From e5e78f268296b82be71ddce6cf58fb7cd997f1e8 Mon Sep 17 00:00:00 2001 From: cwshugg Date: Tue, 22 Mar 2022 16:40:39 -0400 Subject: [PATCH] added test that uses real cookies from web browsers to test a server --- tests/server_unit_test_pserv.py | 53 +++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/tests/server_unit_test_pserv.py b/tests/server_unit_test_pserv.py index cb2ef02..15ac859 100755 --- a/tests/server_unit_test_pserv.py +++ b/tests/server_unit_test_pserv.py @@ -858,6 +858,59 @@ class Single_Conn_Malicious_Case(Doc_Print_Test_Case): self.assertEqual(response.status_code, requests.codes.ok, "Server failed to respond with private file despite being authenticated.") + def test_auth_wrong_cookie2(self): + """ Test Name: test_auth_wrong_cookie2 + Number Connections: N/A + Procedure: Sends cookies that are actually taken from one a web browser + when connecting to courses.cs.vt.edu. They're valid cookies, but they + should not be recognized by the server as valid authentication. + Similar idea for test_auth_wrong_cookie. A failure here means the server + might have crashed or it served a private file despite without checking + for valid authentication. + """ + # set up a few different cookies to try (no, these don't actually work + # - don't try any session hijacking with these cookies ;), we made + # sure they are invalid) + cookies = [ + ["IDMSESSID", "9DD957C450BBCFE9D75022A05DC71D0E701FE23AF0DEE777090831C9FFD087FF0EE5704771BA11D02B3FA5CC13F20B4F8A6758A02768E160AE1E100A8D4BECCE"], + ["auth_token", "[\"hokiebird\"\054 \"Hokie Bird\"].Yhy5-g.HXxh5WxmTawBv_LHPaTLnXNkYiI|5b9df2848955b572910a6ff3d2c98d27febbe6a8949c18cde52c8c11c91ed5437f40accae8f8b77a41e335e83556a3670d5f5178d8ddd4f8eb83e1a82974ce4a"], + ["session", ".eJwlzsFKw0AQgOFXKXuuZXczm93psV4qFBEs2GAkzM7OJEVNIaG2IL67hV7_e_L9mk4nmQezVvqaZWm6YzFrQ947cJoLRslQAaDW3hlSql2JZKUUT5m9S1LFCEKRMaqVKFqSg0hellofmStWUATRANYGmzmRdRA4E6KU2musEFXZ5aBY2hiyoGRukPMs013z3hq-zMO571uzXLTm8TSOp2xxei8fq2ZowkO_2h6uQ3i7fu_plvnpdtsX2u_Gw_Nnc3zyf_8CpUfl.Yjo3NQ.m-n22sd9bMNXyvtXpIS6dZ85Cv4"] + ] + + # loop through each of the cookies + for cookie in cookies: + # clear the session cookies and set a new cookie + self.session.cookies.clear() + self.session.cookies.set(cookie[0], cookie[1]) + + # try making a GET /api/login request + response = None + try: + response = self.session.get('http://%s:%s/api/login' % (self.hostname, self.port), timeout=2) + except requests.exception.RequestException: + raise AssertionError("The server did not respond within 2s") + + # make sure the correct response code was sent + if response.status_code != requests.codes.ok: + raise AssertionError("The server responded with %d instead of 200 OK for a GET /api/login request" % + response.status_code) + + # make sure the JSON data returned is empty + if response.text.strip() != "{}": + raise AssertionError("The server returned something other than an empty JSON object ({}) for a " + "GET /api/login request with invalid cookies. Received: '%s'" % response.text) + + # now, try making a request for a private file + response = None + try: + response = self.session.get('http://%s:%s/private/secure.html' % (self.hostname, self.port), timeout=2) + except requests.exception.RequestException: + raise AssertionError("The server did not respond within 2s") + + # make sure we didn't receive a 200 OK + if response.status_code == requests.codes.ok: + raise AssertionError("The server served a private file despite not being authenticated.") + ############################################################################## ## Class: Single_Conn_Bad_Case