use of org.zaproxy.zap.extension.script.ScriptWrapper in project zaproxy by zaproxy.
the class ScriptsPassiveScanner method scanHttpResponseReceive.
/**
 * Runs every enabled passive scan script against a received HTTP response.
 *
 * <p>Does nothing when {@code getExtension()} returns {@code null}. Otherwise the history
 * reference id is recorded in {@code currentHRefId} and each script of type
 * {@code ExtensionPassiveScan.SCRIPT_TYPE_PASSIVE} is visited in turn. Disabled scripts are
 * skipped. A script that cannot be exposed as a {@link PassiveScript} is reported through
 * {@code handleFailedScriptInterface}.
 *
 * <p>The {@code try} block sits inside the loop, so an {@link Exception} thrown by one script is
 * handed to {@code handleScriptException} and the remaining scripts still run. Only
 * {@code Exception} is caught; any other {@code Throwable} propagates to the caller.
 *
 * @param msg the message whose response is being scanned
 * @param id the id stored in {@code currentHRefId} before the scripts run
 * @param source passed through unchanged to each script's {@code scan} call
 */
@Override
public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
    if (this.getExtension() == null) {
        // Without the script extension there are no scripts to run.
        return;
    }

    currentHRefId = id;
    for (ScriptWrapper wrapper : extension.getScripts(ExtensionPassiveScan.SCRIPT_TYPE_PASSIVE)) {
        try {
            if (!wrapper.isEnabled()) {
                continue;
            }
            PassiveScript passiveScript = extension.getInterface(wrapper, PassiveScript.class);
            if (passiveScript == null) {
                // The script does not implement the passive-scan interface: report it, do not run it.
                extension.handleFailedScriptInterface(
                        wrapper,
                        Constant.messages.getString(
                                "pscan.scripts.interface.passive.error", wrapper.getName()));
                continue;
            }
            passiveScript.scan(this, msg, source);
        } catch (Exception e) {
            // Script code is user supplied; a failure is reported per script and the loop continues.
            extension.handleScriptException(wrapper, e);
        }
    }
}
use of org.zaproxy.zap.extension.script.ScriptWrapper in project zaproxy by zaproxy.
the class ScriptsPassiveScannerUnitTest method shouldCreateScriptsCacheWithExpectedConfiguration.
/**
 * Checks that constructing a {@code ScriptsPassiveScanner} requests a scripts cache whose
 * configuration carries the expected script type, target interface and a usable
 * interface-error message provider.
 */
@Test
@SuppressWarnings("unchecked")
void shouldCreateScriptsCacheWithExpectedConfiguration() {
    // Given / When - the constructor call is the action under test
    new ScriptsPassiveScanner();

    // Then - capture the configuration handed to the script extension
    ArgumentCaptor<Configuration<PassiveScript>> configCaptor =
            ArgumentCaptor.forClass(Configuration.class);
    verify(extensionScript).createScriptsCache(configCaptor.capture());
    Configuration<PassiveScript> captured = configCaptor.getValue();

    assertThat(captured.getScriptType(), is(equalTo(SCRIPT_TYPE)));
    assertThat(captured.getTargetInterface(), is(equalTo(TARGET_INTERFACE)));

