
Example 1 with StructuralNode

Use of org.zaproxy.zap.model.StructuralNode in project zaproxy by zaproxy.

From the class ActiveScanAPI, method scanURL:

private int scanURL(String url, User user, boolean scanChildren, boolean scanJustInScope, String method, String postData, ScanPolicy policy, Context context) throws ApiException {
    boolean useUrl = true;
    if (url == null || url.isEmpty()) {
        if (context == null || !context.hasNodesInContextFromSiteTree()) {
            throw new ApiException(Type.MISSING_PARAMETER, PARAM_URL);
        }
        useUrl = false;
    } else if (context != null && !context.isInContext(url)) {
        throw new ApiException(Type.URL_NOT_IN_CONTEXT, PARAM_URL);
    }
    StructuralNode node = null;
    if (useUrl) {
        URI startURI;
        try {
            startURI = new URI(url, true);
        } catch (URIException e) {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_URL);
        }
        String scheme = startURI.getScheme();
        // Only http and https targets can be actively scanned; anything else is rejected as an illegal parameter.
        if (scheme == null || (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https"))) {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_URL);
        }
        try {
            long sessionId = Model.getSingleton().getSession().getSessionId();
            node = SessionStructure.find(sessionId, startURI, method, postData);
            if (node == null && "GET".equalsIgnoreCase(method)) {
                // Check if there's a non-leaf node that matches the URI, to scan the subtree.
                // (GET is the default method, but non-leaf nodes do not have any method.)
                node = SessionStructure.find(sessionId, startURI, null, postData);
            }
        } catch (Exception e) {
            throw new ApiException(ApiException.Type.INTERNAL_ERROR, e);
        }
        if (node == null) {
            throw new ApiException(ApiException.Type.URL_NOT_FOUND);
        }
    }
    Target target;
    if (useUrl) {
        target = new Target(node);
        target.setContext(context);
    } else {
        target = new Target(context);
    }
    target.setRecurse(scanChildren);
    target.setInScopeOnly(scanJustInScope);
    // The ZAP mode gates the scan: Safe mode forbids active scanning entirely, Protected mode
    // only allows it against targets that are in scope, Standard and Attack modes add no restriction.
    switch(Control.getSingleton().getMode()) {
        case safe:
            throw new ApiException(ApiException.Type.MODE_VIOLATION);
        case protect:
            if ((useUrl && !Model.getSingleton().getSession().isInScope(url)) || (context != null && !context.isInScope())) {
                throw new ApiException(ApiException.Type.MODE_VIOLATION);
            }
            // No problem
            break;
        case standard:
            // No problem
            break;
        case attack:
            // No problem
            break;
    }
    Object[] objs = new Object[] {};
    if (policy != null) {
        objs = new Object[] { policy };
    }
    return controller.startScan(null, target, user, objs);
}

Example 2 with StructuralNode

Use of org.zaproxy.zap.model.StructuralNode in project zaproxy by zaproxy.

From the class ExtensionActiveScan, method startScan:

@Override
public int startScan(String name, Target target, User user, Object[] contextSpecificObjects) {
    if (name == null) {
        name = target.getDisplayName();
    }
    switch(Control.getSingleton().getMode()) {
        case safe:
            throw new InvalidParameterException("Scans are not allowed in Safe mode");
        case protect:
            // In Protected mode every start node must be in scope; a single out-of-scope node aborts the scan.
            List<StructuralNode> nodes = target.getStartNodes();
            if (nodes != null) {
                for (StructuralNode node : nodes) {
                    if (node instanceof StructuralSiteNode) {
                        SiteNode siteNode = ((StructuralSiteNode) node).getSiteNode();
                        if (!siteNode.isIncludedInScope()) {
                            // Name the node that actually failed the scope check, not just the first start node.
                            throw new InvalidParameterException("Scans are not allowed on nodes not in scope in Protected mode: " + siteNode.getHierarchicNodeName());
                        }
                    }
                }
            }
            // No problem
            break;
        case standard:
            // No problem
            break;
        case attack:
            // No problem
            break;
    }
    int id = this.ascanController.startScan(name, target, user, contextSpecificObjects);
    if (View.isInitialised()) {
        ActiveScan scanner = this.ascanController.getScan(id);
        // So the UI gets updated
        scanner.addScannerListener(getActiveScanPanel());
        this.getActiveScanPanel().scannerStarted(scanner);
        this.getActiveScanPanel().switchView(scanner);
        this.getActiveScanPanel().setTabFocus();
    }
    return id;
}

Example 3 with StructuralNode

Use of org.zaproxy.zap.model.StructuralNode in project zaproxy by zaproxy.

From the class Analyser, method getChildSuffix:

/**
 * Get a suffix from the children which exists in staticSuffixList. An
 * option is provided to check recursively. Note that the immediate children
 * are always checked first before further recursive check is done.
 *
 * @param node the node used to obtain the suffix
 * @param performRecursiveCheck True = get recursively the suffix from all
 * the children.
 * @return The suffix ".xxx" is returned. If there is no suffix found, an
 * empty string is returned.
 */
private String getChildSuffix(StructuralNode node, boolean performRecursiveCheck) {
    String resultSuffix = "";
    String suffix = null;
    StructuralNode child = null;
    try {
        // Immediate children first: return the first static suffix that any child's path ends with.
        for (int i = 0; i < staticSuffixList.length; i++) {
            suffix = staticSuffixList[i];
            Iterator<StructuralNode> iter = node.getChildIterator();
            while (iter.hasNext()) {
                child = iter.next();
                try {
                    if (child.getURI().getPath().endsWith(suffix)) {
                        return suffix;
                    }
                } catch (Exception e) {
                    // A child without a parseable URI or path is skipped.
                }
            }
        }
        if (performRecursiveCheck) {
            // Only then descend into each child's subtree.
            Iterator<StructuralNode> iter = node.getChildIterator();
            while (iter.hasNext()) {
                child = iter.next();
                resultSuffix = getChildSuffix(child, performRecursiveCheck);
                if (!resultSuffix.equals("")) {
                    return resultSuffix;
                }
            }
        }
    } catch (Exception e) {
        // Failures while iterating children (e.g. a DatabaseException) yield an empty suffix.
    }
    return resultSuffix;
}

Example 4 with StructuralNode

Use of org.zaproxy.zap.model.StructuralNode in project zaproxy by zaproxy.

