STRLCPY/autorize

Merge branch 'Quitten:master' into Send_to_repeater
Eric Harris committed with GitHub 1 year ago

2284cc2b

2 parents
f01b0602
49ed62a1

■ ■ ■ ■ ■ ■

BappManifest.bmf

		skipped 5 lines
6	6		SerialVersion: 18
7	7		MinPlatformVersion: 0
8	8		ProOnly: False
9		-	Author: Barak Tawily
	9	+	Author: Barak Tawily, AppSec Labs
10	10		ShortDescription: Automatically detects authorization enforcement.
11	11		EntryPoint: Autorize.py
12	12		BuildCommand:
		skipped 1 lines

■ ■ ■ ■ ■ ■

README.md

		skipped 51 lines
52	52
53	53
54	54		# Authors
55		-	- Barak Tawily, CTO @ [enso.security](https://enso.security/) by day, [Application Security Researcher](https://quitten.github.io/) by night
	55	+	- Barak Tawily, CTO @ [enso.security](https://enso.security/) by day, [Application Security Researcher](https://quitten.github.io/) by night, former Application Security Consultant @ [AppSec Labs](https://appsec-labs.com/)
56	56

■ ■ ■ ■ ■ ■

authorization/authorization.py

		skipped 9 lines
10	10
11	11		sys.path.append("..")
12	12
13		-	from helpers.http import get_authorization_header_from_message, get_cookie_header_from_message, isStatusCodesReturned, makeMessage, makeRequest, getResponseContentLength, IHttpRequestResponseImplementation
	13	+	from helpers.http import get_authorization_header_from_message, get_cookie_header_from_message, isStatusCodesReturned, makeMessage, makeRequest, getResponseBody, IHttpRequestResponseImplementation
14	14		from gui.table import LogEntry, UpdateTableEDT
15	15		from javax.swing import SwingUtilities
16	16		from java.net import URL
		skipped 202 lines
219	219		andEnforcementCheck = False
220	220		auth_enforced = False
221	221
222		-	response = requestResponse.getResponse()
223	222		for filter in filters:
224	223		filter = self._helpers.bytesToString(bytes(filter))
	224	+	inverse = "NOT" in filter
	225	+	filter = filter.replace(" NOT", "")
	226	+
225	227		if filter.startswith("Status code equals: "):
226	228		statusCode = filter[20:]
227		-	if andEnforcementCheck:
228		-	if auth_enforced and not isStatusCodesReturned(self, requestResponse, statusCode):
229		-	auth_enforced = False
230		-	else:
231		-	if not auth_enforced and isStatusCodesReturned(self, requestResponse, statusCode):
232		-	auth_enforced = True
	229	+	filterMatched = inverse ^ isStatusCodesReturned(self, requestResponse, statusCode)
233	230
234		-	if filter.startswith("Headers (simple string): "):
235		-	if andEnforcementCheck:
236		-	if auth_enforced and not filter[25:] in self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()]):
237		-	auth_enforced = False
238		-	else:
239		-	if not auth_enforced and filter[25:] in self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()]):
240		-	auth_enforced = True
	231	+	elif filter.startswith("Headers (simple string): "):
	232	+	filterMatched = inverse ^ (filter[25:] in self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()]))
241	233
242		-	if filter.startswith("Headers (regex): "):
	234	+	elif filter.startswith("Headers (regex): "):
243	235		regex_string = filter[17:]
244	236		p = re.compile(regex_string, re.IGNORECASE)
245		-	if andEnforcementCheck:
246		-	if auth_enforced and not p.search(self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()])):
247		-	auth_enforced = False
248		-	else:
249		-	if not auth_enforced and p.search(self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()])):
250		-	auth_enforced = True
	237	+	filterMatched = inverse ^ bool(p.search(self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()])))
251	238
252		-	if filter.startswith("Body (simple string): "):
253		-	if andEnforcementCheck:
254		-	if auth_enforced and not filter[22:] in self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():]):
255		-	auth_enforced = False
256		-	else:
257		-	if not auth_enforced and filter[22:] in self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():]):
258		-	auth_enforced = True
	239	+	elif filter.startswith("Body (simple string): "):
	240	+	filterMatched = inverse ^ (filter[22:] in self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():]))
259	241
260		-	if filter.startswith("Body (regex): "):
	242	+	elif filter.startswith("Body (regex): "):
261	243		regex_string = filter[14:]
262	244		p = re.compile(regex_string, re.IGNORECASE)
263		-	if andEnforcementCheck:
264		-	if auth_enforced and not p.search(self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():])):
265		-	auth_enforced = False
266		-	else:
267		-	if not auth_enforced and p.search(self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():])):
268		-	auth_enforced = True
	245	+	filterMatched = inverse ^ bool(p.search(self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():])))
269	246
270		-	if filter.startswith("Full response (simple string): "):
271		-	if andEnforcementCheck:
272		-	if auth_enforced and not filter[31:] in self._helpers.bytesToString(requestResponse.getResponse()):
273		-	auth_enforced = False
274		-	else:
275		-	if not auth_enforced and filter[31:] in self._helpers.bytesToString(requestResponse.getResponse()):
276		-	auth_enforced = True
	247	+	elif filter.startswith("Full response (simple string): "):
	248	+	filterMatched = inverse ^ (filter[31:] in self._helpers.bytesToString(requestResponse.getResponse()))
277	249
278		-	if filter.startswith("Full response (regex): "):
	250	+	elif filter.startswith("Full response (regex): "):
279	251		regex_string = filter[23:]
280	252		p = re.compile(regex_string, re.IGNORECASE)
281		-	if andEnforcementCheck:
282		-	if auth_enforced and not p.search(self._helpers.bytesToString(requestResponse.getResponse())):
283		-	auth_enforced = False
284		-	else:
285		-	if not auth_enforced and p.search(self._helpers.bytesToString(requestResponse.getResponse())):
286		-	auth_enforced = True
	253	+	filterMatched = inverse ^ bool(p.search(self._helpers.bytesToString(requestResponse.getResponse())))
287	254
288		-	if filter.startswith("Full response length: "):
289		-	if andEnforcementCheck:
290		-	if auth_enforced and not str(len(response)) == filter[22:].strip():
291		-	auth_enforced = False
292		-	else:
293		-	if not auth_enforced and str(len(response)) == filter[22:].strip():
294		-	auth_enforced = True
295		-	return auth_enforced
	255	+	elif filter.startswith("Full response length: "):
	256	+	filterMatched = inverse ^ (str(len(response)) == filter[22:].strip())
	257	+
	258	+	if andEnforcementCheck:
	259	+	if auth_enforced and not filterMatched:
	260	+	auth_enforced = False
	261	+	else:
	262	+	if not auth_enforced and filterMatched:
	263	+	auth_enforced = True
	264	+
	265	+	return auth_enforced
296	266
297		-	def checkBypass(self, oldStatusCode, newStatusCode, oldContentLen,
298		-	newContentLen, filters, requestResponse, andOrEnforcement):
	267	+	def checkBypass(self, oldStatusCode, newStatusCode, oldContent,
	268	+	newContent, filters, requestResponse, andOrEnforcement):
299	269		if oldStatusCode == newStatusCode:
300	270		auth_enforced = 0
301	271		if len(filters) > 0:
302	272		auth_enforced = auth_enforced_via_enforcement_detectors(self, filters, requestResponse, andOrEnforcement)
303	273		if auth_enforced:
304	274		return self.ENFORCED_STR
305		-	elif oldContentLen == newContentLen:
	275	+	elif oldContent == newContent:
306	276		return self.BYPASSSED_STR
307	277		else:
308	278		return self.IS_ENFORCED_STR
		skipped 1 lines
310	280		return self.ENFORCED_STR
311	281
312	282		def checkAuthorization(self, messageInfo, originalHeaders, checkUnauthorized):
313		-	oldResponse = messageInfo.getResponse()
314	283		message = makeMessage(self, messageInfo, True, True)
315	284		requestResponse = makeRequest(self, messageInfo, message)
316	285		newResponse = requestResponse.getResponse()
		skipped 1 lines
318	287
319	288		oldStatusCode = originalHeaders[0]
320	289		newStatusCode = analyzedResponse.getHeaders()[0]
321		-	oldContentLen = getResponseContentLength(self, oldResponse)
322		-	newContentLen = getResponseContentLength(self, newResponse)
	290	+	oldContent = getResponseBody(self, messageInfo)
	291	+	newContent = getResponseBody(self, requestResponse)
323	292
324	293		# Check unauthorized request
325	294		if checkUnauthorized:
		skipped 2 lines
328	297		unauthorizedResponse = requestResponseUnauthorized.getResponse()
329	298		analyzedResponseUnauthorized = self._helpers.analyzeResponse(unauthorizedResponse)
330	299		statusCodeUnauthorized = analyzedResponseUnauthorized.getHeaders()[0]
331		-	contentLenUnauthorized = getResponseContentLength(self, unauthorizedResponse)
	300	+	contentUnauthorized = getResponseBody(self, requestResponseUnauthorized)
332	301
333	302		EDFilters = self.EDModel.toArray()
334	303
335		-	impression = checkBypass(self, oldStatusCode,newStatusCode,oldContentLen,newContentLen,EDFilters,requestResponse,self.AndOrType.getSelectedItem())
	304	+	impression = checkBypass(self, oldStatusCode, newStatusCode, oldContent, newContent, EDFilters, requestResponse, self.AndOrType.getSelectedItem())
336	305
337	306		if checkUnauthorized:
338	307		EDFiltersUnauth = self.EDModelUnauth.toArray()
339		-	impressionUnauthorized = checkBypass(self, oldStatusCode,statusCodeUnauthorized,oldContentLen,contentLenUnauthorized,EDFiltersUnauth,requestResponseUnauthorized,self.AndOrTypeUnauth.getSelectedItem())
	308	+	impressionUnauthorized = checkBypass(self, oldStatusCode, statusCodeUnauthorized, oldContent, contentUnauthorized, EDFiltersUnauth, requestResponseUnauthorized, self.AndOrTypeUnauth.getSelectedItem())
340	309
341	310		self._lock.acquire()
342	311
		skipped 13 lines
356	325		checkAuthorization(self, messageInfo, self._extender._helpers.analyzeResponse(messageInfo.getResponse()).getHeaders(), self._extender.doUnauthorizedRequest.isSelected())
357	326
358	327		def retestAllRequests(self):
	328	+	self.logTable.setAutoCreateRowSorter(True)
359	329		for i in range(self.tableModel.getRowCount()):
360	330		logEntry = self._log.get(self.logTable.convertRowIndexToModel(i))
361	331		handle_message(self, "AUTORIZE", False, logEntry._originalrequestResponse)
	332	+

■ ■ ■ ■ ■ ■

gui/enforcement_detector.py

		skipped 34 lines
35	35		EDLabelList = JLabel("Filter List:")
36	36		EDLabelList.setBounds(10, 165, 140, 30)
37	37
38		-	EDStrings = ["Headers (simple string): (enforced message headers contains)",
39		-	"Headers (regex): (enforced message headers contains)",
40		-	"Body (simple string): (enforced message body contains)",
41		-	"Body (regex): (enforced message body contains)",
42		-	"Full response (simple string): (enforced message contains)",
43		-	"Full response (regex): (enforced message contains)",
44		-	"Full response length: (of enforced response)",
45		-	"Status code equals: (numbers only)"]
	38	+	EDStrings = [
	39	+	"Headers (simple string): (enforced message headers contain)",
	40	+	"Headers NOT (simple string): (enforced message headers NOT contain)",
	41	+	"Headers (regex): (enforced message headers contain)",
	42	+	"Headers NOT (regex): (enforced message headers NOT contain)",
	43	+	"Body (simple string): (enforced message body contains)",
	44	+	"Body NOT (simple string): (enforced message body NOT contains)",
	45	+	"Body (regex): (enforced message body contains)",
	46	+	"Body NOT (regex): (enforced message body NOT contains)",
	47	+	"Full response (simple string): (enforced message contains)",
	48	+	"Full response NOT (simple string): (enforced message NOT contains)",
	49	+	"Full response (regex): (enforced message contains)",
	50	+	"Full response NOT (regex): (enforced message NOT contains)",
	51	+	"Full response length: (of enforced response)",
	52	+	"Full response NOT length: (of enforced response)",
	53	+	"Status code equals: (numbers only)",
	54	+	"Status code NOT equals: (numbers only)"
	55	+	]
46	56		self._extender.EDType = JComboBox(EDStrings)
47	57		self._extender.EDType.setBounds(80, 10, 430, 30)
48	58
		skipped 50 lines
99	109		EDLabelList = JLabel("Filter List:")
100	110		EDLabelList.setBounds(10, 165, 140, 30)
101	111
102		-	EDStrings = ["Headers (simple string): (enforced message headers contains)",
103		-	"Headers (regex): (enforced message headers contains)",
104		-	"Body (simple string): (enforced message body contains)",
105		-	"Body (regex): (enforced message body contains)",
106		-	"Full response (simple string): (enforced message contains)",
107		-	"Full response (regex): (enforced message contains)",
108		-	"Full response length: (of enforced response)",
109		-	"Status code equals: (numbers only)"]
	112	+	EDStrings = [
	113	+	"Headers (simple string): (enforced message headers contain)",
	114	+	"Headers NOT (simple string): (enforced message headers NOT contain)",
	115	+	"Headers (regex): (enforced message headers contain)",
	116	+	"Headers NOT (regex): (enforced message headers NOT contain)",
	117	+	"Body (simple string): (enforced message body contains)",
	118	+	"Body NOT (simple string): (enforced message body NOT contains)",
	119	+	"Body (regex): (enforced message body contains)",
	120	+	"Body NOT (regex): (enforced message body NOT contains)",
	121	+	"Full response (simple string): (enforced message contains)",
	122	+	"Full response NOT (simple string): (enforced message NOT contains)",
	123	+	"Full response (regex): (enforced message contains)",
	124	+	"Full response NOT (regex): (enforced message NOT contains)",
	125	+	"Full response length: (of enforced response)",
	126	+	"Full response NOT length: (of enforced response)",
	127	+	"Status code equals: (numbers only)",
	128	+	"Status code NOT equals: (numbers only)"
	129	+	]
110	130		self._extender.EDTypeUnauth = JComboBox(EDStrings)
111	131		self._extender.EDTypeUnauth.setBounds(80, 10, 430, 30)
112	132
		skipped 60 lines

■ ■ ■ ■ ■ ■

gui/export.py

		skipped 73 lines
74	74		actionPerformed=self.export)
75	75		self.exportButton.setBounds(390, 50, 100, 30)
76	76
77		-	saveRestoreLabel = JLabel("State:")
	77	+	saveRestoreLabel = JLabel("State (incl. Configuration):")
78	78		saveRestoreLabel.setBounds(10, 160, 250, 30)
79	79		saveRestoreLabel.setFont(boldFont)
80	80
		skipped 157 lines
238	238		f.writelines(csvContent)
239	239		f.close()
240	240
241		-

■ ■ ■ ■ ■ ■

gui/interception_filters.py

		skipped 62 lines
63	63
64	64		# Adding some default interception filters
65	65		# self.IFModel.addElement("Scope items only: (Content is not required)") # commented for better first impression.
66		-	self._extender.IFModel.addElement("URL Not Contains (regex): \\.js\|\\.css\|\\.png\|\\.jpg\|\\.svg\|\\.jpeg\|\\.gif\|\\.woff\|\\.map\|\\.bmp\|\\.ico$")
	66	+	self._extender.IFModel.addElement("URL Not Contains (regex): (\\.js\|\\.css\|\\.png\|\\.jpg\|\\.svg\|\\.jpeg\|\\.gif\|\\.woff\|\\.map\|\\.bmp\|\\.ico)(?![a-z]+)[?][\S]$")
67	67		self._extender.IFModel.addElement("Ignore spider requests: ")
68	68
69	69		self._extender.IFText = JTextArea("", 5, 30)
		skipped 43 lines

■ ■ ■ ■ ■ ■

gui/match_replace.py

		skipped 32 lines
33	33		column1X = 10
34	34		column2X = column1X + labelWidth + padding
35	35		column3X = column2X + editWidth + padding
36		-	MRStrings = ["Headers (simple string):" ,
	36	+	MRStrings = ["Headers (simple string):",
37	37		"Headers (regex):",
38	38		"Body (simple string):",
39	39		"Body (regex):"]
		skipped 77 lines
117	117
118	118		regexMatch = None
119	119		try:
120		-	if "(regex)" in typeName :
	120	+	if "(regex)" in typeName:
121	121		regexMatch = re.compile(match)
122	122		except re.error:
123	123		self._extender.MRFeedback.setText("ERROR: Invalid regex")
		skipped 23 lines

■ ■ ■ ■ ■ ■

gui/menu.py

		skipped 21 lines
22	22		ret = LinkedList()
23	23		requestMenuItem = JMenuItem("Send request to Autorize")
24	24		cookieMenuItem = JMenuItem("Send Cookie header to Autorize")
25		-	authMenuItem = JMenuItem("Send Authorziation header to Autorize")
	25	+	authMenuItem = JMenuItem("Send Authorization header to Autorize")
26	26
27	27		for response in responses:
28	28		requestMenuItem.addActionListener(HandleMenuItems(self._extender,response, "request"))
		skipped 24 lines

■ ■ ■ ■ ■ ■ ■

gui/save_restore.py

		skipped 6 lines
7	7		from java.io import File
8	8
9	9		from table import LogEntry, UpdateTableEDT
10		-	from helpers.http import IHttpRequestResponseImplementation
	10	+	from helpers.http import get_cookie_header_from_message, get_authorization_header_from_message, IHttpRequestResponseImplementation
11	11
12		-	import csv, base64, sys
	12	+	import csv, base64, json, re, sys
13	13
14	14		# This code is necessary to maximize the csv field limit for the save and
15	15		# restore functionality
		skipped 10 lines
26	26		class SaveRestore():
27	27		def __init__(self, extender):
28	28		self._extender = extender
	29	+	self._checkBoxes = [
	30	+	"autoScroll",
	31	+	"ignore304",
	32	+	"prevent304",
	33	+	"interceptRequestsfromRepeater",
	34	+	"doUnauthorizedRequest",
	35	+	"replaceQueryParam",
	36	+	"showAuthBypassModified",
	37	+	"showAuthPotentiallyEnforcedModified",
	38	+	"showAuthEnforcedModified",
	39	+	"showAuthBypassUnauthenticated",
	40	+	"showAuthPotentiallyEnforcedUnauthenticated",
	41	+	"showAuthEnforcedUnauthenticated",
	42	+	"showDisabledUnauthenticated"
	43	+	]
29	44
30	45		def saveState(self):
31	46		parentFrame = JFrame()
		skipped 5 lines
37	52		exportFile = fileChooser.getSelectedFile()
38	53		with open(exportFile.getAbsolutePath(), 'wb') as csvfile:
39	54		csvwriter = csv.writer(csvfile, delimiter='\t', quotechar='\|', quoting=csv.QUOTE_MINIMAL)
	55	+
	56	+	# Configuration
	57	+	tempRow = ["ReplaceString", base64.b64encode(self._extender.replaceString.getText())]
	58	+	csvwriter.writerow(tempRow)
	59	+
	60	+	for EDFilter in self._extender.EDModel.toArray():
	61	+	tempRow = ["EDFilter", base64.b64encode(EDFilter)]
	62	+	csvwriter.writerow(tempRow)
	63	+
	64	+	for EDFilterUnauth in self._extender.EDModelUnauth.toArray():
	65	+	tempRow = ["EDFilterUnauth", base64.b64encode(EDFilterUnauth)]
	66	+	csvwriter.writerow(tempRow)
	67	+
	68	+	for IFFilter in self._extender.IFModel.toArray():
	69	+	tempRow = ["IFFilter", base64.b64encode(IFFilter)]
	70	+	csvwriter.writerow(tempRow)
	71	+
	72	+	for t in ["AndOrType", "AndOrTypeUnauth"]:
	73	+	tempRow = [t, getattr(self._extender, t).getSelectedItem()]
	74	+	csvwriter.writerow(tempRow)
	75	+
	76	+	for key in self._extender.badProgrammerMRModel:
	77	+	d = dict(self._extender.badProgrammerMRModel[key])
	78	+	d["regexMatch"] = d["regexMatch"] is not None
	79	+	tempRow = ["MatchReplace", base64.b64encode(json.dumps(d))]
	80	+	csvwriter.writerow(tempRow)
	81	+
	82	+	d = dict((c, getattr(self._extender, c).isSelected()) for c in self._checkBoxes)
	83	+	tempRow = ["CheckBoxes", json.dumps(d)]
	84	+	csvwriter.writerow(tempRow)
	85	+
	86	+	isSelected = self._extender.exportPnl.getComponents()[-1].isSelected()
	87	+	tempRow = ["RemoveDuplicates", json.dumps(isSelected)]
	88	+	csvwriter.writerow(tempRow)
	89	+
	90	+	# Request/response list
40	91		for i in range(0,self._extender._log.size()):
41	92		tempRequestResponseHost = self._extender._log.get(i)._requestResponse.getHttpService().getHost()
42	93		tempRequestResponsePort = self._extender._log.get(i)._requestResponse.getHttpService().getPort()
		skipped 5 lines
48	99		tempOriginalRequestResponsePort = self._extender._log.get(i)._originalrequestResponse.getHttpService().getPort()
49	100		tempOriginalRequestResponseProtocol = self._extender._log.get(i)._originalrequestResponse.getHttpService().getProtocol()
50	101		tempOriginalRequestResponseRequest = base64.b64encode(self._extender._log.get(i)._originalrequestResponse.getRequest())
51		-	tempOriginalRequestResponseResponse = base64.b64encode(self._extender._log.get(i)._originalrequestResponse.getResponse())
	102	+	tempOriginalRequestResponseResponse = base64.b64encode(self._extender._log.get(i)._originalrequestResponse.getResponse())
52	103
53	104		if self._extender._log.get(i)._unauthorizedRequestResponse is not None:
54	105		tempUnauthorizedRequestResponseHost = self._extender._log.get(i)._unauthorizedRequestResponse.getHttpService().getHost()
		skipped 9 lines
64	115		tempUnauthorizedRequestResponseResponse = None
65	116
66	117		tempEnforcementStatus = self._extender._log.get(i)._enfocementStatus
67		-	tempEnforcementStatusUnauthorized = self._extender._log.get(i)._enfocementStatusUnauthorized
	118	+	tempEnforcementStatusUnauthorized = self._extender._log.get(i)._enfocementStatusUnauthorized
68	119
69	120		tempRow = [tempRequestResponseHost,tempRequestResponsePort,tempRequestResponseProtocol,tempRequestResponseRequest,tempRequestResponseResponse]
70	121		tempRow.extend([tempOriginalRequestResponseHost,tempOriginalRequestResponsePort,tempOriginalRequestResponseProtocol,tempOriginalRequestResponseRequest,tempOriginalRequestResponseResponse])
		skipped 6 lines
77	128		parentFrame = JFrame()
78	129		fileChooser = JFileChooser()
79	130		fileChooser.setDialogTitle("State import file")
80		-	userSelection = fileChooser.showDialog(parentFrame,"Restore")
	131	+	userSelection = fileChooser.showDialog(parentFrame, "Restore")
	132	+	modelMap = {
	133	+	"IFFilter": self._extender.IFModel,
	134	+	"EDFilter": self._extender.EDModel,
	135	+	"EDFilterUnauth": self._extender.EDModelUnauth
	136	+	}
81	137
82	138		if userSelection == JFileChooser.APPROVE_OPTION:
83	139		importFile = fileChooser.getSelectedFile()
		skipped 3 lines
87	143		csvreader = csv.reader(csvfile, delimiter='\t', quotechar='\|')
88	144
89	145		for row in csvreader:
	146	+	# Configuration
	147	+	if row[0] == "ReplaceString":
	148	+	self._extender.replaceString.setText(base64.b64decode(row[1]))
	149	+	continue
90	150
	151	+	if row[0] in modelMap:
	152	+	f = base64.b64decode(row[1])
	153	+	if f not in modelMap[row[0]].toArray():
	154	+	modelMap[row[0]].addElement(f)
	155	+	continue
	156	+
	157	+	if row[0] in {"AndOrType", "AndOrTypeUnauth"}:
	158	+	getattr(self._extender, row[0]).setSelectedItem(row[1])
	159	+	continue
	160	+
	161	+	if row[0] == "MatchReplace":
	162	+	d = json.loads(base64.b64decode(row[1]))
	163	+	key = d["type"] + " " + d["match"] + "->" + d["replace"]
	164	+	if key in self._extender.badProgrammerMRModel:
	165	+	continue
	166	+	regexMatch = None
	167	+	if d["regexMatch"]:
	168	+	try:
	169	+	d["regexMatch"] = re.compile(d["match"])
	170	+	except re.error:
	171	+	print("ERROR: Regex to restore is invalid:", d["match"])
	172	+	continue
	173	+	self._extender.badProgrammerMRModel[key] = d
	174	+	self._extender.MRModel.addElement(key)
	175	+	continue
	176	+
	177	+	if row[0] == "CheckBoxes":
	178	+	d = json.loads(row[1])
	179	+	for k in d:
	180	+	getattr(self._extender, k).setSelected(d[k])
	181	+	continue
	182	+
	183	+	if row[0] == "RemoveDuplicates":
	184	+	isSelected = json.loads(row[1])
	185	+	try:
	186	+	self._extender.exportPnl.getComponents()[-1].setSelected(isSelected)
	187	+	except TypeError: # suppress TypeError: None required for void return
	188	+	pass
	189	+	continue
	190	+
	191	+	# Request/response list
91	192		tempRequestResponseHost = row[0]
92	193		tempRequestResponsePort = row[1]
93	194		tempRequestResponseProtocol = row[2]
		skipped 7 lines
101	202		tempOriginalRequestResponsePort = row[6]
102	203		tempOriginalRequestResponseProtocol = row[7]
103	204		tempOriginalRequestResponseRequest = base64.b64decode(row[8])
104		-	tempOriginalRequestResponseResponse = base64.b64decode(row[9])
	205	+	tempOriginalRequestResponseResponse = base64.b64decode(row[9])
105	206
106	207		tempOriginalRequestResponseHttpService = self._extender._helpers.buildHttpService(tempOriginalRequestResponseHost,int(tempOriginalRequestResponsePort),tempOriginalRequestResponseProtocol)
107	208		tempOriginalRequestResponse = IHttpRequestResponseImplementation(tempOriginalRequestResponseHttpService,tempOriginalRequestResponseRequest,tempOriginalRequestResponseResponse)
		skipped 12 lines
120	221		tempUnauthorizedRequestResponse = None
121	222
122	223		tempEnforcementStatus = row[15]
123		-	tempEnforcementStatusUnauthorized = row[16]
	224	+	tempEnforcementStatusUnauthorized = row[16]
124	225
125	226		self._extender._lock.acquire()
126	227
		skipped 24 lines
151	252
152	253		lastRow = self._extender._log.size()
153	254		if lastRow > 0:
154		-	cookiesHeader = self._extender.get_cookie_header_from_message(self._extender._log.get(lastRow - 1)._requestResponse)
	255	+	cookiesHeader = get_cookie_header_from_message(self._extender, self._extender._log.get(lastRow - 1)._requestResponse)
155	256		if cookiesHeader:
156	257		self._extender.lastCookiesHeader = cookiesHeader
157	258		self._extender.fetchCookiesHeaderButton.setEnabled(True)
158		-	authorizationHeader = self._extender.get_authorization_header_from_message(self._extender._log.get(lastRow - 1)._requestResponse)
	259	+	authorizationHeader = get_authorization_header_from_message(self._extender, self._extender._log.get(lastRow - 1)._requestResponse)
159	260		if authorizationHeader:
160	261		self._extender.lastAuthorizationHeader = authorizationHeader
161	262		self._extender.fetchAuthorizationHeaderButton.setEnabled(True)
162	263
163		-

