STRLCPY/tsunami-security-scanner

Reduce complexity of the framework interface by removing the use_callback_server option and always preferring a callback server payload if the callback server is configured. Also simplify by removing NoCallbackServerException and associated config.
Albert Cui committed with Copybara-Service 2 years ago

1cc88929

1 parent b1c8bc8d

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

■ ■ ■ ■ ■ ■

plugin/src/main/java/com/google/tsunami/plugin/payload/NoCallbackServerException.java

1	-	/*
2	-	* Copyright 2022 Google LLC
3	-	*
4	-	* Licensed under the Apache License, Version 2.0 (the "License");
5	-	* you may not use this file except in compliance with the License.
6	-	* You may obtain a copy of the License at
7	-	*
8	-	* http://www.apache.org/licenses/LICENSE-2.0
9	-	*
10	-	* Unless required by applicable law or agreed to in writing, software
11	-	* distributed under the License is distributed on an "AS IS" BASIS,
12	-	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	-	* See the License for the specific language governing permissions and
14	-	* limitations under the License.
15	-	*/
16	-
17	-	package com.google.tsunami.plugin.payload;
18	-
19	-	/**
20	-	* Thrown if {@link PayloadFrameworkConfigs#throwErrorIfCallbackServerUnconfigured} is true and
21	-	* {@link PayloadGenerator} is asked to return a payload that uses the callback server but either
22	-	* the Tsunami instance does not have the callback server configured OR no callback-enabled payload
23	-	* exists for the requested payload configuration.
24	-	*
25	-	* <p>To reduce the burden on callers, this is an unchecked exception.
26	-	*/
27	-	public final class NoCallbackServerException extends RuntimeException {
28	-
29	-	public NoCallbackServerException() {
30	-	super(
31	-	"Received a request for a payload that uses the callback server, but no callback server is"
32	-	+ " configured. To have the payload generator attempt to find a fallback payload that"
33	-	+ " doesn't use the callback server, set"
34	-	+ " PayloadFrameworkConfigs.throwErrorIfCallbackServerUnconfigured to false.");
35	-	}
36	-	}
37	-

■ ■ ■ ■ ■ ■

plugin/src/main/java/com/google/tsunami/plugin/payload/PayloadFrameworkConfigs.java

1	-	/*
2	-	* Copyright 2022 Google LLC
3	-	*
4	-	* Licensed under the Apache License, Version 2.0 (the "License");
5	-	* you may not use this file except in compliance with the License.
6	-	* You may obtain a copy of the License at
7	-	*
8	-	* http://www.apache.org/licenses/LICENSE-2.0
9	-	*
10	-	* Unless required by applicable law or agreed to in writing, software
11	-	* distributed under the License is distributed on an "AS IS" BASIS,
12	-	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	-	* See the License for the specific language governing permissions and
14	-	* limitations under the License.
15	-	*/
16	-	package com.google.tsunami.plugin.payload;
17	-
18	-	import com.google.tsunami.common.config.annotations.ConfigProperties;
19	-
20	-	/** Configuration options for {@link PayloadGenerator}. */
21	-	@ConfigProperties("plugin.payload")
22	-	public final class PayloadFrameworkConfigs {
23	-	// If true, the payload generator will throw an error if a callback-server-enabled
24	-	// payload is requested but could not be fulfilled because Tsunami is not configured
25	-	// to use the callback server. If false, the payload generator will still try to find
26	-	// a payload that doesn't use the callback server but meets the remaining requested parameters.
27	-	public boolean throwErrorIfCallbackServerUnconfigured;
28	-	}
29	-

■ ■ ■ ■ ■ ■

plugin/src/main/java/com/google/tsunami/plugin/payload/PayloadGenerator.java

		skipped 18 lines
19	19		import static java.lang.annotation.RetentionPolicy.RUNTIME;
20	20
21	21		import com.google.common.collect.ImmutableList;
22		-	import com.google.common.flogger.GoogleLogger;
23	22		import com.google.protobuf.ByteString;
24	23		import com.google.tsunami.plugin.TcsClient;
25	24		import com.google.tsunami.proto.PayloadAttributes;
		skipped 6 lines
32	31
33	32		/** Holds the generate function to get a detection payload given config parameters */
34	33		public final class PayloadGenerator {
35		-	private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();
36		-
37	34		private static final int SECRET_LENGTH = 8;
38	35		private static final String TOKEN_CALLBACK_SERVER_URL = "$TSUNAMI_PAYLOAD_TOKEN_URL";
39	36		private static final String TOKEN_RANDOM_STRING = "$TSUNAMI_PAYLOAD_TOKEN_RANDOM";
		skipped 1 lines
41	38		private final TcsClient tcsClient;
42	39		private final PayloadSecretGenerator secretGenerator;
43	40		private final ImmutableList<PayloadDefinition> payloads;
44		-	private final PayloadFrameworkConfigs frameworkConfig;
45	41
46	42		@Inject
47	43		PayloadGenerator(
48	44		TcsClient tcsClient,
49	45		PayloadSecretGenerator secretGenerator,
50		-	@Payloads ImmutableList<PayloadDefinition> payloads,
51		-	PayloadFrameworkConfigs config) {
	46	+	@Payloads ImmutableList<PayloadDefinition> payloads) {
52	47		this.tcsClient = checkNotNull(tcsClient);
53	48		this.secretGenerator = checkNotNull(secretGenerator);
54	49		this.payloads = checkNotNull(payloads);
55		-	this.frameworkConfig = checkNotNull(config);
56	50		}
57	51
58	52		public boolean isCallbackServerEnabled() {
59	53		return tcsClient.isCallbackServerEnabled();
60	54		}
61	55
	56	+	/**
	57	+	* Returns a {@link Payload} for a given {@link PayloadGeneratorConfig}.
	58	+	*
	59	+	* <p>The framework prioritizes finding a callback server payload if callback server is enabled
	60	+	* and falls back to any payload that matches.
	61	+	*/
62	62		public Payload generate(PayloadGeneratorConfig config) {
63	63		PayloadDefinition selectedPayload = null;
64	64
65		-	// If a payload that uses callback server is requested, prioritize finding
66		-	// one. If there's none, fallback to any payload that matches.
67		-	if (config.getUseCallbackServer()) {
68		-	if (tcsClient.isCallbackServerEnabled()) {
69		-	for (PayloadDefinition candidate : payloads) {
70		-	if (isMatchingPayload(candidate, config)
71		-	&& candidate.getUsesCallbackServer().getValue()) {
72		-	selectedPayload = candidate;
73		-	break;
74		-	}
75		-	}
76		-	}
77		-
78		-	if (selectedPayload == null) { // or implictly the callback server is not enabled
79		-	if (frameworkConfig.throwErrorIfCallbackServerUnconfigured) {
80		-	throw new NoCallbackServerException();
81		-	} else {
82		-	logger.atWarning().log(
83		-	"Received request for payload that uses the callback server but no callback server is"
84		-	+ " configured. Attemping to fallback and find a suitable payload that does not"
85		-	+ " use the callback server. To disable this behavior and error instead, set"
86		-	+ " PayloadFrameworkConfigs.throwErrorIfCallbackServerUnconfigured to true.");
	65	+	if (tcsClient.isCallbackServerEnabled()) {
	66	+	for (PayloadDefinition candidate : payloads) {
	67	+	if (isMatchingPayload(candidate, config) && candidate.getUsesCallbackServer().getValue()) {
	68	+	selectedPayload = candidate;
	69	+	break;
87	70		}
88	71		}
89	72		}
		skipped 67 lines

