List of usage examples for org.apache.commons.httpclient.util DateUtil formatDate
public static String formatDate(Date paramDate, String paramString)
From source file:com.oneops.search.msg.processor.OpsProcMessageProcessor.java
/** * // w ww.j a v a 2 s.c o m * @param procedure * @return */ public CmsOpsProcedureSearch processOpsProcMsg(CmsOpsProcedureSearch procedure) { CmsOpsProcedureSearch esProcedure = null; try { esProcedure = fetchprocedureRecord(procedure.getProcedureId()); if (isFinalState(procedure.getProcedureState().getName())) { if (esProcedure != null && OpsProcedureState.canceled.getName() .equalsIgnoreCase(procedure.getProcedureState().getName())) { if (OpsProcedureState.failed.getName() .equalsIgnoreCase(esProcedure.getProcedureState().getName())) { esProcedure.setFailedEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double failedDuration = esProcedure.getFailedDuration() + (((SearchUtil.getTimefromDate(esProcedure.getFailedEndTS())) - (SearchUtil.getTimefromDate(esProcedure.getFailedStartTS()))) / 1000.0); esProcedure.setFailedDuration(Math.round(failedDuration * 1000.0) / 1000.0); } } else if (esProcedure != null && OpsProcedureState.complete.getName() .equalsIgnoreCase(procedure.getProcedureState().getName())) { if (OpsProcedureState.active.getName() .equalsIgnoreCase(esProcedure.getProcedureState().getName())) { esProcedure.setActiveEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double activeDuration = esProcedure.getActiveDuration() + (((SearchUtil.getTimefromDate((esProcedure.getActiveEndTS()))) - (SearchUtil.getTimefromDate(esProcedure.getActiveStartTS()))) / 1000.0); esProcedure.setActiveDuration(Math.round(activeDuration * 1000.0) / 1000.0); } } esProcedure.setProcedureState(procedure.getProcedureState()); esProcedure.setTotalTime( ((System.currentTimeMillis()) - (esProcedure.getCreated().getTime())) / 1000.0); } else if (OpsProcedureState.active.getName() .equalsIgnoreCase(procedure.getProcedureState().getName())) { if (esProcedure != null) { esProcedure.setActiveStartTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); if (OpsProcedureState.failed.getName() .equalsIgnoreCase(esProcedure.getProcedureState().getName())) { esProcedure.setRetryCount(esProcedure.getRetryCount() + 1); esProcedure.setFailedEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double failedDuration = esProcedure.getFailedDuration() + (((SearchUtil.getTimefromDate(esProcedure.getFailedEndTS())) - (SearchUtil.getTimefromDate(esProcedure.getFailedStartTS()))) / 1000.0); esProcedure.setFailedDuration(Math.round(failedDuration * 1000.0) / 1000.0); esProcedure.setProcedureState(procedure.getProcedureState()); } } else { procedure.setActiveStartTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); } } else if (OpsProcedureState.failed.getName() .equalsIgnoreCase(procedure.getProcedureState().getName())) { esProcedure.setFailureCnt(esProcedure.getFailureCnt() + 1); esProcedure.setFailedStartTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); if (OpsProcedureState.active.getName() .equalsIgnoreCase(esProcedure.getProcedureState().getName())) { esProcedure.setActiveEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double activeDuration = esProcedure.getActiveDuration() + (((SearchUtil.getTimefromDate((esProcedure.getActiveEndTS()))) - (SearchUtil.getTimefromDate(esProcedure.getActiveStartTS()))) / 1000.0); esProcedure.setActiveDuration(Math.round(activeDuration * 1000.0) / 1000.0); } esProcedure.setProcedureState(procedure.getProcedureState()); } } catch (Exception e) { logger.error("Error in processing ops-procedure message " + e.getMessage()); } return esProcedure != null ? esProcedure : procedure; }
From source file:com.oneops.search.msg.processor.DpmtMessageProcessor.java
/** * /*w ww . ja v a2 s.c o m*/ * @param deployment * @return */ public CmsDeploymentSearch processDeploymentMsg(CmsDeploymentSearch deployment) { CmsDeploymentSearch esDeployment = null; try { esDeployment = fetchDeploymentRecord(deployment.getDeploymentId()); if (isFinalState(deployment.getDeploymentState())) { if (esDeployment != null && SearchConstants.DPMT_STATE_CANCELED.equalsIgnoreCase(deployment.getDeploymentState())) { if (SearchConstants.DPMT_STATE_PAUSED.equalsIgnoreCase(esDeployment.getDeploymentState())) { esDeployment .setPausedEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double pausedDuration = esDeployment.getPausedDuration() + (((SearchUtil.getTimefromDate(esDeployment.getPausedEndTS())) - (SearchUtil.getTimefromDate(esDeployment.getPausedStartTS()))) / 1000.0); esDeployment.setPausedDuration(Math.round(pausedDuration * 1000.0) / 1000.0); } else if (SearchConstants.DPMT_STATE_PENDING .equalsIgnoreCase(esDeployment.getDeploymentState())) { esDeployment .setPendingEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double pendingDuration = esDeployment.getPendingDuration() + (((SearchUtil.getTimefromDate(esDeployment.getPendingEndTS())) - (SearchUtil.getTimefromDate(esDeployment.getPendingStartTS()))) / 1000.0); esDeployment.setPendingDuration(Math.round(pendingDuration * 1000.0) / 1000.0); } else if (SearchConstants.DPMT_STATE_FAILED .equalsIgnoreCase(esDeployment.getDeploymentState())) { esDeployment .setFailedEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double failedDuration = esDeployment.getFailedDuration() + (((SearchUtil.getTimefromDate(esDeployment.getFailedEndTS())) - (SearchUtil.getTimefromDate(esDeployment.getFailedStartTS()))) / 1000.0); esDeployment.setFailedDuration(Math.round(failedDuration * 1000.0) / 1000.0); } } else if (esDeployment != null && SearchConstants.DPMT_STATE_COMPLETE.equalsIgnoreCase(deployment.getDeploymentState())) { esDeployment.setActiveEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double activeDuration = esDeployment.getActiveDuration() + (((SearchUtil.getTimefromDate(esDeployment.getActiveEndTS())) - (SearchUtil.getTimefromDate(esDeployment.getActiveStartTS()))) / 1000.0); esDeployment.setActiveDuration(Math.round(activeDuration * 1000.0) / 1000.0); } esDeployment.setDeploymentState(deployment.getDeploymentState()); esDeployment .setTotalTime((System.currentTimeMillis() - esDeployment.getCreated().getTime()) / 1000.0); } else if (SearchConstants.DPMT_STATE_ACTIVE.equalsIgnoreCase(deployment.getDeploymentState())) { if (esDeployment != null) { esDeployment.setActiveStartTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); if (SearchConstants.DPMT_STATE_FAILED.equalsIgnoreCase(esDeployment.getDeploymentState())) { esDeployment.setRetryCount(esDeployment.getRetryCount() + 1); esDeployment .setFailedEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double failedDuration = esDeployment.getFailedDuration() + (((SearchUtil.getTimefromDate(esDeployment.getFailedEndTS())) - (SearchUtil.getTimefromDate(esDeployment.getFailedStartTS()))) / 1000.0); esDeployment.setFailedDuration(Math.round(failedDuration * 1000.0) / 1000.0); esDeployment.setDeploymentState(deployment.getDeploymentState()); } else if (SearchConstants.DPMT_STATE_PAUSED .equalsIgnoreCase(esDeployment.getDeploymentState())) { esDeployment .setPausedEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double pausedDuration = esDeployment.getPausedDuration() + (((SearchUtil.getTimefromDate(esDeployment.getPausedEndTS())) - (SearchUtil.getTimefromDate(esDeployment.getPausedStartTS()))) / 1000.0); esDeployment.setPausedDuration(Math.round(pausedDuration * 1000.0) / 1000.0); esDeployment.setDeploymentState(deployment.getDeploymentState()); } else if (SearchConstants.DPMT_STATE_PENDING .equalsIgnoreCase(esDeployment.getDeploymentState())) { esDeployment .setPendingEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double pendingDuration = esDeployment.getPendingDuration() + (((SearchUtil.getTimefromDate(esDeployment.getPendingEndTS())) - (SearchUtil.getTimefromDate(esDeployment.getPendingStartTS()))) / 1000.0); esDeployment.setPendingDuration(Math.round(pendingDuration * 1000.0) / 1000.0); esDeployment.setDeploymentState(deployment.getDeploymentState()); } updateTotalTime(esDeployment); } else { deployment.setActiveStartTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); } } else if (SearchConstants.DPMT_STATE_PENDING.equalsIgnoreCase(deployment.getDeploymentState())) { if (esDeployment == null) { esDeployment = deployment; } esDeployment.setPendingStartTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); esDeployment.setDeploymentState(deployment.getDeploymentState()); } else if (SearchConstants.DPMT_STATE_PAUSED.equalsIgnoreCase(deployment.getDeploymentState())) { esDeployment.setPauseCnt(deployment.getPauseCnt() + 1); esDeployment.setPausedStartTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); if (SearchConstants.DPMT_STATE_ACTIVE.equalsIgnoreCase(esDeployment.getDeploymentState())) { esDeployment.setActiveEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double activeDuration = esDeployment.getActiveDuration() + (((SearchUtil.getTimefromDate(esDeployment.getActiveEndTS())) - (SearchUtil.getTimefromDate(esDeployment.getActiveStartTS()))) / 1000.0); esDeployment.setActiveDuration(Math.round(activeDuration * 1000.0) / 1000.0); } esDeployment.setDeploymentState(deployment.getDeploymentState()); updateTotalTime(esDeployment); } else if (SearchConstants.DPMT_STATE_FAILED.equalsIgnoreCase(deployment.getDeploymentState())) { esDeployment.setFailureCnt(esDeployment.getFailureCnt() + 1); esDeployment.setFailedStartTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); if (SearchConstants.DPMT_STATE_ACTIVE.equalsIgnoreCase(esDeployment.getDeploymentState())) { esDeployment.setActiveEndTS(DateUtil.formatDate(new Date(), CmsConstants.SEARCH_TS_PATTERN)); double activeDuration = esDeployment.getActiveDuration() + (((SearchUtil.getTimefromDate(esDeployment.getActiveEndTS())) - (SearchUtil.getTimefromDate(esDeployment.getActiveStartTS()))) / 1000.0); esDeployment.setActiveDuration(Math.round(activeDuration * 1000.0) / 1000.0); } esDeployment.setDeploymentState(deployment.getDeploymentState()); updateTotalTime(esDeployment); } } catch (Exception e) { logger.error("Error in processing deployment message " + e.getMessage()); } return esDeployment != null ? esDeployment : deployment; }
From source file:net.duckling.ddl.web.controller.space.SpaceController.java
@RequestMapping @WebLog(method = "spaceManager") public ModelAndView display(HttpServletRequest request) { String uid = VWBSession.getCurrentUid(request); UserExt ext = aoneUserService.getUserExtInfo(uid); Activity spaceActivity = activityService.get(ActivitySpaceConfig.ACTIVITY_TITLE); List<UserTeamAclBean> adminAclList = authorityService.getTeamAclByUidAndAuth(uid, AuthorityService.ADMIN); List<TeamSpaceSize> teamSpaceSizeList = new ArrayList<TeamSpaceSize>(); TeamSpaceSize personalSpaceSize = null; for (UserTeamAclBean item : adminAclList) { Team team = teamService.getTeamByID(item.getTid()); TeamSpaceSize obj = teamSpaceSizeService.getTeamSpaceSize(item.getTid()); obj.setTeamDisplayName(team.getDisplayName()); if (team.isPersonalTeam()) { personalSpaceSize = obj;/*ww w . ja v a 2 s .c o m*/ } else { teamSpaceSizeList.add(obj); } } VWBContext context = VWBContext.createContext(request, UrlPatterns.ADMIN); ModelAndView mv = layout(ELayout.LYNX_MAIN, context, "/jsp/space/manager.jsp"); long spaceGainedCount = spaceGainedCount(uid); mv.addObject("spaceGainedCount", FileSizeUtils.getFileSize(spaceGainedCount)); mv.addObject("allocatedSpace", FileSizeUtils.getFileSize(spaceGainedCount - ext.getUnallocatedSpace())); mv.addObject("unallocatedSpace", FileSizeUtils.getFileSize(ext.getUnallocatedSpace())); mv.addObject("endTime", DateUtil.formatDate(spaceActivity.getEndTime(), "yyyy.MM.dd")); mv.addObject("teamSpaceSizeList", teamSpaceSizeList); mv.addObject("personalSpaceSize", personalSpaceSize); //? mv.addObject("currPageName", "?"); return mv; }
From source file:gov.nih.nci.caintegrator.domain.application.AbstractPersistedAnalysisJob.java
/** * Retrieves the header for the toString() of subclasses. * @param type of job.//from w w w .j a va2 s . co m * @return the header */ protected String retrieveHeader(String type) { String nl = "\n"; StringBuffer sb = new StringBuffer(); sb.append("Job Type: ").append(type).append(nl); sb.append("Job ID: ").append(getId()).append(nl); sb.append("Date: ").append(DateUtil.formatDate(new Date(), DateUtil.PATTERN_ASCTIME)).append(nl); if (getSubscription() != null && getSubscription().getStudy() != null) { sb.append("Study Name: ").append(getSubscription().getStudy().getShortTitleText()).append(nl); } return sb.toString(); }
From source file:com.pureinfo.srm.outlay.action.OutlayAssginCheckAction.java
/** * get message content/* w w w . j a v a2 s . com*/ * * @param _project * @param _sFailed * @return * @throws PureException */ private String messageContentForCheckEdit(Project _project, OutlayAssgin _oa, String _sFailed, boolean _bApprove) throws PureException { StringBuffer buffer = new StringBuffer(); Date date = new Date(); SRMUser prjAdmin = _project.getAdministrator(); SRMUser _loginuser = (SRMUser) ArkHelper.getLoginUser(); String authorName = ""; String checkName = ""; if (prjAdmin != null) { authorName = prjAdmin.getTrueName(); } if (_loginuser != null) { checkName = _loginuser.getTrueName(); } String dateStr = DateUtil.formatDate(date, "yyyy-MM-dd HH:mm"); String dateYMD = DateUtil.formatDate(date, "yyyy-MM-dd"); try { buffer.append(authorName + ",:\n"); if (_bApprove) { buffer.append(""); buffer.append(""); buffer.append(_project.getProjectName()); buffer.append(""); buffer.append(dateStr + " "); buffer.append(_sFailed); } else { buffer.append(""); buffer.append(_project.getProjectName()); buffer.append("\n"); buffer.append(":"); buffer.append(_oa.getCheckSuggestion()); } buffer.append("\n"); buffer.append(checkName); buffer.append("\n\r"); buffer.append("\n"); buffer.append(dateYMD); return buffer.toString(); } finally { if (buffer != null) { buffer.setLength(0); } } }
From source file:com.oneops.inductor.WorkOrderExecutor.java
/** * Process workorder and return message to be put in * the controller response queue/*from w ww. ja v a 2s . c om*/ * * @param o CmsWorkOrderSimpleBase * @param correlationId JMS correlation Id * @returns Map<String, String> message */ @Override public Map<String, String> process(CmsWorkOrderSimpleBase o, String correlationId) throws IOException { CmsWorkOrderSimple wo = (CmsWorkOrderSimple) o; // compute::replace will do a delete and add - only for old // pre-versioned compute String[] classParts = wo.getRfcCi().getCiClassName().split("\\."); if (classParts.length < 3 && isWorkOrderOfCompute(wo) && isAction(wo, REPLACE)) { logger.info("compute::replace - delete then add"); wo.getRfcCi().setRfcAction(DELETE); process(wo, correlationId); if (wo.getDpmtRecordState().equals(COMPLETE)) { if (wo.getRfcCi().getCiAttributes().containsKey("instance_id")) wo.getRfcCi().getCiAttributes().remove("instance_id"); wo.getRfcCi().setRfcAction(ADD); } else { logger.info("compute::replace - delete failed"); return buildResponseMessage(wo, correlationId); } } long startTime = System.currentTimeMillis(); if (config.isCloudStubbed(wo)) { String fileName = config.getDataDir() + "/" + wo.getDpmtRecordId() + ".json"; writeChefRequest(wo, fileName); processStubbedCloud(wo); logger.warn("completing wo without doing anything because cloud is stubbed"); } else { // skip fqdn workorder if dns is disabled if (config.isDnsDisabled() && wo.getRfcCi().getCiClassName().matches(BOM_CLASS_PREFIX + "Fqdn")) { wo.setDpmtRecordState(COMPLETE); CmsCISimple resultCi = new CmsCISimple(); mergeRfcToResult(wo.getRfcCi(), resultCi); wo.setResultCi(resultCi); logger.info("completing wo without doing anything because dns is off"); } else { // creates the json chefRequest and exec's chef to run chef // local or remote via ssh/mc runWorkOrder(wo); } } long endTime = System.currentTimeMillis(); int duration = Math.round((endTime - startTime) / 1000); logger.info(wo.getRfcCi().getRfcAction() + " " + wo.getRfcCi().getImpl() + " " + wo.getRfcCi().getCiClassName() + " " + wo.getRfcCi().getCiName() + " took: " + duration + "sec"); setTotalExecutionTime(wo, endTime - startTime); wo.putSearchTag(RESPONSE_ENQUE_TS, DateUtil.formatDate(new Date(), SEARCH_TS_PATTERN)); return buildResponseMessage(wo, correlationId); }
