use of org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions in project zaproxy by zaproxy.
the class SiteParameters method addParam.
/**
 * Records one observation of {@code param} on {@code site} and returns its statistics entry.
 *
 * <p>Cookie, URL and form parameters are tracked in their own per-type maps, keyed by
 * parameter name. A parameter already present in its map has its usage counter incremented
 * and the observed value added. Otherwise a new entry is created, stored, and registered with
 * the model. A new cookie entry is flagged as a session token when the HttpSessions extension
 * is available and reports the cookie name as a session token for the site.
 *
 * <p>Observed values are kept in the entry, so for session cookies the stored statistics hold
 * live session identifiers; treat exported or saved parameter data accordingly.
 *
 * @param site the site the parameter was seen on
 * @param param the observed parameter
 * @param msg the message the parameter came from (not read by this method)
 * @return the existing or newly created statistics entry for the parameter
 */
public HtmlParameterStats addParam(String site, HtmlParameter param, HttpMessage msg) {
    Map<String, HtmlParameterStats> statsByName = null;
    switch (param.getType()) {
        case cookie:
            statsByName = cookieParams;
            break;
        case url:
            statsByName = urlParams;
            break;
        case form:
            statsByName = formParams;
            break;
        default:
            // Any other parameter type has no per-type map here.
            break;
    }

    if (statsByName != null && statsByName.containsKey(param.getName())) {
        // Already tracked: count the use and remember the value that was sent.
        HtmlParameterStats known = statsByName.get(param.getName());
        known.incTimesUsed();
        known.addValue(param.getValue());
        return known;
    }

    // First sighting of this parameter.
    HtmlParameterStats created = new HtmlParameterStats(site, param.getName(), param.getType(), param.getValue(), param.getFlags());

    // The HttpSessions extension is optional. Only cookies are checked against its
    // session-token list, so tokens carried in the URL are not flagged here.
    // TODO: Add support for URL tokens
    ExtensionHttpSessions extSession = extension.getExtensionHttpSessions();
    if (extSession != null
            && param.getType().equals(Type.cookie)
            && extSession.isSessionToken(site, param.getName())) {
        created.addFlag(HtmlParameter.Flags.session.name());
    }

    if (statsByName == null) {
        // NOTE(review): this map is local and is dropped when the method returns, so a
        // parameter of any other type is registered with the model on every call but is
        // never found again by the lookup above. Confirm that is intended.
        statsByName = new HashMap<>();
    }
    statsByName.put(param.getName(), created);
    model.addHtmlParameterStats(created);
    return created;
}
use of org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions in project zaproxy by zaproxy.
the class ManualAuthenticationMethodType method getSetCredentialsForUserApiAction.
/**
 * Builds the API action that sets a user's manual-authentication credentials to an existing
 * HTTP session, identified by name.
 *
 * <p>The returned implementor resolves the context and user from the request parameters,
 * rejects the call if the context's authentication method is not of this type, and then
 * looks the session up by exact name among the sessions the HttpSessions extension reports
 * for that context. A session belonging to another context is therefore never selected.
 *
 * @return the implementor for the {@code ACTION_SET_CREDENTIALS} action
 */
@Override
public ApiDynamicActionImplementor getSetCredentialsForUserApiAction() {
    final String[] actionParams = { PARAM_SESSION_NAME };
    return new ApiDynamicActionImplementor(ACTION_SET_CREDENTIALS, actionParams, null) {

        /**
         * Assigns the named HTTP session to the user as authentication credentials.
         *
         * @param params the API request parameters (context id, user id, session name)
         * @throws ApiException if the context's authentication method is of another type,
         *     the user does not exist, the HttpSessions extension is not loaded, or no
         *     session with the given name exists in the context; presumably also raised
         *     by the {@code ApiUtils} lookups for missing or invalid parameters
         */
        @Override
        public void handleAction(JSONObject params) throws ApiException {
            Context context = ApiUtils.getContextByParamId(params, UsersAPI.PARAM_CONTEXT_ID);
            int userId = ApiUtils.getIntParam(params, UsersAPI.PARAM_USER_ID);

