Skip to content

Commit

Permalink
Add option to control on-domain messages
Browse files Browse the repository at this point in the history
  • Loading branch information
psiinon committed Dec 18, 2018
1 parent 12b4834 commit 3688dec
Show file tree
Hide file tree
Showing 7 changed files with 50 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]
- Add option to control on-domain messages.

### Fixed
- Fix bug where field alert flags don't show alert dialog. [#290](https://github.com/zaproxy/zap-hud/issues/290)
Expand Down
9 changes: 7 additions & 2 deletions src/main/java/org/zaproxy/zap/extension/hud/HudAPI.java
Original file line number Diff line number Diff line change
Expand Up @@ -442,8 +442,13 @@ protected String getFile(HttpMessage msg, String file) {
.isShowWelcomeScreen()))
.replace(
"<<TUTORIAL_URL>>",
this.extension.getTutorialUrl("", false))
.replace("<<ZAP_SHARED_SECRET>>", this.sharedSecret);
this.extension.getTutorialUrl("", false));
if (this.extension.getHudParam().isEnableOnDomainMsgs()) {
contents = contents.replace("<<ZAP_SHARED_SECRET>>", this.sharedSecret);
} else {
// In this case an empty secret is used to turn off this feature
contents = contents.replace("<<ZAP_SHARED_SECRET>>", "");
}
}
}

Expand Down
14 changes: 14 additions & 0 deletions src/main/java/org/zaproxy/zap/extension/hud/HudParam.java
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,8 @@ public class HudParam extends VersionedAbstractParam {
private static final String PARAM_TUTORIAL_TEST_MODE = PARAM_BASE_KEY + ".tutorialTestMode";
private static final String PARAM_TUTORIAL_TASKS = PARAM_BASE_KEY + ".tutorialTasks";
private static final String PARAM_SHOW_WELCOME_SCREEN = PARAM_BASE_KEY + ".showWelcomeScreen";
private static final String PARAM_ENABLE_ON_DOMAIN_MSGS =
PARAM_BASE_KEY + ".enableOnDomainMsgs";

/**
* The version of the configurations. Used to keep track of configurations changes between
Expand Down Expand Up @@ -77,6 +79,8 @@ public class HudParam extends VersionedAbstractParam {

private boolean showWelcomeScreen;

private boolean enableOnDomainMsgs;

private List<String> tutorialTasks;

private Logger log = Logger.getLogger(this.getClass());
Expand Down Expand Up @@ -172,6 +176,15 @@ public void setShowWelcomeScreen(boolean showWelcomeScreen) {
getConfig().setProperty(PARAM_SHOW_WELCOME_SCREEN, showWelcomeScreen);
}

public boolean isEnableOnDomainMsgs() {
return enableOnDomainMsgs;
}

public void setEnableOnDomainMsgs(boolean enableOnDomainMsgs) {
this.enableOnDomainMsgs = enableOnDomainMsgs;
getConfig().setProperty(PARAM_ENABLE_ON_DOMAIN_MSGS, enableOnDomainMsgs);
}

@Override
protected String getConfigVersionKey() {
return PARAM_BASE_KEY + VERSION_ATTRIBUTE;
Expand Down Expand Up @@ -202,6 +215,7 @@ protected void parseImpl() {
isTutorialTestMode = getConfig().getBoolean(PARAM_TUTORIAL_TEST_MODE, false);
tutorialTasks = convert(getConfig().getList(PARAM_TUTORIAL_TASKS));
showWelcomeScreen = getConfig().getBoolean(PARAM_SHOW_WELCOME_SCREEN, true);
enableOnDomainMsgs = getConfig().getBoolean(PARAM_ENABLE_ON_DOMAIN_MSGS, true);
}

private List<String> convert(List<Object> objs) {
Expand Down
14 changes: 14 additions & 0 deletions src/main/java/org/zaproxy/zap/extension/hud/OptionsHudPanel.java
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ public class OptionsHudPanel extends AbstractParamPanel {
private JCheckBox enabledForDesktop = null;
private JCheckBox enabledForDaemon = null;
private JCheckBox inScopeOnly = null;
private JCheckBox enableOnDomainMsgs = null;
private JCheckBox showWelcomeScreen = null;
private JCheckBox removeCsp = null;
private JCheckBox developmentMode = null;
Expand Down Expand Up @@ -84,6 +85,7 @@ public OptionsHudPanel(ExtensionHUD extension) {
panel.add(getEnabledForDaemon(), LayoutHelper.getGBC(0, ++i, 2, 1.0));
panel.add(getShowWelcomeScreen(), LayoutHelper.getGBC(0, ++i, 2, 1.0));
panel.add(getInScopeOnly(), LayoutHelper.getGBC(0, ++i, 2, 1.0));
panel.add(getEnableOnDomainMsgs(), LayoutHelper.getGBC(0, ++i, 2, 1.0));
panel.add(getRemoveCsp(), LayoutHelper.getGBC(0, ++i, 2, 1.0));
panel.add(getDevelopmentMode(), LayoutHelper.getGBC(0, ++i, 2, 1.0));
panel.add(directoryLabel, LayoutHelper.getGBC(0, ++i, 1, 1.0, new Insets(2, 2, 2, 2)));
Expand Down Expand Up @@ -130,6 +132,16 @@ private JCheckBox getInScopeOnly() {
return inScopeOnly;
}

