Example 71 with URI
use of org.apache.commons.httpclient.URI in project zaproxy by zaproxy.
the class Analyser method analyse.
/**
* Analyse a single folder entity. Results are stored into
* mAnalysedEntityTable.
* @param node the node that will be analysed
* @throws Exception if an error occurred while analysing the node (for example, failed to send the message)
*/
private void analyse(StructuralNode node) throws Exception {
// move to host part
if (node.getHistoryReference() == null) {
return;
}
if (!parent.nodeInScope(node.getName())) {
return;
}
// ZAP: Removed unnecessary cast.
HttpMessage baseMsg = node.getHistoryReference().getHttpMessage();
URI baseUri = (URI) baseMsg.getRequestHeader().getURI().clone();
baseUri.setQuery(null);
// already exist one. no need to test
if (mapVisited.get(baseUri.toString()) != null) {
return;
}
String path = getRandomPathSuffix(node, baseUri);
HttpMessage msg = baseMsg.cloneRequest();
URI uri = (URI) baseUri.clone();
uri.setPath(path);
msg.getRequestHeader().setURI(uri);
//System.out.println("analysing 2: " + uri);
sendAndReceive(msg);
// standard RFC response, no further check is needed
if (msg.getResponseHeader().getStatusCode() == HttpStatusCode.NOT_FOUND) {
addAnalysedHost(baseUri, msg, SampleResponse.ERROR_PAGE_RFC);
return;
}
if (HttpStatusCode.isRedirection(msg.getResponseHeader().getStatusCode())) {
addAnalysedHost(baseUri, msg, SampleResponse.ERROR_PAGE_REDIRECT);
return;
}
if (msg.getResponseHeader().getStatusCode() != HttpStatusCode.OK) {
addAnalysedHost(baseUri, msg, SampleResponse.ERROR_PAGE_NON_RFC);
return;
}
HttpMessage msg2 = baseMsg.cloneRequest();
URI uri2 = msg2.getRequestHeader().getURI();
String path2 = getRandomPathSuffix(node, uri2);
uri2 = (URI) baseUri.clone();
uri2.setPath(path2);
msg2.getRequestHeader().setURI(uri2);
sendAndReceive(msg2);
// remove HTML HEAD as this may contain expiry time which dynamic changes
String resBody1 = msg.getResponseBody().toString().replaceAll(p_REMOVE_HEADER, "");
String resBody2 = msg2.getResponseBody().toString().replaceAll(p_REMOVE_HEADER, "");
// check if page is static. If so, remember this static page
if (resBody1.equals(resBody2)) {
msg.getResponseBody().setBody(resBody1);
addAnalysedHost(baseUri, msg, SampleResponse.ERROR_PAGE_STATIC);
return;
}
// else check if page is dynamic but deterministic
resBody1 = resBody1.replaceAll(getPathRegex(uri), "").replaceAll("\\s[012]\\d:[0-5]\\d:[0-5]\\d\\s", "");
resBody2 = resBody2.replaceAll(getPathRegex(uri2), "").replaceAll("\\s[012]\\d:[0-5]\\d:[0-5]\\d\\s", "");
if (resBody1.equals(resBody2)) {
msg.getResponseBody().setBody(resBody1);
addAnalysedHost(baseUri, msg, SampleResponse.ERROR_PAGE_DYNAMIC_BUT_DETERMINISTIC);
return;
}
// else mark app "undeterministic".
addAnalysedHost(baseUri, msg, SampleResponse.ERROR_PAGE_UNDETERMINISTIC);
}
Also used :
HttpMessage(org.parosproxy.paros.network.HttpMessage)
URI(org.apache.commons.httpclient.URI)
Example 72 with URI
use of org.apache.commons.httpclient.URI in project zaproxy by zaproxy.
the class ExtensionCompare method buildHistoryMap.
