public void TestSendRequestUsingBrowserWebRequest() { ObjectResolver.RegisterType <IProcessManager, ProcessManager>(); var browserInstances = new Dictionary <BrowserType, int> { { BrowserType.Chrome, 1 } }; using (var browserManager = new BrowserManager(browserInstances)) { ObjectResolver.RegisterInstance <IBrowserManager>(browserManager); var context = new Context(); WebRequestContext webRequestContext = context.SendRequest(new ContextSendRequestParameter { Url = targetUrl, BrowserType = BrowserType.Chrome }); // check that we got the proper response back webRequestContext.ResponseHolder.ShouldNotBeNull(); webRequestContext.ResponseHolder.ResponseContent.ShouldNotBeNullOrEmpty(); webRequestContext.ResponseHolder.RequestUserAgent.ShouldContain(BrowserType.Chrome.ToString()); } }
public void TestSendRequestUsingBrowserWebRequestHandlingHttpException() { ObjectResolver.RegisterType <IProcessManager, ProcessManager>(); var browserInstances = new Dictionary <BrowserType, int> { { BrowserType.Chrome, 1 } }; using (var browserManager = new BrowserManager(browserInstances)) { ObjectResolver.RegisterInstance <IBrowserManager>(browserManager); var context = new Context(); WebRequestContext webRequestContext = context.SendRequest(new ContextSendRequestParameter { Url = nonExistingTargetUrl, BrowserType = BrowserType.Chrome }); // check that we got the proper response back webRequestContext.ResponseHolder.ShouldNotBeNull(); webRequestContext.ResponseHolder.ResponseContent.ShouldNotBeEmpty(); webRequestContext.ResponseHolder.RequestUserAgent.ShouldEqual(BrowserType.Chrome.ToString()); webRequestContext.ResponseHolder.StatusCode.ShouldEqual(HttpStatusCode.OK); webRequestContext.ResponseHolder.BrowserPageTitle.IndexOfOi("404").ShouldBeGreaterThan(-1); } }
public void TestOpenRedirectClientSideHttp() { // Setup ObjectResolver.RegisterType <IProcessManager, ProcessManager>(); var browserInstances = new Dictionary <BrowserType, int> { { BrowserType.Chrome, 1 } }; using (var browserManager = new BrowserManager(browserInstances)) { ObjectResolver.RegisterInstance <IBrowserManager>(browserManager); var target = Target.Create( $"{Constants.VulnerabilitiesAddress}PluginsTestPages/XOpenRedirectToBadPlacesHTTP.aspx?q=junk"); // Execute var vulns = ExecutePluginTestRequest(target); // Validate vulns.Count.ShouldEqual(2); vulns.ElementAt(0).Title.ShouldEqual("Open Redirect"); vulns.ElementAt(0).Evidence.ShouldEqual("www.example.com"); vulns.ElementAt(1).Title.ShouldEqual("Open Redirect"); vulns.ElementAt(1).Evidence.ShouldEqual("www.example.com"); } }
public void DomXssTestFalsePositiveResult() { const string TestUrl = @"http://www.bing.com/search?q=seattle"; var propertyBag = new ConcurrentDictionary <int, bool>(); var browserMock = CreateMockBrowser(); browserMock .Setup(m => m.NavigateTo(It.IsAny <string>())) .Callback <string>(s => propertyBag[Thread.CurrentThread.ManagedThreadId] = s.Contains("alert()")); // some pages pop their own dialog boxes, we should ignore these string alertText = "** Expected message from the page **"; browserMock .Setup(m => m.DismissedIfAlertDisplayed(out alertText)) .Returns(() => propertyBag.ContainsKey(Thread.CurrentThread.ManagedThreadId) && propertyBag[Thread.CurrentThread.ManagedThreadId]); browserMock .SetupGet(m => m.PageSource) .Returns("pagesource"); browserMock .SetupGet(m => m.Url) .Returns("http://foo"); var factoryMock = new Mock <IBrowserFactory>(); factoryMock .Setup(m => m.Create(It.IsAny <BrowserType>())) .Returns(browserMock.Object); ObjectResolver.RegisterType <IProcessManager, ProcessManager>(); var browserManagerMock = this.CreateBrowserManager(new[] { BrowserType.Chrome }); browserManagerMock .Setup(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome))) .Returns(browserMock.Object); ObjectResolver.RegisterInstance(browserManagerMock.Object); var target = Target.Create(TestUrl); var context = new Context(); var instance = new TestableDomXssTest(); instance.Init(context, target); // introduce our known injection strings instance.InjectTestCaseStrings(new[] { "blah", "alert()", "foo" }); // run the test instance.DoTests(); // a vuln should be found instance.Vulnerabilities.ShouldNotBeNull(); instance.Vulnerabilities.Count.ShouldEqual(0); }
