def handle_message(self, toolFlag, messageIsRequest, messageInfo):
if tool_needs_to_be_ignored(self, toolFlag):
return
handle_cookies_feature(self, messageInfo)
if self.intercept and valid_tool(self, toolFlag):
handle_304_status_code_prevention(self, messageIsRequest, messageInfo)
if not messageIsRequest:
if message_not_from_autorize(self, messageInfo):
if self.ignore304.isSelected():
if isStatusCodesReturned(self, messageInfo,
["304", "204"]):
return
if no_filters_defined(self):
checkAuthorization(
self, messageInfo,
self._helpers.analyzeResponse(
messageInfo.getResponse()).getHeaders(),
self.doUnauthorizedRequest.isSelected())
else:
if message_passed_interception_filters(self, messageInfo):
checkAuthorization(
self, messageInfo,
self._helpers.analyzeResponse(
messageInfo.getResponse()).getHeaders(),
self.doUnauthorizedRequest.isSelected())
def checkBypass(self, oldStatusCode, newStatusCode, oldContentLen,
newContentLen, filters, requestResponse, andOrEnforcement):
response = requestResponse.getResponse()
analyzedResponse = self._helpers.analyzeResponse(response)
impression = ""
if oldStatusCode == newStatusCode:
if oldContentLen == newContentLen:
impression = self.BYPASSSED_STR
if len(filters) > 0:
if andOrEnforcement == "And":
andEnforcementCheck = True
auth_enforced = 1
else:
andEnforcementCheck = False
auth_enforced = 0
for filter in filters:
if str(filter).startswith("Status code equals: "):
statusCode = filter[20:]
if andEnforcementCheck:
if auth_enforced == 1 and not isStatusCodesReturned(
self, requestResponse, statusCode):
auth_enforced = 0
else:
if auth_enforced == 0 and isStatusCodesReturned(
self, requestResponse, statusCode):
auth_enforced = 1
if str(filter).startswith("Headers (simple string): "):
if andEnforcementCheck:
if auth_enforced == 1 and not filter[
25:] in self._helpers.bytesToString(
requestResponse.getResponse()
[0:analyzedResponse.getBodyOffset()]):
auth_enforced = 0
else:
if auth_enforced == 0 and filter[
25:] in self._helpers.bytesToString(
requestResponse.getResponse()
[0:analyzedResponse.getBodyOffset()]):
auth_enforced = 1
if str(filter).startswith("Headers (regex): "):
regex_string = filter[17:]
p = re.compile(regex_string, re.IGNORECASE)
if andEnforcementCheck:
if auth_enforced == 1 and not p.search(
self._helpers.bytesToString(
requestResponse.getResponse()
[0:analyzedResponse.getBodyOffset()])):
auth_enforced = 0
else:
if auth_enforced == 0 and p.search(
self._helpers.bytesToString(
requestResponse.getResponse()
[0:analyzedResponse.getBodyOffset()])):
auth_enforced = 1
if str(filter).startswith("Body (simple string): "):
if andEnforcementCheck:
if auth_enforced == 1 and not filter[
22:] in self._helpers.bytesToString(
requestResponse.getResponse()
[analyzedResponse.getBodyOffset():]):
auth_enforced = 0
else:
if auth_enforced == 0 and filter[
22:] in self._helpers.bytesToString(
requestResponse.getResponse()
[analyzedResponse.getBodyOffset():]):
auth_enforced = 1
if str(filter).startswith("Body (regex): "):
regex_string = filter[14:]
p = re.compile(regex_string, re.IGNORECASE)
if andEnforcementCheck:
if auth_enforced == 1 and not p.search(
self._helpers.bytesToString(
requestResponse.getResponse()
[analyzedResponse.getBodyOffset():])):
auth_enforced = 0
else:
if auth_enforced == 0 and p.search(
self._helpers.bytesToString(
requestResponse.getResponse()
[analyzedResponse.getBodyOffset():])):
auth_enforced = 1
if str(filter).startswith("Full response (simple string): "):
if andEnforcementCheck:
if auth_enforced == 1 and not filter[
31:] in self._helpers.bytesToString(
requestResponse.getResponse()):
auth_enforced = 0
else:
if auth_enforced == 0 and filter[
31:] in self._helpers.bytesToString(
requestResponse.getResponse()):
auth_enforced = 1
if str(filter).startswith("Full response (regex): "):
regex_string = filter[23:]
p = re.compile(regex_string, re.IGNORECASE)
if andEnforcementCheck:
if auth_enforced == 1 and not p.search(
self._helpers.bytesToString(
requestResponse.getResponse())):
auth_enforced = 0
else:
if auth_enforced == 0 and p.search(
self._helpers.bytesToString(