    // The provider must exist and must yield a message for a script that has a name.
    InterfaceErrorMessageProvider messageProvider = captured.getInterfaceErrorMessageProvider();
    assertThat(messageProvider, is(not(nullValue())));
    ScriptWrapper namedScript = mock(ScriptWrapper.class);
    given(namedScript.getName()).willReturn("Name");
    assertThat(messageProvider.getErrorMessage(namedScript), is(not(nullValue())));
}
use of org.zaproxy.zap.extension.script.ScriptWrapper in project zaproxy by zaproxy.
the class VariantFactory method createVariants.
/**
 * Builds the list of input-vector variants to apply to a message, based on the scanner options.
 *
 * <p>Two bit masks drive the selection: {@code getTargetParamsInjectable()} chooses the request
 * locations (query string, POST data, headers, URL path, cookies) and
 * {@code getTargetParamsEnabledRPC()} chooses the structured formats and script/user-defined
 * variants. Variants are appended in a fixed order and callers receive them in that order.
 *
 * <p>Coverage notes visible in this method:
 *
 * <ul>
 *   <li>The header variant is added for every request only when
 *       {@code isScanHeadersAllRequests()} is set. Otherwise it is added only when the request
 *       has a non-empty raw query or a non-empty body, so requests without parameters get no
 *       header variant.
 *   <li>The DDN path variant is added together with the query-string variant, but only when the
 *       URL path target is not selected.
 *   <li>Script-backed variants are created only for enabled scripts of type
 *       {@code ExtensionActiveScan.SCRIPT_TYPE_VARIANT}, and only when {@code getExtension()}
 *       is not {@code null}.
 * </ul>
 *
 * @param scanOptions the scanner options supplying both bit masks and per-variant settings
 * @param message the message being scanned; read only to decide whether to add the header variant
 * @return a new list holding the selected variants, after {@code addCustomVariants} has run on it
 */
public List<Variant> createVariants(ScannerParam scanOptions, HttpMessage message) {
    List<Variant> variants = new ArrayList<>();

    final int targetMask = scanOptions.getTargetParamsInjectable();
    final int rpcMask = scanOptions.getTargetParamsEnabledRPC();

    // Decode the request-location bits once.
    final boolean queryStringTargeted = (targetMask & ScannerParam.TARGET_QUERYSTRING) != 0;
    final boolean postDataTargeted = (targetMask & ScannerParam.TARGET_POSTDATA) != 0;
    final boolean headersTargeted = (targetMask & ScannerParam.TARGET_HTTPHEADERS) != 0;
    final boolean urlPathTargeted = (targetMask & ScannerParam.TARGET_URLPATH) != 0;
    final boolean cookiesTargeted = (targetMask & ScannerParam.TARGET_COOKIE) != 0;

    // URL query string, plus the OData and DDN variants that depend on it.
    if (queryStringTargeted) {
        VariantURLQuery urlQuery = new VariantURLQuery();
        urlQuery.setAddQueryParam(scanOptions.isAddQueryParam());
        variants.add(urlQuery);

        if ((rpcMask & ScannerParam.RPC_ODATA) != 0) {
            variants.add(new VariantODataIdQuery());
            variants.add(new VariantODataFilterQuery());
        }

        if (!urlPathTargeted) {
            // URL path is not being scanned, so DDN is handled alongside the query string.
            variants.add(new VariantDdnPath());
        }
    }

    // POST data: plain form fields first, then each enabled structured body format.
    if (postDataTargeted) {
        variants.add(new VariantFormQuery());

        if ((rpcMask & ScannerParam.RPC_MULTIPART) != 0) {
            variants.add(new VariantMultipartFormParameters());
        }
        if ((rpcMask & ScannerParam.RPC_XML) != 0) {
            variants.add(new VariantXMLQuery());
        }
        if ((rpcMask & ScannerParam.RPC_JSON) != 0) {
            VariantJSONQuery jsonQuery = new VariantJSONQuery();
            jsonQuery.setScanNullValues(scanOptions.isScanNullJsonValues());
            variants.add(jsonQuery);
        }
        if ((rpcMask & ScannerParam.RPC_GWT) != 0) {
            variants.add(new VariantGWTQuery());
        }
        if ((rpcMask & ScannerParam.RPC_DWR) != 0) {
            variants.add(new VariantDirectWebRemotingQuery());
        }
    }

