Search in sources :

Example 6 with HttpMessage

use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.

the class AlertViewPanel method getAlert.

public Alert getAlert() {
    if (!editable && originalAlert != null) {
        Alert alert = originalAlert.newInstance();
        alert.setAlertId(originalAlert.getAlertId());
        alert.setName((String) alertEditName.getSelectedItem());
        alert.setParam((String) alertEditParam.getSelectedItem());
        alert.setRiskConfidence(alertEditRisk.getSelectedIndex(), alertEditConfidence.getSelectedIndex());
        alert.setDescription(alertDescription.getText());
        alert.setOtherInfo(alertOtherInfo.getText());
        alert.setSolution(alertSolution.getText());
        alert.setReference(alertReference.getText());
        alert.setEvidence(alertEvidence.getText());
        alert.setCweId(alertEditCweId.getValue());
        alert.setWascId(alertEditWascId.getValue());
        alert.setHistoryRef(historyRef);
        return alert;
    }
    Alert alert = new Alert(-1, alertEditRisk.getSelectedIndex(), alertEditConfidence.getSelectedIndex(), (String) alertEditName.getSelectedItem());
    alert.setHistoryRef(historyRef);
    if (originalAlert != null) {
        alert.setAlertId(originalAlert.getAlertId());
        alert.setSource(originalAlert.getSource());
    }
    String uri = null;
    HttpMessage msg = null;
    if (httpMessage != null) {
        uri = httpMessage.getRequestHeader().getURI().toString();
        msg = httpMessage;
    } else if (historyRef != null) {
        try {
            uri = historyRef.getURI().toString();
            msg = historyRef.getHttpMessage();
        } catch (Exception e) {
            logger.error(e.getMessage(), e);
        }
    } else if (originalAlert != null) {
        uri = originalAlert.getUri();
        msg = originalAlert.getMessage();
    }
    alert.setDetail(alertDescription.getText(), uri, (String) alertEditParam.getSelectedItem(), alertEditAttack.getText(), alertOtherInfo.getText(), alertSolution.getText(), alertReference.getText(), alertEditEvidence.getText(), alertEditCweId.getValue(), alertEditWascId.getValue(), msg);
    return alert;
}
Also used : Alert(org.parosproxy.paros.core.scanner.Alert) HttpMessage(org.parosproxy.paros.network.HttpMessage)

Example 7 with HttpMessage

use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.

the class ExtensionAutoUpdate method getRemoteConfigurationUrl.

private ZapXmlConfiguration getRemoteConfigurationUrl(String url) throws IOException, ConfigurationException, InvalidCfuUrlException {
    HttpMessage msg = new HttpMessage(new URI(url, true), Model.getSingleton().getOptionsParam().getConnectionParam());
    getHttpSender().sendAndReceive(msg, true);
    if (msg.getResponseHeader().getStatusCode() != HttpStatusCode.OK) {
        throw new IOException();
    }
    if (!msg.getRequestHeader().isSecure()) {
        // Only access the cfu page over https
        throw new InvalidCfuUrlException(msg.getRequestHeader().getURI().toString());
    }
    ZapXmlConfiguration config = new ZapXmlConfiguration();
    config.setDelimiterParsingDisabled(true);
    config.load(new StringReader(msg.getResponseBody().toString()));
    // Save version file so we can report new addons next time
    File f = new File(Constant.FOLDER_LOCAL_PLUGIN, VERSION_FILE_NAME);
    FileWriter out = null;
    try {
        out = new FileWriter(f);
        out.write(msg.getResponseBody().toString());
    } catch (Exception e) {
        logger.error(e.getMessage(), e);
    } finally {
        try {
            if (out != null) {
                out.close();
            }
        } catch (IOException e) {
        // Ignore
        }
    }
    return config;
}
Also used : FileWriter(java.io.FileWriter) StringReader(java.io.StringReader) ZapXmlConfiguration(org.zaproxy.zap.utils.ZapXmlConfiguration) IOException(java.io.IOException) HttpMessage(org.parosproxy.paros.network.HttpMessage) URI(org.apache.commons.httpclient.URI) File(java.io.File) SSLHandshakeException(javax.net.ssl.SSLHandshakeException) InvocationTargetException(java.lang.reflect.InvocationTargetException) ConfigurationException(org.apache.commons.configuration.ConfigurationException) MalformedURLException(java.net.MalformedURLException) IOException(java.io.IOException) FileAlreadyExistsException(java.nio.file.FileAlreadyExistsException)

Example 8 with HttpMessage

use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.

the class BreakAPI method handleApiAction.