private void buildHistoryMap(TableHistory th, Map<String, String> map) throws DatabaseException, HttpMalformedHeaderException {
// Get the first session id
RecordHistory rh = null;
for (int i = 0; i < 100; i++) {
rh = th.read(i);
if (rh != null) {
break;
}
}
if (rh == null) {
return;
}
List<Integer> hIds = th.getHistoryIdsOfHistType(rh.getSessionId(), HistoryReference.TYPE_PROXIED, HistoryReference.TYPE_ZAP_USER);
for (Integer hId : hIds) {
RecordHistory recH = th.read(hId);
URI uri = recH.getHttpMessage().getRequestHeader().getURI();
String mapKey = recH.getHttpMessage().getRequestHeader().getMethod() + " " + uri.toString();
// TODO Optionally strip off params?
if (mapKey.indexOf("?") > -1) {
mapKey = mapKey.substring(0, mapKey.indexOf("?"));
}
String val = map.get(mapKey);
String code = recH.getHttpMessage().getResponseHeader().getStatusCode() + " ";
if (val == null) {
map.put(mapKey, code);
} else if (val.indexOf(code) < 0) {
map.put(mapKey, val + code);
}
}
}
Also used :
RecordHistory(org.parosproxy.paros.db.RecordHistory)
URI(org.apache.commons.httpclient.URI)
Example 73 with URI
use of org.apache.commons.httpclient.URI in project zaproxy by zaproxy.
the class VariantODataUnitTest method shouldBeAbleToHandleURIwithoutPath.
/**
* Test that the variant handles URLs without path element
*
* @throws org.apache.commons.httpclient.URIException
* @throws NullPointerException
* @throws CloneNotSupportedException
*/
@Test
public void shouldBeAbleToHandleURIwithoutPath() throws URIException, NullPointerException, CloneNotSupportedException {
URI sourceURI = new URI("http", null, "localhost", 15050);
doTestInjectParameter(VARIANT_ODATA_ID_QUERY, sourceURI, "param2", "6", "hacked", "http://localhost:15050");
}Example 74 with URI
use of org.apache.commons.httpclient.URI in project zaproxy by zaproxy.
the class HttpMessage method mutateHttpMethod.
public void mutateHttpMethod(String method) {
// String header = reqPanel.getTxtHeader().getText();
String header = getRequestHeader().toString();
try {
HttpRequestHeader hrh = new HttpRequestHeader(header);
URI uri = hrh.getURI();
// String body = reqPanel.getTxtBody().getText();
String body = getRequestBody().toString();
String prevMethod = hrh.getMethod();
if (prevMethod.equalsIgnoreCase(method)) {
return;
}
if (prevMethod.equals(HttpRequestHeader.POST)) {
// Was POST, move all params onto the URL
if (body != null && body.length() > 0) {
StringBuilder sb = new StringBuilder();
if (uri.getQuery() != null) {
sb.append(uri.getQuery());
}
String[] params = body.split("&");
for (String param : params) {
if (sb.length() > 0) {
sb.append('&');
}
String[] nv = param.split("=");
if (nv.length == 1) {
// This effectively strips out the equals if theres
// no value
sb.append(nv[0]);
} else {
sb.append(param);
}
}
uri.setQuery(sb.toString());
}
hrh.setURI(uri);
// Clear the body
body = "";
} else if (method.equals(HttpRequestHeader.POST)) {
// To be a port, move all URL query params into the body
String query = uri.getQuery();
if (query != null) {
StringBuilder sb = new StringBuilder();
String[] params = query.split("&");
for (String param : params) {
if (sb.length() > 0) {
sb.append('&');
}
sb.append(param);
String[] nv = param.split("=");
if (nv.length == 1) {
// Cope with URL params with no values e.g.
// http://www.example.com/test?key
sb.append('=');
}
}
body = sb.toString();
uri.setQuery(null);
hrh.setURI(uri);
}
}
hrh.setMethod(method);
getRequestHeader().setMessage(hrh.toString());
getRequestBody().setBody(body);
} catch (HttpMalformedHeaderException e) {
// Ignore?
log.error(e.getMessage(), e);
} catch (URIException e) {
log.error(e.getMessage(), e);
}
}
Also used :
URIException(org.apache.commons.httpclient.URIException)
URI(org.apache.commons.httpclient.URI)
Example 75 with URI
use of org.apache.commons.httpclient.URI in project zaproxy by zaproxy.
the class HttpMethodHelper method createRequestMethodNew.