■ ■ ■ ■ ■ ■

plugin/src/main/java/com/google/tsunami/plugin/payload/testing/FakePayloadGeneratorModule.java

		skipped 18 lines
19	19		import com.google.auto.value.AutoBuilder;
20	20		import com.google.inject.AbstractModule;
21	21		import com.google.tsunami.plugin.TcsConfigProperties;
22		-	import com.google.tsunami.plugin.payload.PayloadFrameworkConfigs;
23	22		import com.google.tsunami.plugin.payload.PayloadGenerator;
24	23		import com.google.tsunami.plugin.payload.PayloadGeneratorModule;
25	24		import java.security.SecureRandom;
		skipped 7 lines
33	32		*/
34	33		public final class FakePayloadGeneratorModule extends AbstractModule {
35	34		private final TcsConfigProperties tcsConfig = new TcsConfigProperties();
36		-	private final PayloadFrameworkConfigs frameworkConfigs;
37	35		private final SecureRandom secureRng;
38	36
39	37		/**
		skipped 3 lines
43	41		* in tests, leave this empty.
44	42		*/
45	43		FakePayloadGeneratorModule(
46		-	Optional<MockWebServer> callbackServer,
47		-	Optional<PayloadFrameworkConfigs> frameworkConfigs,
48		-	Optional<SecureRandom> secureRng) {
	44	+	Optional<MockWebServer> callbackServer, Optional<SecureRandom> secureRng) {
49	45
50	46		this.tcsConfig.callbackAddress = callbackServer.map(c -> c.getHostName()).orElse(null);
51	47		this.tcsConfig.callbackPort = callbackServer.map(c -> c.getPort()).orElse(null);
52	48		this.tcsConfig.pollingUri = callbackServer.map(c -> c.url("/").toString()).orElse(null);
53	49		this.secureRng = secureRng.orElse(new SecureRandom());
54		-
55		-	PayloadFrameworkConfigs defaultFrameworkConfigs = new PayloadFrameworkConfigs();
56		-	defaultFrameworkConfigs.throwErrorIfCallbackServerUnconfigured = false;
57		-	this.frameworkConfigs = frameworkConfigs.orElse(defaultFrameworkConfigs);
58	50		}
59	51
60	52		@Override
61	53		protected void configure() {
62	54		install(new PayloadGeneratorModule(secureRng));
63	55		bind(TcsConfigProperties.class).toInstance(tcsConfig);
64		-	bind(PayloadFrameworkConfigs.class).toInstance(frameworkConfigs);
65	56		}
66	57
67	58		/** Returns a builder for configuring the module */
		skipped 2 lines
70	61		}
71	62
72	63		static FakePayloadGeneratorModule build(
73		-	@Nullable MockWebServer callbackServer,
74		-	@Nullable PayloadFrameworkConfigs frameworkConfigs,
75		-	@Nullable SecureRandom secureRng) {
	64	+	@Nullable MockWebServer callbackServer, @Nullable SecureRandom secureRng) {
76	65		return new FakePayloadGeneratorModule(
77		-	Optional.ofNullable(callbackServer),
78		-	Optional.ofNullable(frameworkConfigs),
79		-	Optional.ofNullable(secureRng));
	66	+	Optional.ofNullable(callbackServer), Optional.ofNullable(secureRng));
80	67		}
81	68
82	69		/** Configures {@link FakePayloadGeneratorModule}. */
		skipped 4 lines
87	74		}
88	75
89	76		public abstract Builder setCallbackServer(MockWebServer callbackServer);
90		-
91		-	public abstract Builder setFrameworkConfigs(PayloadFrameworkConfigs config);
92	77
93	78		public abstract Builder setSecureRng(SecureRandom secureRng);
94	79
		skipped 4 lines

