skipped 1 lines 2 2 # -*- coding: utf-8 -*- 3 3 4 4 import sys 5 + reload(sys) 6 + 7 + sys.setdefaultencoding('utf8') 5 8 sys.path.append("..") 6 9 7 - from helpers.http import getCookieFromMessage , isStatusCodesReturned, makeMessage, makeRequest, getResponseContentLength, IHttpRequestResponseImplementation 10 + from helpers.http import get_authorization_header_from_message , get_cookie_header_from_message , isStatusCodesReturned, makeMessage, makeRequest, getResponseContentLength, IHttpRequestResponseImplementation 8 11 from gui.table import LogEntry, UpdateTableEDT 9 12 from javax.swing import SwingUtilities 10 13 from java.net import URL skipped 12 lines 23 26 return True 24 27 return False 25 28 26 - def handle_cookies_feature(self, messageInfo): 27 - cookies = getCookieFromMessage (self, messageInfo) 29 + def capture_last_cookie_header(self, messageInfo): 30 + cookies = get_cookie_header_from_message (self, messageInfo) 28 31 if cookies: 29 - self.lastCookies = cookies 30 - self.fetchButton .setEnabled(True) 32 + self.lastCookiesHeader = cookies 33 + self.fetchCookiesHeaderButton .setEnabled(True) 31 34 32 - def isToolValid(self, toolFlag): 35 + def capture_last_authorization_header(self, messageInfo): 36 + authorization = get_authorization_header_from_message(self, messageInfo) 37 + if authorization: 38 + self.lastAuthorizationHeader = authorization 39 + self.fetchAuthorizationHeaderButton.setEnabled(True) 40 + 41 + 42 + def valid_tool(self, toolFlag): 33 43 return (toolFlag == self._callbacks.TOOL_PROXY or 34 - (toolFlag == self._callbacks.TOOL_REPEATER and 35 - self.interceptRequestsfromRepeater.isSelected())) 44 + (toolFlag == self._callbacks.TOOL_REPEATER and 45 + self.interceptRequestsfromRepeater.isSelected()))36 46 37 47 def handle_304_status_code_prevention(self, messageIsRequest, messageInfo): 38 48 should_prevent = False skipped 19 lines 58 68 59 69 def message_passed_interception_filters(self, messageInfo): 60 70 urlString = 
str(self._helpers.analyzeRequest(messageInfo).getUrl()) 71 + reqInfo = self._helpers.analyzeRequest(messageInfo) 72 + reqBodyBytes = messageInfo.getRequest()[reqInfo.getBodyOffset():] 73 + bodyStr = self._helpers.bytesToString(reqBodyBytes) 74 + 75 + resInfo = self._helpers.analyzeResponse(messageInfo.getResponse()) 76 + resBodyBytes = messageInfo.getResponse()[resInfo.getBodyOffset():] 77 + resStr = self._helpers.bytesToString(resBodyBytes) 78 + 61 79 message_passed_filters = True 62 80 for i in range(0, self.IFList.getModel().getSize()): 63 81 if self.IFList.getModel().getElementAt(i).split(":")[0] == "Scope items only": skipped 19 lines 83 101 if not re.search(regex_string, urlString, re.IGNORECASE) is None: 84 102 message_passed_filters = False 85 103 86 - if self.IFList.getModel().getElementAt(i).split(":")[0] == "URL Not Contains (regex )": 87 - regex_string = self.IFList.getModel().getElementAt(i)[26 :] 88 - if not re.search(regex_string, urlString, re.IGNORECASE) is None: 104 + if self.IFList.getModel().getElementAt(i).split(":")[0] == "Request Body contains (simple string )": 105 + if self.IFList.getModel().getElementAt(i)[40 :] not in bodyStr : 106 + message_passed_filters = False 107 + 108 + if self.IFList.getModel().getElementAt(i).split(":")[0] == "Request Body contains (regex)": 109 + regex_string = self.IFList.getModel().getElementAt(i)[32:] 110 + if re.search(regex_string, bodyStr, re.IGNORECASE) is None: 111 + message_passed_filters = False 112 + 113 + if self.IFList.getModel().getElementAt(i).split(":")[0] == "Request Body NOT contains (simple string)": 114 + if self.IFList.getModel().getElementAt(i)[44:] in bodyStr: 115 + message_passed_filters = False 116 + 117 + if self.IFList.getModel().getElementAt(i).split(":")[0] == "Request Body Not contains (regex)": 118 + regex_string = self.IFList.getModel().getElementAt(i)[36:] 119 + if not re.search(regex_string, bodyStr, re.IGNORECASE) is None: 120 + message_passed_filters = False 121 + 122 + if 
self.IFList.getModel().getElementAt(i).split(":")[0] == "Response Body contains (simple string)": 123 + if self.IFList.getModel().getElementAt(i)[41:] not in resStr: 124 + message_passed_filters = False 125 + 126 + if self.IFList.getModel().getElementAt(i).split(":")[0] == "Response Body contains (regex)": 127 + regex_string = self.IFList.getModel().getElementAt(i)[33:] 128 + if re.search(regex_string, resStr, re.IGNORECASE) is None: 129 + message_passed_filters = False 130 + 131 + if self.IFList.getModel().getElementAt(i).split(":")[0] == "Response Body NOT contains (simple string)": 132 + if self.IFList.getModel().getElementAt(i)[45:] in resStr: 133 + message_passed_filters = False 134 + 135 + if self.IFList.getModel().getElementAt(i).split(":")[0] == "Response Body Not contains (regex)": 136 + regex_string = self.IFList.getModel().getElementAt(i)[37:] 137 + if not re.search(regex_string, resStr, re.IGNORECASE) is None: 89 138 message_passed_filters = False 90 139 91 140 if self.IFList.getModel().getElementAt(i).split(":")[0] == "Only HTTP methods (newline separated)": skipped 16 lines 108 157 if tool_needs_to_be_ignored(self, toolFlag): 109 158 return 110 159 111 - handle_cookies_feature(self, messageInfo) 160 + capture_last_cookie_header(self, messageInfo) 161 + capture_last_authorization_header(self, messageInfo) 112 162 113 - if self.intercept and isToolValid (self, toolFlag): 163 + if ( self.intercept and valid_tool (self, toolFlag) or toolFlag = = " AUTORIZE " ): 114 164 handle_304_status_code_prevention(self, messageIsRequest, messageInfo) 115 165 116 166 if not messageIsRequest: skipped 10 lines 127 177 if message_passed_interception_filters(self, messageInfo): 128 178 checkAuthorization(self, messageInfo,self._helpers.analyzeResponse(messageInfo.getResponse()).getHeaders(),self.doUnauthorizedRequest.isSelected()) 129 179 130 - def sendRequestToAutorizeWork(self, messageInfo): 180 + def send_request_to_autorize(self, messageInfo): 131 181 if 
messageInfo.getResponse() is None: 132 182 message = makeMessage(self, messageInfo,False,False) 133 183 requestResponse = makeRequest(self, messageInfo, message) skipped 19 lines 153 203 154 204 response = requestResponse.getResponse() 155 205 for filter in filters: 156 - if str(filter).startswith("Status code equals: "): 206 + filter = self._helpers.bytesToString(bytes(filter)) 207 + if filter.startswith("Status code equals: "): 157 208 statusCode = filter[20:] 158 209 if andEnforcementCheck: 159 210 if auth_enforced and not isStatusCodesReturned(self, requestResponse, statusCode): skipped 2 lines 162 213 if not auth_enforced and isStatusCodesReturned(self, requestResponse, statusCode): 163 214 auth_enforced = True 164 215 165 - if str ( filter) .startswith("Headers (simple string): "): 216 + if filter.startswith("Headers (simple string): "): 166 217 if andEnforcementCheck: 167 218 if auth_enforced and not filter[25:] in self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()]): 168 219 auth_enforced = False skipped 1 lines 170 221 if not auth_enforced and filter[25:] in self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()]): 171 222 auth_enforced = True 172 223 173 - if str ( filter) .startswith("Headers (regex): "): 224 + if filter.startswith("Headers (regex): "): 174 225 regex_string = filter[17:] 175 226 p = re.compile(regex_string, re.IGNORECASE) 176 227 if andEnforcementCheck: skipped 3 lines 180 231 if not auth_enforced and p.search(self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()])): 181 232 auth_enforced = True 182 233 183 - if str ( filter) .startswith("Body (simple string): "): 234 + if filter.startswith("Body (simple string): "): 184 235 if andEnforcementCheck: 185 236 if auth_enforced and not filter[22:] in self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():]): 186 237 auth_enforced = False 
skipped 1 lines 188 239 if not auth_enforced and filter[22:] in self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():]): 189 240 auth_enforced = True 190 241 191 - if str ( filter) .startswith("Body (regex): "): 242 + if filter.startswith("Body (regex): "): 192 243 regex_string = filter[14:] 193 244 p = re.compile(regex_string, re.IGNORECASE) 194 245 if andEnforcementCheck: skipped 3 lines 198 249 if not auth_enforced and p.search(self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():])): 199 250 auth_enforced = True 200 251 201 - if str ( filter) .startswith("Full response (simple string): "): 252 + if filter.startswith("Full response (simple string): "): 202 253 if andEnforcementCheck: 203 254 if auth_enforced and not filter[31:] in self._helpers.bytesToString(requestResponse.getResponse()): 204 255 auth_enforced = False skipped 1 lines 206 257 if not auth_enforced and filter[31:] in self._helpers.bytesToString(requestResponse.getResponse()): 207 258 auth_enforced = True 208 259 209 - if str ( filter) .startswith("Full response (regex): "): 260 + if filter.startswith("Full response (regex): "): 210 261 regex_string = filter[23:] 211 262 p = re.compile(regex_string, re.IGNORECASE) 212 263 if andEnforcementCheck: skipped 3 lines 216 267 if not auth_enforced and p.search(self._helpers.bytesToString(requestResponse.getResponse())): 217 268 auth_enforced = True 218 269 219 - if str ( filter) .startswith("Full response length: "): 270 + if filter.startswith("Full response length: "): 220 271 if andEnforcementCheck: 221 272 if auth_enforced and not str(len(response)) == filter[22:].strip(): 222 273 auth_enforced = False skipped 4 lines 227 278 228 279 def checkBypass(self, oldStatusCode, newStatusCode, oldContentLen, 229 280 newContentLen, filters, requestResponse, andOrEnforcement): 230 - 231 281 if oldStatusCode == newStatusCode: 232 - if oldContentLen == newContentLen: 233 - return 
self.BYPASSSED_STR 234 - # If no enforcement detectors are set and the HTTP response is the same, the impression is yellow 235 282 auth_enforced = 0 236 - 237 283 if len(filters) > 0: 238 284 auth_enforced = auth_enforced_via_enforcement_detectors(self, filters, requestResponse, andOrEnforcement) 239 - 240 285 if auth_enforced: 241 286 return self.ENFORCED_STR 287 + elif oldContentLen == newContentLen: 288 + return self.BYPASSSED_STR 242 289 else: 243 290 return self.IS_ENFORCED_STR 244 - 245 291 else: 246 292 return self.ENFORCED_STR 247 293 skipped 40 lines 288 334 self.currentRequestNumber = self.currentRequestNumber + 1 289 335 self._lock.release() 290 336 337 + def checkAuthorizationV2(self, messageInfo): 338 + checkAuthorization(self, messageInfo, self._extender._helpers.analyzeResponse(messageInfo.getResponse()).getHeaders(), self._extender.doUnauthorizedRequest.isSelected()) 291 339 340 + def retestAllRequests(self): 341 + for i in range(self.tableModel.getRowCount()): 342 + logEntry = self._log.get(self.logTable.convertRowIndexToModel(i)) 343 + handle_message(self, "AUTORIZE", False, logEntry._originalrequestResponse)
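Review bot: The new request/response body branches in message_passed_interception_filters slice the list entry at hand-counted offsets (`[40:]`, `[32:]`, `[44:]`, `[36:]`, `[41:]`, `[33:]`, `[45:]`, `[37:]`) that are each the label length plus 3, whereas the `URL Not Contains (regex)` branch shown as removed used `[26:]`, the label length plus 2 for the `": "` separator. Unless the GUI builds these entries with a longer separator, which is not visible on this page, the first character of every body pattern is dropped and the filter silently matches a different string, so messages can be wrongly included in or excluded from authorization testing. Deriving the value from the entry removes the constants, e.g. `entry = self.IFList.getModel().getElementAt(i)` followed by `kind, _, value = entry.partition(": ")`. The same function now calls `self._helpers.analyzeResponse(messageInfo.getResponse())` and decodes both bodies for every message before any filter is read; a guard for a `None` response, and decoding only when a body filter is configured, would be worth adding if callers can reach this without a response. The function's body starts and ends in lines the page skips, so the surrounding branches were not reviewed.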