Use of org.parosproxy.paros.core.scanner.Variant in project zaproxy by zaproxy.
Class VariantFactory, method createVariants.
/**
 * Builds the ordered list of {@link Variant}s the active scanner uses for {@code message}.
 *
 * <p>Which variants are created is driven by two bit masks read from {@code scanOptions}: the
 * injectable targets ({@code ScannerParam.TARGET_*}) and the enabled RPC encodings
 * ({@code ScannerParam.RPC_*}). Variants are appended in a fixed order (query string, POST data,
 * headers, URL path, cookie, scripted, user defined), and callers that index into the result
 * rely on that order.
 *
 * <p>The header variant is added for every message only when
 * {@code scanOptions.isScanHeadersAllRequests()} is set; otherwise it is added only when the
 * request carries a raw query string or a non-empty body (a heuristic for "dynamic" pages).
 * Scripted variants require both the {@code RPC_CUSTOM} flag and a non-null extension.
 * {@code addCustomVariants} receives the list last and may append further entries.
 *
 * @param scanOptions the scan configuration supplying the target and RPC masks and the
 *     per-variant options
 * @param message the message being scanned; consulted only to decide whether the header
 *     variant applies
 * @return a new, mutable list of variants in the order described above
 */
public List<Variant> createVariants(ScannerParam scanOptions, HttpMessage message) {
    final int targets = scanOptions.getTargetParamsInjectable();
    final int enabledRPC = scanOptions.getTargetParamsEnabledRPC();

    final boolean queryStringTargeted = (targets & ScannerParam.TARGET_QUERYSTRING) != 0;
    final boolean postDataTargeted = (targets & ScannerParam.TARGET_POSTDATA) != 0;
    final boolean headersTargeted = (targets & ScannerParam.TARGET_HTTPHEADERS) != 0;
    final boolean urlPathTargeted = (targets & ScannerParam.TARGET_URLPATH) != 0;
    final boolean cookieTargeted = (targets & ScannerParam.TARGET_COOKIE) != 0;

    List<Variant> variants = new ArrayList<>();

    // 1. URL query string, plus the OData variants that also live in the query string.
    if (queryStringTargeted) {
        VariantURLQuery urlQuery = new VariantURLQuery();
        urlQuery.setAddQueryParam(scanOptions.isAddQueryParam());
        variants.add(urlQuery);

        if ((enabledRPC & ScannerParam.RPC_ODATA) != 0) {
            variants.add(new VariantODataIdQuery());
            variants.add(new VariantODataFilterQuery());
        }
        // DDN path handling rides along with the query string unless the URL path
        // is already being scanned as a target in its own right.
        if (!urlPathTargeted) {
            variants.add(new VariantDdnPath());
        }
    }

    // 2. POST data, followed by the RPC encodings enabled for the body.
    if (postDataTargeted) {
        variants.add(new VariantFormQuery());

        if ((enabledRPC & ScannerParam.RPC_MULTIPART) != 0) {
            variants.add(new VariantMultipartFormParameters());
        }
        if ((enabledRPC & ScannerParam.RPC_XML) != 0) {
            variants.add(new VariantXMLQuery());
        }
        if ((enabledRPC & ScannerParam.RPC_JSON) != 0) {
            VariantJSONQuery jsonQuery = new VariantJSONQuery();
            jsonQuery.setScanNullValues(scanOptions.isScanNullJsonValues());
            variants.add(jsonQuery);
        }
        if ((enabledRPC & ScannerParam.RPC_GWT) != 0) {
            variants.add(new VariantGWTQuery());
        }
        if ((enabledRPC & ScannerParam.RPC_DWR) != 0) {
            variants.add(new VariantDirectWebRemotingQuery());
        }
    }

    // 3. HTTP headers: every request if configured, else only requests that look dynamic.
    if (headersTargeted) {
        boolean scanHeaders = scanOptions.isScanHeadersAllRequests();
        if (!scanHeaders) {
            char[] rawQuery = message.getRequestHeader().getURI().getRawQuery();
            if (rawQuery != null && rawQuery.length != 0) {
                scanHeaders = true;
            } else {
                scanHeaders = message.getRequestBody().length() != 0;
            }
        }
        if (scanHeaders) {
            variants.add(new VariantHeader());
        }
    }

    // 4. URL path and cookie targets.
    if (urlPathTargeted) {
        variants.add(new VariantURLPath());
    }
    if (cookieTargeted) {
        variants.add(new VariantCookie());
    }

