/**
 * Negative test for the HTML scanning path: benign, well-formed markup
 * that is registered as HTML input must raise no event and must leave
 * the overall impact at 0.
 *
 * @return void
 */
public function testAllowedHTMLScanningNegative()
{
    // Harmless markup samples; every key is later registered as an HTML field.
    $markup = array(
        'html_1' => '<a href="http://www.google.de/">Google</a>',
        'html_2' => '<table width="500"><tr><th>Test</th></tr><tr><td>test</td></tr></table>',
        'html_3' => '<table><tr><td class="TableRowAlt"> <img src="templates/default/images/carat.gif" border="0" width="8" height="8" alt="" style="vertical-align:middle;" /> <a href="http://sla.ckers.org/forum/read.php?13,22665">FEEDBACK on my thesis on Session Management: SESSION FIXATION</a> </td> <td class="TableRowAlt" align="center">81 </td> <td class="TableRowAlt" align="center" nowrap="nowrap">1 </td> <td class="TableRowAlt" nowrap="nowrap"><a href="http://sla.ckers.org/forum/profile.php">euronymous</a></td> <td class="TableRowAlt SmallFont" nowrap="nowrap"> 06/01/2008 04:05AM <br /><span class="ListSubText"> <a href="http://sla.ckers.org/forum/read.php?13,22665,22665#msg-22665">Last Post</a> by <a href="http://sla.ckers.org/forum/profile.php?13,1410">euronymous</a> </span> </td> </tr></table>',
        'html_4' => '<img src="http://www.google.de/" />',
        'html_5' => '<h1>headline</h1><p>copytext</p> <p>bodytext © 2008</p> <h2>test </h2>',
        'html_6' => '<div id="header"> <div id="headerimg"> <h1><a href="http://php-ids.org/">PHPIDS » Web Application Security 2.0</a></h1> <div class="description"></div> </div></div><hr />',
    );

    // The purifier cache directory is configured on the shared init object
    // before the monitor is created (same order as the original fixture).
    $this->init->config['General']['HTML_Purifier_Cache'] = dirname(__FILE__) . '/../../lib/IDS/tmp/';

    $monitor = new IDS_Monitor($markup, $this->init);
    $monitor->setHtml(array_keys($markup));
    $report = $monitor->run();

    // No event for the first field and an aggregate impact of 0 are expected.
    $this->assertFalse($report->hasEvent(1));
    $this->assertEquals(0, $report->getImpact());
}
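/**
 * Asserts that every single exploit in the array is detected on its own.
 *
 * Each value is wrapped in a one-field request and run through a fresh
 * IDS_Monitor. Keys beginning with "html_" are registered as HTML fields
 * (after the purifier cache directory is configured), presumably routing
 * them through the HTML purifier before the filters — confirm in IDS_Monitor.
 * A payload whose impact is 0 fails the assertion; the offending key and
 * value are carried in the assertion message rather than echoed to stdout,
 * so the failure is attributable from the test report alone.
 *
 * @access private
 * @param array $exploits map of test name => payload
 */
private function _testForPlainEvent($exploits = array())
{
    foreach ($exploits as $key => $value) {
        $test = new IDS_Monitor(array('test' => $value), $this->init);
        if (preg_match('/^html_/', $key)) {
            // The purifier needs a writable cache directory before HTML fields are processed.
            $this->init->config['General']['HTML_Purifier_Cache'] = dirname(__FILE__) . '/../../lib/IDS/tmp/';
            $test->setHtml(array('test'));
        }
        $impact = $test->run()->getImpact();
        // Name the undetected payload in the failure message instead of printing it;
        // echo output is easily lost in the runner and does not identify the key.
        $this->assertTrue(
            $impact > 0,
            'Not detected (' . $key . '): ' . $value
        );
    }
}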