            // Credentials of this type only make sense for a context that uses the
            // matching authentication method.
            if (!isTypeForMethod(context.getAuthenticationMethod())) {
                String contextMethodName = context.getAuthenticationMethod().getType().getName();
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, "User's credentials should match authentication method type of the context: " + contextMethodName);
            }

            // No null check on the Users extension: this method is called only if that
            // extension is loaded.
            ExtensionUserManagement userManagement = (ExtensionUserManagement) Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.NAME);
            User targetUser = userManagement.getContextUserAuthManager(context.getIndex()).getUserById(userId);
            if (targetUser == null) {
                throw new ApiException(Type.USER_NOT_FOUND, UsersAPI.PARAM_USER_ID);
            }

            String sessionName = ApiUtils.getNonEmptyStringParam(params, PARAM_SESSION_NAME);

            // The HttpSessions extension, unlike the Users extension, may be absent.
            ExtensionHttpSessions httpSessionsExt = (ExtensionHttpSessions) Control.getSingleton().getExtensionLoader().getExtension(ExtensionHttpSessions.NAME);
            if (httpSessionsExt == null) {
                throw new ApiException(Type.NO_IMPLEMENTOR, "HttpSessions extension is not loaded.");
            }

            // Search only the sessions of the resolved context; the first exact name match wins.
            List<HttpSession> contextSessions = httpSessionsExt.getHttpSessionsForContext(context);
            HttpSession selected = null;
            for (HttpSession candidate : contextSessions) {
                if (!candidate.getName().equals(sessionName)) {
                    continue;
                }
                selected = candidate;
                break;
            }
            if (selected == null) {
                throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SESSION_NAME);
            }

            // Bind the session to the user.
            ManualAuthenticationCredentials manualCredentials = createAuthenticationCredentials();
            manualCredentials.setSelectedSession(selected);
            targetUser.setAuthenticationCredentials(manualCredentials);
        }
    };
}
use of org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions in project zaproxy by zaproxy.
the class ExtensionParams method removeSessionToken.
/**
 * Stops treating the parameter selected in the params panel as a session token.
 *
 * <p>When the {@link ExtensionHttpSessions} is available it is told to drop the token for the
 * panel's current site. The session flag is then removed from the parameter and the table is
 * repainted. Does nothing when no parameter is selected.
 */
public void removeSessionToken() {
    HtmlParameterStats selected = this.getParamsPanel().getSelectedParam();
    if (selected == null) {
        // Nothing is selected, so there is nothing to unmark.
        return;
    }

    // The HttpSessions extension is optional; notify it only when it is present.
    ExtensionHttpSessions httpSessions = this.getExtensionHttpSessions();
    if (httpSessions != null) {
        httpSessions.removeHttpSessionToken(this.getParamsPanel().getCurrentSite(), selected.getName());
    }

    // The flag is cleared whether or not the extension was notified.
    selected.removeFlag(HtmlParameter.Flags.session.name());

    // Redraw the table so the change is visible.
    this.getParamsPanel().getParamsTable().repaint();
}
use of org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions in project zaproxy by zaproxy.
the class ExtensionParams method addSessionToken.
/**
 * Marks the parameter selected in the params panel as a session token.
 *
 * <p>When the {@link ExtensionHttpSessions} is available it is told about the new token for
 * the panel's current site. The session flag is then added to the parameter and the table is
 * repainted. Does nothing when no parameter is selected.
 */
public void addSessionToken() {
    HtmlParameterStats selected = this.getParamsPanel().getSelectedParam();
    if (selected == null) {
        // Nothing is selected, so there is nothing to mark.
        return;
    }

    // The HttpSessions extension is optional; notify it only when it is present.
    ExtensionHttpSessions httpSessions = this.getExtensionHttpSessions();
    if (httpSessions != null) {
        httpSessions.addHttpSessionToken(this.getParamsPanel().getCurrentSite(), selected.getName());
    }

    // The flag is set whether or not the extension was notified, so without the extension
    // the marking exists only in this panel's statistics.
    selected.addFlag(HtmlParameter.Flags.session.name());

    // Redraw the table so the change is visible.
    this.getParamsPanel().getParamsTable().repaint();
}