■ ■ ■ ■ ■ ■

helpers/http.py

		skipped 49 lines
50	50		if authorizeOrNot:
51	51		# simple string replace
52	52		for k, v in self.badProgrammerMRModel.items():
53		-	if(v["type"] == "Headers (simple string):") :
	53	+	if(v["type"] == "Headers (simple string):"):
54	54		headers = map(lambda h: h.replace(v["match"], v["replace"]), headers)
55	55		if(v["type"] == "Headers (regex):") :
56	56		headers = map(lambda h: re.sub(v["regexMatch"], v["replace"], h), headers)
		skipped 1 lines
58	58		if not queryFlag:
59	59		# fix missing carriage return on *NIX systems
60	60		replaceStringLines = self.replaceString.getText().split("\n")
61		-
62	61		for h in replaceStringLines:
63		-	headers.append(h)
	62	+	if h == "": # Logic to fix extraneous newline at the end of requests when no temporary headers are added
	63	+	pass
	64	+	else:
	65	+	headers.append(h)
64	66
65	67		msgBody = messageInfo.getRequest()[requestInfo.getBodyOffset():]
66	68
		skipped 5 lines
72	74		if(v["type"] == "Body (simple string):") :
73	75		msgBody = msgBody.replace(v["match"], v["replace"])
74	76		if(v["type"] == "Body (regex):") :
75		-	msgBody = re.sub(v["regexMatch"], v["replace"],msgBody)
	77	+	msgBody = re.sub(v["regexMatch"], v["replace"], msgBody)
76	78		msgBody = self._helpers.stringToBytes(msgBody)
77	79		return self._helpers.buildHttpMessage(headers, msgBody)
78	80
		skipped 3 lines
82	84
83	85		def getResponseBody(self, requestResponse):
84	86		analyzedResponse = self._helpers.analyzeResponse(requestResponse.getResponse())
85		-	self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():])
	87	+	return self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():])
86	88
87	89		def getResponseContentLength(self, response):
88	90		return len(response) - self._helpers.analyzeResponse(response).getBodyOffset()
		skipped 53 lines

■ ■ ■ ■ ■ ■

helpers/initiator.py

		skipped 17 lines
18	18		self._extender = extender
19	19
20	20		def init_constants(self):
21		-	self.contributors = ["Federico Dotta", "mgeeky", "Marcin Woloszyn", "jpginc"]
	21	+	self.contributors = ["Federico Dotta", "mgeeky", "Marcin Woloszyn", "jpginc", "Eric Harris"]
22	22		self._extender.version = 1.5
23	23		self._extender._log = ArrayList()
24	24		self._extender._lock = Lock()
		skipped 53 lines
78	78		Contributors: {}
79	79
80	80		Github:\nhttps://github.com/Quitten/Autorize""".format(self._extender.version, ", ".join(self.contributors)))
	81	+

Merge branch 'Quitten:master' into Send_to_repeater