@Override
public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
    if (ACTION_BREAK.equals(name)) {
        String type = params.getString(PARAM_TYPE).toLowerCase();
        if (type.equals(VALUE_TYPE_HTTP_ALL)) {
            extension.setBreakAllRequests(params.getBoolean(PARAM_STATE));
            extension.setBreakAllResponses(params.getBoolean(PARAM_STATE));
        } else if (type.equals(VALUE_TYPE_HTTP_REQUESTS)) {
            extension.setBreakAllRequests(params.getBoolean(PARAM_STATE));
        } else if (type.equals(VALUE_TYPE_HTTP_RESPONSES)) {
            extension.setBreakAllResponses(params.getBoolean(PARAM_STATE));
        } else {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_TYPE + " not in [" + VALUE_TYPE_HTTP_ALL + "," + VALUE_TYPE_HTTP_REQUESTS + "," + VALUE_TYPE_HTTP_RESPONSES + "]");
        }
    } else if (ACTION_BREAK_ON_ID.equals(name)) {
        extension.setBreakOnId(params.getString(PARAM_KEY), params.getString(PARAM_STATE).toLowerCase().equals("on"));
    } else if (ACTION_CONTINUE.equals(name)) {
        extension.getBreakpointManagementInterface().cont();
    } else if (ACTION_STEP.equals(name)) {
        extension.getBreakpointManagementInterface().step();
    } else if (ACTION_DROP.equals(name)) {
        extension.getBreakpointManagementInterface().drop();
    } else if (ACTION_SET_HTTP_MESSAGE.equals(name)) {
        if (extension.getBreakpointManagementInterface().getMessage() == null) {
            // We've not got an intercepted message
            throw new ApiException(ApiException.Type.DOES_NOT_EXIST);
        }
        String header = params.getString(PARAM_HTTP_HEADER);
        String body = this.getParam(params, PARAM_HTTP_BODY, "");
        if (header.indexOf(HttpHeader.CRLF) < 0) {
            if (header.indexOf("\\n") >= 0) {
                // Makes it easier to use via API UI
                header = header.replace("\\r", "\r").replace("\\n", "\n");
            }
        }
        Message msg = extension.getBreakpointManagementInterface().getMessage();
        if (msg instanceof HttpMessage) {
            HttpMessage httpMsg = (HttpMessage) msg;
            if (extension.getBreakpointManagementInterface().isRequest()) {
                try {
                    httpMsg.setRequestHeader(header);
                    httpMsg.setRequestBody(body);
                    extension.getBreakpointManagementInterface().setMessage(httpMsg, true);
                } catch (HttpMalformedHeaderException e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, e.getMessage());
                }
            } else {
                try {
                    httpMsg.setResponseHeader(header);
                    httpMsg.setResponseBody(body);
                    extension.getBreakpointManagementInterface().setMessage(httpMsg, false);
                } catch (HttpMalformedHeaderException e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, e.getMessage());
                }
            }
        }
    } else if (ACTION_ADD_HTTP_BREAK_POINT.equals(name)) {
        try {
            extension.addHttpBreakpoint(params.getString(PARAM_STRING), params.getString(PARAM_LOCATION), params.getString(PARAM_MATCH), params.getBoolean(PARAM_INVERSE), params.getBoolean(PARAM_IGNORECASE));
        } catch (Exception e) {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, e.getMessage());
        }
    } else if (ACTION_REM_HTTP_BREAK_POINT.equals(name)) {
        try {
            extension.removeHttpBreakpoint(params.getString(PARAM_STRING), params.getString(PARAM_LOCATION), params.getString(PARAM_MATCH), params.getBoolean(PARAM_INVERSE), params.getBoolean(PARAM_IGNORECASE));
        } catch (Exception e) {
            throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, e.getMessage());
        }
    } else {
        throw new ApiException(ApiException.Type.BAD_ACTION);
    }
    return ApiResponseElement.OK;
}
Also used : Message(org.zaproxy.zap.extension.httppanel.Message) HttpMessage(org.parosproxy.paros.network.HttpMessage) HttpMalformedHeaderException(org.parosproxy.paros.network.HttpMalformedHeaderException) HttpMessage(org.parosproxy.paros.network.HttpMessage) ApiException(org.zaproxy.zap.extension.api.ApiException) HttpMalformedHeaderException(org.parosproxy.paros.network.HttpMalformedHeaderException) ApiException(org.zaproxy.zap.extension.api.ApiException)

Example 9 with HttpMessage

use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.

the class HttpBreakpointManagementDaemonImpl method setMessage.