From source file:com.eucalyptus.blockstorage.HttpTransfer.java
/** * Constructs the requested method, optionally signing the request via EucaRSA-V2 signing method if signRequest=true * Signing the request can be done later as well by explicitly calling signEucaInternal() and passing it the output of this method. * That case is useful for constructing the request and then adding headers explicitly before signing takes place. * @param verb - The HTTP verb GET|PUT|POST|DELETE|UPDATE * @param addr - THe destination address for the request * @param eucaOperation - The EucaOperation, if any (e.g. StoreSnapshot, GetWalrusSnapshot, or other values from ObjectStorageProperties.StorageOperations) * @param eucaHeader - The Euca Header value, if any. This is not typically used. * @param signRequest - Determines if the request is signed at construction time or must be done explicitly later (boolean) * @return//from www. j a v a 2 s . c om */ public HttpMethodBase constructHttpMethod(String verb, String addr, String eucaOperation, String eucaHeader, boolean signRequest) { String date = DateUtil.formatDate(new Date(), ISO_8601_FORMAT); //String date = new Date().toString(); String httpVerb = verb; String addrPath = null; java.net.URI addrUri = null; try { addrUri = new URL(addr).toURI(); addrPath = addrUri.getPath().toString(); String query = addrUri.getQuery(); if (query != null) { addrPath += "?" + query; } } catch (Exception ex) { LOG.error(ex, ex); return null; } HttpMethodBase method = null; if (httpVerb.equals("PUT")) { method = new PutMethodWithProgress(addr); } else if (httpVerb.equals("DELETE")) { method = new DeleteMethod(addr); } else { method = new GetMethod(addr); } method.setRequestHeader("Date", date); //method.setRequestHeader("Expect", "100-continue"); method.setRequestHeader(EUCALYPTUS_OPERATION, eucaOperation); if (eucaHeader != null) { method.setRequestHeader(EUCALYPTUS_HEADER, eucaHeader); } if (signRequest) { signEucaInternal(method); } return method; }
From source file:org.kuali.student.r2.core.acal.service.impl.TermCodeGeneratorMockImpl.java
@Override public String generateTermCode(TermInfo term) { //Don't generate if the term was set already if (term.getCode() != null) { return term.getCode(); }/* w w w. j a v a2s . c om*/ // if the term is not of a type that is handled by the defined formula, return null, since the value for the atp code is undefined at that point if (!termTypeCodeMap.containsKey(term.getTypeKey())) { return null; } StringBuilder result = new StringBuilder(DateUtil.formatDate(term.getStartDate(), YEAR_ONLY_FORMAT_STRING)); result.append(termTypeCodeMap.get(term.getTypeKey()).toString()); return result.toString(); }
From source file:org.kuali.student.r2.core.acal.service.impl.TestTermCodeGeneratorImpl.java
@Test public void testTermCodeGenerator() throws Exception { TypeInfo termType = typeService.getType(AtpServiceConstants.ATP_WINTER_TYPE_KEY, callContext); List<AttributeInfo> attributes = new ArrayList<AttributeInfo>(); AttributeInfo attrInfo = new AttributeInfo(); attrInfo.setId("term_type_code_for_" + AtpServiceConstants.ATP_WINTER_TYPE_KEY); attrInfo.setKey(TypeServiceConstants.ATP_TERM_TYPE_CODE_ATTR); attrInfo.setValue("00"); attributes.add(attrInfo);/*from w w w . j av a 2s . c om*/ termType.setAttributes(attributes); typeService.updateType(termType.getKey(), termType, callContext); TermInfo term = new TermInfo(); term.setStartDate(new Date()); term.setTypeKey(AtpServiceConstants.ATP_WINTER_TYPE_KEY); TypeInfo type = typeService.getType(term.getTypeKey(), callContext); String typeCode = type.getAttributeValue(TypeServiceConstants.ATP_TERM_TYPE_CODE_ATTR); StringBuilder termCode = new StringBuilder( DateUtil.formatDate(term.getStartDate(), YEAR_ONLY_FORMAT_STRING)); termCode.append(typeCode); String startYear = DateFormatters.DEFULT_YEAR_FORMATTER.format(new Date()); assertEquals(startYear + "00", termCode.toString()); }
From source file:org.zaproxy.zap.extension.ascanrulesBeta.SessionFixation.java
/** * scans all GET, Cookie params for Session fields, and looks for SessionFixation * vulnerabilities//w w w . ja va 2 s . c om */ @Override public void scan() { // TODO: scan the POST (form) params for session id fields. try { boolean loginUrl = false; // Are we dealing with a login url in any of the contexts of which this uri is part URI requestUri = getBaseMsg().getRequestHeader().getURI(); ExtensionAuthentication extAuth = (ExtensionAuthentication) Control.getSingleton().getExtensionLoader() .getExtension(ExtensionAuthentication.NAME); // using the session, get the list of contexts for the url List<Context> contextList = extAuth.getModel().getSession().getContextsForUrl(requestUri.getURI()); // now loop, and see if the url is a login url in each of the contexts in turn... for (Context context : contextList) { URI loginUri = extAuth.getLoginRequestURIForContext(context); if (loginUri != null && requestUri.getPath() != null) { if (requestUri.getScheme().equals(loginUri.getScheme()) && requestUri.getHost().equals(loginUri.getHost()) && requestUri.getPort() == loginUri.getPort() && requestUri.getPath().equals(loginUri.getPath())) { // we got this far.. only the method (GET/POST), user details, query params, // fragment, and POST params // are possibly different from the login page. loginUrl = true; break; } } } // For now (from Zap 2.0), the Session Fixation scanner will only run for login pages if (loginUrl == false) { log.debug("For the Session Fixation scanner to actually do anything, a Login Page *must* be set!"); return; } // find all params set in the request (GET/POST/Cookie) // Note: this will be the full set, before we delete anything. TreeSet<HtmlParameter> htmlParams = new TreeSet<>(); htmlParams.addAll(getBaseMsg().getRequestHeader().getCookieParams()); // request cookies only. no response cookies htmlParams.addAll(getBaseMsg().getFormParams()); // add in the POST params htmlParams.addAll(getBaseMsg().getUrlParams()); // add in the GET params // Now add in the pseudo parameters set in the URL itself, such as in the following: // http://www.example.com/someurl;JSESSIONID=abcdefg?x=123&y=456 // as opposed to the url parameters in the following example, which are already picked // up by getUrlParams() // http://www.example.com/someurl?JSESSIONID=abcdefg&x=123&y=456 // convert from org.apache.commons.httpclient.URI to a String String requestUrl = "Unknown URL"; try { requestUrl = new URL(requestUri.getScheme(), requestUri.getHost(), requestUri.getPort(), requestUri.getPath()).toString(); } catch (Exception e) { // no point in continuing. The URL is invalid. This is a peculiarity in the Zap // core, // and can happen when // - the user browsed to http://www.example.com/bodgeit and // - the user did not browse to http://www.example.com or to http://www.example.com/ // so the Zap GUI displays "http://www.example.com" as a node under "Sites", // and under that, it displays the actual urls to which the user browsed // (http://www.example.com/bodgeit, for instance) // When the user selects the node "http://www.example.com", and tries to scan it // with // the session fixation scanner, the URI that is passed is "http://www.example.com", // which is *not* a valid url. // If the user actually browses to "http://www.example.com" (even without the // trailing slash) // the web browser appends the trailing slash, and so Zap records the URI as // "http://www.example.com/", which IS a valid url, and which can (and should) be // scanned. // // In short.. if this happens, we do not want to scan the URL anyway // (because the user never browsed to it), so just do nothing instead. log.error("Cannot convert URI [" + requestUri + "] to a URL: " + e.getMessage()); return; } // suck out any pseudo url parameters from the url Set<HtmlParameter> pseudoUrlParams = getPseudoUrlParameters(requestUrl); htmlParams.addAll(pseudoUrlParams); if (this.debugEnabled) log.debug("Pseudo url params of URL [" + requestUrl + "] : [" + pseudoUrlParams + "]"); //// for each parameter in turn, // int counter = 0; for (Iterator<HtmlParameter> iter = htmlParams.iterator(); iter.hasNext();) { HttpMessage msg1Final; HttpMessage