Handle sites that fail when 'only in scope' switched on
Fixes zaproxy#316

Signed-off-by: Simon Bennetts <[email protected]>
psiinon committed Nov 22, 2019
1 parent bb40130 commit 1f3d0e3
Showing 2 changed files with 28 additions and 18 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Fixed
- Dialogue windows close properly when the Escape key is pressed [#71](https://github.com/zaproxy/zap-hud/issues/71)
- Sites upgraded to https fail if 'only in scope' switched on [#316](https://github.com/zaproxy/zap-hud/issues/316)

## [0.7.0] - 2019-10-07

Expand Up @@ -30,6 +30,7 @@
import org.apache.log4j.Logger;
import org.parosproxy.paros.core.proxy.OverrideMessageProxyListener;
import org.parosproxy.paros.network.HttpHeader;
import org.parosproxy.paros.network.HttpMalformedHeaderException;
import org.parosproxy.paros.network.HttpMessage;
import org.parosproxy.paros.network.HttpResponseHeader;
import org.zaproxy.zap.ZAP;
Expand All @@ -55,32 +56,40 @@ public int getArrangeableListenerOrder() {
return 0;
}

private void redirectMessage(HttpMessage msg, String targetUrl)
throws HttpMalformedHeaderException {
msg.setResponseHeader(
HudAPI.getAllowFramingResponseHeader(
"302 OK", "text/html; charset=UTF-8", 0, false));
msg.getResponseHeader().addHeader(HttpHeader.LOCATION, targetUrl);
// Don't strictly need the body
msg.setResponseBody("<html><body>Redirecting to " + targetUrl + "</body></html>");
msg.getResponseHeader().setContentLength(msg.getResponseBody().length());
LOG.debug("redirectMessage returning a 302 to " + targetUrl);
}

@Override
public boolean onHttpRequestSend(HttpMessage msg) {
if (this.extHud.isHudEnabled()) {
if (this.extHud.getHudParam().isInScopeOnly() && !msg.isInScope()) {
return false;
}
try {
URI uri = msg.getRequestHeader().getURI();
if (this.extHud.getHudParam().isInScopeOnly() && !msg.isInScope()) {
if (this.extHud.isUpgradedHttpsDomain(uri)) {
// 302 to the https version..
this.extHud.removeUpgradedHttpsDomain(uri);
redirectMessage(
msg, uri.toString().replaceFirst("(?i)https://", "http://"));
return true;
}
return false;
}
if (!msg.getRequestHeader().isSecure()) {
// 302 to the https version..
this.extHud.addUpgradedHttpsDomain(msg.getRequestHeader().getURI());
msg.setResponseHeader(
HudAPI.getAllowFramingResponseHeader(
"302 OK", "text/html; charset=UTF-8", 0, false));
String url =
msg.getRequestHeader()
.getURI()
.toString()
.replaceFirst("(?i)http://", "https://");
msg.getResponseHeader().addHeader(HttpHeader.LOCATION, url);
// Don't strictly need the body
msg.setResponseBody("<html><body>Redirecting to " + url + "</body></html>");
msg.getResponseHeader().setContentLength(msg.getResponseBody().length());
LOG.debug("onHttpRequestSend returning a 302 to " + url);
this.extHud.addUpgradedHttpsDomain(uri);
redirectMessage(msg, uri.toString().replaceFirst("(?i)http://", "https://"));
return true;
} else {
if (this.extHud.isUpgradedHttpsDomain(msg.getRequestHeader().getURI())) {
if (this.extHud.isUpgradedHttpsDomain(uri)) {
// Switch to using the HTTP version in the background
msg.getRequestHeader().setSecure(false);
}
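Review bot: The comment in the new out-of-scope branch, `// 302 to the https version..`, contradicts the line below it, which rewrites `https://` to `http://` and so sends the browser back to the plain-http URL once the domain has been removed from the upgraded set; change it to `// 302 back to the http version, the upgraded site is no longer in scope..` so the two redirect branches are not confused. Separately, the new `redirectMessage` helper writes `targetUrl`, which is built from the request URI and can therefore carry arbitrary query content, unescaped into a `text/html` body; browsers normally do not render the body of a 302, but since the comment already says the body is not needed, `msg.setResponseBody("");` with the existing `setContentLength` call is the simplest way to avoid reflecting request content at all. The pre-existing `"302 OK"` status line is carried into the helper unchanged; `Found` is the conventional reason phrase, though clients key off the code. `onHttpRequestSend` continues past the end of the hunk.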

0 comments on commit 1f3d0e3
