/*
* Zed Attack Proxy (ZAP) and its related class files.
*
* ZAP is an HTTP/HTTPS proxy for assessing web application security.
*
* Copyright 2011 The ZAP Development Team
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.zaproxy.zap.extension.api;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Locale;
import org.apache.commons.httpclient.URI;
import org.parosproxy.paros.Constant;
import org.parosproxy.paros.model.Model;
import org.parosproxy.paros.network.HttpHeader;
import org.zaproxy.zap.extension.api.API.Format;
import org.zaproxy.zap.extension.api.API.RequestType;
/**
 * Renders the HTML pages of the ZAP API web UI: the component index, the
 * per-component endpoint listing, the single-endpoint page and the basic home
 * page. All markup is assembled by appending to a {@link StringBuilder}; the
 * text comes from {@code Constant.messages} and from the names registered on
 * the {@link ApiImplementor}s, with request-supplied endpoint names resolved
 * (and rejected if unknown) through {@link #getElement} before anything about
 * them is rendered.
 */
public class WebUI {
// The API whose registered implementors are listed on the component index.
private API api;
/*
 * Development-only switch. When true, the shortcuts section is rendered even
 * if the API key is neither disabled nor auto-filled (see the guard in
 * handleRequest). It must stay false in released builds: shortcuts are only
 * meant to be shown when they work without the user adding a key/nonce.
 */
private boolean isDevTestNonce = false; // Manually change here to test nonces with the web UI
// Paths of the two endpoints linked from the home page with a long-lived nonce attached.
private static final String PAC_FILE_API_PATH = "/OTHER/network/other/proxy.pac/";
private static final String ROOT_CA_CERT_API_PATH = "/OTHER/network/other/rootCaCert/";
/** @param api the API whose implementors this UI renders. */
public WebUI(API api) {
this.api = api;
}
/**
 * Looks up the endpoint called {@code name} of kind {@code reqType} on
 * {@code impl}. The request-supplied name is only ever compared against the
 * names of registered elements; callers render the returned element's own
 * name, never the raw request value.
 *
 * @param impl the implementor whose endpoint lists are searched
 * @param name the endpoint name taken from the request; {@code null} is rejected
 * @param reqType selects which endpoint list is searched
 * @return the matching action, other, view or persistent connection
 * @throws ApiException {@code BAD_ACTION}, {@code BAD_OTHER}, {@code BAD_VIEW}
 *     or {@code BAD_PCONN} when no element of that kind has the given name;
 *     {@code BAD_TYPE} when {@code name} is {@code null} or {@code reqType}
 *     is none of the four kinds handled here
 */
private ApiElement getElement(ApiImplementor impl, String name, RequestType reqType)
throws ApiException {
if (RequestType.action.equals(reqType) && name != null) {
// Action form
List actionList = impl.getApiActions();
ApiAction action = null;
for (ApiAction act : actionList) {
if (name.equals(act.getName())) {
action = act;
break;
}
}
if (action == null) {
throw new ApiException(ApiException.Type.BAD_ACTION);
}
return action;
} else if (RequestType.other.equals(reqType) && name != null) {
// Other form
List otherList = impl.getApiOthers();
ApiOther other = null;
for (ApiOther oth : otherList) {
if (name.equals(oth.getName())) {
other = oth;
break;
}
}
if (other == null) {
throw new ApiException(ApiException.Type.BAD_OTHER);
}
return other;
} else if (RequestType.view.equals(reqType) && name != null) {
List viewList = impl.getApiViews();
ApiView view = null;
for (ApiView v : viewList) {
if (name.equals(v.getName())) {
view = v;
break;
}
}
if (view == null) {
throw new ApiException(ApiException.Type.BAD_VIEW);
}
return view;
} else if (RequestType.pconn.equals(reqType) && name != null) {
List pconnList = impl.getApiPersistentConnections();
ApiPersistentConnection pconn = null;
for (ApiPersistentConnection pc : pconnList) {
if (name.equals(pc.getName())) {
pconn = pc;
break;
}
}
if (pconn == null) {
throw new ApiException(ApiException.Type.BAD_PCONN);
}
return pconn;
} else {
// Reached for an unknown request type and also whenever name is null.