From the class HostProcess, method run:

/**
 * Main execution method
 */
@Override
public void run() {
    log.debug("HostProcess.run");
    try {
        TraverseCounter counter = new TraverseCounter();
        hostProcessStartTime = System.currentTimeMillis();
        for (StructuralNode node : startNodes) {
            // ZAP: before all get back the size of this scan
            traverse(node, true, counter);
            // ZAP: begin to analyze the scope
            getAnalyser().start(node);
        }
        nodeInScopeCount = counter.getCount();
        logScanInfo();
        Plugin plugin;
        while (!isStop() && pluginFactory.existPluginToRun()) {
            plugin = pluginFactory.nextPlugin();
            if (plugin != null) {
                plugin.setDelayInMs(this.scannerParam.getDelayInMs());
                plugin.setTechSet(this.techSet);
                processPlugin(plugin);
            } else {
                // waiting for dependency - no test ready yet
                Util.sleep(1000);
            }
        }
        threadPool.waitAllThreadComplete(300000);
    } catch (Exception e) {
        log.error("An error occurred while active scanning:", e);
        stop();
    } finally {
        notifyHostProgress(null);
        notifyHostComplete();
        getHttpSender().shutdown();
    }
}

Example 5 with StructuralNode

Use of org.zaproxy.zap.model.StructuralNode in project zaproxy by zaproxy.

From the class SpiderAPI, method scanURL:

/**
 * Starts a spider scan at the given {@code url} and, optionally, with the perspective of the given {@code user}.
 *
 * @param url the url to start the spider scan
 * @param user the user to scan as, or null if the scan is done without the perspective of any user
 * @param maxChildren Max number of children to scan
 * @param recurse Whether or not to scan recursively
 * @param context the context that will be used during spider process, might be {@code null}
 * @param subtreeOnly if the scan should be done only under a site's subtree
 * @return the ID of the newly started scan
 * @throws ApiException if the {@code url} is not valid
 */
private int scanURL(String url, User user, int maxChildren, boolean recurse, Context context, boolean subtreeOnly) throws ApiException {
    log.debug("API Spider scanning url: " + url);
    boolean useUrl = true;
    if (url == null || url.isEmpty()) {
        if (context == null || !context.hasNodesInContextFromSiteTree()) {
            throw new ApiException(Type.MISSING_PARAMETER, PARAM_URL);
        }
        useUrl = false;
    } else if (context != null && !context.isInContext(url)) {
        throw new ApiException(Type.URL_NOT_IN_CONTEXT, PARAM_URL);
    }
    StructuralNode node = null;
    URI startURI = null;
    if (useUrl) {
        try {
            // Try to build uri
            startURI = new URI(url, true);
        } catch (URIException e) {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_URL);
        }
        String scheme = startURI.getScheme();
        if (scheme == null || (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https"))) {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_URL);
        }
        try {
            // The node may legitimately be null here: the spider can start from a URL not yet in the Sites tree.
            node = SessionStructure.find(Model.getSingleton().getSession().getSessionId(), new URI(url, false), "GET", "");
        } catch (Exception e) {
            // Keep the cause so the API error is diagnosable.
            throw new ApiException(ApiException.Type.INTERNAL_ERROR, e);
        }
    }
    Target target;
    if (useUrl) {
        target = new Target(node);
        target.setContext(context);
    } else {
        target = new Target(context);
    }
    target.setRecurse(recurse);
    switch(Control.getSingleton().getMode()) {
        case safe:
            throw new ApiException(ApiException.Type.MODE_VIOLATION);
        case protect:
            if ((useUrl && !Model.getSingleton().getSession().isInScope(url)) || (context != null && !context.isInScope())) {
                throw new ApiException(ApiException.Type.MODE_VIOLATION);
            }
            // No problem
            break;
        case standard:
            // No problem
            break;
        case attack:
            // No problem
            break;
    }
    List<Object> objs = new ArrayList<>(4);
    if (startURI != null) {
        objs.add(startURI);
        if (subtreeOnly) {
            objs.add(new HttpPrefixFetchFilter(startURI));
        }
    }
    if (maxChildren > 0) {
        // Add the filters to filter on maximum number of children
        MaxChildrenFetchFilter maxChildrenFetchFilter = new MaxChildrenFetchFilter();
        maxChildrenFetchFilter.setMaxChildren(maxChildren);
        maxChildrenFetchFilter.setModel(extension.getModel());
        MaxChildrenParseFilter maxChildrenParseFilter = new MaxChildrenParseFilter();
        maxChildrenParseFilter.setMaxChildren(maxChildren);
        maxChildrenParseFilter.setModel(extension.getModel());
        objs.add(maxChildrenFetchFilter);
        objs.add(maxChildrenParseFilter);
    }
    return extension.startScan(target, user, objs.toArray(new Object[objs.size()]));
}
