Fixes:
1) Crashes in runner and file_utils
2) Binary strings being read in as payloads
Updates:
1) Clarified error messages in parser
2) Confusing variable names in test cases vs issues
Adds:
1) A `syntribos root` CLI sub command to display the current syntribos root dir
Change-Id: I22edf7a1f3d39724522aee88d08b00d299b67248
1) Allows for YAML body in request templates. If a content-type
is specified for a request template, Syntribos will validate the
body against the header. This is to prevent templates from silently
failing to parse and sending unintended data to the target.
2) Added extension to support basicauth
3) Lowered confidence ratings for various tests
Change-Id: I672b0e0aa3da1aa6dd7e9a8456da73f0a15759b7
This change:
1) rewrites the runner to spawn a thread pool for each template
and assigns a worker for each test case
2) makes the output colorized by default
3) makes minor changes to the output
Change-Id: I49906f5daaa339ca9429913680203c762a0ad9fe
Syntribos now allows the user to specify variables in their request
templates by reading from a meta.json file. This is part 1 of 3 of
the full effort, dealing primarily with the template parser itself.
Change-Id: Id41d331f595cd3bc32f085ef49cb5d1b16779a5c
Changing six.iteritems(kwargs) to kwargs.items() to improve
readability of code and reduce the use of python package six
Change-Id: I7460c0274b790efcd53ee9d1c0bc538effb950dd
Adding ReDoS test to syntribos. ReDos was earlier merged with
string_validation test, as ReDoS is a pure test in itself, adding
the same.
Change-Id: I04b2c80486d897eef2764223e2ba0f4433bc9144
There is a possibility for the json parser to reach depth limit
and crash. This test checks for that and raises an issue if the
parser crashes.
Change-Id: I2ecb77e2e9aef2379321142d608eb714b33d970a
During the first set of tests we did, it became clear that we
would need a way to test specific user provided string and check
them against user defined failure keys.
This test adds that functionality to the suite.
Change-Id: I53833c2ab11813d746d9fc97355adaf51eb6096e
Syntribos now downloads payloads as part of the initialization process, and
also can download payloads and templates as part of the 'syntribos download'
command.
Change-Id: I17501535e5fd341c2705e07e3797643dc2d4a7df
When syntribos attempts to download templates, it fails with
unicode error. This patch fixes it.
Closes-Bug: #1636609
Change-Id: Id62e9ed70d1b4501fe531587947c1f6d88bf034a
POC on loading payloads using remote URI. This is part of a larger
effort in packaging syntribos to ensure that the project would
work without much configuration post install from pypi.
Change-Id: Id61e840d4f49d5b6deb72bce2e8bcc0e1096fa52
As we are moving to the next iteration of the project for Ocata,
I think it would be helpul to makesure that the codebase is
fully compatible in py27 and in py35. Also, some minor styling
changes, removing uncessary spaces etc.
Change-Id: I9aac07dc180cd3a7c7885661bdad985c183ae0a9
Results are now formatted in the schema as defined here:
https://gist.github.com/cneill/a511451284a0c5f33295477150bd94d4
Furthermore, the json formatter is no longer responsible for the aggregation
of issues. Instead, this logic has been moved to the IssueTestResult class
Change-Id: Id39e122b2b4c1c9cafab09fdbc5d172dec012d22
The data file buffer-overflow.txt is never used, instead the string
generated in buffer_overflow.py is used for testing buffer overflow,
so the text file dependency is removed.
Change-Id: I4928926aa42b568502bd0b99b15b06d0667968ca
This change adds some commands to syntribos
sub commands:
- list_tests
- run
- dry_run
Also, refactoring runner.py and added utils/cli.py
to add all utility methods used for cli output.
Change-Id: Ieed2e06e0fb6eec34be640ae1db86785403546df
Adding a simple counter based id to tests to track them in debug
log and results log. Also, this patch improves the result output
like adding a progress bar and uniform test names..
Change-Id: Ib83181b25a0c18c7993f491cde98d73555b01404
- This removes FuzzRequest as a type of RequestObject. All requests are
now RequestObjects, and are parsed by the
syntribos.clients.http.parser
- Fuzzing a request is now done via
syntribos.tests.fuzz.datagen.fuzz_request()
- Moved _remove_attr_names and _remove_braces to the RequestObject
- Added unittests for fuzz datagen, http client models
Change-Id: Ib589c34ad80da58daab875d7383210d22d82d764
This updates the BTC/BFTC class methods based on the changes we agreed
on in our 7/13 meeting.
Details here: https://etherpad.openstack.org/p/syntribos-planning
Change-Id: I05e426ee1832385ec42d64ba930caea9ddd5374f
Removed data driven pass case and refactored data driven failure case
with a string presence check
Change-Id: I1abce36296676e2c7d4a3eacaf16c619b80199f1
Currently, no signals are printed with the output, so now, the slugs of signals
associated with each issue are now printed in the results output. We may
revisit this to add strengths and tags should they be needed in the future.
Change-Id: Ib58127a9d6bb296b9731668e957c15e5c2ef71f4
- Merges arguments.py and and existing config.py files into one file
- Removes dependencies on cafe.* config file / CLI parsing
- Adds "register_opts" to BTC to allow Tests to specify config options
- Moves us completely from cclogging to Python logging
Change-Id: I0d4a84563d54307c94c0064be429919f9d91d67b
- Removed unnecessary code from BTC
- Moved some components from BFTC to BTC
- Start using signals for all tests
- Renamed several variables in BTC for clarity
- Cleaned up BaseAuthTestCase somewhat
Change-Id: I3efc44b33aa4416e1f9853910485a8c5703a9057
Added SSL test case to check the returned response for http urls
over https urls
Implements blueprint test-transport-layer-security
Change-Id: I87eb6b075e5b528f0634500bc0ed2b52ff19e241
The all_attack test payload is extraordinarily long and serves little purpose.
Therefore it's now removed.
Change-Id: Ifd3ccdd9cb5d4b05f365dba45b61ea4d6875a64a
Extended the extend_class() method from BaseTestCase in BaseFuzzTestCase, as
only BaseFuzzTestCase should have fuzz_string and param_path as parameters to
the method.
Change-Id: If39629caed9d9659bb4c7c39eb8199b25610b5b1
Andreas Jaeger