Use of org.parosproxy.paros.core.scanner.VariantMultipartFormParameters in project zaproxy by zaproxy.
The class VariantFactory, method createVariants.
/**
 * Builds the list of {@link Variant}s (request locations the active scanner injects into).
 *
 * <p>Selection is driven by two bitmasks read from {@code scanOptions}:
 * {@code getTargetParamsInjectable()} chooses the request locations (query string, POST data,
 * HTTP headers, URL path, cookies) and {@code getTargetParamsEnabledRPC()} chooses the extra
 * content encodings (OData, multipart, XML, JSON, GWT, DWR, custom scripts, user defined).
 * Header injection is added for every request only when {@code isScanHeadersAllRequests()}
 * is set; otherwise it is limited to messages that carry a non-empty query string or body.
 * The custom-script variants require the active-scan extension to be available.
 *
 * @param scanOptions scanner options holding the target and RPC bitmasks and related switches
 * @param message the message to be scanned; consulted only to decide whether header injection applies
 * @return the variants to use, in creation order; possibly empty, never {@code null}
 */
public List<Variant> createVariants(ScannerParam scanOptions, HttpMessage message) {
    List<Variant> variants = new ArrayList<>();
    int injectable = scanOptions.getTargetParamsInjectable();
    int rpc = scanOptions.getTargetParamsEnabledRPC();

    boolean queryStringTarget = (injectable & ScannerParam.TARGET_QUERYSTRING) != 0;
    boolean postDataTarget = (injectable & ScannerParam.TARGET_POSTDATA) != 0;
    boolean headersTarget = (injectable & ScannerParam.TARGET_HTTPHEADERS) != 0;
    boolean urlPathTarget = (injectable & ScannerParam.TARGET_URLPATH) != 0;
    boolean cookieTarget = (injectable & ScannerParam.TARGET_COOKIE) != 0;

    // Query string, plus the OData flavours when enabled.
    if (queryStringTarget) {
        VariantURLQuery urlQuery = new VariantURLQuery();
        urlQuery.setAddQueryParam(scanOptions.isAddQueryParam());
        variants.add(urlQuery);
        if ((rpc & ScannerParam.RPC_ODATA) != 0) {
            variants.add(new VariantODataIdQuery());
            variants.add(new VariantODataFilterQuery());
        }
        // DDN path injection rides along with the query string unless the URL path
        // is already a target in its own right.
        if (!urlPathTarget) {
            variants.add(new VariantDdnPath());
        }
    }

    // POST body: plain form data, then each enabled RPC encoding in a fixed order.
    if (postDataTarget) {
        variants.add(new VariantFormQuery());
        if ((rpc & ScannerParam.RPC_MULTIPART) != 0) {
            variants.add(new VariantMultipartFormParameters());
        }
        if ((rpc & ScannerParam.RPC_XML) != 0) {
            variants.add(new VariantXMLQuery());
        }
        if ((rpc & ScannerParam.RPC_JSON) != 0) {
            VariantJSONQuery jsonQuery = new VariantJSONQuery();
            jsonQuery.setScanNullValues(scanOptions.isScanNullJsonValues());
            variants.add(jsonQuery);
        }
        if ((rpc & ScannerParam.RPC_GWT) != 0) {
            variants.add(new VariantGWTQuery());
        }
        if ((rpc & ScannerParam.RPC_DWR) != 0) {
            variants.add(new VariantDirectWebRemotingQuery());
        }
    }

    // Headers: either for all requests, or only for requests that look dynamic
    // (they carry a query string or a body).
    if (headersTarget) {
        boolean scanHeaders = scanOptions.isScanHeadersAllRequests();
        if (!scanHeaders) {
            char[] rawQuery = message.getRequestHeader().getURI().getRawQuery();
            boolean hasQuery = rawQuery != null && rawQuery.length != 0;
            scanHeaders = hasQuery || message.getRequestBody().length() != 0;
        }
        if (scanHeaders) {
            variants.add(new VariantHeader());
        }
    }

    if (urlPathTarget) {
        variants.add(new VariantURLPath());
    }
    if (cookieTarget) {
        variants.add(new VariantCookie());
    }