// Not used - all abstract using Generic method but GET cannot be used.
public HttpMethod createRequestMethodNew(HttpRequestHeader header, HttpBody body) throws URIException {
HttpMethod httpMethod = null;
String method = header.getMethod();
URI uri = header.getURI();
String version = header.getVersion();
httpMethod = new GenericMethod(method);
httpMethod.setURI(uri);
HttpMethodParams httpParams = httpMethod.getParams();
// default to use HTTP 1.0
httpParams.setVersion(HttpVersion.HTTP_1_0);
if (version.equalsIgnoreCase(HttpHeader.HTTP11)) {
httpParams.setVersion(HttpVersion.HTTP_1_1);
}
// set various headers
int pos = 0;
// ZAP: FindBugs fix - always initialise pattern
Pattern pattern = patternCRLF;
String delimiter = CRLF;
String msg = header.getHeadersAsString();
if ((pos = msg.indexOf(CRLF)) < 0) {
if ((pos = msg.indexOf(LF)) < 0) {
delimiter = LF;
pattern = patternLF;
}
} else {
delimiter = CRLF;
pattern = patternCRLF;
}
String[] split = pattern.split(msg);
String token = null;
String name = null;
String value = null;
for (int i = 0; i < split.length; i++) {
token = split[i];
if (token.equals("")) {
continue;
}
if ((pos = token.indexOf(":")) < 0) {
return null;
}
name = token.substring(0, pos).trim();
value = token.substring(pos + 1).trim();
httpMethod.addRequestHeader(name, value);
}
// set body if post method or put method
if (body != null && body.length() > 0) {
EntityEnclosingMethod generic = (EntityEnclosingMethod) httpMethod;
// generic.setRequestEntity(new StringRequestEntity(body.toString()));
generic.setRequestEntity(new ByteArrayRequestEntity(body.getBytes()));
}
httpMethod.setFollowRedirects(false);
return httpMethod;
}
Also used :
Pattern(java.util.regex.Pattern)
EntityEnclosingMethod(org.apache.commons.httpclient.methods.EntityEnclosingMethod)
HttpMethodParams(org.apache.commons.httpclient.params.HttpMethodParams)
URI(org.apache.commons.httpclient.URI)
HttpMethod(org.apache.commons.httpclient.HttpMethod)
ByteArrayRequestEntity(org.apache.commons.httpclient.methods.ByteArrayRequestEntity)
Aggregations
URI (org.apache.commons.httpclient.URI)129
Test (org.junit.Test)72
FetchStatus (org.zaproxy.zap.spider.filters.FetchFilter.FetchStatus)33
URIException (org.apache.commons.httpclient.URIException)28
HttpMessage (org.parosproxy.paros.network.HttpMessage)10
ArrayList (java.util.ArrayList)9
HttpRequestHeader (org.parosproxy.paros.network.HttpRequestHeader)8
DatabaseException (org.parosproxy.paros.db.DatabaseException)7
HttpMalformedHeaderException (org.parosproxy.paros.network.HttpMalformedHeaderException)6
HandleParametersOption (org.zaproxy.zap.spider.SpiderParam.HandleParametersOption)6
IOException (java.io.IOException)5
Header (org.apache.commons.httpclient.Header)4
InvalidParameterException (java.security.InvalidParameterException)3
Matcher (java.util.regex.Matcher)3
Pattern (java.util.regex.Pattern)3
PatternSyntaxException (java.util.regex.PatternSyntaxException)3
JSONException (net.sf.json.JSONException)3
StructuralNode (org.zaproxy.zap.model.StructuralNode)3
File (java.io.File)2
List (java.util.List)2
