer.load()
|
||||||
|
assert 'http://example.com:80' in writer.host_urls
|
||||||
|
assert '/' in writer.host_urls['http://example.com:80']
|
||||||
|
assert 'GET' in writer.host_urls['http://example.com:80']['/']
|
||||||
|
assert 301 in writer.host_urls['http://example.com:80']['/']['GET']
|
||||||
|
|
||||||
|
def test_load_empty(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write("{}")
|
||||||
|
writer = JSONUrlIndexWriter(filename=tmpfile)
|
||||||
|
writer.load()
|
||||||
|
assert len(writer.host_urls) == 0
|
||||||
|
|
||||||
|
def test_load_nonexisting(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
writer = JSONUrlIndexWriter(filename=tmpfile)
|
||||||
|
writer.load()
|
||||||
|
assert len(writer.host_urls) == 0
|
||||||
|
|
||||||
|
def test_add(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
writer = JSONUrlIndexWriter(filename=tmpfile)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
url = f"{f.request.scheme}://{f.request.host}:{f.request.port}"
|
||||||
|
writer.add_url(f)
|
||||||
|
assert url in writer.host_urls
|
||||||
|
assert f.request.path in writer.host_urls[url]
|
||||||
|
|
||||||
|
def test_save(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
writer = JSONUrlIndexWriter(filename=tmpfile)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
url = f"{f.request.scheme}://{f.request.host}:{f.request.port}"
|
||||||
|
writer.add_url(f)
|
||||||
|
writer.save()
|
||||||
|
|
||||||
|
with open(tmpfile, "r") as results:
|
||||||
|
try:
|
||||||
|
content = json.load(results)
|
||||||
|
except JSONDecodeError:
|
||||||
|
assert False
|
||||||
|
assert url in content
|
||||||
|
|
||||||
|
|
||||||
|
class TestTestUrlIndexWriter:
|
||||||
|
def test_load(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write(
|
||||||
|
"2020-04-22T05:41:08.679231 STATUS: 200 METHOD: GET URL:http://example.com")
|
||||||
|
writer = TextUrlIndexWriter(filename=tmpfile)
|
||||||
|
writer.load()
|
||||||
|
assert True
|
||||||
|
|
||||||
|
def test_load_empty(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write("{}")
|
||||||
|
writer = TextUrlIndexWriter(filename=tmpfile)
|
||||||
|
writer.load()
|
||||||
|
assert True
|
||||||
|
|
||||||
|
def test_load_nonexisting(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
writer = TextUrlIndexWriter(filename=tmpfile)
|
||||||
|
writer.load()
|
||||||
|
assert True
|
||||||
|
|
||||||
|
def test_add(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
writer = TextUrlIndexWriter(filename=tmpfile)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
url = f"{f.request.scheme}://{f.request.host}:{f.request.port}"
|
||||||
|
method = f.request.method
|
||||||
|
code = f.response.status_code
|
||||||
|
writer.add_url(f)
|
||||||
|
|
||||||
|
with open(tmpfile, "r") as results:
|
||||||
|
content = results.read()
|
||||||
|
assert url in content
|
||||||
|
assert method in content
|
||||||
|
assert str(code) in content
|
||||||
|
|
||||||
|
def test_save(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
writer = TextUrlIndexWriter(filename=tmpfile)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
url = f"{f.request.scheme}://{f.request.host}:{f.request.port}"
|
||||||
|
method = f.request.method
|
||||||
|
code = f.response.status_code
|
||||||
|
writer.add_url(f)
|
||||||
|
writer.save()
|
||||||
|
|
||||||
|
with open(tmpfile, "r") as results:
|
||||||
|
content = results.read()
|
||||||
|
assert url in content
|
||||||
|
assert method in content
|
||||||
|
assert str(code) in content
|
||||||
|
|
||||||
|
|
||||||
|
class TestWriter:
|
||||||
|
def test_writer_dict(self):
