github.com/merlinepedra/gopphish-attack@v0.9.0/models/page_test.go (about)

     1  package models
     2  
     3  import (
     4  	"strings"
     5  
     6  	"github.com/PuerkitoBio/goquery"
     7  	"gopkg.in/check.v1"
     8  )
     9  
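// TestPostPage checks how PostPage and PutPage rewrite a landing page's form
// markup for each combination of the CaptureCredentials and CapturePasswords
// flags.
//
// The assertions pin the stored HTML only. A browser does not submit a form
// control that has no name attribute, so a stripped name means the value is
// never sent with the form. This test does not check what the server records
// when a form is actually submitted.
func (s *ModelsSuite) TestPostPage(c *check.C) {
	html := `<html>
			<head></head>
			<body><form action="example.com">
				<input name="username"/>
				<input name="password" type="password"/>
			</form></body>
		  </html>`
	p := Page{
		Name:        "Test Page",
		HTML:        html,
		RedirectURL: "http://example.com",
	}

	// singleForm parses the page's current HTML and returns its form. It
	// asserts that exactly one form survived the rewrite, so the attribute
	// checks below cannot pass vacuously against an empty selection.
	singleForm := func() *goquery.Selection {
		d, err := goquery.NewDocumentFromReader(strings.NewReader(p.HTML))
		c.Assert(err, check.Equals, nil)
		forms := d.Find("form")
		c.Assert(forms.Length(), check.Equals, 1)
		return forms
	}

	// Capture both credentials and passwords: every input keeps its name.
	p.CaptureCredentials = true
	p.CapturePasswords = true
	err := PostPage(&p)
	c.Assert(err, check.Equals, nil)
	c.Assert(p.RedirectURL, check.Equals, "http://example.com")
	f := singleForm()
	// The original action ("example.com") must have been blanked.
	a, _ := f.Attr("action")
	c.Assert(a, check.Equals, "")
	// Check the password still has a name
	_, ok := f.Find("input[type=\"password\"]").Attr("name")
	c.Assert(ok, check.Equals, true)
	// Check the username is still correct (Attr reads the first input)
	u, ok := f.Find("input").Attr("name")
	c.Assert(ok, check.Equals, true)
	c.Assert(u, check.Equals, "username")

	// Capture credentials but not passwords: only the password input loses
	// its name. An empty RedirectURL must also be stored unchanged.
	p.CapturePasswords = false
	p.HTML = html
	p.RedirectURL = ""
	err = PutPage(&p)
	c.Assert(err, check.Equals, nil)
	c.Assert(p.RedirectURL, check.Equals, "")
	f = singleForm()
	a, _ = f.Attr("action")
	c.Assert(a, check.Equals, "")
	// Check the password name has been removed
	_, ok = f.Find("input[type=\"password\"]").Attr("name")
	c.Assert(ok, check.Equals, false)
	// Check the username is still correct
	u, ok = f.Find("input").Attr("name")
	c.Assert(ok, check.Equals, true)
	c.Assert(u, check.Equals, "username")

	// Capture nothing: both the password and the username lose their name.
	p.CaptureCredentials = false
	p.HTML = html
	err = PutPage(&p)
	c.Assert(err, check.Equals, nil)
	f = singleForm()
	a, _ = f.Attr("action")
	c.Assert(a, check.Equals, "")
	// Check the password name has been removed
	_, ok = f.Find("input[type=\"password\"]").Attr("name")
	c.Assert(ok, check.Equals, false)
	// Check the username name has been removed
	_, ok = f.Find("input").Attr("name")
	c.Assert(ok, check.Equals, false)

	// Finally, re-enable capturing passwords (ref: #1267). p.HTML is
	// deliberately NOT reset here: the input is the markup left by the
	// previous step, with the names already stripped, and the password
	// field must get a name back.
	p.CaptureCredentials = true
	p.CapturePasswords = true
	err = PutPage(&p)
	c.Assert(err, check.Equals, nil)
	f = singleForm()
	// Check the password has a name again
	_, ok = f.Find("input[type=\"password\"]").Attr("name")
	c.Assert(ok, check.Equals, true)
}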
   102  
// TestPageValidation walks Page.Validate through its expected outcomes: a
// missing name is rejected, CapturePasswords implies CaptureCredentials, and
// unknown template tags in either the HTML or the RedirectURL are reported as
// errors.
func (s *ModelsSuite) TestPageValidation(c *check.C) {
	tmpl := `<html>
			<head></head>
			<body>{{.BaseURL}}</body>
		  </html>`
	page := Page{
		HTML:        tmpl,
		RedirectURL: "http://example.com",
	}

	// A page without a name must be refused with the dedicated sentinel.
	c.Assert(page.Validate(), check.Equals, ErrPageNameNotSpecified)

	page.Name = "Test Page"

	// Asking for passwords without asking for credentials is inconsistent;
	// Validate is expected to switch CaptureCredentials on rather than fail.
	page.CapturePasswords = true
	c.Assert(page.CaptureCredentials, check.Equals, false)
	c.Assert(page.Validate(), check.Equals, nil)
	c.Assert(page.CaptureCredentials, check.Equals, true)

	// An unknown template tag in the HTML body must surface as an error.
	page.HTML = `<html>
		<head></head>
		<body>{{.INVALIDTAG}}</body>
	  </html>`
	c.Assert(page.Validate(), check.NotNil)

	// The same applies to the RedirectURL, checked with the HTML made valid
	// again so that the URL is the only possible cause of the error.
	page.HTML = "valid data"
	page.RedirectURL = "http://example.com/{{.INVALIDTAG}}"
	c.Assert(page.Validate(), check.NotNil)
}