public void TestSendRequestUsingBrowserWebRequest()
{
ObjectResolver.RegisterType <IProcessManager, ProcessManager>();
var browserInstances = new Dictionary <BrowserType, int> {
{ BrowserType.Chrome, 1 }
};
using (var browserManager = new BrowserManager(browserInstances))
{
ObjectResolver.RegisterInstance <IBrowserManager>(browserManager);
var context = new Context();
WebRequestContext webRequestContext =
context.SendRequest(new ContextSendRequestParameter
{
Url = targetUrl,
BrowserType = BrowserType.Chrome
});
// check that we got the proper response back
webRequestContext.ResponseHolder.ShouldNotBeNull();
webRequestContext.ResponseHolder.ResponseContent.ShouldNotBeNullOrEmpty();
webRequestContext.ResponseHolder.RequestUserAgent.ShouldContain(BrowserType.Chrome.ToString());
}
}
public void TestSendRequestUsingBrowserWebRequestHandlingHttpException()
{
ObjectResolver.RegisterType <IProcessManager, ProcessManager>();
var browserInstances = new Dictionary <BrowserType, int> {
{ BrowserType.Chrome, 1 }
};
using (var browserManager = new BrowserManager(browserInstances))
{
ObjectResolver.RegisterInstance <IBrowserManager>(browserManager);
var context = new Context();
WebRequestContext webRequestContext =
context.SendRequest(new ContextSendRequestParameter
{
Url = nonExistingTargetUrl,
BrowserType = BrowserType.Chrome
});
// check that we got the proper response back
webRequestContext.ResponseHolder.ShouldNotBeNull();
webRequestContext.ResponseHolder.ResponseContent.ShouldNotBeEmpty();
webRequestContext.ResponseHolder.RequestUserAgent.ShouldEqual(BrowserType.Chrome.ToString());
webRequestContext.ResponseHolder.StatusCode.ShouldEqual(HttpStatusCode.OK);
webRequestContext.ResponseHolder.BrowserPageTitle.IndexOfOi("404").ShouldBeGreaterThan(-1);
}
}
public void TestOpenRedirectClientSideHttp()
{
// Setup
ObjectResolver.RegisterType <IProcessManager, ProcessManager>();
var browserInstances = new Dictionary <BrowserType, int> {
{ BrowserType.Chrome, 1 }
};
using (var browserManager = new BrowserManager(browserInstances))
{
ObjectResolver.RegisterInstance <IBrowserManager>(browserManager);
var target =
Target.Create(
$"{Constants.VulnerabilitiesAddress}PluginsTestPages/XOpenRedirectToBadPlacesHTTP.aspx?q=junk");
// Execute
var vulns = ExecutePluginTestRequest(target);
// Validate
vulns.Count.ShouldEqual(2);
vulns.ElementAt(0).Title.ShouldEqual("Open Redirect");
vulns.ElementAt(0).Evidence.ShouldEqual("www.example.com");
vulns.ElementAt(1).Title.ShouldEqual("Open Redirect");
vulns.ElementAt(1).Evidence.ShouldEqual("www.example.com");
}
}
public void DomXssTestFalsePositiveResult()
{
const string TestUrl = @"http://www.bing.com/search?q=seattle";
var propertyBag = new ConcurrentDictionary <int, bool>();
var browserMock = CreateMockBrowser();
browserMock
.Setup(m => m.NavigateTo(It.IsAny <string>()))
.Callback <string>(s => propertyBag[Thread.CurrentThread.ManagedThreadId] = s.Contains("alert()"));
// some pages pop their own dialog boxes, we should ignore these
string alertText = "** Expected message from the page **";
browserMock
.Setup(m => m.DismissedIfAlertDisplayed(out alertText))
.Returns(() => propertyBag.ContainsKey(Thread.CurrentThread.ManagedThreadId) && propertyBag[Thread.CurrentThread.ManagedThreadId]);
browserMock
.SetupGet(m => m.PageSource)
.Returns("pagesource");
browserMock
.SetupGet(m => m.Url)
.Returns("http://foo");
var factoryMock = new Mock <IBrowserFactory>();
factoryMock
.Setup(m => m.Create(It.IsAny <BrowserType>()))
.Returns(browserMock.Object);
ObjectResolver.RegisterType <IProcessManager, ProcessManager>();
var browserManagerMock = this.CreateBrowserManager(new[] { BrowserType.Chrome });
browserManagerMock
.Setup(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome)))
.Returns(browserMock.Object);
ObjectResolver.RegisterInstance(browserManagerMock.Object);
var target = Target.Create(TestUrl);
var context = new Context();
var instance = new TestableDomXssTest();
instance.Init(context, target);
// introduce our known injection strings
instance.InjectTestCaseStrings(new[] { "blah", "alert()", "foo" });
// run the test
instance.DoTests();
// a vuln should be found
instance.Vulnerabilities.ShouldNotBeNull();
instance.Vulnerabilities.Count.ShouldEqual(0);
}
public void TestRegisterInstance()
{
var testClass = new TestClass("default");
ObjectResolver.RegisterInstance(testClass);
ObjectResolver.Resolve <TestClass>().Name.ShouldEqual("default");
}
/// <summary>
/// Initializes this object.
