Example 81 with HttpMessage

use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.

From the class PopupMenuExportMessage, method exportHistory:

private void exportHistory(HistoryReference ref, Writer writer) {
    if (ref == null) {
        return;
    }
    String s = null;
    try {
        // ZAP: Changed to load the HttpMessage from the database only once.
        HttpMessage msg = ref.getHttpMessage();
        writer.write("==== " + ref.getHistoryId() + " ==========" + EOL);
        s = msg.getRequestHeader().toString();
        writer.write(s);
        s = msg.getRequestBody().toString();
        writer.write(s);
        if (!s.endsWith(EOL)) {
            writer.write(EOL);
        }
        if (!msg.getResponseHeader().isEmpty()) {
            s = msg.getResponseHeader().toString();
            writer.write(s);
            s = msg.getResponseBody().toString();
            writer.write(s);
            if (!s.endsWith(EOL)) {
                writer.write(EOL);
            }
        }
    } catch (Exception e) {
        // ZAP: Log exceptions
        LOG.warn(e.getMessage(), e);
    }
}
Also used : HttpMessage(org.parosproxy.paros.network.HttpMessage)

Example 82 with HttpMessage

use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.

From the class AuthenticationMethod, method isAuthenticated:

/**
 * Checks if the response received by the Http Message corresponds to an authenticated Web
 * Session.
 *
 * <p>If none of the indicators are set up, the method defaults to returning true, so that no
 * authentications are tried when there is no way to check authentication. A message is also
 * shown on the output console in this case.
 *
 * @param msg the http message
 * @param user the user whose authentication state is being checked
 * @param force always check even if the polling strategy is being used
 * @return true, if is authenticated or no indicators have been set, and false otherwise
 */
public boolean isAuthenticated(HttpMessage msg, User user, boolean force) {
    if (msg == null || user == null) {
        return false;
    }
    AuthenticationState authState = user.getAuthenticationState();
    // Assume logged in if nothing was set up
    if (loggedInIndicatorPattern == null && loggedOutIndicatorPattern == null) {
        try {
            Stats.incCounter(SessionStructure.getHostName(msg), AUTH_STATE_NO_INDICATOR_STATS);
        } catch (URIException e) {
            // Ignore
        }
        if (View.isInitialised()) {
            // Let the user know this
            View.getSingleton().getOutputPanel().append(Constant.messages.getString("authentication.output.indicatorsNotSet", msg.getRequestHeader().getURI()) + "\n");
        }
        return true;
    }
    HttpMessage msgToTest;
    switch(this.authCheckingStrategy) {
        case EACH_REQ:
        case EACH_REQ_RESP:
        case EACH_RESP:
            msgToTest = msg;
            break;
        case POLL_URL:
            if (!force && authState.getLastPollResult() != null && authState.getLastPollResult()) {
                // Check if we really need to poll the relevant URL again
                switch(pollFrequencyUnits) {
                    case SECONDS:
                        if ((System.currentTimeMillis() - authState.getLastPollTime()) / 1000 < pollFrequency) {
                            try {
                                Stats.incCounter(SessionStructure.getHostName(msg), AUTH_STATE_ASSUMED_IN_STATS);
                            } catch (URIException e) {
                                // Ignore
                            }
                            return true;
                        }
                        break;
                    case REQUESTS:
                    default:
                        if (authState.getRequestsSincePoll() < pollFrequency) {
                            authState.incRequestsSincePoll();
                            try {
                                Stats.incCounter(SessionStructure.getHostName(msg), AUTH_STATE_ASSUMED_IN_STATS);
                            } catch (URIException e) {
                                // Ignore
                            }
                            return true;
                        }
                        break;
                }
            }
            // Make the poll request
            try {
                HttpMessage pollMsg = pollAsUser(user);
                msgToTest = pollMsg;
            } catch (Exception e1) {
                LOGGER.warn("Failed sending poll request to " + this.getPollUrl(), e1);
                return false;
            }
            break;
        default:
            return false;
    }
    return evaluateAuthRequest(msgToTest, authState);
}
Also used : URIException(org.apache.commons.httpclient.URIException) HttpMessage(org.parosproxy.paros.network.HttpMessage) IOException(java.io.IOException) AuthenticationState(org.zaproxy.zap.users.AuthenticationState)

Example 83 with HttpMessage

use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.