throw new ApiException(ApiException.Type.BAD_TYPE);
}
}
/**
 * Appends one table row per element, ordered by element name. Note that this
 * sorts {@code elementList} in place. Each row shows the element's name, its
 * parameters (required ones marked with {@code *}), a deprecation notice when
 * the element is deprecated, and the localized description when a message
 * exists for the element's description tag.
 *
 * NOTE(review): {@code component} and {@code type} are not referenced in the
 * body as listed here; presumably they form part of each row's link target —
 * confirm against the original source.
 */
private void appendElements(
StringBuilder sb, String component, String type, List elementList) {
Collections.sort(
elementList,
new Comparator() {
@Override
public int compare(ApiElement ae1, ApiElement ae2) {
return ae1.getName().compareTo(ae2.getName());
}
});
sb.append("\n\n");
for (ApiElement element : elementList) {
sb.append("");
sb.append("");
sb.append("");
sb.append(element.getName());
if (!element.getParameters().isEmpty()) {
sb.append(" (");
for (ApiParameter parameter : element.getParameters()) {
sb.append(parameter.getName());
if (parameter.isRequired()) {
sb.append('*');
}
sb.append(' ');
}
sb.append(") ");
}
sb.append("");
sb.append(" ");
if (element.isDeprecated()) {
sb.append(Constant.messages.getString("api.html.deprecated.endpoint"));
sb.append("
");
// The element-specific deprecation text is optional.
String text = element.getDeprecatedDescription();
if (text != null && !text.isEmpty()) {
sb.append(text);
sb.append("
");
}
}
// A missing message key yields an empty description cell rather than an error.
String descTag = element.getDescriptionTag();
if (Constant.messages.containsKey(descTag)) {
sb.append(Constant.messages.getString(descTag));
} else {
// Uncomment to see what tags are missing via the UI
// sb.append(descTag);
}
sb.append(" ");
sb.append(" \n");
}
sb.append("
\n");
}
/**
 * Appends one table row per shortcut in natural order. Note that this sorts
 * {@code shortcutList} in place. Only invoked from handleRequest when the
 * shortcuts will work without the user adding a key/nonce.
 *
 * NOTE(review): {@code component} is not referenced in the body as listed
 * here; presumably it forms part of each row's link target — confirm against
 * the original source.
 */
private void appendShortcuts(StringBuilder sb, String component, List shortcutList) {
Collections.sort(shortcutList);
sb.append("\n\n");
for (String shortcut : shortcutList) {
sb.append("");
sb.append("");
sb.append("");
sb.append(shortcut);
sb.append("");
sb.append(" ");
sb.append(" ");
sb.append(" \n");
}
sb.append("
\n");
}
/**
 * Builds the HTML page for a request that targets the web UI.
