List of usage examples for org.apache.commons.httpclient URIException getMessage
public String getMessage()
From source file:org.zaproxy.zap.extension.ascanrulesAlpha.AbstractAppFilePlugin.java
/**
 * Probes a single derived URL (scheme/host/port of the base request, path supplied by
 * {@code createTestablePath}) with a GET and raises an alert depending on the status code.
 * A 200 is reported at the rule's own risk; a 401/403 is still reported, but only as
 * informational. A URL already marked in the Kb under {@code messagePrefix} is skipped.
 */
@Override
public void scan() {
    // Exactly one request per target URL, so the stop flag is checked once, up front.
    if (isStop()) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Scanner " + getName() + " Stopping.");
        }
        return;
    }

    HttpMessage probe = getNewMsg();
    probe.getRequestHeader().setMethod(HttpRequestHeader.GET);

    URI baseUri = getBaseMsg().getRequestHeader().getURI();
    URI probeUri;
    try {
        // getPath()/getHost() decode and may throw, hence they live inside the try.
        String basePath = baseUri.getPath();
        if (basePath == null) {
            basePath = "";
        }
        probeUri = new URI(baseUri.getScheme(), null, baseUri.getHost(), baseUri.getPort(),
                createTestablePath(basePath));
    } catch (URIException uEx) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("An error occurred creating a URI for the: " + getName() + " scanner. "
                    + uEx.getMessage(), uEx);
        }
        return;
    }

    try {
        probe.getRequestHeader().setURI(probeUri);
    } catch (URIException uEx) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("An error occurred setting the URI for a new request used by: " + getName()
                    + " scanner. " + uEx.getMessage(), uEx);
        }
        return;
    }

    // Until https://github.com/zaproxy/zaproxy/issues/3563 is addressed the Kb is the only
    // place to remember which URLs were already probed, keyed by messagePrefix.
    // TODO change this when possible
    synchronized (getKb()) {
        if (getKb().getBoolean(probeUri, messagePrefix)) {
            return;
        }
        getKb().add(probeUri, messagePrefix, Boolean.TRUE);
    }

    try {
        sendAndReceive(probe, false);
    } catch (IOException e) {
        LOG.warn("An error occurred while checking [" + probe.getRequestHeader().getMethod()
                + "] [" + probe.getRequestHeader().getURI() + "] for " + getName() + " Caught "
                + e.getClass().getName() + " " + e.getMessage());
        return;
    }

    if (isFalsePositive(probe)) {
        return;
    }

    int status = probe.getResponseHeader().getStatusCode();
    boolean accessDenied = status == HttpStatusCode.UNAUTHORIZED
            || status == HttpStatusCode.FORBIDDEN;
    if (status == HttpStatusCode.OK) {
        raiseAlert(probe, getRisk(), "");
    } else if (accessDenied) {
        raiseAlert(probe, Alert.RISK_INFO, getOtherInfo());
    }
}
From source file:org.zaproxy.zap.extension.ascanrulesAlpha.ElmahScanner.java
/**
 * Requests the fixed ELMAH handler path ({@code /elmah.axd}) on the base request's
 * scheme/host/port and raises an alert depending on the status code: a 200 at the rule's
 * own risk, a 401/403 only as informational.
 */
@Override
public void scan() {
    // Exactly one request per target, so the stop flag is checked once before sending.
    if (isStop()) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Scanner " + getName() + " Stopping.");
        }
        return;
    }

    HttpMessage probe = getNewMsg();
    probe.getRequestHeader().setMethod(HttpRequestHeader.GET);

    URI baseUri = getBaseMsg().getRequestHeader().getURI();
    URI elmahUri;
    try {
        // getHost() decodes and may throw, hence it lives inside the try.
        elmahUri = new URI(baseUri.getScheme(), null, baseUri.getHost(), baseUri.getPort(),
                "/elmah.axd");
    } catch (URIException uEx) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("An error occurred creating a URI for the: " + getName() + " scanner. "
                    + uEx.getMessage(), uEx);
        }
        return;
    }

    try {
        probe.getRequestHeader().setURI(elmahUri);
    } catch (URIException uEx) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("An error occurred setting the URI for a new request used by: " + getName()
                    + " scanner. " + uEx.getMessage(), uEx);
        }
        return;
    }

    try {
        sendAndReceive(probe, false);
    } catch (IOException e) {
        LOG.warn("An error occurred while checking [" + probe.getRequestHeader().getMethod()
                + "] [" + probe.getRequestHeader().getURI() + "] for " + getName() + " Caught "
                + e.getClass().getName() + " " + e.getMessage());
        return;
    }

    int status = probe.getResponseHeader().getStatusCode();
    boolean accessDenied = status == HttpStatusCode.UNAUTHORIZED
            || status == HttpStatusCode.FORBIDDEN;
    if (status == HttpStatusCode.OK) {
        raiseAlert(probe, getRisk(), "");
    } else if (accessDenied) {
        raiseAlert(probe, Alert.RISK_INFO, getOtherInfo());
    }
}
From source file:org.zaproxy.zap.extension.ascanrulesAlpha.HttpOnlySite.java
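/**
 * Checks whether a plain-HTTP site also serves HTTPS and keeps the client on it.
 *
 * <p>The base request's host and path are re-requested over HTTPS on port 443 (the query
 * string is deliberately not carried over). Redirects are then followed, at most
 * {@code REDIR_LIMIT} times, and an alert is raised as soon as one of them leaves HTTPS,
 * changes host, has no usable Location header, or the limit is exhausted. Connection and
 * TLS failures are reported as their own alerts.
 */
@Override
public void scan() {
    if (getBaseMsg().getRequestHeader().isSecure()) {
        // Base request is already HTTPS: nothing to probe.
        if (log.isDebugEnabled()) {
            log.debug("The original request was HTTPS, so there is not much point in looking further.");
        }
        return;
    }

    HttpMessage newRequest = getNewMsg();
    try {
        // Same host and path over HTTPS on the default port; only the path is kept,
        // the original query string is dropped.
        String host = newRequest.getRequestHeader().getURI().getHost();
        String path = newRequest.getRequestHeader().getURI().getPath();
        newRequest.getRequestHeader().setURI(new URI("https", null, host, 443, path));
    } catch (URIException e) {
        log.error("Error creating HTTPS URL from HTTP URL:", e);
        return;
    }

    if (isStop()) {
        if (log.isDebugEnabled()) {
            log.debug("Scanner " + getName() + " Stopping.");
        }
        return;
    }

    try {
        int count = 0;
        // Follow redirects while they stay on HTTPS and on the same host; count only
        // grows for HTTPS hops, so it doubles as the redirect-limit counter.
        while (count < REDIR_LIMIT) {
            if (isStop()) {
                if (log.isDebugEnabled()) {
                    log.debug("Scanner " + getName() + " Stopping.");
                }
                return;
            }
            sendAndReceive(newRequest, false);
            int status = newRequest.getResponseHeader().getStatusCode();
            if (!HttpStatusCode.isRedirection(status)) {
                break;
            }
            String redirect = newRequest.getResponseHeader().getHeader(HttpResponseHeader.LOCATION);
            if (redirect == null || redirect.isEmpty()) {
                raiseAlert(newRequest, "noredirection");
                return;
            }
            URI oldURI = newRequest.getRequestHeader().getURI();
            URI newURI = constructURI(redirect, oldURI);
            if (newURI == null) {
                raiseAlert(newRequest, "urinotencoded");
                return;
            }
            newRequest.getRequestHeader().setURI(newURI);
            // getHost() can be null for a URI without an authority; the previous
            // oldHost.equals(newHost) then threw NPE out of scan(). Compare null-safely
            // and treat a host present on only one side as a host change.
            String oldHost = oldURI.getHost();
            String newHost = newURI.getHost();
            boolean sameHost = oldHost == null ? newHost == null : oldHost.equals(newHost);
            if (!sameHost) {
                raiseAlert(newRequest, "differenthosts");
                return;
            }
            if (newRequest.getRequestHeader().isSecure()) {
                count++;
            } else {
                // Bounced back to plain HTTP: HTTPS is not enforced.
                raiseAlert(newRequest, "redirecttohttp");
                return;
            }
        }
        if (count == REDIR_LIMIT) {
            // Loop ran out before a non-redirect response arrived.
            raiseAlert(newRequest, "redirectionlimit");
        }
    } catch (SocketException | SocketTimeoutException e) {
        raiseAlert(newRequest, "connectionfail");
    } catch (SSLException e) {
        // TLS-level failure. The exception text is the only hint that port 443 answered in
        // plaintext; it may be null, so guard before matching.
        // NOTE(review): depends on the JSSE provider's message wording — confirm it is stable.
        String message = e.getMessage();
        if (message != null && message.contains("plaintext")) {
            raiseAlert(newRequest, "nossl");
        }
    } catch (IOException e) {
        log.error("Request couldn't go through:", e);
    }
}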
From source file:org.zaproxy.zap.extension.ascanrulesBeta.ChallengeCallbackImplementor.java
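/**
 * Handles an incoming callback request: extracts the challenge token from the request path
 * and notifies the plugin that registered it.
 *
 * <p>The token is whatever follows {@code getPrefix()} plus one separator character in the
 * path, with a single trailing slash stripped. A consumed token is removed from
 * {@code regCallbacks}; an unknown token triggers a sweep of expired registrations instead.
 * The path comes from an external request, so a path without the prefix, or one ending
 * right after it, is ignored rather than allowed to throw out of the handler.
 *
 * @param msg the callback request whose path carries the challenge token
 */
@Override
public void handleCallBack(HttpMessage msg) {
    try {
        String path = msg.getRequestHeader().getURI().getPath();
        if (path == null) {
            return;
        }
        String prefix = getPrefix();
        int prefixIndex = path.indexOf(prefix);
        if (prefixIndex < 0) {
            // Not one of our callback paths; nothing to look up.
            return;
        }
        // Skip the prefix and the separator that follows it.
        int tokenStart = prefixIndex + prefix.length() + 1;
        if (tokenStart > path.length()) {
            // Path ends right after the prefix: no token to match (used to throw here).
            return;
        }
        String challenge = path.substring(tokenStart);
        if (challenge.endsWith("/")) {
            challenge = challenge.substring(0, challenge.length() - 1);
        }

        RegisteredCallback rcback = regCallbacks.get(challenge);
        if (rcback != null) {
            rcback.getPlugin().notifyCallback(challenge, rcback.getAttackMessage());
            // Consumed: drop it so the same token is not delivered twice.
            regCallbacks.remove(challenge);
        } else {
            // Unknown token: use the miss as an opportunity to purge stale entries.
            cleanExpiredCallbacks();
        }
    } catch (URIException e) {
        logger.warn(e.getMessage(), e);
    }
}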
From source file:org.zaproxy.zap.extension.ascanrulesBeta.HPP.java
/**
 * Entry point of the rule, run once per page: determines whether the page is vulnerable to
 * HTTP Parameter Pollution and raises the alert when it is.
 *
 * <p>The page's input fields give the parameters to pollute; the polluted request is sent
 * and the links of the response are searched for the payload.
 */
@Override
public void scan() {
    try {
        log.debug("Targeting " + getBaseMsg().getRequestHeader().getURI());
        // Assume not vulnerable until a polluted link is actually found.
        List<String> vulnLinks = new ArrayList<>();

        // Collect the parameters exposed by the page's input fields.
        Source page = new Source(getBaseMsg().getResponseBody().toString());
        List<Element> inputTags = page.getAllElements(HTMLElementName.INPUT);
        TreeSet<HtmlParameter> tags = this.getParams(page, inputTags);

        // Nothing to pollute without input fields and their parameters.
        boolean hasCandidates = !inputTags.isEmpty() && !tags.isEmpty();
        if (hasCandidates) {
            log.debug("Injecting payload...");
            HttpMessage newMsg = getNewMsg();
            newMsg.setGetParams(tags);
            try {
                sendAndReceive(newMsg);
            } catch (IllegalStateException | UnknownHostException ex) {
                if (log.isDebugEnabled()) {
                    log.debug("Caught " + ex.getClass().getName() + " " + ex.getMessage()
                            + " when accessing: " + newMsg.getRequestHeader().getURI().toString()
                            + "\n The target may have replied with a poorly formed redirect due to our input.");
                }
                return;
            }

            // Search the links of the response for our payload.
            Source response = new Source(newMsg.getResponseBody().toString());
            List<Element> links = response.getAllElements(HTMLElementName.A);
            if (!links.isEmpty()) {
                vulnLinks = this.findPayload(response, inputTags, vulnLinks);
                if (!vulnLinks.isEmpty()) {
                    this.generateReport(vulnLinks);
                }
            }
        }

        if (vulnLinks.isEmpty()) {
            log.debug("Page not vulnerable to HPP attacks");
        }
    } catch (URIException e) {
        if (log.isDebugEnabled()) {
            log.debug("Failed to send HTTP message, cause: " + e.getMessage());
        }
    } catch (Exception e) {
        log.error(e.getMessage(), e);
    }
}
From source file:org.zaproxy.zap.extension.ascanrulesBeta.HPP.java
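/**
 * Raises the HPP alert for the base message, listing the polluted links as evidence.
 *
 * @param vulnLinks list of the vulnerable links in the page; they are reported joined by
 *     {@code ", "}
 */
public void generateReport(List<String> vulnLinks) {
    // Build the evidence once with a StringBuilder; the separator goes between links only,
    // so the list no longer starts with a stray ", ".
    StringBuilder vulnParams = new StringBuilder();
    boolean first = true;
    for (String link : vulnLinks) {
        if (!first) {
            vulnParams.append(", ");
        }
        vulnParams.append(link);
        first = false;
    }
    log.debug("Page vulnerable to HPP attacks");
    String attack = Constant.messages.getString("ascanbeta.HTTPParamPoll.alert.attack");
    try {
        bingo(Alert.RISK_MEDIUM, Alert.CONFIDENCE_MEDIUM, attack, getDescription(),
                getBaseMsg().getRequestHeader().getURI().getURI(), vulnParams.toString(), attack,
                getReference(), getSolution(), getBaseMsg());
    } catch (URIException e) {
        log.error(e.getMessage(), e);
    }
}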
From source file:org.zaproxy.zap.extension.ascanrulesBeta.RemoteCodeExecutionCVE20121823.java
/**
 * Builds the attack URI from the original request's scheme, escaped authority and escaped
 * path (or {@code /} when the original has no path), followed verbatim by
 * {@code attackParam}. The result is parsed as an already-escaped URI, so the caller is
 * responsible for supplying {@code attackParam} in escaped form.
 *
 * @param originalURI URI of the request being attacked
 * @param attackParam text appended directly after the path
 * @return the assembled URI, or {@code null} when it does not parse (a warning is logged)
 */
private static URI createAttackUri(URI originalURI, String attackParam) {
    String path = originalURI.getRawPath() == null ? "/" : originalURI.getEscapedPath();
    String uri = originalURI.getScheme() + "://" + originalURI.getEscapedAuthority() + path
            + attackParam;
    try {
        return new URI(uri, true);
    } catch (URIException e) {
        log.warn("Failed to create attack URI [" + uri + "], cause: " + e.getMessage());
        return null;
    }
}
From source file:org.zaproxy.zap.extension.authstats.ExtensionAuthStats.java
/**
 * Records authentication-state statistics for a response that belongs to an in-scope
 * context. The stats key is {@code stats.auth.<component>.state.<outcome>}, where the
 * component is derived from the initiator and the outcome is {@code nothtml},
 * {@code notsuccess}, or whatever {@code updateAuthIndicatorStats} records for a successful
 * HTML response.
 */
@Override
public void onHttpResponseReceive(HttpMessage msg, int initiator, HttpSender sender) {
    // Short component name for the stats key; unknown initiators keep their numeric code.
    String component;
    switch (initiator) {
        case HttpSender.ACTIVE_SCANNER_INITIATOR:
            component = "ascan";
            break;
        case HttpSender.AUTHENTICATION_INITIATOR:
            component = "auth";
            break;
        case HttpSender.FUZZER_INITIATOR:
            component = "fuzz";
            break;
        case HttpSender.MANUAL_REQUEST_INITIATOR:
            component = "manual";
            break;
        case HttpSender.PROXY_INITIATOR:
            component = "proxy";
            break;
        case HttpSender.SPIDER_INITIATOR:
            component = "spider";
            break;
        default:
            component = Integer.toString(initiator);
            break;
    }

    Session session = Model.getSingleton().getSession();
    String requestUrl = msg.getRequestHeader().getURI().toString();
    try {
        String site = SessionStructure.getHostName(msg);
        String keyPrefix = "stats.auth." + component + ".state.";
        for (Context context : session.getContexts()) {
            if (!context.isInScope() || !context.isInContext(requestUrl)) {
                continue;
            }
            if (!msg.getResponseHeader().isHtml()) {
                // Record for info
                Stats.incCounter(site, keyPrefix + "nothtml");
            } else if (!HttpStatusCode.isSuccess(msg.getResponseHeader().getStatusCode())) {
                // Record for info
                Stats.incCounter(site, keyPrefix + "notsuccess");
            } else {
                updateAuthIndicatorStats(msg, site, keyPrefix, context);
            }
        }
    } catch (URIException e) {
        log.error(e.getMessage(), e);
    }
}
From source file:org.zaproxy.zap.extension.brk.impl.http.BreakAddDialog.java
/**
 * Shows the request URI of the given message in the text display and clears the undo
 * history. If the URI cannot be rendered the error is logged and the display is left empty.
 *
 * @param aMessage message whose request URI is displayed
 */
public void setMessage(HttpMessage aMessage) {
    URI requestUri = aMessage.getRequestHeader().getURI();
    String displayText;
    try {
        displayText = requestUri.getURI();
    } catch (URIException e) {
        logger.error(e.getMessage(), e);
        displayText = "";
    }
    getTxtDisplay().setText(displayText);
    getTxtDisplay().discardAllEdits();
}
From source file:org.zaproxy.zap.extension.brk.ProxyListenerBreak.java
/**
 * Decides whether the message should be intercepted.
 *
 * <p>The break panel's global modes win first: break-all-requests (for requests),
 * break-all-responses (for responses), or stepping. Otherwise the request URI, with its
 * query removed, is matched against every enabled break point.
 *
 * @param msg the message being proxied
 * @param request {@code true} for a request, {@code false} for a response
 * @return {@code true} if a global break mode applies or an enabled break point matches
 */
private boolean isBreakPoint(HttpMessage msg, boolean request) {
    // Global break modes apply before any individual break point is consulted.
    boolean breakEverything = request
            ? getBreakPanel().isBreakRequest()
            : getBreakPanel().isBreakResponse();
    if (breakEverything || getBreakPanel().isStepping()) {
        return true;
    }

    try {
        List<BreakPoint> breakPoints = extension.getBreakPointsList();
        if (breakPoints.isEmpty()) {
            return false;
        }

        // Match against a copy with the query stripped, so the message's own URI is left
        // untouched and break points do not see query parameters.
        URI matchUri = (URI) msg.getRequestHeader().getURI().clone();
        matchUri.setQuery(null);
        String candidate = matchUri.getURI();

        synchronized (breakPoints) {
            for (BreakPoint breakPoint : breakPoints) {
                if (breakPoint.isEnabled() && breakPoint.match(candidate)) {
                    return true;
                }
            }
        }
    } catch (URIException e) {
        log.warn(e.getMessage(), e);
    }
    return false;
}