msg1Initial = getNewMsg(); //// debug logic only.. to do first field only // counter ++; // if ( counter > 1 ) // return; HtmlParameter currentHtmlParameter = iter.next(); // Useful for debugging, but I can't find a way to view this data in the GUI, so // leave it out for now. // msg1Initial.setNote("Message 1 for parameter "+ currentHtmlParameter); if (this.debugEnabled) log.debug("Scanning URL [" + msg1Initial.getRequestHeader().getMethod() + "] [" + msg1Initial.getRequestHeader().getURI() + "], [" + currentHtmlParameter.getType() + "] field [" + currentHtmlParameter.getName() + "] with value [" + currentHtmlParameter.getValue() + "] for Session Fixation"); if (currentHtmlParameter.getType().equals(HtmlParameter.Type.cookie)) { // careful to pick up the cookies from the Request, and not to include cookies // set in any earlier response TreeSet<HtmlParameter> cookieRequestParams = msg1Initial.getRequestHeader().getCookieParams(); // delete the original cookie from the parameters cookieRequestParams.remove(currentHtmlParameter); msg1Initial.setCookieParams(cookieRequestParams); // send the message, minus the cookie parameter, and see how it comes back. // Note: do NOT automatically follow redirects.. handle those here instead. sendAndReceive(msg1Initial, false, false); ///////////////////////////// // create a copy of msg1Initial to play with to handle redirects (if any). // we use a copy because if we change msg1Initial itself, it messes the URL and // params displayed on the GUI. msg1Final = msg1Initial; HtmlParameter cookieBack1 = getResponseCookie(msg1Initial, currentHtmlParameter.getName()); long cookieBack1TimeReceived = System.currentTimeMillis(); // in ms. when was the cookie received? // Important if it has a Max-Age directive Date cookieBack1ExpiryDate = null; HttpMessage temp = msg1Initial; int redirectsFollowed1 = 0; while (HttpStatusCode.isRedirection(temp.getResponseHeader().getStatusCode())) { // Note that we need to clone the Request and the Response.. // we seem to need to track the secure flag now to make sure its set later boolean secure1 = temp.getRequestHeader().isSecure(); temp = temp.cloneAll(); // clone the previous message redirectsFollowed1++; if (redirectsFollowed1 > 10) { throw new Exception("Too many redirects were specified in the first message"); } // create a new URI from the absolute location returned, and interpret it as // escaped // note that the standard says that the Location returned should be // absolute, but it ain't always so... URI newLocation = new URI(temp.getResponseHeader().getHeader(HttpHeader.LOCATION), true); // and follow the forward url // need to clear the params (which would come from the initial POST, // otherwise) temp.getRequestHeader().setGetParams(new TreeSet<HtmlParameter>()); temp.setRequestBody(""); temp.setResponseBody(""); // make sure no values accidentally carry from one iteration to // the next try { temp.getRequestHeader().setURI(newLocation); } catch (Exception e) { // the Location field contents may not be standards compliant. Lets // generate a uri to use as a workaround where a relative path was // given instead of an absolute one URI newLocationWorkaround = new URI(temp.getRequestHeader().getURI(), temp.getResponseHeader().getHeader(HttpHeader.LOCATION), true); // try again, except this time, if it fails, don't try to handle it if (this.debugEnabled) log.debug("The Location [" + newLocation + "] specified in a redirect was not valid. Trying workaround url [" + newLocationWorkaround + "]"); temp.getRequestHeader().setURI(newLocationWorkaround); } temp.getRequestHeader().setSecure(secure1); temp.getRequestHeader().setMethod(HttpRequestHeader.GET); temp.getRequestHeader().setContentLength(0); // since we send a GET, the body will be 0 long if (cookieBack1 != null) { // if the previous request sent back a cookie, we need to set that // cookie when following redirects, as a browser would if (this.debugEnabled) log.debug("Adding in cookie [" + cookieBack1 + "] for a redirect"); TreeSet<HtmlParameter> forwardCookieParams = temp.getRequestHeader().getCookieParams(); forwardCookieParams.add(cookieBack1); temp.getRequestHeader().setCookieParams(forwardCookieParams); } if (this.debugEnabled) log.debug("DEBUG: Cookie Message 1 causes us to follow redirect to [" + newLocation + "]"); sendAndReceive(temp, false, false); // do NOT redirect.. handle it here // handle any cookies set from following redirects that override the cookie // set in the redirect itself (if any) // note that this will handle the case where a latter cookie unsets one set // earlier. HtmlParameter cookieBack1Temp = getResponseCookie(temp, currentHtmlParameter.getName()); if (cookieBack1Temp != null) { cookieBack1 = cookieBack1Temp; cookieBack1TimeReceived = System.currentTimeMillis(); // in ms. record when we got the // cookie.. in case it has a // Max-Age directive } // reset the "final" version of message1 to use the final response in the // chain msg1Final = temp; } /////////////////////////// // if non-200 on the final response for message 1, no point in continuing. Bale // out. if (msg1Final.getResponseHeader().getStatusCode() != HttpStatusCode.OK) { if (this.debugEnabled) log.debug( "Got a non-200 response code [" + msg1Final.getResponseHeader().getStatusCode() + "] when sending [" + msg1Initial.getRequestHeader().getURI() + "] with param [" + currentHtmlParameter.getName() + "] = NULL (possibly somewhere in the redirects)"); continue; } // now check that the response set a cookie. if it didn't, then either.. // 1) we are messing with the wrong field // 2) the app doesn't do sessions // either way, there is not much point in continuing to look at this field.. if (cookieBack1 == null || cookieBack1.getValue() == null) { // no cookie was set, or the cookie param was set to a null value if (this.debugEnabled) log.debug("The Cookie parameter was NOT set in the response, when cookie param [" + currentHtmlParameter.getName() + "] was set to NULL: " + cookieBack1); continue; } ////////////////////////////////////////////////////////////////////// // at this point, before continuing to check for Session Fixation, do some other // checks on the session cookie we got back // that might cause us to raise additional alerts (in addition to doing the main // check for Session Fixation) ////////////////////////////////////////////////////////////////////// // Check 1: was the session cookie sent and received securely by the server? // If not, alert this fact if ((!msg1Final.getRequestHeader().isSecure()) || (!cookieBack1.getFlags().contains("secure"))) { // pass the original param value here, not the new value, since we're // displaying the session id exposed in the original message String extraInfo = Constant.messages.getString( "ascanbeta.sessionidsentinsecurely.alert.extrainfo", currentHtmlParameter.getType(), currentHtmlParameter.getName(), currentHtmlParameter.getValue()); if (!cookieBack1.getFlags().contains("secure")) { extraInfo += ("\n" + Constant.messages.getString( "ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset")); } // and figure out the risk, depending on whether it is a login page int risk = Alert.RISK_LOW; if (loginUrl) { extraInfo += ("\n" + Constant.messages .getString("ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage")); // login page, so higher risk risk = Alert.RISK_MEDIUM; } else { // not a login page.. lower risk risk = Alert.RISK_LOW; } String attack = Constant.messages.getString( "ascanbeta.sessionidsentinsecurely.alert.attack", currentHtmlParameter.getType(), currentHtmlParameter.getName()); String vulnname = Constant.messages.getString("ascanbeta.sessionidsentinsecurely.name"); String vulndesc = Constant.messages.getString("ascanbeta.sessionidsentinsecurely.desc"); String vulnsoln = Constant.messages.getString("ascanbeta.sessionidsentinsecurely.soln"); // call bingo with some extra info, indicating that the alert is // not specific to Session Fixation, but has its own title and description // (etc) // the alert here is "Session id sent insecurely", or words to that