From the class BreakAPI, method handleApiAction:

@Override
public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
    if (ACTION_BREAK.equals(name)) {
        String type = params.getString(PARAM_TYPE).toLowerCase();
        boolean state = ApiUtils.getBooleanParam(params, PARAM_STATE);
        if (type.equals(VALUE_TYPE_HTTP_ALL)) {
            extension.setBreakAllRequests(state);
            extension.setBreakAllResponses(state);
        } else if (type.equals(VALUE_TYPE_HTTP_REQUESTS)) {
            extension.setBreakAllRequests(state);
        } else if (type.equals(VALUE_TYPE_HTTP_RESPONSES)) {
            extension.setBreakAllResponses(state);
        } else {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_TYPE + " not in [" + VALUE_TYPE_HTTP_ALL + "," + VALUE_TYPE_HTTP_REQUESTS + "," + VALUE_TYPE_HTTP_RESPONSES + "]");
        }
    } else if (ACTION_BREAK_ON_ID.equals(name)) {
        extension.setBreakOnId(params.getString(PARAM_KEY), params.getString(PARAM_STATE).equalsIgnoreCase("on"));
    } else if (ACTION_CONTINUE.equals(name)) {
        extension.getBreakpointManagementInterface().cont();
    } else if (ACTION_STEP.equals(name)) {
        extension.getBreakpointManagementInterface().step();
    } else if (ACTION_DROP.equals(name)) {
        extension.getBreakpointManagementInterface().drop();
    } else if (ACTION_SET_HTTP_MESSAGE.equals(name)) {
        if (extension.getBreakpointManagementInterface().getMessage() == null) {
            // We've not got an intercepted message
            throw new ApiException(ApiException.Type.DOES_NOT_EXIST);
        }
        String header = params.getString(PARAM_HTTP_HEADER);
        String body = this.getParam(params, PARAM_HTTP_BODY, "");
        // Accept escaped line breaks when no real CRLF is present; makes it easier to use via the API UI
        if (header.indexOf(HttpHeader.CRLF) < 0 && header.indexOf("\\n") >= 0) {
            header = header.replace("\\r", "\r").replace("\\n", "\n");
        }
        Message msg = extension.getBreakpointManagementInterface().getMessage();
        if (msg instanceof HttpMessage) {
            HttpMessage httpMsg = (HttpMessage) msg;
            if (extension.getBreakpointManagementInterface().isRequest()) {
                try {
                    httpMsg.setRequestHeader(header);
                    httpMsg.setRequestBody(body);
                    extension.getBreakpointManagementInterface().setMessage(httpMsg, true);
                } catch (HttpMalformedHeaderException e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, e.getMessage());
                }
            } else {
                try {
                    httpMsg.setResponseHeader(header);
                    httpMsg.setResponseBody(body);
                    extension.getBreakpointManagementInterface().setMessage(httpMsg, false);
                } catch (HttpMalformedHeaderException e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, e.getMessage());
                }
            }
        }
    } else if (ACTION_ADD_HTTP_BREAK_POINT.equals(name)) {
        try {
            extension.addHttpBreakpoint(params.getString(PARAM_STRING), params.getString(PARAM_LOCATION), params.getString(PARAM_MATCH), ApiUtils.getBooleanParam(params, PARAM_INVERSE), ApiUtils.getBooleanParam(params, PARAM_IGNORECASE));
        } catch (IllegalArgumentException e) {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, e.getMessage());
        }
    } else if (ACTION_REM_HTTP_BREAK_POINT.equals(name)) {
        try {
            extension.removeHttpBreakpoint(params.getString(PARAM_STRING), params.getString(PARAM_LOCATION), params.getString(PARAM_MATCH), ApiUtils.getBooleanParam(params, PARAM_INVERSE), ApiUtils.getBooleanParam(params, PARAM_IGNORECASE));
        } catch (IllegalArgumentException e) {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, e.getMessage());
        }
    } else {
        throw new ApiException(ApiException.Type.BAD_ACTION);
    }
    return ApiResponseElement.OK;
}
Also used : Message(org.zaproxy.zap.extension.httppanel.Message) HttpMessage(org.parosproxy.paros.network.HttpMessage) HttpMalformedHeaderException(org.parosproxy.paros.network.HttpMalformedHeaderException) ApiException(org.zaproxy.zap.extension.api.ApiException)

Example 84 with HttpMessage

use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.