/// </summary>
private static void Initialize()
{
ObjectResolver.RegisterInstance <IPayloads>(new Payloads(Library.Constants.PayloadsQuickDataFolder));
ObjectResolver.RegisterType <IProcessManager, ProcessManager>();
var browserInstances = new Dictionary <BrowserType, int> {
{ BrowserType.Chrome, 1 }
};
ObjectResolver.RegisterInstance <IBrowserManager>(new BrowserManager(browserInstances));
}
/// <summary>
/// Register the objects.
/// </summary>
/// <param name="useFullPayloadsData">
/// use full payloads data
/// </param>
public static void Register(bool useFullPayloadsData)
{
var browserInstances = new Dictionary <BrowserType, int> {
{ BrowserType.Chrome, 1 }
};
ObjectResolver.RegisterInstance <IPayloads>(
new Payloads(useFullPayloadsData
? Library.Constants.PayloadsFullDataFolder
: Library.Constants.PayloadsQuickDataFolder));
ObjectResolver.RegisterInstance <IProcessManager>(new ProcessManager());
ObjectResolver.RegisterInstance <IBrowserManager>(new BrowserManager(browserInstances));
}
public void DomXssTestDoublePositiveResult()
{
ObjectResolver.RegisterType <IProcessManager, ProcessManager>();
var browserInstances = new Dictionary <BrowserType, int> {
{ BrowserType.Chrome, 1 }
};
using (var browserManager = new BrowserManager(browserInstances))
{
ObjectResolver.RegisterInstance <IBrowserManager>(browserManager);
var target = Target.Create($"{Constants.VulnerabilitiesAddress}ShowAlert2.aspx?q=xyz");
var context = new Context();
var instance = new TestableDomXssTest();
instance.Init(context, target);
// introduce our known injection strings
instance.InjectTestCaseStrings(new[] { "blah" });
// run the test
instance.DoTests();
// a vuln should be found
instance.Vulnerabilities.ShouldNotBeNull();
instance.Vulnerabilities.Count.ShouldEqual(1);
// the vuln record should be well formed
var vuln = instance.Vulnerabilities.First();
vuln.Level.ShouldEqual(0);
vuln.TestedParam.ShouldEqual("q");
vuln.TestedVal.ShouldEqual("blah");
vuln.Evidence.ShouldEqual("Found by Chrome");
vuln.TestPlugin.ShouldEqual("TestableDomXssTest");
vuln.Title.ShouldEqual("DOM XSS - Script injection");
// the http details should be consistent for browser generated request
vuln.HttpResponse.ShouldNotBeNull();
vuln.HttpResponse.Headers.Count.ShouldEqual(0);
vuln.HttpResponse.RequestHeaders.ShouldEqual(string.Empty);
vuln.HttpResponse.RequestAbsolutUri.ShouldEqual($"{Constants.VulnerabilitiesAddress}ShowAlert2.aspx?q=blah");
vuln.HttpResponse.ResponseContent.ShouldNotBeNullOrEmpty();
vuln.HttpResponse.ResponseUri.ShouldNotBeNull();
vuln.HttpResponse.ResponseUri.ToString().ShouldEqual($"{Constants.VulnerabilitiesAddress}ShowAlert2.aspx?q=blah");
vuln.HttpResponse.StatusCode.ShouldEqual(HttpStatusCode.OK);
vuln.HttpResponse.HttpError.ShouldEqual(string.Empty);
}
}
public void DomXssTestNegativeResult()
{
const string TestUrl = @"http://www.bing.com/search?q=seattle";
var browserMock = CreateMockBrowser();
string alertText;
browserMock
.Setup(m => m.DismissedIfAlertDisplayed(out alertText))
.Returns(false);
var browserManagerMock = this.CreateBrowserManager(new[] { BrowserType.Chrome });
browserManagerMock
.Setup(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome)))
.Returns(browserMock.Object);
ObjectResolver.RegisterInstance(browserManagerMock.Object);
var target = Target.Create(TestUrl);
var context = new Context();
var instance = new TestableDomXssTest();
instance.Init(context, target);
// introduce our known injection strings
instance.InjectTestCaseStrings(new[] { "alert()", "alert2()" });
// run the test
