GitHub Repository: wpscanteam/wpscan
Path: blob/master/spec/app/finders/passwords/xml_rpc_spec.rb
# frozen_string_literal: true
# Specs for the XML-RPC password finder: what #attack does when every
# candidate password is rejected by the endpoint.
describe WPScan::Finders::Passwords::XMLRPC do
  subject(:finder) { described_class.new(target) }

  let(:url)    { 'http://ex.lo/xmlrpc.php' }
  let(:target) { WPScan::Model::XMLRPC.new(url) }

  # XML-RPC fault document used as the stubbed reply for every login attempt:
  # faultCode 403 with faultString "Incorrect username or password.".
  # The rejection is carried in the XML body, so the same document is served
  # below with more than one HTTP status.
  #
  # NOTE(review): a constant assigned inside a `describe` block is not scoped
  # to the example group; it is defined in the enclosing lexical scope, which
  # here is the top level. Another spec defining the same name would collide.
  RESPONSE_403_BODY = '<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<fault>
<value>
<struct>
<member>
<name>faultCode</name>
<value><int>403</int></value>
</member>
<member>
<name>faultString</name>
<value><string>Incorrect username or password.</string></value>
</member>
</struct>
</value>
</fault>
</methodResponse>'

  describe '#attack' do
    # Wordlist fixture, passed to #attack as a String path.
    let(:wordlist_path) { FINDERS_FIXTURES.join('passwords.txt').to_s }

    context 'when no valid credentials' do
      # Single account under test.
      let(:users) { [WPScan::Model::User.new('admin')] }

      before do
        # Every POST to the endpoint gets the "incorrect credentials" fault,
        # with the HTTP status supplied by the nested context.
        stub_request(:post, url).to_return(body: RESPONSE_403_BODY, status: status)

        finder.attack(users, wordlist_path)
      end

      # The fault body is identical in both cases; only the transport-level
      # status differs. In both cases nothing may be written to the progress
      # bar log.
      #
      # NOTE(review): these examples assert only on progress_bar.log. They do
      # not check that a request was actually sent or that no user was
      # reported as having a valid password; what the finder logs is defined
      # outside this file, so confirm the assertion covers the intended case.
      [200, 403].each do |http_status|
        context "when status = #{http_status}" do
          let(:status) { http_status }

          its('progress_bar.log') { should be_empty }
        end
      end
    end
  end
end