 *
 * <ul>
 *   <li>{@code impl == null}: the component index, listing every registered
 *       implementor sorted by prefix together with its description.</li>
 *   <li>{@code impl != null} and {@code name == null}: the component page
 *       with its views, actions, others and persistent connections, plus its
 *       shortcuts only when the API key is disabled, auto-filled, or
 *       {@code isDevTestNonce} is set.</li>
 *   <li>{@code impl != null} and {@code name != null}: the page for a single
 *       endpoint, resolved and validated through {@link #getElement}.</li>
 * </ul>
 *
 * @param component the component prefix shown in the page heading; it is
 *     rendered only when {@code impl} is non-null, and is presumably the
 *     prefix that selected {@code impl} — confirm at the call site in {@link API}
 * @param impl the implementor selected by the request, or {@code null} for the index
 * @param reqType the kind of endpoint requested; consulted only when
 *     {@code name} is non-null
 * @param name the endpoint name, or {@code null} for the component page
 * @return the complete HTML document
 * @throws ApiException when {@code name} does not resolve, see {@link #getElement}
 */
public String handleRequest(
String component, ApiImplementor impl, RequestType reqType, String name)
throws ApiException {
// Generate HTML UI
StringBuilder sb = new StringBuilder();
sb.append("\n");
sb.append("\n");
sb.append("");
sb.append(Constant.messages.getString("api.html.title"));
sb.append(" \n");
/* The script version prevents the cache being used if ZAP has been updated in the same day */
sb.append(
"\n");
sb.append("\n");
sb.append("\n");
sb.append("");
sb.append("");
sb.append(Constant.messages.getString("api.html.title"));
sb.append("");
sb.append("
\n");
if (impl != null) {
sb.append("");
sb.append("");
sb.append(Constant.messages.getString("api.html.component"));
sb.append(component);
sb.append("");
sb.append("
\n");
if (name != null) {
// Validates the request-supplied name; the page renders element.getName(), not name.
ApiElement element = this.getElement(impl, name, reqType);
sb.append("");
sb.append(Constant.messages.getString("api.html." + reqType.name()));
sb.append(element.getName());
sb.append("
\n");
String descTag = element.getDescriptionTag();
if (Constant.messages.containsKey(descTag)) {
sb.append(Constant.messages.getString(descTag));
}
sb.append("\n\n");
} else {
if (Constant.messages.containsKey(impl.getDescriptionKey())) {
sb.append("\n");
sb.append(Constant.messages.getString(impl.getDescriptionKey()));
sb.append("\n
\n");
}
// Each section copies the implementor's list into a fresh list because
// appendElements sorts its argument in place.
List elementList = new ArrayList<>();
List viewList = impl.getApiViews();
if (viewList != null && viewList.size() > 0) {
sb.append("");
sb.append(Constant.messages.getString("api.html.views"));
sb.append("
\n");
elementList.addAll(viewList);
this.appendElements(sb, component, RequestType.view.name(), elementList);
}
List actionList = impl.getApiActions();
if (actionList != null && actionList.size() > 0) {
sb.append("");
sb.append(Constant.messages.getString("api.html.actions"));
sb.append("
\n");
elementList = new ArrayList<>();
elementList.addAll(actionList);
this.appendElements(sb, component, RequestType.action.name(), elementList);
}
List otherList = impl.getApiOthers();
if (otherList != null && otherList.size() > 0) {
sb.append("");
sb.append(Constant.messages.getString("api.html.others"));
sb.append("
\n");
elementList = new ArrayList<>();
elementList.addAll(otherList);
this.appendElements(sb, component, RequestType.other.name(), elementList);
}
List pconnList = impl.getApiPersistentConnections();
if (pconnList != null && pconnList.size() > 0) {
sb.append("");
sb.append(Constant.messages.getString("api.html.pconns"));
sb.append("
\n");
elementList = new ArrayList<>();
elementList.addAll(pconnList);
this.appendElements(sb, component, RequestType.pconn.name(), elementList);
}
if (getOptionsParamApi().isDisableKey()
|| getOptionsParamApi().isAutofillKey()
|| this.isDevTestNonce) {
// Only show shortcuts if they will work without the user having to add a
// key/nonce
List shortcutList = impl.getApiShortcuts();
if (shortcutList != null && shortcutList.size() > 0) {
sb.append("");
sb.append(Constant.messages.getString("api.html.shortcuts"));
sb.append("
\n");
// NOTE(review): elementList is rebuilt from otherList here but never used
// afterwards (appendShortcuts takes shortcutList). Besides being dead code,
// addAll(otherList) throws NullPointerException when getApiOthers() returned
// null, a case the "others" section above explicitly guards against.
