The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

/*
 * Zed Attack Proxy (ZAP) and its related class files.
 *
 * ZAP is an HTTP/HTTPS proxy for assessing web application security.
 *
 * Copyright 2011 The ZAP Development Team
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.zaproxy.zap.extension.api;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import org.apache.commons.httpclient.URI;
import org.parosproxy.paros.Constant;
import org.parosproxy.paros.model.Model;
import org.zaproxy.zap.extension.api.API.Format;
import org.zaproxy.zap.extension.api.API.RequestType;

public class WebUI {

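    /** Registry of API implementors whose components and endpoints this UI renders. */
    private final API api;

    /**
     * Development-only toggle. When true, generated forms for {@code other} endpoints carry a
     * nonce parameter instead of the API key, and shortcuts are listed even when the key is
     * neither disabled nor auto-filled. It is intended to be flipped by hand only while testing
     * nonce handling through the web UI.
     */
    private boolean isDevTestNonce = false; // Manually change here to test nonces with the web UI

    /**
     * Creates a web UI bound to the given API registry.
     *
     * @param api the API whose implementors are rendered; must not be null
     * @throws NullPointerException if {@code api} is null
     */
    public WebUI(API api) {
        // Fail fast: a null registry would otherwise only surface as an NPE while rendering.
        this.api = Objects.requireNonNull(api, "api");
    }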

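    /**
     * Looks up the named endpoint of the given request type on an implementor.
     *
     * <p>Only the {@code action}, {@code other}, {@code view} and {@code pconn} request types are
     * resolvable. Any other type, a null type, or a null name is reported as
     * {@link ApiException.Type#BAD_TYPE}.
     *
     * @param impl the implementor whose endpoints are searched
     * @param name the endpoint name as requested by the client
     * @param reqType the kind of endpoint being requested
     * @return the matching element, never null
     * @throws ApiException with {@code BAD_ACTION}, {@code BAD_OTHER}, {@code BAD_VIEW} or
     *     {@code BAD_PCONN} when no endpoint of that name exists for the type, and
     *     {@code BAD_TYPE} when the type is unsupported or the name is missing
     */
    private ApiElement getElement(ApiImplementor impl, String name, RequestType reqType)
            throws ApiException {
        // A missing name or type is not a "not found" of any specific kind.
        if (name == null || reqType == null) {
            throw new ApiException(ApiException.Type.BAD_TYPE);
        }
        switch (reqType) {
            case action:
                return findByName(impl.getApiActions(), name, ApiException.Type.BAD_ACTION);
            case other:
                return findByName(impl.getApiOthers(), name, ApiException.Type.BAD_OTHER);
            case view:
                return findByName(impl.getApiViews(), name, ApiException.Type.BAD_VIEW);
            case pconn:
                return findByName(
                        impl.getApiPersistentConnections(), name, ApiException.Type.BAD_PCONN);
            default:
                throw new ApiException(ApiException.Type.BAD_TYPE);
        }
    }

    /**
     * Returns the first element of {@code elements} whose name equals {@code name}.
     *
     * @param elements the candidates, in the implementor's own order
     * @param name the name to match exactly (case-sensitive, as sent by the client)
     * @param notFound the error type raised when nothing matches
     * @return the first element with that name
     * @throws ApiException of type {@code notFound} if no element has that name
     */
    private static <T extends ApiElement> T findByName(
            List<? extends T> elements, String name, ApiException.Type notFound)
            throws ApiException {
        for (T element : elements) {
            if (name.equals(element.getName())) {
                return element;
            }
        }
        throw new ApiException(notFound);
    }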

    private void appendElements(
            StringBuilder sb, String component, String type, List elementList) {
        Collections.sort(
                elementList,
                new Comparator() {
                    @Override
                    public int compare(ApiElement ae1, ApiElement ae2) {
                        return ae1.getName().compareTo(ae2.getName());
                    }
                });

        sb.append("\n\n");
        for (ApiElement element : elementList) {
            List mandatoryParams = element.getMandatoryParamNames();
            List optionalParams = element.getOptionalParamNames();
            sb.append("");
            sb.append("");

            sb.append("\n");
        }
        sb.append("
"); sb.append(""); sb.append(element.getName()); if (mandatoryParams != null || optionalParams != null) { sb.append(" ("); if (mandatoryParams != null) { for (String param : mandatoryParams) { sb.append(param); sb.append("* "); } } if (optionalParams != null) { for (String param : optionalParams) { sb.append(param); sb.append(" "); } } sb.append(") "); } sb.append(""); sb.append(""); if (element.isDeprecated()) { sb.append(Constant.messages.getString("api.html.deprecated.endpoint")); sb.append("
"); String text = element.getDeprecatedDescription(); if (text != null && !text.isEmpty()) { sb.append(text); sb.append("
"); } } String descTag = element.getDescriptionTag(); if (descTag == null) { // This is the default, but it can be overriden by the getDescriptionTag method if // required descTag = component + ".api." + type + "." + element.getName(); } if (Constant.messages.containsKey(descTag)) { sb.append(Constant.messages.getString(descTag)); } else { // Uncomment to see what tags are missing via the UI // sb.append(descTag); } sb.append("
\n"); } private void appendShortcuts(StringBuilder sb, String component, List shortcutList) { Collections.sort(shortcutList); sb.append("\n\n"); for (String shortcut : shortcutList) { sb.append(""); sb.append(""); sb.append("\n"); } sb.append("
"); sb.append(""); sb.append(shortcut); sb.append(""); sb.append(""); sb.append("
\n"); } public String handleRequest( String component, ApiImplementor impl, RequestType reqType, String name) throws ApiException { // Generate HTML UI StringBuilder sb = new StringBuilder(); sb.append("\n"); sb.append("\n"); sb.append(""); sb.append(Constant.messages.getString("api.html.title")); sb.append("\n"); /* The script version prevents the cache being used if ZAP has been updated in the same day */ sb.append( "\n"); sb.append("\n"); sb.append("\n"); sb.append("

"); sb.append(""); sb.append(Constant.messages.getString("api.html.title")); sb.append(""); sb.append("

\n"); if (impl != null) { sb.append("

"); sb.append(""); sb.append(Constant.messages.getString("api.html.component")); sb.append(component); sb.append(""); sb.append("

\n"); if (name != null) { ApiElement element = this.getElement(impl, name, reqType); List mandatoryParams = element.getMandatoryParamNames(); List optionalParams = element.getOptionalParamNames(); sb.append("

"); sb.append(Constant.messages.getString("api.html." + reqType.name())); sb.append(element.getName()); sb.append("

\n"); // Handle the (optional) description String descTag = element.getDescriptionTag(); if (descTag == null) { // This is the default, but it can be overriden by the getDescriptionTag method // if required descTag = component + ".api." + reqType.name() + "." + name; } if (Constant.messages.containsKey(descTag)) { sb.append(Constant.messages.getString(descTag)); } sb.append("\n
"); sb.append("\n"); if (!RequestType.other.equals(reqType)) { sb.append("\n"); } if (RequestType.action.equals(reqType) || RequestType.other.equals(reqType) || !getOptionsParamApi().isNoKeyForSafeOps()) { String keyType = API.API_KEY_PARAM; if (this.isDevTestNonce && RequestType.other.equals(reqType)) { // We can use nonces as we know the return type keyType = API.API_NONCE_PARAM; } if (!getOptionsParamApi().isDisableKey()) { sb.append(""); sb.append(""); sb.append(""); sb.append("\n"); } sb.append(""); sb.append(""); sb.append(""); sb.append("\n"); } if (mandatoryParams != null) { for (String param : mandatoryParams) { sb.append(""); sb.append(""); sb.append(""); sb.append("\n"); } } if (optionalParams != null) { for (String param : optionalParams) { sb.append(""); sb.append(""); sb.append(""); sb.append("\n"); } } sb.append(""); sb.append(""); sb.append(""); sb.append("\n"); sb.append("
"); sb.append(Constant.messages.getString("api.html.format")); sb.append("\n"); sb.append("\n"); sb.append("
"); sb.append(keyType); sb.append("*"); sb.append(""); sb.append("
"); sb.append(Constant.messages.getString("api.html.formMethod")); sb.append(""); sb.append("\n"); sb.append("
"); sb.append(param); sb.append("*"); sb.append(""); sb.append("
"); sb.append(param); sb.append(""); sb.append(""); sb.append("
"); sb.append(""); sb.append("\n"); sb.append("
\n"); sb.append("
\n"); } else { List elementList = new ArrayList<>(); List viewList = impl.getApiViews(); if (viewList != null && viewList.size() > 0) { sb.append("

"); sb.append(Constant.messages.getString("api.html.views")); sb.append("

\n"); elementList.addAll(viewList); this.appendElements(sb, component, RequestType.view.name(), elementList); } List actionList = impl.getApiActions(); if (actionList != null && actionList.size() > 0) { sb.append("

"); sb.append(Constant.messages.getString("api.html.actions")); sb.append("

\n"); elementList = new ArrayList<>(); elementList.addAll(actionList); this.appendElements(sb, component, RequestType.action.name(), elementList); } List otherList = impl.getApiOthers(); if (otherList != null && otherList.size() > 0) { sb.append("

"); sb.append(Constant.messages.getString("api.html.others")); sb.append("

\n"); elementList = new ArrayList<>(); elementList.addAll(otherList); this.appendElements(sb, component, RequestType.other.name(), elementList); } List pconnList = impl.getApiPersistentConnections(); if (pconnList != null && pconnList.size() > 0) { sb.append("

"); sb.append(Constant.messages.getString("api.html.pconns")); sb.append("

\n"); elementList = new ArrayList<>(); elementList.addAll(pconnList); this.appendElements(sb, component, RequestType.pconn.name(), elementList); } if (getOptionsParamApi().isDisableKey() || getOptionsParamApi().isAutofillKey() || this.isDevTestNonce) { // Only show shortcuts if they will work without the user having to add a // key/nonce List shortcutList = impl.getApiShortcuts(); if (shortcutList != null && shortcutList.size() > 0) { sb.append("

"); sb.append(Constant.messages.getString("api.html.shortcuts")); sb.append("

\n"); elementList = new ArrayList<>(); elementList.addAll(otherList); this.appendShortcuts(sb, component, shortcutList); } } } } else { sb.append("

"); sb.append(Constant.messages.getString("api.html.components")); sb.append("

\n"); ArrayList components = new ArrayList(api.getImplementors().keySet()); Collections.sort(components); sb.append("\n"); for (String cmp : components) { sb.append(""); sb.append(""); sb.append("\n"); } sb.append("
"); sb.append(""); sb.append(cmp); sb.append(""); sb.append("
\n"); } sb.append("\n"); return sb.toString(); } public String handleRequest(URI uri, boolean apiEnabled) { // Right now just generate a basic home page StringBuilder sb = new StringBuilder(); sb.append("\n"); sb.append(""); sb.append(Constant.messages.getString("api.html.title")); sb.append("\n"); sb.append("\n"); sb.append("\n"); sb.append(Constant.messages.getString("api.home.topmsg")); sb.append( Constant.messages.getString( "api.home.proxypac", "/?" + API.API_NONCE_PARAM + "=" + API.getInstance() .getLongLivedNonce("/OTHER/core/other/proxy.pac/"))); sb.append(Constant.messages.getString("api.home.links.header")); if (apiEnabled) { sb.append(Constant.messages.getString("api.home.links.api.enabled")); } else { sb.append(Constant.messages.getString("api.home.links.api.disabled")); } sb.append(Constant.messages.getString("api.home.links.online")); sb.append("\n"); return sb.toString(); } private OptionsParamApi getOptionsParamApi() { return Model.getSingleton().getOptionsParam().getApiParam(); } }



