diff --git a/CHANGELOG.md b/CHANGELOG.md index 30265f9fb..11ec92719 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed - Dialogue windows close properly when the Escape key is pressed [#71](https://github.com/zaproxy/zap-hud/issues/71) + - Sites upgraded to https fail if 'only in scope' switched on [#316](https://github.com/zaproxy/zap-hud/issues/316) ## [0.7.0] - 2019-10-07 diff --git a/src/main/java/org/zaproxy/zap/extension/hud/HttpUpgradeProxyListener.java b/src/main/java/org/zaproxy/zap/extension/hud/HttpUpgradeProxyListener.java index cadab4f9a..387bb3acc 100644 --- a/src/main/java/org/zaproxy/zap/extension/hud/HttpUpgradeProxyListener.java +++ b/src/main/java/org/zaproxy/zap/extension/hud/HttpUpgradeProxyListener.java @@ -30,6 +30,7 @@ import org.apache.log4j.Logger; import org.parosproxy.paros.core.proxy.OverrideMessageProxyListener; import org.parosproxy.paros.network.HttpHeader; +import org.parosproxy.paros.network.HttpMalformedHeaderException; import org.parosproxy.paros.network.HttpMessage; import org.parosproxy.paros.network.HttpResponseHeader; import org.zaproxy.zap.ZAP; @@ -55,32 +56,40 @@ public int getArrangeableListenerOrder() { return 0; } + private void redirectMessage(HttpMessage msg, String targetUrl) + throws HttpMalformedHeaderException { + msg.setResponseHeader( + HudAPI.getAllowFramingResponseHeader( + "302 OK", "text/html; charset=UTF-8", 0, false)); + msg.getResponseHeader().addHeader(HttpHeader.LOCATION, targetUrl); + // Don't strictly need the body + msg.setResponseBody("Redirecting to " + targetUrl + ""); + msg.getResponseHeader().setContentLength(msg.getResponseBody().length()); + LOG.debug("redirectMessage returning a 302 to " + targetUrl); + } + @Override public boolean onHttpRequestSend(HttpMessage msg) { if (this.extHud.isHudEnabled()) { - if (this.extHud.getHudParam().isInScopeOnly() && !msg.isInScope()) { - return false; - } try { + URI uri = msg.getRequestHeader().getURI(); + if (this.extHud.getHudParam().isInScopeOnly() && !msg.isInScope()) { + if (this.extHud.isUpgradedHttpsDomain(uri)) { + // 302 to the https version.. + this.extHud.removeUpgradedHttpsDomain(uri); + redirectMessage( + msg, uri.toString().replaceFirst("(?i)https://", "http://")); + return true; + } + return false; + } if (!msg.getRequestHeader().isSecure()) { // 302 to the https version.. - this.extHud.addUpgradedHttpsDomain(msg.getRequestHeader().getURI()); - msg.setResponseHeader( - HudAPI.getAllowFramingResponseHeader( - "302 OK", "text/html; charset=UTF-8", 0, false)); - String url = - msg.getRequestHeader() - .getURI() - .toString() - .replaceFirst("(?i)http://", "https://"); - msg.getResponseHeader().addHeader(HttpHeader.LOCATION, url); - // Don't strictly need the body - msg.setResponseBody("Redirecting to " + url + ""); - msg.getResponseHeader().setContentLength(msg.getResponseBody().length()); - LOG.debug("onHttpRequestSend returning a 302 to " + url); + this.extHud.addUpgradedHttpsDomain(uri); + redirectMessage(msg, uri.toString().replaceFirst("(?i)http://", "https://")); return true; } else { - if (this.extHud.isUpgradedHttpsDomain(msg.getRequestHeader().getURI())) { + if (this.extHud.isUpgradedHttpsDomain(uri)) { // Switch to using the HTTP version in the background msg.getRequestHeader().setSecure(false); }