instance.DoTests();
// no vulns found
instance.Vulnerabilities.ShouldNotBeNull();
instance.Vulnerabilities.Count.ShouldEqual(0);
// a browser was borrowed from the pool for request
browserManagerMock.Verify(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome)), Times.Exactly(2));
// the browser requested the expected url combinations
browserMock.Verify(m => m.NavigateTo(It.IsAny <string>()), Times.Exactly(2));
browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=alert()")), Times.Once());
browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=alert2()")), Times.Once());
// each browser was returned to the pool
browserManagerMock.Verify(m => m.ReleaseBrowser(It.Is <BrowserAbstract>(b => b == browserMock.Object)), Times.Exactly(2));
}
public void TestRegisterMultipleInstances()
{
var testClassInstance1 = new TestClass("instance1");
var testClassInstance2 = new TestClass("instance2");
ObjectResolver.RegisterInstance(testClassInstance1, testClassInstance1.Name);
ObjectResolver.RegisterInstance(testClassInstance2, testClassInstance2.Name);
var instance1 = ObjectResolver.Resolve <TestClass>("instance1");
instance1.Name.ShouldEqual("instance1");
instance1.ShouldEqual(testClassInstance1);
var instance2 = ObjectResolver.Resolve <TestClass>("instance2");
instance2.Name.ShouldEqual("instance2");
instance2.ShouldEqual(testClassInstance2);
}
/// <summary>
/// The dom xss test_integration_test.
/// </summary>
/// <param name="browserType">
/// The browser type.
/// </param>
private void DomXssTestIntegrationTest(BrowserType browserType)
{
ObjectResolver.RegisterType <IProcessManager, ProcessManager>();
var browserInstances = new Dictionary <BrowserType, int> {
{ browserType, 2 }
};
ObjectResolver.RegisterInstance <IBrowserManager>(new BrowserManager(browserInstances));
var target = Target.Create($"{Constants.VulnerabilitiesAddress}vuln_domxss.html?a=1");
var context = new Context();
var instance = new TestableDomXssTest();
instance.Init(context, target);
// introduce our known injection strings
instance.InjectTestCaseStrings(new[] { "alert(" + TestBaseHelper.AttackSignature + ")", "%22+onload=%22javascript:alert(" + TestBaseHelper.AttackSignature + ")%22" });
instance.DoTests();
// cleanly shutdown the browser manager
var disposable = ObjectResolver.Resolve <IBrowserManager>() as IDisposable;
Assert.IsNotNull(disposable);
disposable.Dispose();
// a vuln should be found
instance.Vulnerabilities.ShouldNotBeNull();
instance.Vulnerabilities.Count.ShouldEqual(1);
// the vuln record should be well formed
var vuln = instance.Vulnerabilities.First();
vuln.Level.ShouldEqual(0);
vuln.TestedParam.ShouldEqual("a");
vuln.TestedVal.ShouldEqual("alert(" + TestBaseHelper.AttackSignature + ")");
vuln.Evidence.ShouldEqual("Found by " + browserType);
vuln.TestPlugin.ShouldStartWith("TestableDomXssTest");
vuln.Title.ShouldEqual("DOM XSS - Script injection");
instance.Vulnerabilities.Count(v => v.TestPlugin == "TestableDomXssTest")
.ShouldEqual(1);
}
public void TestPostRequestXssNegative()
{
ObjectResolver.RegisterType <IProcessManager, ProcessManager>();
var browserInstances = new Dictionary <BrowserType, int> {
{ BrowserType.Chrome, 1 }
};
using (var browserManager = new BrowserManager(browserInstances))
{
ObjectResolver.RegisterInstance <IBrowserManager>(browserManager);
// Setup
var target = Target.Create("http://www.bing.com");
// Execute
var vulns = ExecutePluginTestRequest(target);
vulns.Count.ShouldEqual(0);
}
}
public void TestPostRequestXssPositive()
{
ObjectResolver.RegisterType <IProcessManager, ProcessManager>();