    // 5. Script-defined variants, one per enabled variant script.
    if ((enabledRPC & ScannerParam.RPC_CUSTOM) != 0 && getExtension() != null) {
        List<ScriptWrapper> variantScripts =
                getExtension().getScripts(ExtensionActiveScan.SCRIPT_TYPE_VARIANT);
        for (ScriptWrapper script : variantScripts) {
            if (!script.isEnabled()) {
                continue;
            }
            variants.add(new VariantCustom(script, getExtension()));
        }
    }

    // 6. User-defined variant.
    if ((enabledRPC & ScannerParam.RPC_USERDEF) != 0) {
        variants.add(new VariantUserDefined());
    }

    // Hook for additional variants registered elsewhere; always runs last.
    addCustomVariants(variants);
    return variants;
}
Use of org.parosproxy.paros.core.scanner.Variant in project zaproxy by zaproxy.
Class VariantFactoryUnitTest, method shouldReturnDefaultVariants.
/**
 * With an unmodified {@code ScannerParam} and an empty message the factory must return the
 * ten default variants, in this exact order.
 */
@Test
void shouldReturnDefaultVariants() {
    // Given
    ScannerParam scanOptions = new ScannerParam();
    HttpMessage message = new HttpMessage();
    Class<?>[] expectedOrder = {
        VariantURLQuery.class,
        VariantODataIdQuery.class,
        VariantODataFilterQuery.class,
        VariantDdnPath.class,
        VariantFormQuery.class,
        VariantMultipartFormParameters.class,
        VariantXMLQuery.class,
        VariantJSONQuery.class,
        VariantGWTQuery.class,
        VariantDirectWebRemotingQuery.class
    };
    // When
    List<Variant> variants = factory.createVariants(scanOptions, message);
    // Then
    assertThat(variants.size(), is(equalTo(expectedOrder.length)));
    for (int i = 0; i < expectedOrder.length; i++) {
        // Position matters: callers index into the returned list.
        assertThat(variants.get(i).getClass(), is(equalTo(expectedOrder[i])));
    }
}
Use of org.parosproxy.paros.core.scanner.Variant in project zaproxy by zaproxy.
Class VariantFactoryUnitTest, method shouldReturnAllVariantsWhenSet.
/**
 * With every target and RPC bit set ({@code -1}) and a message that has a query string, the
 * factory must return all thirteen built-in variants in the documented order. No scripted
 * variants are expected because the test factory has no extension.
 */
@Test
void shouldReturnAllVariantsWhenSet() throws Exception {
    // Given
    ScannerParam scanOptions = Mockito.mock(ScannerParam.class, withSettings().lenient());
    Mockito.when(scanOptions.getConfig()).thenReturn(new ZapXmlConfiguration());
    // -1 has every bit set, so every TARGET_* and RPC_* flag is enabled.
    Mockito.when(scanOptions.getTargetParamsInjectable()).thenReturn(-1);
    Mockito.when(scanOptions.getTargetParamsEnabledRPC()).thenReturn(-1);
    HttpMessage message = new HttpMessage(new URI("https://www.example.com/path?query", true));
    Class<?>[] expectedOrder = {
        VariantURLQuery.class,
        VariantODataIdQuery.class,
        VariantODataFilterQuery.class,
        VariantFormQuery.class,
        VariantMultipartFormParameters.class,
        VariantXMLQuery.class,
        VariantJSONQuery.class,
        VariantGWTQuery.class,
        VariantDirectWebRemotingQuery.class,
        VariantHeader.class,
        VariantURLPath.class,
        VariantCookie.class,
        VariantUserDefined.class
    };
    // When
    List<Variant> variants = factory.createVariants(scanOptions, message);
    // Then
    assertThat(variants.size(), is(equalTo(expectedOrder.length)));
    for (int i = 0; i < expectedOrder.length; i++) {
        assertThat(variants.get(i).getClass(), is(equalTo(expectedOrder[i])));
    }
}
Use of org.parosproxy.paros.core.scanner.Variant in project zaproxy by zaproxy.
Class ScriptsActiveScannerUnitTest, method shouldStopScanningParamsWithActiveScriptWhenScanStopped.
/**
 * When the first script stops the scan while handling the first parameter, no further
 * parameters are passed to that script and the second script is never invoked.
 */
@Test
@SuppressWarnings("unchecked")
void shouldStopScanningParamsWithActiveScriptWhenScanStopped() throws Exception {
    // Given
    String name1 = "Name1";
    String value1 = "Value1";
    String name2 = "Name2";
    String value2 = "Value2";
    NameValuePair firstParam = param(name1, value1);
    NameValuePair secondParam = param(name2, value2);

