Tests for the mod_sec lab assignment in DA516G
#!/usr/bin/ruby | |
# | |
# Tests for rules in mod_security | |
require 'test/unit' | |
require 'net/http' | |
require 'rubygems' | |
require 'uri' | |
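# Black-box tests for the lab's mod_security rule set.
#
# Each test sends one request to the lab host and asserts on the HTTP status
# code the server answers with: '200' for a request the rules must let
# through, '503' for requests a custom rule is expected to block, and '403'
# once the brute-force rule has kicked in. The assertions say nothing about
# *why* a request was blocked; only the status code is observed.
class TestRules < Test::Unit::TestCase
  # Sent with every request so the suite's traffic is recognisable in the
  # server's access and audit logs.
  USER_AGENT = "IDS Tests".freeze

  # Base URL of the lab host fronted by mod_security. Plain HTTP, as in the
  # lab setup; nothing here validates the peer.
  def setup
    @server = "http://www.idslabb.local"
  end

  # Sends a GET to +url+ and returns the HTTP status code as a String
  # (e.g. "200"), which is how Net::HTTP reports it.
  #
  # @param url [String] absolute URL to fetch
  # @return [String] response status code
  def get_response_from(url)
    uri = URI.parse(url)
    send_request(uri, Net::HTTP::Get.new(uri.request_uri)).code
  end

  # POSTs a login form to +url+ and returns the full Net::HTTPResponse, so
  # callers can inspect either +code+ or +body+.
  #
  # @param url [String] absolute URL of the login handler
  # @param login [String] value for the login_username field
  # @param password [String] value for the password field
  # @return [Net::HTTPResponse]
  def get_response_with_login(url, login, password)
    uri = URI.parse(url)
    request = Net::HTTP::Post.new(uri.request_uri)
    # NOTE(review): ';' is passed as the form-field separator instead of the
    # default '&'. Whether the PHP side splits on ';' is not established here;
    # if it does not, the server sees a single field and the login still
    # fails, which is all the brute-force test relies on. Kept as in the
    # original — confirm against the lab rule before changing it.
    request.set_form_data({ "login_username" => login, "password" => password }, ';')
    send_request(uri, request)
  end

  # Testing for OK on base_path: the login page itself must not be blocked.
  def test_index
    response_code = get_response_from("#{@server}/src/login.php")
    assert_equal '200', response_code
  end

  # Testing the first custom rule.
  def test_first_blah
    response_code = get_response_from("#{@server}/?test=blah")
    assert_equal '503', response_code
  end

  # Testing if an IP is in the request.
  def test_ip_in_request
    response_code = get_response_from("#{@server}/?test=http://10.5.5.50/")
    assert_equal '503', response_code
  end

  # Testing if the php include() is used in the request.
  def test_php_include
    response_code = get_response_from("#{@server}/?test=include(%22http://example.com/%22)")
    assert_equal '503', response_code
  end

  # Testing if there is a questionmark at the end of the request.
  def test_questionmark_end
    response_code = get_response_from("#{@server}/?test=http://example.com?")
    assert_equal '503', response_code
  end

  # Testing if the request host (Host in headers) is not in the request.
  def test_not_local
    response_code = get_response_from("#{@server}/?test=http://192.168.164.154/index.html")
    assert_equal '503', response_code
  end

  # Test unavailable login with squirrelmail (disabled in the original).
  #def test_squirrelmail_no_login
  #  response = get_response_with_login("#{@server}/src/redirect.php", "false_login", "false_pass")
  #  assert_match /Unknown user or password incorrect/, response.body
  #end

  # Testing squirrelmail bruteforce prevention: after ten failed logins the
  # WAF is expected to answer '403' instead of letting the login handler
  # respond. Only the last attempt's code is asserted.
  #
  # NOTE(review): this test changes server-side state (the client gets
  # blocked). Test::Unit's default ordering presumably runs it last, but if
  # the block outlives the run, a re-run starts out blocked and test_index's
  # '200' assertion would fail — confirm how long the rule keeps blocking.
  def test_squirrelmail_bruteforce_prevention
    response_code = nil
    10.times do
      response_code = get_response_with_login("#{@server}/src/redirect.php", "false_login", "false_pass").code
    end
    assert_equal '403', response_code
  end

  private

  # Shared transport for the two helpers above: adds the headers every
  # request carries, opens a connection to +uri+'s host and port, and returns
  # the Net::HTTPResponse. No open/read timeout is configured, so a hung lab
  # server stalls the whole suite under Net::HTTP's defaults.
  #
  # @param uri [URI] parsed target; only host and port are used here
  # @param request [Net::HTTPRequest] fully formed GET or POST
  # @return [Net::HTTPResponse]
  def send_request(uri, request)
    request["User-Agent"] = USER_AGENT
    request["Accept"] = "*/*"
    Net::HTTP.new(uri.host, uri.port).request(request)
  end
end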