# Web GUI Fuzzing

We apply our techniques on Graphical User Interfaces (GUIs), notably on Web interfaces.

**Prerequisites**

* _Refer to earlier chapters as notebooks here, as here:_ [Earlier Chapter](Fuzzer.ipynb).

## A Web User Interface

In [None]:
import fuzzingbook_utils

In [None]:
from IPython.core.display import HTML, display

In [None]:
fuzzingbook_swag = {
    "tshirt": "One FuzzingBook T-Shirt",
    "drill": "One FuzzingBook Rotary Hammer",
    "lockset": "One FuzzingBook Lock Set"
}

In [None]:
html_order_form = """
<form action="/order" style="border:3px; border-style:solid; border-color:#FF0000; padding: 1em;">
  <h3>Fuzzingbook Swag Order Form</h3>
  Yes! Please send me at your earliest convenience
  <select name="item">
  """
for item in fuzzingbook_swag:
    html_order_form += '<option value="{item}">{name}</option>'.format(item=item, name=fuzzingbook_swag[item])
html_order_form += """
  </select>
  <br>
  <table>
  <tr><td>
  <label for="name">Name: </label><input type="text" name="name">
  </td><td>
  <label for="email">Email: </label><input type="email" name="email"><br>
  </td></tr>
  <tr><td>
  <label for="city">City: </label><input type="text" name="city">
  </td><td>
  <label for="zip">ZIP Code: </label><input type="number" name="zip">
  </tr></tr>
  </table>
  <input type="checkbox" name="tandc"><label for="tandc">I have read the <a href="/">terms and conditions</a></label><br>
  <button>Place order</button>
</form>
"""

In [None]:
HTML(html_order_form)

In [None]:
html_order_received = """
<div style="border:3px; border-style:solid; border-color:#FF0000; padding: 1em;">
  <h3>Thank you for your Order!</h3>
  We will send <strong>{item_name}</strong> to {name} in {city}, {zip}<br>
  A confirmation mail will be sent to {email}.
</div>
"""

In [None]:
HTML(html_order_received.format(item_name="One FuzzingBook Rotary Hammer", 
                                name="Jane Doe", 
                                email="doe@example.com",
                                city="Seattle",
                                zip="98104"))

1. Start a Web Server (in the background)
2. Send it a request, say "GET /"
3. Get the Web Form
4. Create a "GET" string

To render, check out imgkit: https://pypi.org/project/imgkit/

In [None]:
from multiprocessing import Process

In [None]:
from http.server import HTTPServer, BaseHTTPRequestHandler, HTTPStatus

In [None]:
import urllib.parse

In [None]:
import html

In [None]:
class MyHTTPRequestHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        print("HEAD " + self.path)
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-type", "text/html")
        self.end_headers()
            
    def do_GET(self):
        print("GET " + self.path)
        if self.path == "/":
            self.send_order_form()
        elif self.path.startswith("/order"):
            self.send_order_received()
        else:
            self.send_response(HTTPStatus.NOT_FOUND, "Not found")

In [None]:
class MyHTTPRequestHandler(MyHTTPRequestHandler):
    def send_order_form(self):
        self.send_response(HTTPStatus.OK, "Place your order")
        self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(html_order_form.encode("utf8"))

In [None]:
from Coverage import cgi_decode

In [None]:
class MyHTTPRequestHandler(MyHTTPRequestHandler):
    def send_order_received(self):
        self.send_response(HTTPStatus.OK, "Order received")
        self.send_header("Content-type", "text/html")
        self.end_headers()

        # self.path is sth like "/order?item=foo&name=bar"
        # Note: this fails to decode non-ASCII characters properly
        query_string = urllib.parse.urlparse(self.path).query
        
        # fields is { 'item': ['tshirt'], 'name': ['Jane Doe'], ...}
        fields = urllib.parse.parse_qs(query_string, keep_blank_values=True)

        values = {}
        html_values = {}
        for key in fields:
            values[key] = urllib.parse.unquote(html.unescape(fields[key][0]))
            html_values[key] = html.escape(urllib.parse.unquote(values[key]))
            
        values["item_name"] = fuzzingbook_swag[values["item"]]
        html_values["item_name"] = html.escape(values["item_name"])
        
        confirmation = html_order_received.format(**html_values)
        self.wfile.write(confirmation.encode("utf8"))

In [None]:
class MyHTTPRequestHandler(MyHTTPRequestHandler):
    def not_found(self):
        self.send_response(HTTPStatus.NOT_FOUND, "Not found")

In [None]:
def run_httpd():
    localhost = "127.0.0.1"
    for port in range(8800, 9000):
        httpd_address = (localhost, port)
        # httpd_url = "http://" + httpd_address[0] + ":" + repr(httpd_address[1]) + "/"
        
        try:
            httpd = HTTPServer(httpd_address, MyHTTPRequestHandler)
            break
        except OSError:
            continue
    
    print("Running on port", port)
    with open("httpd_port.txt", "w") as f:
        f.write(repr(port))
    httpd.serve_forever()    

In [None]:
http_process = Process(target=run_httpd)
http_process.start()

In [None]:
import time

In [None]:
time.sleep(1)
with open("httpd_port.txt") as f:
    httpd_port = int(f.read())
    
    # Better yet: https://stackoverflow.com/questions/2311510/getting-a-machines-external-ip-address-with-python

httpd_port

We need to get a URL for the server.  If you are running this notebook on the same machine as our Web server, we can access it locally; otherwise, we have to access the remote Web server just as we access the notebook server.