From the class BreakAPI, method handleApiPersistentConnection:

@Override
public void handleApiPersistentConnection(HttpMessage msg, HttpInputStream httpIn, HttpOutputStream httpOut, String name, JSONObject params) throws ApiException {
    if (PCONN_WAIT_FOR_HTTP_BREAK.equals(name)) {
        int poll = params.optInt(PARAM_POLL, 500);
        int keepAlive = params.optInt(PARAM_KEEP_ALIVE, -1);
        try {
            String contentType;
            int nextKeepAlive = keepAlive * 1000;
            int alive = 0;
            if (keepAlive > 0) {
                contentType = "text/plain";
            } else {
                contentType = "text/event-stream";
            }
            msg.setResponseHeader(API.getDefaultResponseHeader(contentType, -1));
            msg.getResponseHeader().setHeader(HttpHeader.CONNECTION, HttpHeader._KEEP_ALIVE);
            httpOut.write(msg.getResponseHeader());
            while (true) {
                Message brkMsg = extension.getBreakpointManagementInterface().getMessage();
                if (brkMsg != null && brkMsg instanceof HttpMessage) {
                    String event;
                    HttpMessage httpMsg = (HttpMessage) brkMsg;
                    JSONObject jo = new JSONObject();
                    if (extension.getBreakpointManagementInterface().isRequest()) {
                        event = "httpRequest";
                        jo.put("header", httpMsg.getRequestHeader().toString());
                        jo.put("body", httpMsg.getRequestBody().toString());
                    } else {
                        event = "httpResponse";
                        jo.put("header", httpMsg.getResponseHeader().toString());
                        jo.put("body", httpMsg.getResponseBody().toString());
                    }
                    httpOut.write("event: " + event + "\n");
                    httpOut.write("data: " + jo.toString() + "\n\n");
                    httpOut.flush();
                    break;
                }
                try {
                    Thread.sleep(poll);
                    alive += poll;
                } catch (InterruptedException e) {
                    // Ignore
                }
                if (keepAlive > 0 && alive > nextKeepAlive) {
                    httpOut.write("event: keepalive\n");
                    httpOut.write("data: {}\n\n");
                    httpOut.flush();
                    nextKeepAlive = alive + (keepAlive * 1000);
                }
            }
        } catch (IOException e) {
            // Ignore - likely to just mean the client has closed the connection
        } finally {
            httpOut.close();
            httpIn.close();
        }
        return;
    }
    throw new ApiException(ApiException.Type.BAD_PCONN);
}
Also used : Message(org.zaproxy.zap.extension.httppanel.Message) HttpMessage(org.parosproxy.paros.network.HttpMessage) JSONObject(net.sf.json.JSONObject) IOException(java.io.IOException) ApiException(org.zaproxy.zap.extension.api.ApiException)

Example 85 with HttpMessage

use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.

From the class SearchThread, method search:

private void search() {
    Session session = Model.getSingleton().getSession();
    Matcher matcher = null;
    try {
        if (Type.Custom.equals(reqType)) {
            if (searchers != null && customSearcherName != null) {
                HttpSearcher searcher = searchers.get(customSearcherName);
                if (searcher != null) {
                    List<SearchResult> results;
                    if (pcc.hasMaximumMatches()) {
                        results = searcher.search(pattern, inverse, pcc.getMaximumMatches());
                    } else {
                        results = searcher.search(pattern, inverse);
                    }
                    for (SearchResult sr : results) {
                        searchListenner.addSearchResult(sr);
                    }
                }
            }
            return;
        }
        ExtensionHistory extensionHistory = Control.getSingleton().getExtensionLoader().getExtension(ExtensionHistory.class);
        List<Integer> list = Model.getSingleton().getDb().getTableHistory().getHistoryIdsOfHistType(session.getSessionId(), HistoryReference.TYPE_PROXIED, HistoryReference.TYPE_ZAP_USER, HistoryReference.TYPE_SPIDER, HistoryReference.TYPE_SPIDER_AJAX);
        int last = list.size();
        int currentRecordId = 0;
        for (int index = 0; index < last; index++) {
            if (stopSearch) {
                break;
            }
            int historyId = list.get(index);
            try {
                currentRecordId = index;
                // Create the href to ensure the msg is set up correctly
                HistoryReference href = null;
                if (extensionHistory != null) {
                    href = extensionHistory.getHistoryReference(historyId);
                }
                if (href == null) {
                    href = new HistoryReference(historyId);
                }
                HttpMessage message = href.getHttpMessage();
                if (searchJustInScope && !session.isInScope(message.getRequestHeader().getURI().toString())) {
                    // Not in scope, so ignore
                    continue;
                }
                if (this.baseUrl != null && !message.getRequestHeader().getURI().toString().startsWith(baseUrl)) {
                    // doesn't start with the specified baseurl
                    continue;
                }
                if (Type.URL.equals(reqType)) {
                    // URL
                    String url = message.getRequestHeader().getURI().toString();
                    matcher = pattern.matcher(url);
                    if (inverse && !pcc.allMatchesProcessed()) {
                        if (!matcher.find()) {
                            notifyInverseMatchFound(currentRecordId, message, SearchMatch.Location.REQUEST_HEAD);
                        }
                    } else {
                        int urlStartPos = message.getRequestHeader().getPrimeHeader().indexOf(url);
                        while (matcher.find() && !pcc.allMatchesProcessed()) {
                            notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.REQUEST_HEAD, urlStartPos + matcher.start(), urlStartPos + matcher.end());
                            if (!searchAllOccurrences) {
                                break;
                            }
                        }
                    }
                }
                if (Type.Header.equals(reqType)) {
                    // Header
                    // Request header
                    matcher = pattern.matcher(message.getRequestHeader().toString());
                    if (inverse && !pcc.allMatchesProcessed()) {
                        if (!matcher.find()) {
                            notifyInverseMatchFound(currentRecordId, message, SearchMatch.Location.REQUEST_HEAD);
                        }
                    } else {
                        while (matcher.find() && !pcc.allMatchesProcessed()) {
                            notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.REQUEST_HEAD, matcher.start(), matcher.end());
                            if (!searchAllOccurrences) {
                                break;
                            }
                        }
                    }
                    // Response header
                    matcher = pattern.matcher(message.getResponseHeader().toString());
                    if (inverse && !pcc.allMatchesProcessed()) {
                        if (!matcher.find()) {
                            notifyInverseMatchFound(currentRecordId, message, SearchMatch.Location.RESPONSE_HEAD);
                        }
                    } else {
                        while (matcher.find() && !pcc.allMatchesProcessed()) {
                            notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.RESPONSE_HEAD, matcher.start(), matcher.end());
                            if (!searchAllOccurrences) {
                                break;
                            }
                        }
                    }
                }
                if (Type.Request.equals(reqType) || Type.All.equals(reqType)) {
                    if (inverse && !pcc.allMatchesProcessed()) {
                        // Check for no matches in either Request Header or Body
                        if (!pattern.matcher(message.getRequestHeader().toString()).find() && !pattern.matcher(message.getRequestBody().toString()).find()) {
                            notifyInverseMatchFound(currentRecordId, message, SearchMatch.Location.REQUEST_HEAD);
                        }
                    } else {
                        // Request Header
                        matcher = pattern.matcher(message.getRequestHeader().toString());
                        while (matcher.find() && !pcc.allMatchesProcessed()) {
                            notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.REQUEST_HEAD, matcher.start(), matcher.end());
                            if (!searchAllOccurrences) {
                                break;
                            }
                        }
                        // Request Body
                        matcher = pattern.matcher(message.getRequestBody().toString());
                        while (matcher.find() && !pcc.allMatchesProcessed()) {
                            notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.REQUEST_BODY, matcher.start(), matcher.end());
                            if (!searchAllOccurrences) {
                                break;
                            }
                        }
                    }
                }
                if (Type.Response.equals(reqType) || Type.All.equals(reqType)) {
                    if (inverse && !pcc.allMatchesProcessed()) {
                        // Check for no matches in either Response Header or Body
                        if (!pattern.matcher(message.getResponseHeader().toString()).find() && !pattern.matcher(message.getResponseBody().toString()).find()) {
                            notifyInverseMatchFound(currentRecordId, message, SearchMatch.Location.RESPONSE_HEAD);
                        }
                    } else {
                        // Response header
                        matcher = pattern.matcher(message.getResponseHeader().toString());
                        while (matcher.find() && !pcc.allMatchesProcessed()) {
                            notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.RESPONSE_HEAD, matcher.start(), matcher.end());
                            if (!searchAllOccurrences) {
                                break;
                            }
                        }
                        // Response body
                        matcher = pattern.matcher(message.getResponseBody().toString());
                        while (matcher.find() && !pcc.allMatchesProcessed()) {
                            notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.RESPONSE_BODY, matcher.start(), matcher.end());
                            if (!searchAllOccurrences) {
                                break;
                            }
                        }
                    }
                }
            } catch (HttpMalformedHeaderException e1) {
                log.error(e1.getMessage(), e1);
            }
            if (pcc.hasPageEnded()) {
                break;
            }
        }
    } catch (DatabaseException e) {
        log.error(e.getMessage(), e);
    }
}
Also used : Matcher(java.util.regex.Matcher) ExtensionHistory(org.parosproxy.paros.extension.history.ExtensionHistory) HistoryReference(org.parosproxy.paros.model.HistoryReference) HttpMalformedHeaderException(org.parosproxy.paros.network.HttpMalformedHeaderException) HttpMessage(org.parosproxy.paros.network.HttpMessage) DatabaseException(org.parosproxy.paros.db.DatabaseException) Session(org.parosproxy.paros.model.Session)
