use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.
the class PopupMenuExportMessage method exportHistory.
/**
 * Appends one history entry to the export.
 *
 * <p>The entry is introduced by a banner line with the history id, followed by the request
 * header and body and, when a response header is present, the response header and body. Headers
 * and bodies are written verbatim (so any cookies or authorization headers the message carries
 * end up in the export); a body that does not already end with {@code EOL} gets one so that the
 * next banner starts on its own line.
 *
 * <p>Any failure (loading the message from the database, writing to the stream) is logged as a
 * warning and does not abort the export of the remaining entries.
 *
 * @param ref the history entry to export, ignored when {@code null}
 * @param writer the destination of the export
 */
private void exportHistory(HistoryReference ref, Writer writer) {
    if (ref == null) {
        return;
    }
    try {
        // ZAP: Changed to load the HttpMessage from the database only once.
        HttpMessage msg = ref.getHttpMessage();
        writer.write("==== " + ref.getHistoryId() + " ==========" + EOL);
        writer.write(msg.getRequestHeader().toString());
        String requestBody = msg.getRequestBody().toString();
        writer.write(requestBody);
        if (!requestBody.endsWith(EOL)) {
            writer.write(EOL);
        }
        if (msg.getResponseHeader().isEmpty()) {
            // No response recorded for this entry (e.g. request never sent), nothing more to write
            return;
        }
        writer.write(msg.getResponseHeader().toString());
        String responseBody = msg.getResponseBody().toString();
        writer.write(responseBody);
        if (!responseBody.endsWith(EOL)) {
            writer.write(EOL);
        }
    } catch (Exception e) {
        // ZAP: Log exceptions
        LOG.warn(e.getMessage(), e);
    }
}
use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.
the class AuthenticationMethod method isAuthenticated.
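/**
 * Checks if the response received by the HTTP message corresponds to an authenticated web
 * session.
 *
 * <p>If none of the indicators are set up, the method defaults to returning {@code true}, so
 * that no authentications are tried when there is no way to check authentication. A message is
 * also shown on the output console in this case. Note that this makes the check fail-open:
 * without a logged-in or logged-out indicator every message is treated as authenticated.
 *
 * <p>With the {@code POLL_URL} strategy a previous successful poll result is reused while the
 * configured poll frequency (seconds or requests) has not elapsed, unless {@code force} is set;
 * otherwise the poll URL is requested as the user and that response is evaluated instead of
 * {@code msg}.
 *
 * @param msg the HTTP message
 * @param user the user whose authentication state is checked; its poll counters are read and,
 *     for the {@code REQUESTS} frequency unit, incremented
 * @param force always check even if the polling strategy is being used
 * @return {@code true}, if is authenticated or no indicators have been set, and {@code false}
 *     otherwise (also when {@code msg} or {@code user} is {@code null}, when the poll request
 *     fails, or for an unknown checking strategy)
 */
public boolean isAuthenticated(HttpMessage msg, User user, boolean force) {
    if (msg == null || user == null) {
        return false;
    }
    AuthenticationState authState = user.getAuthenticationState();
    // Assume logged in if nothing was set up
    if (loggedInIndicatorPattern == null && loggedOutIndicatorPattern == null) {
        incAuthStateStat(msg, AUTH_STATE_NO_INDICATOR_STATS);
        if (View.isInitialised()) {
            // Let the user know this
            View.getSingleton().getOutputPanel().append(Constant.messages.getString("authentication.output.indicatorsNotSet", msg.getRequestHeader().getURI()) + "\n");
        }
        return true;
    }
    HttpMessage msgToTest;
    switch (this.authCheckingStrategy) {
        case EACH_REQ:
        case EACH_REQ_RESP:
        case EACH_RESP:
            msgToTest = msg;
            break;
        case POLL_URL:
            // force is checked first so that no poll counter is touched when polling is forced
            if (!force && canReuseLastPoll(authState)) {
                incAuthStateStat(msg, AUTH_STATE_ASSUMED_IN_STATS);
                return true;
            }
            // Make the poll request
            try {
                msgToTest = pollAsUser(user);
            } catch (Exception e1) {
                LOGGER.warn("Failed sending poll request to " + this.getPollUrl(), e1);
                return false;
            }
            break;
        default:
            return false;
    }
    return evaluateAuthRequest(msgToTest, authState);
}

/**
 * Tells whether the last poll result can still be trusted, so that polling the URL again can be
 * skipped.
 *
 * <p>Only a successful last poll is ever reused. For the {@code SECONDS} unit the poll is reused
 * while fewer than {@code pollFrequency} seconds have passed since it; for {@code REQUESTS} (and
 * any other unit) it is reused while fewer than {@code pollFrequency} requests were seen since
 * it, in which case the request counter of the state is incremented as a side effect.
 *
 * @param authState the authentication state of the user being checked
 * @return {@code true} if the last poll result is still valid, {@code false} if a new poll is
 *     needed
 */
private boolean canReuseLastPoll(AuthenticationState authState) {
    if (authState.getLastPollResult() == null || !authState.getLastPollResult()) {
        return false;
    }
    // Check if we really need to poll the relevant URL again
    switch (pollFrequencyUnits) {
        case SECONDS:
            return (System.currentTimeMillis() - authState.getLastPollTime()) / 1000 < pollFrequency;
        case REQUESTS:
        default:
            if (authState.getRequestsSincePoll() < pollFrequency) {
                authState.incRequestsSincePoll();
                return true;
            }
            return false;
    }
}

/**
 * Increments the given authentication statistic for the host of the message.
 *
 * @param msg the message whose host name keys the statistic
 * @param stat the statistic to increment
 */
private static void incAuthStateStat(HttpMessage msg, String stat) {
    try {
        Stats.incCounter(SessionStructure.getHostName(msg), stat);
    } catch (URIException e) {
        // Ignore - statistics are best effort and must not affect the authentication check
    }
}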
use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.
the class BreakAPI method handleApiAction.
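/**
 * Handles the actions of the break API: toggling the global break state, breaking on a
 * message id, continuing/stepping/dropping the intercepted message, replacing the intercepted
 * HTTP message and adding or removing HTTP breakpoints.
 *
 * @param name the name of the action
 * @param params the parameters of the action
 * @return {@link ApiResponseElement#OK} once the action was applied
 * @throws ApiException {@code BAD_ACTION} for an unknown action, {@code ILLEGAL_PARAMETER} for
 *     an invalid break type, a malformed header or an invalid breakpoint definition, and
 *     {@code DOES_NOT_EXIST} when a message should be set but nothing is intercepted
 */
@Override
public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
    if (ACTION_BREAK.equals(name)) {
        setBreakState(params);
    } else if (ACTION_BREAK_ON_ID.equals(name)) {
        // Unlike ACTION_BREAK the state is the literal "on"/"off" here, not a boolean parameter
        extension.setBreakOnId(params.getString(PARAM_KEY), params.getString(PARAM_STATE).equalsIgnoreCase("on"));
    } else if (ACTION_CONTINUE.equals(name)) {
        extension.getBreakpointManagementInterface().cont();
    } else if (ACTION_STEP.equals(name)) {
        extension.getBreakpointManagementInterface().step();
    } else if (ACTION_DROP.equals(name)) {
        extension.getBreakpointManagementInterface().drop();
    } else if (ACTION_SET_HTTP_MESSAGE.equals(name)) {
        setInterceptedHttpMessage(params);
    } else if (ACTION_ADD_HTTP_BREAK_POINT.equals(name)) {
        try {
            extension.addHttpBreakpoint(params.getString(PARAM_STRING), params.getString(PARAM_LOCATION), params.getString(PARAM_MATCH), ApiUtils.getBooleanParam(params, PARAM_INVERSE), ApiUtils.getBooleanParam(params, PARAM_IGNORECASE));
        } catch (IllegalArgumentException e) {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, e.getMessage());
        }
    } else if (ACTION_REM_HTTP_BREAK_POINT.equals(name)) {
        try {
            extension.removeHttpBreakpoint(params.getString(PARAM_STRING), params.getString(PARAM_LOCATION), params.getString(PARAM_MATCH), ApiUtils.getBooleanParam(params, PARAM_INVERSE), ApiUtils.getBooleanParam(params, PARAM_IGNORECASE));
        } catch (IllegalArgumentException e) {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, e.getMessage());
        }
    } else {
        throw new ApiException(ApiException.Type.BAD_ACTION);
    }
    return ApiResponseElement.OK;
}

/**
 * Applies {@code ACTION_BREAK}: enables or disables breaking on all requests and/or responses.
 *
 * @param params the action parameters, {@code PARAM_TYPE} (one of the {@code VALUE_TYPE_HTTP_*}
 *     values, case insensitive) and {@code PARAM_STATE}
 * @throws ApiException {@code ILLEGAL_PARAMETER} if the type is unknown or the state is not a
 *     boolean
 */
private void setBreakState(JSONObject params) throws ApiException {
    // Locale.ROOT so the comparison does not depend on the JVM default locale (e.g. Turkish "I")
    String type = params.getString(PARAM_TYPE).toLowerCase(java.util.Locale.ROOT);
    boolean state = ApiUtils.getBooleanParam(params, PARAM_STATE);
    if (type.equals(VALUE_TYPE_HTTP_ALL)) {
        extension.setBreakAllRequests(state);
        extension.setBreakAllResponses(state);
    } else if (type.equals(VALUE_TYPE_HTTP_REQUESTS)) {
        extension.setBreakAllRequests(state);
    } else if (type.equals(VALUE_TYPE_HTTP_RESPONSES)) {
        extension.setBreakAllResponses(state);
    } else {
        throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_TYPE + " not in [" + VALUE_TYPE_HTTP_ALL + "," + VALUE_TYPE_HTTP_REQUESTS + "," + VALUE_TYPE_HTTP_RESPONSES + "]");
    }
}

/**
 * Applies {@code ACTION_SET_HTTP_MESSAGE}: replaces the header and body of the currently
 * intercepted HTTP message (request or response, whichever is intercepted).
 *
 * <p>An intercepted message that is not an {@link HttpMessage} is left untouched and the action
 * still reports success.
 *
 * @param params the action parameters, {@code PARAM_HTTP_HEADER} and optionally
 *     {@code PARAM_HTTP_BODY} (defaults to empty)
 * @throws ApiException {@code DOES_NOT_EXIST} if no message is intercepted,
 *     {@code ILLEGAL_PARAMETER} if the header is malformed
 */
private void setInterceptedHttpMessage(JSONObject params) throws ApiException {
    // Read the intercepted message once: re-reading it after the null check could observe a
    // message that was continued or dropped in the meantime.
    Message msg = extension.getBreakpointManagementInterface().getMessage();
    if (msg == null) {
        // We've not got an intercepted message
        throw new ApiException(ApiException.Type.DOES_NOT_EXIST);
    }
    String header = unescapeHeader(params.getString(PARAM_HTTP_HEADER));
    String body = this.getParam(params, PARAM_HTTP_BODY, "");
    if (!(msg instanceof HttpMessage)) {
        return;
    }
    HttpMessage httpMsg = (HttpMessage) msg;
    boolean request = extension.getBreakpointManagementInterface().isRequest();
    try {
        if (request) {
            httpMsg.setRequestHeader(header);
            httpMsg.setRequestBody(body);
        } else {
            httpMsg.setResponseHeader(header);
            httpMsg.setResponseBody(body);
        }
        extension.getBreakpointManagementInterface().setMessage(httpMsg, request);
    } catch (HttpMalformedHeaderException e) {
        throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, e.getMessage());
    }
}

/**
 * Turns the escape sequences {@code \r} and {@code \n} of a header typed through the API UI into
 * real line breaks, but only when the header contains no real CRLF already.
 *
 * @param header the header as received from the API
 * @return the header with line breaks restored, or the header unchanged
 */
private static String unescapeHeader(String header) {
    if (header.indexOf(HttpHeader.CRLF) < 0 && header.indexOf("\\n") >= 0) {
        // Makes it easier to use via API UI
        return header.replace("\\r", "\r").replace("\\n", "\n");
    }
    return header;
}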
use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.
the class BreakAPI method handleApiPersistentConnection.
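/**
 * Handles the persistent connections of the break API.
 *
 * <p>Only {@code PCONN_WAIT_FOR_HTTP_BREAK} is supported: the response is kept open and, once an
 * HTTP message is intercepted, it is written as a single server-sent event ({@code httpRequest}
 * or {@code httpResponse}, with {@code header} and {@code body} fields in the JSON data), after
 * which both streams are closed. While waiting, a {@code keepalive} event is written every
 * {@code keepAlive} seconds if that parameter is positive. Write errors are ignored, as they
 * normally mean the client went away; an interrupt stops the wait.
 *
 * @param msg the API request message, its response header is replaced and sent
 * @param httpIn the input stream of the connection, closed when the handler finishes
 * @param httpOut the output stream of the connection, closed when the handler finishes
 * @param name the name of the persistent connection
 * @param params the parameters: {@code PARAM_POLL} (milliseconds between checks, default 500)
 *     and {@code PARAM_KEEP_ALIVE} (seconds between keepalive events, default -1 = none)
 * @throws ApiException {@code BAD_PCONN} for an unknown name, {@code ILLEGAL_PARAMETER} for a
 *     non-positive poll interval
 */
@Override
public void handleApiPersistentConnection(HttpMessage msg, HttpInputStream httpIn, HttpOutputStream httpOut, String name, JSONObject params) throws ApiException {
    if (!PCONN_WAIT_FOR_HTTP_BREAK.equals(name)) {
        throw new ApiException(ApiException.Type.BAD_PCONN);
    }
    int poll = params.optInt(PARAM_POLL, 500);
    int keepAlive = params.optInt(PARAM_KEEP_ALIVE, -1);
    if (poll <= 0) {
        // Thread.sleep rejects negative values and 0 would spin; reject before sending any response
        throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_POLL);
    }
    try {
        String contentType = keepAlive > 0 ? "text/plain" : "text/event-stream";
        msg.setResponseHeader(API.getDefaultResponseHeader(contentType, -1));
        msg.getResponseHeader().setHeader(HttpHeader.CONNECTION, HttpHeader._KEEP_ALIVE);
        httpOut.write(msg.getResponseHeader());
        // long arithmetic: keepAlive is client supplied and keepAlive * 1000 overflows an int
        long keepAliveMillis = keepAlive * 1000L;
        long nextKeepAlive = keepAliveMillis;
        long alive = 0;
        while (true) {
            Message brkMsg = extension.getBreakpointManagementInterface().getMessage();
            if (brkMsg instanceof HttpMessage) {
                writeBreakEvent(httpOut, (HttpMessage) brkMsg);
                break;
            }
            try {
                Thread.sleep(poll);
            } catch (InterruptedException e) {
                // Restore the flag and stop waiting so the handling thread can be shut down
                Thread.currentThread().interrupt();
                break;
            }
            alive += poll;
            if (keepAlive > 0 && alive > nextKeepAlive) {
                httpOut.write("event: keepalive\n");
                httpOut.write("data: {}\n\n");
                httpOut.flush();
                nextKeepAlive = alive + keepAliveMillis;
            }
        }
    } catch (IOException e) {
        // Ignore - likely to just mean the client has closed the connection
    } finally {
        httpOut.close();
        httpIn.close();
    }
}

/**
 * Writes the intercepted message as one server-sent event and flushes the stream.
 *
 * @param httpOut the stream of the persistent connection
 * @param httpMsg the intercepted message; whether its request or response is reported is taken
 *     from the breakpoint management interface
 * @throws IOException if writing to the stream fails
 */
private void writeBreakEvent(HttpOutputStream httpOut, HttpMessage httpMsg) throws IOException {
    String event;
    JSONObject jo = new JSONObject();
    if (extension.getBreakpointManagementInterface().isRequest()) {
        event = "httpRequest";
        jo.put("header", httpMsg.getRequestHeader().toString());
        jo.put("body", httpMsg.getRequestBody().toString());
    } else {
        event = "httpResponse";
        jo.put("header", httpMsg.getResponseHeader().toString());
        jo.put("body", httpMsg.getResponseBody().toString());
    }
    httpOut.write("event: " + event + "\n");
    httpOut.write("data: " + jo.toString() + "\n\n");
    httpOut.flush();
}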
use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.
the class SearchThread method search.
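/**
 * Runs the search.
 *
 * <p>For the {@code Custom} type the configured custom searcher does the work and its results are
 * forwarded to the listener. For every other type the history of the current session (proxied,
 * user, spider and AJAX spider entries) is walked in order: each message is loaded, filtered by
 * scope and base URL, and then searched according to the type. The record id reported with a
 * match is the position of the entry in that walk, not its history id. The walk stops when the
 * search is stopped or the pagination control reports the page has ended.
 *
 * <p>Database errors abort the search; a malformed message is logged and skipped.
 */
private void search() {
    Session session = Model.getSingleton().getSession();
    try {
        if (Type.Custom.equals(reqType)) {
            if (searchers != null && customSearcherName != null) {
                HttpSearcher searcher = searchers.get(customSearcherName);
                if (searcher != null) {
                    List<SearchResult> results = pcc.hasMaximumMatches()
                            ? searcher.search(pattern, inverse, pcc.getMaximumMatches())
                            : searcher.search(pattern, inverse);
                    for (SearchResult sr : results) {
                        searchListenner.addSearchResult(sr);
                    }
                }
            }
            return;
        }
        ExtensionHistory extensionHistory = Control.getSingleton().getExtensionLoader().getExtension(ExtensionHistory.class);
        List<Integer> historyIds = Model.getSingleton().getDb().getTableHistory().getHistoryIdsOfHistType(session.getSessionId(), HistoryReference.TYPE_PROXIED, HistoryReference.TYPE_ZAP_USER, HistoryReference.TYPE_SPIDER, HistoryReference.TYPE_SPIDER_AJAX);
        int last = historyIds.size();
        for (int index = 0; index < last; index++) {
            if (stopSearch) {
                break;
            }
            try {
                HttpMessage message = loadMessage(extensionHistory, historyIds.get(index));
                String uri = message.getRequestHeader().getURI().toString();
                if (searchJustInScope && !session.isInScope(uri)) {
                    // Not in scope, so ignore
                    continue;
                }
                if (this.baseUrl != null && !uri.startsWith(baseUrl)) {
                    // doesn't start with the specified baseurl
                    continue;
                }
                searchMessage(index, message);
            } catch (HttpMalformedHeaderException e1) {
                log.error(e1.getMessage(), e1);
            }
            if (pcc.hasPageEnded()) {
                break;
            }
        }
    } catch (DatabaseException e) {
        log.error(e.getMessage(), e);
    }
}

/**
 * Loads the message of a history entry, reusing the reference held by the history extension when
 * it has one.
 *
 * @param extensionHistory the history extension, may be {@code null}
 * @param historyId the id of the history entry
 * @return the message of the entry
 * @throws HttpMalformedHeaderException if the stored message cannot be parsed
 * @throws DatabaseException if the entry cannot be read from the database
 */
private static HttpMessage loadMessage(ExtensionHistory extensionHistory, int historyId) throws HttpMalformedHeaderException, DatabaseException {
    HistoryReference href = null;
    if (extensionHistory != null) {
        href = extensionHistory.getHistoryReference(historyId);
    }
    if (href == null) {
        // Create the href to ensure the msg is set up correctly
        href = new HistoryReference(historyId);
    }
    return href.getHttpMessage();
}

/**
 * Searches one message according to the search type.
 *
 * @param recordId the id reported with the matches of this message
 * @param message the message to search
 */
private void searchMessage(int recordId, HttpMessage message) {
    if (Type.URL.equals(reqType)) {
        String url = message.getRequestHeader().getURI().toString();
        // Match offsets are shifted so that they point into the request header, where the URL is
        int urlStartPos = message.getRequestHeader().getPrimeHeader().indexOf(url);
        searchText(recordId, message, url, SearchMatch.Location.REQUEST_HEAD, urlStartPos);
    }
    if (Type.Header.equals(reqType)) {
        searchText(recordId, message, message.getRequestHeader().toString(), SearchMatch.Location.REQUEST_HEAD, 0);
        searchText(recordId, message, message.getResponseHeader().toString(), SearchMatch.Location.RESPONSE_HEAD, 0);
    }
    if (Type.Request.equals(reqType) || Type.All.equals(reqType)) {
        searchHeaderAndBody(recordId, message, message.getRequestHeader().toString(), message.getRequestBody().toString(), SearchMatch.Location.REQUEST_HEAD, SearchMatch.Location.REQUEST_BODY);
    }
    if (Type.Response.equals(reqType) || Type.All.equals(reqType)) {
        searchHeaderAndBody(recordId, message, message.getResponseHeader().toString(), message.getResponseBody().toString(), SearchMatch.Location.RESPONSE_HEAD, SearchMatch.Location.RESPONSE_BODY);
    }
}

/**
 * Searches a single piece of text, honouring the inverse flag.
 *
 * <p>In inverse mode (while matches are still wanted) an inverse match is reported when the text
 * does not match at all; otherwise every match is reported.
 *
 * @param recordId the id reported with the matches
 * @param message the message the text belongs to
 * @param text the text to search
 * @param location the location reported with the matches
 * @param offset added to the match positions, for text that is a substring of the location
 */
private void searchText(int recordId, HttpMessage message, String text, SearchMatch.Location location, int offset) {
    if (inverse && !pcc.allMatchesProcessed()) {
        if (!pattern.matcher(text).find()) {
            notifyInverseMatchFound(recordId, message, location);
        }
    } else {
        notifyAllMatches(recordId, message, text, location, offset);
    }
}

/**
 * Searches a header and its body, honouring the inverse flag.
 *
 * <p>In inverse mode (while matches are still wanted) a single inverse match, at the header
 * location, is reported when neither the header nor the body matches; otherwise the matches of
 * the header and then of the body are reported.
 *
 * @param recordId the id reported with the matches
 * @param message the message the header and body belong to
 * @param header the header text
 * @param body the body text
 * @param headerLocation the location reported for header matches (and inverse matches)
 * @param bodyLocation the location reported for body matches
 */
private void searchHeaderAndBody(int recordId, HttpMessage message, String header, String body, SearchMatch.Location headerLocation, SearchMatch.Location bodyLocation) {
    if (inverse && !pcc.allMatchesProcessed()) {
        // Check for no matches in either Header or Body
        if (!pattern.matcher(header).find() && !pattern.matcher(body).find()) {
            notifyInverseMatchFound(recordId, message, headerLocation);
        }
    } else {
        notifyAllMatches(recordId, message, header, headerLocation, 0);
        notifyAllMatches(recordId, message, body, bodyLocation, 0);
    }
}

/**
 * Reports the matches of the pattern in the text: all of them when all occurrences are wanted,
 * otherwise only the first, and never beyond what the pagination control accepts.
 *
 * @param recordId the id reported with the matches
 * @param message the message the text belongs to
 * @param text the text to search
 * @param location the location reported with the matches
 * @param offset added to the start and end positions of each match
 */
private void notifyAllMatches(int recordId, HttpMessage message, String text, SearchMatch.Location location, int offset) {
    Matcher matcher = pattern.matcher(text);
    while (matcher.find() && !pcc.allMatchesProcessed()) {
        notifyMatchFound(recordId, matcher.group(), message, location, offset + matcher.start(), offset + matcher.end());
        if (!searchAllOccurrences) {
            break;
        }
    }
}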