public void TestRegisterInstance() { var testClass = new TestClass("default"); ObjectResolver.RegisterInstance(testClass); ObjectResolver.Resolve <TestClass>().Name.ShouldEqual("default"); }
/// <summary> /// Initializes this object. /// </summary> private static void Initialize() { ObjectResolver.RegisterInstance <IPayloads>(new Payloads(Library.Constants.PayloadsQuickDataFolder)); ObjectResolver.RegisterType <IProcessManager, ProcessManager>(); var browserInstances = new Dictionary <BrowserType, int> { { BrowserType.Chrome, 1 } }; ObjectResolver.RegisterInstance <IBrowserManager>(new BrowserManager(browserInstances)); }
/// <summary> /// Register the objects. /// </summary> /// <param name="useFullPayloadsData"> /// use full payloads data /// </param> public static void Register(bool useFullPayloadsData) { var browserInstances = new Dictionary <BrowserType, int> { { BrowserType.Chrome, 1 } }; ObjectResolver.RegisterInstance <IPayloads>( new Payloads(useFullPayloadsData ? Library.Constants.PayloadsFullDataFolder : Library.Constants.PayloadsQuickDataFolder)); ObjectResolver.RegisterInstance <IProcessManager>(new ProcessManager()); ObjectResolver.RegisterInstance <IBrowserManager>(new BrowserManager(browserInstances)); }
public void DomXssTestDoublePositiveResult() { ObjectResolver.RegisterType <IProcessManager, ProcessManager>(); var browserInstances = new Dictionary <BrowserType, int> { { BrowserType.Chrome, 1 } }; using (var browserManager = new BrowserManager(browserInstances)) { ObjectResolver.RegisterInstance <IBrowserManager>(browserManager); var target = Target.Create($"{Constants.VulnerabilitiesAddress}ShowAlert2.aspx?q=xyz"); var context = new Context(); var instance = new TestableDomXssTest(); instance.Init(context, target); // introduce our known injection strings instance.InjectTestCaseStrings(new[] { "blah" }); // run the test instance.DoTests(); // a vuln should be found instance.Vulnerabilities.ShouldNotBeNull(); instance.Vulnerabilities.Count.ShouldEqual(1); // the vuln record should be well formed var vuln = instance.Vulnerabilities.First(); vuln.Level.ShouldEqual(0); vuln.TestedParam.ShouldEqual("q"); vuln.TestedVal.ShouldEqual("blah"); vuln.Evidence.ShouldEqual("Found by Chrome"); vuln.TestPlugin.ShouldEqual("TestableDomXssTest"); vuln.Title.ShouldEqual("DOM XSS - Script injection"); // the http details should be consistent for browser generated request vuln.HttpResponse.ShouldNotBeNull(); vuln.HttpResponse.Headers.Count.ShouldEqual(0); vuln.HttpResponse.RequestHeaders.ShouldEqual(string.Empty); vuln.HttpResponse.RequestAbsolutUri.ShouldEqual($"{Constants.VulnerabilitiesAddress}ShowAlert2.aspx?q=blah"); vuln.HttpResponse.ResponseContent.ShouldNotBeNullOrEmpty(); vuln.HttpResponse.ResponseUri.ShouldNotBeNull(); vuln.HttpResponse.ResponseUri.ToString().ShouldEqual($"{Constants.VulnerabilitiesAddress}ShowAlert2.aspx?q=blah"); vuln.HttpResponse.StatusCode.ShouldEqual(HttpStatusCode.OK); vuln.HttpResponse.HttpError.ShouldEqual(string.Empty); } }