requestResponse.getResponse())):
auth_enforced = 1
if str(filter).startswith("Full response length: "):
if andEnforcementCheck:
if auth_enforced == 1 and not str(
len(response)) == filter[22:].strip():
auth_enforced = 0
else:
if auth_enforced == 0 and str(
len(response)) == filter[22:].strip():
auth_enforced = 1
else:
# If no enforcement detectors are set and the HTTP response is the same, the impression is yellow
auth_enforced = 0
if auth_enforced:
impression = self.ENFORCED_STR
else:
impression = self.IS_ENFORCED_STR
else:
impression = self.ENFORCED_STR
return impression
def handle_message(self, toolFlag, messageIsRequest, messageInfo):
for i in range(0, self.IFList.getModel().getSize()):
if self.IFList.getModel().getElementAt(i).split(
":")[0] == "Ignore spider requests":
if (toolFlag == self._callbacks.TOOL_SPIDER):
return
if self.IFList.getModel().getElementAt(i).split(
":")[0] == "Ignore proxy requests":
if (toolFlag == self._callbacks.TOOL_PROXY):
return
if self.IFList.getModel().getElementAt(i).split(
":")[0] == "Ignore target requests":
if (toolFlag == self._callbacks.TOOL_TARGET):
return
cookies = getCookieFromMessage(self, messageInfo)
if cookies:
self.lastCookies = cookies
self.fetchButton.setEnabled(True)
if self.intercept == 1 and (
toolFlag == self._callbacks.TOOL_PROXY or
(toolFlag == self._callbacks.TOOL_REPEATER
and self.interceptRequestsfromRepeater.isSelected())):
if self.prevent304.isSelected():
if messageIsRequest:
requestHeaders = list(
self._helpers.analyzeRequest(messageInfo).getHeaders())
newHeaders = list()
found = 0
for header in requestHeaders:
if not "If-None-Match:" in header and not "If-Modified-Since:" in header:
newHeaders.append(header)
found = 1
if found == 1:
requestInfo = self._helpers.analyzeRequest(messageInfo)
bodyBytes = messageInfo.getRequest()[requestInfo.
getBodyOffset():]
bodyStr = self._helpers.bytesToString(bodyBytes)
messageInfo.setRequest(
self._helpers.buildHttpMessage(newHeaders, bodyStr))
if not messageIsRequest:
# Requests with the same headers of the Autorize headers are
# not intercepted
if not self.replaceString.getText(
) in self._helpers.analyzeRequest(messageInfo).getHeaders():
if self.ignore304.isSelected():
if isStatusCodesReturned(self, messageInfo,
["304", "204"]):
return
if self.IFList.getModel().getSize() == 0:
checkAuthorization(
self, messageInfo,
self._helpers.analyzeResponse(
messageInfo.getResponse()).getHeaders(),
self.doUnauthorizedRequest.isSelected())
else:
urlString = str(
self._helpers.analyzeRequest(messageInfo).getUrl())
do_the_check = 1
for i in range(0, self.IFList.getModel().getSize()):
if self.IFList.getModel().getElementAt(i).split(
":")[0] == "Scope items only":
currentURL = URL(urlString)
if not self._callbacks.isInScope(currentURL):
do_the_check = 0
if self.IFList.getModel().getElementAt(i).split(
":")[0] == "URL Contains (simple string)":
if self.IFList.getModel().getElementAt(
i)[30:] not in urlString:
do_the_check = 0
if self.IFList.getModel().getElementAt(i).split(
":")[0] == "URL Contains (regex)":
regex_string = self.IFList.getModel().getElementAt(
i)[22:]
if re.search(regex_string, urlString,
re.IGNORECASE) is None:
do_the_check = 0
if self.IFList.getModel().getElementAt(i).split(
":")[0] == "URL Not Contains (simple string)":
if self.IFList.getModel().getElementAt(
i)[34:] in urlString:
do_the_check = 0
if self.IFList.getModel().getElementAt(i).split(
":")[0] == "URL Not Contains (regex)":
regex_string = self.IFList.getModel().getElementAt(
i)[26:]
if not re.search(regex_string, urlString,
re.IGNORECASE) is None:
do_the_check = 0
if self.IFList.getModel().getElementAt(i).split(
":")[0] == "URL Not Contains (regex)":
regex_string = self.IFList.getModel().getElementAt(
i)[26:]
if not re.search(regex_string, urlString,
re.IGNORECASE) is None:
do_the_check = 0
if self.IFList.getModel().getElementAt(i).split(":")[
0] == "Only HTTP methods (newline separated)":
filterMethods = self.IFList.getModel(
).getElementAt(i)[39:].split("\n")
filterMethods = [x.lower() for x in filterMethods]
reqMethod = str(
self._helpers.analyzeRequest(
