diff --git a/tool/.gitignore b/tool/.gitignore
new file mode 100644
index 0000000..b63da45
--- /dev/null
+++ b/tool/.gitignore
@@ -0,0 +1,42 @@
+.gradle
+build/
+!gradle/wrapper/gradle-wrapper.jar
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### IntelliJ IDEA ###
+.idea/modules.xml
+.idea/jarRepositories.xml
+.idea/compiler.xml
+.idea/libraries/
+*.iws
+*.iml
+*.ipr
+out/
+!**/src/main/**/out/
+!**/src/test/**/out/
+
+### Eclipse ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+bin/
+!**/src/main/**/bin/
+!**/src/test/**/bin/
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+
+### VS Code ###
+.vscode/
+
+### Mac OS ###
+.DS_Store
\ No newline at end of file
diff --git a/tool/.gitignore.txt b/tool/.gitignore.txt
deleted file mode 100644
index 4ac0fc7..0000000
--- a/tool/.gitignore.txt
+++ /dev/null
@@ -1,80 +0,0 @@
-# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
-# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
-
-# User-specific stuff
-.idea/**/workspace.xml
-.idea/**/tasks.xml
-.idea/**/usage.statistics.xml
-.idea/**/dictionaries
-.idea/**/shelf
-
-# AWS User-specific
-.idea/**/aws.xml
-
-# Generated files
-.idea/**/contentModel.xml
-
-# Sensitive or high-churn files
-.idea/**/dataSources/
-.idea/**/dataSources.ids
-.idea/**/dataSources.local.xml
-.idea/**/sqlDataSources.xml
-.idea/**/dynamic.xml
-.idea/**/uiDesigner.xml
-.idea/**/dbnavigator.xml
-
-# Gradle
-.idea/**/gradle.xml
-.idea/**/libraries
-
-# Gradle and Maven with auto-import
-# When using Gradle or Maven with auto-import, you should exclude module files,
-# since they will be recreated, and may cause churn. Uncomment if using
-# auto-import.
-.idea/artifacts
-.idea/compiler.xml
-.idea/jarRepositories.xml
-.idea/modules.xml
-.idea/*.iml
-.idea/modules
-*.iml
-*.ipr
-
-# CMake
-cmake-build-*/
-
-# Mongo Explorer plugin
-.idea/**/mongoSettings.xml
-
-# File-based project format
-*.iws
-
-# IntelliJ
-out/
-
-# Build files
-target/
-
-# mpeltonen/sbt-idea plugin
-.idea_modules/
-
-# JIRA plugin
-atlassian-ide-plugin.xml
-
-# Cursive Clojure plugin
-.idea/replstate.xml
-
-# SonarLint plugin
-.idea/sonarlint/
-
-# Crashlytics plugin (for Android Studio and IntelliJ)
-com_crashlytics_export_strings.xml
-crashlytics.properties
-crashlytics-build.properties
-fabric.properties
-
-# Editor-based Rest Client
-.idea/httpRequests
-
-# Android studio 3.1+ serialized cache file
-.idea/caches/build_file_checksums.ser
\ No newline at end of file
diff --git a/tool/CHANGELOG.md b/tool/CHANGELOG.md
index 1b970ac..ecc0be2 100644
--- a/tool/CHANGELOG.md
+++ b/tool/CHANGELOG.md
@@ -2,4 +2,4 @@ ## [0.0.1] - 2024-10-01 ### Added
-- Addon creato nella cartela zap-extension
\ No newline at end of file
+- Addon created in separated project
\ No newline at end of file
diff --git a/tool/build.gradle.kts b/tool/build.gradle.kts
new file mode 100644
index 0000000..1bc5bff
--- /dev/null
+++ b/tool/build.gradle.kts
@@ -0,0 +1,46 @@
+//import org.zaproxy.gradle.addon.AddOnPlugin
+//import org.zaproxy.gradle.addon.AddOnStatus
+
+plugins {
+id("java")
+id("org.zaproxy.add-on") version "0.11.0"
+}
+
+version = "0.0.1"
+description = "A new description."
+
+zapAddOn {
+addOnName.set("migt")
+zapVersion.set("2.15.0")
+
+manifest {
+author.set("FBK")
+}
+}
+
+repositories {
+mavenCentral()
+}
+
+dependencies {
+implementation("org.json:json:20240303")
+implementation("com.nimbusds:nimbus-jose-jwt:9.31")
+implementation("org.bouncycastle:bcpkix-jdk15on:1.70")
+implementation("com.google.code.gson:gson:2.10.1")
+implementation("org.seleniumhq.selenium:selenium-java:4.13.0")
+implementation("org.apache.santuario:xmlsec:3.0.0")
+implementation("com.sun.xml.security:xml-security-impl:1.0")
+implementation("com.jayway.jsonpath:json-path:2.9.0")
+implementation("net.minidev:json-smart:2.4.10")
+implementation("org.apache.httpcomponents:httpclient:4.5.14")
+implementation("org.apache.httpcomponents:httpcore:4.4.16")
+implementation("com.networknt:json-schema-validator:1.0.78")
+implementation("org.apache.commons:commons-text:1.10.0")
+implementation("commons-codec:commons-codec:1.16.0")
+testImplementation(platform("org.junit:junit-bom:5.10.0"))
+testImplementation("org.junit.jupiter:junit-jupiter")
+}
+
+tasks.test {
+useJUnitPlatform()
+}
diff --git a/tool/gradle.properties b/tool/gradle.properties
deleted file mode 100644
index bf17fa0..0000000
--- a/tool/gradle.properties
+++ /dev/null
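Review bot: `implementation("org.bouncycastle:bcpkix-jdk15on:1.70")` in the new dependencies block pins the discontinued jdk15on artifact line, whose last release was 1.70; the maintained line is `org.bouncycastle:bcpkix-jdk18on`, and the add-on should move to a current release of it (published advisories exist against the older line, which an SCA scan will confirm). `org.apache.santuario:xmlsec:3.0.0` and `com.nimbusds:nimbus-jose-jwt:9.31` are likewise several patch releases behind their lines, and `com.sun.xml.security:xml-security-impl:1.0` is a very old artifact whose `org.apache.xml.security` packages overlap with santuario, so two copies of those classes land on the add-on classpath with load order deciding which one runs. Relative to the deleted migt.gradle.kts, the `network` add-on is no longer declared in the manifest nor as `zapAddOn("network")`; if any source still uses it this will only surface at runtime inside ZAP rather than at build time. `description = "A new description."` is template placeholder text and should say what the add-on does.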
@@ -1,6 +0,0 @@ -version=1 -release=false - - -# Imposta la memoria heap e il metaspace della JVM -#org.gradle.jvmargs=-Xmx2048m -XX:MaxMetaspaceSize=512m \ No newline at end of file diff --git a/tool/gradlew b/tool/gradlew index b740cf1..1b6c787 100644 --- a/tool/gradlew +++ b/tool/gradlew @@ -55,7 +55,7 @@ # Darwin, MinGW, and NonStop. # # (3) This script is generated from the Groovy template -# https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt # within the Gradle project. # # You can find Gradle at https://github.com/gradle/gradle/. @@ -80,11 +80,13 @@ do esac done -# This is normally unused -# shellcheck disable=SC2034 +APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit + +APP_NAME="Gradle" APP_BASE_NAME=${0##*/} -# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) -APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' # Use the maximum available, or set MAX_FD != -1 to use that value. MAX_FD=maximum 
@@ -131,29 +133,22 @@ location of your Java installation." fi else JAVACMD=java - if ! command -v java >/dev/null 2>&1 - then - die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." - fi fi # Increase the maximum file descriptors if we can. if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then case $MAX_FD in #( max*) - # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. - # shellcheck disable=SC2039,SC3045 MAX_FD=$( ulimit -H -n ) || warn "Could not query maximum file descriptor limit" esac case $MAX_FD in #( '' | soft) :;; #( *) - # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. - # shellcheck disable=SC2039,SC3045 ulimit -n "$MAX_FD" || warn "Could not set maximum file descriptor limit to $MAX_FD" esac 
@@ -198,15 +193,11 @@ if "$cygwin" || "$msys" ; then done fi - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' - -# Collect all arguments for the java command: -# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, -# and any embedded shellness will be escaped. -# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be -# treated as '${Hostname}' itself on the command line. +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. set -- \ "-Dorg.gradle.appname=$APP_BASE_NAME" \ @@ -214,12 +205,6 @@ set -- \ org.gradle.wrapper.GradleWrapperMain \ "$@" -# Stop when "xargs" is not available. -if ! command -v xargs >/dev/null 2>&1 -then - die "xargs is not available" -fi - # Use "xargs" to parse quoted args. # # With -n1 it outputs one arg per line, with the quotes and backslashes removed. diff --git a/tool/gradlew.bat b/tool/gradlew.bat index 25da30d..107acd3 100644 --- a/tool/gradlew.bat +++ b/tool/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%"=="" @echo off +@if "%DEBUG%" == "" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @@ -25,8 +25,7 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%"=="" set DIRNAME=. -@rem This is normally unused +if "%DIRNAME%" == "" set DIRNAME=. set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% 
@@ -41,13 +40,13 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if %ERRORLEVEL% equ 0 goto execute +if "%ERRORLEVEL%" == "0" goto execute -echo. 1>&2 -echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 -echo. 1>&2 -echo Please set the JAVA_HOME variable in your environment to match the 1>&2 -echo location of your Java installation. 1>&2 +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. goto fail @@ -57,11 +56,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe if exist "%JAVA_EXE%" goto execute -echo. 1>&2 -echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 -echo. 1>&2 -echo Please set the JAVA_HOME variable in your environment to match the 1>&2 -echo location of your Java installation. 1>&2 +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. goto fail @@ -76,15 +75,13 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar :end @rem End local scope for the variables with windows NT shell -if %ERRORLEVEL% equ 0 goto mainEnd +if "%ERRORLEVEL%"=="0" goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -set EXIT_CODE=%ERRORLEVEL% -if %EXIT_CODE% equ 0 set EXIT_CODE=1 -if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% -exit /b %EXIT_CODE% +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/tool/migt.gradle.kts b/tool/migt.gradle.kts deleted file mode 100644 index 93d4410..0000000 --- a/tool/migt.gradle.kts +++ /dev/null 
@@ -1,97 +0,0 @@
-plugins {
-id("java")
-id("com.diffplug.spotless")
-}
-
-version = "0.0.1"
-description = "A new description."
-
-zapAddOn {
-addOnName.set("migt")
-zapVersion.set("2.15.0")
-
-manifest {
-author.set("FBK")
-
-dependencies {
-addOns {
-register("network") {
-version.set(">=0.11.0")
-}
-}
-}
-}
-}
-
-repositories {
-mavenCentral()
-}
-
-dependencies {
-zapAddOn("network")
-implementation("org.json:json:20240303")
-implementation("com.nimbusds:nimbus-jose-jwt:9.31")
-implementation("org.bouncycastle:bcpkix-jdk15on:1.70")
-implementation("com.google.code.gson:gson:2.10.1")
-implementation("org.seleniumhq.selenium:selenium-java:4.13.0")
-implementation("org.apache.santuario:xmlsec:3.0.0")
-implementation("com.sun.xml.security:xml-security-impl:1.0")
-implementation("com.jayway.jsonpath:json-path:2.9.0")
-implementation("net.minidev:json-smart:2.4.10")
-implementation("org.apache.httpcomponents:httpclient:4.5.14")
-implementation("org.apache.httpcomponents:httpcore:4.4.16")
-implementation("com.networknt:json-schema-validator:1.0.78")
-implementation("org.apache.commons:commons-text:1.10.0")
-implementation("commons-codec:commons-codec:1.16.0")
-implementation("org.zaproxy:zap:2.15.0")
-implementation("org.zaproxy:zap-clientapi:1.14.0")
-testImplementation(platform("org.junit:junit-bom:5.10.0"))
-testImplementation("org.junit.jupiter:junit-jupiter")
-}
-
-tasks.test {
-useJUnitPlatform()
-}
-
-spotless {
-javaWith3rdPartyFormatted(
-project,
-listOf(
-"src/**/ZAPextender.java",
-),
-listOf(
-"src/**/BurpCertificateBuilder.java",
-"src/**/CertificateTabController.java",
-"src/**/SamlTabController.java",
-"src/**/CertificateTab.java",
-"src/**/ImagePanel.java",
-"src/**/SamlMain.java",
-"src/**/SamlPanelAction.java",
-"src/**/SamlPanelInfo.java",
-"src/**/SignatureHelpWindow.java",
-"src/**/XSWHelpWindow.java",
-"src/**/CertificateHelper.java",
-"src/**/FileHelper.java",
-"src/**/Flags.java",
-"src/**/XMLHelpers.java",
-"src/**/BurpCertificate.java",
-"src/**/BurpCertificateExtension.java",
-"src/**/BurpCertificateStore.java",
-"src/**/ObjectIdentifier.java",
-),
-)
-}
-
-crowdin {
-configuration {
-val resourcesPath = "org/zaproxy/addon/${zapAddOn.addOnId.get()}/resources/"
-tokens.put("%messagesPath%", resourcesPath)
-tokens.put("%helpPath%", resourcesPath)
-}
-}
-
-// tasks.register("wrapper") {
-// gradleVersion = "5.6.4"
-// }
-
-tasks.register("prepareKotlinBuildScriptModel") {}
diff --git a/tool/settings.gradle.kts b/tool/settings.gradle.kts
new file mode 100644
index 0000000..bb56b53
--- /dev/null
+++ b/tool/settings.gradle.kts
@@ -0,0 +1,2 @@
+rootProject.name = "MIG-T_indipendent"
+
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/API.java b/tool/src/main/java/org/zaproxy/addon/migt/API.java
index f3a8189..33cda3b 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/API.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/API.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 /** The API class stores the API of a Module, this class is inherited by all the other APIs */
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/At_Hash_check.java b/tool/src/main/java/org/zaproxy/addon/migt/At_Hash_check.java
index d81df72..be2f8c1 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/At_Hash_check.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/At_Hash_check.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import java.security.MessageDigest;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/At_Hash_update.java b/tool/src/main/java/org/zaproxy/addon/migt/At_Hash_update.java
index 26df4af..0383287 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/At_Hash_update.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/At_Hash_update.java
@@ -1,22 +1,3 @@ -/* - * Zed Attack Proxy (ZAP) and its related class files. - * - * ZAP is an HTTP/HTTPS proxy for assessing web application security. - * - * Copyright 2024 The ZAP Development Team - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ package org.zaproxy.addon.migt; import java.security.MessageDigest; @@ -133,6 +114,7 @@ public void execute() { j.private_key_pem = sign_key; new_id_token = j.build(); } catch (ParsingException e) { + System.out.println("Error position is At_Hash_update 1"); applicable = false; return; } diff --git a/tool/src/main/java/org/zaproxy/addon/migt/Check.java b/tool/src/main/java/org/zaproxy/addon/migt/Check.java index f0c1c0c..762a428 100644 --- a/tool/src/main/java/org/zaproxy/addon/migt/Check.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/Check.java 
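Review bot: The `System.out.println("Error position is At_Hash_update 1");` added in the `catch (ParsingException e)` block records where the failure happened but discards the exception itself, so an operator sees no reason why the id_token could not be rebuilt; at minimum include it, `System.out.println("At_Hash_update: cannot rebuild id_token: " + e.getMessage());`, or route it through whatever logger the add-on uses, if one exists, at warn level. The same "Error position is …" print with the exception dropped is repeated in DecodeOperation, EditOperation, ExecuteActives and ExecutePassives in this commit. Separately, the first hunk strips the Apache-2.0 notice that every file under `org.zaproxy.addon.migt` carried; if this code was derived from ZAP add-on sources, the notice has to stay even after the move to a separate project. The `execute()` body starts and ends outside the hunk.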
@@ -1,22 +1,3 @@ -/* - * Zed Attack Proxy (ZAP) and its related class files. - * - * ZAP is an HTTP/HTTPS proxy for assessing web application security. - * - * Copyright 2024 The ZAP Development Team - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ package org.zaproxy.addon.migt; import com.fasterxml.jackson.core.JsonProcessingException; @@ -255,6 +236,7 @@ private boolean execute_regex(String input) throws ParsingException { Pattern p = Pattern.compile(regex); Matcher m = p.matcher(input); applicable = true; + System.out.println("Set true 1"); String val = ""; if (m.find()) { @@ -312,6 +294,7 @@ private boolean execute_http(HTTPReqRes message, boolean isRequest, List va if (msg_str.isEmpty()) { applicable = true; + System.out.println("Set true 2"); return this.op != null && op == CheckOps.IS_NOT_PRESENT; } @@ -324,6 +307,7 @@ private boolean execute_http(HTTPReqRes message, boolean isRequest, List va if (this.isParamCheck) { if (in == CheckIn.BODY) { + System.out.println("Error position is Check 1"); applicable = false; throw new ParsingException( "Invalid check operation, cannot do \"check param\" over body, " @@ -340,6 +324,7 @@ private boolean execute_http(HTTPReqRes message, boolean isRequest, List va Matcher m = p.matcher(msg_str); applicable = true; + System.out.println("Set true 3 <--"); String val = ""; if (m.find()) { 
@@ -350,6 +335,7 @@ private boolean execute_http(HTTPReqRes message, boolean isRequest, List va return do_check(val); } else { applicable = true; + System.out.println("Set true 4"); if (!msg_str.contains(this.what)) { if (this.op != null) { return this.op == CheckOps.IS_NOT_PRESENT; @@ -452,6 +438,7 @@ private boolean execute_json(List vars) throws ParsingException { if (op == CheckOps.IS_PRESENT | op == CheckOps.IS_NOT_PRESENT) { // whatever is the type of the value, if it is found return the result applicable = true; + System.out.println("Set true 5"); return op == CheckOps.IS_PRESENT; } @@ -494,12 +481,14 @@ private boolean execute_json(List vars) throws ParsingException { } catch (com.jayway.jsonpath.PathNotFoundException e) { applicable = true; + System.out.println("Set true 6"); return op == CheckOps.IS_NOT_PRESENT; } catch (ClassCastException e) { throw new ParsingException("Error in check, json matched value cast exception: " + e); } applicable = true; // at this point the path has been found so the check is applicable + System.out.println("Set true 7"); switch (op) { case IS: @@ -675,6 +664,7 @@ public boolean do_check(String val_to_check) throws ParsingException { public boolean execute(HTTPReqRes message, boolean isRequest, List vars) throws ParsingException { + System.out.println("entrato in execute senza API"); result = execute_http(message, isRequest, vars); return result; } @@ -685,6 +675,7 @@ public boolean execute(HTTPReqRes message, boolean isRequest, List vars) * @param vars the variables of the actual operation (test) */ public void execute(List vars) throws ParsingException { + System.out.println("entrato in execute con API"); if (imported_api instanceof Operation_API) { // If is inside a standard Operation result = diff --git a/tool/src/main/java/org/zaproxy/addon/migt/DecodeOperation.java b/tool/src/main/java/org/zaproxy/addon/migt/DecodeOperation.java index aa432ef..2735d74 100644 
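Review bot: The `System.out.println("entrato in execute senza API");` and `"entrato in execute con API"` lines added at the top of both `execute` overloads are untranslated Italian debug traces that fire on every check; together with the `"Set true 1"` … `"Set true 7"` prints in the preceding hunks of this file (including `"Set true 3 <--"`, which reads like a temporary breakpoint marker) they flood stdout during normal operation. Either remove them before merging or demote them to a debug-level logger call with an English message, e.g. `LOGGER.debug("Check.execute: direct HTTP path, no API");`, assuming the class can obtain a logger. The `"Error position is Check 1"` print placed just before `throw new ParsingException(...)` is redundant with the exception message. The body of `execute(List vars)` continues past the hunk.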
--- a/tool/src/main/java/org/zaproxy/addon/migt/DecodeOperation.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/DecodeOperation.java @@ -1,22 +1,3 @@ -/* - * Zed Attack Proxy (ZAP) and its related class files. - * - * ZAP is an HTTP/HTTPS proxy for assessing web application security. - * - * Copyright 2024 The ZAP Development Team - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ package org.zaproxy.addon.migt; import static org.zaproxy.addon.migt.Tools.executeDecodeOps; @@ -557,6 +538,7 @@ public void execute(List vars) throws ParsingException { decoded_content = decode(encodings, m.group()); } else { applicable = false; + System.out.println("Error position is DecodeOperation 1"); } break; } @@ -566,6 +548,7 @@ public void execute(List vars) throws ParsingException { found = JsonPath.read(j, decode_target); // select what to decode } catch (com.jayway.jsonpath.PathNotFoundException e) { applicable = false; + System.out.println("Error position is DecodeOperation 2"); result = false; return; } diff --git a/tool/src/main/java/org/zaproxy/addon/migt/DecodeOperation_API.java b/tool/src/main/java/org/zaproxy/addon/migt/DecodeOperation_API.java index 0897e79..66aeeaa 100644 --- a/tool/src/main/java/org/zaproxy/addon/migt/DecodeOperation_API.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/DecodeOperation_API.java 
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 public class DecodeOperation_API extends API {
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/EditOperation.java b/tool/src/main/java/org/zaproxy/addon/migt/EditOperation.java
index 2c8c90f..3d58445 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/EditOperation.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/EditOperation.java
@@ -1,22 +1,3 @@ -/* - * Zed Attack Proxy (ZAP) and its related class files. - * - * ZAP is an HTTP/HTTPS proxy for assessing web application security. - * - * Copyright 2024 The ZAP Development Team - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ package org.zaproxy.addon.migt; import static org.zaproxy.addon.migt.Tools.getVariableByName; @@ -391,6 +372,7 @@ public void execute_decodeOperation_API(List vars) throws ParsingException } } catch (PathNotFoundException e) { this.applicable = false; + System.out.println("Error position is EditOperation 1"); this.result = false; return; } diff --git a/tool/src/main/java/org/zaproxy/addon/migt/ExecuteActiveListener.java b/tool/src/main/java/org/zaproxy/addon/migt/ExecuteActiveListener.java index 51a5aff..82e96d1 100644 --- a/tool/src/main/java/org/zaproxy/addon/migt/ExecuteActiveListener.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/ExecuteActiveListener.java 
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 /** Listener class for ExecuteActive class */
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/ExecuteActives.java b/tool/src/main/java/org/zaproxy/addon/migt/ExecuteActives.java
index ef8439a..061be20 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/ExecuteActives.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/ExecuteActives.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import java.util.HashMap;
@@ -149,6 +130,8 @@ public void onError(String sessionName) { || actual_test.resultSession.equals( sessionName)) { actual_test.applicable = false; + System.out.println( + "Error position is ExecuteActives 1"); } synchronized (waiting) { waiting.notify(); @@ -275,6 +258,8 @@ public void onSetVar(Var v) { op.api.vars = actual_test.vars; } + + //TODO niccolo lech listener.onNewProcessOperation(op); synchronized (this.waiting) { @@ -301,6 +286,7 @@ public void onSetVar(Var v) { } } else { actual_test.applicable = false; + System.out.println("Error position is ExecuteActives 2"); for (String key : executions.keySet()) { executions.get(key).interrupt(); } @@ -311,6 +297,7 @@ public void onSetVar(Var v) { e.printStackTrace(); listener.onError(actual_test); actual_test.applicable = false; + System.out.println("Error position is ExecuteActives 3"); for (String key : executions.keySet()) { executions.get(key).interrupt(); } diff --git a/tool/src/main/java/org/zaproxy/addon/migt/ExecutePassiveListener.java b/tool/src/main/java/org/zaproxy/addon/migt/ExecutePassiveListener.java index 1ee0bd7..0f41b74 100644 --- a/tool/src/main/java/org/zaproxy/addon/migt/ExecutePassiveListener.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/ExecutePassiveListener.java 
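Review bot: `//TODO niccolo lech` added before `listener.onNewProcessOperation(op);` in the `@@ -275` hunk carries a name but no statement of what is left to do, so nobody can act on it or close it; replace it with `// TODO(niccolo): <what needs to change here and why>` or drop it. In the `@@ -311` hunk the new `System.out.println("Error position is ExecuteActives 3");` sits right after an existing `e.printStackTrace();`, so the same failure is now reported twice, to stdout and stderr in different formats; one log call carrying both the location and the exception would be clearer, and the `applicable = false` branches in the other two hunks could use the same call. The methods these hunks fall in start and end outside the hunks.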
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import java.util.ArrayList;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/ExecutePassives.java b/tool/src/main/java/org/zaproxy/addon/migt/ExecutePassives.java
index eacbaad..cf34526 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/ExecutePassives.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/ExecutePassives.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import java.util.ArrayList;
@@ -112,6 +93,7 @@ public void run() { res = actual_test.execute(executedSession.messages, messageTypes); } catch (ParsingException e) { actual_test.applicable = false; + System.out.println("Error position is ExecutePassives"); } System.out.println("Actual test result: " + res); diff --git a/tool/src/main/java/org/zaproxy/addon/migt/ExecuteTrack.java b/tool/src/main/java/org/zaproxy/addon/migt/ExecuteTrack.java index 6b4c560..935d251 100644 --- a/tool/src/main/java/org/zaproxy/addon/migt/ExecuteTrack.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/ExecuteTrack.java @@ -1,22 +1,3 @@ -/* - * Zed Attack Proxy (ZAP) and its related class files. - * - * ZAP is an HTTP/HTTPS proxy for assessing web application security. - * - * Copyright 2024 The ZAP Development Team - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ package org.zaproxy.addon.migt; import java.io.File; diff --git a/tool/src/main/java/org/zaproxy/addon/migt/ExecuteTrackListener.java b/tool/src/main/java/org/zaproxy/addon/migt/ExecuteTrackListener.java index 840a258..672180f 100644 --- a/tool/src/main/java/org/zaproxy/addon/migt/ExecuteTrackListener.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/ExecuteTrackListener.java 
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 /** Listener for the ExectuteTrack Object */
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/GUIclass.java b/tool/src/main/java/org/zaproxy/addon/migt/GUIclass.java
index a4986f4..495917a 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/GUIclass.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/GUIclass.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import com.google.gson.Gson;
@@ -55,7 +36,9 @@ import javax.swing.table.DefaultTableCellRenderer; import javax.swing.table.DefaultTableModel; import org.json.JSONArray; +import org.json.JSONException; import org.json.JSONObject; +import org.parosproxy.paros.Constant; import org.parosproxy.paros.network.HttpMalformedHeaderException; /** @@ -89,7 +72,7 @@ public class GUIclass extends JSplitPane { private static DefaultTableModel resultTableModel; private static DefaultTableModel testTableModel; final transient Object waiting = new Object(); - final String LOG_FOLDER = "logs/"; + final String LOG_FOLDER = Constant.getZapHome() + File.separator + "logs/"; private final String[] foundTableColNames = { "Op. num", "Message Type", "message section", "check/regex", "index", "result" }; @@ -108,8 +91,8 @@ public class GUIclass extends JSplitPane { String SAVE_FILE_PATH = ""; String RECORD_FILE_PATH = ""; boolean FILTERING = true; - String MSG_DEF_PATH = "msg_def.json"; - String CONFIG_FILE_PATH = "config.json"; + String MSG_DEF_PATH = Constant.getZapHome() + File.separator + "templates/msg_def.json"; + String CONFIG_FILE_PATH = Constant.getZapHome() + File.separator + "templates/config.json"; // GUI JTable resultTable; JTable testTable; @@ -289,7 +272,6 @@ private void readMsgDefFile() { } myReader.close(); messageTypes = Tools.readMsgTypesFromJson(content.toString()); // load message types - } catch (ParsingException e) { lblOutput.setText("Invalid message type in message type definition file"); e.printStackTrace(); @@ -345,11 +327,9 @@ private void readConfigFile() { } } catch (IOException e) { lblOutput.setText("cannot create message definition file: " + e); + } catch (JSONException e) { + lblOutput.setText("Invalid config file: " + e); } - // TODO fix, commented since there was an error - // catch (JSONException e) { - // lblOutput.setText("Invalid config file: " + e); - // } } /** 
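Review bot: The new `LOG_FOLDER`, `MSG_DEF_PATH` and `CONFIG_FILE_PATH` values mix `File.separator` with hard-coded `/` (`"logs/"`, `"templates/msg_def.json"`, `"templates/config.json"`), and they also assume `Constant.getZapHome()` does not already end with a separator — if it does, every path carries a doubled separator. Letting `java.io.File` join the segments removes both assumptions, e.g. `String MSG_DEF_PATH = new File(Constant.getZapHome(), "templates/msg_def.json").getPath();` and `String CONFIG_FILE_PATH = new File(Constant.getZapHome(), "templates/config.json").getPath();`, with `LOG_FOLDER` built the same way from `"logs"`. Since these files are now read from the user's ZAP home rather than the working directory, the `readMsgDefFile`/`readConfigFile` error text shown in `lblOutput` should name the resolved path so a missing or malformed template is easy to locate. The class `GUIclass` continues outside these hunks.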
@@ -384,12 +364,9 @@ private void editConfigFile(String key, String value) { w.close(); } catch (IOException e) { lblOutput.setText("cannot create message definition file: " + e); + } catch (JSONException e) { + lblOutput.setText("Invalid config file: " + e); } - - // TODO fix, commented since there was an error -// catch (JSONException e) { -// lblOutput.setText("Invalid config file: " + e); -// } } /** @@ -401,6 +378,7 @@ private void editConfigFile(String key, String value) { * @param jsonInput the json input */ private void readJSONinput(String jsonInput) { + sessions_names.clear(); txtSearch.setBorder(BorderFactory.createEmptyBorder()); setJSONError(false, ""); diff --git a/tool/src/main/java/org/zaproxy/addon/migt/HTTPReqRes.java b/tool/src/main/java/org/zaproxy/addon/migt/HTTPReqRes.java index 26f1ba1..199e79e 100644 --- a/tool/src/main/java/org/zaproxy/addon/migt/HTTPReqRes.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/HTTPReqRes.java @@ -1,22 +1,3 @@ -/* - * Zed Attack Proxy (ZAP) and its related class files. - * - * ZAP is an HTTP/HTTPS proxy for assessing web application security. - * - * Copyright 2024 The ZAP Development Team - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ package org.zaproxy.addon.migt; import java.net.MalformedURLException; 
@@ -40,6 +21,7 @@ import org.apache.http.util.CharArrayBuffer; import org.parosproxy.paros.db.DatabaseException; import org.parosproxy.paros.model.HistoryReference; +import org.parosproxy.paros.network.HtmlParameter; import org.parosproxy.paros.network.HttpHeaderField; import org.parosproxy.paros.network.HttpMalformedHeaderException; import org.parosproxy.paros.network.HttpMessage; @@ -164,10 +146,13 @@ public HTTPReqRes(HistoryReference hmsg) this.body_offset_req = message.getRequestHeader().toString().length(); this.body_offset_resp = message.getResponseHeader().toString().length(); - // da ottimizzare ma per il momento ok + this.headers_req.add(message.getRequestHeader().getPrimeHeader()); + this.headers_req.addAll(toStringList(message.getRequestHeader().getHeaders())); +// this.headers_req = toStringList(message.getRequestHeader().getHeaders()); - this.headers_req = toStringList(message.getRequestHeader().getHeaders()); - this.headers_resp = toStringList(message.getResponseHeader().getHeaders()); + this.headers_resp.add(message.getResponseHeader().getPrimeHeader()); + this.headers_resp.addAll(toStringList(message.getResponseHeader().getHeaders())); +// this.headers_resp = toStringList(message.getResponseHeader().getHeaders()); instances++; } @@ -212,6 +197,12 @@ public HTTPReqRes(HttpMessage message, boolean isRequest, int index) { this.setRequest_url(message.getRequestHeader().getURI().toString()); this.headers_req = toStringList(message.getRequestHeader().getHeaders()); + + // changed this by adding +// for (HtmlParameter p : message.getUrlParams()) { +// this.headers_req.add(p.toString()); +// } + this.request_url = message.getRequestHeader().getURI().toString(); this.body_offset_req = message.getRequestHeader().toString().length(); @@ -270,53 +261,44 @@ public static List parse_url_query_no_decoding( return list; } - /** - * Function used to replace an IHttpRequestResponse message with the values contained in this - * object - * - *
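Review bot: In the `HTTPReqRes(HistoryReference hmsg)` hunk the request line and status line (`getPrimeHeader()`) are now prepended to `headers_req`/`headers_resp`, but the `HTTPReqRes(HttpMessage message, boolean isRequest, int index)` hunk below still builds `headers_req` from `toStringList(...getHeaders())` alone, so the two constructors produce differently shaped lists and any code iterating them as `Name: value` pairs sees a bare `GET /... HTTP/1.1` entry from one constructor and not the other. Switching from assignment to `.add(...)`/`.addAll(...)` also requires both lists to be non-null before this constructor runs; unless the field declarations initialise them, the first `add` throws a `NullPointerException`. Apply the prime-header change to both constructors or to neither, and if the request line is needed store it in its own field rather than in the header list. The commented-out old assignments, the commented-out `HtmlParameter` loop in the second hunk (which leaves the new `HtmlParameter` import unused unless it is referenced elsewhere) and the 44-line `//`-commented `replaceBurpMessage` block in the `@@ -270` hunk are dead code that version control already preserves and should be deleted. Both constructors begin outside their hunks.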

// @param message the message to be replaced // @param helpers the burp helpers // @return - * the edited message with the request and/or response replaced - */ - - /* - public HttpMessage replaceBurpMessage(HttpMessage message) throws HttpMalformedHeaderException, URIException { - if (isRequest) { - message.setRequestHeader(Req_header); - message.setRequestBody(Req_body); - - } - if (isResponse) { - message.setResponseHeader(Res_header); - message.setResponseBody(Res_body); - } - if (host != null && port != 0 && protocol != null) { - if (protocol == "https"){ - message.getRequestHeader().setSecure(true); - } else { - message.getRequestHeader().setSecure(false); - } - - //TODO: check that the changes to the URI in this way are fine - org.apache.commons.httpclient.URI origialURI = new org.apache.commons.httpclient.URI(request_url, true); - - org.apache.commons.httpclient.URI newURI = new org.apache.commons.httpclient.URI( - origialURI.getScheme(), - null, - host, - port, - origialURI.getPath(), - origialURI.getQuery(), - origialURI.getFragment() - ); - - //set host and port values by changing the URI - message.getRequestHeader().setURI(newURI); - - - } - return message; - } - */ + // public HttpMessage replaceBurpMessage(HttpMessage message) throws + // HttpMalformedHeaderException, URIException { + // if (isRequest) { + // message.setRequestHeader(Req_header); + // message.setRequestBody(Req_body); + // + // } + // if (isResponse) { + // message.setResponseHeader(Res_header); + // message.setResponseBody(Res_body); + // } + // if (host != null && port != 0 && protocol != null) { + // if (protocol == "https"){ + // message.getRequestHeader().setSecure(true); + // } else { + // message.getRequestHeader().setSecure(false); + // } + // + // org.apache.commons.httpclient.URI origialURI = new + // org.apache.commons.httpclient.URI(request_url, true); + // + // org.apache.commons.httpclient.URI newURI = new org.apache.commons.httpclient.URI( + // origialURI.getScheme(), + 
// null, + // host, + // port, + // origialURI.getPath(), + // origialURI.getQuery(), + // origialURI.getFragment() + // ); + // + // //set host and port values by changing the URI + // message.getRequestHeader().setURI(newURI); + // + // + // } + // return message; + // } public String getUrlHeader() { if (!isRequest) throw new RuntimeException("called getUrlHeader on a response message"); @@ -672,7 +654,7 @@ public void editUrlParam(String param, String value) throws ParsingException { request_url = request_url.replaceAll( - "\\Q" + java.util.regex.Matcher.quoteReplacement(url.getQuery()) + "\\E", + "\\Q" + Matcher.quoteReplacement(url.getQuery()) + "\\E", new_query); updateHeadersWHurl(); @@ -722,7 +704,7 @@ public void removeUrlParam(String name) throws ParsingException { request_url = request_url.replaceAll( - "\\Q" + java.util.regex.Matcher.quoteReplacement(url.getQuery()) + "\\E", + "\\Q" + Matcher.quoteReplacement(url.getQuery()) + "\\E", new_query); updateHeadersWHurl(); @@ -777,7 +759,7 @@ public void addUrlParam(String name, String value) { request_url = request_url.replaceAll( - "\\Q" + java.util.regex.Matcher.quoteReplacement(url.getQuery()) + "\\E", + "\\Q" + Matcher.quoteReplacement(url.getQuery()) + "\\E", new_query); updateHeadersWHurl(); @@ -1037,6 +1019,7 @@ public void updateHeadersWHurl() throws RuntimeException { * @return true or false, if matched or not respectively */ public boolean matches_msg_type(MessageType msg_type, boolean is_request) { + System.out.println("eseguito matches_msg_type"); boolean matchedMessage = false; try { /* If the response message name is searched, the getByResponse will be true. @@ -1071,6 +1054,7 @@ public boolean matches_msg_type(MessageType msg_type, boolean is_request) { } catch (Exception e) { e.printStackTrace(); } + System.out.println("return di matches_msg_type is " + matchedMessage); return matchedMessage; } 
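Review bot: In the `editUrlParam`, `removeUrlParam` and `addUrlParam` hunks the escaping sits on the wrong side of `replaceAll`: `Matcher.quoteReplacement` escapes `$` and `\` for a replacement string, not for a pattern, so inside `"\\Q" + ... + "\\E"` a query containing `\` or `$` no longer matches its own text, and a query containing `\E` ends the quoting early. Meanwhile `new_query` is passed unescaped as the replacement, so a parameter value containing `$` is read as a group reference and the call throws or substitutes the wrong text. Build the literal pattern with `Pattern.quote(url.getQuery())` and the replacement with `Matcher.quoteReplacement(new_query)`: `request_url = request_url.replaceAll(Pattern.quote(url.getQuery()), Matcher.quoteReplacement(new_query));` in all three methods (`java.util.regex.Pattern` must be imported alongside `Matcher`). Each of the three methods begins and ends outside its hunk.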
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/JWT.java b/tool/src/main/java/org/zaproxy/addon/migt/JWT.java
index 111a732..da5dcf2 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/JWT.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/JWT.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import static org.zaproxy.addon.migt.Tools.check_json_strings_equals;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/Marker.java b/tool/src/main/java/org/zaproxy/addon/migt/Marker.java
index 1ff86f6..26ed5e9 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/Marker.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/Marker.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import java.util.Objects;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/MessageOperation.java b/tool/src/main/java/org/zaproxy/addon/migt/MessageOperation.java
index 21504ed..f0a37e3 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/MessageOperation.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/MessageOperation.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import static org.zaproxy.addon.migt.Tools.getVariableByName;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/MessageType.java b/tool/src/main/java/org/zaproxy/addon/migt/MessageType.java
index a54c0b8..56863b7 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/MessageType.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/MessageType.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import java.util.ArrayList;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/Module.java b/tool/src/main/java/org/zaproxy/addon/migt/Module.java
index f1cd191..66a3686 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/Module.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/Module.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import javax.swing.JPanel;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/Operation.java b/tool/src/main/java/org/zaproxy/addon/migt/Operation.java
index 5c0b8fb..0927947 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/Operation.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/Operation.java
@@ -1,22 +1,3 @@ -/* - * Zed Attack Proxy (ZAP) and its related class files. - * - * ZAP is an HTTP/HTTPS proxy for assessing web application security. - * - * Copyright 2024 The ZAP Development Team - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ package org.zaproxy.addon.migt; import static org.zaproxy.addon.migt.Tools.buildStringWithVars; @@ -465,6 +446,7 @@ public void execute() { if (!applicable) return; } catch (ParsingException e) { applicable = false; + System.out.println("Error position is Operation 1"); e.printStackTrace(); return; } @@ -480,6 +462,7 @@ public void execute() { } catch (ParsingException e) { e.printStackTrace(); applicable = false; + System.out.println("Error position is Operation 1"); return; } } @@ -492,6 +475,7 @@ public void execute() { } catch (ParsingException e) { e.printStackTrace(); applicable = false; + System.out.println("Error position is Operation 1"); return; } } @@ -537,6 +521,7 @@ public void execute() { } catch (ParsingException | PatternSyntaxException e) { applicable = false; + System.out.println("Error position is Operation 1"); e.printStackTrace(); return; } diff --git a/tool/src/main/java/org/zaproxy/addon/migt/Operation_API.java b/tool/src/main/java/org/zaproxy/addon/migt/Operation_API.java index d2f9032..1916914 100644 --- a/tool/src/main/java/org/zaproxy/addon/migt/Operation_API.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/Operation_API.java 
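Review bot: All four added lines in `execute()` print the identical text `"Error position is Operation 1"`, so the diagnostic cannot tell which of the four `catch` sites fired, and every site already calls `e.printStackTrace()`, which prints the location and message — the new lines add no information. Either drop them, or give each site a distinct message through a logger with the exception attached, e.g. `LOGGER.warn("Operation not applicable: <STEP_DESCRIPTION placeholder>", e);`, rather than stdout. The placement is also inconsistent: before `e.printStackTrace()` in the first and last hunk, after it in the middle two. `execute()` begins and ends outside these hunks.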
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import java.util.ArrayList;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/ParsingException.java b/tool/src/main/java/org/zaproxy/addon/migt/ParsingException.java
index 83a4c76..1b695bf 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/ParsingException.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/ParsingException.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 /** Exception raised when the parsing of the language fails */
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/ReqResPanel.java b/tool/src/main/java/org/zaproxy/addon/migt/ReqResPanel.java
index 47731c6..de60392 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/ReqResPanel.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/ReqResPanel.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import java.awt.BorderLayout;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/Session.java b/tool/src/main/java/org/zaproxy/addon/migt/Session.java
index 818a41f..60fc4e7 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/Session.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/Session.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import java.net.MalformedURLException;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/SessionOperation.java b/tool/src/main/java/org/zaproxy/addon/migt/SessionOperation.java
index 8b97f9a..14ef05a 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/SessionOperation.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/SessionOperation.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import java.util.ArrayList;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/SessionTrackAction.java b/tool/src/main/java/org/zaproxy/addon/migt/SessionTrackAction.java
index 9a2eec2..974f6f3 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/SessionTrackAction.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/SessionTrackAction.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import java.util.ArrayList;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/Test.java b/tool/src/main/java/org/zaproxy/addon/migt/Test.java index 7b4f322..338ad58 100644 --- a/tool/src/main/java/org/zaproxy/addon/migt/Test.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/Test.java @@ -1,22 +1,3 @@ -/* - * Zed Attack Proxy (ZAP) and its related class files. - * - * ZAP is an HTTP/HTTPS proxy for assessing web application security. - * - * Copyright 2024 The ZAP Development Team - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ package org.zaproxy.addon.migt; import java.io.BufferedWriter; @@ -388,6 +369,7 @@ public void logTest(String log_folder) { // Save all messages seen by this operation if (o.log_messages != null) { for (HttpMessage m : o.log_messages) { + System.out.println("Hystory ID log_messages =" + m.getHistoryRef().getHistoryId()); if (!logged_requests.contains(m.getHistoryRef().getHistoryId())) { byte[] request = concat( diff --git a/tool/src/main/java/org/zaproxy/addon/migt/TestSuite.java b/tool/src/main/java/org/zaproxy/addon/migt/TestSuite.java index 5e4a5bb..845ded0 100644 --- a/tool/src/main/java/org/zaproxy/addon/migt/TestSuite.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/TestSuite.java 
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import java.io.BufferedWriter;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/Tools.java b/tool/src/main/java/org/zaproxy/addon/migt/Tools.java
index a74de71..3b418d7 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/Tools.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/Tools.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 
 import com.google.gson.JsonElement;
@@ -37,6 +18,7 @@ /** Class with methods to process messages and execute tests */ public class Tools { + /** * This function execute a list of checks over a message, returning true if all the checks are * successful @@ -49,6 +31,7 @@ public class Tools { public static boolean executeChecks( List checks, HTTPReqRes message, boolean isRequest, List vars) throws ParsingException { + System.out.println("eseguito executeChecks"); for (Check c : checks) { if (!c.execute(message, isRequest, vars)) { return false; diff --git a/tool/src/main/java/org/zaproxy/addon/migt/Track.java b/tool/src/main/java/org/zaproxy/addon/migt/Track.java index e21638b..8f4f4d3 100644 --- a/tool/src/main/java/org/zaproxy/addon/migt/Track.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/Track.java @@ -1,22 +1,3 @@ -/* - * Zed Attack Proxy (ZAP) and its related class files. - * - * ZAP is an HTTP/HTTPS proxy for assessing web application security. - * - * Copyright 2024 The ZAP Development Team - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ package org.zaproxy.addon.migt; import java.util.ArrayList; diff --git a/tool/src/main/java/org/zaproxy/addon/migt/Var.java b/tool/src/main/java/org/zaproxy/addon/migt/Var.java index 44e08ff..dcd5148 100644 --- a/tool/src/main/java/org/zaproxy/addon/migt/Var.java +++ b/tool/src/main/java/org/zaproxy/addon/migt/Var.java 
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 /** The class storing the variables used in the test and sessions */
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/XML.java b/tool/src/main/java/org/zaproxy/addon/migt/XML.java
index 33bd512..644bbf4 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/XML.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/XML.java
@@ -1,22 +1,3 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 import java.io.IOException;
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/ZAPextender.java b/tool/src/main/java/org/zaproxy/addon/migt/ZAPextender.java
index 792db18..294abc1 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/ZAPextender.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/ZAPextender.java
@@ -1,32 +1,13 @@
-/*
- * Zed Attack Proxy (ZAP) and its related class files.
- *
- * ZAP is an HTTP/HTTPS proxy for assessing web application security.
- *
- * Copyright 2024 The ZAP Development Team
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package org.zaproxy.addon.migt;
 import java.awt.BorderLayout;
+import java.io.OutputStream;
 import java.io.PrintStream;
 import java.net.MalformedURLException;
 import java.net.URISyntaxException;
 import java.util.Arrays;
 import java.util.Objects;
 import javax.swing.ImageIcon;
-import javax.swing.SwingUtilities;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.core.proxy.ProxyListener;
@@ -36,6 +17,8 @@ import org.parosproxy.paros.extension.ExtensionHook;
 import org.parosproxy.paros.model.HistoryReference;
 import org.parosproxy.paros.model.Model;
+import org.parosproxy.paros.network.HtmlParameter;
+import org.parosproxy.paros.network.HttpHeaderField;
 import org.parosproxy.paros.network.HttpMalformedHeaderException;
 import org.parosproxy.paros.network.HttpMessage;
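Review bot: `import org.parosproxy.paros.network.HtmlParameter;` is added in the second hunk, but nothing else in this diff references HtmlParameter (the new code in onHttpRequestSend only uses HttpHeaderField). If the rest of the file does not use it either, the import is dead and should be dropped rather than left for a later cleanup. The import block continues outside the hunk, so this is inferred from the visible changes only.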
@@ -45,7 +28,7 @@ public class ZAPextender extends ExtensionAdaptor implements ProxyListener {
     public static PrintStream printStream;
     public static PrintStream errorStream;
     private GUIclass mainPane; // The GUI
-    private AbstractPanel statusPanel = null; // wrap per OWASP ZAP
+    private AbstractPanel statusPanel; // wrap per OWASP ZAP
     public static final String NAME = "MIGT";
     protected static final String PREFIX = "migt";
@@ -74,41 +57,38 @@ public void hook(ExtensionHook extensionHook) {
     private AbstractPanel getStatusPanel(GUIclass _mainPane_) {
         if (statusPanel == null) {
-            SwingUtilities.invokeLater(
-                    () -> {
-                        statusPanel = new AbstractPanel();
-                        statusPanel.setLayout(new BorderLayout());
-                        statusPanel.setName("MIG-T");
-                        statusPanel.setIcon(
-                                new ImageIcon(getClass().getResource("resources/logo.png")));
-
-                        // //setup output stream in Burp
-                        // OutputStream stdOut = callbacks.getStdout();
-                        // OutputStream stdErr = callbacks.getStderr();
-                        // printStream = new PrintStream(stdOut);
-                        // errorStream = new PrintStream(stdErr);
-
-                        //this should allow you to test the operation but could
-                        //Imply redirection
-                        //of all ZAP stderr and stdout to our panel
-
-                        // OutputStream stdOut = System.out;
-                        // OutputStream stdErr = System.err;
-                        // printStream = new PrintStream(stdOut);
-                        // errorStream = new PrintStream(stdErr);
-
-                        // TODO: check this code, before it created a separate instance
-                        mainPane = new GUIclass();
-
-                        _mainPane_.messageViewer = new ReqResPanel();
-                        _mainPane_.splitPane.setRightComponent(mainPane.messageViewer);
-
-                        /* I should have replaced these elements in the hook method
-                        callbacks.registerProxyListener(BurpExtender.this);
-                        callbacks.registerHttpListener(BurpExtender.this);
-                        */
-                        statusPanel.add(_mainPane_);
-                    });
+            statusPanel = new AbstractPanel();
+            statusPanel.setLayout(new BorderLayout());
+            statusPanel.setName("MIG-T");
+            statusPanel.setIcon(new ImageIcon(getClass().getResource("/resources/logofbk1.png")));
+
+            // //setup output stream in Burp
+            // OutputStream stdOut = callbacks.getStdout();
+            // OutputStream stdErr = callbacks.getStderr();
+            // printStream = new PrintStream(stdOut);
+            // errorStream = new PrintStream(stdErr);
+
+            // this should allow you to test the operation but could
+            // Imply redirection
+            // of all ZAP stderr and stdout to our panel
+
+            // TODO: understand if this needs to exist or is useless
+            OutputStream stdOut = System.out;
+            OutputStream stdErr = System.err;
+            printStream = new PrintStream(stdOut);
+            errorStream = new PrintStream(stdErr);
+
+            // TODO: this should not be needed, it's a duplicate
+            // mainPane = new GUIclass();
+
+            _mainPane_.messageViewer = new ReqResPanel();
+            _mainPane_.splitPane.setRightComponent(mainPane.messageViewer);
+
+            /* I should have replaced these elements in the hook method
+            callbacks.registerProxyListener(BurpExtender.this);
+            callbacks.registerHttpListener(BurpExtender.this);
+            */
+            statusPanel.add(_mainPane_);
         }
         return statusPanel;
     }
@@ -169,6 +149,7 @@ public String getDescription() {
     @Override
     public boolean onHttpRequestSend(HttpMessage msg) {
+        boolean messageIsRequest;
         if (msg.getRequestHeader().isEmpty()) {
             messageIsRequest = false;
@@ -176,6 +157,19 @@ public boolean onHttpRequestSend(HttpMessage msg) {
             messageIsRequest = true;
         }
+        try {
+            HistoryReference historyRef =
+                    new HistoryReference(
+                            Model.getSingleton().getSession(),
+                            HistoryReference.TYPE_TEMPORARY,
+                            msg);
+            msg.setHistoryRef(historyRef);
+        } catch (HttpMalformedHeaderException e) {
+            throw new RuntimeException(e);
+        } catch (DatabaseException e) {
+            throw new RuntimeException(e);
+        }
+
         HTTPReqRes message = new HTTPReqRes( // messageInfo,
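Review bot: In getStatusPanel the new code assigns the viewer to `_mainPane_.messageViewer` and on the next line reads `mainPane.messageViewer`; with `mainPane = new GUIclass()` now commented out, the two names refer to the same object only if the caller passed the `mainPane` field, otherwise the split pane receives whatever `mainPane.messageViewer` held before (possibly null). Use one reference consistently: `_mainPane_.splitPane.setRightComponent(_mainPane_.messageViewer);`. Dropping `SwingUtilities.invokeLater` also means the AbstractPanel and its children are now built on whichever thread calls getStatusPanel; if hook() runs off the event dispatch thread that breaks Swing's single-thread rule, which is worth confirming against the ZAP extension lifecycle since it is not visible here. `getClass().getResource("/resources/logofbk1.png")` returns null when the image is missing from the add-on jar and `new ImageIcon((URL) null)` then throws a NullPointerException, so a null check with a fallback would make add-on start-up more robust.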
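Review bot: The new try block creates a TYPE_TEMPORARY HistoryReference for every message that reaches onHttpRequestSend, before the `mainPane.INTERCEPT_ENABLED` check, and the hunk at `@@ -286,6 +298,19 @@` does the same in onHttpResponseReceive, so as far as I can tell each proxied exchange is written to the session database twice even while the tool is idle; gating the creation on the intercept/recording state, or reusing `msg.getHistoryRef()` when it is already set, would avoid that. Wrapping `HttpMalformedHeaderException` and `DatabaseException` in a bare `RuntimeException` lets the failure escape into ZAP's proxy thread and can break proxying of the affected message, whereas catching both, logging and returning true keeps the proxy flowing: `} catch (HttpMalformedHeaderException | DatabaseException e) {` / `LOGGER.warn("Could not create history reference", e); // use the class's log4j Logger field` / `return true;`. onHttpRequestSend continues outside the hunk.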
@@ -184,10 +178,38 @@ public boolean onHttpRequestSend(HttpMessage msg) {
                         // proxy_message.getMessageReference()
                         msg.getHistoryRef().getHistoryId());
-        if (mainPane.INTERCEPT_ENABLED) {
+        getView()
+                .getOutputPanel()
+                .append(
+                        "\n\n ////////////////////////////////////////////////////////// \n\n Processing message header --> "
+                                + msg.getRequestHeader()
+                                + "\n\n --------------------------------------------------------------- \n\n Single headers \n");
+
+        if (message.isRequest) {
+            getView()
+                    .getOutputPanel()
+                    .append(msg.getRequestHeader().getPrimeHeader() + "\n\n-------------------------------------\n");
+
+            for (HttpHeaderField s : msg.getRequestHeader().getHeaders()) {
+                getView()
+                        .getOutputPanel()
+                        .append(s.toString() + "\n\n-------------------------------------\n");
+            }
+        } else if (message.isResponse) {
+            getView()
+                    .getOutputPanel()
+                    .append(msg.getResponseHeader().getPrimeHeader() + "\n\n-------------------------------------\n");
+
+            for (HttpHeaderField s : msg.getResponseHeader().getHeaders()) {
+                getView()
+                        .getOutputPanel()
+                        .append(s.toString() + "\n\n-------------------------------------\n");
+            }
+        }
-        //
-        //
+        System.out.println("mainPane.INTERCEPT_ENABLED = " + mainPane.INTERCEPT_ENABLED);
+
+        if (mainPane.INTERCEPT_ENABLED) {
             // /* Check at which port of the proxy the message has been received
             // if it is different from the one of the session avoid message*/
             // if (!port.equals(mainPane.actual_operation.session_port)) {
@@ -196,6 +218,7 @@ public boolean onHttpRequestSend(HttpMessage msg) {
             // Log the received message by adding it to the list of received messages
             log_message(messageIsRequest, msg);
+            System.out.println("Logged a message");
             MessageType msg_type = null;
             try {
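Review bot: The block added before `if (mainPane.INTERCEPT_ENABLED)` appends the full request header and then every individual header of every proxied message to ZAP's Output panel unconditionally, so Cookie, Authorization and similar credential-bearing headers of all traffic through the proxy are echoed into the UI even when the tool is not intercepting; this looks like temporary debugging and should be removed, or at least gated behind the intercept flag and sent to a debug-level logger instead of the Output panel. In daemon or headless runs `getView()` may be null, which I cannot confirm from this hunk, and that would turn the first proxied message into a NullPointerException. Note also that the first append always prints `msg.getRequestHeader()` while the per-header loop switches on `message.isResponse`, so for a response the banner and the detail lines describe different headers. onHttpRequestSend continues outside the hunk.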
@@ -204,18 +227,23 @@ public boolean onHttpRequestSend(HttpMessage msg) {
                                 mainPane.messageTypes, mainPane.actual_operation.getMessageType());
             } catch (Exception e) {
                 e.printStackTrace();
+                System.out.println("Error position is ZAPextender 0");
                 mainPane.actual_operation.applicable = false;
             }
+            System.out.println("Here it's going to try matched_msg_type");
+            // Check that the given message matches the message type specified in the test
             boolean matchMessage = message.matches_msg_type(msg_type, messageIsRequest);
+            System.out.println("matched_msg_type = " + matchMessage);
+
             if (matchMessage) {
                 // If the operation's action is an intercept
                 if (Objects.requireNonNull(mainPane.actual_operation.getAction())
                         == Operation.Action.INTERCEPT) {
                     try {
-                        processMatchedMsg(msg_type, /*messageInfo,*/ message);
+                        processMatchedMsg(msg_type, message);
                         if (mainPane.actual_operation.then != null & mainPane.actual_operation.then == Operation.Then.DROP) {
                             return false; // IN ZAP A BOOL IS RETURNED STATING IF THE MESSAGE HAVE
@@ -223,6 +251,7 @@ public boolean onHttpRequestSend(HttpMessage msg) {
                         }
                     } catch (Exception e) {
                         e.printStackTrace();
+                        System.out.println("Error position is ZAPextender 1");
                         mainPane.actual_operation.applicable = false;
                     }
                 }
@@ -256,23 +285,6 @@ public boolean onHttpRequestSend(HttpMessage msg) {
             }
         }
-        /* This is the original code for the saveBuffer
-        if (mainPane.recording) {
-            if (!messageIsRequest) { // do not remove
-                synchronized (mainPane.interceptedMessages) {
-                    IHttpRequestResponsePersisted actual =
-                            callbacks.saveBuffersToTempFiles(messageInfo);
-                    mainPane.interceptedMessages.add(
-                            new HTTPReqRes(actual)
-                    );
-                    if (mainPane.defaultSession != null) {
-                        mainPane.defaultSession.addMessage(actual,
-                                mainPane.FILTERING);
-                    }
-                }
-            }
-        }
-        */
         return true;
     }
@@ -286,6 +298,19 @@ public boolean onHttpResponseReceive(HttpMessage msg) {
             messageIsRequest = true;
         }
+        try {
+            HistoryReference historyRef =
+                    new HistoryReference(
+                            Model.getSingleton().getSession(),
+                            HistoryReference.TYPE_TEMPORARY,
+                            msg);
+            msg.setHistoryRef(historyRef);
+        } catch (HttpMalformedHeaderException e) {
+            throw new RuntimeException(e);
+        } catch (DatabaseException e) {
+            throw new RuntimeException(e);
+        }
+
         HTTPReqRes message = new HTTPReqRes( // messageInfo,
@@ -309,6 +334,7 @@ public boolean onHttpResponseReceive(HttpMessage msg) {
             // Log the received message by adding it to the list of received messages
             log_message(messageIsRequest, msg);
+            System.out.println("Logged a message");
             MessageType msg_type = null;
             try {
@@ -317,6 +343,7 @@ public boolean onHttpResponseReceive(HttpMessage msg) {
                                 mainPane.messageTypes, mainPane.actual_operation.getMessageType());
             } catch (Exception e) {
                 e.printStackTrace();
+                System.out.println("Error position is ZAPextender 2");
                 mainPane.actual_operation.applicable = false;
             }
@@ -336,6 +363,7 @@ public boolean onHttpResponseReceive(HttpMessage msg) {
                         }
                     } catch (Exception e) {
                         e.printStackTrace();
+                        System.out.println("Error position is ZAPextender 3");
                         mainPane.actual_operation.applicable = false;
                     }
                 }
diff --git a/tool/src/main/java/org/zaproxy/addon/migt/samlraider/gui/SamlMain.java b/tool/src/main/java/org/zaproxy/addon/migt/samlraider/gui/SamlMain.java
index 98b416a..c899846 100644
--- a/tool/src/main/java/org/zaproxy/addon/migt/samlraider/gui/SamlMain.java
+++ b/tool/src/main/java/org/zaproxy/addon/migt/samlraider/gui/SamlMain.java
@@ -7,8 +7,6 @@ public class SamlMain extends JPanel {
     private static final long serialVersionUID = 1L;
-    // private ITextEditor textEditorAction;
-    // private ITextEditor textEditorInformation;
     private transient SamlTabController controller;
     private SamlPanelAction panelAction;
     private SamlPanelInfo panelInformation;
diff --git a/tool/src/main/resources/resources/logofbk1.png b/tool/src/main/resources/resources/logofbk1.png
new file mode 100644
index 0000000..daeceb7
Binary files /dev/null and b/tool/src/main/resources/resources/logofbk1.png differ
diff --git a/tool/src/main/zapHomeFiles/templates/config.json b/tool/src/main/zapHomeFiles/templates/config.json
new file mode 100644
index 0000000..1c87f3e
--- /dev/null
+++ b/tool/src/main/zapHomeFiles/templates/config.json
@@ -0,0 +1,5 @@
+{
+  "last_driver_path":"",
+  "last_browser_used": "",
+  "default_port":8080
+}
\ No newline at end of file
diff --git a/tool/src/main/zapHomeFiles/templates/msg_def.json b/tool/src/main/zapHomeFiles/templates/msg_def.json
new file mode 100644
index 0000000..1b9b49c
--- /dev/null
+++ b/tool/src/main/zapHomeFiles/templates/msg_def.json
@@ -0,0 +1,786 @@ +{ + "message_types": [ + { + "name": "Authentication request", + "is request": true, + "response name": "Authentication error response", + "checks": [ + { + "in": "url", + "check": "response_type", + "is present": "true" + } + ] + }, + { + "name": "Authentication response", + "is request": false, + "checks": [ + { + "in": "head", + "check param": "Location", + "contains": "state" + } + ] + }, + { + "name": "Authorization request", + "is request": true, + "response name": "Authorization response", + "checks": [ + { + "in": "body", + "check regex": "username", + "is present": "true" + }, + { + "in": "body", + "check regex": "password", + "is present": "true" + } + ] + }, + { + "name": "Token request", + "is request": true, + "response name": "Token response", + "checks": [ + { + "in": "url", + "check regex": "/token" + } + ] + }, + { + "name": "Revocation request", + "is request": true, + "response name": "Revocation response", + "checks": [ + { + "in": "url", + "check regex": "/revocation" + } + ] + }, + { + "name": "Entity Configuration request RP", + "is request": true, + "response name": "Entity Configuration response RP", + "checks": [ + { + "in": "url", + "check": "/.well-known/openid-federation", + "is present": "true" + }, + { + "in": "head", + "check param": "Host", + "contains": "relying-party.org:8001" + } + ] + }, + { + "name": "Entity Configuration request OP", + "is request": true, + "response name": "Entity Configuration response OP", + "checks": [ + { + "in": "url", + "check": "oidc/op/.well-known/openid-federation", + "is present": "true" + }, + { + "in": "head", + "check param": "Host", + "contains": "cie-provider.org:8002" + } + ] + }, + { + "name": "Entity Configuration request TA", + "is request": true, + "response name": "Entity Configuration response TA", + "checks": [ + { + "in": "url", + "check regex": "\\s/.well-known/openid-federation" + }, + { + "in": "head", + "check param": "Host", + "contains": "trust-anchor.org:8000" 
+ } + ] + }, + { + "name": "Entity Configuration request SA", + "is request": true, + "response name": "Entity Configuration response SA", + "checks": [ + { + "in": "url", + "check regex": "\\s/.well-known/openid-federation" + }, + { + "in": "head", + "check param": "Host", + "contains": "soggetti-aggregatori.org:8004" + } + ] + }, + { + "name": "Entity Configuration request AA", + "is request": true, + "response name": "Entity Configuration response AA", + "checks": [ + { + "in": "url", + "check": "/.well-known/openid-federation", + "is present": "true" + }, + { + "in": "head", + "check param": "Host", + "contains": "attribute-authority.org" + } + ] + }, + { + "name": "Entity Configuration request SA", + "is request": true, + "response name": "Entity Configuration response SA", + "checks": [ + { + "in": "url", + "check": "/.well-known/openid-federation", + "is present": "true" + }, + { + "in": "head", + "check param": "Host", + "contains": "soggetti-aggregatori.org:8004" + } + ] + }, + { + "name": "Trust Mark status request TA", + "is request": true, + "response name": "Trust Mark status response TA", + "checks": [ + { + "in": "url", + "check": "/trust_mark_status", + "is present": "true" + }, + { + "in": "head", + "check param": "Host", + "contains": "trust-anchor.org:8000" + } + ] + }, + { + "name": "Trust Mark status request SA", + "is request": true, + "response name": "Trust Mark status response SA", + "checks": [ + { + "in": "url", + "check": "/trust_mark_status", + "is present": "true" + }, + { + "in": "head", + "check param": "Host", + "contains": "soggetti-aggregatori.org:8004" + } + ] + }, + { + "name": "Trust Mark status request AA", + "is request": true, + "response name": "Trust Mark status response AA", + "checks": [ + { + "in": "url", + "check": "/trust_mark_status", + "is present": "true" + }, + { + "in": "head", + "check param": "Host", + "contains": "attribute-authority.org" + } + ] + }, + { + "name": "UserInfo request", + "is request": true, + 
"response name": "UserInfo response", + "checks": [ + { + "in": "url", + "check regex": "/userinfo" + } + ] + }, + { + "name": "Introspection request", + "is request": true, + "response name": "Introspection response", + "checks": [ + { + "in": "url", + "check regex": "/oidc/op/introspection" + } + ] + }, + { + "name": "Entity Statement request TA RP", + "is request": true, + "response name": "Entity Statement response TA RP", + "checks": [ + { + "in": "url", + "check regex": "/fetch\\?sub=http://relying-party\\.org:8001" + }, + { + "in": "head", + "check param": "Host", + "contains": "trust-anchor.org:8000" + } + ] + }, + { + "name": "Entity Statement request TA OP", + "is request": true, + "response name": "Entity Statement response TA OP", + "checks": [ + { + "in": "url", + "check regex": "/fetch\\?sub=http://cie-provider.org:8002" + }, + { + "in": "head", + "check param": "Host", + "contains": "trust-anchor.org:8000" + } + ] + }, + { + "name": "Entity Statement request TA SA", + "is request": true, + "response name": "Entity Statement response TA SA", + "checks": [ + { + "in": "url", + "check regex": "/fetch\\?sub=http://soggetti-aggregatori.org:8004" + }, + { + "in": "head", + "check param": "Host", + "contains": "trust-anchor.org:8000" + } + ] + }, + { + "name": "Entity Statement request SA RP", + "is request": true, + "response name": "Entity Statement response SA RP", + "checks": [ + { + "in": "url", + "check regex": "/fetch\\?sub=http://relying-party\\.org:8001" + }, + { + "in": "head", + "check param": "Host", + "contains": "soggetti-aggregatori.org:8004" + } + ] + }, + { + "name": "Entity Statement request SA OP", + "is request": true, + "response name": "Entity Statement response SA OP", + "checks": [ + { + "in": "url", + "check regex": "/fetch\\?sub=http://cie-provider.org:8002" + }, + { + "in": "head", + "check param": "Host", + "contains": "soggetti-aggregatori.org:8004" + } + ] + }, + { + "name": "Entity Listing request", + "is request": true, + 
"response name": "Entity Listing response", + "checks": [ + { + "in": "url", + "check regex": "/list\\?entity_type=" + } + ] + }, + { + "name": "Fetch Entity Statement request TA OP", + "is request": true, + "response name": "Fetch Entity Statement response TA OP", + "checks": [ + { + "in": "url", + "check regex": "/federation_fetch_endpoint\\?iss=http://cie-provider.org:8002&sub=http://trust-anchor.org:8000" + } + ] + }, + { + "name": "Fetch Entity Statement request TA RP", + "is request": true, + "response name": "Fetch Entity Statement response TA RP", + "checks": [ + { + "in": "url", + "check regex": "/federation_fetch_endpoint\\?iss=http://relying-party.org:8001&sub=http://trust-anchor.org:8000" + } + ] + }, + { + "name": "Fetch Entity Statement request SA OP", + "is request": true, + "response name": "Fetch Entity Statement response SA OP", + "checks": [ + { + "in": "url", + "check regex": "/federation_fetch_endpoint\\?iss=http://cie-provider.org:8002&sub=http://subject-aggregator.org:8004" + } + ] + }, + { + "name": "Fetch Entity Statement request SA RP", + "is request": true, + "response name": "Fetch Entity Statement response SA RP", + "checks": [ + { + "in": "url", + "check regex": "/federation_fetch_endpoint\\?iss=http://relying-party.org:8001&sub=http://subject-aggregator.org:8004" + } + ] + }, + { + "name": "Public Keys History request", + "is request": true, + "response name": "Public Keys History response", + "checks": [ + { + "in": "url", + "check regex": "/.well-known/openid-federation-jwks" + } + ] + }, + { + "name": "Resolve Entity Statement request AA TA", + "is request": true, + "response name": "Resolve Entity Statement response AA TA", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=trust-anchor.org:8000" + }, + { + "in": "head", + "check param": "Host", + "contains": "attribute-authority.org" + } + ] + }, + { + "name": "Resolve Entity Statement request AA RP", + "is request": true, + "response name": "Resolve Entity 
Statement response AA RP", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=relying-party.org:8001" + }, + { + "in": "head", + "check param": "Host", + "contains": "attribute-authority.org" + } + ] + }, + { + "name": "Resolve Entity Statement request AA OP", + "is request": true, + "response name": "Resolve Entity Statement response AA OP", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=trust-anchor.org:8000" + }, + { + "in": "head", + "check param": "Host", + "contains": "cie-provider.org:8002" + } + ] + }, + { + "name": "Resolve Entity Statement request AA SA", + "is request": true, + "response name": "Resolve Entity Statement response AA SA", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=soggetti-aggregatori.org:8004" + }, + { + "in": "head", + "check param": "Host", + "contains": "attribute-authority.org" + } + ] + }, + { + "name": "Resolve Entity Statement request TA AA", + "is request": true, + "response name": "Resolve Entity Statement response TA AA", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=attribute-authority.org" + }, + { + "in": "head", + "check param": "Host", + "contains": "trust-anchor.org:8000" + } + ] + }, + { + "name": "Resolve Entity Statement request TA RP", + "is request": true, + "response name": "Resolve Entity Statement response TA RP", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=relying-party.org:8001" + }, + { + "in": "head", + "check param": "Host", + "contains": "trust-anchor.org:8000" + } + ] + }, + { + "name": "Resolve Entity Statement request TA OP", + "is request": true, + "response name": "Resolve Entity Statement response TA OP", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=cie-provider.org:8002" + }, + { + "in": "head", + "check param": "Host", + "contains": "trust-anchor.org:8000" + } + ] + }, + { + "name": "Resolve Entity Statement request TA SA", + "is request": true, + "response name": "Resolve 
Entity Statement response TA SA", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=soggetti-aggregatori.org:8004" + }, + { + "in": "head", + "check param": "Host", + "contains": "trust-anchor.org:8000" + } + ] + }, + { + "name": "Resolve Entity Statement request RP AA", + "is request": true, + "response name": "Resolve Entity Statement response RP AA", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=attribute-authority.org" + }, + { + "in": "head", + "check param": "Host", + "contains": "relying-party.org:8001" + } + ] + }, + { + "name": "Resolve Entity Statement request RP TA", + "is request": true, + "response name": "Resolve Entity Statement response RP TA", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=trust-anchor.org:8000" + }, + { + "in": "head", + "check param": "Host", + "contains": "relying-party.org:8001" + } + ] + }, + { + "name": "Resolve Entity Statement request RP OP", + "is request": true, + "response name": "Resolve Entity Statement response RP OP", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=cie-provider.org:8002" + }, + { + "in": "head", + "check param": "Host", + "contains": "relying-party.org:8001" + } + ] + }, + { + "name": "Resolve Entity Statement request RP SA", + "is request": true, + "response name": "Resolve Entity Statement response RP SA", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=soggetti-aggregatori.org:8004" + }, + { + "in": "head", + "check param": "Host", + "contains": "relying-party.org:8001" + } + ] + }, + { + "name": "Resolve Entity Statement request OP AA", + "is request": true, + "response name": "Resolve Entity Statement response OP AA", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=attribute-authority.org" + }, + { + "in": "head", + "check param": "Host", + "contains": "cie-provider.org:8002" + } + ] + }, + { + "name": "Resolve Entity Statement request OP TA", + "is request": true, + "response 
name": "Resolve Entity Statement response OP TA", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=trust-anchor.org:8000" + }, + { + "in": "head", + "check param": "Host", + "contains": "cie-provider.org:8002" + } + ] + }, + { + "name": "Resolve Entity Statement request OP RP", + "is request": true, + "response name": "Resolve Entity Statement response OP RP", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=relying-party.org:8001" + }, + { + "in": "head", + "check param": "Host", + "contains": "cie-provider.org:8002" + } + ] + }, + { + "name": "Resolve Entity Statement request OP SA", + "is request": true, + "response name": "Resolve Entity Statement response OP SA", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=soggetti-aggregatori.org:8004" + }, + { + "in": "head", + "check param": "Host", + "contains": "cie-provider.org:8002" + } + ] + }, + { + "name": "Resolve Entity Statement request SA AA", + "is request": true, + "response name": "Resolve Entity Statement response SA AA", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=attribute-authority.org" + }, + { + "in": "head", + "check param": "Host", + "contains": "soggetti-aggregatori.org:8004" + } + ] + }, + { + "name": "Resolve Entity Statement request SA TA", + "is request": true, + "response name": "Resolve Entity Statement response SA TA", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=trust-anchor.org:8000" + }, + { + "in": "head", + "check param": "Host", + "contains": "soggetti-aggregatori.org:8004" + } + ] + }, + { + "name": "Resolve Entity Statement request SA RP", + "is request": true, + "response name": "Resolve Entity Statement response SA RP", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=relying-party.org:8001" + }, + { + "in": "head", + "check param": "Host", + "contains": "soggetti-aggregatori.org:8004" + } + ] + }, + { + "name": "Resolve Entity Statement request SA OP", + "is 
request": true, + "response name": "Resolve Entity Statement response SA OP", + "checks": [ + { + "in": "url", + "check regex": "/resolve/\\?sub=cie-provider.org:8002" + }, + { + "in": "head", + "check param": "Host", + "contains": "soggetti-aggregatori.org:8004" + } + ] + }, + { + "name": "Consent Page request", + "is request": true, + "response name": "Consent Page response", + "checks": [ + { + "in": "url", + "check regex": "/consent" + }, + { + "in": "head", + "check regex": "POST" + }, + { + "in": "head", + "check param": "Host", + "contains": "cie-provider.org:8002" + } + ] + }, + { + "name": "Echo Attribute request", + "is request": true, + "response name": "Echo Attribute response", + "checks": [ + { + "in": "url", + "check regex": "/echo_attributes" + }, + { + "in": "head", + "check param": "Host", + "contains": "relying-party.org:8001" + } + ] + }, + { + "name": "Trust Mark revoke request SA", + "is request": true, + "response name": "Trust Mark revoke response SA", + "checks": [ + { + "in": "url", + "check": "/trust_mark_revoke", + "is present": "true" + }, + { + "in": "head", + "check param": "Host", + "contains": "soggetti-aggregatori.org:8004" + } + ] + }, + { + "name": "Trust Mark revoke request TA", + "is request": true, + "response name": "Trust Mark revoke response TA", + "checks": [ + { + "in": "url", + "check": "/trust_mark_revoke", + "is present": "true" + }, + { + "in": "head", + "check param": "Host", + "contains": "trust-anchor.org:8000" + } + ] + }, + { + "name": "Validating request", + "is request": true, + "response name": "Validating response", + "checks": [ + { + "in": "url", + "check regex": "csrfmiddlewaretoken" + } + ] + } + ] +} \ No newline at end of file
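Review bot: "Entity Configuration request SA" is defined twice in this new file, first with `"check regex": "\\s/.well-known/openid-federation"` and later with `"check": "/.well-known/openid-federation"` plus `"is present": "true"`, and which definition wins depends on how the loader treats duplicate names, which is not visible here; keeping a single entry is safer (the `\\s/` form also requires whitespace right before the slash, which a bare URL would not contain, unless the url check runs against the whole request line). The two "Fetch Entity Statement request SA OP/RP" regexes use `subject-aggregator.org:8004` while every other SA entry uses `soggetti-aggregatori.org:8004`, so those types look as if they can never match the same deployment. "Resolve Entity Statement request AA OP" checks that `Host` contains `cie-provider.org:8002` with `sub=trust-anchor.org:8000`, unlike the other AA entries which check `attribute-authority.org`, which reads like a copy-paste slip. Since JSON has no comment syntax, the fix is to the entries themselves.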