■ ■ ■ ■ ■ ■

plugin/src/test/java/com/google/tsunami/plugin/payload/PayloadGeneratorTest.java

1	-	/*
2	-	* Copyright 2022 Google LLC
3	-	*
4	-	* Licensed under the Apache License, Version 2.0 (the "License");
5	-	* you may not use this file except in compliance with the License.
6	-	* You may obtain a copy of the License at
7	-	*
8	-	* http://www.apache.org/licenses/LICENSE-2.0
9	-	*
10	-	* Unless required by applicable law or agreed to in writing, software
11	-	* distributed under the License is distributed on an "AS IS" BASIS,
12	-	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	-	* See the License for the specific language governing permissions and
14	-	* limitations under the License.
15	-	*/
16	-	package com.google.tsunami.plugin.payload;
17	-
18	-	import static com.google.common.truth.Truth.assertThat;
19	-	import static org.junit.Assert.assertFalse;
20	-	import static org.junit.Assert.assertThrows;
21	-	import static org.junit.Assert.assertTrue;
22	-
23	-	import com.google.inject.Guice;
24	-	import com.google.protobuf.ByteString;
25	-	import com.google.tsunami.common.net.http.HttpClientModule;
26	-	import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule;
27	-	import com.google.tsunami.plugin.payload.testing.PayloadTestHelper;
28	-	import com.google.tsunami.proto.PayloadGeneratorConfig;
29	-	import java.io.IOException;
30	-	import java.security.SecureRandom;
31	-	import java.util.Arrays;
32	-	import javax.inject.Inject;
33	-	import okhttp3.mockwebserver.MockWebServer;
34	-	import org.junit.Before;
35	-	import org.junit.Test;
36	-	import org.junit.runner.RunWith;
37	-	import org.junit.runners.JUnit4;
38	-
39	-	/** Tests for {@link PayloadGenerator}. */
40	-	@RunWith(JUnit4.class)
41	-	public final class PayloadGeneratorTest {
42	-
43	-	@Inject private PayloadGenerator payloadGenerator;
44	-
45	-	private MockWebServer mockCallbackServer;
46	-	private final SecureRandom testSecureRandom =
47	-	new SecureRandom() {
48	-	@Override
49	-	public void nextBytes(byte[] bytes) {
50	-	Arrays.fill(bytes, (byte) 0xFF);
51	-	}
52	-	};
53	-	private static final PayloadGeneratorConfig LINUX_REFLECTIVE_RCE_CONFIG =
54	-	PayloadGeneratorConfig.newBuilder()
55	-	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
56	-	.setInterpretationEnvironment(
57	-	PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL)
58	-	.setExecutionEnvironment(
59	-	PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
60	-	.build();
61	-	private static final PayloadGeneratorConfig JAVA_REFLECTIVE_RCE_CONFIG =
62	-	PayloadGeneratorConfig.newBuilder()
63	-	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
64	-	.setInterpretationEnvironment(PayloadGeneratorConfig.InterpretationEnvironment.JAVA)
65	-	.setExecutionEnvironment(
66	-	PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
67	-	.build();
68	-	private static final PayloadGeneratorConfig ANY_SSRF_CONFIG =
69	-	PayloadGeneratorConfig.newBuilder()
70	-	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.SSRF)
71	-	.setInterpretationEnvironment(
72	-	PayloadGeneratorConfig.InterpretationEnvironment.INTERPRETATION_ANY)
73	-	.setExecutionEnvironment(PayloadGeneratorConfig.ExecutionEnvironment.EXEC_ANY)
74	-	.build();
75	-	private static final String CORRECT_PRINTF =
76	-	"printf %s%s%s TSUNAMI_PAYLOAD_START ffffffffffffffff TSUNAMI_PAYLOAD_END";
77	-
78	-	@Before
79	-	public void setUp() throws IOException {
80	-	mockCallbackServer = new MockWebServer();
81	-	mockCallbackServer.start();
82	-	Guice.createInjector(
83	-	new HttpClientModule.Builder().build(),
84	-	FakePayloadGeneratorModule.builder()
85	-	.setCallbackServer(mockCallbackServer)
86	-	.setSecureRng(testSecureRandom)
87	-	.build())
88	-	.injectMembers(this);
89	-	}
90	-
91	-	@Test
92	-	public void isCallbackServerEnabled_withConfiguredCallbackServer_returnsTrue() {
93	-	assertTrue(payloadGenerator.isCallbackServerEnabled());
94	-	}
95	-
96	-	@Test
97	-	public void isCallbackServerEnabled_withUnconfiguredCallbackServer_returnsFalse() {
98	-	// Replace PayloadGenerator with a version without a configured callback server
99	-	Guice.createInjector(
100	-	new HttpClientModule.Builder().build(),
101	-	FakePayloadGeneratorModule.builder().setSecureRng(testSecureRandom).build())
102	-	.injectMembers(this);
103	-
104	-	assertFalse(payloadGenerator.isCallbackServerEnabled());
105	-	}
106	-
107	-	@Test
108	-	public void generate_withLinuxConfiguration_andCallbackServer_returnsCurlPayload() {
109	-	Payload payload =
110	-	payloadGenerator.generate(
111	-	LINUX_REFLECTIVE_RCE_CONFIG.toBuilder().setUseCallbackServer(true).build());