@Override
public void setMessage(Message msg, boolean isRequest) {
    if (msg instanceof HttpMessage) {
        switch(Control.getSingleton().getMode()) {
            case safe:
                throw new IllegalStateException("Not allowed in safe mode");
            case protect:
                if (!msg.isInScope()) {
                    throw new IllegalStateException("Not allowed in protected mode for out of scope message");
                }
                break;
            case standard:
                break;
            case attack:
                break;
        }
        HttpMessage httpMsg = (HttpMessage) msg;
        if (this.msg == null) {
            this.msg = httpMsg;
            this.request = isRequest;
        } else {
            if (isRequest) {
                this.msg.setRequestHeader(httpMsg.getRequestHeader());
                this.msg.setRequestBody(httpMsg.getRequestBody());
            } else {
                this.msg.setResponseHeader(httpMsg.getResponseHeader());
                this.msg.setResponseBody(httpMsg.getResponseBody());
            }
        }
    } else {
        throw new IllegalArgumentException("Not an HttpMessage");
    }
}
Also used : HttpMessage(org.parosproxy.paros.network.HttpMessage)

Example 10 with HttpMessage

use of org.parosproxy.paros.network.HttpMessage in project zaproxy by zaproxy.

the class HttpBreakpointMessage method match.

@Override
public boolean match(Message aMessage, boolean isRequest, boolean onlyIfInScope) {
    if (aMessage instanceof HttpMessage) {
        HttpMessage messge = (HttpMessage) aMessage;
        try {
            String uri = messge.getRequestHeader().getURI().toString();
            if (onlyIfInScope) {
                if (!Model.getSingleton().getSession().isInScope(uri)) {
                    return false;
                }
            }
            String src = null;
            switch(location) {
                case url:
                    src = uri;
                    break;
                case request_header:
                    if (!isRequest) {
                        return false;
                    }
                    src = messge.getRequestHeader().toString();
                    break;
                case request_body:
                    if (!isRequest) {
                        return false;
                    }
                    src = messge.getRequestBody().toString();
                    break;
                case response_header:
                    if (isRequest) {
                        return false;
                    }
                    src = messge.getResponseHeader().toString();
                    break;
                case response_body:
                    if (isRequest) {
                        return false;
                    }
                    src = messge.getResponseBody().toString();
                    break;
            }
            boolean res;
            if (Match.contains.equals(this.match)) {
                if (ignoreCase) {
                    res = src.toLowerCase().contains(string.toLowerCase());
                } else {
                    res = src.contains(string);
                }
            } else {
                res = pattern.matcher(src).find();
            }
            if (inverse) {
                return !res;
            } else {
                return res;
            }
        } catch (Exception e) {
            logger.error(e.getMessage(), e);
        }
    }
    return false;
}
Also used : HttpMessage(org.parosproxy.paros.network.HttpMessage)

Aggregations

HttpMessage (org.parosproxy.paros.network.HttpMessage)205 Test (org.junit.Test)144 Source (net.htmlparser.jericho.Source)73 SpiderParam (org.zaproxy.zap.spider.SpiderParam)29 HttpMalformedHeaderException (org.parosproxy.paros.network.HttpMalformedHeaderException)22 DatabaseException (org.parosproxy.paros.db.DatabaseException)19 IOException (java.io.IOException)14 URI (org.apache.commons.httpclient.URI)10 URIException (org.apache.commons.httpclient.URIException)10 HttpException (org.apache.commons.httpclient.HttpException)7 HistoryReference (org.parosproxy.paros.model.HistoryReference)6 HttpRequestHeader (org.parosproxy.paros.network.HttpRequestHeader)6 WithConfigsTest (org.zaproxy.zap.WithConfigsTest)6 DefaultValueGenerator (org.zaproxy.zap.model.DefaultValueGenerator)6 SocketTimeoutException (java.net.SocketTimeoutException)5 RecordHistory (org.parosproxy.paros.db.RecordHistory)4 HttpResponseHeader (org.parosproxy.paros.network.HttpResponseHeader)4 File (java.io.File)3 SocketException (java.net.SocketException)3 UnknownHostException (java.net.UnknownHostException)3