elementList = new ArrayList<>();
elementList.addAll(otherList);
this.appendShortcuts(sb, component, shortcutList);
}
}
}
} else {
// Component index: every registered implementor, sorted by prefix.
sb.append("");
sb.append(Constant.messages.getString("api.html.components"));
sb.append("
\n");
List components = new ArrayList<>(api.getImplementors().values());
Collections.sort(components, Comparator.comparing(ApiImplementor::getPrefix));
sb.append("\n");
for (ApiImplementor cmp : components) {
sb.append("");
sb.append("");
sb.append("");
sb.append(cmp.getPrefix());
sb.append("");
sb.append(" ");
sb.append("");
// Description is optional; a missing message key leaves the cell empty.
if (Constant.messages.containsKey(cmp.getDescriptionKey())) {
sb.append(Constant.messages.getString(cmp.getDescriptionKey()));
}
sb.append(" ");
sb.append(" \n");
}
sb.append("
\n");
}
sb.append("\n");
return sb.toString();
}
/**
 * Appends one table row per parameter: its name (required ones marked with
 * {@code *}) and the localized description when a message exists for the
 * parameter's description key.
 *
 * NOTE(review): not called from any method of this class as listed here.
 */
private static void appendParams(StringBuilder sb, List params) {
for (ApiParameter param : params) {
sb.append("");
sb.append("");
sb.append(param.getName());
if (param.isRequired()) {
sb.append('*');
}
sb.append(" ");
sb.append("");
sb.append("");
sb.append(" ");
String descKey = param.getDescriptionKey();
if (Constant.messages.containsKey(descKey)) {
sb.append(Constant.messages.getString(descKey));
}
sb.append(" ");
sb.append(" \n");
}
}
/**
 * Builds the basic home page: the top message, links to the proxy PAC file
 * and the root CA certificate (each carrying a long-lived nonce, see
 * {@link #getApiPathWithNonceParam}), and the links section, whose text
 * depends on whether the API is enabled.
 *
 * @param uri the requested URI; not used in the body as listed here
 * @param apiEnabled selects the "api enabled" or "api disabled" links message
 * @return the complete HTML document
 */
public String handleRequest(URI uri, boolean apiEnabled) {
// Right now just generate a basic home page
StringBuilder sb = new StringBuilder();
sb.append("\n");
sb.append("");
sb.append(Constant.messages.getString("api.html.title"));
sb.append(" \n");
sb.append("\n");
sb.append("\n");
sb.append(Constant.messages.getString("api.home.topmsg"));
sb.append(
Constant.messages.getString(
"api.home.proxypac", getApiPathWithNonceParam(PAC_FILE_API_PATH)));
sb.append(
Constant.messages.getString(
"api.home.cacert", getApiPathWithNonceParam(ROOT_CA_CERT_API_PATH)));
sb.append(Constant.messages.getString("api.home.links.header"));
if (apiEnabled) {
sb.append(Constant.messages.getString("api.home.links.api.enabled"));
} else {
sb.append(Constant.messages.getString("api.home.links.api.disabled"));
}
sb.append(Constant.messages.getString("api.home.links.online"));
sb.append("\n");
return sb.toString();
}
/**
 * Returns {@code path} with the long-lived nonce for that path appended as
 * the {@code API.API_NONCE_PARAM} query parameter. Presumably this lets the
 * home page links reach those endpoints without the caller supplying the API
 * key — confirm in {@link API}. Because the nonce is embedded in the served
 * page, the home page itself carries an access token and should be handled
 * accordingly (not cached or logged in full).
 *
 * @param path the API path to link to
 * @return the path with the nonce query parameter appended
 */
private static String getApiPathWithNonceParam(String path) {
return path + '?' + API.API_NONCE_PARAM + '=' + API.getInstance().getLongLivedNonce(path);
}
/** The API options (key handling, etc.) read from the model singleton. */
private OptionsParamApi getOptionsParamApi() {
return Model.getSingleton().getOptionsParam().getApiParam();
}
}