112	-
113	-	assertThat(payload.getPayload()).contains("curl");
114	-	assertThat(payload.getPayload()).contains(mockCallbackServer.getHostName());
115	-	assertThat(payload.getPayload()).contains(Integer.toString(mockCallbackServer.getPort(), 10));
116	-	assertTrue(payload.getPayloadAttributes().getUsesCallbackServer());
117	-	}
118	-
119	-	@Test
120	-	public void
121	-	checkIfExecuted_withLinuxConfiguration_andCallbackServer_andExecutedCallbackUrl_returnsTrue()
122	-	throws IOException {
123	-
124	-	mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse());
125	-	Payload payload =
126	-	payloadGenerator.generate(
127	-	LINUX_REFLECTIVE_RCE_CONFIG.toBuilder().setUseCallbackServer(true).build());
128	-
129	-	assertTrue(payload.checkIfExecuted());
130	-	}
131	-
132	-	@Test
133	-	public void
134	-	checkIfExecuted_withLinuxConfiguration_andCallbackServer_andNotExecutedCallbackUrl_returnsFalse() {
135	-
136	-	mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse());
137	-	Payload payload =
138	-	payloadGenerator.generate(
139	-	LINUX_REFLECTIVE_RCE_CONFIG.toBuilder().setUseCallbackServer(true).build());
140	-
141	-	assertFalse(payload.checkIfExecuted());
142	-	}
143	-
144	-	@Test
145	-	public void getPayload_withLinuxConfiguration_andNoCallbackServer_returnsPrintfPayload() {
146	-	Payload payload =
147	-	payloadGenerator.generate(
148	-	LINUX_REFLECTIVE_RCE_CONFIG.toBuilder().setUseCallbackServer(false).build());
149	-
150	-	assertThat(payload.getPayload()).contains(CORRECT_PRINTF);
151	-	assertFalse(payload.getPayloadAttributes().getUsesCallbackServer());
152	-	}
153	-
154	-	@Test
155	-	public void
156	-	getPayload_withLinuxConfiguration_andUnconfiguredCallbackServer_returnsPrintfPayload() {
157	-
158	-	// Replace PayloadGenerator with a version without a configured callback server
159	-	Guice.createInjector(
160	-	new HttpClientModule.Builder().build(),
161	-	FakePayloadGeneratorModule.builder().setSecureRng(testSecureRandom).build())
162	-	.injectMembers(this);
163	-
164	-	Payload payload =
165	-	payloadGenerator.generate(
166	-	LINUX_REFLECTIVE_RCE_CONFIG.toBuilder().setUseCallbackServer(true).build());
167	-
168	-	assertThat(payload.getPayload()).contains(CORRECT_PRINTF);
169	-	assertFalse(payload.getPayloadAttributes().getUsesCallbackServer());
170	-	}
171	-
172	-	@Test
173	-	public void
174	-	checkIfExecuted_withLinuxConfiguration_andNoCallbackServer_andCorrectInput_returnsTrue() {
175	-	Payload payload =
176	-	payloadGenerator.generate(
177	-	LINUX_REFLECTIVE_RCE_CONFIG.toBuilder().setUseCallbackServer(false).build());
178	-
179	-	assertTrue(
180	-	payload.checkIfExecuted(
181	-	ByteString.copyFromUtf8(
182	-	"RANDOMOUTPUTTSUNAMI_PAYLOAD_STARTffffffffffffffffTSUNAMI_PAYLOAD_END")));
183	-	}
184	-
185	-	@Test
186	-	public void
187	-	checkIfExecuted_withLinuxConfiguration_andNoCallbackServer_andIncorectInput_returnsFalse() {
188	-	Payload payload =
189	-	payloadGenerator.generate(
190	-	LINUX_REFLECTIVE_RCE_CONFIG.toBuilder().setUseCallbackServer(false).build());
191	-
192	-	assertFalse(payload.checkIfExecuted(ByteString.copyFromUtf8(CORRECT_PRINTF)));
193	-	}
194	-
195	-	@Test
196	-	public void getPayload_withJavaConfiguration_andNoCallbackServer_returnsPrintfPayload() {
197	-	Payload payload = payloadGenerator.generate(JAVA_REFLECTIVE_RCE_CONFIG);
198	-
199	-	assertThat(payload.getPayload())
200	-	.contains(
201	-	"String.format(\"%s%s%s\", \"TSUNAMI_PAYLOAD_START\", \"ffffffffffffffff\","
202	-	+ " \"TSUNAMI_PAYLOAD_END\")");
203	-	assertFalse(payload.getPayloadAttributes().getUsesCallbackServer());
204	-	}
205	-
206	-	@Test
207	-	public void
208	-	checkIfExecuted_withJavaConfiguration_andNoCallbackServer_andCorrectInput_returnsTrue() {
209	-	Payload payload = payloadGenerator.generate(JAVA_REFLECTIVE_RCE_CONFIG);
210	-
211	-	assertTrue(
212	-	payload.checkIfExecuted(
213	-	ByteString.copyFromUtf8(
214	-	"RANDOMOUTPUTTSUNAMI_PAYLOAD_STARTffffffffffffffffTSUNAMI_PAYLOAD_END")));
215	-	}
216	-
217	-	@Test
218	-	public void
219	-	checkIfExecuted_withJavaConfiguration_andNoCallbackServer_andIncorrectInput_returnsFalse() {
220	-	Payload payload = payloadGenerator.generate(JAVA_REFLECTIVE_RCE_CONFIG);
221	-
222	-	assertFalse(
223	-	payload.checkIfExecuted(
224	-	ByteString.copyFromUtf8("TSUNAMI_PAYLOAD_START ffffffffffffffff TSUNAMI_PAYLOAD_END")));
225	-	}
226	-
227	-	@Test
228	-	public void getPayload_withSsrfConfiguration_andCallbackServer_returnsCallbackUrl() {
229	-	Payload payload =
230	-	payloadGenerator.generate(ANY_SSRF_CONFIG.toBuilder().setUseCallbackServer(true).build());
231	-
