Merge pull request #32 from gdgd009xcd/JOHANNES240223
## [v0.8.8] - 2024-03-12
gdgd009xcd authored Mar 12, 2024
2 parents d012c60 + 3718ac7 commit 9ca1ffe
Showing 20 changed files with 1,285 additions and 128 deletions.
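--- a/README.md
+++ b/README.md
@@ -82,9 +82,10 @@ $
 ## how to use
 This is automatically called when you start active scannig after already installed default scanners.
 If you have any doubts whether this scanner is actually being called, you can import the [CustomScan.policy](CustomScan.policy) file. This policy forces the use of CustomScan when invoking active scan. using guide is follows:
-1) download [CustomScan.policy](CustomScan.policy)
-1) select menu [Analyse->Scan Policy Manager->import], and load CustomScan.policy file.
-2) when you start scan, select policy [Custom Scan].
+
+1) download [CustomScan.policy](CustomScan.policy)
+2) select menu [Analyse->Scan Policy Manager->import], and load CustomScan.policy file.
+3) when you start scan, select policy [Custom Scan].
 
 Information on how to use can be found at the following link: <BR>
 [Basic Usage](https://github.com/gdgd009xcd/CustomActiveScanForZAP/wiki/1.0.-Basic-Usage)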
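--- a/addOns/customactivescan/CHANGELOG.md
+++ b/addOns/customactivescan/CHANGELOG.md
@@ -2,6 +2,10 @@
 All notable changes to this add-on will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+## [v0.8.8] - 2024-03-12
+### Added
+- new feature: Supported URLEncoded(%XX) value within pattern for embeding binary data on the request. see [this](https://github.com/gdgd009xcd/CustomActiveScanForZAP/wiki/2.0.-CustomActiveScan-Main-Panel/#5-decode-urlencodedxx-value-check-box)
+
 ## [v0.8.7] - 2024-02-21
 ### Changed
 - bugfix: fixed an issue where deleting a row in the ScanRule table would cause an exception if the ComboBox had input focus.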
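--- a/addOns/customactivescan/customactivescan.gradle.kts
+++ b/addOns/customactivescan/customactivescan.gradle.kts
@@ -1,7 +1,7 @@
 import org.zaproxy.gradle.addon.AddOnStatus
 
 
-version = "0.8.7"
+version = "0.8.8"
 description = "a Active Scanner with custmizable rules"
 
 val jar by tasks.getting(Jar::class) {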

@@ -10,6 +10,7 @@
import org.zaproxy.zap.extension.customactivescan.view.InterfacePopUpAction;

import java.awt.*;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

@@ -63,6 +64,10 @@ private HttpMessageWithLCSResponse(HttpMessageWithLCSResponse message) {
super(message);
}

protected HttpMessageWithLCSResponse(HttpMessage httpMessage) {
super(httpMessage);
}

private void copyMembersToDest(HttpMessageWithLCSResponse dest) {
dest.lcsResponse = this.lcsResponse;
dest.originalAverageResponseSize = this.originalAverageResponseSize;
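Review bot: The new `protected HttpMessageWithLCSResponse(HttpMessage httpMessage)` constructor has no Javadoc and only calls `super(httpMessage)`, so `lcsResponse` and `originalAverageResponseSize` are left at whatever their field declarations give them (those declarations are outside the hunk). A one-line comment would tell subclasses what they receive, for example `/** Wraps a plain HttpMessage; the LCS-related fields are not populated here. */`. The added `import java.net.URI;` is not used in either visible hunk; if the unrendered part of the file does not need it, it should be dropped. The body of `copyMembersToDest` continues past the end of the hunk.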
@@ -0,0 +1,60 @@
package org.zaproxy.zap.extension.customactivescan;

public class ManipulateAction<T> {

/**
* Elements:<BR>
* the Sequence : the target sequence of manipulation<BR>
* the Key : the value for searching within the Sequence<BR>
* the Value(of Manipulation): the value for replacing the key within sequence<BR>
* the Output: the buffer for storing result of manipulation.<BR>
* Objective:<BR>
* search the Key within the Sequence and replace it with the Value.<BR>
* Steps:<BR>
* 1) get index of the Key within the Sequence by the foundKeyNext method.<BR>
* 2) replace the part of the Key in the Sequence with the Value by the manipulate method.<BR>
* 3) copy these results of manipulation in the Sequence to the Output.
*
* @param manipulator
* @return
*/
protected T manipulateAction(SequenceManipulator<T> manipulator) {
int startPos = 0;
int endPos = -1;
StartEndPosition position;
while((position = manipulator.foundKeyNext(startPos)) != null){
endPos = position.start;
if (startPos < endPos) {
T inputData = manipulator.getSubSequence(startPos, endPos);
manipulator.addToResultData(inputData);
}
manipulator.addToResultData(manipulator.manipulate(position.start, position.end));
startPos = position.end;
}
if (startPos < manipulator.length()) {
manipulator.addToResultData(manipulator.getSubSequence(startPos, manipulator.length()));
}
return manipulator.getResultData();
}

protected T manipulateActionUntil(SequenceManipulator<T> manipulator, int untilFoundCount) {
if (untilFoundCount<1) return manipulateAction(manipulator);
int startPos = 0;
int endPos = -1;
StartEndPosition position;
while((position = manipulator.foundKeyNext(startPos)) != null){
endPos = position.start;
if (startPos < endPos) {
T inputData = manipulator.getSubSequence(startPos, endPos);
manipulator.addToResultData(inputData);
}
manipulator.addToResultData(manipulator.manipulate(position.start, position.end));
startPos = position.end;
if(--untilFoundCount <= 0)break;
}
if (startPos < manipulator.length()) {
manipulator.addToResultData(manipulator.getSubSequence(startPos, manipulator.length()));
}
return manipulator.getResultData();
}
}
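Review bot: `manipulateActionUntil` repeats the whole search-copy-replace loop of `manipulateAction` and differs only in the `if(--untilFoundCount <= 0)break;` line, so a later fix to one copy can silently miss the other. Both entry points can forward to one private helper that takes a match limit, as sketched below. The Javadoc on `manipulateAction` leaves `@param manipulator` and `@return` empty and `manipulateActionUntil` has none; it should state that `untilFoundCount < 1` means no limit and that results are appended to the manipulator's output through `addToResultData`, never reset here. The initial `endPos = -1` is overwritten before it is ever read.

```java
protected T manipulateAction(SequenceManipulator<T> manipulator) {
    return replaceMatches(manipulator, Integer.MAX_VALUE);
}

protected T manipulateActionUntil(SequenceManipulator<T> manipulator, int untilFoundCount) {
    // a limit below 1 keeps its existing meaning: replace every match
    return replaceMatches(manipulator, untilFoundCount < 1 ? Integer.MAX_VALUE : untilFoundCount);
}

private T replaceMatches(SequenceManipulator<T> manipulator, int maxMatches) {
    int startPos = 0;
    StartEndPosition position;
    while (maxMatches-- > 0 && (position = manipulator.foundKeyNext(startPos)) != null) {
        // … unchanged: copy the gap before the match, append manipulate(...), advance startPos …
    }
    // … unchanged: copy the remaining tail and return getResultData() …
}
```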
@@ -0,0 +1,195 @@
package org.zaproxy.zap.extension.customactivescan;

import java.io.ByteArrayOutputStream;
import java.io.IOException;

/** @author gdgd009xcd */
//
// ByteArray
//
public class ParmGenBinUtil {

private ByteArrayOutputStream bstream = null;

public ParmGenBinUtil() {
bstream = new ByteArrayOutputStream();
}

public ParmGenBinUtil(byte[] bin) {
initParmGenBinUtil(bin);
}

public void initParmGenBinUtil(byte[] bin) {
bstream = new ByteArrayOutputStream();
concat(bin);
}

public int length() {
return bstream.size();
}

/**
* add byte array to bstream
*
* @param bin
* @return
*/
public boolean concat(byte[] bin) {

if ((bin == null)) {
return false;
}

try {
bstream.write(bin);
} catch (IOException e) {

return false;
}
return true;
}

public byte[] getBytes() {
if (bstream == null) {
return null;
}
return bstream.toByteArray();
}

/**
* get byte array between beginIndex and endIndex within bstream
* org[beginIndex] - org[endIndex-1] length = endIndex - beginIndex > 0
*
* @param beginIndex
* @param endIndex
* @return
*/
public byte[] subBytes(int beginIndex, int endIndex) {

int length = endIndex - beginIndex; // 戻り値配列の要素数
if (length > 0 && beginIndex >= 0 && length() >= endIndex) {
byte[] org = getBytes();
byte[] result = new byte[length];
System.arraycopy(org, beginIndex, result, 0, length);
return result;
}

return null;
}


/**
* get byte array from beginIndex until last.
*
* @param beginIndex
* @return
*/
public byte[] subBytes(int beginIndex) {
return subBytes(beginIndex, length());
}

/** indexOf */
@Deprecated
public int indexOfobsolete(byte[] dest, int startpos) {
int idx = -1;
byte[] seqbin = getBytes();
byte[] keybin = dest;

int endpos = seqbin.length - keybin.length + 1;

if (endpos > 0 && startpos < endpos) {
for (int i = startpos; i < endpos; i++) {
for (int j = 0; j < keybin.length; j++) {
// System.out.println(" i,j=" + i + "," + j);

if (seqbin[i + j] == keybin[j]) {
if (j == keybin.length - 1) {
idx = i;
// System.out.println(" result idx,i,j=" + idx+ "," + i + "," + j);
break;
}

} else {
break;
}
}
if (idx != -1) break;
}
}

return idx;
}

/**
* get index of first occurrence of dest sequence within this byte sequence
*
* @param dest
* @param startpos
* @return
*/
public int indexOf(byte[] dest, int startpos) {
byte[] seqbin = getBytes();
byte[] keybin = dest;

if (seqbin == null || keybin == null) return -1;

int seqLen = seqbin.length;
int keyLen = keybin.length;
int endpos = seqLen - keyLen + 1;

if (seqLen < 1 || keyLen < 1) return -1;

if (endpos > 0 && startpos < endpos) {
byte c = keybin[0];
int i = startpos;

if (keyLen == 1) {
return nextFirstBytePos(i, seqbin, c, keyLen);
} else {
while ((i = nextFirstBytePos(i, seqbin, c, keyLen)) != -1) {
int j;
for (j = 1; j < keyLen; j++) {
if (seqbin[i + j] != keybin[j]) {
break;
}
}
if (j == keyLen) {
return i;
}
i++;
}
}
}
return -1;
}

/** */
public int indexOf(byte[] dest) {
return indexOf(dest, 0);
}

public int indexOf(byte dest) {
byte[] b = {dest};
return indexOf(b, 0);
}

/** clear data */
public void clear() {
bstream.reset();
}

private int nextFirstBytePos(int start, byte[] src, byte c, int destLen) {
int srcLen = src.length;
int minLen = srcLen - destLen;
for(int i=start; i < srcLen; i++) {
if(src[i] == c ){
if(i <= minLen){
return i;
} else {
break;
}
}
}
return -1;
}
}
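Review bot: `indexOf(byte[] dest, int startpos)` accepts a negative `startpos`: the guard `startpos < endpos` passes, and `nextFirstBytePos` then reads `src[i]` at a negative index and throws `ArrayIndexOutOfBoundsException`. Clamping the way `String.indexOf` does, `if (startpos < 0) startpos = 0;` ahead of the guard, makes the search safe for any caller-supplied offset. Every `indexOf` and `subBytes` call also copies the whole buffer through `getBytes()`, so repeated searches over a large request or response body cost a full copy each time; holding the array until the next `concat` or `clear` would avoid that. The inline comment `// 戻り値配列の要素数` in `subBytes` could read `// number of elements in the returned array` to match the English Javadoc.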
@@ -0,0 +1,65 @@
package org.zaproxy.zap.extension.customactivescan;

import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PartialURLDecodeISO8859_1 extends ManipulateAction<String> {
SequenceManipulator<String> sequenceManipulator;

/**
* decode the part of the percent encoding(%XX) within the inputData<BR>
* the charset of decoding is ISO8859_1
* @param inputData
*/
public PartialURLDecodeISO8859_1(String inputData) {
sequenceManipulator = new SequenceManipulator<>() {
final int totalLen = inputData!=null?inputData.length():0;
final Pattern pattern = Pattern.compile("%[0-9a-zA-Z][0-9a-zA-Z]");
final StringBuffer outputData = new StringBuffer();
final Matcher matcher = pattern.matcher(inputData);


@Override
public int length() {
return totalLen;
}

@Override
public StartEndPosition foundKeyNext(int pos) {
if(matcher.find()) {
int startPos = matcher.start();
int endPos = matcher.end();
return new StartEndPosition(startPos, endPos);
}
return null;
}

@Override
public String getSubSequence(int startPos, int endPos) {
return inputData.substring(startPos, endPos);
}

@Override
public String manipulate(int startPos, int endPos) {
return URLDecoder.decode(inputData.substring(startPos, endPos), StandardCharsets.ISO_8859_1);
}

@Override
public void addToResultData(String data) {
outputData.append(data);
}

@Override
public String getResultData() {
return outputData.toString();
}

};
}

String action() {
return manipulateAction(sequenceManipulator);
}
}
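Review bot: The pattern `%[0-9a-zA-Z][0-9a-zA-Z]` in the anonymous `SequenceManipulator` also matches non-hex pairs such as `%zz`, and `manipulate` passes every match to `URLDecoder.decode`, which throws `IllegalArgumentException` on illegal hex digits, so a rule pattern holding a literal `%` followed by two letters aborts the decode instead of passing through unchanged. Restricting the match to hex digits, `Pattern.compile("%[0-9a-fA-F]{2}")`, leaves such text untouched. The same initializer guards `totalLen` against a null `inputData` but then calls `pattern.matcher(inputData)`, which throws `NullPointerException`; the constructor should either reject null explicitly or substitute `""`. `action()` is effectively single-use because `matcher` and `outputData` keep their state, so a second call appends to the first result rather than starting fresh, and the Javadoc should say so.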