CompoundCookies.js
/**
 * Input Vector script that lets ZAP attack compound cookies, i.e. cookies that contain multiple parameters.
 * The compound cookie format is Classic ASP compliant, i.e. of the form:
 *   <compoundcookie>=<p1name>=<p1value>&<p2name>=<p2value>&...
 * where parameter names and values must be URI component encoded. The script generates parameters of the form:
 *   <compoundcookie>:<p1name>=<p1value>
 *   <compoundcookie>:<p2name>=<p2value>
 *   ...
 * The compound cookies themselves should be added to the Active Scan "Exclude Param" list so that ZAP does not also attack them directly.
 */
// Java classes used by this script, looked up by their fully qualified names.
// ScriptVars supplies the 'CompoundCookies' global variable read in parseParameters.
var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
// HtmlParameter is instantiated in setParameter to hold the rebuilt cookie.
var HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter");
// Parameter type passed to the HtmlParameter constructor so the rebuilt value is a cookie.
// NOTE(review): this goes through the global 'org' package object rather than the
// HtmlParameter variable above - confirm the script engine in use exposes it.
var COOKIE_TYPE = org.parosproxy.paros.network.HtmlParameter.Type.cookie;
/* Names of the compound cookies to target. Either hard-code the list here
 * (i.e. ccList = [ "<compoundcookie1>", "<compoundcookie2>", ... ]; )
 * or leave it empty and set the 'CompoundCookies' global var to a '&' separated list
 * (i.e. "<compoundcookie1>&<compoundcookie2>&..." ); parseParameters fills ccList from
 * that variable the first time it runs with an empty list. */
var ccList = [];
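/**
 * Splits each targeted compound cookie of the request into separate scan parameters.
 *
 * For every request cookie whose name is listed in ccList, the value is split on '&'
 * and each "<name>=<value>" pair is registered through helper.addParamQuery as
 * "<cookie>:<decoded name>" with the decoded value.
 *
 * When ccList is empty it is first loaded from the 'CompoundCookies' global variable
 * ('&' separated names, empty entries ignored). If that variable is unset or holds no
 * names, a setup error is printed and nothing is registered.
 *
 * Pairs without '=' or with an empty name are not registered. Pairs whose name or value
 * is not valid URI component encoding are skipped with a warning, so a single malformed
 * cookie sent by the target cannot abort parsing of the whole message.
 *
 * @param helper input vector helper; only addParamQuery(name, value) is used here
 * @param msg    HTTP message whose request cookies are inspected
 */
function parseParameters(helper, msg) {
  var cookies = msg.getRequestHeader().getCookieParams();

  if (ccList.length == 0) {
    // getGlobalVar can hand back null when the variable was never set; guard it so the
    // setup error below is printed instead of failing on a method call against null.
    var configured = ScriptVars.getGlobalVar("CompoundCookies");
    var names =
      configured == null
        ? []
        : String(configured)
            .split("&")
            .filter(function (name) {
              return name !== "";
            });
    if (names.length == 0) {
      print(
        "CompoundCookie Setup Error: GlobalVar CompoundCookies must be set to '&' separated list of compound cookies"
      );
      return;
    }
    ccList = names;
  }

  for (var it = cookies.iterator(); it.hasNext(); ) {
    var cookie = it.next();
    var cookieName = String(cookie.getName());
    if (ccList.indexOf(cookieName) < 0) {
      continue;
    }

    var pairs = String(cookie.getValue()).split("&");
    for (var i = 0; i < pairs.length; i++) {
      var pair = pairs[i];
      var equalsIndex = pair.indexOf("=");
      if (equalsIndex <= 0) {
        // No '=' at all, or an empty parameter name: nothing to register.
        continue;
      }

      var paramName;
      var paramValue;
      try {
        // decodeURIComponent throws URIError on a malformed escape sequence.
        paramName = decodeURIComponent(pair.substring(0, equalsIndex));
        paramValue = decodeURIComponent(pair.substring(equalsIndex + 1));
      } catch (e) {
        // The cookie value is deliberately not printed; it may hold session data.
        print(
          "CompoundCookie Parse Warning: skipping malformed parameter in cookie " +
            cookieName
        );
        continue;
      }

      helper.addParamQuery(cookieName + ":" + paramName, paramValue);
    }
  }
}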
/**
 * Writes the attacked value back into its compound cookie.
 *
 * Only one parameter is changed at a time, so only one compound cookie is rebuilt.
 * The current parameter name must have the form "<cookie>:<name>" with <cookie> listed
 * in ccList; otherwise an error is printed and the message is left untouched.
 *
 * The cookie value is reassembled from every helper parameter that carries the same
 * "<cookie>:" prefix, each name and value passed through encodeURIComponent. Pairs are
 * prepended as they are visited, so the rebuilt cookie lists them in reverse helper order.
 * The existing cookie of that name is removed and the rebuilt one is appended.
 *
 * @param helper  input vector helper giving access to the parsed parameters
 * @param msg     HTTP message whose request cookies are rewritten
 * @param param   not used by this implementation
 * @param value   attack value for the current parameter
 * @param escaped not used by this implementation
 */
function setParameter(helper, msg, param, value, escaped) {
  var total = helper.getParamNumber();
  var current = helper.getCurrentParam().getPosition();
  var targetName;
  var separator = -1;
  var cookieName;
  var isCompound = false;

  // Same short-circuit order as a single && chain: the name is only fetched when the
  // position is in range, the cookie name only extracted when a ':' follows a non-empty prefix.
  if (current < total) {
    targetName = helper.getParamName(current);
    separator = targetName.indexOf(":");
    if (separator > 0) {
      cookieName = targetName.substring(0, separator);
      isCompound = ccList.indexOf(cookieName) >= 0;
    }
  }

  if (!isCompound) {
    print(
      "CompoundCookie SetParameter Error: Invalid input " +
        total +
        ", " +
        current +
        " -> " +
        targetName
    );
    return;
  }

  var cookies = msg.getRequestHeader().getCookieParams();
  var prefix = cookieName + ":";
  var encodedPairs = [];

  for (var i = 0; i < total; i++) {
    var name = helper.getParamName(i);
    var rawValue;
    if (i == current) {
      // The parameter under attack takes the supplied value.
      rawValue = value;
    } else if (name.startsWith(prefix)) {
      // Sibling parameters of the same cookie keep their recorded value.
      rawValue = helper.getParamValue(i);
    } else {
      continue;
    }
    // unshift keeps the newest pair first, i.e. reverse helper order.
    encodedPairs.unshift(
      encodeURIComponent(name.slice(separator + 1)) +
        "=" +
        encodeURIComponent(rawValue)
    );
  }

  var rebuilt = new HtmlParameter(
    COOKIE_TYPE,
    cookieName,
    encodedPairs.join("&")
  );

  // Drop the first existing cookie with this name before adding the rebuilt one.
  var it = cookies.iterator();
  while (it.hasNext()) {
    if (it.next().getName().equals(cookieName)) {
      it.remove();
      break;
    }
  }
  cookies.add(rebuilt);
  msg.getRequestHeader().setCookieParams(cookies);
}
/**
 * Leaf-name hook of the input vector script.
 * No custom name is produced: null is returned so the default method is used.
 *
 * @param helper   input vector helper (unused)
 * @param nodeName node name offered by the caller (unused)
 * @param msg      HTTP message (unused)
 * @returns null in every case
 */
function getLeafName(helper, nodeName, msg) {
  var useDefault = null;
  return useDefault;
}
/**
 * Tree-path hook of the input vector script.
 * No custom path is produced: null is returned so the default method is used.
 *
 * @param helper input vector helper (unused)
 * @param msg    HTTP message (unused)
 * @returns null in every case
 */
function getTreePath(helper, msg) {
  var useDefault = null;
  return useDefault;
}