Package org.parosproxy.paros.core.scanner

Class AbstractAppParamPlugin

java.lang.Object

org.parosproxy.paros.core.scanner.AbstractPlugin

org.parosproxy.paros.core.scanner.AbstractAppPlugin

org.parosproxy.paros.core.scanner.AbstractAppParamPlugin

All Implemented Interfaces:

java.lang.Comparable<java.lang.Object>, java.lang.Runnable, Plugin, ExampleAlertProvider

Direct Known Subclasses:

ScriptsActiveScanner

public abstract class AbstractAppParamPlugin
extends AbstractAppPlugin

Nested Class Summary

Nested classes/interfaces inherited from class org.parosproxy.paros.core.scanner.AbstractPlugin

AbstractPlugin.AlertBuilder

Nested classes/interfaces inherited from interface org.parosproxy.paros.core.scanner.Plugin

Plugin.AlertThreshold, Plugin.AttackStrength

Field Summary

Fields inherited from class org.parosproxy.paros.core.scanner.AbstractPlugin

CRLF, PATTERN_PARAM

Constructor Summary

Constructors

Constructor	Description
AbstractAppParamPlugin()

Method Summary

Modifier and Type	Method	Description
protected InputVectorBuilder	getBuilder()
protected AbstractPlugin.AlertBuilder	newAlert()	Returns a new alert builder.
void	scan()	Scans the target server using the message previously set during initialisation.
protected void	scan(java.util.List<NameValuePair> nameValuePairs)	Scans the current message using the list of NameValuePairs handled by the current variant.
void	scan(HttpMessage msg, java.lang.String param, java.lang.String value)	Plugin method that need to be implemented for the specific test.
void	scan(HttpMessage msg, NameValuePair originalParam)	General method for a specific Parameter scanning, which allows developers to access all the settings specific of the parameters like the place/type where the name/value pair has been retrieved.
protected java.lang.String	setEscapedParameter(HttpMessage message, java.lang.String param, java.lang.String value)	Sets the parameter into the given message.
protected java.lang.String	setParameter(HttpMessage message, java.lang.String param, java.lang.String value)	Sets the parameter into the given message.
protected void	setParameters(HttpMessage message, java.util.List<InputVector> inputVectors)	Sets the parameters into the given message.

Methods inherited from class org.parosproxy.paros.core.scanner.AbstractAppPlugin

notifyPluginCompleted

Methods inherited from class org.parosproxy.paros.core.scanner.AbstractPlugin

bingo, bingo, bingo, bingo, bingo, bingo, cloneInto, compareTo, createParamIfNotExist, equals, getAlertTags, getAlertThreshold, getAlertThreshold, getAlertThresholdsSupported, getAttackStrength, getAttackStrength, getAttackStrengthsSupported, getBaseMsg, getCodeName, getConfig, getCweId, getDelayInMs, getDependency, getDisplayName, getHTMLEncode, getKb, getLog, getLogger, getNewMsg, getParent, getProperty, getRisk, getStatus, getTechSet, getTimeFinished, getTimeStarted, getURLDecode, getURLEncode, getWascId, hashCode, init, init, inScope, isAnyInScope, isClientError, isDepreciated, isEnabled, isFileExist, isPage200, isPage404, isPage500, isPageAuthIssue, isPageOther, isServerError, isStop, isSuccess, isVisible, loadFrom, matchBodyPattern, matchHeaderPattern, run, saveTo, sendAndReceive, sendAndReceive, sendAndReceive, setAlertThreshold, setAttackStrength, setConfig, setDefaultAlertThreshold, setDefaultAttackStrength, setDelayInMs, setEnabled, setProperty, setStatus, setTechSet, setTimeFinished, setTimeStarted, stripOff, targets, updateRequestContentLength, writeProgress

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.parosproxy.paros.core.scanner.Plugin

getCategory, getDescription, getExampleAlerts, getId, getName, getReference, getSolution

Constructor Detail

AbstractAppParamPlugin

public AbstractAppParamPlugin()

Method Detail

scan

public void scan()

Description copied from interface: Plugin

Scans the target server using the message previously set during initialisation.

See Also:

Plugin.init(HttpMessage, HostProcess)

scan

protected void scan(java.util.List<NameValuePair> nameValuePairs)

Scans the current message using the list of NameValuePairs handled by the current variant. This method should be overridden for the use-cases of manipulating multiple parameters in a HttpMessage.

By default this method calls scan(HttpMessage, NameValuePair) for each NameValuePair.

Parameters:

nameValuePairs - list of parameters handled by the current variant

Since:

2.11.0

See Also:

setParameters(HttpMessage, List)

scan

public void scan(HttpMessage msg,
                 java.lang.String param,
                 java.lang.String value)

Plugin method that need to be implemented for the specific test. The passed message is a copy which maintains only the Request's information so if the plugin need to manage the original Response body a getBaseMsg() call should be done. the param name and the value are the original value retrieved by the crawler and the current applied Variant.

Parameters:

msg - a copy of the HTTP message currently under scanning

param - the name of the parameter under testing

value - the clean value (no escaping is needed)

scan

public void scan(HttpMessage msg,
                 NameValuePair originalParam)

General method for a specific Parameter scanning, which allows developers to access all the settings specific of the parameters like the place/type where the name/value pair has been retrieved. This method can be overridden so that plugins that need a more deep access to the parameter context can benefit about this possibility.

Parameters:

msg - a copy of the HTTP message currently under scanning

originalParam - the parameter pair with all the context informations

setParameter

protected java.lang.String setParameter(HttpMessage message,
                                        java.lang.String param,
                                        java.lang.String value)

Sets the parameter into the given message. If both parameter name and value are null, the parameter will be removed.

Parameters:

message - the message that will be changed

param - the name of the parameter

value - the value of the parameter

Returns:

the parameter set

See Also:

setEscapedParameter(HttpMessage, String, String)

setEscapedParameter

protected java.lang.String setEscapedParameter(HttpMessage message,
                                               java.lang.String param,
                                               java.lang.String value)

Sets the parameter into the given message. If both parameter name and value are null, the parameter will be removed.

The value is expected to be properly encoded/escaped.

Parameters:

message - the message that will be changed

param - the name of the parameter

value - the value of the parameter

Returns:

the parameter set

See Also:

setParameter(HttpMessage, String, String)

getBuilder

protected InputVectorBuilder getBuilder()

Returns:

InputVectorBuilder which is used to build the InputVector which is used by setParameters(HttpMessage, List)

Since:

2.11.0

setParameters

protected void setParameters(HttpMessage message,
                             java.util.List<InputVector> inputVectors)

Sets the parameters into the given message. Please refer getBuilder() for building InputVectors.

Parameters:

message - the message that will be changed

inputVectors - list of the parameters

Since:

2.11.0

newAlert

protected AbstractPlugin.AlertBuilder newAlert()

Returns a new alert builder.

By default the alert builder sets the following fields of the alert:

• Plugin ID - using Plugin.getId()
• Name - using Plugin.getName()
• Risk - using AbstractPlugin.getRisk()
• Description - using Plugin.getDescription()
• Solution - using Plugin.getSolution()
• Reference - using Plugin.getReference()
• CWE ID - using AbstractPlugin.getCweId()
• WASC ID - using AbstractPlugin.getWascId()
• URI - from the alert message
• Alert Tags - using AbstractPlugin.getAlertTags()

Since 2.12.0 it also sets the input vector and parameter.

Overrides:

newAlert in class AbstractPlugin

Returns:

the alert builder.