    // HTTP headers: always when configured for all requests, otherwise only for requests that
    // carry a query string or a body (used here as the sign of a dynamic page).
    if (headersTargeted) {
        boolean scanHeaders = scanOptions.isScanHeadersAllRequests();
        if (!scanHeaders) {
            char[] rawQuery = message.getRequestHeader().getURI().getRawQuery();
            boolean hasQuery = rawQuery != null && rawQuery.length != 0;
            scanHeaders = hasQuery || message.getRequestBody().length() != 0;
        }
        if (scanHeaders) {
            variants.add(new VariantHeader());
        }
    }

    if (urlPathTargeted) {
        variants.add(new VariantURLPath());
    }

    if (cookiesTargeted) {
        variants.add(new VariantCookie());
    }

    // Script-defined variants: one per enabled variant script.
    if ((rpcMask & ScannerParam.RPC_CUSTOM) != 0 && getExtension() != null) {
        for (ScriptWrapper wrapper :
                getExtension().getScripts(ExtensionActiveScan.SCRIPT_TYPE_VARIANT)) {
            if (!wrapper.isEnabled()) {
                continue;
            }
            variants.add(new VariantCustom(wrapper, getExtension()));
        }
    }

    if ((rpcMask & ScannerParam.RPC_USERDEF) != 0) {
        variants.add(new VariantUserDefined());
    }

    addCustomVariants(variants);
    return variants;
}
use of org.zaproxy.zap.extension.script.ScriptWrapper in project zaproxy by zaproxy.
the class VariantCustomUnitTest method shouldReturnNullLeafNameWithDisabledScript.
/**
 * Checks that a {@code VariantCustom} built on a disabled script returns {@code null} from
 * {@code getLeafName}, even though the underlying {@code VariantScript} is stubbed to return a
 * name.
 */
@Test
void shouldReturnNullLeafNameWithDisabledScript() throws Exception {
    // Given - a script wrapper that reports itself as disabled
    String originalName = "name";
    String scriptProvidedName = "newname";
    ScriptWrapper disabledWrapper = mock(ScriptWrapper.class);
    given(disabledWrapper.isEnabled()).willReturn(false);

    VariantScript scriptImpl = mock(VariantScript.class);
    ExtensionScript scriptExtension = mock(ExtensionScript.class);
    // Stub the interface lookup before the variant is constructed.
    given(scriptExtension.getInterface(disabledWrapper, VariantScript.class))
            .willReturn(scriptImpl);
    VariantCustom variant = new VariantCustom(disabledWrapper, scriptExtension);

    HttpMessage message = mock(HttpMessage.class);
    // The script would return a name if it were consulted.
    given(scriptImpl.getLeafName(variant, originalName, message)).willReturn(scriptProvidedName);

    // When
    String leafName = variant.getLeafName(originalName, message);

    // Then - the disabled script's answer is not used
    assertThat(leafName, is(equalTo(null)));
}
use of org.zaproxy.zap.extension.script.ScriptWrapper in project zaproxy by zaproxy.
the class VariantCustomUnitTest method shouldReturnNullTreePathWithScriptException.
/**
 * Checks that {@code VariantCustom.getTreePath} returns {@code null} when the underlying
 * {@code VariantScript} is stubbed to throw a {@code RuntimeException}.
 */
@Test
void shouldReturnNullTreePathWithScriptException() throws Exception {
    // Given
    // NOTE(review): isEnabled() is not stubbed here, so this Mockito mock returns false for it.
    // If VariantCustom skips disabled scripts, null comes back without the throwing stub ever
    // being called and the exception handling is not exercised - confirm against VariantCustom.
    ScriptWrapper wrapper = mock(ScriptWrapper.class);

    String scriptPath = "newpath";
    List<String> pathSegments = new ArrayList<>();
    pathSegments.add(scriptPath);

    VariantScript scriptImpl = mock(VariantScript.class);
    ExtensionScript scriptExtension = mock(ExtensionScript.class);
    // Stub the interface lookup before the variant is constructed.
    given(scriptExtension.getInterface(wrapper, VariantScript.class)).willReturn(scriptImpl);
    VariantCustom variant = new VariantCustom(wrapper, scriptExtension);

    HttpMessage message = mock(HttpMessage.class);
    given(scriptImpl.getTreePath(variant, message)).willThrow(RuntimeException.class);

    // When
    List<String> treePath = variant.getTreePath(message);

    // Then
    assertThat(treePath, is(equalTo(null)));
}