232	-	assertTrue(payload.getPayloadAttributes().getUsesCallbackServer());
233	-	assertThat(payload.getPayload()).contains(mockCallbackServer.getHostName());
234	-	assertThat(payload.getPayload()).contains(Integer.toString(mockCallbackServer.getPort(), 10));
235	-	}
236	-
237	-	@Test
238	-	public void checkIfExecuted_withSsrfConfiguration_andCallbackServer_andExecutedUrl_returnsTrue()
239	-	throws IOException {
240	-	mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse());
241	-	Payload payload =
242	-	payloadGenerator.generate(ANY_SSRF_CONFIG.toBuilder().setUseCallbackServer(true).build());
243	-
244	-	assertTrue(payload.checkIfExecuted());
245	-	}
246	-
247	-	@Test
248	-	public void getPayload_withSsrfConfiguration_andCallbackServer_andNotExecutedUrl_returnsFalse() {
249	-	mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse());
250	-	Payload payload =
251	-	payloadGenerator.generate(ANY_SSRF_CONFIG.toBuilder().setUseCallbackServer(true).build());
252	-
253	-	assertFalse(payload.checkIfExecuted());
254	-	}
255	-
256	-	@Test
257	-	public void
258	-	checkIfExecuted_withSsrfConfiguration_andNoCallbackServer_andCorrectInput_returnsTrue() {
259	-	Payload payload =
260	-	payloadGenerator.generate(ANY_SSRF_CONFIG.toBuilder().setUseCallbackServer(false).build());
261	-
262	-	assertTrue(payload.checkIfExecuted("<title>Error 404 (Not Found)!!1</title>"));
263	-	}
264	-
265	-	@Test
266	-	public void
267	-	checkIfExecuted_withSsrfConfiguration_andNoCallbackServer_andIncorrectInput_returnsFalse() {
268	-	Payload payload =
269	-	payloadGenerator.generate(ANY_SSRF_CONFIG.toBuilder().setUseCallbackServer(false).build());
270	-
271	-	assertFalse(payload.checkIfExecuted("404 not found"));
272	-	}
273	-
274	-	@Test
275	-	public void generate_withoutVulnerabilityType_throwsNotImplementedException() {
276	-	assertThrows(
277	-	NotImplementedException.class,
278	-	() ->
279	-	payloadGenerator.generate(
280	-	PayloadGeneratorConfig.newBuilder()
281	-	.setInterpretationEnvironment(
282	-	PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL)
283	-	.setExecutionEnvironment(
284	-	PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
285	-	.build()));
286	-	}
287	-
288	-	@Test
289	-	public void generate_withoutInterpretationEnvironment_throwsNotImplementedException() {
290	-	assertThrows(
291	-	NotImplementedException.class,
292	-	() ->
293	-	payloadGenerator.generate(
294	-	PayloadGeneratorConfig.newBuilder()
295	-	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
296	-	.setExecutionEnvironment(
297	-	PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
298	-	.build()));
299	-	}
300	-
301	-	@Test
302	-	public void generate_withoutExecutionEnvironment_throwsNotImplementedException() {
303	-	assertThrows(
304	-	NotImplementedException.class,
305	-	() ->
306	-	payloadGenerator.generate(
307	-	PayloadGeneratorConfig.newBuilder()
308	-	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
309	-	.setInterpretationEnvironment(
310	-	PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL)
311	-	.build()));
312	-	}
313	-
314	-	@Test
315	-	public void generate_withoutConfig_throwsNotImplementedException() {
316	-	assertThrows(
317	-	NotImplementedException.class,
318	-	() -> payloadGenerator.generate(PayloadGeneratorConfig.getDefaultInstance()));
319	-	}
320	-
321	-	/**
322	-	* Tests that NoCallbackServerException is correctly thrown.
323	-	*
324	-	* <p>We expect the exception to be thrown when all the following circumstances are met:
325	-	* <ol>
326	-	* <li>throwErrorIfCallbackServerUnconfigured flag is set
327	-	* <li>the callback server is configured
328	-	* <li>callback-server-utilizing payload is requested
329	-	* <li>there is no payload defined that meets the other requested parameters
330	-	* </ol>
331	-	*/
332	-	@Test
333	-	public void
334	-	generate_with_andThrowErrorIfCallbackServerUnconfigured_throwsNoCallbackServerException() {
335	-	PayloadFrameworkConfigs config = new PayloadFrameworkConfigs();
336	-	config.throwErrorIfCallbackServerUnconfigured = true;
337	-	Guice.createInjector(
338	-	new HttpClientModule.Builder().build(),
339	-	FakePayloadGeneratorModule.builder()
340	-	.setFrameworkConfigs(config)
341	-	.setCallbackServer(mockCallbackServer)
342	-	.build())
343	-	.injectMembers(this);
344	-
345	-	assertThrows(
346	-	NoCallbackServerException.class,
347	-	() ->
348	-	payloadGenerator.generate(
349	-	// We keep the other parameters e.g. VulnerabilityType unset so that we will never
350	-	// find a payload since the definition doesn't exist.
351	-	PayloadGeneratorConfig.newBuilder().setUseCallbackServer(true).build()));
352	-	}
353	-	}
354	-