messageInfo).getMethod())
if reqMethod.lower() not in filterMethods:
do_the_check = 0
if self.IFList.getModel().getElementAt(i).split(
":"
)[0] == "Ignore HTTP methods (newline separated)":
filterMethods = self.IFList.getModel(
).getElementAt(i)[41:].split("\n")
filterMethods = [x.lower() for x in filterMethods]
reqMethod = str(
self._helpers.analyzeRequest(
messageInfo).getMethod())
if reqMethod.lower() in filterMethods:
do_the_check = 0
if do_the_check:
checkAuthorization(
self, messageInfo,
self._helpers.analyzeResponse(
messageInfo.getResponse()).getHeaders(),
self.doUnauthorizedRequest.isSelected())
def auth_enforced_via_enforcement_detectors(self, filters, requestResponse,
andOrEnforcement):
response = requestResponse.getResponse()
analyzedResponse = self._helpers.analyzeResponse(response)
auth_enforced = False
if andOrEnforcement == "And":
andEnforcementCheck = True
auth_enforced = True
else:
andEnforcementCheck = False
auth_enforced = False
response = requestResponse.getResponse()
for filter in filters:
if str(filter).startswith("Status code equals: "):
statusCode = filter[20:]
if andEnforcementCheck:
if auth_enforced and not isStatusCodesReturned(
self, requestResponse, statusCode):
auth_enforced = False
else:
if not auth_enforced and isStatusCodesReturned(
self, requestResponse, statusCode):
auth_enforced = True
if str(filter).startswith("Headers (simple string): "):
if andEnforcementCheck:
if auth_enforced and not filter[
25:] in self._helpers.bytesToString(
requestResponse.getResponse()
[0:analyzedResponse.getBodyOffset()]):
auth_enforced = False
else:
if not auth_enforced and filter[
25:] in self._helpers.bytesToString(
requestResponse.getResponse()
[0:analyzedResponse.getBodyOffset()]):
auth_enforced = True
if str(filter).startswith("Headers (regex): "):
regex_string = filter[17:]
p = re.compile(regex_string, re.IGNORECASE)
if andEnforcementCheck:
if auth_enforced and not p.search(
self._helpers.bytesToString(
requestResponse.getResponse()
[0:analyzedResponse.getBodyOffset()])):
auth_enforced = False
else:
if not auth_enforced and p.search(
self._helpers.bytesToString(
requestResponse.getResponse()
[0:analyzedResponse.getBodyOffset()])):
auth_enforced = True
if str(filter).startswith("Body (simple string): "):
if andEnforcementCheck:
if auth_enforced and not filter[
22:] in self._helpers.bytesToString(
requestResponse.getResponse()
[analyzedResponse.getBodyOffset():]):
auth_enforced = False
else:
if not auth_enforced and filter[
22:] in self._helpers.bytesToString(
requestResponse.getResponse()
[analyzedResponse.getBodyOffset():]):
auth_enforced = True
if str(filter).startswith("Body (regex): "):
regex_string = filter[14:]
p = re.compile(regex_string, re.IGNORECASE)
if andEnforcementCheck:
if auth_enforced and not p.search(
self._helpers.bytesToString(
requestResponse.getResponse()
[analyzedResponse.getBodyOffset():])):
auth_enforced = False
else:
if not auth_enforced and p.search(
self._helpers.bytesToString(
requestResponse.getResponse()
[analyzedResponse.getBodyOffset():])):
auth_enforced = True
if str(filter).startswith("Full response (simple string): "):
if andEnforcementCheck:
if auth_enforced and not filter[
31:] in self._helpers.bytesToString(
requestResponse.getResponse()):
auth_enforced = False
else:
if not auth_enforced and filter[
31:] in self._helpers.bytesToString(
requestResponse.getResponse()):
auth_enforced = True
if str(filter).startswith("Full response (regex): "):
regex_string = filter[23:]
p = re.compile(regex_string, re.IGNORECASE)
if andEnforcementCheck:
if auth_enforced and not p.search(
self._helpers.bytesToString(
requestResponse.getResponse())):
auth_enforced = False
else:
if not auth_enforced and p.search(
self._helpers.bytesToString(
requestResponse.getResponse())):
auth_enforced = True
if str(filter).startswith("Full response length: "):
if andEnforcementCheck:
if auth_enforced and not str(
len(response)) == filter[22:].strip():
auth_enforced = False
else:
if not auth_enforced and str(
len(response)) == filter[22:].strip():
auth_enforced = True
return auth_enforced
