Fixes #1378

spec/app/finders/passwords/wp_login_spec.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+describe WPScan::Finders::Passwords::WpLogin do
+  subject(:finder) { described_class.new(target) }
+  let(:target)     { WPScan::Target.new(url) }
+  let(:url)        { 'http://ex.lo/' }
+
+  describe '#valid_credentials?' do
+    context 'when a non 302' do
+      it 'returns false' do
+        expect(finder.valid_credentials?(Typhoeus::Response.new(code: 200, headers: {}))).to be_falsey
+      end
+    end
+
+    context 'when a 302' do
+      let(:response) { Typhoeus::Response.new(code: 302, headers: headers) }
+
+      context 'when no cookies set' do
+        let(:headers) { {} }
+
+        it 'returns false' do
+          expect(finder.valid_credentials?(response)).to be_falsey
+        end
+      end
+
+      context 'when no logged_in cookie set' do
+        context 'when only one cookie set' do
+          let(:headers) { 'Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/' }
+
+          it 'returns false' do
+            expect(finder.valid_credentials?(response)).to be_falsey
+          end
+        end
+
+        context 'when multiple cookies set' do
+          let(:headers) do
+            "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n" \
+            'Set-Cookie: something=value; path=/'
+          end
+
+          it 'returns false' do
+            expect(finder.valid_credentials?(response)).to be_falsey
+          end
+        end
+      end
+
+      context 'when logged_in cookie set' do
+        let(:headers) do
+          "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\r" \
+          "Set-Cookie: wordpress_xxx=yyy; path=/wp-content/plugins; httponly\r\n" \
+          "Set-Cookie: wordpress_xxx=yyy; path=/wp-admin; httponly\r\n" \
+          'Set-Cookie: wordpress_logged_in_xxx=yyy; path=/; httponly'
+        end
+
+        it 'returns false' do
+          expect(finder.valid_credentials?(response)).to eql true
+        end
+      end
+    end
+  end
+end