/authtest_apr20.py
Created Apr 23, 2012
TeamMentor python - Parameterless methods tested for 2 roles and sample output uploaded (by arvinddoraiswamy)
| import suds | |
| import re | |
| import sys | |
| import os | |
| import traceback | |
| url='http://....:8000//aspx_pages/TM_WebServices.asmx?WSDL' | |
| users={} | |
| def main(): | |
| client=connect_and_login(url) | |
| users=get_users_passwords() | |
| methods=get_methods_parameters_datatypes(client) | |
| methods=map_adversaries_to_methods(methods) | |
| report=analysis(client,users,methods) | |
| def connect_and_login(url): | |
| client = suds.client.Client(url) | |
| client.service.Login('admin','............................') | |
| match = re.search(r'ASP.NET_SessionId=.*Cookie Session=', str(client.options.transport.cookiejar)) | |
| if match: | |
| user_properties=client.service.Current_User() | |
| client.set_options(headers={'CSRF_Token': user_properties['CSRF_Token']}) | |
| return client | |
| client.service.Logout() | |
| def get_users_passwords(): | |
| f=open('users','rU') | |
| for line in f: | |
| t1=line.split('\t') | |
| t1[1]=re.sub(r'\s+$',r'',t1[1]) | |
| users[t1[0]]=t1[1] | |
| f.close() | |
| return users | |
| def get_methods_parameters_datatypes(client): | |
| t1=re.findall(r'.*Methods\ \(\d+\)(.*)Types\ \(\d+\)',str(client),re.DOTALL) | |
| t3=t1[0].split('\n') | |
| methods={} | |
| for i in t3: | |
| t2=re.sub(r'^\s*',r'',i) | |
| if re.search(r'^\w',t2): | |
| methods[t2]='' | |
| return methods | |
| def map_adversaries_to_methods(methods): | |
| manual_action_adversary_map={} | |
| f=open('method_attacker_mapping','rU') | |
| for line in f: | |
| t1=line.split('\t') | |
| t1[1]=re.sub(r'\n$',r'',t1[1]) | |
| manual_action_adversary_map[t1[0]]=t1[1] | |
| for key in methods.keys(): | |
| t2=key.split('(') | |
| if t2[0] in manual_action_adversary_map: | |
| methods[key]=manual_action_adversary_map[t2[0]] | |
| return methods | |
| def analysis(client,users,methods): | |
| ignored_methods = ['GetAllGuidanceItems()','GitHub_Push_Origin()','Logout()','GetAllUserLogs()','GetDeletedLibraries()','GitHub_Push_Commit()','DeleteDeletedGuidanceTypes()','DeleteDeletedLibraries()','GitHub_Pull_Origin()','GetGuidanceTypes()','GetGuidanceTypes()','GetGuidanceTypes()','GetUploadToken()'] | |
| os.remove('report.csv') | |
| for key in users.keys(): | |
| print "User -- " + key | |
| d = dict(http='127.0.0.1:8080') | |
| client.set_options(proxy=d) | |
| client.service.Login(key,users[key]) | |
| match = re.search(r'ASP.NET_SessionId=.*Cookie Session=', str(client.options.transport.cookiejar)) | |
| if match: | |
| user_properties=client.service.Current_User() | |
| client.set_options(headers={'CSRF_Token': user_properties['CSRF_Token']}) | |
| analysis_methods_no_params(key,client,methods,ignored_methods) | |
| analysis_methods_params(key,client,methods,ignored_methods) | |
| def analysis_methods_no_params(key,client,methods,ignored_methods): | |
| k=0 | |
| f=open('report.csv','a') | |
| for method in methods.keys(): | |
| if not method in ignored_methods: | |
| try: | |
| t2=methods[method].split(',') | |
| if re.search(r'\(\)',method) and key in t2: | |
| k+=1 | |
| b=eval('client.service.'+method) | |
| f.write(key+'^'+method+'^'+'OK\n') | |
| except Exception: | |
| exc_type, exc_value = sys.exc_info()[:2] | |
| t1=str(exc_value).split('\n') | |
| f.write(key+'^'+method+'^'+t1[0]+'\n') | |
| pass | |
| client.service.Logout() | |
| def analysis_methods_params(key,client,methods,ignored_methods): | |
| print 'Inside function which analyzes methods which contain parameters\n' | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment