added two new options to the forced-browse add-on. #1534

Merged
merged 2 commits into from Apr 16, 2018
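--- a/src/com/sittinglittleduck/DirBuster/Manager.java
+++ b/src/com/sittinglittleduck/DirBuster/Manager.java
@@ -112,7 +112,7 @@ public class Manager implements ProcessChecker.ProcessUpdate
 //total number of basecases produced
 private int numberOfBaseCasesProduced = 0;
 //exts that are not to be added to the work queue if found by the HTML parser
-public Vector extsToMiss = new Vector(10, 10);
+public Vector<String> extsToMiss = new Vector<>(10, 10);
 //Vector to store all the html elements that are to be parsed.
 public Vector elementsToParse = new Vector(10, 10);
 //Used to store a string of what we are currently processing
@@ -186,15 +186,6 @@ public class Manager implements ProcessChecker.ProcessUpdate
 // ZAP: Changed to public to allow it to be extended
 public Manager()
 {
-//add the default file extentions for links to be process if found during a HTML parse
-extsToMiss.addElement("jpg");
-extsToMiss.addElement("gif");
-extsToMiss.addElement("jpeg");
-extsToMiss.addElement("ico");
-extsToMiss.addElement("tiff");
-extsToMiss.addElement("png");
-extsToMiss.addElement("bmp");
-
 elementsToParse.addElement(new HTMLelementToParse("a", "href"));
 elementsToParse.addElement(new HTMLelementToParse("img", "src"));
 elementsToParse.addElement(new HTMLelementToParse("form", "action"));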
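Review bot: With the defaults removed from the constructor, `extsToMiss` starts empty for every `Manager`, so a caller that builds one without filling the list will queue the image links found by the HTML parser; the only populating call visible on this page is the one added in `BruteForce`. The constructor is public "to allow it to be extended", so the field deserves a comment saying so, for example `// starts empty; the caller must add the extensions to skip before the scan starts`. The field is still a public mutable `Vector`, and `elementsToParse` beside it remains a raw type. The constructor body continues past the end of the hunk.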
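--- a/src/org/zaproxy/zap/extension/bruteforce/BruteForce.java
+++ b/src/org/zaproxy/zap/extension/bruteforce/BruteForce.java
@@ -99,6 +99,7 @@ public BruteForce (ScanTarget target, File file, BruteForceListenner listenner,
 } else {
 extensions = Collections.emptyList();
 }
+manager.extsToMiss.addAll(bruteForceParam.getExtensionsToMissSet());
 }
 
 public BruteForce (ScanTarget target, File file, BruteForceListenner listenner, BruteForceParam bruteForceParam, String directory) {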
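Review bot: The skip list is loaded only at the end of this constructor; the overload taking `String directory`, whose signature closes the hunk, has its body outside the visible lines, so it is not clear that it also applies `getExtensionsToMissSet()`. If that overload does not delegate here, scans started through it would run with an empty `extsToMiss` now that `Manager` no longer seeds the defaults. Either confirm the delegation or repeat `manager.extsToMiss.addAll(bruteForceParam.getExtensionsToMissSet());` in it. The first constructor also starts outside the hunk.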
72 changes: 72 additions & 0 deletions src/org/zaproxy/zap/extension/bruteforce/BruteForceParam.java
Expand Up @@ -21,12 +21,16 @@

import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.apache.commons.configuration.ConversionException;
import org.apache.log4j.Logger;
import org.parosproxy.paros.common.AbstractParam;
import com.sittinglittleduck.DirBuster.Config;

public class BruteForceParam extends AbstractParam {

Expand All @@ -37,19 +41,25 @@ public class BruteForceParam extends AbstractParam {
private static final String RECURSIVE = "bruteforce.recursive";
private static final String BROWSE_FILES = "bruteforce.browsefiles";
private static final String FILE_EXTENSIONS = "bruteforce.fileextensions";
private static final String EXTENSIONS_TO_MISS = "bruteforce.extensionsToMiss";
private static final String FAIL_CASE_STRING = "bruteforce.failCaseString";

public static final int DEFAULT_THREAD_PER_SCAN = 10;
public static final int MAXIMUM_THREADS_PER_SCAN = 200;
public static final boolean DEFAULT_RECURSIVE = true;
public static final boolean DEFAULT_BROWSE_FILES = false;
public static final String EMPTY_STRING = "";
public static final String DEFAULT_EXTENSIONS_TO_MISS = "jpg, gif, jpeg, ico, tiff, png, bmp";
public static final String DEFAULT_FAIL_CASE_STRING = Config.failCaseString;

private int threadPerScan = DEFAULT_THREAD_PER_SCAN;
private boolean recursive = DEFAULT_RECURSIVE;
private ForcedBrowseFile defaultFile = null;
private boolean browseFiles = DEFAULT_BROWSE_FILES;
// can't be null
private String fileExtensions = EMPTY_STRING;
private String extensionsToMiss = DEFAULT_EXTENSIONS_TO_MISS;
private String failCaseString = DEFAULT_FAIL_CASE_STRING;

public BruteForceParam() {
}
Expand All @@ -61,6 +71,8 @@ protected void parse() {
this.recursive = getConfig().getBoolean(RECURSIVE, DEFAULT_RECURSIVE);
this.browseFiles = getConfig().getBoolean(BROWSE_FILES, DEFAULT_BROWSE_FILES);
this.fileExtensions = getConfig().getString(FILE_EXTENSIONS, EMPTY_STRING);
this.extensionsToMiss = getConfig().getString(EXTENSIONS_TO_MISS, DEFAULT_EXTENSIONS_TO_MISS);
this.failCaseString = getConfig().getString(FAIL_CASE_STRING, DEFAULT_FAIL_CASE_STRING);
} catch (Exception e) {}

try {
Expand Down Expand Up @@ -173,4 +185,64 @@ public List<String> getFileExtensionsList() {

return fileExtensionsList;
}

/**
* @return {@code String} of comma-separated file-extensions that are ignored.
* URIs ending with these extensions are ignored from making requests to the server.
* {@link #DEFAULT_EXTENSIONS_TO_MISS} is returned by default
*/
String getExtensionsToMiss() {
return extensionsToMiss;
}

/**
* Define a {@code String} of comma-separated file-extensions for
* resources to ignore
*
* @param extensionsToMiss file-extensions string
* @throws IllegalArgumentException if {@code extensionsToMiss} is
* {@code null}
*/
void setExtensionsToMiss(String extensionsToMiss) {
if (extensionsToMiss == null) {
throw new IllegalArgumentException("extensionsToMiss is null");
}

this.extensionsToMiss = extensionsToMiss;
getConfig().setProperty(EXTENSIONS_TO_MISS, extensionsToMiss);
}

/**
* @return {@code Set} of file extensions that are ignored.
* URIs ending with these extensions are ignored from making requests to the server.
* By default returned {@code Set} will contain following extensions,
* {@link #DEFAULT_EXTENSIONS_TO_MISS}
*/
Set<String> getExtensionsToMissSet() {
if (extensionsToMiss.trim().equals(EMPTY_STRING)) {
return new HashSet<>();
}
String[] tempArray = extensionsToMiss.replaceAll("\\s",
EMPTY_STRING).split(",");
Set<String> tempSet = new HashSet<>(Arrays.asList(tempArray));
tempSet.remove(EMPTY_STRING);
return tempSet;
}

String getFailCaseString() {
return failCaseString;
}

void setFailCaseString(String failCaseString) {
if(failCaseString == null) {
throw new IllegalArgumentException("failCaseString is null");
}
if(failCaseString.isEmpty()) {
throw new IllegalArgumentException("failCaseString is empty");
}
Config.failCaseString = failCaseString;
this.failCaseString = failCaseString;
getConfig().setProperty(FAIL_CASE_STRING, failCaseString);
}

}
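Review bot: `parse()` loads `failCaseString` into the instance field only, while `Config.failCaseString`, the static that `setFailCaseString` updates, is written nowhere else in the visible lines; a value saved in an earlier session would then show in the options but presumably not be the one DirBuster uses until the setter runs again. Adding `Config.failCaseString = this.failCaseString;` after the read in `parse()` would keep the two in step. Both new reads sit inside the existing empty `catch (Exception e) {}`, so a malformed entry is dropped silently. `getExtensionsToMissSet()` keeps entries as typed, so `JPG` or `.png` match only if the comparison elsewhere normalises them. `parse()` starts and ends outside its hunk.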