|
||||||
|
assert "json" in WRITER
|
||||||
|
assert isinstance(WRITER["json"], JSONUrlIndexWriter.__class__)
|
||||||
|
assert "text" in WRITER
|
||||||
|
assert isinstance(WRITER["text"], TextUrlIndexWriter.__class__)
|
||||||
|
|
||||||
|
|
||||||
|
class TestFilter:
|
||||||
|
def test_filer_true(self):
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
assert filter_404(f)
|
||||||
|
|
||||||
|
def test_filter_false(self):
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
f.response.status_code = 404
|
||||||
|
assert not filter_404(f)
|
||||||
|
|
||||||
|
|
||||||
|
class TestUrlIndexAddon:
|
||||||
|
|
||||||
|
def test_init(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
UrlIndexAddon(tmpfile)
|
||||||
|
|
||||||
|
def test_init_format(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
try:
|
||||||
|
UrlIndexAddon(tmpfile, index_format="test")
|
||||||
|
except ValueError:
|
||||||
|
assert True
|
||||||
|
else:
|
||||||
|
assert False
|
||||||
|
|
||||||
|
def test_init_filter(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
try:
|
||||||
|
UrlIndexAddon(tmpfile, index_filter="i~nvalid")
|
||||||
|
except ValueError:
|
||||||
|
assert True
|
||||||
|
else:
|
||||||
|
assert False
|
||||||
|
|
||||||
|
def test_init_append(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write("")
|
||||||
|
url_index = UrlIndexAddon(tmpfile, append=False)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
with mock.patch('examples.complex.webscanner_helper.urlindex.JSONUrlIndexWriter.add_url'):
|
||||||
|
url_index.response(f)
|
||||||
|
assert not Path(tmpfile).exists()
|
||||||
|
|
||||||
|
def test_response(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
url_index = UrlIndexAddon(tmpfile)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
with mock.patch('examples.complex.webscanner_helper.urlindex.JSONUrlIndexWriter.add_url') as mock_add_url:
|
||||||
|
url_index.response(f)
|
||||||
|
mock_add_url.assert_called()
|
||||||
|
|
||||||
|
def test_response_None(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
url_index = UrlIndexAddon(tmpfile)
|
||||||
|
url_index.index_filter = None
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
try:
|
||||||
|
url_index.response(f)
|
||||||
|
except ValueError:
|
||||||
|
assert True
|
||||||
|
else:
|
||||||
|
assert False
|
||||||
|
|
||||||
|
def test_done(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
url_index = UrlIndexAddon(tmpfile)
|
||||||
|
with mock.patch('examples.complex.webscanner_helper.urlindex.JSONUrlIndexWriter.save') as mock_save:
|
||||||
|
url_index.done()
|
||||||
|
mock_save.assert_called()
|
111
test/examples/webscanner_helper/test_urlinjection.py
Normal file
111
test/examples/webscanner_helper/test_urlinjection.py
Normal file
@ -0,0 +1,111 @@
|
|||||||
|
import json
|
||||||
|
from unittest import mock
|
||||||
|
|
||||||
|
from mitmproxy import flowfilter
|
||||||
|
from mitmproxy.test import tflow
|
||||||
|
from mitmproxy.test import tutils
|
||||||
|
|
||||||
|
from examples.complex.webscanner_helper.urlinjection import InjectionGenerator, HTMLInjection, RobotsInjection, SitemapInjection, \
|
||||||
|
UrlInjectionAddon, logger
|
||||||
|
|
||||||
|
index = json.loads(
|
||||||
|
"{\"http://example.com:80\": {\"/\": {\"GET\": [301]}}, \"http://www.example.com:80\": {\"/test\": {\"POST\": [302]}}}")
|
||||||
|
|
||||||
|
|
||||||
|
class TestInjectionGenerator:
|
||||||
|
|
||||||
|
def test_inject(self):
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
injection_generator = InjectionGenerator()
|
||||||
|
injection_generator.inject(index=index, flow=f)
