Package org.zaproxy.zap.extension.pscanrules

Source Code of org.zaproxy.zap.extension.pscanrules.MixedContentScanner$MixedContent

/*
* Zed Attack Proxy (ZAP) and its related class files.
*
* ZAP is an HTTP/HTTPS proxy for assessing web application security.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*   http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.zaproxy.zap.extension.pscanrules;

import java.util.ArrayList;
import java.util.List;

import net.htmlparser.jericho.Element;
import net.htmlparser.jericho.HTMLElementName;
import net.htmlparser.jericho.Source;

import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.network.HttpMessage;
import org.zaproxy.zap.extension.pscan.PassiveScanThread;
import org.zaproxy.zap.extension.pscan.PluginPassiveScanner;


public class MixedContentScanner extends PluginPassiveScanner {

  private PassiveScanThread parent = null;

  @Override
  public void setParent (PassiveScanThread parent) {
    this.parent = parent;
  }

  @Override
  public void scanHttpRequestSend(HttpMessage msg, int id) {
    // Ignore
  }

  @Override
  public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
    if (!msg.getRequestHeader().isSecure()) {
      // If SSL isn't used then this check isnt relevant
      return;
    }
    List<MixedContent> list = new ArrayList<MixedContent>();
    boolean incScript = false;
   
    if (msg.getResponseBody().length() > 0 && msg.getResponseHeader().isText()){
      List<Element> sourceElements = source.getAllElements();
      if (sourceElements != null) {
        for (Element sourceElement : sourceElements) {
          if (addAttsContainingHttpContent(sourceElement, "src", list)) {
            if (HTMLElementName.SCRIPT.equals(sourceElement.getName())) {
              // Considered to be more serious
              incScript = true;
            }
          } 
          addAttsContainingHttpContent(sourceElement, "background", list);
          addAttsContainingHttpContent(sourceElement, "classid", list);
          addAttsContainingHttpContent(sourceElement, "codebase", list);
          addAttsContainingHttpContent(sourceElement, "data", list);
          addAttsContainingHttpContent(sourceElement, "icon", list);
          addAttsContainingHttpContent(sourceElement, "usemap", list);
         
          switch (this.getLevel()) {
          case LOW:
          case MEDIUM:
            // These are a bit more debatable, so dont do them on the HIGH setting
            addAttsContainingHttpContent(sourceElement, "action", list);
            addAttsContainingHttpContent(sourceElement, "formaction", list);
            break;
          default:
            // No other checks
          }
        } 
      }
      final int numberOfMixedElements = list.size();
      if (numberOfMixedElements > 0) {
        StringBuilder sb = new StringBuilder(numberOfMixedElements * 40);
        for (MixedContent mc : list) {
          sb.append("tag=");
          sb.append(mc.getTag());
          sb.append(' ');
          sb.append(mc.getAtt());
          sb.append('=');
          sb.append(mc.getValue());
          sb.append('\n');
        }

        this.raiseAlert(msg, id, list.get(0).getValue(), sb.toString(), incScript);
      }
    }
  }
 
  private boolean addAttsContainingHttpContent(Element sourceElement, String attribute, List<MixedContent> list) {
    String val = sourceElement.getAttributeValue(attribute);
    if (val != null && val.toLowerCase().startsWith("http:")) {
      list.add(new MixedContent(sourceElement.getName(), attribute, val));
      return true;
    }
    return false;
  }
 
  private void raiseAlert(HttpMessage msg, int id, String first, String all, boolean incScript) {
    String name = "Secure page includes mixed content";
    int risk = Alert.RISK_LOW;
    if (incScript) {
      name = "Secure page includes mixed content, including scripts";
      risk = Alert.RISK_MEDIUM;
    }
      Alert alert = new Alert(getPluginId(), risk, Alert.WARNING, name);
      alert.setDetail(
          "The page includes mixed content, ie content accessed via http instead of https.",
          msg.getRequestHeader().getURI().toString(),
          "", first, all,
          "A page that is available over TLS must be comprised completely of content which is transmitted over TLS. \n" +
          "The page must not contain any content that is transmitted over unencrypted HTTP.\n" +
          "This includes content from unrelated third party sites.",
            "https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet",
            first, // evidence
            0// TODO CWE Id
            0// TODO WASC Id
            msg);
 
      parent.raiseAlert(id, alert);

  }

  @Override
  public int getPluginId() {
    return 10040;
  }

  @Override
  public String getName() {
    return "Secure pages including mixed content";
  }
 
  private class MixedContent {
    private String tag;
    private String att;
    private String value;
   
    public MixedContent(String tag, String att, String value) {
      super();
      this.tag = tag;
      this.att = att;
      this.value = value;
    }

    public String getTag() {
      return tag;
    }

    public String getAtt() {
      return att;
    }

    public String getValue() {
      return value;
    }
   
  }
}
TOP

Related Classes of org.zaproxy.zap.extension.pscanrules.MixedContentScanner$MixedContent

TOP
Copyright © 2018 www.massapi.com. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.