
Example 1 with ExtensionHttpSessions

Use of org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions in project zaproxy by zaproxy.

Class SiteParameters, method addParam.

public HtmlParameterStats addParam(String site, HtmlParameter param, HttpMessage msg) {
    Map<String, HtmlParameterStats> params = null;
    HtmlParameterStats p;
    switch(param.getType()) {
        case cookie:
            params = cookieParams;
            break;
        case url:
            params = urlParams;
            break;
        case form:
            params = formParams;
            break;
    }
    if (params != null && params.containsKey(param.getName())) {
        p = params.get(param.getName());
        p.incTimesUsed();
        p.addValue(param.getValue());
    } else {
        // It's a new parameter
        p = new HtmlParameterStats(site, param.getName(), param.getType(), param.getValue(), param.getFlags());
        // If the HttpSessions extension is active, check if the token is a session token and,
        // if it is, mark it so
        ExtensionHttpSessions extSession = extension.getExtensionHttpSessions();
        if (extSession != null) {
            if (param.getType().equals(Type.cookie) && extSession.isSessionToken(site, param.getName())) {
                // Only Cookies can be session params
                // TODO: Add support for URL tokens
                p.addFlag(HtmlParameter.Flags.session.name());
            }
        }
        if (params == null) {
            params = new HashMap<>();
        }
        params.put(param.getName(), p);
        model.addHtmlParameterStats(p);
    }
    return p;
}
Also used : ExtensionHttpSessions(org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions)

Example 2 with ExtensionHttpSessions

Use of org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions in project zaproxy by zaproxy.

Class ManualAuthenticationMethodType, method getSetCredentialsForUserApiAction.

@Override
public ApiDynamicActionImplementor getSetCredentialsForUserApiAction() {
    return new ApiDynamicActionImplementor(ACTION_SET_CREDENTIALS, new String[] { PARAM_SESSION_NAME }, null) {

        @Override
        public void handleAction(JSONObject params) throws ApiException {
            Context context = ApiUtils.getContextByParamId(params, UsersAPI.PARAM_CONTEXT_ID);
            int userId = ApiUtils.getIntParam(params, UsersAPI.PARAM_USER_ID);
            // Make sure the type of authentication method is compatible
            if (!isTypeForMethod(context.getAuthenticationMethod())) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, "User's credentials should match authentication method type of the context: " + context.getAuthenticationMethod().getType().getName());
            }
            // NOTE: no need to check if the extension is loaded, as this method
            // is called only if the Users extension is loaded
            ExtensionUserManagement extensionUserManagement = (ExtensionUserManagement) Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.NAME);
            User user = extensionUserManagement.getContextUserAuthManager(context.getIndex()).getUserById(userId);
            if (user == null) {
                throw new ApiException(Type.USER_NOT_FOUND, UsersAPI.PARAM_USER_ID);
            }
            String sessionName = ApiUtils.getNonEmptyStringParam(params, PARAM_SESSION_NAME);
            // Get the matching session
            ExtensionHttpSessions extensionHttpSessions = (ExtensionHttpSessions) Control.getSingleton().getExtensionLoader().getExtension(ExtensionHttpSessions.NAME);
            if (extensionHttpSessions == null) {
                throw new ApiException(Type.NO_IMPLEMENTOR, "HttpSessions extension is not loaded.");
            }
            List<HttpSession> sessions = extensionHttpSessions.getHttpSessionsForContext(context);
            HttpSession matchedSession = null;
            for (HttpSession session : sessions) {
                if (session.getName().equals(sessionName)) {
                    matchedSession = session;
                    break;
                }
            }
            if (matchedSession == null) {
                throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SESSION_NAME);
            }
            // Set the credentials
            ManualAuthenticationCredentials credentials = createAuthenticationCredentials();
            credentials.setSelectedSession(matchedSession);
            user.setAuthenticationCredentials(credentials);
        }
    };
}
Also used :
ApiDynamicActionImplementor (org.zaproxy.zap.extension.api.ApiDynamicActionImplementor)
Context (org.zaproxy.zap.model.Context)
ExtensionUserManagement (org.zaproxy.zap.extension.users.ExtensionUserManagement)
User (org.zaproxy.zap.users.User)
JSONObject (net.sf.json.JSONObject)
HttpSession (org.zaproxy.zap.extension.httpsessions.HttpSession)
ExtensionHttpSessions (org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions)
ApiException (org.zaproxy.zap.extension.api.ApiException)

Example 3 with ExtensionHttpSessions

Use of org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions in project zaproxy by zaproxy.

Class ExtensionParams, method removeSessionToken.

/**
 * Removes the currently selected parameter as a session token. Also notifies the
 * {@link ExtensionHttpSessions} if it's active.
 */
public void removeSessionToken() {
    HtmlParameterStats item = this.getParamsPanel().getSelectedParam();
    if (item != null) {
        // If the HttpSessions extension is active, notify it of the removed session token
        ExtensionHttpSessions extSession = this.getExtensionHttpSessions();
        if (extSession != null) {
            extSession.removeHttpSessionToken(this.getParamsPanel().getCurrentSite(), item.getName());
        }
        // Unflag the item accordingly
        item.removeFlag(HtmlParameter.Flags.session.name());
        // Repaint so change shows up
        this.getParamsPanel().getParamsTable().repaint();
    }
}
Also used : ExtensionHttpSessions(org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions)

Example 4 with ExtensionHttpSessions

Use of org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions in project zaproxy by zaproxy.

Class ExtensionParams, method addSessionToken.

/**
 * Adds a new session token from the selected parameter. Also notifies the
 * {@link ExtensionHttpSessions} if it's active.
 */
public void addSessionToken() {
    // Get the selected parameter
    HtmlParameterStats item = this.getParamsPanel().getSelectedParam();
    if (item != null) {
        // If the HttpSessions extension is active, notify it of the new session token
        ExtensionHttpSessions extSession = this.getExtensionHttpSessions();
        if (extSession != null) {
            extSession.addHttpSessionToken(this.getParamsPanel().getCurrentSite(), item.getName());
        }
        // Flag the item accordingly
        item.addFlag(HtmlParameter.Flags.session.name());
        // Repaint so change shows up
        this.getParamsPanel().getParamsTable().repaint();
    }
}
Also used : ExtensionHttpSessions(org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions)

Aggregations

ExtensionHttpSessions (org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions) 4
JSONObject (net.sf.json.JSONObject) 1
ApiDynamicActionImplementor (org.zaproxy.zap.extension.api.ApiDynamicActionImplementor) 1
ApiException (org.zaproxy.zap.extension.api.ApiException) 1
HttpSession (org.zaproxy.zap.extension.httpsessions.HttpSession) 1
ExtensionUserManagement (org.zaproxy.zap.extension.users.ExtensionUserManagement) 1
Context (org.zaproxy.zap.model.Context) 1
User (org.zaproxy.zap.users.User) 1