■ ■ ■ ■ ■ ■

plugin/src/test/java/com/google/tsunami/plugin/payload/PayloadGeneratorWithCallbackServerTest.java

1	+	/*
2	+	* Copyright 2022 Google LLC
3	+	*
4	+	* Licensed under the Apache License, Version 2.0 (the "License");
5	+	* you may not use this file except in compliance with the License.
6	+	* You may obtain a copy of the License at
7	+	*
8	+	* http://www.apache.org/licenses/LICENSE-2.0
9	+	*
10	+	* Unless required by applicable law or agreed to in writing, software
11	+	* distributed under the License is distributed on an "AS IS" BASIS,
12	+	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	+	* See the License for the specific language governing permissions and
14	+	* limitations under the License.
15	+	*/
16	+	package com.google.tsunami.plugin.payload;
17	+
18	+	import static com.google.common.truth.Truth.assertThat;
19	+	import static org.junit.Assert.assertFalse;
20	+	import static org.junit.Assert.assertThrows;
21	+	import static org.junit.Assert.assertTrue;
22	+
23	+	import com.google.inject.Guice;
24	+	import com.google.tsunami.common.net.http.HttpClientModule;
25	+	import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule;
26	+	import com.google.tsunami.plugin.payload.testing.PayloadTestHelper;
27	+	import com.google.tsunami.proto.PayloadGeneratorConfig;
28	+	import java.io.IOException;
29	+	import java.security.SecureRandom;
30	+	import java.util.Arrays;
31	+	import javax.inject.Inject;
32	+	import okhttp3.mockwebserver.MockWebServer;
33	+	import org.junit.Before;
34	+	import org.junit.Test;
35	+	import org.junit.runner.RunWith;
36	+	import org.junit.runners.JUnit4;
37	+
38	+	/** Tests for {@link PayloadGenerator} for cases which utilize the callback server. */
39	+	@RunWith(JUnit4.class)
40	+	public final class PayloadGeneratorWithCallbackServerTest {
41	+
42	+	@Inject private PayloadGenerator payloadGenerator;
43	+
44	+	private MockWebServer mockCallbackServer;
45	+	private final SecureRandom testSecureRandom =
46	+	new SecureRandom() {
47	+	@Override
48	+	public void nextBytes(byte[] bytes) {
49	+	Arrays.fill(bytes, (byte) 0xFF);
50	+	}
51	+	};
52	+	private static final PayloadGeneratorConfig LINUX_REFLECTIVE_RCE_CONFIG =
53	+	PayloadGeneratorConfig.newBuilder()
54	+	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
55	+	.setInterpretationEnvironment(
56	+	PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL)
57	+	.setExecutionEnvironment(
58	+	PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
59	+	.build();
60	+	private static final PayloadGeneratorConfig ANY_SSRF_CONFIG =
61	+	PayloadGeneratorConfig.newBuilder()
62	+	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.SSRF)
63	+	.setInterpretationEnvironment(
64	+	PayloadGeneratorConfig.InterpretationEnvironment.INTERPRETATION_ANY)
65	+	.setExecutionEnvironment(PayloadGeneratorConfig.ExecutionEnvironment.EXEC_ANY)
66	+	.build();
67	+
68	+	@Before
69	+	public void setUp() throws IOException {
70	+	mockCallbackServer = new MockWebServer();
71	+	mockCallbackServer.start();
72	+	Guice.createInjector(
73	+	new HttpClientModule.Builder().build(),
74	+	FakePayloadGeneratorModule.builder()
75	+	.setCallbackServer(mockCallbackServer)
76	+	.setSecureRng(testSecureRandom)
77	+	.build())
78	+	.injectMembers(this);
79	+	}
80	+
81	+	@Test
82	+	public void isCallbackServerEnabled_returnsTrue() {
83	+	assertTrue(payloadGenerator.isCallbackServerEnabled());
84	+	}
85	+
86	+	@Test
87	+	public void generate_withLinuxConfiguration_returnsCurlPayload() {
88	+	Payload payload = payloadGenerator.generate(LINUX_REFLECTIVE_RCE_CONFIG);
89	+
90	+	assertThat(payload.getPayload()).contains("curl");
91	+	assertThat(payload.getPayload()).contains(mockCallbackServer.getHostName());
92	+	assertThat(payload.getPayload()).contains(Integer.toString(mockCallbackServer.getPort(), 10));
93	+	assertTrue(payload.getPayloadAttributes().getUsesCallbackServer());
94	+	}
95	+
96	+	@Test
97	+	public void checkIfExecuted_withLinuxConfiguration_andExecutedCallbackUrl_returnsTrue()
98	+	throws IOException {
99	+
100	+	mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse());
101	+	Payload payload = payloadGenerator.generate(LINUX_REFLECTIVE_RCE_CONFIG);
102	+
103	+	assertTrue(payload.checkIfExecuted());
104	+	}
105	+
106	+	@Test
107	+	public void checkIfExecuted_withLinuxConfiguration_andNotExecutedCallbackUrl_returnsFalse() {
108	+
109	+	mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse());
110	+	Payload payload = payloadGenerator.generate(LINUX_REFLECTIVE_RCE_CONFIG);
111	+
112	+	assertFalse(payload.checkIfExecuted());
113	+	}
114	+
115	+	@Test
116	+	public void getPayload_withSsrfConfiguration_returnsCallbackUrl() {
117	+	Payload payload = payloadGenerator.generate(ANY_SSRF_CONFIG);
118	+
119	+	assertTrue(payload.getPayloadAttributes().getUsesCallbackServer());
120	+	assertThat(payload.getPayload()).contains(mockCallbackServer.getHostName());
121	+	assertThat(payload.getPayload()).contains(Integer.toString(mockCallbackServer.getPort(), 10));
122	+	}
123	+
124	+	@Test
125	+	public void checkIfExecuted_withSsrfConfiguration_andExecutedUrl_returnsTrue()
126	+	throws IOException {
127	+	mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse());
128	+	Payload payload = payloadGenerator.generate(ANY_SSRF_CONFIG);
129	+
130	+	assertTrue(payload.checkIfExecuted());
131	+	}
132	+
133	+	@Test
134	+	public void getPayload_withSsrfConfiguration_andNotExecutedUrl_returnsFalse() {
135	+	mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse());
136	+	Payload payload = payloadGenerator.generate(ANY_SSRF_CONFIG);
137	+
138	+	assertFalse(payload.checkIfExecuted());
139	+	}
140	+
141	+	@Test
142	+	public void generate_withoutVulnerabilityType_throwsNotImplementedException() {
143	+	assertThrows(
144	+	NotImplementedException.class,
145	+	() ->
146	+	payloadGenerator.generate(
147	+	PayloadGeneratorConfig.newBuilder()
148	+	.setInterpretationEnvironment(
149	+	PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL)
150	+	.setExecutionEnvironment(
151	+	PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
152	+	.build()));
153	+	}
154	+
155	+	@Test
156	+	public void generate_withoutInterpretationEnvironment_throwsNotImplementedException() {
157	+	assertThrows(
158	+	NotImplementedException.class,
159	+	() ->
160	+	payloadGenerator.generate(
161	+	PayloadGeneratorConfig.newBuilder()
162	+	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
163	+	.setExecutionEnvironment(
164	+	PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
165	+	.build()));
166	+	}
167	+
168	+	@Test
169	+	public void generate_withoutExecutionEnvironment_throwsNotImplementedException() {
170	+	assertThrows(
171	+	NotImplementedException.class,
172	+	() ->
173	+	payloadGenerator.generate(
174	+	PayloadGeneratorConfig.newBuilder()
175	+	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
176	+	.setInterpretationEnvironment(
177	+	PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL)
178	+	.build()));
179	+	}
180	+
181	+	@Test
182	+	public void generate_withoutConfig_throwsNotImplementedException() {
183	+	assertThrows(
184	+	NotImplementedException.class,
185	+	() -> payloadGenerator.generate(PayloadGeneratorConfig.getDefaultInstance()));
186	+	}
187	+	}
188	+

