Added support for basic authentication #45

Closed


thesp0nge

Hi there... sometimes it happens that web agencies publish their WordPress-powered website on the Internet using Basic Authentication to protect the blog in the "pre release" moments.

In order to be able to test a WP site even if password protected, I added the -b option, which takes the "username:password" parameter.

@erwanlr
Member

erwanlr commented Oct 18, 2012

Nice one :)

Just a few things :

  • Bad indentation spotted (browser.rb, lines 157-160) :

        if !params.has_key?(:headers)
        params = params.merge(:headers => {'Authorization' => @basic_auth})
        elsif !params[:headers].has_key?('Authorization')
        params[:headers]['Authorization'] = @basic_auth

  • The require 'base64' from wpscan_options.rb line 54 is useless because it's already done in lib/environment.rb line 29
  • Please write the rspec :)

@thesp0nge
Author

Fixed the former two...

On 18 October 2012 15:12, erwanlr [email protected] wrote:

> Nice one :)
>
> Just a few things :
>
>   • Bad indentation spotted (browser.rb, lines 157-160) :
>
>         if !params.has_key?(:headers)
>         params = params.merge(:headers => {'Authorization' => @basic_auth})
>         elsif !params[:headers].has_key?('Authorization')
>         params[:headers]['Authorization'] = @basic_auth
>
>   • The require 'base64' from wpscan_options.rb line 54 is useless because it's already done in lib/environment.rb line 29
>   • Please write the rspec :)


$ cd /pub
$ more beer

The blog that fills the gap between appsec and developers:
http://armoredcode.com

@thesp0nge
Author

There is no Rakefile (I'll add later). How do you run the spec suite?

@erwanlr
Member

erwanlr commented Oct 18, 2012

Just type "rspec" into the root dir of wpscan :)

You may have to install some gems : rspec, webmock and simplecov

@thesp0nge
Author

Actually it was easier than expected. However, I was able to write a test for the has_basic_auth? method but I was not able to write the test that says: if the site returns 401, then add a basic_auth to wp_target and then the site would return 200. :-(

@ethicalhack3r
Contributor

@erwanlr do you have any pointers on this? my rspec knowledge is pretty limited too, I need to learn. :)

@thesp0nge
Author

Another question guys... is there some background decision about not creating wpscan as a rubygem? I think packing the scanner in a standard rubyish CLI way can be a great deal, don't you think?

@ethicalhack3r
Contributor

Opened an issue. :)

#46

@thesp0nge
Author

Great @ethicalhack3r I'll work on it

@erwanlr
Member

erwanlr commented Oct 23, 2012

For rspec, you have only 2 more tests to do :

  • The code into browser.rb in the method merge_request_params
  • The code in wpscan_options.rb for the method basic_auth=

You can check if you cover your code by opening coverage/index.html after running rspec and then clicking on the file where your code is :)
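
An added example, not part of the pull request or of WPScan's code: a stdlib-only sketch of the two behaviours listed above (the credential setter and the header merge) plus the 401-then-200 scenario raised earlier in the thread. The names `ScanOptions`, `merge_auth_header` and `stub_site` and the credentials are hypothetical.

```ruby
# Added illustration; class and method names are hypothetical, not WPScan's code.
class ScanOptions
  attr_reader :basic_auth

  # Accepts "username:password" and stores the ready-to-send header value.
  def basic_auth=(credentials)
    # Split on the first colon only: the password may itself contain ':'.
    user, sep, _password = credentials.to_s.partition(':')
    raise ArgumentError, 'expected "username:password"' if sep.empty? || user.empty?

    # pack('m0') is unwrapped Base64 (what Base64.strict_encode64 does).
    # Base64.encode64 is pack('m'), which inserts a newline every 60 encoded
    # characters and would corrupt the header for long credentials.
    @basic_auth = "Basic #{[credentials].pack('m0')}"
  end

  def has_basic_auth?
    !@basic_auth.nil?
  end
end

# Adds the Authorization header only when credentials are configured and the
# caller has not already supplied one; the input hash is left unmodified.
def merge_auth_header(params, basic_auth)
  return params if basic_auth.nil?

  headers = (params[:headers] || {}).dup
  headers['Authorization'] = basic_auth unless headers.key?('Authorization')
  params.merge(headers: headers)
end

# Constructed stub of a Basic-auth-protected site: 200 only when the expected
# header is present, 401 otherwise.
def stub_site(request_params, expected_header)
  sent = (request_params[:headers] || {})['Authorization']
  sent == expected_header ? 200 : 401
end

# The 401-then-200 scenario, using constructed credentials.
def demo
  expected = "Basic #{['admin:s3cr3t'].pack('m0')}"
  opts = ScanOptions.new
  before = stub_site(merge_auth_header({}, opts.basic_auth), expected)
  opts.basic_auth = 'admin:s3cr3t'
  after = stub_site(merge_auth_header({}, opts.basic_auth), expected)
  [before, after]
end
```

In an rspec suite the stub would be replaced by a webmock `stub_request`, with the same three cases as expectations: no header configured, header added, caller-supplied header preserved.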

@erwanlr
Member

erwanlr commented Oct 23, 2012

Do not forget to modify the readme in order to include the new option :)

@erwanlr
Member

erwanlr commented Dec 12, 2012

Basic auth done, just need to update the readme

@erwanlr
Member

erwanlr commented Dec 13, 2012

Done (I forgot to reference the commits :x)

@erwanlr erwanlr closed this Dec 13, 2012
@ethicalhack3r
Contributor

Awesome! :D

@thesp0nge
Author

Sorry for being SO LATE in writing the file you requested. I just became a father for the second time and I started working real hard on codesake

@erwanlr
Member

erwanlr commented Dec 13, 2012

No problem :)

3 participants