|
||||||
|
assert True
|
||||||
|
|
||||||
|
|
||||||
|
class TestHTMLInjection:
|
||||||
|
|
||||||
|
def test_inject_not404(self):
|
||||||
|
html_injection = HTMLInjection()
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
|
||||||
|
with mock.patch.object(logger, 'warning') as mock_warning:
|
||||||
|
html_injection.inject(index, f)
|
||||||
|
assert mock_warning.called
|
||||||
|
|
||||||
|
def test_inject_insert(self):
|
||||||
|
html_injection = HTMLInjection(insert=True)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
assert "example.com" not in str(f.response.content)
|
||||||
|
html_injection.inject(index, f)
|
||||||
|
assert "example.com" in str(f.response.content)
|
||||||
|
|
||||||
|
def test_inject_insert_body(self):
|
||||||
|
html_injection = HTMLInjection(insert=True)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
f.response.text = "<body></body>"
|
||||||
|
assert "example.com" not in str(f.response.content)
|
||||||
|
html_injection.inject(index, f)
|
||||||
|
assert "example.com" in str(f.response.content)
|
||||||
|
|
||||||
|
def test_inject_404(self):
|
||||||
|
html_injection = HTMLInjection()
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
f.response.status_code = 404
|
||||||
|
assert "example.com" not in str(f.response.content)
|
||||||
|
html_injection.inject(index, f)
|
||||||
|
assert "example.com" in str(f.response.content)
|
||||||
|
|
||||||
|
|
||||||
|
class TestRobotsInjection:
|
||||||
|
|
||||||
|
def test_inject_not404(self):
|
||||||
|
robots_injection = RobotsInjection()
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
|
||||||
|
with mock.patch.object(logger, 'warning') as mock_warning:
|
||||||
|
robots_injection.inject(index, f)
|
||||||
|
assert mock_warning.called
|
||||||
|
|
||||||
|
def test_inject_404(self):
|
||||||
|
robots_injection = RobotsInjection()
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
f.response.status_code = 404
|
||||||
|
assert "Allow: /test" not in str(f.response.content)
|
||||||
|
robots_injection.inject(index, f)
|
||||||
|
assert "Allow: /test" in str(f.response.content)
|
||||||
|
|
||||||
|
|
||||||
|
class TestSitemapInjection:
|
||||||
|
|
||||||
|
def test_inject_not404(self):
|
||||||
|
sitemap_injection = SitemapInjection()
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
|
||||||
|
with mock.patch.object(logger, 'warning') as mock_warning:
|
||||||
|
sitemap_injection.inject(index, f)
|
||||||
|
assert mock_warning.called
|
||||||
|
|
||||||
|
def test_inject_404(self):
|
||||||
|
sitemap_injection = SitemapInjection()
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
f.response.status_code = 404
|
||||||
|
assert "<url><loc>http://example.com:80/</loc></url>" not in str(f.response.content)
|
||||||
|
sitemap_injection.inject(index, f)
|
||||||
|
assert "<url><loc>http://example.com:80/</loc></url>" in str(f.response.content)
|
||||||
|
|
||||||
|
|
||||||
|
class TestUrlInjectionAddon:
|
||||||
|
|
||||||
|
def test_init(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
json.dump(index, tfile)
|
||||||
|
flt = f"~u .*/site.html$"
|
||||||
|
url_injection = UrlInjectionAddon(f"~u .*/site.html$", tmpfile, HTMLInjection(insert=True))
|
||||||
|
assert "http://example.com:80" in url_injection.url_store
|
||||||
|
fltr = flowfilter.parse(flt)
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
f.request.url = "http://example.com/site.html"
|
||||||
|
assert fltr(f)
|
||||||
|
assert "http://example.com:80" not in str(f.response.content)
|
||||||
|
url_injection.response(f)
|
||||||
|