private JCheckBox getEnableOnDomainMsgs() {
if (enableOnDomainMsgs == null) {
enableOnDomainMsgs =
new JCheckBox(
Constant.messages.getString(
"hud.optionspanel.label.enableOnDomainMsgs"));
}
return enableOnDomainMsgs;
}

private JCheckBox getShowWelcomeScreen() {
if (showWelcomeScreen == null) {
showWelcomeScreen =
Expand Down Expand Up @@ -194,6 +206,7 @@ public void initParam(Object obj) {
getEnabledForDaemon().setSelected(param.isEnabledForDaemon());
getBaseDirectory().setText(param.getBaseDirectory());
getInScopeOnly().setSelected(param.isInScopeOnly());
getEnableOnDomainMsgs().setSelected(param.isEnableOnDomainMsgs());
getShowWelcomeScreen().setSelected(param.isShowWelcomeScreen());
getRemoveCsp().setSelected(param.isRemoveCSP());
getSkipTutorialTasks().setSelected(param.isSkipTutorialTasks());
Expand Down Expand Up @@ -239,6 +252,7 @@ public void saveParam(Object obj) throws Exception {
param.setEnabledForDaemon(getEnabledForDaemon().isSelected());
param.setBaseDirectory(getBaseDirectory().getText());
param.setInScopeOnly(getInScopeOnly().isSelected());
param.setEnableOnDomainMsgs(getEnableOnDomainMsgs().isSelected());
param.setShowWelcomeScreen(getShowWelcomeScreen().isSelected());
param.setRemoveCSP(getRemoveCsp().isSelected());
param.setSkipTutorialTasks(getSkipTutorialTasks().isSelected());
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,15 @@ <h2>Enable the HUD only for URLs that are in scope</h2>
The plan is to expose this option via the HUD, but until that time if the option is enabled then you will
need to add URLs to the scope via the ZAP Desktop.

<h2>Enable on-domain messages</h2>

Allow messages to be sent from the target domain to the ZAP domain. This is needed for features such as showing the
number of hidden fields and displaying the alert associated with a specific field.
If you think that the target domain could be malicious then you can turn this option off.
The HUD does not trust any messages from the target domain but a malicious site could potentially do mildly annoying things such as
causing ZAP alerts to be displayed unexpectedly.
You will need to restart your browser after changing this setting in order for it to take effect.

<h2>Remove CSP from target pages</h2>

The HUD will not currently work if a strong CSP policy is used in target web sites.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ hud.optionspanel.button.baseDirectory = Change
hud.optionspanel.label.baseDirectory = Base Directory:
hud.optionspanel.label.enabledForDesktop = Enable when using the ZAP Desktop
hud.optionspanel.label.enabledForDaemon = Enable when using ZAP in daemon mode
hud.optionspanel.label.enableOnDomainMsgs = Enable on-domain messages
hud.optionspanel.label.inScopeOnly = Enable the HUD only for URLs that are in scope
hud.optionspanel.label.showWelcomeScreen = Show the HUD welcome screen when a browser is opened
hud.optionspanel.label.removeCsp = Remove CSP from target pages
Expand Down
6 changes: 4 additions & 2 deletions src/main/zapHomeFiles/hud/management.js
Original file line number Diff line number Diff line change
Expand Up @@ -110,8 +110,10 @@ function windowMessageListener(event) {
if (! event.data.hasOwnProperty('sharedSecret')) {
utils.log(LOG_WARN, 'management.receiveMessage', 'Message without sharedSecret rejected');
return;
}
if (event.data.sharedSecret === ZAP_SHARED_SECRET) {
} else if ("" === ZAP_SHARED_SECRET) {
// A blank secret is used to indicate that this functionality is turned off
utils.log(LOG_DEBUG, 'management.receiveMessage', 'Message from target domain ignored as on-domain messaging has been switched off');
} else if (event.data.sharedSecret === ZAP_SHARED_SECRET) {
navigator.serviceWorker.controller.postMessage(event.data);
} else {
utils.log(LOG_WARN, 'management.receiveMessage', 'Message with incorrect sharedSecret rejected ' + event.data.sharedSecret);
Expand Down

0 comments on commit 3688dec

Please sign in to comment.