    // A single variant exposing two parameters.
    Variant variant = mock(Variant.class);
    given(variant.getParamList()).willReturn(asList(firstParam, secondParam));
    VariantFactory variantFactory = mock(VariantFactory.class);
    given(variantFactory.createVariants(any(), any())).willReturn(asList(variant));
    given(model.getVariantFactory()).willReturn(variantFactory);

    // Two scripts; the first one stops the scan on its first invocation.
    ActiveScript stoppingScript = mock(ActiveScript.class);
    doAnswer(stopScan()).when(stoppingScript).scan(any(), any(), any(), any());
    ScriptWrapper stoppingWrapper = createScriptWrapper(stoppingScript, ActiveScript.class);
    ActiveScript otherScript = mock(ActiveScript.class);
    ScriptWrapper otherWrapper = createScriptWrapper(otherScript, ActiveScript.class);
    given(extensionScript.getScripts(SCRIPT_TYPE)).willReturn(asList(stoppingWrapper, otherWrapper));
    ScriptsCache<ActiveScript> scriptsCache =
            createScriptsCache(
                    createCachedScript(stoppingScript, stoppingWrapper),
                    createCachedScript(otherScript, otherWrapper));
    given(extensionScript.<ActiveScript>createScriptsCache(any())).willReturn(scriptsCache);
    given(parent.getScannerParam()).willReturn(mock(ScannerParam.class));

    ScriptsActiveScanner scriptsActiveScanner = new ScriptsActiveScanner();
    scriptsActiveScanner.init(message, parent);
    // When
    scriptsActiveScanner.scan();
    // Then
    verify(scriptsCache, times(1)).refresh();
    verify(scriptsCache, times(1)).getCachedScripts();
    verify(stoppingScript, times(1)).scan(scriptsActiveScanner, message, name1, value1);
    verify(stoppingScript, times(0)).scan(scriptsActiveScanner, message, name2, value2);
    verify(otherScript, times(0)).scan(any(), any(), any(), any());
}
Use of org.parosproxy.paros.core.scanner.Variant in project zaproxy by zaproxy.
Class ScriptsActiveScannerUnitTest, method shouldHandleExceptionsThrownByActiveScript.
/**
 * A {@code ScriptException} raised by one script for one parameter is handed to
 * {@code extensionScript.handleScriptException} and does not prevent the other script from
 * scanning every parameter.
 */
@Test
@SuppressWarnings("unchecked")
void shouldHandleExceptionsThrownByActiveScript() throws Exception {
    // Given
    String name1 = "Name1";
    String value1 = "Value1";
    String name2 = "Name2";
    String value2 = "Value2";
    NameValuePair firstParam = param(name1, value1);
    NameValuePair secondParam = param(name2, value2);

    // A single variant exposing two parameters.
    Variant variant = mock(Variant.class);
    given(variant.getParamList()).willReturn(asList(firstParam, secondParam));
    VariantFactory variantFactory = mock(VariantFactory.class);
    given(variantFactory.createVariants(any(), any())).willReturn(asList(variant));
    given(model.getVariantFactory()).willReturn(variantFactory);

    // Two scripts; the first one throws for the first parameter only.
    ActiveScript failingScript = mock(ActiveScript.class);
    ScriptWrapper failingWrapper = createScriptWrapper(failingScript, ActiveScript.class);
    ScriptException exception = mock(ScriptException.class);
    doThrow(exception).when(failingScript).scan(any(), any(), eq(name1), eq(value1));
    ActiveScript otherScript = mock(ActiveScript.class);
    ScriptWrapper otherWrapper = createScriptWrapper(otherScript, ActiveScript.class);
    given(extensionScript.getScripts(SCRIPT_TYPE)).willReturn(asList(failingWrapper, otherWrapper));
    ScriptsCache<ActiveScript> scriptsCache =
            createScriptsCache(
                    createCachedScript(failingScript, failingWrapper),
                    createCachedScript(otherScript, otherWrapper));
    given(extensionScript.<ActiveScript>createScriptsCache(any())).willReturn(scriptsCache);
    given(parent.getScannerParam()).willReturn(mock(ScannerParam.class));

    ScriptsActiveScanner scriptsActiveScanner = new ScriptsActiveScanner();
    scriptsActiveScanner.init(message, parent);
    // When
    scriptsActiveScanner.scan();
    // Then
    verify(scriptsCache, times(2)).refresh();
    verify(scriptsCache, times(2)).getCachedScripts();
    verify(failingScript, times(1)).scan(scriptsActiveScanner, message, name1, value1);
    verify(extensionScript, times(1)).handleScriptException(failingWrapper, exception);
    verify(otherScript, times(1)).scan(scriptsActiveScanner, message, name1, value1);
    verify(otherScript, times(1)).scan(scriptsActiveScanner, message, name2, value2);
}