From 6cbb156a01e8dcb700cfff38cc0b1bbda901baea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20St=C3=A1rek?= Date: Thu, 24 Oct 2019 15:57:28 +0200 Subject: [PATCH] Adding query attributes --- fuzzer/src/blocks_generator.py | 2 +- fuzzer/src/request_build_helper.py | 46 +++++++++++++++++++++--------- parser/Models/UriAttribute.cs | 1 + parser/Parser/AttributeParser.cs | 3 +- 4 files changed, 37 insertions(+), 15 deletions(-) diff --git a/fuzzer/src/blocks_generator.py b/fuzzer/src/blocks_generator.py index 8954028..ed47cae 100644 --- a/fuzzer/src/blocks_generator.py +++ b/fuzzer/src/blocks_generator.py @@ -89,7 +89,7 @@ def _generate_content_body(is_body_json, json_decoder, body_string_example, fuzz def _generate_http_header(request, endpoint, fuzzable): s_static(request["Method"].upper() + " ") - RequestBuildHelper.generate_uri(endpoint["Uri"], request["UriAttributes"], ConfigurationManager.config, fuzzable) + RequestBuildHelper.generate_uri(endpoint["Uri"], request["UriAttributes"], fuzzable) s_static(" HTTP/1.1\r\n") RequestBuildHelper.generate_headers(ConfigurationManager.config) s_static("\r\n\r\n") diff --git a/fuzzer/src/request_build_helper.py b/fuzzer/src/request_build_helper.py index 6e2be4a..d8e8e81 100644 --- a/fuzzer/src/request_build_helper.py +++ b/fuzzer/src/request_build_helper.py @@ -1,8 +1,10 @@ import json -from boofuzz import s_static, s_size +from typing import List +from boofuzz import s_static, s_size, s_render from fuzz_payloads import s_http_string, s_http_number, s_http_boolean from encodings_helper import EncodingTypes from parameter import Parameter +from configuration_manager import ConfigurationManager class RequestBuildHelper(object): 
@@ -34,10 +36,12 @@ class RequestBuildHelper(object): return headers is not None and header_name in headers @staticmethod - def generate_uri(uri, uri_parameters, config, fuzzable=False): - fixed_attributes = config["fixed_url_attributes"] if "fixed_url_attributes" in config else None + def generate_uri(uri, uri_parameters, fuzzable=False): id_generator = _unique_uri_attribute_id() + already_used_parameters: List[str] = [] + + # 1] Generate URI as it is in payloads file while True: try: # Find first not yet found parameter, if there is one 
@@ -48,24 +52,40 @@ class RequestBuildHelper(object): index = uri.index("}") parameter_name = uri[0:index] - parameter: Parameter = RequestBuildHelper._get_parameter(parameter_name, fixed_attributes, uri_parameters) - name = "URI attribute, default value: " + parameter.value + ", id: " + next(id_generator) - is_part_fuzzable = fuzzable and not parameter.is_from_config - - if parameter.data_type and (parameter.data_type == 'integer' or parameter.data_type == 'number'): - s_http_number(parameter.value, fuzzable=is_part_fuzzable, encoding=EncodingTypes.urlencoded, name=name) - elif parameter.data_type and parameter.data_type == 'string': - s_http_boolean(parameter.value, fuzzable=is_part_fuzzable, encoding=EncodingTypes.urlencoded, name=name) - else: - s_http_string(parameter.value, fuzzable=is_part_fuzzable, encoding=EncodingTypes.urlencoded, name=name) + RequestBuildHelper._append_parameter(parameter_name, id_generator, uri_parameters, fuzzable) uri = uri[index + 1:] + already_used_parameters.append(parameter_name) except ValueError: if len(uri) > 0: name = "URI attribute, default value: " + uri + ", id: " + next(id_generator) s_http_string(uri, fuzzable=False, encoding=EncodingTypes.ascii, name=name) break + # 2] Append another URI attributes + for uri_parameter in uri_parameters: + parameter_name = uri_parameter["Name"] + if parameter_name not in already_used_parameters and uri_parameter["Location"] == "Query": + prefix = "?" if "?" 
not in s_render() else "&" + name = "URI attribute, default value: " + uri + ", id: " + next(id_generator) + s_http_string(prefix + parameter_name + "=", fuzzable=False, encoding=EncodingTypes.ascii, name=name) + RequestBuildHelper._append_parameter(parameter_name, id_generator, uri_parameters, fuzzable) + + @staticmethod + def _append_parameter(parameter_name, id_generator, uri_parameters, fuzzable): + fixed_attributes = ConfigurationManager.config["fixed_url_attributes"] if "fixed_url_attributes" in ConfigurationManager.config else None + + parameter: Parameter = RequestBuildHelper._get_parameter(parameter_name, fixed_attributes, uri_parameters) + name = "URI attribute, default value: " + parameter.value + ", id: " + next(id_generator) + is_part_fuzzable = fuzzable and not parameter.is_from_config + + if parameter.data_type and (parameter.data_type == 'integer' or parameter.data_type == 'number'): + s_http_number(parameter.value, fuzzable=is_part_fuzzable, encoding=EncodingTypes.urlencoded, name=name) + elif parameter.data_type and parameter.data_type == 'string': + s_http_boolean(parameter.value, fuzzable=is_part_fuzzable, encoding=EncodingTypes.urlencoded, name=name) + else: + s_http_string(parameter.value, fuzzable=is_part_fuzzable, encoding=EncodingTypes.urlencoded, name=name) + # Getting parameter value from these sources (ordered): # 1] Fixed attributes from config # 2] Example value from documentation diff --git a/parser/Models/UriAttribute.cs b/parser/Models/UriAttribute.cs index 36809e4..a74a143 100644 --- a/parser/Models/UriAttribute.cs +++ b/parser/Models/UriAttribute.cs @@ -10,6 +10,7 @@ namespace Models public string Type { get; set; } public string Format { get; set; } + public string Location { get; set; } public UriAttribute(string name, bool required) { diff --git a/parser/Parser/AttributeParser.cs b/parser/Parser/AttributeParser.cs index b1bd001..8d1ce4f 100644 --- a/parser/Parser/AttributeParser.cs +++ b/parser/Parser/AttributeParser.cs 
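Review bot: In the "2] Append another URI attributes" loop the block name is built from `uri`, which by then holds only the trailing static segment left over from the while loop, so every query parameter is labelled with the wrong default value; build it from the text actually emitted, `name = "URI attribute, default value: " + prefix + parameter_name + "=, id: " + next(id_generator)`. Choosing `prefix` with `"?" not in s_render()` renders the whole request assembled so far and keys on any `?` in it (a `?` inside an earlier segment or value would select `&` for the first query parameter, yielding an invalid URL), so a local flag is both exact and cheaper: `has_query = False` before the loop, `prefix = "&" if has_query else "?"` in it, and `has_query = True` after the append. `uri_parameter["Location"]` raises KeyError on payload files produced by a parser without the new field; `uri_parameter.get("Location") == "Query"` degrades to skipping such entries instead. In `_append_parameter` the carried-over branch `elif parameter.data_type == 'string'` emits `s_http_boolean` while the untyped fallback emits `s_http_string`, which looks inverted and is worth confirming against fuzz_payloads. generate_uri's signature sits in the previous hunk and the trailing comment block belongs to `_get_parameter`, which continues outside this hunk.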
@@ -21,7 +21,8 @@ namespace Parser
 ContentParser.GetSingleExample(parameter.Schema?.Example) ??
 PrimitiveDataTypeExampleGenerator.GenerateExampleValueByType(parameter.Schema.Type, parameter.Schema.Format),
 Type = parameter.Schema.Type,
- Format = parameter.Schema.Format
+ Format = parameter.Schema.Format,
+ Location = parameter.In == ParameterLocation.Path ? "Path" : "Query"
 };
 return attribute;
 }
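Review bot: `Location = parameter.In == ParameterLocation.Path ? "Path" : "Query"` folds every non-path location into "Query", so if the OpenAPI parameter model also carries header or cookie parameters they are reported as query parameters and the fuzzer's query-string step will append them to the URL. Carrying the enum name through keeps the distinction and lets the consumer filter on exactly "Query": `Location = parameter.In?.ToString() ?? "Query"` (drop the `?.` if `In` is not nullable in this model). The enclosing method starts outside the hunk.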