In [None]:
import urllib.request
import socket

In [None]:
def httpd_url(ip, port):
    return "http://" + ip + ":" + repr(port) + "/"

In [None]:
local_ip = "127.0.0.1"

# Get external IP (needed if running on a remote server)
external_ip = urllib.request.urlopen('https://ident.me').read().decode('utf8')

# Get hostname
hostname_ip = socket.gethostname()

for ip in [external_ip, hostname_ip, local_ip]:
    try:
        response = urllib.request.urlopen(httpd_url(ip, httpd_port))
        break
    except urllib.request.URLError:
        response = None
        
if response is not None:
    httpd_ip = ip

In [None]:
HTML('<a href="' + httpd_url(httpd_ip, httpd_port) + '">' + httpd_url(httpd_ip, httpd_port) + "</a>")

In [None]:
HTML('<iframe src="' + httpd_url(httpd_ip, httpd_port) + '" width="100%" height="220">')

In [None]:
from Carver import webbrowser

In [None]:
contents = webbrowser(httpd_url(httpd_ip, httpd_port))

In [None]:
HTML(contents)

How can we test this?  By sending one command after another.

In [None]:
HTML(webbrowser(httpd_url(httpd_ip, httpd_port) + "order?item=tshirt&name=Jane+Doe&email=doe%40example.com&city=Seattle&zip=98104"))

In [None]:
from Grammars import crange, is_valid_grammar

In [None]:
ORDER_GRAMMAR = {
    "<start>": [ "<order>" ],
    "<order>": [ "order?item=<item>&name=<name>&email=<email>&city=<city>&zip=<zip>" ],
    "<item>": [ "tshirt", "drill", "lockset" ],
    "<name>": [ "Jane Doe", "John Smith" ],
    "<email>": [ "foo@example.com"],
    "<city>": [ "Seattle", "New York"],
    "<zip>": [ "<digit>" * 5 ],
    "<digit>": crange('0', '9')
}
assert is_valid_grammar(ORDER_GRAMMAR)

More interesting, though: Values that are not as common as these

In [None]:
BAD_ORDER_GRAMMAR = {
    "<name>": [ "Robert'; drop table students; --"],  # https://xkcd.com/327/
    "<city>": [ "Mötley Crüe" ],
}
...

Continue with:

* Extract generic grammar from HTML automatically (including bad inputs)

Then, add selenium to fuzz arbitrary Web pages

* Adding selenium https://selenium-python.readthedocs.io
* Synthesize selenium calls


Clean up:

In [None]:
time.sleep(5)
http_process.terminate()

In [None]:
import os

In [None]:
os.remove("httpd_port.txt")

## Lessons Learned

* _Lesson one_
* _Lesson two_
* _Lesson three_

## Next Steps

_Link to subsequent chapters (notebooks) here, as in:_

* [use _mutations_ on existing inputs to get more valid inputs](MutationFuzzer.ipynb)
* [use _grammars_ (i.e., a specification of the input format) to get even more valid inputs](Grammars.ipynb)
* [reduce _failing inputs_ for efficient debugging](Reducer.ipynb)


## Background

_Cite relevant works in the literature and put them into context, as in:_

The idea of ensuring that each expansion in the grammar is used at least once goes back to Burkhardt \cite{Burkhardt1967}, to be later rediscovered by Paul Purdom \cite{Purdom1972}.

## Exercises

_Close the chapter with a few exercises such that people have things to do.  To make the solutions hidden (to be revealed by the user), have them start with_

```markdown
**Solution.**
```

_Your solution can then extend up to the next title (i.e., any markdown cell starting with `#`)._

_Running `make metadata` will automatically add metadata to the cells such that the cells will be hidden by default, and can be uncovered by the user.  The button will be introduced above the solution._

### Exercise 1: _Title_

_Text of the exercise_

In [None]:
# Some code that is part of the exercise
pass

_Some more text for the exercise_

**Solution.** _Some text for the solution_

In [None]:
# Some code for the solution
2 + 2

_Some more text for the solution_

### Exercise 2: _Title_

_Text of the exercise_

**Solution.** _Solution for the exercise_