var browserInstances = new Dictionary <BrowserType, int> {
{ BrowserType.Chrome, 1 }
};
using (var browserManager = new BrowserManager(browserInstances))
{
ObjectResolver.RegisterInstance <IBrowserManager>(browserManager);
var target = Target.Create($"{Constants.VulnerabilitiesAddress}PluginsTestPages/PostRequestXssTest.html");
// Execute
var vulns = ExecutePluginTestRequest(target);
vulns.Count.ShouldEqual(1);
vulns.ElementAt(0).TestedVal.ShouldEqual("alert(501337)");
}
}
public void TestNoOpenRedirects()
{
// Setup
ObjectResolver.RegisterType <IProcessManager, ProcessManager>();
var browserInstances = new Dictionary <BrowserType, int> {
{ BrowserType.Chrome, 1 }
};
using (var browserManager = new BrowserManager(browserInstances))
{
ObjectResolver.RegisterInstance <IBrowserManager>(browserManager);
var target =
Target.Create($"{Constants.VulnerabilitiesAddress}PluginsTestPages/XNoJavascript.aspx?q=junk");
// Execute
var vulns = ExecutePluginTestRequest(target);
// Validate
vulns.ShouldBeEmpty();
}
}
public static void AssemblyInit(TestContext context)
{
AssertFailureExceptionFactory.ConfigureForMicrosoftTest();
ObjectResolver.RegisterInstance <PlatformInitialization>(new NullPlatformInitialization());
}
public static void ClassInit(TestContext testContext)
{
ObjectResolver.RegisterInstance <IPayloads>(new Payloads(WebSec.Library.Constants.PayloadsQuickDataFolder));
}
public void DomXssTestPassesAndReceivesCookiesCorrectly()
{
const string TestUrl = @"http://www.bing.com/search?q=seattle";
var url = new Uri(TestUrl);
// create our own cookies
var expectedCookie1 = this.CreateTestCookie(1);
var expectedCookie2 = this.CreateTestCookie(2);
var expectedCookie3 = this.CreateTestCookie(3);
var expectedCookie4 = this.CreateTestCookie(4);
var expectedCookie5 = this.CreateTestCookie(5);
var requestCollection = new CookieCollection {
expectedCookie1, expectedCookie2, expectedCookie3
};
var responseCollection = new CookieCollection {
expectedCookie4, expectedCookie5
};
var browserMock = CreateMockBrowser();
string alertText;
browserMock
.Setup(m => m.DismissedIfAlertDisplayed(out alertText))
.Returns(true);
browserMock
.SetupGet(m => m.AllCookies)
.Returns(responseCollection);
browserMock
.SetupGet(m => m.PageSource)
.Returns("pagesource");
browserMock
.SetupGet(m => m.AlertMessageDisplayed)
.Returns(new HashSet <string> {
TestBaseHelper.AttackSignature
});
var browserManagerMock = this.CreateBrowserManager(new[] { BrowserType.Chrome });
browserManagerMock
.Setup(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome)))
.Returns(browserMock.Object);
ObjectResolver.RegisterInstance(browserManagerMock.Object);
var target = Target.Create(TestUrl);
var context = new Context();
context.CurrentCookies[url.Host] = requestCollection;
var instance = new TestableDomXssTest();
instance.Init(context, target);
// introduce our known injection strings
instance.InjectTestCaseStrings(new[] { "alert(" + TestBaseHelper.AttackSignature + ")" });
// run the test
instance.DoTests();
var vuln = instance.Vulnerabilities.First();
// the response cookies should be pulled back from the browser
vuln.HttpResponse.Cookies.Count.ShouldEqual(responseCollection.Count);
vuln.HttpResponse.Cookies[0].ShouldBeTheSameAs(expectedCookie4);
vuln.HttpResponse.Cookies[1].ShouldBeTheSameAs(expectedCookie5);
// The expected cookies were given to the browser
this.CookieWasAddedToBrowser(browserMock, expectedCookie1);
this.CookieWasAddedToBrowser(browserMock, expectedCookie2);
this.CookieWasAddedToBrowser(browserMock, expectedCookie3);