    // Script-backed variants: one per enabled script of the variant script type.
    if ((rpc & ScannerParam.RPC_CUSTOM) != 0 && getExtension() != null) {
        List<ScriptWrapper> variantScripts =
                getExtension().getScripts(ExtensionActiveScan.SCRIPT_TYPE_VARIANT);
        for (ScriptWrapper variantScript : variantScripts) {
            if (!variantScript.isEnabled()) {
                continue;
            }
            variants.add(new VariantCustom(variantScript, getExtension()));
        }
    }

    if ((rpc & ScannerParam.RPC_USERDEF) != 0) {
        variants.add(new VariantUserDefined());
    }

    // Let subclasses / extensions append their own variants last.
    addCustomVariants(variants);
    return variants;
}
Use of org.parosproxy.paros.core.scanner.VariantMultipartFormParameters in project zaproxy by zaproxy.
The class ExtensionParams, method onHttpRequestSend.
/**
 * Records the parameters carried by an outgoing request against the request's site.
 *
 * <p>The site key is {@code host:port} taken from the request header; a {@link SiteParameters}
 * entry is created on first sight and, when a view is present, the site is also added to the
 * params panel. Cookie, URL, form and multipart parameters are then added to that entry and
 * handed to {@code persist}. Form parameters that {@link ExtensionAntiCSRF} recognises as
 * anti-CSRF tokens are flagged before being added. A failure to parse the cookies is logged
 * and skipped so that the remaining parameter kinds are still recorded.
 *
 * @param msg the request about to be sent
 * @return always {@code true}, i.e. the message is allowed to proceed
 */
public boolean onHttpRequestSend(HttpMessage msg) {
    String site =
            msg.getRequestHeader().getHostName() + ":" + msg.getRequestHeader().getHostPort();
    if (getView() != null) {
        getParamsPanel().addSite(site);
    }
    SiteParameters siteParams = siteParamsMap.get(site);
    if (siteParams == null) {
        siteParams = new SiteParameters(this, site);
        siteParamsMap.put(site, siteParams);
    }

    // Cookies: the whole block is guarded because cookie parsing can reject malformed input.
    try {
        for (HtmlParameter cookie : msg.getRequestHeader().getCookieParams()) {
            persist(siteParams.addParam(site, cookie, msg));
        }
    } catch (IllegalArgumentException e) {
        logger.warn("Failed to obtain the cookies: " + e.getMessage(), e);
    }

    // Query-string parameters.
    for (HtmlParameter urlParam : msg.getUrlParams()) {
        persist(siteParams.addParam(site, urlParam, msg));
    }

    // Form parameters, with anti-CSRF tokens flagged when the extension is loaded.
    // TODO flag anti csrf url ones too?
    ExtensionAntiCSRF antiCsrf =
            Control.getSingleton().getExtensionLoader().getExtension(ExtensionAntiCSRF.class);
    for (HtmlParameter formParam : msg.getFormParams()) {
        if (antiCsrf != null && antiCsrf.isAntiCsrfToken(formParam.getName())) {
            formParam.addFlag(HtmlParameter.Flags.anticsrf.name());
        }
        persist(siteParams.addParam(site, formParam, msg));
    }

    // Multipart bodies: only data params and file names are recorded, as multipart params.
    VariantMultipartFormParameters multipart = new VariantMultipartFormParameters();
    multipart.setMessage(msg);
    for (NameValuePair pair : multipart.getParamList()) {
        int type = pair.getType();
        boolean recorded =
                type == NameValuePair.TYPE_MULTIPART_DATA_PARAM
                        || type == NameValuePair.TYPE_MULTIPART_DATA_FILE_NAME;
        if (recorded) {
            HtmlParameter multipartParam =
                    new HtmlParameter(HtmlParameter.Type.multipart, pair.getName(), pair.getValue());
            persist(siteParams.addParam(site, multipartParam, msg));
        }
    }
    return true;
}