def zap_stop(request, ip, port): if login_check.is_logged_in(request): if check_user(request, port): if request.method == "POST": servers = ZAPServer.objects.filter(ip=ip, enabled=True) if servers: response = client.stop_zap_instance(ip, port) if response['status']: try: instance = ZAPInstance.objects.get( port=port, enabled=True, server=servers[0]) instance.enabled = False instance.save() return JsonResponse(response) except: return JsonResponse( { "message": "No such instance found. Please check." }, 400) else: return JsonResponse( { "message": "No such instance found. Please check." }, 400) else: return JsonResponse( {"message": "No such server found. Please check."}, 400) else: return JsonResponse({"message": "Access Denied"}, 401) else: return JsonResponse({"message": "Access Denied"}, 401)
def login(request): try: login_type = settings.LOGIN_METHOD except: login_type = "LOCAL" if login_check.is_logged_in(request): return HttpResponseRedirect(reverse("web:landing")) return render(request, 'login.html', {"login_type": login_type.upper()})
def zap_scan_list(request): port = request.GET.get("port", None) ip = request.GET.get("ip", None) if login_check.is_logged_in(request): if check_user(request, port): if port and ip: zap = ZAPv2( proxies={ 'http': 'http://%s:%s' % (ip, port), 'https': 'http://%s:%s' % (ip, port) }) try: instance = ZAPInstance.objects.get(server__ip=ip, port=port, enabled=True) scans = zap.ascan.scans for i, scan in enumerate(scans): try: zapscan = ZAPScan.objects.get( instance=instance, scanId=scan['id'], user=request.session['login_username']) url = zapscan.url except: url = "ERROR" scan['url'] = url scans[i] = scan return JsonResponse(scans) except Exception as e: return JsonResponse( {"message": "No such instance found. Please check."}, 400) else: return JsonResponse( {"message": "Invalid parameters recieved."}, 400) else: return JsonResponse({"message": "Access Denied"}, 401) else: return JsonResponse({"message": "Access Denied"}, 401)
def zap_get_logs(request, ip, port): if login_check.is_logged_in(request): if check_user(request, port): request.session['login_username'] zap = ZAPv2( proxies={ 'http': 'http://%s:%s' % (ip, port), 'https': 'http://%s:%s' % (ip, port) }) zap_urls = zap.search.urls_by_url_regex(".*") zap_o_data = requests.get( 'http://%s:%s/JSON/search/view/messagesByUrlRegex/?zapapiformat=JSON®ex=.*&baseurl=&start=&count=' % (ip, port)) zap_o_data = json.loads( zap_o_data.content, object_pairs_hook=OrderedDict)['messagesByUrlRegex'] data = {} for url in zap_urls: if not url['url'] in data: data[url['url']] = {} data[url['url']]['id'] = url['id'] data[url['url']]['method'] = url['method'] if url['method'] == "POST": for z_data in zap_o_data: if z_data['id'] == url['id']: if isinstance(z_data['requestBody'], basestring): data[ url['url']]['data'] = z_data['requestBody'] else: data[url['url']]['data'] = "%s" % json.dumps( z_data['requestBody']) else: data[url['url']]['data'] = "" return JsonResponse(data) else: return JsonResponse({"message": "Access Denied"}, 401) else: return JsonResponse({"message": "Access Denied"}, 401)
def home(request, zap_index): if not login_check.is_logged_in(request): return HttpResponseRedirect(reverse("web:login")) username = request.session['login_username'] instances = list_active_zap(username) all_instances = instances zap_instances = [] if instances: zap_index = int(zap_index) if not settings.ZAP_MULTIPLE_ALLOWED and not zap_index == 0: return HttpResponseRedirect(reverse("web:home", kwargs={'zap_index': 0})) try: instances = instances[zap_index] except: return HttpResponseRedirect(reverse("web:home", kwargs={'zap_index': 0})) if not settings.ZAP_MULTIPLE_ALLOWED: zap_instances = [instances] else: zap_instances = all_instances[:settings.ZAP_MULTIPLE_MAX_COUNT] return render(request, 'home.html', {"username": username, "instances": instances, "ZAP_MULTIPLE_ALLOWED": settings.ZAP_MULTIPLE_ALLOWED, "zap_instances": zap_instances, "ZAP_MULTIPLE_MAX_COUNT": settings.ZAP_MULTIPLE_MAX_COUNT})
def landing(request): if not login_check.is_logged_in(request): return HttpResponseRedirect(reverse("web:login")) return HttpResponseRedirect(reverse("web:home", kwargs={'zap_index': 0}))
def zap_start(request): if request.method == "POST": if not login_check.is_logged_in(request): return JsonResponse({"message": "Please login first."}, 403) else: user = request.session['login_username'] servers = ZAPServer.objects.filter(enabled=True) instances = ZAPInstance.objects.filter(enabled=True, user=user) if settings.ZAP_MULTIPLE_ALLOWED and len( instances) >= settings.ZAP_MULTIPLE_MAX_COUNT: return JsonResponse( { "message": "You cannot start more ZAP Instances. Threshold exceeded." }, 403) elif not settings.ZAP_MULTIPLE_ALLOWED and len(instances) >= 1: return JsonResponse( { "message": "You cannot start more ZAP Instances. Multiple ZAP not allowed." }, 403) else: if servers: valid_servers = [] max_mem = 0 best_server = None for server in servers: stats = client.get_server_stats(server.ip) if stats[ 'free'] >= settings.ZAP_SERVER_MIN_FREE_MEMORY_THRESHOLD: valid_servers.append({ "server": server, "stats": stats }) if valid_servers: for server in valid_servers: if server['stats']['percentage'] > max_mem: max_mem = server['stats']['percentage'] best_server = server['server'] if best_server: port, api_key, pid = client.start_zap_instance( best_server.ip) instance_name = request.POST.get("name", None) if not instance_name: haikunator = Haikunator() instance_name = haikunator.haikunate( token_length=0, delimiter=' ').title() instance = ZAPInstance() instance.server = best_server instance.port = port instance.api_key = api_key instance.user = user instance.name = instance_name instance.session = request.session['session_id'] instance.pid = pid instance.save() zap = ZAPv2( proxies={ 'http': 'http://%s:%s' % (best_server.ip, port), 'https': 'http://%s:%s' % (best_server.ip, port) }) zap.ascan.set_option_max_scans_in_ui( 600, apikey=api_key) zap.ascan.set_option_thread_per_host( 5, apikey=api_key) zap.core.set_option_timeout_in_secs(180, apikey=api_key) return JsonResponse({ "message": "ZAP Started", "server": best_server.ip, "port": port, "name": instance_name }) else: return JsonResponse( { "message": "All available servers are below defined Minimum Free Memory Threshold" }, 503) else: return JsonResponse( { "message": "No servers running. Please register servers first." }, 503)