add cookie test

librecursebuster/main_test.go

@@ -228,6 +228,20 @@ func TestBlacklist(t *testing.T) {
 	}
 }
 
+func TestCookies(t *testing.T) {
+	finished := make(chan struct{})
+	cfg := getDefaultConfig()
+	cfg.Cookies = "lol=ok; cookie2=test;"
+	urlSlice := preSetupTest(cfg, "2009", finished, t)
+	gState.WordList = append(gState.WordList, "cookiesonly")
+	found := postSetupTest(urlSlice)
+	gState.Wait()
+
+	if x, ok := found["/cookiesonly"]; !ok || !x {
+		panic("Failed Cookie test")
+	}
+}
+
 func postSetupTest(urlSlice []string) (found map[string]bool) {
 	//start up the management goroutines
 	go ManageRequests()

librecursebuster/testserver/main.go

@@ -133,6 +133,18 @@ func handler(w http.ResponseWriter, r *http.Request) {
 		} else {
 			respCode = 404
 		}
+	case "/cookiesonly":
+		x, err := r.Cookie("lol")
+		if err == nil && x.Value != "ok" {
+			respCode = 404
+			break
+		}
+		x, err = r.Cookie("cookie2")
+		if err == nil && x.Value != "test" {
+			respCode = 404
+			break
+		}
+		respCode = 200
 	case "/postbody":
 		if r.Method == "POST" && r.Body != nil {
 			bod, err := ioutil.ReadAll(r.Body)

main.go

@@ -33,17 +33,17 @@ func main() {
 	globalState.Cfg.Version = version //**
 	totesTested := uint64(0)
 	globalState.TotalTested = &totesTested
-	flag.BoolVar(&globalState.Cfg.ShowAll, "all", false, "Show, and write the result of all checks")
+	flag.BoolVar(&globalState.Cfg.ShowAll, "all", false, "Show, and write the result of all checks") // todo: add test
 	flag.BoolVar(&globalState.Cfg.AppendDir, "appendslash", false, "Append a / to all directory bruteforce requests (like extension, but slash instead of .yourthing)")
 	flag.BoolVar(&globalState.Cfg.Ajax, "ajax", false, "Add the X-Requested-With: XMLHttpRequest header to all requests")
 	flag.StringVar(&globalState.Cfg.Auth, "auth", "", "Basic auth. Supply this with the base64 encoded portion to be placed after the word 'Basic' in the Authorization header.")
 	flag.StringVar(&globalState.Cfg.BadResponses, "bad", "404", "Responses to consider 'bad' or 'not found'. Comma-separated. This works the opposite way of gobuster!")
 	flag.Var(&globalState.Cfg.BadHeader, "badheader", "Check for presence of this header. If an exact match is found, the response is considered bad.Supply as key:value. Can specify multiple - eg '-badheader Location:cats -badheader X-ATT-DeviceId:XXXXX'")
 	flag.StringVar(&globalState.Cfg.BodyContent, "body", "", "File containing content to send in the body of the request. Content-length header will be set accordingly")
 	flag.StringVar(&globalState.Cfg.BlacklistLocation, "blacklist", "", "Blacklist of prefixes to not check. Will not check on exact matches.")
-	flag.StringVar(&globalState.Cfg.Canary, "canary", "", "Custom value to use to check for wildcards")
-	flag.BoolVar(&globalState.Cfg.CleanOutput, "clean", false, "Output clean URLs to the output file for easy loading into other tools and whatnot.")
-	flag.StringVar(&globalState.Cfg.Cookies, "cookies", "", "Any cookies to include with requests. This is smashed into the cookies header, so copy straight from burp I guess.")
+	flag.StringVar(&globalState.Cfg.Canary, "canary", "", "Custom value to use to check for wildcards")                                               //todo: add test
+	flag.BoolVar(&globalState.Cfg.CleanOutput, "clean", false, "Output clean URLs to the output file for easy loading into other tools and whatnot.") //todo: add test
+	flag.StringVar(&globalState.Cfg.Cookies, "cookies", "", "Any cookies to include with requests. This is smashed into the cookies header, so copy straight from burp I guess? (-cookies 'cookie1=cookie1content; cookie2=1; cookie3=cookie3lol?!?;'.")
 	flag.BoolVar(&globalState.Cfg.Debug, "debug", false, "Enable debugging")
 	//flag.IntVar(&globalState.Cfg.MaxDirs, "dirs", 1, "Maximum directories to perform busting on concurrently forcing limit to 1 because it's complicated otherwise
 	flag.StringVar(&globalState.Cfg.Extensions, "ext", "", "Extensions to append to checks. Multiple extensions can be specified, comma separate them.")