The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration-testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
/*
*
* Paros and its related class files.
*
* Paros is an HTTP/HTTPS proxy for assessing web application security.
* Copyright (C) 2003-2004 Chinotec Technologies Company
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the Clarified Artistic License
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* Clarified Artistic License for more details.
*
* You should have received a copy of the Clarified Artistic License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
// ZAP: 2012/01/02 Separate param and attack
// ZAP: 2012/04/25 Added @Override annotation to all appropriate methods and
// removed unnecessary cast.
// ZAP: 2013/01/23 Clean up of exception handling/logging.
// ZAP: 2013/03/03 Issue 547: Deprecate unused classes and methods
// ZAP: 2013/05/02 Re-arranged all modifiers into Java coding standard order
// ZAP: 2013/07/12 Issue 713: Add CWE and WASC numbers to issues
// ZAP: 2019/06/01 Normalise line endings.
// ZAP: 2019/06/05 Normalise format/style.
package org.parosproxy.paros.core.scanner;
import java.util.Objects;
import java.util.Vector;
import java.util.regex.Pattern;
import org.apache.commons.httpclient.URI;
import org.apache.commons.httpclient.URIException;
import org.apache.log4j.Logger;
import org.parosproxy.paros.network.HttpMessage;
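/**
 * Base class for host plugins that probe a fixed list of "default" files and directories.
 *
 * <p>Subclasses register comma-separated directory and file names through {@link #addTest(String,
 * String)}; {@link #scan()} then requests each resulting URI below the base URI of the target host
 * and raises a medium-risk / low-confidence alert whenever {@link #isFileExist(HttpMessage)}
 * reports a hit.
 *
 * @deprecated No longer used/needed (FilePlugins were replaced with Forced Browse). It will be
 *     removed in a future release.
 */
@Deprecated
public abstract class AbstractDefaultFilePlugin extends AbstractHostPlugin {

    private static final Logger logger = Logger.getLogger(AbstractDefaultFilePlugin.class);

    /** Separator of the comma-separated directory and file lists handed to {@link #addTest}. */
    private static final Pattern patternItems = Pattern.compile(",");

    // Parallel arrays: an occurrence of SPECIAL_TAG_LIST[i] in a directory list is expanded to the
    // comma-separated alternatives in TAG_REPLACE_LIST[i].
    private static final String[] SPECIAL_TAG_LIST = {"@cgibin"};
    private static final String[] TAG_REPLACE_LIST = {
        "cgi-bin,cgi-local,htbin,cgi,cgis,cgi-win,bin,scripts"
    };

    /** URI of the host's base message; {@code null} until {@link #init()} has run. */
    private URI baseURI = null;

    /** URIs to probe, in registration order. */
    private Vector<URI> listURI = new Vector<>();

    /**
     * Registers every directory/file combination as a URI to probe during {@link #scan()}.
     *
     * <p>Both arguments are comma-separated lists; items are trimmed and a missing leading slash
     * is added to each directory. The special tag {@code @cgibin} in {@code directories} expands
     * to the usual CGI directory names. Entries that do not form a valid URI are skipped and
     * logged at debug level so one bad entry does not discard the rest of the list.
     *
     * <p>Must be called after {@link #init()}, otherwise the URIs cannot be resolved against the
     * base URI of the scanned host.
     *
     * @param directories comma-separated directory names, e.g. {@code "/, /admin, @cgibin"}
     * @param files comma-separated file names, e.g. {@code "test.php, test.cgi"}
     * @throws NullPointerException if either argument is {@code null}
     */
    protected void addTest(String directories, String files) {
        Objects.requireNonNull(directories, "directories");
        Objects.requireNonNull(files, "files");

        String dirSpec = directories.trim();
        for (int i = 0; i < SPECIAL_TAG_LIST.length; i++) {
            // Literal replacement: neither the tags nor their expansions are regular expressions.
            dirSpec = dirSpec.replace(SPECIAL_TAG_LIST[i], TAG_REPLACE_LIST[i]);
        }

        try {
            String[] dirList = patternItems.split(dirSpec);
            String[] fileList = patternItems.split(files.trim());
            for (String rawDir : dirList) {
                // createURI() normalises the leading/separating slashes.
                String dir = rawDir.trim();
                for (String rawFile : fileList) {
                    String file = rawFile.trim();
                    try {
                        listURI.add(createURI(baseURI, dir, file));
                    } catch (URIException eu) {
                        logger.debug(
                                "Skipping invalid test path "
                                        + dir
                                        + " / "
                                        + file
                                        + ": "
                                        + eu.getMessage(),
                                eu);
                    }
                }
            }
        } catch (Exception e) {
            // e.g. baseURI still unset because init() has not run yet
            logger.error(e.getMessage(), e);
        }
    }

    /**
     * Builds a URI for {@code dir}/{@code file} relative to {@code base}.
     *
     * <p>A leading slash is prepended to {@code dir} when missing, and a separating slash is
     * inserted between the two parts unless one of them already provides it.
     *
     * @param base the URI the path is resolved against
     * @param dir directory part, with or without a leading slash
     * @param file file part, with or without a leading slash
     * @return the resolved URI
     * @throws URIException if the resulting path is not a valid URI
     */
    private static URI createURI(URI base, String dir, String file) throws URIException {
        String directory = dir.startsWith("/") ? dir : "/" + dir;
        String name = (!file.startsWith("/") && !directory.endsWith("/")) ? "/" + file : file;
        // The path is passed as already escaped (third argument): no further encoding is applied.
        return new URI(base, directory + name, true);
    }

    /** @return the base URI of the scanned host, or {@code null} before {@link #init()}. */
    public URI getBaseURI() {
        return baseURI;
    }

    /**
     * Returns the live list of URIs registered through {@link #addTest(String, String)}.
     *
     * @return the internal list; modifications are visible to {@link #scan()}
     */
    public Vector<URI> getListURI() {
        return listURI;
    }

    /** Captures the base URI of the host so that later {@link #addTest} calls can resolve paths. */
    @Override
    public void init() {
        baseURI = getBaseMsg().getRequestHeader().getURI();
    }

    /**
     * Requests every registered URI and raises an alert for each one that looks like an existing
     * file. Stops early when the scan is stopped; a failed request is logged and the remaining
     * URIs are still probed.
     */
    @Override
    public void scan() {
        Vector<URI> targets = getListURI();
        for (int i = 0; i < targets.size() && !isStop(); i++) {
            URI uri = targets.get(i);
            HttpMessage msg = getNewMsg();
            try {
                msg.getRequestHeader().setURI(uri);
                // Probe with an empty body; only the response is of interest.
                msg.getRequestBody().setLength(0);
                sendAndReceive(msg);
                if (isFileExist(msg)) {
                    // param, attack, otherInfo and evidence are left empty for this check.
                    bingo(
                            Alert.RISK_MEDIUM,
                            Alert.CONFIDENCE_LOW,
                            uri.toString(),
                            "",
                            "",
                            "",
                            "",
                            msg);
                }
            } catch (Exception e) {
                // Do not let one failed probe abort the scan, but do not hide it either.
                logger.warn("Failed to probe " + uri + ": " + e.getMessage(), e);
            }
        }
    }
}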