effect. bingo(risk, Alert.CONFIDENCE_MEDIUM, vulnname, vulndesc, getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getName(), attack, extraInfo, vulnsoln, getBaseMsg()); if (log.isDebugEnabled()) { String logMessage = MessageFormat.format( "A session identifier in {2} field: [{3}] may be sent " + "via an insecure mechanism at [{0}] URL [{1}]", getBaseMsg().getRequestHeader().getMethod(), getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getType(), currentHtmlParameter.getName()); log.debug(logMessage); } // Note: do NOT continue to the next field at this point.. // since we still need to check for Session Fixation. } ////////////////////////////////////////////////////////////////////// // Check 2: is the session cookie that was set accessible to Javascript? // If so, alert this fact too if (!cookieBack1.getFlags().contains("httponly") && loginUrl) { // pass the original param value here, not the new value, since we're // displaying the session id exposed in the original message String extraInfo = Constant.messages.getString( "ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo", currentHtmlParameter.getType(), currentHtmlParameter.getName(), currentHtmlParameter.getValue()); String attack = Constant.messages.getString( "ascanbeta.sessionidaccessiblebyjavascript.alert.attack", currentHtmlParameter.getType(), currentHtmlParameter.getName()); String vulnname = Constant.messages .getString("ascanbeta.sessionidaccessiblebyjavascript.name"); String vulndesc = Constant.messages .getString("ascanbeta.sessionidaccessiblebyjavascript.desc"); String vulnsoln = Constant.messages .getString("ascanbeta.sessionidaccessiblebyjavascript.soln"); extraInfo += ("\n" + Constant.messages .getString("ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage")); // call bingo with some extra info, indicating that the alert is // not specific to Session Fixation, but has its own title and description // (etc) // the alert here is "Session id accessible in Javascript", or words to that // effect. bingo(Alert.RISK_LOW, Alert.CONFIDENCE_MEDIUM, vulnname, vulndesc, getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getName(), attack, extraInfo, vulnsoln, getBaseMsg()); if (log.isDebugEnabled()) { String logMessage = MessageFormat.format( "A session identifier in [{0}] URL [{1}] {2} field: " + "[{3}] may be accessible to JavaScript", getBaseMsg().getRequestHeader().getMethod(), getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getType(), currentHtmlParameter.getName()); log.debug(logMessage); } // Note: do NOT continue to the next field at this point.. // since we still need to check for Session Fixation. } ////////////////////////////////////////////////////////////////////// // Check 3: is the session cookie set to expire soon? when the browser session // closes? never? // the longer the session cookie is valid, the greater the risk. alert it // accordingly String cookieBack1Expiry = null; int sessionExpiryRiskLevel; String sessionExpiryDescription = null; // check for the Expires header for (Iterator<String> i = cookieBack1.getFlags().iterator(); i.hasNext();) { String cookieBack1Flag = i.next(); // if ( this.debugEnabled ) log.debug("Cookie back 1 flag (checking for // Expires): "+ cookieBack1Flag); // match in a case insensitive manner. never know what case various web // servers are going to send back. // if (cookieBack1Flag.matches("(?i)expires=.*")) { if (cookieBack1Flag.toLowerCase(Locale.ENGLISH).startsWith("expires=")) { String[] cookieBack1FlagValues = cookieBack1Flag.split("="); if (cookieBack1FlagValues.length > 1) { if (this.debugEnabled) log.debug("Cookie Expiry: " + cookieBack1FlagValues[1]); cookieBack1Expiry = cookieBack1FlagValues[1]; // the Date String sessionExpiryDescription = cookieBack1FlagValues[1]; // the Date String cookieBack1ExpiryDate = DateUtil.parseDate(cookieBack1Expiry); // the actual Date } } } // also check for the Max-Age header, which overrides the Expires header. // WARNING: this Directive is reported to be ignored by IE, so if both Expires // and Max-Age are present // and we report based on the Max-Age value, but the user is using IE, then the // results reported // by us here may be different from those actually experienced by the user! (we // use Max-Age, IE uses Expires) for (Iterator<String> i = cookieBack1.getFlags().iterator(); i.hasNext();) { String cookieBack1Flag = i.next(); // if ( this.debugEnabled ) log.debug("Cookie back 1 flag (checking for // Max-Age): "+ cookieBack1Flag); // match in a case insensitive manner. never know what case various web // servers are going to send back. if (cookieBack1Flag.toLowerCase(Locale.ENGLISH).startsWith("max-age=")) { String[] cookieBack1FlagValues = cookieBack1Flag.split("="); if (cookieBack1FlagValues.length > 1) { // now the Max-Age value is the number of seconds relative to the // time the browser received the cookie // (as stored in cookieBack1TimeReceived) if (this.debugEnabled) log.debug("Cookie Max Age: " + cookieBack1FlagValues[1]); long cookie1DropDeadMS = cookieBack1TimeReceived + (Long.parseLong(cookieBack1FlagValues[1]) * 1000); cookieBack1ExpiryDate = new Date(cookie1DropDeadMS); // the actual Date the cookie // expires (by Max-Age) cookieBack1Expiry = DateUtil.formatDate(cookieBack1ExpiryDate, DateUtil.PATTERN_RFC1123); sessionExpiryDescription = cookieBack1Expiry; // needs to the Date String } } } String sessionExpiryRiskDescription = null; // check the Expiry/Max-Age details garnered (if any) // and figure out the risk, depending on whether it is a login page // and how long the session will live before expiring if (cookieBack1ExpiryDate == null) { // session expires when the browser closes.. rate this as medium risk? sessionExpiryRiskLevel = Alert.RISK_MEDIUM; sessionExpiryRiskDescription = "ascanbeta.sessionidexpiry.browserclose"; sessionExpiryDescription = Constant.messages.getString(sessionExpiryRiskDescription); } else { long datediffSeconds = (cookieBack1ExpiryDate.getTime() - cookieBack1TimeReceived) / 1000; long anHourSeconds = 3600; long aDaySeconds = anHourSeconds * 24; long aWeekSeconds = aDaySeconds * 7; if (datediffSeconds < 0) { if (this.debugEnabled) log.debug("The session cookie has expired already"); sessionExpiryRiskDescription = "ascanbeta.sessionidexpiry.timeexpired"; sessionExpiryRiskLevel = Alert.RISK_INFO; // no risk.. the cookie has expired already } else if (datediffSeconds > aWeekSeconds) { if (this.debugEnabled) log.debug("The session cookie is set to last for more than a week!"); sessionExpiryRiskDescription = "ascanbeta.sessionidexpiry.timemorethanoneweek"; sessionExpiryRiskLevel = Alert.RISK_HIGH; } else if (datediffSeconds > aDaySeconds) { if (this.debugEnabled) log.debug("The session cookie is set to last for more than a day"); sessionExpiryRiskDescription = "ascanbeta.sessionidexpiry.timemorethanoneday"; sessionExpiryRiskLevel = Alert.RISK_MEDIUM; } else if (datediffSeconds > anHourSeconds) { if (this.debugEnabled) log.debug("The session cookie is set to last for more than an hour"); sessionExpiryRiskDescription = "ascanbeta.sessionidexpiry.timemorethanonehour"; sessionExpiryRiskLevel = Alert.RISK_LOW; } else { if (this.debugEnabled) log.debug("The session cookie is set to last for less than an hour!"); sessionExpiryRiskDescription = "ascanbeta.sessionidexpiry.timelessthanonehour"; sessionExpiryRiskLevel = Alert.RISK_INFO; } } if (!loginUrl) { // decrement the risk if it's not a login page sessionExpiryRiskLevel--; } // alert it if the default session expiry risk level is more than informational if (sessionExpiryRiskLevel > Alert.RISK_INFO) { // pass the original param value here, not the new value String cookieReceivedTime = cookieBack1Expiry = DateUtil .formatDate(new Date(cookieBack1TimeReceived), DateUtil.PATTERN_RFC1123); String extraInfo = Constant.messages.getString("ascanbeta.sessionidexpiry.alert.extrainfo", currentHtmlParameter.getType(), currentHtmlParameter.getName(), currentHtmlParameter.getValue(), sessionExpiryDescription, cookieReceivedTime); String attack = Constant.messages.getString("ascanbeta.sessionidexpiry.alert.attack", currentHtmlParameter.getType(), currentHtmlParameter.getName()); String vulnname = Constant.messages.getString("ascanbeta.sessionidexpiry.name"); String