Handle sites that fail when 'only in scope' switched on #638

Merged
merged 1 commit into from
Nov 22, 2019
Merged
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Fixed
- Dialogue windows close properly when the Escape key is pressed [#71](https://github.com/zaproxy/zap-hud/issues/71)
- Sites upgraded to https fail if 'only in scope' switched on [#316](https://github.com/zaproxy/zap-hud/issues/316)

## [0.7.0] - 2019-10-07

Expand Up @@ -30,6 +30,7 @@
import org.apache.log4j.Logger;
import org.parosproxy.paros.core.proxy.OverrideMessageProxyListener;
import org.parosproxy.paros.network.HttpHeader;
import org.parosproxy.paros.network.HttpMalformedHeaderException;
import org.parosproxy.paros.network.HttpMessage;
import org.parosproxy.paros.network.HttpResponseHeader;
import org.zaproxy.zap.ZAP;
Expand All @@ -55,32 +56,40 @@ public int getArrangeableListenerOrder() {
return 0;
}

private void redirectMessage(HttpMessage msg, String targetUrl)
throws HttpMalformedHeaderException {
msg.setResponseHeader(
HudAPI.getAllowFramingResponseHeader(
"302 OK", "text/html; charset=UTF-8", 0, false));
msg.getResponseHeader().addHeader(HttpHeader.LOCATION, targetUrl);
// Don't strictly need the body
msg.setResponseBody("<html><body>Redirecting to " + targetUrl + "</body></html>");
msg.getResponseHeader().setContentLength(msg.getResponseBody().length());
LOG.debug("redirectMessage returning a 302 to " + targetUrl);
}

@Override
public boolean onHttpRequestSend(HttpMessage msg) {
if (this.extHud.isHudEnabled()) {
if (this.extHud.getHudParam().isInScopeOnly() && !msg.isInScope()) {
return false;
}
try {
URI uri = msg.getRequestHeader().getURI();
if (this.extHud.getHudParam().isInScopeOnly() && !msg.isInScope()) {
if (this.extHud.isUpgradedHttpsDomain(uri)) {
// 302 to the original http version..
this.extHud.removeUpgradedHttpsDomain(uri);
redirectMessage(
msg, uri.toString().replaceFirst("(?i)https://", "http://"));
return true;
}
return false;
}
if (!msg.getRequestHeader().isSecure()) {
// 302 to the https version..
this.extHud.addUpgradedHttpsDomain(msg.getRequestHeader().getURI());
msg.setResponseHeader(
HudAPI.getAllowFramingResponseHeader(
"302 OK", "text/html; charset=UTF-8", 0, false));
String url =
msg.getRequestHeader()
.getURI()
.toString()
.replaceFirst("(?i)http://", "https://");
msg.getResponseHeader().addHeader(HttpHeader.LOCATION, url);
// Don't strictly need the body
msg.setResponseBody("<html><body>Redirecting to " + url + "</body></html>");
msg.getResponseHeader().setContentLength(msg.getResponseBody().length());
LOG.debug("onHttpRequestSend returning a 302 to " + url);
this.extHud.addUpgradedHttpsDomain(uri);
redirectMessage(msg, uri.toString().replaceFirst("(?i)http://", "https://"));
return true;
} else {
if (this.extHud.isUpgradedHttpsDomain(msg.getRequestHeader().getURI())) {
if (this.extHud.isUpgradedHttpsDomain(uri)) {
// Switch to using the HTTP version in the background
msg.getRequestHeader().setSecure(false);
}
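Review bot: The new redirectMessage helper at the top of the hunk concatenates targetUrl into a text/html body without HTML-escaping it, and targetUrl is derived from the request URI, so the 302 response reflects request-controlled text into a page served with the HUD's allow-framing headers. This is probably inert as long as `uri.toString()` yields the escaped form of the URI, but nothing in the hunk pins that down, and the comment already notes the body isn't needed; the safe form is `msg.setResponseBody("");` in place of the HTML string, with the setContentLength line kept as is. If a visible body is wanted, escape targetUrl before concatenation instead. A smaller tightening for both scheme swaps is to anchor the patterns, `"(?i)^https://"` and `"(?i)^http://"`, so the replacement can only ever touch the scheme. onHttpRequestSend continues past the end of the hunk, so the rest of the else branch is not reviewed here.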