public void DomXssTestNegativeResult() { const string TestUrl = @"http://www.bing.com/search?q=seattle"; var browserMock = CreateMockBrowser(); string alertText; browserMock .Setup(m => m.DismissedIfAlertDisplayed(out alertText)) .Returns(false); var browserManagerMock = this.CreateBrowserManager(new[] { BrowserType.Chrome }); browserManagerMock .Setup(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome))) .Returns(browserMock.Object); ObjectResolver.RegisterInstance(browserManagerMock.Object); var target = Target.Create(TestUrl); var context = new Context(); var instance = new TestableDomXssTest(); instance.Init(context, target); // introduce our known injection strings instance.InjectTestCaseStrings(new[] { "alert()", "alert2()" }); // run the test instance.DoTests(); // no vulns found instance.Vulnerabilities.ShouldNotBeNull(); instance.Vulnerabilities.Count.ShouldEqual(0); // a browser was borrowed from the pool for request browserManagerMock.Verify(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome)), Times.Exactly(2)); // the browser requested the expected url combinations browserMock.Verify(m => m.NavigateTo(It.IsAny <string>()), Times.Exactly(2)); browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=alert()")), Times.Once()); browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=alert2()")), Times.Once()); // each browser was returned to the pool browserManagerMock.Verify(m => m.ReleaseBrowser(It.Is <BrowserAbstract>(b => b == browserMock.Object)), Times.Exactly(2)); }
public void TestRegisterMultipleInstances() { var testClassInstance1 = new TestClass("instance1"); var testClassInstance2 = new TestClass("instance2"); ObjectResolver.RegisterInstance(testClassInstance1, testClassInstance1.Name); ObjectResolver.RegisterInstance(testClassInstance2, testClassInstance2.Name); var instance1 = ObjectResolver.Resolve <TestClass>("instance1"); instance1.Name.ShouldEqual("instance1"); instance1.ShouldEqual(testClassInstance1); var instance2 = ObjectResolver.Resolve <TestClass>("instance2"); instance2.Name.ShouldEqual("instance2"); instance2.ShouldEqual(testClassInstance2); }
/// <summary> /// The dom xss test_integration_test. /// </summary> /// <param name="browserType"> /// The browser type. /// </param> private void DomXssTestIntegrationTest(BrowserType browserType) { ObjectResolver.RegisterType <IProcessManager, ProcessManager>(); var browserInstances = new Dictionary <BrowserType, int> { { browserType, 2 } }; ObjectResolver.RegisterInstance <IBrowserManager>(new BrowserManager(browserInstances)); var target = Target.Create($"{Constants.VulnerabilitiesAddress}vuln_domxss.html?a=1"); var context = new Context(); var instance = new TestableDomXssTest(); instance.Init(context, target); // introduce our known injection strings instance.InjectTestCaseStrings(new[] { "alert(" + TestBaseHelper.AttackSignature + ")", "%22+onload=%22javascript:alert(" + TestBaseHelper.AttackSignature + ")%22" }); instance.DoTests(); // cleanly shutdown the browser manager var disposable = ObjectResolver.Resolve <IBrowserManager>() as IDisposable; Assert.IsNotNull(disposable); disposable.Dispose(); // a vuln should be found instance.Vulnerabilities.ShouldNotBeNull(); instance.Vulnerabilities.Count.ShouldEqual(1); // the vuln record should be well formed var vuln = instance.Vulnerabilities.First(); vuln.Level.ShouldEqual(0); vuln.TestedParam.ShouldEqual("a"); vuln.TestedVal.ShouldEqual("alert(" + TestBaseHelper.AttackSignature + ")"); vuln.Evidence.ShouldEqual("Found by " + browserType); vuln.TestPlugin.ShouldStartWith("TestableDomXssTest"); vuln.Title.ShouldEqual("DOM XSS - Script injection"); instance.Vulnerabilities.Count(v => v.TestPlugin == "TestableDomXssTest") .ShouldEqual(1); }