vulndesc = Constant.messages.getString("ascanbeta.sessionidexpiry.desc"); String vulnsoln = Constant.messages.getString("ascanbeta.sessionidexpiry.soln"); if (loginUrl) { extraInfo += ("\n" + Constant.messages .getString("ascanbeta.sessionidexpiry.alert.extrainfo.loginpage")); } // call bingo with some extra info, indicating that the alert is // not specific to Session Fixation, but has its own title and description // (etc) // the alert here is "Session Id Expiry Time is excessive", or words to that // effect. bingo(sessionExpiryRiskLevel, Alert.CONFIDENCE_MEDIUM, vulnname, vulndesc, getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getName(), attack, extraInfo, vulnsoln, getBaseMsg()); if (log.isDebugEnabled()) { String logMessage = MessageFormat.format( "A session identifier in [{0}] URL [{1}] {2} field: " + "[{3}] may be accessed until [{4}], unless the session is destroyed.", getBaseMsg().getRequestHeader().getMethod(), getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getType(), currentHtmlParameter.getName(), sessionExpiryDescription); log.debug(logMessage); } // Note: do NOT continue to the next field at this point.. // since we still need to check for Session Fixation. } if (!loginUrl) { // not a login page.. skip continue; } //////////////////////////////////////////////////////////////////////////////////////////// /// Message 2 - processing starts here //////////////////////////////////////////////////////////////////////////////////////////// // so now that we know the URL responds with 200 (OK), and that it sets a // cookie, lets re-issue the original request, // but lets add in the new (valid) session cookie that was just issued. // we will re-send it. the aim is then to see if it accepts the cookie (BAD, in // some circumstances), // or if it issues a new session cookie (GOOD, in most circumstances) if (this.debugEnabled) log.debug("A Cookie was set by the URL for the correct param, when param [" + currentHtmlParameter.getName() + "] was set to NULL: " + cookieBack1); // use a copy of msg2Initial, since it has already had the correct cookie // removed in the request.. // do NOT use msg2Initial itself, as this will cause both requests in the GUI to // show the modified data.. // finally send the second message, and see how it comes back. HttpMessage msg2Initial = msg1Initial.cloneRequest(); TreeSet<HtmlParameter> cookieParams2Set = msg2Initial.getRequestHeader().getCookieParams(); cookieParams2Set.add(cookieBack1); msg2Initial.setCookieParams(cookieParams2Set); // resend the copy of the initial message, but with the valid session cookie // added in, to see if it is accepted // do not automatically follow redirects, as we need to check these for cookies // being set. sendAndReceive(msg2Initial, false, false); // create a copy of msg2Initial to play with to handle redirects (if any). // we use a copy because if we change msg2Initial itself, it messes the URL and // params displayed on the GUI. HttpMessage temp2 = msg2Initial; HttpMessage msg2Final = msg2Initial; HtmlParameter cookieBack2Previous = cookieBack1; HtmlParameter cookieBack2 = getResponseCookie(msg2Initial, currentHtmlParameter.getName()); int redirectsFollowed2 = 0; while (HttpStatusCode.isRedirection(temp2.getResponseHeader().getStatusCode())) { // clone the previous message boolean secure2 = temp2.getRequestHeader().isSecure(); temp2 = temp2.cloneAll(); redirectsFollowed2++; if (redirectsFollowed2 > 10) { throw new Exception("Too many redirects were specified in the second message"); } // create a new URI from the absolute location returned, and interpret it as // escaped // note that the standard says that the Location returned should be // absolute, but it ain't always so... URI newLocation = new URI(temp2.getResponseHeader().getHeader(HttpHeader.LOCATION), true); // and follow the forward url // need to clear the params (which would come from the initial POST, // otherwise) temp2.getRequestHeader().setGetParams(new TreeSet<HtmlParameter>()); temp2.setRequestBody(""); temp2.setResponseBody(""); // make sure no values accidentally carry from one iteration to // the next try { temp2.getRequestHeader().setURI(newLocation); } catch (Exception e) { // the Location field contents may not be standards compliant. Lets // generate a uri to use as a workaround where a relative path was // given instead of an absolute one URI newLocationWorkaround = new URI(temp2.getRequestHeader().getURI(), temp2.getResponseHeader().getHeader(HttpHeader.LOCATION), true); // try again, except this time, if it fails, don't try to handle it if (this.debugEnabled) log.debug("The Location [" + newLocation + "] specified in a redirect was not valid. Trying workaround url [" + newLocationWorkaround + "]"); temp2.getRequestHeader().setURI(newLocationWorkaround); } temp2.getRequestHeader().setSecure(secure2); temp2.getRequestHeader().setMethod(HttpRequestHeader.GET); temp2.getRequestHeader().setContentLength(0); // since we send a GET, the body will be 0 long if (cookieBack2 != null) { // if the previous request sent back a cookie, we need to set that // cookie when following redirects, as a browser would // also make sure to delete the previous value set for the cookie value if (this.debugEnabled) { log.debug("Deleting old cookie [" + cookieBack2Previous + "], and adding in cookie [" + cookieBack2 + "] for a redirect"); } TreeSet<HtmlParameter> forwardCookieParams = temp2.getRequestHeader().getCookieParams(); forwardCookieParams.remove(cookieBack2Previous); forwardCookieParams.add(cookieBack2); temp2.getRequestHeader().setCookieParams(forwardCookieParams); } sendAndReceive(temp2, false, false); // do NOT automatically redirect.. handle redirects here // handle any cookies set from following redirects that override the cookie // set in the redirect itself (if any) // note that this will handle the case where a latter cookie unsets one set // earlier. HtmlParameter cookieBack2Temp = getResponseCookie(temp2, currentHtmlParameter.getName()); if (cookieBack2Temp != null) { cookieBack2Previous = cookieBack2; cookieBack2 = cookieBack2Temp; } // reset the "final" version of message2 to use the final response in the // chain msg2Final = temp2; } if (this.debugEnabled) log.debug("Done following redirects"); // final result was non-200, no point in continuing. Bale out. if (msg2Final.getResponseHeader().getStatusCode() != HttpStatusCode.OK) { if (this.debugEnabled) log.debug( "Got a non-200 response code [" + msg2Final.getResponseHeader().getStatusCode() + "] when sending [" + msg2Initial.getRequestHeader().getURI() + "] with a borrowed cookie (or by following a redirect) for param [" + currentHtmlParameter.getName() + "]"); continue; // to next parameter } // and what we've been waiting for.. do we get a *different* cookie being set in // the response of message 2?? // or do we get a new cookie back at all? // No cookie back => the borrowed cookie was accepted. Not ideal // Cookie back, but same as the one we sent in => the borrowed cookie was // accepted. Not ideal if ((cookieBack2 == null) || cookieBack2.getValue().equals(cookieBack1.getValue())) { // no cookie back, when a borrowed cookie is in use.. suspicious! // use the cookie extrainfo message, which is specific to the case of // cookies // pretty much everything else is generic to all types of Session Fixation // vulnerabilities String extraInfo = Constant.messages.getString( "ascanbeta.sessionfixation.alert.cookie.extrainfo", currentHtmlParameter.getName(), cookieBack1.getValue(), (cookieBack2 == null ? "NULL" : cookieBack2.getValue())); String attack = Constant.messages.getString("ascanbeta.sessionfixation.alert.attack", currentHtmlParameter.getType(), currentHtmlParameter.getName()); if (loginUrl) { extraInfo += ("\n" + Constant.messages .getString("ascanbeta.sessionfixation.alert.cookie.extrainfo.loginpage")); } bingo(Alert.RISK_INFO, Alert.CONFIDENCE_MEDIUM, msg2Initial.getRequestHeader().getURI().getURI(), currentHtmlParameter.getName(), attack, extraInfo, msg2Initial); logSessionFixation(msg2Initial, currentHtmlParameter.getType().toString(), currentHtmlParameter.getName()); } continue; // jump