■ ■ ■ ■ ■ ■

plugin/src/test/java/com/google/tsunami/plugin/payload/PayloadGeneratorWithoutCallbackServerTest.java

1	+	/*
2	+	* Copyright 2022 Google LLC
3	+	*
4	+	* Licensed under the Apache License, Version 2.0 (the "License");
5	+	* you may not use this file except in compliance with the License.
6	+	* You may obtain a copy of the License at
7	+	*
8	+	* http://www.apache.org/licenses/LICENSE-2.0
9	+	*
10	+	* Unless required by applicable law or agreed to in writing, software
11	+	* distributed under the License is distributed on an "AS IS" BASIS,
12	+	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	+	* See the License for the specific language governing permissions and
14	+	* limitations under the License.
15	+	*/
16	+	package com.google.tsunami.plugin.payload;
17	+
18	+	import static com.google.common.truth.Truth.assertThat;
19	+	import static org.junit.Assert.assertFalse;
20	+	import static org.junit.Assert.assertThrows;
21	+	import static org.junit.Assert.assertTrue;
22	+
23	+	import com.google.inject.Guice;
24	+	import com.google.protobuf.ByteString;
25	+	import com.google.tsunami.common.net.http.HttpClientModule;
26	+	import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule;
27	+	import com.google.tsunami.proto.PayloadGeneratorConfig;
28	+	import java.security.SecureRandom;
29	+	import java.util.Arrays;
30	+	import javax.inject.Inject;
31	+	import okhttp3.mockwebserver.MockWebServer;
32	+	import org.junit.Before;
33	+	import org.junit.Test;
34	+	import org.junit.runner.RunWith;
35	+	import org.junit.runners.JUnit4;
36	+
37	+	/** Tests for {@link PayloadGenerator} for cases which do not utilize the callback server. */
38	+	@RunWith(JUnit4.class)
39	+	public final class PayloadGeneratorWithoutCallbackServerTest {
40	+
41	+	@Inject private PayloadGenerator payloadGenerator;
42	+
43	+	private MockWebServer mockCallbackServer;
44	+	private final SecureRandom testSecureRandom =
45	+	new SecureRandom() {
46	+	@Override
47	+	public void nextBytes(byte[] bytes) {
48	+	Arrays.fill(bytes, (byte) 0xFF);
49	+	}
50	+	};
51	+	private static final PayloadGeneratorConfig LINUX_REFLECTIVE_RCE_CONFIG =
52	+	PayloadGeneratorConfig.newBuilder()
53	+	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
54	+	.setInterpretationEnvironment(
55	+	PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL)
56	+	.setExecutionEnvironment(
57	+	PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
58	+	.build();
59	+	private static final PayloadGeneratorConfig JAVA_REFLECTIVE_RCE_CONFIG =
60	+	PayloadGeneratorConfig.newBuilder()
61	+	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
62	+	.setInterpretationEnvironment(PayloadGeneratorConfig.InterpretationEnvironment.JAVA)
63	+	.setExecutionEnvironment(
64	+	PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
65	+	.build();
66	+	private static final PayloadGeneratorConfig ANY_SSRF_CONFIG =
67	+	PayloadGeneratorConfig.newBuilder()
68	+	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.SSRF)
69	+	.setInterpretationEnvironment(
70	+	PayloadGeneratorConfig.InterpretationEnvironment.INTERPRETATION_ANY)
71	+	.setExecutionEnvironment(PayloadGeneratorConfig.ExecutionEnvironment.EXEC_ANY)
72	+	.build();
73	+	private static final String CORRECT_PRINTF =
74	+	"printf %s%s%s TSUNAMI_PAYLOAD_START ffffffffffffffff TSUNAMI_PAYLOAD_END";
75	+
76	+	@Before
77	+	public void setUp() {
78	+	Guice.createInjector(
79	+	new HttpClientModule.Builder().build(),
80	+	FakePayloadGeneratorModule.builder().setSecureRng(testSecureRandom).build())
81	+	.injectMembers(this);
82	+	}
83	+
84	+	@Test
85	+	public void isCallbackServerEnabled_returnsFalse() {
86	+	assertFalse(payloadGenerator.isCallbackServerEnabled());
87	+	}
88	+
89	+	@Test
90	+	public void getPayload_withLinuxConfiguration_returnsPrintfPayload() {
91	+	Payload payload = payloadGenerator.generate(LINUX_REFLECTIVE_RCE_CONFIG);
92	+
93	+	assertThat(payload.getPayload()).isEqualTo(CORRECT_PRINTF);
94	+	assertFalse(payload.getPayloadAttributes().getUsesCallbackServer());
95	+	}
96	+
97	+	@Test
98	+	public void checkIfExecuted_withLinuxConfiguration_andCorrectInput_returnsTrue() {
99	+	Payload payload = payloadGenerator.generate(LINUX_REFLECTIVE_RCE_CONFIG);
100	+
101	+	assertTrue(
102	+	payload.checkIfExecuted(
103	+	ByteString.copyFromUtf8(
104	+	"RANDOMOUTPUTTSUNAMI_PAYLOAD_STARTffffffffffffffffTSUNAMI_PAYLOAD_END")));
105	+	}
106	+
107	+	@Test
108	+	public void checkIfExecuted_withLinuxConfiguration_andIncorectInput_returnsFalse() {
109	+	Payload payload = payloadGenerator.generate(LINUX_REFLECTIVE_RCE_CONFIG);
110	+