assert "http://example.com:80" in str(f.response.content)
|
84
test/examples/webscanner_helper/test_watchdog.py
Normal file
84
test/examples/webscanner_helper/test_watchdog.py
Normal file
@ -0,0 +1,84 @@
|
|||||||
|
import time
|
||||||
|
from pathlib import Path
|
||||||
|
from unittest import mock
|
||||||
|
|
||||||
|
from mitmproxy.connections import ServerConnection
|
||||||
|
from mitmproxy.exceptions import HttpSyntaxException
|
||||||
|
from mitmproxy.test import tflow
|
||||||
|
from mitmproxy.test import tutils
|
||||||
|
import multiprocessing
|
||||||
|
|
||||||
|
from examples.complex.webscanner_helper.watchdog import WatchdogAddon, logger
|
||||||
|
|
||||||
|
|
||||||
|
class TestWatchdog:
|
||||||
|
|
||||||
|
def test_init_file(self, tmpdir):
|
||||||
|
tmpfile = tmpdir.join("tmpfile")
|
||||||
|
with open(tmpfile, "w") as tfile:
|
||||||
|
tfile.write("")
|
||||||
|
event = multiprocessing.Event()
|
||||||
|
try:
|
||||||
|
WatchdogAddon(event, Path(tmpfile))
|
||||||
|
except RuntimeError:
|
||||||
|
assert True
|
||||||
|
else:
|
||||||
|
assert False
|
||||||
|
|
||||||
|
def test_init_dir(self, tmpdir):
|
||||||
|
event = multiprocessing.Event()
|
||||||
|
mydir = tmpdir.join("mydir")
|
||||||
|
assert not Path(mydir).exists()
|
||||||
|
WatchdogAddon(event, Path(mydir))
|
||||||
|
assert Path(mydir).exists()
|
||||||
|
|
||||||
|
def test_serverconnect(self, tmpdir):
|
||||||
|
event = multiprocessing.Event()
|
||||||
|
w = WatchdogAddon(event, Path(tmpdir), timeout=10)
|
||||||
|
with mock.patch('mitmproxy.connections.ServerConnection.settimeout') as mock_set_timeout:
|
||||||
|
w.serverconnect(ServerConnection("127.0.0.1"))
|
||||||
|
mock_set_timeout.assert_called()
|
||||||
|
|
||||||
|
def test_serverconnect_None(self, tmpdir):
|
||||||
|
event = multiprocessing.Event()
|
||||||
|
w = WatchdogAddon(event, Path(tmpdir))
|
||||||
|
with mock.patch('mitmproxy.connections.ServerConnection.settimeout') as mock_set_timeout:
|
||||||
|
w.serverconnect(ServerConnection("127.0.0.1"))
|
||||||
|
assert not mock_set_timeout.called
|
||||||
|
|
||||||
|
def test_trigger(self, tmpdir):
|
||||||
|
event = multiprocessing.Event()
|
||||||
|
w = WatchdogAddon(event, Path(tmpdir))
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
f.error = "Test Error"
|
||||||
|
|
||||||
|
with mock.patch.object(logger, 'error') as mock_error:
|
||||||
|
open_mock = mock.mock_open()
|
||||||
|
with mock.patch("pathlib.Path.open", open_mock, create=True):
|
||||||
|
w.error(f)
|
||||||
|
mock_error.assert_called()
|
||||||
|
open_mock.assert_called()
|
||||||
|
|
||||||
|
def test_trigger_http_synatx(self, tmpdir):
|
||||||
|
event = multiprocessing.Event()
|
||||||
|
w = WatchdogAddon(event, Path(tmpdir))
|
||||||
|
f = tflow.tflow(resp=tutils.tresp())
|
||||||
|
f.error = HttpSyntaxException()
|
||||||
|
assert isinstance(f.error, HttpSyntaxException)
|
||||||
|
|
||||||
|
with mock.patch.object(logger, 'error') as mock_error:
|
||||||
|
open_mock = mock.mock_open()
|
||||||
|
with mock.patch("pathlib.Path.open", open_mock, create=True):
|
||||||
|
w.error(f)
|
||||||
|
assert not mock_error.called
|
||||||
|
assert not open_mock.called
|
||||||
|
|
||||||
|
def test_timeout(self, tmpdir):
|
||||||
|
event = multiprocessing.Event()
|
||||||
|
w = WatchdogAddon(event, Path(tmpdir))
|
||||||
|
|
||||||
|
assert w.not_in_timeout(None, None)
|
||||||
|
assert w.not_in_timeout(time.time, None)
|
||||||
|
with mock.patch('time.time', return_value=5):
|
||||||
|
assert not w.not_in_timeout(3, 20)
|
||||||
|
assert w.not_in_timeout(3, 1)
|
Loading…
Reference in New Issue
Block a user