}
public void DomXssTestPositiveResult()
{
const string TestUrl = @"http://www.bing.com/search?q=seattle";
var propertyBag = new ConcurrentDictionary <int, bool>();
var browserMock = CreateMockBrowser(browserType: BrowserType.Chrome);
browserMock
.Setup(m => m.NavigateTo(It.IsAny <string>()))
.Callback <string>(s => propertyBag[Thread.CurrentThread.ManagedThreadId] = s.Contains("alert(456)"));
string alertText;
browserMock
.Setup(m => m.DismissedIfAlertDisplayed(out alertText))
.Returns(() => propertyBag.ContainsKey(Thread.CurrentThread.ManagedThreadId) && propertyBag[Thread.CurrentThread.ManagedThreadId]);
browserMock
.SetupGet(m => m.PageSource)
.Returns("pagesource");
browserMock
.SetupGet(m => m.Url)
.Returns("http://foo");
browserMock
.SetupGet(m => m.AlertMessageDisplayed)
.Returns(new HashSet <string> {
TestBaseHelper.AttackSignature
});
var factoryMock = new Mock <IBrowserFactory>();
factoryMock
.Setup(m => m.Create(It.IsAny <BrowserType>()))
.Returns(browserMock.Object);
ObjectResolver.RegisterType <IProcessManager, ProcessManager>();
var browserManagerMock = this.CreateBrowserManager(new[] { BrowserType.Chrome });
browserManagerMock
.Setup(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome)))
.Returns(browserMock.Object);
ObjectResolver.RegisterInstance(browserManagerMock.Object);
var target = Target.Create(TestUrl);
var context = new Context();
var instance = new TestableDomXssTest();
instance.Init(context, target);
// introduce our known injection strings
instance.InjectTestCaseStrings(new[] { "blah", "alert(" + TestBaseHelper.AttackSignature + ")", "foo" });
// run the test
instance.DoTests();
// the scan should have run on multiple threads.
propertyBag.Count.ShouldBeGreaterThanOrEqualTo(1);
// a vuln should be found
instance.Vulnerabilities.ShouldNotBeNull();
instance.Vulnerabilities.Count.ShouldEqual(3);
// the vuln record should be well formed
var vuln = instance.Vulnerabilities.First(t => t.TestedVal == "blah");
vuln.Level.ShouldEqual(0);
vuln.TestedParam.ShouldEqual("q");
vuln.TestedVal.ShouldEqual("blah");
vuln.Evidence.ShouldEqual("Found by Chrome");
vuln.TestPlugin.ShouldEqual("TestableDomXssTest");
vuln.Title.ShouldEqual("DOM XSS - Script injection");
// the http details should be consistent for browser generated request
vuln.HttpResponse.ShouldNotBeNull();
vuln.HttpResponse.Headers.Count.ShouldEqual(0);
vuln.HttpResponse.RequestHeaders.ShouldEqual(string.Empty);
vuln.HttpResponse.RequestAbsolutUri.ShouldEqual("http://www.bing.com/search?q=blah");
vuln.HttpResponse.RequestHost.ShouldEqual("www.bing.com");
vuln.HttpResponse.ResponseContent.ShouldEqual(browserMock.Object.PageSource);
vuln.HttpResponse.ResponseUri.ShouldNotBeNull();
vuln.HttpResponse.ResponseUri.ToString().ShouldEqual("http://foo/");
vuln.HttpResponse.StatusCode.ShouldEqual(HttpStatusCode.OK);
vuln.HttpResponse.HttpError.ShouldEqual(string.Empty);
// the browser requested all of the expected urls, even after a vuln was found
browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=blah")), Times.Once());
browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=alert(" + TestBaseHelper.AttackSignature + ")")), Times.Once());
browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=foo")), Times.Once());
}
public static void ClassInit(TestContext testContext)
{
// configure the firewall for browser control since these tests use live browsers.
BrowserManagerTests.CreateFirewallRules();
ObjectResolver.RegisterInstance <IPayloads>(new Payloads(Library.Constants.PayloadsQuickDataFolder));
}
