-
-
Notifications
You must be signed in to change notification settings - Fork 242
/
Copy pathJsonStrings.js
77 lines (70 loc) · 2.51 KB
/
JsonStrings.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
// The parseParameter function will typically be called for every page and
// the setParameter function is called by each active plugin to bundle specific attacks
// Note that new custom input vector scripts will initially be disabled
// Right click the script in the Scripts tree and select "enable"
/*
This variant script can be used as an alternative to the default JSON input vectors
when one only wants to scan the string fields of the JSON object, not integers.
Input vectors will be located and set recursively and objects containing up to three
layers of objects, lists and strings seem to work as intended.
*/
function parseParameters(helper, msg) {
//we're only interested in JSON requests with non-empty POST bodies
var header = msg.getRequestHeader();
if (
!header.getHeader("Content-Type") ||
!header
.getHeader("Content-Type")
.trim()
.equalsIgnoreCase("application/json") ||
header.getMethod() != "POST" ||
msg.getRequestBody().length() == 0
) {
return;
}
var body = msg.getRequestBody().toString();
try {
var obj = JSON.parse(body);
} catch (err) {
print("Parsing message body failed: " + err.message);
return;
}
recursive_parse(helper, obj, "Object");
}
function recursive_parse(helper, obj, path) {
if (typeof obj == "number") {
//skipping this is why I wrote this script!
} else if (typeof obj == "string") {
//here the parameter is added with the name being a JSON
//list of keys that act as the JSON path to the input vector
helper.addParamPost(path, obj);
} else {
for (var k in obj) {
recursive_parse(helper, obj[k], path + "." + k);
}
}
//are there other cases that have been missed?
}
function setParameter(helper, msg, param, value, escaped) {
try {
var obj = JSON.parse(msg.getRequestBody().toString());
//get the path from the parameter name, ignore the "Object"-part
var path = param.split(".").slice(1);
//this may fail if "param" has been edited since parsing
recursive_set(obj, path, value);
} catch (err) {
print("Setting parameter value failed: " + err.message);
return;
}
msg.getRequestBody().setBody(JSON.stringify(obj));
msg.getRequestHeader().setContentLength(msg.getRequestBody().length());
}
function recursive_set(obj, path, value) {
//print(JSON.stringify(obj) + " : " + JSON.stringify(path))
if (path.length == 0) {
//stop recursing when the path is consumed
return value;
}
obj[path[0]] = recursive_set(obj[path[0]], path.slice(1), value);
return obj;
}