public void TestPostRequestXssNegative() { ObjectResolver.RegisterType <IProcessManager, ProcessManager>(); var browserInstances = new Dictionary <BrowserType, int> { { BrowserType.Chrome, 1 } }; using (var browserManager = new BrowserManager(browserInstances)) { ObjectResolver.RegisterInstance <IBrowserManager>(browserManager); // Setup var target = Target.Create("http://www.bing.com"); // Execute var vulns = ExecutePluginTestRequest(target); vulns.Count.ShouldEqual(0); } }
public void TestPostRequestXssPositive() { ObjectResolver.RegisterType <IProcessManager, ProcessManager>(); var browserInstances = new Dictionary <BrowserType, int> { { BrowserType.Chrome, 1 } }; using (var browserManager = new BrowserManager(browserInstances)) { ObjectResolver.RegisterInstance <IBrowserManager>(browserManager); var target = Target.Create($"{Constants.VulnerabilitiesAddress}PluginsTestPages/PostRequestXssTest.html"); // Execute var vulns = ExecutePluginTestRequest(target); vulns.Count.ShouldEqual(1); vulns.ElementAt(0).TestedVal.ShouldEqual("alert(501337)"); } }
public void TestNoOpenRedirects() { // Setup ObjectResolver.RegisterType <IProcessManager, ProcessManager>(); var browserInstances = new Dictionary <BrowserType, int> { { BrowserType.Chrome, 1 } }; using (var browserManager = new BrowserManager(browserInstances)) { ObjectResolver.RegisterInstance <IBrowserManager>(browserManager); var target = Target.Create($"{Constants.VulnerabilitiesAddress}PluginsTestPages/XNoJavascript.aspx?q=junk"); // Execute var vulns = ExecutePluginTestRequest(target); // Validate vulns.ShouldBeEmpty(); } }
public static void AssemblyInit(TestContext context) { AssertFailureExceptionFactory.ConfigureForMicrosoftTest(); ObjectResolver.RegisterInstance <PlatformInitialization>(new NullPlatformInitialization()); }
public static void ClassInit(TestContext testContext) { ObjectResolver.RegisterInstance <IPayloads>(new Payloads(WebSec.Library.Constants.PayloadsQuickDataFolder)); }
public void DomXssTestPassesAndReceivesCookiesCorrectly() { const string TestUrl = @"http://www.bing.com/search?q=seattle"; var url = new Uri(TestUrl); // create our own cookies var expectedCookie1 = this.CreateTestCookie(1); var expectedCookie2 = this.CreateTestCookie(2); var expectedCookie3 = this.CreateTestCookie(3); var expectedCookie4 = this.CreateTestCookie(4); var expectedCookie5 = this.CreateTestCookie(5); var requestCollection = new CookieCollection { expectedCookie1, expectedCookie2, expectedCookie3 }; var responseCollection = new CookieCollection { expectedCookie4, expectedCookie5 }; var browserMock = CreateMockBrowser(); string alertText; browserMock .Setup(m => m.DismissedIfAlertDisplayed(out alertText)) .Returns(true); browserMock .SetupGet(m => m.AllCookies) .Returns(responseCollection); browserMock .SetupGet(m => m.PageSource) .Returns("pagesource"); browserMock .SetupGet(m => m.AlertMessageDisplayed) .Returns(new HashSet <string> { TestBaseHelper.AttackSignature }); var browserManagerMock = this.CreateBrowserManager(new[] { BrowserType.Chrome }); browserManagerMock .Setup(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome))) .Returns(browserMock.Object); ObjectResolver.RegisterInstance(browserManagerMock.Object); var target = Target.Create(TestUrl); var context = new Context(); context.CurrentCookies[url.Host] = requestCollection; var instance = new TestableDomXssTest(); instance.Init(context, target); // introduce our known injection strings instance.InjectTestCaseStrings(new[] { "alert(" + TestBaseHelper.AttackSignature + ")" }); // run the test instance.DoTests(); var vuln = instance.Vulnerabilities.First(); // the response cookies should be pulled back from the browser vuln.HttpResponse.Cookies.Count.ShouldEqual(responseCollection.Count); vuln.HttpResponse.Cookies[0].ShouldBeTheSameAs(expectedCookie4); vuln.HttpResponse.Cookies[1].ShouldBeTheSameAs(expectedCookie5); // The expected cookies were given to the browser this.CookieWasAddedToBrowser(browserMock, expectedCookie1); this.CookieWasAddedToBrowser(browserMock, expectedCookie2); this.CookieWasAddedToBrowser(browserMock, expectedCookie3); }
