From d1cb59a728463243f1e35918e57dc1e5b7ca6aca Mon Sep 17 00:00:00 2001
From: Ben Passmore
Date: Sun, 18 Aug 2019 13:46:20 +1000
Subject: [PATCH] Pulled api rate limit test to rspec
---
 spec/beef/api/auth_rate_spec.rb | 62 ++++++++++++++++
 spec/spec_helper.rb | 1 +
 .../support/simple_rest_client.rb | 0
 test/api/1333_auth_rate.rb | 73 -------------------
 4 files changed, 63 insertions(+), 73 deletions(-)
 create mode 100644 spec/beef/api/auth_rate_spec.rb
 rename test/api/lib/beef_rest_client.rb => spec/support/simple_rest_client.rb (100%)
 delete mode 100644 test/api/1333_auth_rate.rb
diff --git a/spec/beef/api/auth_rate_spec.rb b/spec/beef/api/auth_rate_spec.rb
new file mode 100644
index 000000000..1bbbcbec0
--- /dev/null
+++ b/spec/beef/api/auth_rate_spec.rb
@@ -0,0 +1,62 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+
+RSpec.describe 'BeEF API Rate Limit' do
+
+ before(:all) do
+ DataMapper.setup(:default, 'sqlite3::memory:')
+ DataMapper.auto_migrate!
+ @config = BeEF::Core::Configuration.instance
+ http_hook_server = BeEF::Core::Server.instance
+ http_hook_server.prepare
+ BeEF::API::Registrar.instance.fire(BeEF::API::Server, 'pre_http_start', http_hook_server)
+ @pid = fork do
+ http_hook_server.start
+ end
+ # wait for server to start
+ sleep 1
+ end
+
+ after(:all) do
+ Process.kill("INT",@pid)
+ end
+
+ it 'adheres to auth rate limits' do
+ passwds = (1..9).map { |i| "broken_pass"}
+ passwds.push BEEF_PASSWD
+ apis = passwds.map { |pswd| BeefRestClient.new('http', ATTACK_DOMAIN, '3000', BEEF_USER, pswd) }
+ l = apis.length
+ (0..2).each do |again| # multiple sets of auth attempts
+ # first pass -- apis in order, valid passwd on 9th attempt
+ # subsequent passes apis shuffled
+ puts "speed requesets" # all should return 401
+ (0..50).each do |i|
+ # t = Time.now()
+ #puts "#{i} : #{t - t0} : #{apis[i%l].auth()[:payload]}"
+ test_api = apis[i%l]
+ expect(test_api.auth()[:payload]).to eql("401 Unauthorized") # all (unless the valid is first 1 in 10 chance)
+ # t0 = t
+ end
+ # again with more time between calls -- there should be success (1st iteration)
+ puts "delayed requests"
+ (0..(l*2)).each do |i|
+ # t = Time.now()
+ #puts "#{i} : #{t - t0} : #{apis[i%l].auth()[:payload]}"
+ test_api = apis[i%l]
+ if (test_api.is_pass?(BEEF_PASSWD))
+ expect(test_api.auth()[:payload]["success"]).to be(true) # valid pass should succeed
+ else
+ expect(test_api.auth()[:payload]).to eql("401 Unauthorized")
+ end
+ sleep(0.5)
+ # t0 = t
+ end
+ apis.shuffle! # new order for next iteration
+ apis.reverse if (apis[0].is_pass?(BEEF_PASSWD)) # prevent the first from having valid passwd
+ end # multiple sets of auth attempts
+ end
+
+end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index a8c0f7d7a..bf8a453aa 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -12,6 +12,7 @@ $root_dir = Dir.pwd
require 'core/bootstrap.rb'
require 'rack/test'
require 'curb'
+require 'rest-client'

# Require supports
Dir['spec/support/*.rb'].each do |f|
diff --git a/test/api/lib/beef_rest_client.rb b/spec/support/simple_rest_client.rb
similarity index 100%
rename from test/api/lib/beef_rest_client.rb
rename to spec/support/simple_rest_client.rb
diff --git a/test/api/1333_auth_rate.rb b/test/api/1333_auth_rate.rb
deleted file mode 100644
index 7205c94d9..000000000
--- a/test/api/1333_auth_rate.rb
+++ /dev/null
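Review bot: `apis.reverse if (apis[0].is_pass?(BEEF_PASSWD))` at the end of the `(0..2).each` loop in auth_rate_spec.rb is a no-op, because `Array#reverse` returns a new array that is discarded, so the guard meant to keep the valid-password client from being first after `apis.shuffle!` never takes effect and the next "speed" pass can start with a successful login — the 1-in-10 flake the inline comment admits to; `apis.reverse! if apis[0].is_pass?(BEEF_PASSWD)` does what the comment says. The same line existed in the deleted test/unit file, so the defect is carried over rather than introduced here. `after(:all)` sends INT to the forked server but never reaps it; `Process.wait(@pid) if @pid` after the kill avoids a zombie and keeps a `before(:all)` that failed before `fork` from raising on a nil pid. The move from `assert(...)` to `expect(...).to be(true)` on `[:payload]["success"]` is stricter than before: if `auth()` returns the payload as a JSON string rather than a parsed Hash, `String#[]` yields the substring `"success"` and the example fails, so the payload type in spec/support/simple_rest_client.rb is worth confirming.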
@@ -1,73 +0,0 @@
-#
-# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
-# See the file 'doc/COPYING' for copying permission
-#
-
-require 'test/unit'
-
-#require 'pry-byebug'
-require 'rest-client'
-require 'json'
-require 'optparse'
-require 'pp'
-
-require '../common/test_constants'
-require_relative './lib/beef_rest_client'
-
-class TC_1333_auth_rate < Test::Unit::TestCase
-
- def test_auth_rate
- # tests rate of auth calls
- # this takes some time - with no output
- # beef must be running
-
- passwds = (1..9).map { |i| "broken_pass"}
- passwds.push BEEF_PASSWD
- apis = passwds.map { |pswd| BeefRestClient.new('http', ATTACK_DOMAIN, '3000', BEEF_USER, pswd) }
- l = apis.length
-
- # t0 = Time.now()
-
-
- (0..2).each do |again| # multiple sets of auth attempts
- # first pass -- apis in order, valid passwd on 9th attempt
- # subsequent passes apis shuffled
-
- # puts "speed requesets" # all should return 401
- (0..50).each do |i|
- # t = Time.now()
- # puts "#{i} : #{t - t0} : #{apis[i%l].auth()[:payload]}"
-
- test_api = apis[i%l]
- assert_match("401", test_api.auth()[:payload]) # all (unless the valid is first 1 in 10 chance)
-
- # t0 = t
- end
-
- # again with more time between calls -- there should be success (1st iteration)
- # puts "delayed requests"
- (0..(l*2)).each do |i|
- # t = Time.now()
- # puts "#{i} : #{t - t0} : #{apis[i%l].auth()[:payload]}"
-
- test_api = apis[i%l]
- if (test_api.is_pass?(BEEF_PASSWD))
- assert(test_api.auth()[:payload]["success"]) # valid pass should succeed
- else
- assert_match("401", test_api.auth()[:payload])
- end
-
- sleep(0.5)
- # t0 = t
- end
-
- apis.shuffle! # new order for next iteration
- apis.reverse if (apis[0].is_pass?(BEEF_PASSWD)) # prevent the first from having valid passwd
-
- end # multiple sets of auth attempts
-
- end # test_auth_rate
-
-
-end