https://pastein.ru/t/eJZ
Загрузка данных
└─$ cat test_http_methods.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
HTTP Methods Security Tester for Flask app (WSTG-CONF-06)
- логинится через Flask-WTF + CSRF
- тестирует анонимную / user / admin сессии
- понимает 403 Forbidden
- не путает 302 redirect на login с успешным доступом
- НЕ тестирует /logout
"""
import argparse
import re
from urllib.parse import urljoin, urlparse, parse_qs
import requests
from requests.exceptions import RequestException, Timeout, ConnectionError
DEFAULT_URL = "http://10.0.20.5:5000"
ENDPOINTS = [
"/",
"/register",
"/home",
"/home_admin",
"/add_card",
"/recharge_balance",
"/delete_card",
"/cart",
"/checkout",
"/like",
"/users",
"/news",
"/admin/news",
"/admin/news/add",
"/admin/news/edit/1",
"/admin/news/delete/1",
"/edit_user/1",
"/delete_game/1",
"/search_suggestions",
"/search_suggestions1",
"/add_game",
"/editor_game/1",
"/ban_user/1",
"/add_to_cart/1",
"/remove_from_cart/1",
"/add_to_likes/1",
"/remove_from_likes/1",
]
TEST_METHODS = [
"GET",
"POST",
"PUT",
"DELETE",
"PATCH",
"OPTIONS",
"HEAD",
"TRACE",
"CONNECT",
"FOO",
]
METHOD_ALLOWED_CODES = {200, 201, 202, 204}
REDIRECT_CODES = {301, 302, 303, 307, 308}
DANGEROUS_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}
def make_session() -> requests.Session:
session = requests.Session()
session.headers.update({
"User-Agent": "Mozilla/5.0 (HTTP-Methods-Tester)",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
})
return session
def extract_csrf_token(html: str) -> str | None:
patterns = [
r'<input[^>]*name=["\']csrf_token["\'][^>]*value=["\']([^"\']+)["\']',
r'<input[^>]*value=["\']([^"\']+)["\'][^>]*name=["\']csrf_token["\']',
]
for pattern in patterns:
m = re.search(pattern, html, re.IGNORECASE | re.DOTALL)
if m:
return m.group(1)
return None
def login(session: requests.Session, base_url: str, email: str, password: str, timeout: int = 5) -> bool:
login_url = urljoin(base_url, "/")
try:
resp = session.get(login_url, timeout=timeout)
resp.raise_for_status()
csrf_token = extract_csrf_token(resp.text)
if not csrf_token:
print(f"[-] Не найден csrf_token на странице логина для {email}")
return False
payload = {
"email": email,
"password": password,
"remember_me": "y",
"submit": "Login",
"csrf_token": csrf_token,
}
resp = session.post(login_url, data=payload, timeout=timeout, allow_redirects=True)
final_path = urlparse(resp.url).path
if final_path in ("/home", "/home_admin"):
print(f"[+] Успешный вход как {email} -> {resp.url}")
return True
print(f"[-] Не удалось войти как {email} (финальный URL: {resp.url}, статус: {resp.status_code})")
return False
except RequestException as e:
print(f"[-] Ошибка логина для {email}: {e}")
return False
def is_login_redirect(location: str | None) -> bool:
if not location:
return False
parsed = urlparse(location)
path = parsed.path or ""
qs = parse_qs(parsed.query)
return path == "/" or "next" in qs or "login" in path.lower()
def classify_response(status: int | None, location: str | None) -> str:
if status is None:
return "error"
if status == 403:
return "forbidden"
if status == 405:
return "method_not_allowed"
if status in METHOD_ALLOWED_CODES:
return "allowed"
if status in REDIRECT_CODES:
if is_login_redirect(location):
return "auth_required"
return "redirect"
return "other"
def test_method(session: requests.Session, base_url: str, endpoint: str, method: str, timeout: int = 5) -> dict:
url = urljoin(base_url, endpoint)
try:
if method == "HEAD":
resp = session.head(url, timeout=timeout, allow_redirects=False)
elif method == "OPTIONS":
resp = session.options(url, timeout=timeout, allow_redirects=False)
else:
resp = session.request(method, url, timeout=timeout, allow_redirects=False)
return {
"status": resp.status_code,
"location": resp.headers.get("Location"),
"content_type": resp.headers.get("Content-Type", ""),
}
except (ConnectionError, Timeout) as e:
return {"status": None, "location": None, "content_type": "", "error": str(e)}
except RequestException as e:
return {"status": None, "location": None, "content_type": "", "error": str(e)}
def print_result(method: str, info: dict):
if info.get("error"):
print(f" {method:<8} -> ERROR: {info['error']}")
return
status = info["status"]
location = info.get("location")
kind = classify_response(status, location)
extra = ""
if location:
extra = f" -> {location}"
if kind == "allowed":
if method in DANGEROUS_METHODS:
extra += " !!! ОПАСНЫЙ МЕТОД РАЗРЕШЁН !!!"