to the next iteration of the loop (ie, the next parameter) } // end of the cookie code. // start of the url parameter code // note that this actually caters for // - actual URL parameters // - pseudo URL parameters, where the sessionid was in the path portion of the URL, // in conjunction with URL re-writing if (currentHtmlParameter.getType().equals(HtmlParameter.Type.url)) { boolean isPseudoUrlParameter = false; // is this "url parameter" actually a url parameter, or was it // path of the path (+url re-writing)? String possibleSessionIdIssuedForUrlParam = null; // remove the named url parameter from the request.. TreeSet<HtmlParameter> urlRequestParams = msg1Initial.getUrlParams(); // get parameters? if (!urlRequestParams.remove(currentHtmlParameter)) { isPseudoUrlParameter = true; // was not removed because it was a pseudo Url parameter, not a real url // parameter.. (so it would not be in the url params) // in this case, we will need to "rewrite" (ie hack) the URL path to remove // the pseudo url parameter portion // ie, we need to remove the ";jsessionid=<sessionid>" bit from the path // (assuming the current field is named 'jsessionid') // and replace it with ";jsessionid=" (ie, we nullify the possible "session" // parameter in the hope that a new session will be issued) // then we continue as usual to see if the URL is vulnerable to a Session // Fixation issue // Side note: quote the string to search for, and the replacement, so that // regex special characters are treated as literals String hackedUrl = requestUrl.replaceAll( Pattern.quote(";" + currentHtmlParameter.getName() + "=" + currentHtmlParameter.getValue()), Matcher.quoteReplacement(";" + currentHtmlParameter.getName() + "=")); if (this.debugEnabled) log.debug("Removing the pseudo URL parameter from [" + requestUrl + "]: [" + hackedUrl + "]"); // Note: the URL is not escaped. Handle it. msg1Initial.getRequestHeader().setURI(new URI(hackedUrl, false)); } msg1Initial.setGetParams(urlRequestParams); // url parameters // send the message, minus the value for the current parameter, and see how it // comes back. // Note: automatically follow redirects.. no need to look at any intermediate // responses. // this was only necessary for cookie-based session implementations sendAndReceive(msg1Initial); // if non-200 on the response for message 1, no point in continuing. Bale out. if (msg1Initial.getResponseHeader().getStatusCode() != HttpStatusCode.OK) { if (this.debugEnabled) log.debug("Got a non-200 response code [" + msg1Initial.getResponseHeader().getStatusCode() + "] when sending [" + msg1Initial.getRequestHeader().getURI() + "] with param [" + currentHtmlParameter.getName() + "] = NULL (possibly somewhere in the redirects)"); continue; } // now parse the HTML response for urls that contain the same parameter name, // and look at the values for that parameter // if no values are found for the parameter, then // 1) we are messing with the wrong field, or // 2) the app doesn't do sessions // either way, there is not much point in continuing to look at this field.. // parse out links in HTML (assume for a moment that all the URLs are in links) // this gives us a map of parameter value for the current parameter, to the // number of times it was encountered in links in the HTML SortedMap<String, Integer> parametersInHTMLURls = getParameterValueCountInHtml( msg1Initial.getResponseBody().toString(), currentHtmlParameter.getName(), isPseudoUrlParameter); if (this.debugEnabled) log.debug("The count of the various values of the [" + currentHtmlParameter.getName() + "] parameters in urls in the result of retrieving the url with a null value for parameter [" + currentHtmlParameter.getName() + "]: " + parametersInHTMLURls); if (parametersInHTMLURls.isEmpty()) { // setting the param to NULL did not cause any new values to be generated // for it in the output.. // so either.. // it is not a session field, or // it is a session field, but a session is only issued on authentication, // and this is not an authentication url // the app doesn't do sessions (etc) // either way, the parameter/url combo is not vulnerable, so continue with // the next parameter if (this.debugEnabled) log.debug("The URL parameter [" + currentHtmlParameter.getName() + "] was NOT set in any links in the response, when " + (isPseudoUrlParameter ? "pseudo/URL rewritten" : "") + " URL param [" + currentHtmlParameter.getName() + "] was set to NULL in the request, so it is likely not a session id field"); continue; // to the next parameter } else if (parametersInHTMLURls.size() == 1) { // the parameter was set to just one value in the output // so it's quite possible it is the session id field that we have been // looking for // caveat 1: check it is longer than 3 chars long, to remove false // positives.. // we assume here that a real session id will always be greater than 3 // characters long // caveat 2: the value we got back for the param must be different from the // value we // over-wrote with NULL (empty) in the first place, otherwise it is very // unlikely to // be a session id field possibleSessionIdIssuedForUrlParam = parametersInHTMLURls.firstKey(); // did we get back the same value we just nulled out in the original // request? // if so, use this to eliminate false positives, and to optimise. if (possibleSessionIdIssuedForUrlParam.equals(currentHtmlParameter.getValue())) { if (this.debugEnabled) log.debug((isPseudoUrlParameter ? "pseudo/URL rewritten" : "") + " URL param [" + currentHtmlParameter.getName() + "], when set to NULL, causes 1 distinct values to be set for it in URLs in the output, but the possible session id value [" + possibleSessionIdIssuedForUrlParam + "] is the same as the value we over-wrote with NULL. 'Sorry, kid. You got the gift, but it looks like you're waiting for something'"); continue; // to the next parameter } if (possibleSessionIdIssuedForUrlParam.length() > 3) { // raise an alert here on an exposed session id, even if it is not // subject to a session fixation vulnerability // log.info("The URL parameter ["+ currentHtmlParameter.getName() + "] // was set ["+ // parametersInHTMLURls.get(possibleSessionIdIssuedForUrlParam)+ "] // times to ["+ possibleSessionIdIssuedForUrlParam + "] in links in the // response, when "+ (isPseudoUrlParameter?"pseudo/URL rewritten":"")+ " // URL param ["+ currentHtmlParameter.getName() + "] was set to NULL in // the request. This likely indicates it is a session id field."); // pass the original param value here, not the new value, since we're // displaying the session id exposed in the original message String extraInfo = Constant.messages.getString( "ascanbeta.sessionidexposedinurl.alert.extrainfo", currentHtmlParameter.getType(), currentHtmlParameter.getName(), currentHtmlParameter.getValue()); String attack = Constant.messages .getString("ascanbeta.sessionidexposedinurl.alert.attack", (isPseudoUrlParameter ? "pseudo/URL rewritten " : "") + currentHtmlParameter.getType(), currentHtmlParameter.getName()); String vulnname = Constant.messages.getString("ascanbeta.sessionidexposedinurl.name"); String vulndesc = Constant.messages.getString("ascanbeta.sessionidexposedinurl.desc"); String vulnsoln = Constant.messages.getString("ascanbeta.sessionidexposedinurl.soln"); if (loginUrl) { extraInfo += ("\n" + Constant.messages .getString("ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage")); } // call bingo with some extra info, indicating that the alert is // not specific to Session Fixation, but has its own title and // description (etc) // the alert here is "Session id exposed in url", or words to that // effect. bingo(Alert.RISK_MEDIUM, Alert.CONFIDENCE_MEDIUM, vulnname, vulndesc, getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getName(), attack, extraInfo, vulnsoln, getBaseMsg()); if (log.isDebugEnabled()) { String logMessage = MessageFormat.format( "An exposed session identifier has been found at " + "[{0}] URL [{1}] on {2} field: [{3}]", getBaseMsg().getRequestHeader().getMethod(), getBaseMsg().getRequestHeader().getURI().getURI(), (isPseudoUrlParameter ? "pseudo " : "") + currentHtmlParameter.getType(), currentHtmlParameter.getName()); log.debug(logMessage); } // Note: do NOT continue to the next field at this point.. // since we still need to check for Session Fixation. } else { if (this.debugEnabled) log.debug((isPseudoUrlParameter ? "pseudo/URL rewritten" : "") + " URL param [" + currentHtmlParameter.getName() + "], when set to NULL, causes 1 distinct values to be set for it in URLs in the output, but the possible session id value [" + possibleSessionIdIssuedForUrlParam + "] is too short to be a real session id."); continue; // to the next parameter } } else { // strange scenario: setting the param to null causes multiple different // values to be set for it in the output // it could still be a session parameter, but we assume it is *not* a // session id field // log it, but assume it is not a session id if (this.debugEnabled) log.debug((isPseudoUrlParameter ? "pseudo/URL rewritten" : "") + " URL param [" + currentHtmlParameter.getName() + "], when set to NULL, causes [" + parametersInHTMLURls.size() + "] distinct values to be set for it in URLs in the output. Assuming it is NOT a session id as a consequence. This could be a false negative"); continue; // to the next parameter } //////////////////////////////////////////////////////////////////////////////////////////// /// Message 2 - processing starts here //////////////////////////////////////////////////////////////////////////////////////////// // we now have a plausible session id field to play with, so set it to a // borrowed value. // ie: lets re-send the request, but add in the new (valid) session value that // was just issued. // the aim is then to see if it accepts the session without re-issuing the // session id (BAD, in some circumstances), // or if it issues a new session value (GOOD, in most circumstances) // and set the (modified) session for the second message // use a copy of msg2Initial, since it has already had the correct session // removed in the request.. // do NOT use msg2Initial itself, as this will cause both requests in the GUI to // show the modified data.. // finally send the second message, and see how it comes back. HttpMessage msg2Initial = msg1Initial.cloneRequest(); // set the parameter to the new session id value (in different manners, // depending on whether it is a real url param, or a pseudo url param) if (isPseudoUrlParameter) { // we need to "rewrite" (hack) the URL path to remove the pseudo url // parameter portion // id, we need to remove the ";jsessionid=<sessionid>" bit from the path // and replace it with ";jsessionid=" (ie, we nullify the possible "session" // parameter in the hope that a new session will be issued) // then we continue as usual to see if the URL is vulnerable to a Session // Fixation issue // Side note: quote the string to search for, and the replacement, so that // regex special characters are treated as literals String hackedUrl = requestUrl.replaceAll( Pattern.quote(";" + currentHtmlParameter.getName() + "=" + currentHtmlParameter.getValue()), Matcher.quoteReplacement(";" + currentHtmlParameter.getName() + "=" + possibleSessionIdIssuedForUrlParam)); if (this.debugEnabled) log.debug("Changing the pseudo URL parameter from [" + requestUrl + "]: [" + hackedUrl + "]"); // Note: the URL is not escaped msg2Initial.getRequestHeader().setURI(new URI(hackedUrl, false)); msg2Initial.setGetParams(msg1Initial.getUrlParams()); // restore the GET params } else { // do it via the normal url parameters TreeSet<HtmlParameter> urlRequestParams2 = msg2Initial.getUrlParams(); urlRequestParams2.add(new HtmlParameter(Type.url, currentHtmlParameter.getName(), possibleSessionIdIssuedForUrlParam)); msg2Initial.setGetParams(urlRequestParams2); // restore the GET params } // resend a copy of the initial message, but with the new valid session // parameter added in, to see if it is accepted // automatically follow redirects, which are irrelevant for the purposes of // testing URL parameters sendAndReceive(msg2Initial); // final result was non-200, no point in continuing. Bale out. if (msg2Initial.getResponseHeader().getStatusCode() != HttpStatusCode.OK) { if (this.debugEnabled) log.debug("Got a non-200 response code [" + msg2Initial.getResponseHeader().getStatusCode() + "] when sending [" + msg2Initial.getRequestHeader().getURI() + "] with a borrowed session (or by following a redirect) for param [" + currentHtmlParameter.getName() + "]"); continue; // next field! } // do the analysis on the parameters in link urls in the HTML output again to // see if the session id was regenerated SortedMap<String, Integer> parametersInHTMLURls2 = getParameterValueCountInHtml( msg2Initial.getResponseBody().toString(), currentHtmlParameter.getName(), isPseudoUrlParameter); if (this.debugEnabled) log.debug("The count of the various values of the [" + currentHtmlParameter.getName() + "] parameters in urls in the result of retrieving the url with a borrowed session value for parameter [" + currentHtmlParameter.getName() + "]: " + parametersInHTMLURls2); if (parametersInHTMLURls2.size() != 1) { // either no values, or multiple values, but not 1 value. For a session // that was regenerated, we would have expected to see // just 1 new value if (this.debugEnabled) log.debug("The HTML has spoken. [" + currentHtmlParameter.getName() + "] doesn't look like a session id field, because there are " + parametersInHTMLURls2.size() + " distinct values for this parameter in urls in the HTML output"); continue; } // there is but one value for this param in links in the HTML output. But is it // vulnerable to Session Fixation? Ie, is it the same parameter? String possibleSessionIdIssuedForUrlParam2 = parametersInHTMLURls2.firstKey(); if (possibleSessionIdIssuedForUrlParam2.equals(possibleSessionIdIssuedForUrlParam)) { // same sessionid used in the output.. so it is likely that we have a // SessionFixation issue.. // use the url param extrainfo message, which is specific to the case of url // parameters and url re-writing Session Fixation issue // pretty much everything else is generic to all types of Session Fixation // vulnerabilities String extraInfo = Constant.messages.getString( "ascanbeta.sessionfixation.alert.url.extrainfo", currentHtmlParameter.getName(), possibleSessionIdIssuedForUrlParam, possibleSessionIdIssuedForUrlParam2); String attack = Constant.messages.getString("ascanbeta.sessionfixation.alert.attack", (isPseudoUrlParameter ? "pseudo/URL rewritten " : "") + currentHtmlParameter.getType(), currentHtmlParameter.getName()); int risk = Alert.RISK_LOW; if (loginUrl) { extraInfo += ("\n" + Constant.messages .getString("ascanbeta.sessionfixation.alert.url.extrainfo.loginpage")); // login page, so higher risk risk = Alert.RISK_MEDIUM; } else { // not a login page.. lower risk risk = Alert.RISK_LOW; } bingo(risk, Alert.CONFIDENCE_MEDIUM, getBaseMsg().getRequestHeader().getURI().getURI(), currentHtmlParameter.getName(), attack, extraInfo, getBaseMsg()); logSessionFixation(getBaseMsg(), (isPseudoUrlParameter ? "pseudo " : "") + currentHtmlParameter.getType(), currentHtmlParameter.getName()); continue; // jump to the next iteration of the loop (ie, the next parameter) } else { // different sessionid used in the output.. so it is unlikely that we have a // SessionFixation issue.. // more likely that the Session is being re-issued for every single request, // or we have issues a login request, which // normally causes a session to be reissued if (this.debugEnabled) log.debug("The " + (isPseudoUrlParameter ? "pseudo/URL rewritten" : "") + " parameter [" + currentHtmlParameter.getName() + "] in url [" + getBaseMsg().getRequestHeader().getMethod() + "] [" + getBaseMsg().getRequestHeader().getURI() + "] changes with requests, and so it likely not vulnerable to Session Fixation"); } continue; // onto the next parameter } // end of the url parameter code. } // end of the for loop around the parameter list } catch (Exception e) { // Do not try to internationalise this.. we need an error message in any event.. // if it's in English, it's still better than not having it at all. log.error("An error occurred checking a url for Session Fixation issues", e); } }