public void DomXssTestPositiveResult() { const string TestUrl = @"http://www.bing.com/search?q=seattle"; var propertyBag = new ConcurrentDictionary <int, bool>(); var browserMock = CreateMockBrowser(browserType: BrowserType.Chrome); browserMock .Setup(m => m.NavigateTo(It.IsAny <string>())) .Callback <string>(s => propertyBag[Thread.CurrentThread.ManagedThreadId] = s.Contains("alert(456)")); string alertText; browserMock .Setup(m => m.DismissedIfAlertDisplayed(out alertText)) .Returns(() => propertyBag.ContainsKey(Thread.CurrentThread.ManagedThreadId) && propertyBag[Thread.CurrentThread.ManagedThreadId]); browserMock .SetupGet(m => m.PageSource) .Returns("pagesource"); browserMock .SetupGet(m => m.Url) .Returns("http://foo"); browserMock .SetupGet(m => m.AlertMessageDisplayed) .Returns(new HashSet <string> { TestBaseHelper.AttackSignature }); var factoryMock = new Mock <IBrowserFactory>(); factoryMock .Setup(m => m.Create(It.IsAny <BrowserType>())) .Returns(browserMock.Object); ObjectResolver.RegisterType <IProcessManager, ProcessManager>(); var browserManagerMock = this.CreateBrowserManager(new[] { BrowserType.Chrome }); browserManagerMock .Setup(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome))) .Returns(browserMock.Object); ObjectResolver.RegisterInstance(browserManagerMock.Object); var target = Target.Create(TestUrl); var context = new Context(); var instance = new TestableDomXssTest(); instance.Init(context, target); // introduce our known injection strings instance.InjectTestCaseStrings(new[] { "blah", "alert(" + TestBaseHelper.AttackSignature + ")", "foo" }); // run the test instance.DoTests(); // the scan should have run on multiple threads. propertyBag.Count.ShouldBeGreaterThanOrEqualTo(1); // a vuln should be found instance.Vulnerabilities.ShouldNotBeNull(); instance.Vulnerabilities.Count.ShouldEqual(3); // the vuln record should be well formed var vuln = instance.Vulnerabilities.First(t => t.TestedVal == "blah"); vuln.Level.ShouldEqual(0); vuln.TestedParam.ShouldEqual("q"); vuln.TestedVal.ShouldEqual("blah"); vuln.Evidence.ShouldEqual("Found by Chrome"); vuln.TestPlugin.ShouldEqual("TestableDomXssTest"); vuln.Title.ShouldEqual("DOM XSS - Script injection"); // the http details should be consistent for browser generated request vuln.HttpResponse.ShouldNotBeNull(); vuln.HttpResponse.Headers.Count.ShouldEqual(0); vuln.HttpResponse.RequestHeaders.ShouldEqual(string.Empty); vuln.HttpResponse.RequestAbsolutUri.ShouldEqual("http://www.bing.com/search?q=blah"); vuln.HttpResponse.RequestHost.ShouldEqual("www.bing.com"); vuln.HttpResponse.ResponseContent.ShouldEqual(browserMock.Object.PageSource); vuln.HttpResponse.ResponseUri.ShouldNotBeNull(); vuln.HttpResponse.ResponseUri.ToString().ShouldEqual("http://foo/"); vuln.HttpResponse.StatusCode.ShouldEqual(HttpStatusCode.OK); vuln.HttpResponse.HttpError.ShouldEqual(string.Empty); // the browser requested all of the expected urls, even after a vuln was found browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=blah")), Times.Once()); browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=alert(" + TestBaseHelper.AttackSignature + ")")), Times.Once()); browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=foo")), Times.Once()); }
public static void ClassInit(TestContext testContext) { // configure the firewall for browser control since these tests use live browsers. BrowserManagerTests.CreateFirewallRules(); ObjectResolver.RegisterInstance <IPayloads>(new Payloads(Library.Constants.PayloadsQuickDataFolder)); }