print(f" {method:<8} -> {status} [+]{extra}")
elif kind == "forbidden":
print(f" {method:<8} -> {status} [! FORBIDDEN]{extra}")
elif kind == "method_not_allowed":
print(f" {method:<8} -> {status} [-] (method not allowed){extra}")
elif kind == "auth_required":
print(f" {method:<8} -> {status} [-] (auth required){extra}")
elif kind == "redirect":
print(f" {method:<8} -> {status} [-] (redirect){extra}")
else:
print(f" {method:<8} -> {status} [?]{extra}")
def analyze_endpoint(endpoint: str, results: dict, label: str):
print(f"\n--- Эндпоинт: {endpoint} (Сессия: {label}) ---")
for method, info in results.items():
print_result(method, info)
def run_tests(session: requests.Session, base_url: str, label: str, timeout: int = 5) -> dict:
results_by_endpoint = {}
for endpoint in ENDPOINTS:
endpoint_results = {}
for method in TEST_METHODS:
endpoint_results[method] = test_method(session, base_url, endpoint, method, timeout=timeout)
results_by_endpoint[endpoint] = endpoint_results
analyze_endpoint(endpoint, endpoint_results, label)
return results_by_endpoint
def generate_report(all_results: dict):
print("\n" + "=" * 80)
print("ИТОГОВЫЙ ОТЧЁТ")
print("=" * 80)
dangerous_found = False
forbidden_found = False
for endpoint, by_session in all_results.items():
for session_name, results in by_session.items():
for method, info in results.items():
status = info.get("status")
location = info.get("location")
kind = classify_response(status, location)
if kind == "forbidden":
forbidden_found = True
if method in DANGEROUS_METHODS and kind == "allowed":
print(f"[!] {endpoint} [{session_name}]: метод {method} разрешён (код {status})")
dangerous_found = True
if not dangerous_found:
print("[+] Опасные методы (PUT, DELETE, TRACE, CONNECT, PATCH) нигде не разрешены.")
else:
print("[!] Найдены разрешённые опасные методы.")
if forbidden_found:
print("[+] На части эндпоинтов корректно возвращается 403 Forbidden для недостаточных прав.")
print("=" * 80)
def main():
parser = argparse.ArgumentParser(description="HTTP Methods Security Tester (Flask/WTF)")
parser.add_argument("--url", default=DEFAULT_URL, help=f"Базовый URL (по умолчанию {DEFAULT_URL})")
parser.add_argument("--timeout", type=int, default=5, help="Таймаут запроса в секундах")
parser.add_argument("--user-login", default=None, help="Email обычного пользователя")
parser.add_argument("--user-password", default=None, help="Пароль обычного пользователя")
parser.add_argument("--admin-login", default=None, help="Email администратора")
parser.add_argument("--admin-password", default=None, help="Пароль администратора")
args = parser.parse_args()
base_url = args.url.rstrip("/")
print(f"[*] Начинаем тестирование HTTP-методов для {base_url}")
print(f"[*] Эндпоинтов для проверки: {len(ENDPOINTS)}")
all_results = {}
print("\n[1] ТЕСТИРОВАНИЕ БЕЗ АУТЕНТИФИКАЦИИ")
anon_session = make_session()
all_results["anon"] = run_tests(anon_session, base_url, "anon", timeout=args.timeout)
if args.user_login and args.user_password:
print("\n[2] ТЕСТИРОВАНИЕ ОТ ИМЕНИ ОБЫЧНОГО ПОЛЬЗОВАТЕЛЯ")
user_session = make_session()
if login(user_session, base_url, args.user_login, args.user_password, timeout=args.timeout):
all_results["user"] = run_tests(user_session, base_url, "user", timeout=args.timeout)
else:
print("[-] Тесты от имени обычного пользователя пропущены из-за неудачного входа.")
else:
print("\n[2] Пропуск тестов от обычного пользователя")
if args.admin_login and args.admin_password:
print("\n[3] ТЕСТИРОВАНИЕ ОТ ИМЕНИ АДМИНИСТРАТОРА")
admin_session = make_session()
if login(admin_session, base_url, args.admin_login, args.admin_password, timeout=args.timeout):
all_results["admin"] = run_tests(admin_session, base_url, "admin", timeout=args.timeout)
else:
print("[-] Тесты от имени администратора пропущены из-за неудачного входа.")
else:
print("\n[3] Пропуск тестов от администратора")
generate_report(all_results)
if __name__ == "__main__":
main()
