package controllers
import (
"fmt"
"net/http"
"net/url"
"strings"
"github.com/PuerkitoBio/goquery"
)
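// TestLoginCSRF verifies that a login POST carrying no CSRF token is rejected
// by the admin server with 403 Forbidden, i.e. valid credentials alone are not
// enough to authenticate.
func (s *ControllersSuite) TestLoginCSRF() {
	resp, err := http.PostForm(fmt.Sprintf("%s/login", s.adminServer.URL),
		url.Values{
			"username": {"admin"},
			"password": {"gophish"},
		})
	// Stop here on a transport error: the original only printed err and then
	// dereferenced resp, which panics instead of reporting a clean failure.
	s.Require().NoError(err)
	defer resp.Body.Close()
	s.Equal(http.StatusForbidden, resp.StatusCode)
}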
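// TestInvalidCredentials verifies that a login POST carrying a valid CSRF
// token but a wrong password is rejected with 401 Unauthorized.
func (s *ControllersSuite) TestInvalidCredentials() {
	// Load the login page once to obtain both the CSRF token embedded in the
	// form and the cookies the server sets alongside it.
	resp, err := http.Get(fmt.Sprintf("%s/login", s.adminServer.URL))
	s.Require().NoError(err)
	s.Equal(http.StatusOK, resp.StatusCode)

	// NewDocumentFromResponse consumes and closes resp.Body on return.
	doc, err := goquery.NewDocumentFromResponse(resp)
	s.Require().NoError(err)
	token, ok := doc.Find("input[name='csrf_token']").First().Attr("value")
	s.Require().True(ok, "login page must contain a csrf_token input")

	form := url.Values{
		"username":   {"admin"},
		"password":   {"invalid"},
		"csrf_token": {token},
	}
	req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/login", s.adminServer.URL), strings.NewReader(form.Encode()))
	s.Require().NoError(err)
	// Replay every cookie the server set rather than copying the raw
	// Set-Cookie header: Header.Get returns only the first header value, and
	// that value includes attributes (Path, HttpOnly, ...) that do not belong
	// in a Cookie request header.
	for _, c := range resp.Cookies() {
		req.AddCookie(c)
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	client := &http.Client{}
	resp, err = client.Do(req)
	// Fail fast before touching resp; a non-fatal Equal would let the next
	// line dereference a nil response.
	s.Require().NoError(err)
	defer resp.Body.Close()
	s.Equal(http.StatusUnauthorized, resp.StatusCode)
}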
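// TestSuccessfulLogin verifies that a login POST with the correct credentials
// and a valid CSRF token is accepted with 200 OK.
func (s *ControllersSuite) TestSuccessfulLogin() {
	// Load the login page once to obtain both the CSRF token embedded in the
	// form and the cookies the server sets alongside it.
	resp, err := http.Get(fmt.Sprintf("%s/login", s.adminServer.URL))
	s.Require().NoError(err)
	s.Equal(http.StatusOK, resp.StatusCode)

	// NewDocumentFromResponse consumes and closes resp.Body on return.
	doc, err := goquery.NewDocumentFromResponse(resp)
	s.Require().NoError(err)
	token, ok := doc.Find("input[name='csrf_token']").First().Attr("value")
	s.Require().True(ok, "login page must contain a csrf_token input")

	form := url.Values{
		"username":   {"admin"},
		"password":   {"gophish"},
		"csrf_token": {token},
	}
	req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/login", s.adminServer.URL), strings.NewReader(form.Encode()))
	s.Require().NoError(err)
	// Replay every cookie the server set rather than copying the raw
	// Set-Cookie header: Header.Get returns only the first header value, and
	// that value includes attributes (Path, HttpOnly, ...) that do not belong
	// in a Cookie request header.
	for _, c := range resp.Cookies() {
		req.AddCookie(c)
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	client := &http.Client{}
	resp, err = client.Do(req)
	// Fail fast before touching resp; a non-fatal Equal would let the next
	// line dereference a nil response.
	s.Require().NoError(err)
	defer resp.Body.Close()
	s.Equal(http.StatusOK, resp.StatusCode)
}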
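// TestSuccessfulRedirect verifies that a successful login carrying a `next`
// query parameter answers with 302 Found whose Location path equals `next`.
// Only the path of the redirect is asserted here; the handling of an
// off-host or absolute `next` value is not exercised by this test.
func (s *ControllersSuite) TestSuccessfulRedirect() {
	next := "/campaigns"

	// Load the login page once to obtain both the CSRF token embedded in the
	// form and the cookies the server sets alongside it.
	resp, err := http.Get(fmt.Sprintf("%s/login", s.adminServer.URL))
	s.Require().NoError(err)
	s.Equal(http.StatusOK, resp.StatusCode)

	// NewDocumentFromResponse consumes and closes resp.Body on return.
	doc, err := goquery.NewDocumentFromResponse(resp)
	s.Require().NoError(err)
	token, ok := doc.Find("input[name='csrf_token']").First().Attr("value")
	s.Require().True(ok, "login page must contain a csrf_token input")

	// Do not follow the redirect: the assertion is on the 302 itself, not on
	// whatever the target page returns.
	client := &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	form := url.Values{
		"username":   {"admin"},
		"password":   {"gophish"},
		"csrf_token": {token},
	}
	req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/login?next=%s", s.adminServer.URL, next), strings.NewReader(form.Encode()))
	s.Require().NoError(err)
	// Replay every cookie the server set rather than copying the raw
	// Set-Cookie header: Header.Get returns only the first header value, and
	// that value includes attributes (Path, HttpOnly, ...) that do not belong
	// in a Cookie request header.
	for _, c := range resp.Cookies() {
		req.AddCookie(c)
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	resp, err = client.Do(req)
	// Fail fast before touching resp; a non-fatal Equal would let the next
	// line dereference a nil response.
	s.Require().NoError(err)
	defer resp.Body.Close()
	s.Equal(http.StatusFound, resp.StatusCode)

	// Named loc rather than url so the net/url package is not shadowed.
	loc, err := resp.Location()
	s.Require().NoError(err)
	s.Equal(next, loc.Path)
}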