From cc5f5cffd3cdc5ca93ba11f9a9b91a2d1e91d583 Mon Sep 17 00:00:00 2001
From: gdgd009xcd
Date: Fri, 2 Feb 2024 21:12:46 +0900
Subject: [PATCH] 24020201 MAXIMUS240128
### Changed
- bugfix: fixed bug in tracking token68 in Authorization bearer header(which used in OAuth2.0)
### Added
- improve: Added feature of tracking "Rails" csrf-token in meta tag
---
 addOns/automacrobuilder/CHANGELOG.md | 6 +
 .../automacrobuilder.gradle.kts | 2 +-
 .../extension/automacrobuilder/AppValue.java | 2 +
 .../automacrobuilder/ParmGenParser.java | 125 +++++++++++-------
 .../automacrobuilder/ParmGenRequestToken.java | 2 +-
 .../ParmGenResTokenCollections.java | 5 +
 .../automacrobuilder/ParmGenTokenKey.java | 2 +-
 .../automacrobuilder/ParseHTTPHeaders.java | 117 +++------------
 .../generated/MacroBuilderUI.java | 23 +++-
 .../generated/ParmGenAutoTrack.java | 4 +-
 .../generated/ParmGenTokenJDialog.java | 2 +-
 11 files changed, 127 insertions(+), 163 deletions(-)
diff --git a/addOns/automacrobuilder/CHANGELOG.md b/addOns/automacrobuilder/CHANGELOG.md
index 31c0614..ba0875b 100644
--- a/addOns/automacrobuilder/CHANGELOG.md
+++ b/addOns/automacrobuilder/CHANGELOG.md
@@ -2,6 +2,12 @@
 All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+## [v1.1.16] - 2024-02-02
+### Changed
+- bugfix: fixed bug in tracking token68 in Authorization bearer header(which used in OAuth2.0)
+### Added
+- improve: Added feature of tracking "Rails" csrf-token in meta tag
+
 ## [v1.1.15] - 2024-01-24
 ### Changed
 - bugfix: fixed bug in related to misuse of displaying icons in StyledDocument
diff --git a/addOns/automacrobuilder/automacrobuilder.gradle.kts b/addOns/automacrobuilder/automacrobuilder.gradle.kts
index 5b2da3b..43a28b6 100644
--- a/addOns/automacrobuilder/automacrobuilder.gradle.kts
+++ b/addOns/automacrobuilder/automacrobuilder.gradle.kts
@@ -1,6 +1,6 @@
 import org.zaproxy.gradle.addon.AddOnStatus
-version = "1.1.15"
+version = "1.1.16"
 description = "AutoMacroBuilder for ZAP"
 tasks.withType {
diff --git a/addOns/automacrobuilder/src/main/java/org/zaproxy/zap/extension/automacrobuilder/AppValue.java b/addOns/automacrobuilder/src/main/java/org/zaproxy/zap/extension/automacrobuilder/AppValue.java
index 116df47..24805e6 100644
--- a/addOns/automacrobuilder/src/main/java/org/zaproxy/zap/extension/automacrobuilder/AppValue.java
+++ b/addOns/automacrobuilder/src/main/java/org/zaproxy/zap/extension/automacrobuilder/AppValue.java
@@ -86,6 +86,8 @@ public enum TokenTypeNames {
 TEXTAREA,
 JSON,
 ACTION,
+ META,
+
 };
 private boolean urlencode; // Whether to encode URL
diff --git a/addOns/automacrobuilder/src/main/java/org/zaproxy/zap/extension/automacrobuilder/ParmGenParser.java b/addOns/automacrobuilder/src/main/java/org/zaproxy/zap/extension/automacrobuilder/ParmGenParser.java
index 12bf7ff..35e1d82 100644
--- a/addOns/automacrobuilder/src/main/java/org/zaproxy/zap/extension/automacrobuilder/ParmGenParser.java
+++ b/addOns/automacrobuilder/src/main/java/org/zaproxy/zap/extension/automacrobuilder/ParmGenParser.java
@@ -22,8 +22,6 @@
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.logging.Level;
-import java.util.logging.Logger;
 import org.jsoup.Jsoup;
 import org.jsoup.nodes.Document;
 import org.jsoup.nodes.Element;
@@ -31,12 +29,18 @@
 /** @author tms783 */
 public class ParmGenParser implements DeepClone {
+
+ final private static org.apache.logging.log4j.Logger LOGGER4J =
+ org.apache.logging.log4j.LogManager.getLogger(); // get the factory
 String htmltext;
 Document doc;
 Elements elems;
 Map map;
 Map defmap; // T_DEFAULT
+ // target tags: input|A|HREF|META
+ // private static String tagSelector = "input,a[href],form[action],textarea,meta";
+ private static String tagSelector = "[name],a[href],form[action]";
 private void init() {
 htmltext = null;
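Review bot: `tagSelector` in ParmGenParser is declared `private static String`, a mutable class-level field for what is a fixed CSS query; make it `private static final String TAG_SELECTOR = "[name],a[href],form[action]";` (and order the logger's modifiers as `private static final` rather than `final private static`). The comment `// target tags: input|A|HREF|META` also understates the new selector: `[name]` is a CSS attribute selector that matches every element carrying a `name` attribute, not only input and meta tags, so `select`, `button`, `iframe` and similar elements presumably now reach `getParmGenTokens` too, while `input` elements without a `name` no longer do; a comment such as `// [name] = any element with a name attribute (input, textarea, meta, ...), plus links and forms` would state the actual contract. The commented-out previous selector is dead code and can be dropped, since version control keeps the history.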
@@ -46,7 +50,7 @@ private void init() {
 defmap = null;
 }
- // tokenらしき値を自動引継ぎ
+ // tracking token parser
 public ParmGenParser(String htmltext) {
 setup(htmltext);
 }
@@ -59,60 +63,62 @@ private void setup(String htmltext) { Elements elems = null; try { - doc = Jsoup.parse(htmltext); // パース実行 + doc = Jsoup.parse(htmltext); // elems = // doc.select("input[type=hidden],input[type=text],input[type=tel],input[type=url], // input[type=email], - // input[type=search],input[type=number],input[type=email],a[href],form[action],textarea");//name属性を持つHIDDENタグ全部、A HREFタグ - elems = doc.select("input,a[href],form[action],textarea"); // input、A HREFタグ - // elemsprint(htmltext); + // input[type=search],input[type=number],input[type=email],a[href],form[action],textarea");//tag which has name attributes, href , form, textarea + elems = doc.select(tagSelector); + } catch (Exception e) { // TODO Auto-generated catch block - EnvironmentVariables.plog.printException(e); + LOGGER4J.error(e.getMessage(), e); doc = null; elems = null; } this.doc = doc; this.elems = elems; + //elemsprint(); } - void elemsprint(String _t) { + void elemsprint() { for (Element vtag : elems) { String n = vtag.attr("name"); String v = vtag.attr("value"); String h = vtag.attr("href"); - if (vtag.tagName().toLowerCase().indexOf("input") != -1) { // "); - } else if (vtag.tagName().toLowerCase().indexOf("a") != -1) { // "); + } else if (vtag.tagName().toLowerCase().equals("a")) { // "); + + } else if (vtag.tagName().toLowerCase().equals("meta")) { + LOGGER4J.debug((ParmGenUtil.isTokenValue(content) ? 
"Token":"") + "<" + vtag.tagName() + " name=\"" + n + "\" content=\"" + content + "\">"); } else { - EnvironmentVariables.plog.AppendPrint("<" + vtag.tagName() + "\">"); + LOGGER4J.debug("<" + vtag.tagName() + "\">"); } } } - public ArrayList getParmGenTokens( + private ArrayList getParmGenTokens( Element vtag, HashMap namepos) { String[] nv = null; ParmGenToken tk = null; ArrayList tklist = new ArrayList(); - if (vtag.tagName().toLowerCase().indexOf("input") != -1) { // getParmGenTokens( tk = new ParmGenToken(ttype, "", n, v, false, npos); tklist.add(tk); } - } else if (vtag.tagName().toLowerCase().equals("a")) { // getParmGenTokens( value = nvp[1]; if (name != null && name.length() > 0 && value != null) { - // 重複nameの検査 + // count if same name is exist int npos = 0; if (namepos.containsKey(name)) { npos = namepos.get(name); @@ -163,9 +188,9 @@ public ArrayList getParmGenTokens( } } } - } else if (vtag.tagName().toLowerCase().indexOf("form") != -1) { // getParmGenTokens( value = nvp[1]; if (name != null && name.length() > 0 && value != null) { - // 重複nameの検査 + // count if same name is exist int npos = 0; if (namepos.containsKey(name)) { npos = namepos.get(name); @@ -198,21 +223,16 @@ public ArrayList getParmGenTokens( } } } - } else if (vtag.tagName().toLowerCase().indexOf("textarea") != -1) { //
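Review bot: The catch block in `setup` sets `elems = null` after logging, but the renamed `elemsprint()` still begins with `for (Element vtag : elems)` and has no null guard, so the commented-out `//elemsprint();` call added below `this.elems = elems;` would throw a NullPointerException on exactly the failure path the catch handles if it is ever re-enabled; add `if (elems == null) { return; }` as the first statement of `elemsprint()`. The `// TODO Auto-generated catch block` comment now sits above a real handler (`LOGGER4J.error(e.getMessage(), e)`) and should be removed. Note also that the new meta branch logs the tag's `content` value verbatim at debug level (prefixed with "Token" when `ParmGenUtil.isTokenValue` flags it), so enabling that call would copy CSRF and similar token values into the log file; logging the tag name and the value's length is enough for debugging. `setup`'s signature is on the hunk header, so the method begins outside the hunk, and the tail of this hunk is garbled in this rendering, so its remaining lines could not be checked.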