111	+	assertFalse(payload.checkIfExecuted(ByteString.copyFromUtf8(CORRECT_PRINTF)));
112	+	}
113	+
114	+	@Test
115	+	public void getPayload_withJavaConfiguration_returnsPrintfPayload() {
116	+	Payload payload = payloadGenerator.generate(JAVA_REFLECTIVE_RCE_CONFIG);
117	+
118	+	assertThat(payload.getPayload()).isEqualTo(
119	+	"String.format(\"%s%s%s\", \"TSUNAMI_PAYLOAD_START\", \"ffffffffffffffff\","
120	+	+ " \"TSUNAMI_PAYLOAD_END\")");
121	+	assertFalse(payload.getPayloadAttributes().getUsesCallbackServer());
122	+	}
123	+
124	+	@Test
125	+	public void checkIfExecuted_withJavaConfiguration_andCorrectInput_returnsTrue() {
126	+	Payload payload = payloadGenerator.generate(JAVA_REFLECTIVE_RCE_CONFIG);
127	+
128	+	assertTrue(
129	+	payload.checkIfExecuted(
130	+	ByteString.copyFromUtf8(
131	+	"RANDOMOUTPUTTSUNAMI_PAYLOAD_STARTffffffffffffffffTSUNAMI_PAYLOAD_END")));
132	+	}
133	+
134	+	@Test
135	+	public void checkIfExecuted_withJavaConfiguration_andIncorrectInput_returnsFalse() {
136	+	Payload payload = payloadGenerator.generate(JAVA_REFLECTIVE_RCE_CONFIG);
137	+
138	+	assertFalse(
139	+	payload.checkIfExecuted(
140	+	ByteString.copyFromUtf8("TSUNAMI_PAYLOAD_START ffffffffffffffff TSUNAMI_PAYLOAD_END")));
141	+	}
142	+
143	+	@Test
144	+	public void getPayload_withSsrfConfiguration_returnsGooglePayload() {
145	+	Payload payload = payloadGenerator.generate(ANY_SSRF_CONFIG);
146	+
147	+	assertThat(payload.getPayload()).isEqualTo("http://google.com/page-does-not-exist");
148	+	assertFalse(payload.getPayloadAttributes().getUsesCallbackServer());
149	+	}
150	+
151	+	@Test
152	+	public void checkIfExecuted_withSsrfConfiguration_andCorrectInput_returnsTrue() {
153	+	Payload payload = payloadGenerator.generate(ANY_SSRF_CONFIG);
154	+
155	+	assertTrue(payload.checkIfExecuted("<title>Error 404 (Not Found)!!1</title>"));
156	+	}
157	+
158	+	@Test
159	+	public void checkIfExecuted_withSsrfConfiguration_andIncorrectInput_returnsFalse() {
160	+	Payload payload = payloadGenerator.generate(ANY_SSRF_CONFIG);
161	+
162	+	assertFalse(payload.checkIfExecuted("404 not found"));
163	+	}
164	+
165	+	@Test
166	+	public void generate_withoutVulnerabilityType_throwsNotImplementedException() {
167	+	assertThrows(
168	+	NotImplementedException.class,
169	+	() ->
170	+	payloadGenerator.generate(
171	+	PayloadGeneratorConfig.newBuilder()
172	+	.setInterpretationEnvironment(
173	+	PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL)
174	+	.setExecutionEnvironment(
175	+	PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
176	+	.build()));
177	+	}
178	+
179	+	@Test
180	+	public void generate_withoutInterpretationEnvironment_throwsNotImplementedException() {
181	+	assertThrows(
182	+	NotImplementedException.class,
183	+	() ->
184	+	payloadGenerator.generate(
185	+	PayloadGeneratorConfig.newBuilder()
186	+	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
187	+	.setExecutionEnvironment(
188	+	PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT)
189	+	.build()));
190	+	}
191	+
192	+	@Test
193	+	public void generate_withoutExecutionEnvironment_throwsNotImplementedException() {
194	+	assertThrows(
195	+	NotImplementedException.class,
196	+	() ->
197	+	payloadGenerator.generate(
198	+	PayloadGeneratorConfig.newBuilder()
199	+	.setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE)
200	+	.setInterpretationEnvironment(
201	+	PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL)
202	+	.build()));
203	+	}
204	+
205	+	@Test
206	+	public void generate_withoutConfig_throwsNotImplementedException() {
207	+	assertThrows(
208	+	NotImplementedException.class,
209	+	() -> payloadGenerator.generate(PayloadGeneratorConfig.getDefaultInstance()));
210	+	}
211	+	}
212	+

■ ■ ■ ■ ■ ■

proto/payload_generator.proto

		skipped 67 lines
68	68		EXEC_ANY = 2;
69	69		}
70	70
71		-	// If set, the generator prefers selecting payloads which
72		-	// utilize the Tsunami callback server to reduce the chance of false
73		-	// positives, and the generator will throw an exception if a selected
74		-	// payload will use the Tsuanmi callback server and it is not enabled.
75		-	// If Tsunami is not configured to use the callback server, a
76		-	// callback-server-enabled payload should not be selected.
77		-	bool use_callback_server = 1;
78		-
79	71		VulnerabilityType vulnerability_type = 2;
80	72
81	73		InterpretationEnvironment interpretation_environment = 3;
		skipped 64 lines

Reduce complexity of the framework interface by removing the use_callback_server option and always preferring a callback server payload if the callback server is configured. Also simplify by removing NoCallbackServerException and associated config.