zap-extensions icon indicating copy to clipboard operation
zap-extensions copied to clipboard

Published 20 hours ago verified publisher icon zaproxy

ascanrules : GetForPostScanRule use ComparableResponse

Open ganesh-dagadi opened this issue 1 year ago • 5 comments

Overview

Changed GetForPost scan rule to use ComparableResponse. Part of zaproxy/zaproxy#7116

Related Issues

https://github.com/zaproxy/zaproxy/issues/7116

Checklist

  • [ ] Update help
  • [x] Update changelog
  • [x] Run ./gradlew spotlessApply for code formatting
  • [ ] Write tests
  • [ ] Check code coverage
  • [x] Sign-off commits
  • [x] Squash commits
  • [x] Use a descriptive title

For more details, please refer to the developer rules and guidelines.

ganesh-dagadi avatar Feb 17 '24 11:02 ganesh-dagadi

This doesn't resolve 7116, there are still other tasks (for other rules).

kingthorin avatar Feb 17 '24 12:02 kingthorin

This doesn't resolve 7116, there are still other tasks (for other rules).

updated to Part of

ganesh-dagadi avatar Feb 17 '24 12:02 ganesh-dagadi

Would be good to have tests.

thc202 avatar Feb 29 '24 15:02 thc202

Really sorry, I have been a little busy with university. Is it fine if i do the changes within a week?

ganesh-dagadi avatar Mar 09 '24 14:03 ganesh-dagadi

Sounds fine to me.

kingthorin avatar Mar 09 '24 20:03 kingthorin

I tried to add the test but got stuck with adding the form parameters. Initializing the message in the test case

HttpMessage msg = this.getHttpMessage("POST" , "application/x-www-form-urlencoded", testPath , "<html>Something<html>");
        TreeSet<HtmlParameter> treeSet = new TreeSet<>();
        treeSet.add(new HtmlParameter(HtmlParameter.Type.form ,  "key" , "value"));
        msg.setFormParams(treeSet);
        this.rule.init(msg , this.parent);
        //When
        this.rule.scan();
        //Then
        assertTrue(true);

And in the GetForPostScanRule


@Override
    public void scan() {
        // Check if the user stopped things. One request per URL so check before
        // sending the request
        if (isStop()) {
            LOGGER.debug("Scan rule {} Stopping.", getName());
            return;
        }

        HttpMessage baseMsg = getBaseMsg();
        System.out.println(baseMsg.getRequestBody());
        System.out.println(baseMsg.getRequestHeader());
        TreeSet<HtmlParameter> postParams = baseMsg.getFormParams();
        System.out.println("Is params empty= " + postParams.isEmpty());
        System.out.println("Is post req = " + baseMsg.getRequestHeader().getMethod().equalsIgnoreCase(HttpRequestHeader.POST));
        if (!baseMsg.getRequestHeader().getMethod().equalsIgnoreCase(HttpRequestHeader.POST)
                || postParams.isEmpty()) {
            return; // Not a POST or no form params, no reason to continue
        }

output is

key=value //the request body
//the header
POST http://localhost:45323/shouldRaiseAlertIfGetAndPostResponsesAreSame/ HTTP/1.1 
Host: localhost:45323
User-Agent: ZAP
Pragma: no-cache

//the boolean checks
Is params empty= true
Is post req = true

please tell me what I am doing wrong with initializing the http message in the test case. Thankyou

ganesh-dagadi avatar Mar 11 '24 15:03 ganesh-dagadi

@kingthorin @thc202 please help me with this https://github.com/zaproxy/zap-extensions/pull/5305#issuecomment-1988698291

ganesh-dagadi avatar Mar 14 '24 03:03 ganesh-dagadi

The content-type being passed to getHttpMessage is for the response not the request, you need to set it into the request after creating the message.

thc202 avatar Mar 14 '24 08:03 thc202

Thank you!

thc202 avatar Mar 16 '24 07:03 thc202