From 9f84c1eab4edc20be165e9931ca90d3bfdf6dfde Mon Sep 17 00:00:00 2001 From: Simon Bennetts Date: Thu, 21 Nov 2019 17:23:57 +0000 Subject: [PATCH] Handle sites that fail when 'only in scope' switched on Fixes #316
---
 .../hud/HttpUpgradeProxyListener.java | 48 ++++++++++++-------
 1 file changed, 30 insertions(+), 18 deletions(-)
diff --git a/src/main/java/org/zaproxy/zap/extension/hud/HttpUpgradeProxyListener.java b/src/main/java/org/zaproxy/zap/extension/hud/HttpUpgradeProxyListener.java
index cadab4f9a..655f7eb9c 100644
--- a/src/main/java/org/zaproxy/zap/extension/hud/HttpUpgradeProxyListener.java
+++ b/src/main/java/org/zaproxy/zap/extension/hud/HttpUpgradeProxyListener.java
@@ -30,6 +30,7 @@
 import org.apache.log4j.Logger;
 import org.parosproxy.paros.core.proxy.OverrideMessageProxyListener;
 import org.parosproxy.paros.network.HttpHeader;
+import org.parosproxy.paros.network.HttpMalformedHeaderException;
 import org.parosproxy.paros.network.HttpMessage;
 import org.parosproxy.paros.network.HttpResponseHeader;
 import org.zaproxy.zap.ZAP;
@@ -55,32 +56,43 @@ public int getArrangeableListenerOrder() {
 return 0;
 }
 
+ private void redirectMessage(HttpMessage msg, String targetUrl)
+ throws HttpMalformedHeaderException {
+ msg.setResponseHeader(
+ HudAPI.getAllowFramingResponseHeader(
+ "302 OK", "text/html; charset=UTF-8", 0, false));
+ msg.getResponseHeader().addHeader(HttpHeader.LOCATION, targetUrl);
+ // Don't strictly need the body
+ msg.setResponseBody("Redirecting to " + targetUrl + "");
+ msg.getResponseHeader().setContentLength(msg.getResponseBody().length());
+ // TODO back to debug
+ LOG.info("redirectMessage returning a 302 to " + targetUrl);
+ }
+
 @Override
 public boolean onHttpRequestSend(HttpMessage msg) {
 if (this.extHud.isHudEnabled()) {
- if (this.extHud.getHudParam().isInScopeOnly() && !msg.isInScope()) {
- return false;
- }
 try {
+ URI uri = msg.getRequestHeader().getURI();
+ if (this.extHud.getHudParam().isInScopeOnly() && !msg.isInScope()) {
+ // TODO fix here?
+ // Hoping this works but failing to run npm on windows...
+ if (this.extHud.isUpgradedHttpsDomain(uri)) {
+ // 302 to the https version..
+ this.extHud.removeUpgradedHttpsDomain(uri);
+ redirectMessage(
+ msg, uri.toString().replaceFirst("(?i)https://", "http://"));
+ return true;
+ }
+ return false;
+ }
 if (!msg.getRequestHeader().isSecure()) {
 // 302 to the https version..
- this.extHud.addUpgradedHttpsDomain(msg.getRequestHeader().getURI());
- msg.setResponseHeader(
- HudAPI.getAllowFramingResponseHeader(
- "302 OK", "text/html; charset=UTF-8", 0, false));
- String url =
- msg.getRequestHeader()
- .getURI()
- .toString()
- .replaceFirst("(?i)http://", "https://");
- msg.getResponseHeader().addHeader(HttpHeader.LOCATION, url);
- // Don't strictly need the body
- msg.setResponseBody("Redirecting to " + url + "");
- msg.getResponseHeader().setContentLength(msg.getResponseBody().length());
- LOG.debug("onHttpRequestSend returning a 302 to " + url);
+ this.extHud.addUpgradedHttpsDomain(uri);
+ redirectMessage(msg, uri.toString().replaceFirst("(?i)http://", "https://"));
 return true;
 } else {
- if (this.extHud.isUpgradedHttpsDomain(msg.getRequestHeader().getURI())) {
+ if (this.extHud.isUpgradedHttpsDomain(uri)) {
 // Switch to using the HTTP version in the background
 msg.getRequestHeader().setSecure(false);
 }
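Review bot: The new `redirectMessage` helper at the top of the hunk builds a `text/html; charset=UTF-8` body by concatenating `targetUrl`, which comes straight from `uri.toString()` on the request header, with no HTML escaping, so request-controlled characters are echoed into a page the proxy itself serves. The adjacent comment already says the body is not strictly needed, so the simplest fix is to send none and rely on the `Location` header alone: `msg.setResponseBody("");` (the following `setContentLength` line then correctly yields 0). The same helper logs the full target URL at info level under a `// TODO back to debug`; URLs can carry query parameters and tokens, so restore `LOG.debug("redirectMessage returning a 302 to " + targetUrl);` before merging, and consider logging only scheme and host. In the new in-scope branch, `// TODO fix here?` and `// Hoping this works but failing to run npm on windows...` should be replaced by a comment stating the intent, e.g. `// Domain was upgraded to HTTPS earlier but is now out of scope: undo the upgrade and send the client back to HTTP`. `onHttpRequestSend` continues past the end of the hunk.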