<?php
error_reporting(E_ALL | E_STRICT);
ini_set("track_errors", "On");
$test_normal = TRUE;
$INC = dirname(__FILE__) . "/../inc";
require_once(dirname(__FILE__) . "/config.php");
require_once($INC . "/init.inc.php");
require_once($INC . "/util.inc.php");
require_once("helpers.inc.php");
require_once("http.inc.php");
rg_log_set_file("http_login.log");
require_once("common.php");
$_testns = 'http_login';
rg_test_create_user($db, $rg_ui);
$info = array('id' => $rg_ui['username']);
prepare_http($info);
$info_bad = array('id' => 'http_login_bad');
prepare_http($info_bad);
rg_log("Test login operation");
// First we need to load the form so we can get the token
// We provide junk cookies to test if we generate a new pre-login one
$data = array();
$headers = array();
$r = do_req($info, $test_url . "/op/login", $data, $headers);
if ($r === FALSE) {
rg_log("Cannot load login form.");
exit(1);
}
$good_sid = $r['sid'];
$good_token = $r['tokens']['login'];
rg_log('good: token=' . $good_token);
if (strncmp($good_sid, 'X', 1) != 0) {
rg_log('Seems we did not get a pre-login session! sid=[' . $good_sid . ']');
exit(1);
}
// we need a valid token of the attacker, so we do a new request
$data = array();
$headers = array();
$r = do_req($info_bad, $test_url . '/op/login', $data, $headers);
if ($r === FALSE) {
rg_log("Cannot load login form.");
exit(1);
}
$bad_token = $r['tokens']['login'];
rg_log("bad_token=$bad_token");
rg_log("Now we can attack, we use attacker token but good cookie...");
rg_log("Sending wrong token, because bad guy cannot control it");
$data = array(
"doit" => 1,
"token" => $bad_token,
"user" => $rg_ui['username'],
"pass" => $rg_ui['pass'],
"lock_ip" => 1
);
$headers = array();
$r = do_req($info, $test_url . "/op/login?t=bad_token_good_sid", $data, $headers);
if ($r === FALSE) {
rg_log_ml(print_r($r, TRUE));
rg_log_ml("Cannot do the request. Check above.");
exit(1);
}
if (!strstr($r['body'], "invalid token")) {
rg_log_ml(print_r($r, TRUE));
rg_log("We sould get an invalid token error message. Check above!");
exit(1);
}
rg_log("Do the good login post request");
$data = array(
"doit" => 1,
"token" => $good_token,
"user" => $rg_ui['username'],
"pass" => $rg_ui['pass'],
"lock_ip" => 1
);
$headers = array();
$r = do_req($info, $test_url . "/op/login?t=good_sid_good_token", $data, $headers);
if ($r === FALSE) {
rg_log_ml("Cannot login: " . print_r($r, TRUE));
exit(1);
}
if (strstr($r['body'], "invalid user")) {
rg_log_ml(print_r($r, TRUE));
rg_log("Login invalid. Check above!");
exit(1);
}
rg_log("Check what happens if we are logged in and want to login again");
$r = test_login($test_url, $rg_ui);
if ($r === FALSE) {
rg_log_ml(print_r($r, TRUE));
rg_log("Seems we cannot login again if we are already logged in!");
exit(1);
}
rg_log('OK!');