List of usage examples for org.apache.commons.httpclient URI URI
public URI(URI base, URI relative) throws URIException
From source file:org.zaproxy.zap.extension.pscanrulesAlpha.LinkTargetScanner.java
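/**
 * Tells whether {@code link} points at a host other than {@code host}.
 *
 * <p>A {@code null} link and path-relative links (leading "/", "./" or "../", but not the
 * protocol-relative "//") are never treated as another domain. Above the LOW alert threshold a
 * link whose host differs is still accepted when one of {@code contextList} contains it, and a
 * link matching one of the configured trusted-domain regexes is accepted at any threshold.
 *
 * @param host the host of the page the link was found on
 * @param link the raw link target as found in the page
 * @param contextList the contexts the original page belongs to
 * @return {@code true} if the link targets a different host that is neither in context nor trusted
 */
private boolean isLinkFromOtherDomain(String host, String link, List<Context> contextList) {
    if (link == null) {
        return false;
    }
    boolean protocolRelative = link.startsWith("//");
    boolean pathRelative =
            link.startsWith("/") || link.startsWith("./") || link.startsWith("../");
    if (!protocolRelative && pathRelative) {
        return false;
    }

    boolean otherDomain = false;
    try {
        URI linkURI = new URI(link, true);
        String linkHost = linkURI.getHost();
        // Hostnames are case-insensitive; equalsIgnoreCase is locale-independent and also
        // copes with a null page host (then treated as "not the same host").
        if (linkHost != null && !linkHost.equalsIgnoreCase(host)) {
            otherDomain = true;
        }
        if (otherDomain && !Plugin.AlertThreshold.LOW.equals(this.getAlertThreshold())) {
            String linkURIStr = linkURI.toString();
            for (Context context : contextList) {
                if (context.isInContext(linkURIStr)) {
                    // The link lies in a context the original page is in: not "other".
                    return false;
                }
            }
        }
    } catch (URIException e) {
        // Unparseable link: it cannot be attributed to any host, so it is not reported.
    }

    if (otherDomain) {
        // A trusted-domain regex is matched against the whole link (String#matches anchors
        // both ends), not only against its host part.
        for (String regex : this.trustedDomainRegexes) {
            try {
                if (link.matches(regex)) {
                    return false;
                }
            } catch (java.util.regex.PatternSyntaxException e) {
                // A bad user-supplied regex must not abort the scan; only String#matches
                // runs here, so this is the only exception it can raise.
                LOG.warn("Invalid regex in rule " + TRUSTED_DOMAINS_PROPERTY + ": " + regex, e);
            }
        }
    }
    return otherDomain;
}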
From source file:org.zaproxy.zap.extension.pscanrulesAlpha.RetrievedFromCacheScannerUnitTest.java
/**
 * Builds a message whose request targets {@code http://example.com}.
 *
 * @return a message with only the request header populated
 * @throws URIException if the fixed URI cannot be parsed
 */
private HttpMessage createMessage() throws URIException {
    URI requestUri = new URI("http://example.com", false);
    HttpRequestHeader header = new HttpRequestHeader();
    header.setURI(requestUri);
    HttpMessage message = new HttpMessage();
    message.setRequestHeader(header);
    return message;
}
From source file:org.zaproxy.zap.extension.pscanrulesAlpha.StrictTransportSecurityScanner.java
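/**
 * Checks the response for Strict-Transport-Security problems and raises the matching alert.
 *
 * <p>On HTTPS responses: a missing header is reported (except, above the LOW threshold, on a
 * redirect that stays on the same HTTPS host and port); more than one header is reported; a
 * single header is checked for malformed content, a zero max-age, a missing max-age and a
 * malformed max-age. On plain HTTP the presence of the header is reported only at the LOW
 * threshold. An HSTS directive found in a META tag is reported in all cases.
 *
 * @param msg the message whose response is scanned
 * @param id the history id of the message, passed through to the alerts
 * @param source the parsed response body, searched for a META HSTS tag
 */
@Override
public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
    long start = System.currentTimeMillis();
    Vector<String> stsOption = msg.getResponseHeader().getHeaders(STS_HEADER);
    String metaHSTS = getMetaHSTSEvidence(source);

    if (msg.getRequestHeader().isSecure()) {
        // A missing header on non-SSL resources is not reported; content available via both
        // HTTPS and HTTP is a separate, though related, issue.
        if (stsOption == null) {
            // Only report https redirects to the same domain at low threshold.
            boolean excusedRedirect =
                    !AlertThreshold.LOW.equals(this.getAlertThreshold())
                            && HttpStatusCode.isRedirection(msg.getResponseHeader().getStatusCode())
                            && isRedirectToSameSecureOrigin(msg);
            if (!excusedRedirect) {
                raiseAlert(VulnType.HSTS_MISSING, null, msg, id);
            }
        } else if (stsOption.size() > 1) {
            raiseAlert(VulnType.HSTS_MULTIPLE_HEADERS, null, msg, id);
        } else {
            checkSingleStsHeader(stsOption.get(0), msg, id);
        }
    } else if (AlertThreshold.LOW.equals(this.getAlertThreshold())
            && stsOption != null
            && !stsOption.isEmpty()) {
        // HSTS header on a non-HTTPS response: the first value is enough as evidence even when
        // there are several.
        raiseAlert(VulnType.HSTS_ON_PLAIN_RESP, stsOption.get(0), msg, id);
    }

    if (metaHSTS != null) {
        raiseAlert(VulnType.HSTS_META, metaHSTS, msg, id);
    }

    if (logger.isDebugEnabled()) {
        logger.debug(
                "\tScan of record " + id + " took " + (System.currentTimeMillis() - start) + " ms");
    }
}

/**
 * Tells whether the response's Location header is a relative reference or targets the same
 * HTTPS host and port as the request.
 *
 * <p>Explicit null checks replace the former catch-all: a missing, unparseable or host-less
 * Location cannot be shown to stay on this origin and so yields {@code false}.
 *
 * @param msg the redirect response and its request
 * @return {@code true} only when the redirect demonstrably stays on the request's HTTPS origin
 */
private boolean isRedirectToSameSecureOrigin(HttpMessage msg) {
    String location = msg.getResponseHeader().getHeader(HttpHeader.LOCATION);
    URI srcUri = msg.getRequestHeader().getURI();
    if (location == null || srcUri == null) {
        return false;
    }
    try {
        URI redirUri = new URI(location, false);
        if (redirUri.isRelativeURI()) {
            return true;
        }
        String scheme = redirUri.getScheme();
        String host = redirUri.getHost();
        // Hostnames are case-insensitive, so the host comparison ignores case.
        return scheme != null
                && scheme.equalsIgnoreCase("https")
                && host != null
                && host.equalsIgnoreCase(srcUri.getHost())
                && redirUri.getPort() == srcUri.getPort();
    } catch (URIException e) {
        // Unparseable Location: treat as not same-origin so the missing header is reported.
        return false;
    }
}

/**
 * Checks a single Strict-Transport-Security value and raises at most one alert for it.
 *
 * @param stsOptionString the header value
 * @param msg the message the alert is raised against
 * @param id the history id passed through to the alert
 */
private void checkSingleStsHeader(String stsOptionString, HttpMessage msg, int id) {
    Matcher badAgeMatcher = BAD_MAX_AGE_PATT.matcher(stsOptionString);
    Matcher maxAgeMatcher = MAX_AGE_PATT.matcher(stsOptionString);
    Matcher malformedMaxAgeMatcher = MALFORMED_MAX_AGE.matcher(stsOptionString);
    Matcher wellformedMatcher = WELL_FORMED_PATT.matcher(stsOptionString);
    if (!wellformedMatcher.matches()) {
        // Well-formed pattern didn't match (perhaps curly quotes or some other unwanted
        // character(s)).
        raiseAlert(VulnType.HSTS_MALFORMED_CONTENT, STS_HEADER, msg, id);
    } else if (badAgeMatcher.find()) {
        // Matched BAD_MAX_AGE_PATT: max-age is zero.
        raiseAlert(VulnType.HSTS_MAX_AGE_DISABLED, badAgeMatcher.group(), msg, id);
    } else if (!maxAgeMatcher.find()) {
        // No digit value associated with max-age.
        raiseAlert(VulnType.HSTS_MAX_AGE_MISSING, stsOptionString, msg, id);
    } else if (malformedMaxAgeMatcher.find()) {
        // max-age present but malformed.
        raiseAlert(VulnType.HSTS_MALFORMED_MAX_AGE, stsOptionString, msg, id);
    }
}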
From source file:org.zaproxy.zap.extension.pscanrulesAlpha.StrictTransportSecurityScannerUnitTest.java
/**
 * Builds a message whose request targets {@code https://example.com}.
 *
 * @return a message with only the request header populated
 * @throws URIException if the fixed URI cannot be parsed
 */
private HttpMessage createMessage() throws URIException {
    URI requestUri = new URI("https://example.com", false);
    HttpRequestHeader header = new HttpRequestHeader();
    header.setURI(requestUri);
    HttpMessage message = new HttpMessage();
    message.setRequestHeader(header);
    return message;
}
From source file:org.zaproxy.zap.extension.pscanrulesAlpha.UserControlledCharsetScannerUnitTest.java
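/**
 * Builds a GET request to {@code http://example.com/i.php} whose response header carries a
 * 200 status and a {@code text/html} Content-Type.
 *
 * @return the message used as the scan fixture
 * @throws IllegalStateException if the fixed request URI cannot be parsed; this is a defect in
 *     the fixture, so it is surfaced rather than ignored
 */
public HttpMessage createMessage() {
    HttpRequestHeader requestHeader = new HttpRequestHeader();
    try {
        requestHeader.setURI(new URI("http://example.com/i.php", false));
    } catch (URIException e) {
        throw new IllegalStateException("Fixture request URI is invalid", e);
    }
    requestHeader.setMethod(HttpRequestHeader.GET);
    HttpMessage msg = new HttpMessage();
    msg.setRequestHeader(requestHeader);
    msg.getResponseHeader().setStatusCode(HttpStatusCode.OK);
    msg.getResponseHeader().addHeader(HttpHeader.CONTENT_TYPE, "text/html");
    return msg;
}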
From source file:org.zaproxy.zap.extension.pscanrulesAlpha.UserControlledCharsetScannerUnitTest.java
/** Request parameters that are present but have no value must not trigger an alert. */
@Test
public void shouldNotRaiseAlertIfRequestParamsHaveNoValues() throws Exception {
    // Given
    URI requestUri = new URI("http://example.com/i.php?place=&name=", false);
    HttpMessage message = createMessage();
    message.getRequestHeader().setURI(requestUri);
    // When
    rule.scanHttpResponseReceive(message, -1, createSource(message));
    // Then
    assertThat(alertsRaised.size(), equalTo(0));
}
From source file:org.zaproxy.zap.extension.pscanrulesAlpha.UserControlledCharsetScannerUnitTest.java
/** An empty charset in the response Content-Type must not be matched against the request. */
@Test
public void shouldNotRaiseAlertIfResponseCharsetIsEmpty() throws Exception {
    // Given
    URI requestUri = new URI("http://example.com/i.php?cs=utf-8", false);
    HttpMessage message = createMessage();
    message.getRequestHeader().setURI(requestUri);
    message.getResponseHeader().setHeader(HttpResponseHeader.CONTENT_TYPE, "text/html; charset=");
    // When
    rule.scanHttpResponseReceive(message, -1, createSource(message));
    // Then
    assertThat(alertsRaised.size(), equalTo(0));
}
From source file:org.zaproxy.zap.extension.pscanrulesAlpha.UserControlledCharsetScannerUnitTest.java
/** A request parameter value echoed as the response charset must raise one alert naming it. */
@Test
public void shouldRaiseAlertIfRequestParamsAppearAsCharsetValue() throws Exception {
    // Given
    URI requestUri = new URI("http://example.com/i.php?cs=utf-8", false);
    HttpMessage message = createMessage();
    message.getRequestHeader().setURI(requestUri);
    message.getResponseHeader()
            .setHeader(HttpResponseHeader.CONTENT_TYPE, "text/html; charset=utf-8");
    // When
    rule.scanHttpResponseReceive(message, -1, createSource(message));
    // Then
    assertThat(alertsRaised.size(), equalTo(1));
    assertThat(alertsRaised.get(0).getParam(), equalTo("cs"));
}
From source file:org.zaproxy.zap.extension.pscanrulesAlpha.UserControlledCharsetScannerUnitTest.java
/** An empty charset in a META Content-Type tag must not be matched against the request. */
@Test
public void shouldNotRaiseAlertIfResponseMetaCharsetIsEmpty() throws Exception {
    // Given
    URI requestUri = new URI("http://example.com/i.php?cs=utf-8", false);
    String body = "<html><META http-equiv=\"Content-Type\" content=\"text/html; charset=\"></html>";
    HttpMessage message = createMessage();
    message.getRequestHeader().setURI(requestUri);
    message.setResponseBody(body);
    // When
    rule.scanHttpResponseReceive(message, -1, createSource(message));
    // Then
    assertThat(alertsRaised.size(), equalTo(0));
}
From source file:org.zaproxy.zap.extension.pscanrulesAlpha.UserControlledCharsetScannerUnitTest.java
/** A META tag that is not a Content-Type declaration must be ignored by the rule. */
@Test
public void shouldNotRaiseAlertIfResponseMetaIsNotContentType() throws Exception {
    // Given
    URI requestUri = new URI("http://example.com/i.php?cs=utf-8", false);
    String body = "<html><META http-equiv=\"info\" content=\"Someinfo\"></html>";
    HttpMessage message = createMessage();
    message.getRequestHeader().setURI(requestUri);
    message.setResponseBody(body);
    // When
    rule.scanHttpResponseReceive(message, -1, createSource(message));
    // Then
    assertThat(alertsRaised.size(), equalTo(0));
}