From 3a975c82deefa84278df2d025eaf424aeb40d857 Mon Sep 17 00:00:00 2001 From: kingthorin Date: Fri, 12 Dec 2025 11:45:04 -0500 Subject: [PATCH] Address potential classloader performance issues 
Signed-off-by: kingthorin --- CHANGELOG.md | 2 ++ active/OpenModelContextProtocolServer.js | 2 +- authentication/DjangoAuthentication.js | 18 +++++----- extender/ZAP onEvent Handler.js | 6 ++-- extender/arpSyndicateSubdomainDiscovery.js | 5 +-- httpfuzzerprocessor/addCacheBusting.js | 8 +++-- httpfuzzerprocessor/add_msgs_sites_tree.js | 8 +++-- .../Alert on HTTP Response Code Errors.js | 35 +++++++++---------- .../Alert on Unexpected Content Types.js | 33 ++++++++--------- .../Capture and Replace Anti CSRF Token.js | 21 +++++------ httpsender/greenbone-maintain-auth.js | 5 ++- httpsender/inject_js_in_html_page.js | 10 +++--- httpsender/keep-cookies-going.js | 5 ++- httpsender/maintain-jwt.js | 5 ++- .../JuiceShopAuthentication.js | 5 ++- .../juiceshop-selenium-auth/JuiceShopReset.js | 5 ++- .../JuiceShopSession.js | 5 ++- passive/Report non static sites.js | 10 +++--- passive/Telerik Using Poor Crypto.js | 14 ++++---- passive/f5_bigip_cookie_internal_ip.js | 16 ++++----- selenium/FillOTPInMFA.js | 5 +-- session/Juice Shop Session Management.js | 5 ++- standalone/Active scan rule list.js | 8 +++-- .../Juice shop authentication by form.js | 7 ++-- .../Juice shop authentication by google.js | 7 ++-- standalone/Loop through alerts.js | 10 +++--- standalone/Loop through history table.js | 8 +++-- standalone/alertAndPluginDetails.js | 18 ++++++---- standalone/domainFinder.js | 5 +-- standalone/historySourceTagger.js | 18 +++++----- standalone/load_function_example.js | 4 ++- standalone/scan_rule_list.js | 13 ++++--- targeted/Remove 302s.js | 8 ++--- targeted/SQLMapCommandGenerator.js | 7 ++-- .../Search www.xssposed.org for known XSS.js | 3 +- targeted/curl_command_generator.js | 7 ++-- targeted/cve-2021-22214.js | 8 ++--- targeted/cve-2021-41773-apache-path-trav.js | 8 ++--- targeted/json_csrf_poc_generator.js | 15 ++++---- targeted/request_to_xml.js | 19 +++------- ...h cvedetails using target server header.js | 3 +- variant/CompoundCookies.js | 5 ++- 42 files changed, 
230 insertions(+), 179 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e5152f4..95feda42 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,11 +16,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Add cautionary note to help and readme. - Maintenance and documentation changes. - Active and passive READMEs to include lastest JS script examples. +- Reduce usage of fully qualified objects in loops or main methods to address potential classloader performance issues, in JavaScript scripts (Issue 9187). ### Fixed - The following scripts were not being loaded as scan rules: - active/SSTI.js - passive/Mutliple Security Header Check.js +- Updated Alert_on_HTTP_Response_Code_Errors.js to work with GraalVM JavaScript engine. ### Removed - Links to videos which no longer exist. diff --git a/active/OpenModelContextProtocolServer.js b/active/OpenModelContextProtocolServer.js index d38ae7a9..1b8d4539 100644 --- a/active/OpenModelContextProtocolServer.js +++ b/active/OpenModelContextProtocolServer.js @@ -5,6 +5,7 @@ var ScanRuleMetadata = Java.type( "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata" ); var CommonAlertTag = Java.type("org.zaproxy.addon.commonlib.CommonAlertTag"); +var HttpClientURI = Java.type("org.apache.commons.httpclient.URI"); function getMetadata() { return ScanRuleMetadata.fromYaml(` @@ -131,7 +132,6 @@ function testMcpEndpoint(as, originalMsg, testUrl, payload) { var requestHeader = testMsg.getRequestHeader(); // Set the new URL using Apache Commons HttpClient URI - var HttpClientURI = Java.type("org.apache.commons.httpclient.URI"); requestHeader.setURI(new HttpClientURI(testUrl, false)); requestHeader.setMethod("POST"); diff --git a/authentication/DjangoAuthentication.js b/authentication/DjangoAuthentication.js index 1fd5d752..c62ebdbf 100644 --- a/authentication/DjangoAuthentication.js +++ b/authentication/DjangoAuthentication.js 
@@ -10,16 +10,16 @@ * Every request made by this script is logged separately to the History tab. */ -function authenticate(helper, paramsValues, credentials) { - var AuthenticationHelper = Java.type( - "org.zaproxy.zap.authentication.AuthenticationHelper" - ); - var HttpRequestHeader = Java.type( - "org.parosproxy.paros.network.HttpRequestHeader" - ); - var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader"); - var URI = Java.type("org.apache.commons.httpclient.URI"); +var AuthenticationHelper = Java.type( + "org.zaproxy.zap.authentication.AuthenticationHelper" +); +var HttpRequestHeader = Java.type( + "org.parosproxy.paros.network.HttpRequestHeader" +); +var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader"); +var URI = Java.type("org.apache.commons.httpclient.URI"); +function authenticate(helper, paramsValues, credentials) { var targetURL = paramsValues.get("Target URL"); var baseURL = targetURL.match(/^(.+?[^\/:](?=[?\/]|$))/i)[1]; diff --git a/extender/ZAP onEvent Handler.js b/extender/ZAP onEvent Handler.js index 359e57fd..1a3388e0 100644 --- a/extender/ZAP onEvent Handler.js +++ b/extender/ZAP onEvent Handler.js @@ -1,6 +1,8 @@ // A script which listens for events generated by the ProxyListenerLogEventPublisher. // You can change this to listen for events generated by any other event publisher +const ZAP = Java.type("org.zaproxy.zap.ZAP"); + var consumer; function install(helper) { @@ -31,12 +33,12 @@ function install(helper) { }, }); - org.zaproxy.zap.ZAP.getEventBus().registerConsumer( + ZAP.getEventBus().registerConsumer( consumer, "org.parosproxy.paros.extension.history.ProxyListenerLogEventPublisher" ); } function uninstall(helper) { - org.zaproxy.zap.ZAP.getEventBus().unregisterConsumer(consumer); + ZAP.getEventBus().unregisterConsumer(consumer); } diff --git a/extender/arpSyndicateSubdomainDiscovery.js b/extender/arpSyndicateSubdomainDiscovery.js index e30ccfa6..afbb8784 100644 
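Review bot: The hoisted `const ZAP = Java.type("org.zaproxy.zap.ZAP");` now sits directly above the existing `var consumer;`, so this file mixes `const` and `var` for its module-level bindings; the same mix appears in the hoisted declarations of httpfuzzerprocessor/addCacheBusting.js, httpsender/Alert on Unexpected Content Types.js (`const` type bindings beside `var pluginid` and `var extensionAlert`) and passive/Report non static sites.js (`const PluginPassiveScanner` immediately above `var ScanRuleMetadata`). Whichever keyword a given script is meant to use, applying it to every module-level binding in that file makes the intended engine level obvious to the reader; if `const` is the intent here, `var consumer;` can become `let consumer;` in the same hunk. The `install` function in the second hunk starts outside it.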
--- a/extender/arpSyndicateSubdomainDiscovery.js +++ b/extender/arpSyndicateSubdomainDiscovery.js @@ -10,6 +10,7 @@ const HistoryReference = Java.type( const HttpSender = Java.type("org.parosproxy.paros.network.HttpSender"); const HttpMessage = Java.type("org.parosproxy.paros.network.HttpMessage"); const URI = Java.type("org.apache.commons.httpclient.URI"); +const ZAP = Java.type("org.zaproxy.zap.ZAP"); const requestedSubdomains = []; const sender = new HttpSender(HttpSender.MANUAL_REQUEST_INITIATOR); @@ -58,12 +59,12 @@ function consumer(event) { } function install(helper) { - org.zaproxy.zap.ZAP.getEventBus().registerConsumer( + ZAP.getEventBus().registerConsumer( consumer, "org.parosproxy.paros.model.SiteMapEventPublisher" ); } function uninstall(helper) { - org.zaproxy.zap.ZAP.getEventBus().unregisterConsumer(consumer); + ZAP.getEventBus().unregisterConsumer(consumer); } diff --git a/httpfuzzerprocessor/addCacheBusting.js b/httpfuzzerprocessor/addCacheBusting.js index a720daa5..4cf0d0a0 100644 --- a/httpfuzzerprocessor/addCacheBusting.js +++ b/httpfuzzerprocessor/addCacheBusting.js @@ -1,3 +1,9 @@ +const HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter"); +const HtmlParameterType = Java.type( + "org.parosproxy.paros.network.HtmlParameter.Type" +); +const URL_TYPE = HtmlParameterType.url; + function processMessage(utils, message) { var cbValue = "" + Math.floor(Math.random() * 10000); setCacheBusting(message, cbValue); @@ -5,8 +11,6 @@ function processMessage(utils, message) { } function setCacheBusting(message, cbValue) { - var HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter"); - var URL_TYPE = org.parosproxy.paros.network.HtmlParameter.Type.url; var params = message.getUrlParams(); var newParam = new HtmlParameter( URL_TYPE, diff --git a/httpfuzzerprocessor/add_msgs_sites_tree.js b/httpfuzzerprocessor/add_msgs_sites_tree.js index a21afe94..116fc6aa 100644 --- a/httpfuzzerprocessor/add_msgs_sites_tree.js 
+++ b/httpfuzzerprocessor/add_msgs_sites_tree.js @@ -1,6 +1,10 @@ // A Fuzzer HTTP Processor script that allows to populate the Sites tree // with messages sent by the fuzzer (by default the fuzz result/messages // are not shown in the Fuzzer tab). +const HistoryReference = Java.type( + "org.parosproxy.paros.model.HistoryReference" +); +const EventQueue = Java.type("java.awt.EventQueue"); var session = model.getSession(); @@ -11,9 +15,9 @@ function processResult(utils, fuzzResult) { // The type 15 indicates that the message was sent by the user. // Refer to the HistoryReference for more details on the available types. // Persist the message to the session. - var ref = new org.parosproxy.paros.model.HistoryReference(session, 15, msg); + var ref = new HistoryReference(session, 15, msg); // Add the message to Sites tree. - java.awt.EventQueue.invokeLater(function () { + EventQueue.invokeLater(function () { session.getSiteTree().addPath(ref, msg); }); diff --git a/httpsender/Alert on HTTP Response Code Errors.js b/httpsender/Alert on HTTP Response Code Errors.js index 910b8b39..a252f563 100644 --- a/httpsender/Alert on HTTP Response Code Errors.js +++ b/httpsender/Alert on HTTP Response Code Errors.js @@ -2,7 +2,17 @@ // By default it will raise 'Info' level alerts for Client Errors (4xx) (apart from 404s) and 'Low' Level alerts for Server Errors (5xx) // But it can be easily changed. -var Pattern = Java.type("java.util.regex.Pattern"); +const Integer = Java.type("java.lang.Integer"); +const Pattern = Java.type("java.util.regex.Pattern"); + +const Alert = Java.type("org.parosproxy.paros.core.scanner.Alert"); +const ExtensionAlert = Java.type( + "org.zaproxy.zap.extension.alert.ExtensionAlert" +); +const HistoryReference = Java.type( + "org.parosproxy.paros.model.HistoryReference" +); + pluginid = 100000; // https://github.com/zaproxy/zaproxy/blob/main/docs/scanners.md function sendingRequest(msg, initiator, helper) { 
@@ -16,7 +26,7 @@ function responseReceived(msg, initiator, helper) { } var extensionAlert = control .getExtensionLoader() - .getExtension(org.zaproxy.zap.extension.alert.ExtensionAlert.NAME); + .getExtension(ExtensionAlert.NAME); if (extensionAlert != null) { var code = msg.getResponseHeader().getStatusCode(); if (code < 400 || code >= 600 || code == 404) { @@ -30,17 +40,12 @@ function responseReceived(msg, initiator, helper) { title = "A Server Error response code was returned by the server"; } // CONFIDENCE_HIGH = 3 (we can be pretty sure we're right) - var alert = new org.parosproxy.paros.core.scanner.Alert( - pluginid, - risk, - 3, - title - ); + var alert = new Alert(pluginid, risk, 3, title); var ref = msg.getHistoryRef(); if ( ref != null && - org.parosproxy.paros.model.HistoryReference.getTemporaryTypes().contains( - java.lang.Integer.valueOf(ref.getHistoryType()) + HistoryReference.getTemporaryTypes().contains( + Integer.valueOf(ref.getHistoryType()) ) ) { // Dont use temporary types as they will get deleted @@ -78,11 +83,7 @@ function responseReceived(msg, initiator, helper) { type = 15; // User - fallback break; } - ref = new org.parosproxy.paros.model.HistoryReference( - model.getSession(), - type, - msg - ); + ref = new HistoryReference(model.getSession(), type, msg); } alert.setMessage(msg); alert.setUri(msg.getRequestHeader().getURI().toString()); @@ -93,9 +94,7 @@ function responseReceived(msg, initiator, helper) { "This may indicate that the application is failing to handle unexpected input correctly.\n" + "Raised by the 'Alert on HTTP Response Code Error' script" ); - // Use a regex to extract the evidence from the response header - var regex = new RegExp("^HTTP.*" + code); - alert.setEvidence(msg.getResponseHeader().toString().match(regex)); + alert.setEvidence(code.toString()); alert.setCweId(388); // CWE CATEGORY: Error Handling alert.setWascId(20); // WASC Improper Input Handling extensionAlert.alertFound(alert, ref); 
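Review bot: `alert.setEvidence(code.toString());` in the last hunk replaces the status-line match with the bare three-digit code, so the evidence string no longer shows where in the response it came from, and a value such as `500` can equally be found in a Content-Length header or a body byte count when the alert is highlighted. The old regex captured the status line itself; `alert.setEvidence(msg.getResponseHeader().getPrimeHeader());` keeps that precision without the `RegExp` construction the GraalVM change removed. `responseReceived` starts before the second hunk and continues past the end of the last one.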
diff --git a/httpsender/Alert on Unexpected Content Types.js b/httpsender/Alert on Unexpected Content Types.js index a1229b9f..65099a6c 100644 --- a/httpsender/Alert on Unexpected Content Types.js +++ b/httpsender/Alert on Unexpected Content Types.js @@ -2,13 +2,22 @@ // By default it will raise 'Low' level alerts for content types that are not expected to be returned by APIs. // But it can be easily changed. -var Pattern = Java.type("java.util.regex.Pattern"); +const Integer = Java.type("java.lang.Integer"); +const Pattern = Java.type("java.util.regex.Pattern"); -var pluginid = 100001; // https://github.com/zaproxy/zaproxy/blob/main/docs/scanners.md +const Alert = Java.type("org.parosproxy.paros.core.scanner.Alert"); +const ExtensionAlert = Java.type( + "org.zaproxy.zap.extension.alert.ExtensionAlert" +); +const HistoryReference = Java.type( + "org.parosproxy.paros.model.HistoryReference" +); var extensionAlert = control .getExtensionLoader() - .getExtension(org.zaproxy.zap.extension.alert.ExtensionAlert.NAME); + .getExtension(ExtensionAlert.NAME); + +var pluginid = 100001; // https://github.com/zaproxy/zaproxy/blob/main/docs/scanners.md var expectedTypes = ["application/octet-stream", "text/plain"]; @@ -23,6 +32,7 @@ function responseReceived(msg, initiator, helper) { // Not of interest. return; } + if (extensionAlert != null) { var ctype = msg.getResponseHeader().getHeader("Content-Type"); if (ctype != null) { 
@@ -38,17 +48,12 @@ function responseReceived(msg, initiator, helper) { var risk = 1; // Low var title = "Unexpected Content-Type was returned"; // CONFIDENCE_HIGH = 3 (we can be pretty sure we're right) - var alert = new org.parosproxy.paros.core.scanner.Alert( - pluginid, - risk, - 3, - title - ); + var alert = new Alert(pluginid, risk, 3, title); var ref = msg.getHistoryRef(); if ( ref != null && - org.parosproxy.paros.model.HistoryReference.getTemporaryTypes().contains( - java.lang.Integer.valueOf(ref.getHistoryType()) + HistoryReference.getTemporaryTypes().contains( + Integer.valueOf(ref.getHistoryType()) ) ) { // Dont use temporary types as they will get deleted @@ -86,11 +91,7 @@ function responseReceived(msg, initiator, helper) { type = 15; // User - fallback break; } - ref = new org.parosproxy.paros.model.HistoryReference( - model.getSession(), - type, - msg - ); + ref = new HistoryReference(model.getSession(), type, msg); } alert.setMessage(msg); alert.setUri(msg.getRequestHeader().getURI().toString()); diff --git a/httpsender/Capture and Replace Anti CSRF Token.js b/httpsender/Capture and Replace Anti CSRF Token.js index 381a91b6..080367d0 100644 --- a/httpsender/Capture and Replace Anti CSRF Token.js +++ b/httpsender/Capture and Replace Anti CSRF Token.js 
@@ -9,6 +9,14 @@ // REPLACE the values for the variables as applicable to your application. +var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars"); +var HtmlParameterType = Java.type( + "org.parosproxy.paros.network.HtmlParameter.Type" +); +var formParamType = HtmlParameterType.form; +var urlParamType = HtmlParameterType.url; +var cookieParamType = HtmlParameterType.cookie; + // Regular expression for the request URI that returns CSRF token in response. // If the application under test returns csrf token in every response or in response to more than request, set a generic regex that matches with host name or domain name of the application. // REPLACE the value with RegEx for your application. @@ -27,17 +35,13 @@ var matcherGroupNumber = 1; // REPLACE the value with csrf token name for your application. var antiCsrfTokenName = "secureToken"; -var formParamType = org.parosproxy.paros.network.HtmlParameter.Type.form; -var urlParamType = org.parosproxy.paros.network.HtmlParameter.Type.url; -var cookieParamType = org.parosproxy.paros.network.HtmlParameter.Type.cookie; - // HTML parameter types to look for antiCsrfTokenName and replace with new anti CSRF Token value. // Comma separated list of HTML parameter types. // Supported values: formParamType, urlParamType, cookieParamType. // REPLACE the value with the params to scan for CSRF token and replace with latest vaule. var parameterTypesList = [formParamType, urlParamType, cookieParamType]; -//print ("AntiCsrfTokenValue: " + org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("anti.csrf.token.value")) +//print("AntiCsrfTokenValue: " + ScriptVars.getGlobalVar("anti.csrf.token.value")); function sendingRequest(msg, initiator, helper) { // print('sendingRequest called for url=' + msg.getRequestHeader().getURI().toString()) 
@@ -83,7 +87,7 @@ function responseReceived(msg, initiator, helper) { .match(csrfTokenValueRegEx); if (csrfTokenValue != null && csrfTokenValue.length > matcherGroupNumber) { print("Latest CSRF Token value: " + csrfTokenValue[matcherGroupNumber]); - org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar( + ScriptVars.setGlobalVar( "anti.csrf.token.value", csrfTokenValue[matcherGroupNumber] ); @@ -98,10 +102,7 @@ function modifyParams(params) { // Check if the url parameters has the antiCsrfTokenName in it. if (param.getName().equals(antiCsrfTokenName)) { var secureTokenValue = param.getValue(); - var antiCsrfTokenValue = - org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar( - "anti.csrf.token.value" - ); + var antiCsrfTokenValue = ScriptVars.getGlobalVar("anti.csrf.token.value"); // Check for the value of AntiCsrfTokenName in the existing request with the latest value captured from previous requests. if ( antiCsrfTokenValue != null && diff --git a/httpsender/greenbone-maintain-auth.js b/httpsender/greenbone-maintain-auth.js index 9d067763..86a41eb1 100644 --- a/httpsender/greenbone-maintain-auth.js +++ b/httpsender/greenbone-maintain-auth.js @@ -34,7 +34,10 @@ function isStaticUrl(url) { return false; } -var COOKIE_TYPE = org.parosproxy.paros.network.HtmlParameter.Type.cookie; +var HtmlParameterType = Java.type( + "org.parosproxy.paros.network.HtmlParameter.Type" +); +var COOKIE_TYPE = HtmlParameterType.cookie; var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars"); var HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter"); var HttpSender = Java.type("org.parosproxy.paros.network.HttpSender"); diff --git a/httpsender/inject_js_in_html_page.js b/httpsender/inject_js_in_html_page.js index c417b817..a311e6d7 100644 --- a/httpsender/inject_js_in_html_page.js +++ b/httpsender/inject_js_in_html_page.js 
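Review bot: The global-variable key `"anti.csrf.token.value"` is now spelled out in three rewritten places (the commented `print` in the second hunk, `ScriptVars.setGlobalVar(` in the third and `ScriptVars.getGlobalVar(` in the fourth), so a change to the key in one spot silently breaks the round trip between `responseReceived` and `modifyParams`. Since the commit already hoists `ScriptVars` and the parameter types to the top of the file, a `var antiCsrfTokenVarName = "anti.csrf.token.value";` beside the existing `antiCsrfTokenName` and used in both calls would keep the key in one place. Both `responseReceived` and `modifyParams` start outside their hunks.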
@@ -10,13 +10,13 @@ FILE = "/tmp/test.js"; -function loadScriptFromFile(file) { - var Files = Java.type("java.nio.file.Files"); - var Paths = Java.type("java.nio.file.Paths"); - var String = Java.type("java.lang.String"); +var Files = Java.type("java.nio.file.Files"); +var Paths = Java.type("java.nio.file.Paths"); +var JString = Java.type("java.lang.String"); +function loadScriptFromFile(file) { var filePath = Paths.get(file); - return new String(Files.readAllBytes(filePath), "UTF-8"); + return new JString(Files.readAllBytes(filePath), "UTF-8"); } function sendingRequest(msg, initiator, helper) {} diff --git a/httpsender/keep-cookies-going.js b/httpsender/keep-cookies-going.js index bb046b5b..670be7c0 100644 --- a/httpsender/keep-cookies-going.js +++ b/httpsender/keep-cookies-going.js @@ -8,7 +8,10 @@ function logger() { var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars"); var HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter"); -var COOKIE_TYPE = org.parosproxy.paros.network.HtmlParameter.Type.cookie; +var HtmlParameterType = Java.type( + "org.parosproxy.paros.network.HtmlParameter.Type" +); +var COOKIE_TYPE = HtmlParameterType.cookie; function sendingRequest(msg, initiator, helper) { var headers = msg.getRequestHeader(); diff --git a/httpsender/maintain-jwt.js b/httpsender/maintain-jwt.js index aa9e9f52..409ddf91 100644 --- a/httpsender/maintain-jwt.js +++ b/httpsender/maintain-jwt.js 
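Review bot: The rename from `String` to `JString` is the one non-mechanical part of this hoist — at function scope `var String = Java.type("java.lang.String")` only shadowed the JS `String` global inside `loadScriptFromFile`, whereas at module scope it would have replaced it for the whole script — and nothing in the file records that reason. A one-line comment above the declaration, `// JString, not String: a module-level binding named String would shadow the JS String global`, keeps the next maintainer from "tidying" it back. `loadScriptFromFile` is complete within the hunk.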
@@ -11,7 +11,10 @@ function logger() { var HttpSender = Java.type("org.parosproxy.paros.network.HttpSender"); var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars"); var HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter"); -var COOKIE_TYPE = org.parosproxy.paros.network.HtmlParameter.Type.cookie; +var HtmlParameterType = Java.type( + "org.parosproxy.paros.network.HtmlParameter.Type" +); +var COOKIE_TYPE = HtmlParameterType.cookie; function sendingRequest(msg, initiator, helper) { if (initiator === HttpSender.AUTHENTICATION_INITIATOR) { diff --git a/other/af-plans/juiceshop-selenium-auth/JuiceShopAuthentication.js b/other/af-plans/juiceshop-selenium-auth/JuiceShopAuthentication.js index 9b96f3aa..f5aa2fde 100644 --- a/other/af-plans/juiceshop-selenium-auth/JuiceShopAuthentication.js +++ b/other/af-plans/juiceshop-selenium-auth/JuiceShopAuthentication.js @@ -33,6 +33,9 @@ var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars"); var System = Java.type("java.lang.System"); var Thread = Java.type("java.lang.Thread"); var URI = Java.type("org.apache.commons.httpclient.URI"); +var ExtensionSelenium = Java.type( + "org.zaproxy.zap.extension.selenium.ExtensionSelenium" +); var extensionNetwork = control .getExtensionLoader() @@ -83,7 +86,7 @@ function authenticate(helper, _paramsValues, _credentials) { logger("Launching browser to authenticate to Juice Shop"); var extSel = control .getExtensionLoader() - .getExtension(org.zaproxy.zap.extension.selenium.ExtensionSelenium.class); + .getExtension(ExtensionSelenium.class); // Change to "firefox" (or "chrome") to see the browsers being launched var wd = extSel.getWebDriver(5, "firefox-headless", proxyAddress, proxyPort); diff --git a/other/af-plans/juiceshop-selenium-auth/JuiceShopReset.js b/other/af-plans/juiceshop-selenium-auth/JuiceShopReset.js index e772b2ff..e2312dc7 100644 --- a/other/af-plans/juiceshop-selenium-auth/JuiceShopReset.js 
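Review bot: `.getExtension(ExtensionSelenium.class)` returns null when the Selenium add-on is not installed, and the next statement in the hunk, `var wd = extSel.getWebDriver(5, "firefox-headless", proxyAddress, proxyPort);`, then fails with a generic TypeError instead of naming the missing add-on. The alert and history scripts in this same commit guard their lookups with `if (extAlert != null)`; a matching `if (extSel == null) throw new Error("Selenium add-on is not installed");` after the lookup would give the same clarity here. The same unguarded lookup follows the rewritten lines in other/af-plans/juiceshop-selenium-auth/JuiceShopReset.js (`extUser`), standalone/Juice shop authentication by form.js and standalone/Juice shop authentication by google.js (`extSel`). `authenticate` starts before this hunk and continues past it.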
+++ b/other/af-plans/juiceshop-selenium-auth/JuiceShopReset.js @@ -15,6 +15,9 @@ function logger() { } var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars"); +var ExtensionUserManagement = Java.type( + "org.zaproxy.zap.extension.users.ExtensionUserManagement" +); var proxy = ScriptVars.getGlobalCustomVar("auth-proxy"); @@ -33,7 +36,7 @@ if (token) { // Reset the state for all users var extUser = control .getExtensionLoader() - .getExtension(org.zaproxy.zap.extension.users.ExtensionUserManagement.class); + .getExtension(ExtensionUserManagement.class); var session = model.getSession(); var contexts = session.getContexts(); for (i in contexts) { diff --git a/other/af-plans/juiceshop-selenium-auth/JuiceShopSession.js b/other/af-plans/juiceshop-selenium-auth/JuiceShopSession.js index cd0f4ce0..f83989b2 100644 --- a/other/af-plans/juiceshop-selenium-auth/JuiceShopSession.js +++ b/other/af-plans/juiceshop-selenium-auth/JuiceShopSession.js @@ -19,7 +19,10 @@ function logger() { print("[" + this["zap.script.name"] + "] " + arguments[0]); } -var COOKIE_TYPE = org.parosproxy.paros.network.HtmlParameter.Type.cookie; +var HtmlParameterType = Java.type( + "org.parosproxy.paros.network.HtmlParameter.Type" +); +var COOKIE_TYPE = HtmlParameterType.cookie; var HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter"); var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars"); var Stats = Java.type("org.zaproxy.zap.utils.Stats"); diff --git a/passive/Report non static sites.js b/passive/Report non static sites.js index e28571c5..6650e591 100644 --- a/passive/Report non static sites.js +++ b/passive/Report non static sites.js 
@@ -4,6 +4,9 @@ // Note that new passive scripts will initially be disabled // Right click the script in the Scripts tree and select "enable" +const PluginPassiveScanner = Java.type( + "org.zaproxy.zap.extension.pscan.PluginPassiveScanner" +); var ScanRuleMetadata = Java.type( "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata" ); @@ -70,10 +73,9 @@ function scan(helper, msg, src) { */ function appliesToHistoryType(historyType) { // For example, to just scan spider messages: - // return historyType == org.parosproxy.paros.model.HistoryReference.TYPE_SPIDER; + // const HistoryReference = Java.type("org.parosproxy.paros.model.HistoryReference"); + // return historyType == HistoryReference.TYPE_SPIDER; // Default behaviour scans default types. - return org.zaproxy.zap.extension.pscan.PluginPassiveScanner.getDefaultHistoryTypes().contains( - historyType - ); + return PluginPassiveScanner.getDefaultHistoryTypes().contains(historyType); } diff --git a/passive/Telerik Using Poor Crypto.js b/passive/Telerik Using Poor Crypto.js index d488da77..c43c41ee 100644 --- a/passive/Telerik Using Poor Crypto.js +++ b/passive/Telerik Using Poor Crypto.js @@ -7,6 +7,8 @@ const ScanRuleMetadata = Java.type( "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata" ); +const Base64 = Java.type("org.apache.commons.codec.binary.Base64"); +const Alert = Java.type("org.parosproxy.paros.core.scanner.Alert"); function getMetadata() { return ScanRuleMetadata.fromYaml(` @@ -54,11 +56,11 @@ function scan(helper, msg, src) { return; } - if (!org.apache.commons.codec.binary.Base64.isBase64(dp)) { + if (!Base64.isBase64(dp)) { return; } - var dpBytes = org.apache.commons.codec.binary.Base64.decodeBase64(dp); + var dpBytes = Base64.decodeBase64(dp); if (dpBytes.length < 48) { return; 
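Review bot: The rewritten example comment in `appliesToHistoryType` now shows `// const HistoryReference = Java.type("org.parosproxy.paros.model.HistoryReference");` inside the function body, which is exactly the per-call `Java.type` lookup this commit moves out of functions everywhere else. Pointing the example at a module-level declaration keeps the sample consistent with the change, e.g. `// declare const HistoryReference = Java.type("org.parosproxy.paros.model.HistoryReference"); at the top of the file, then:` followed by the existing `// return historyType == HistoryReference.TYPE_SPIDER;`. `appliesToHistoryType` is complete within the hunk.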
@@ -94,7 +96,7 @@ function scan(helper, msg, src) { var xor = ctx ^ key; var chr = String.fromCharCode(xor); - if (!org.apache.commons.codec.binary.Base64.isBase64(chr)) { + if (!Base64.isBase64(chr)) { keyPossibilities1[keyIdx][possibleIdx] = 0; } } @@ -158,7 +160,7 @@ function scan(helper, msg, src) { ptBase64 += chr; } - var pt = org.apache.commons.codec.binary.Base64.decodeBase64(ptBase64); + var pt = Base64.decodeBase64(ptBase64); for (byteIdx = 0; byteIdx < pt.length; byteIdx++) { if (!(pt[byteIdx] >= 32 && pt[byteIdx] <= 127)) { @@ -206,11 +208,11 @@ function scan(helper, msg, src) { const url = msg.getRequestHeader().getURI().toString(); if (url.contains("DialogHandler.aspx")) { - alertConfidence = org.parosproxy.paros.core.scanner.Alert.CONFIDENCE_HIGH; + alertConfidence = Alert.CONFIDENCE_HIGH; otherInfo = "The URI strongly suggests this is a Telerik.Web.UI.DialogHandler instance."; } else { - alertConfidence = org.parosproxy.paros.core.scanner.Alert.CONFIDENCE_MEDIUM; + alertConfidence = Alert.CONFIDENCE_MEDIUM; otherInfo = "The URI is not typical for a Telerik.Web.UI.DialogHandler instance, so it may have been changed (e.g., in web.config), or this may be a false positive."; } diff --git a/passive/f5_bigip_cookie_internal_ip.js b/passive/f5_bigip_cookie_internal_ip.js index 1ad74819..d9130335 100755 --- a/passive/f5_bigip_cookie_internal_ip.js +++ b/passive/f5_bigip_cookie_internal_ip.js @@ -12,6 +12,8 @@ // 20160117 - Updated to include ipv6 variants - jkbowser[at]gmail[dot]com var Locale = Java.type("java.util.Locale"); +var Integer = Java.type("java.lang.Integer"); +var InetAddress = Java.type("java.net.InetAddress"); var ScanRuleMetadata = Java.type( "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata" ); 
@@ -127,7 +129,7 @@ function decodeIP(ipChunk) { } else { //not ipv6, so process it as ipv4 - var backwardIpHex = java.net.InetAddress.getByName(ipChunk); + var backwardIpHex = InetAddress.getByName(ipChunk); var backwardAddress = backwardIpHex.getHostAddress(); var ipPieces = backwardAddress.split("."); var theIP = @@ -141,7 +143,7 @@ function isLocal(ip) { //match on ipv6 notation try { //isSiteLocalAddress only returns true for FEC0, using RFC4193 definition of fc00, matching on beginning string regexp - if (java.net.InetAddress.getByName(ip) && ip.match(/(^fc00)/im)) { + if (InetAddress.getByName(ip) && ip.match(/(^fc00)/im)) { return true; //it is local per RFC4193 } } catch (e) { @@ -149,7 +151,7 @@ function isLocal(ip) { } } else { try { - if (java.net.InetAddress.getByName(ip).isSiteLocalAddress()) { + if (InetAddress.getByName(ip).isSiteLocalAddress()) { return true; //RFC1918 and IPv4 } } catch (e) { @@ -160,7 +162,7 @@ function isLocal(ip) { function isExternal(ip) { try { - if (java.net.InetAddress.getByName(ip)) { + if (InetAddress.getByName(ip)) { //just testing for valid format to verify it's not encrypted return true; //it is a valid IP, likely external } @@ -171,12 +173,10 @@ function isExternal(ip) { function decodePort(portChunk) { //port processing is same for ipv4 and ipv6 - var backwardPortHex = java.lang.Integer.toHexString( - java.lang.Integer.parseInt(portChunk) - ); + var backwardPortHex = Integer.toHexString(Integer.parseInt(portChunk)); var assembledPortHex = backwardPortHex.substring(2, 4) + backwardPortHex.substring(0, 2); - var thePort = java.lang.Integer.parseInt(assembledPortHex, 16); + var thePort = Integer.parseInt(assembledPortHex, 16); return thePort; } diff --git a/selenium/FillOTPInMFA.js b/selenium/FillOTPInMFA.js index 29a311b8..2f34243f 100644 --- a/selenium/FillOTPInMFA.js +++ b/selenium/FillOTPInMFA.js 
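Review bot: `Integer.toHexString(Integer.parseInt(portChunk))` in the `decodePort` hunk yields no leading zeros, so when the encoded port value is below 0x1000 the `substring(2, 4)`/`substring(0, 2)` byte swap on the following lines operates on a one- to three-character string and decodes the wrong port (an encoded value of `1`, which is port 256 in byte-reversed order, comes back as `1`); the commit rewrote this line without padding it. `var backwardPortHex = ("0000" + Integer.toHexString(Integer.parseInt(portChunk))).slice(-4);` makes the swap correct for every 16-bit value. `decodePort` is complete within the hunk.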
@@ -4,9 +4,10 @@ You need to analyze DOM of the web app this script needs to run on and modify th This script assumes that the web app has fixed OTP for testing which can be stored in the variable below. */ +var By = Java.type("org.openqa.selenium.By"); +var Thread = Java.type("java.lang.Thread"); + function browserLaunched(utils) { - var By = Java.type("org.openqa.selenium.By"); - var Thread = Java.type("java.lang.Thread"); var url = utils.waitForURL(5000); var wd = utils.getWebDriver(); var OTP = "123456"; diff --git a/session/Juice Shop Session Management.js b/session/Juice Shop Session Management.js index 585deabf..75c41788 100644 --- a/session/Juice Shop Session Management.js +++ b/session/Juice Shop Session Management.js @@ -13,7 +13,10 @@ * Obviously update with any local changes as necessary. */ -var COOKIE_TYPE = org.parosproxy.paros.network.HtmlParameter.Type.cookie; +var HtmlParameterType = Java.type( + "org.parosproxy.paros.network.HtmlParameter.Type" +); +var COOKIE_TYPE = HtmlParameterType.cookie; var HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter"); var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars"); diff --git a/standalone/Active scan rule list.js b/standalone/Active scan rule list.js index 7c8dca20..f8fd6022 100644 --- a/standalone/Active scan rule list.js +++ b/standalone/Active scan rule list.js @@ -1,8 +1,10 @@ // This script gives details about all of the active scan rules installed -extAscan = control - .getExtensionLoader() - .getExtension(org.zaproxy.zap.extension.ascan.ExtensionActiveScan.NAME); +var ExtensionActiveScan = Java.type( + "org.zaproxy.zap.extension.ascan.ExtensionActiveScan" +); + +extAscan = control.getExtensionLoader().getExtension(ExtensionActiveScan.NAME); plugins = extAscan .getPolicyManager() diff --git a/standalone/Juice shop authentication by form.js b/standalone/Juice shop authentication by form.js index 25a7c8b0..dd822250 100644 
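Review bot: The rewritten `extAscan = control.getExtensionLoader().getExtension(ExtensionActiveScan.NAME);` still assigns to an undeclared name and so creates an implicit global, while the `ExtensionActiveScan` binding added two lines above it is declared with `var`; the same pattern is in the rewritten lookup lines of standalone/Loop through alerts.js (`extAlert`), standalone/Loop through history table.js (`extHist`) and standalone/alertAndPluginDetails.js (`extAlert`). Since these lines are being rewritten anyway, `var extAscan = control.getExtensionLoader().getExtension(ExtensionActiveScan.NAME);` keeps the declaration style consistent within each script. The `plugins = extAscan` statement that follows begins inside the hunk but runs past its end.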
--- a/standalone/Juice shop authentication by form.js +++ b/standalone/Juice shop authentication by form.js @@ -6,13 +6,14 @@ var By = Java.type("org.openqa.selenium.By"); var Thread = Java.type("java.lang.Thread"); +var ExtensionSelenium = Java.type( + "org.zaproxy.zap.extension.selenium.ExtensionSelenium" +); var juiceshop = "http://localhost:3000/"; var username = "test@test.com"; var password = "test123"; -var extSel = control - .getExtensionLoader() - .getExtension(org.zaproxy.zap.extension.selenium.ExtensionSelenium.class); +var extSel = control.getExtensionLoader().getExtension(ExtensionSelenium.class); var wd = extSel.getWebDriverProxyingViaZAP(1, "firefox"); wd.get(juiceshop); diff --git a/standalone/Juice shop authentication by google.js b/standalone/Juice shop authentication by google.js index c2d75bd3..d1b823ad 100644 --- a/standalone/Juice shop authentication by google.js +++ b/standalone/Juice shop authentication by google.js @@ -5,13 +5,14 @@ var By = Java.type("org.openqa.selenium.By"); var Thread = Java.type("java.lang.Thread"); +var ExtensionSelenium = Java.type( + "org.zaproxy.zap.extension.selenium.ExtensionSelenium" +); var juiceshop = "http://localhost:3000/"; var username = "zap.addo.sb@gmail.com"; // Change this to an account you own var password = "nottherealpassword"; // Change this to the right password for your account -var extSel = control - .getExtensionLoader() - .getExtension(org.zaproxy.zap.extension.selenium.ExtensionSelenium.class); +var extSel = control.getExtensionLoader().getExtension(ExtensionSelenium.class); var wd = extSel.getWebDriverProxyingViaZAP(1, "firefox"); wd.get(juiceshop); diff --git a/standalone/Loop through alerts.js b/standalone/Loop through alerts.js index b0a9ebcc..efdcaec4 100644 --- a/standalone/Loop through alerts.js +++ b/standalone/Loop through alerts.js 
@@ -2,11 +2,13 @@ // // This is a standalone script which you can run from the Script Console -extAlert = control - .getExtensionLoader() - .getExtension(org.zaproxy.zap.extension.alert.ExtensionAlert.NAME); +var ExtensionAlert = Java.type( + "org.zaproxy.zap.extension.alert.ExtensionAlert" +); +var Alert = Java.type("org.parosproxy.paros.core.scanner.Alert"); + +extAlert = control.getExtensionLoader().getExtension(ExtensionAlert.NAME); if (extAlert != null) { - var Alert = org.parosproxy.paros.core.scanner.Alert; var alerts = extAlert.getAllAlerts(); for (var i = 0; i < alerts.length; i++) { var alert = alerts[i]; diff --git a/standalone/Loop through history table.js b/standalone/Loop through history table.js index cee2ac42..cbe5406b 100644 --- a/standalone/Loop through history table.js +++ b/standalone/Loop through history table.js @@ -3,9 +3,11 @@ // Standalone scripts have no template. // They are only evaluated when you run them. -extHist = control - .getExtensionLoader() - .getExtension(org.parosproxy.paros.extension.history.ExtensionHistory.NAME); +var ExtensionHistory = Java.type( + "org.parosproxy.paros.extension.history.ExtensionHistory" +); + +extHist = control.getExtensionLoader().getExtension(ExtensionHistory.NAME); if (extHist != null) { i = 1; lastRef = extHist.getLastHistoryId(); // Get current max history reference diff --git a/standalone/alertAndPluginDetails.js b/standalone/alertAndPluginDetails.js index f469d8e3..0ceeb3b3 100644 --- a/standalone/alertAndPluginDetails.js +++ b/standalone/alertAndPluginDetails.js 
@@ -5,20 +5,24 @@ * It's tab separated so you can simply copy/paste it into Excel (or whatever). */ -extAlert = control - .getExtensionLoader() - .getExtension(org.zaproxy.zap.extension.alert.ExtensionAlert.NAME); +var ExtensionAlert = Java.type( + "org.zaproxy.zap.extension.alert.ExtensionAlert" +); +var ExtensionPassiveScan2 = Java.type( + "org.zaproxy.addon.pscan.ExtensionPassiveScan2" +); +var Alert = Java.type("org.parosproxy.paros.core.scanner.Alert"); +var pf = Java.type("org.parosproxy.paros.core.scanner.PluginFactory"); + +extAlert = control.getExtensionLoader().getExtension(ExtensionAlert.NAME); extPscan = control .getExtensionLoader() - .getExtension(org.zaproxy.addon.pscan.ExtensionPassiveScan2.NAME); - -var pf = Java.type("org.parosproxy.paros.core.scanner.PluginFactory"); + .getExtension(ExtensionPassiveScan2.NAME); printHeaders(); if (extAlert != null) { - var Alert = org.parosproxy.paros.core.scanner.Alert; var alerts = extAlert.getAllAlerts(); for (var i = 0; i < alerts.length; i++) { var alert = alerts[i]; diff --git a/standalone/domainFinder.js b/standalone/domainFinder.js index fb3d08c4..0c3c1ff0 100644 --- a/standalone/domainFinder.js +++ b/standalone/domainFinder.js @@ -8,6 +8,7 @@ var DOMAIN=".example.org"; //Update this with the domain you want to do lookups on var System = Java.type("java.lang.System"); +var InetAddress = Java.type("java.net.InetAddress"); var Thread = Java.type("java.lang.Thread"); var TimeUnit = Java.type("java.util.concurrent.TimeUnit"); var ForkJoinPool = Java.type("java.util.concurrent.ForkJoinPool"); @@ -62,7 +63,7 @@ function nslookup(lookupItem, type) { switch (type) { case 'rev': try { - host = java.net.InetAddress.getByName(lookupItem).getCanonicalHostName(); + host = InetAddress.getByName(lookupItem).getCanonicalHostName(); if (!/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/.test(host)) { printHost(host); foundRev.push(host); 
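Review bot: The new `pf` alias for `org.parosproxy.paros.core.scanner.PluginFactory` in alertAndPluginDetails.js is the only lower-case, abbreviated type name among the hoisted `Java.type` lookups; the siblings added in the same hunk (`ExtensionAlert`, `ExtensionPassiveScan2`, `Alert`) follow the class name. `var PluginFactory = Java.type("org.parosproxy.paros.core.scanner.PluginFactory");` would keep the block uniform, with the uses further down renamed to match (those lie outside this hunk).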
@@ -71,7 +72,7 @@ function nslookup(lookupItem, type) { break; case 'fwd': try { - host = java.net.InetAddress.getByName(lookupItem + DOMAIN); + host = InetAddress.getByName(lookupItem + DOMAIN); foundFwd.push(host.getHostName()); printHost(host); var new_ip=host.getHostAddress(); diff --git a/standalone/historySourceTagger.js b/standalone/historySourceTagger.js index d9ba8aa9..98f9e093 100644 --- a/standalone/historySourceTagger.js +++ b/standalone/historySourceTagger.js @@ -3,17 +3,18 @@ // SRC_Proxied, SRC_Manual, SRC_Other // The script can be run multiple times, history entries will only be tagged // if they don't already have a tag that starts with TAG_PREFIX as defined below. -// Author: kingthorin -// 20160207: Initial release -extHist = control - .getExtensionLoader() - .getExtension(org.parosproxy.paros.extension.history.ExtensionHistory.NAME); +const ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars"); +const ExtensionHistory = Java.type( + "org.parosproxy.paros.extension.history.ExtensionHistory" +); + +extHist = control.getExtensionLoader().getExtension(ExtensionHistory.NAME); TAG_PREFIX = "SRC_"; if (extHist != null) { - i = org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("tagged_ref"); // Check for global reference + i = ScriptVars.getGlobalVar("tagged_ref"); // Check for global reference if (i == null) { i = 1; // Global reference was null so 1 } @@ -48,8 +49,5 @@ if (extHist != null) { } i++; } - org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar( - "tagged_ref", - lastRef + 1 - ); // Set global reference + ScriptVars.setGlobalVar("tagged_ref", lastRef + 1); // Set global reference } diff --git a/standalone/load_function_example.js b/standalone/load_function_example.js index c6674d19..97cb33fd 100644 --- a/standalone/load_function_example.js +++ b/standalone/load_function_example.js 
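Review bot: historySourceTagger.js now mixes `const` for the new `ScriptVars`/`ExtensionHistory` lookups with the implicit globals `extHist = ...` and `TAG_PREFIX = "SRC_"` on the lines right below, and elsewhere in this commit the same kind of hoisted lookup is declared with `var` (the standalone scripts) or `const` (the targeted scripts). One convention across the commit would help; `var` is the safer choice here because a top-level `const` throws a SyntaxError if the script source is ever re-evaluated in the same engine context, which I am not certain ZAP avoids for every script type. A short comment on the lookup block, e.g. `// Resolve Java types once at load time rather than on every call`, would also document why the lookups moved to the top of the file.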
@@ -3,7 +3,9 @@ // This script will load example_library.js and a popular JS library from the Internet // Docs: https://wiki.openjdk.java.net/display/Nashorn/Nashorn+extensions -print("loading scripts from: " + java.lang.System.getProperty("user.dir")); +var System = Java.type("java.lang.System"); + +print("loading scripts from: " + System.getProperty("user.dir")); var number = 0; // This variable will be overwritten by the loading of example_library.js diff --git a/standalone/scan_rule_list.js b/standalone/scan_rule_list.js index 666843f0..063835f9 100644 --- a/standalone/scan_rule_list.js +++ b/standalone/scan_rule_list.js @@ -1,8 +1,13 @@ // This script gives details about all of the scan rules installed -extAscan = control - .getExtensionLoader() - .getExtension(org.zaproxy.zap.extension.ascan.ExtensionActiveScan.NAME); +var ExtensionActiveScan = Java.type( + "org.zaproxy.zap.extension.ascan.ExtensionActiveScan" +); +var ExtensionPassiveScan2 = Java.type( + "org.zaproxy.addon.pscan.ExtensionPassiveScan2" +); + +extAscan = control.getExtensionLoader().getExtension(ExtensionActiveScan.NAME); plugins = extAscan .getPolicyManager() @@ -29,7 +34,7 @@ for (var i = 0; i < plugins.length; i++) { extPscan = control .getExtensionLoader() - .getExtension(org.zaproxy.addon.pscan.ExtensionPassiveScan2.NAME); + .getExtension(ExtensionPassiveScan2.NAME); plugins = extPscan.getPassiveScannersManager().getScanRules(); diff --git a/targeted/Remove 302s.js b/targeted/Remove 302s.js index d51e6b75..738278ad 100644 --- a/targeted/Remove 302s.js +++ b/targeted/Remove 302s.js 
@@ -2,6 +2,9 @@ // the script was invoked with. // The default criteria is leaf nodes with a response code of 302 but you can change that to anything you need // Targeted scripts can only be invoked by you, the user, eg via a right-click option on the Sites or History tabs +const PopupMenuPurgeSites = Java.type( + "org.zaproxy.zap.extension.history.PopupMenuPurgeSites" +); function recurseDown(sitestree, node) { //print('recurseDown node: ' + node.getHierarchicNodeName() + " " + node.getChildCount()) @@ -15,10 +18,7 @@ function recurseDown(sitestree, node) { } if (deleteThis(node)) { print("Removing node: " + node.getHierarchicNodeName()); - org.zaproxy.zap.extension.history.PopupMenuPurgeSites.purge( - sitestree, - node - ); + PopupMenuPurgeSites.purge(sitestree, node); return true; } return false; diff --git a/targeted/SQLMapCommandGenerator.js b/targeted/SQLMapCommandGenerator.js index e18132a1..2707f1e5 100644 --- a/targeted/SQLMapCommandGenerator.js +++ b/targeted/SQLMapCommandGenerator.js @@ -3,6 +3,9 @@ //You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 //author: @juliosmelo +const StringSelection = Java.type("java.awt.datatransfer.StringSelection"); +const Toolkit = Java.type("java.awt.Toolkit"); + function invokeWith(msg) { var string = "sqlmap --url '" + msg.getRequestHeader().getURI().toString() + "' \\\n"; @@ -17,8 +20,8 @@ function invokeWith(msg) { if (body.length() != 0) { string += "--data='" + addSlashes(body) + "'"; } - var selected = new java.awt.datatransfer.StringSelection(string); - var clipboard = java.awt.Toolkit.getDefaultToolkit().getSystemClipboard(); + var selected = new StringSelection(string); + var clipboard = Toolkit.getDefaultToolkit().getSystemClipboard(); clipboard.setContents(selected, null); print(string); } diff --git a/targeted/Search www.xssposed.org for known XSS.js b/targeted/Search www.xssposed.org for known XSS.js index b98c25ac..9bc479ef 100644 
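Review bot: In SQLMapCommandGenerator.js the request URI is interpolated between single quotes on the context line `var string = "sqlmap --url '" + msg.getRequestHeader().getURI().toString() + "' \\\n";` with no escaping, so a `'` in the URI ends the quoting of the command that is then placed on the clipboard; `addSlashes(body)` does not protect that segment either. curl_command_generator.js in this same commit at least withholds the clipboard copy when `suspiciousHeaders` is set, and this script has no equivalent guard. Escaping the URI with `.replace(/'/g, "'\\''")` before concatenation, or applying the same suspicious-input check before `clipboard.setContents`, would bring the two generators in line. The body of `invokeWith` continues outside this hunk.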
--- a/targeted/Search www.xssposed.org for known XSS.js +++ b/targeted/Search www.xssposed.org for known XSS.js @@ -1,10 +1,11 @@ // Searches www.xssposed.org for known XSS vulnerabilities. // This script just launches your default browser to perform the search. +const DesktopUtils = Java.type("org.zaproxy.zap.utils.DesktopUtils"); function invokeWith(msg) { var host = msg.getRequestHeader().getURI().getHost(); - org.zaproxy.zap.utils.DesktopUtils.openUrlInBrowser( + DesktopUtils.openUrlInBrowser( "https://www.xssposed.org/search/?search=" + host + "&type=host" ); } diff --git a/targeted/curl_command_generator.js b/targeted/curl_command_generator.js index 3947ba8e..0e43e307 100644 --- a/targeted/curl_command_generator.js +++ b/targeted/curl_command_generator.js @@ -3,6 +3,9 @@ //You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 //author:@haseebeqx +const StringSelection = Java.type("java.awt.datatransfer.StringSelection"); +const Toolkit = Java.type("java.awt.Toolkit"); + // Note: The following code lives also in Script Console add-on. function invokeWith(msg) { @@ -30,8 +33,8 @@ function invokeWith(msg) { string += "'" + msg.getRequestHeader().getURI().toString() + "'"; if (!suspiciousHeaders) { - var selected = new java.awt.datatransfer.StringSelection(string); - var clipboard = java.awt.Toolkit.getDefaultToolkit().getSystemClipboard(); + var selected = new StringSelection(string); + var clipboard = Toolkit.getDefaultToolkit().getSystemClipboard(); clipboard.setContents(selected, null); } print(string); diff --git a/targeted/cve-2021-22214.js b/targeted/cve-2021-22214.js index 35079488..603efd28 100644 --- a/targeted/cve-2021-22214.js +++ b/targeted/cve-2021-22214.js @@ -2,6 +2,7 @@ * Contributed by Astra Security (https://www.getastra.com/) * @author Prince Mendiratta */ +const Alert = Java.type("org.parosproxy.paros.core.scanner.Alert"); var pluginid = 100024; 
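Review bot: In Search www.xssposed.org for known XSS.js the `host` value is concatenated into the query string unencoded in the new `DesktopUtils.openUrlInBrowser(...)` call, while the sibling script search cvedetails using target server header.js wraps its header value in `encodeURIComponent(...)`. A host containing characters such as `[`/`]` (IPv6 literal) or non-ASCII would produce a malformed URL here. Suggest `"https://www.xssposed.org/search/?search=" + encodeURIComponent(host) + "&type=host"` for consistency with the other targeted script.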
@@ -151,12 +152,7 @@ function customAlert( .getExtension(ExtensionAlert.NAME); var ref = new HistoryReference(session, HistoryReference.TYPE_ZAP_USER, msg); - var alert = new org.parosproxy.paros.core.scanner.Alert( - pluginid, - alertRisk, - alertConfidence, - alertName - ); + var alert = new Alert(pluginid, alertRisk, alertConfidence, alertName); alert.setDescription(alertDesc); alert.setAttack(alertAttack); alert.setEvidence(alertEvidence); diff --git a/targeted/cve-2021-41773-apache-path-trav.js b/targeted/cve-2021-41773-apache-path-trav.js index d2fae052..16d5dbb9 100644 --- a/targeted/cve-2021-41773-apache-path-trav.js +++ b/targeted/cve-2021-41773-apache-path-trav.js @@ -2,6 +2,7 @@ * Scan rule for Apache 2.4.49 path traversal CVE-2021-41773. * Based on: https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse */ +const Alert = Java.type("org.parosproxy.paros.core.scanner.Alert"); var HttpSender = Java.type("org.parosproxy.paros.network.HttpSender"); var HistoryReference = Java.type("org.parosproxy.paros.model.HistoryReference"); @@ -93,12 +94,7 @@ function customAlert( .getExtension(ExtensionAlert.NAME); var ref = new HistoryReference(session, HistoryReference.TYPE_ZAP_USER, msg); - var alert = new org.parosproxy.paros.core.scanner.Alert( - -1, - alertRisk, - alertConfidence, - alertName - ); + var alert = new Alert(-1, alertRisk, alertConfidence, alertName); alert.setDescription(alertDesc); alert.setAttack(alertAttack); alert.setEvidence(alertEvidence); diff --git a/targeted/json_csrf_poc_generator.js b/targeted/json_csrf_poc_generator.js index 3b45183e..01d055f3 100644 --- a/targeted/json_csrf_poc_generator.js +++ b/targeted/json_csrf_poc_generator.js 
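Review bot: cve-2021-41773-apache-path-trav.js passes the literal `-1` as the plugin id to the new `new Alert(-1, alertRisk, alertConfidence, alertName)` call, whereas cve-2021-22214.js passes a named `pluginid` in the equivalent line. A named top-level `var pluginid = -1; // no registered scan rule id for this targeted script` next to the new `const Alert` lookup would make the intent explicit and keep the two scripts parallel. `customAlert` begins and ends outside this hunk.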
@@ -4,6 +4,9 @@ // released under the Apache v2.0 license. //You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 //Author : @haseebeqx +const HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader"); +const StringSelection = Java.type("java.awt.datatransfer.StringSelection"); +const Toolkit = Java.type("java.awt.Toolkit"); function invokeWith(msg) { var string = "\n"; @@ -32,9 +35,7 @@ function invokeWith(msg) { if (body.length() != 0) if (!isJson(body)) { if (ismultipart(msg.getRequestHeader())) { - var type = msg - .getRequestHeader() - .getHeader(org.parosproxy.paros.network.HttpHeader.CONTENT_TYPE); + var type = msg.getRequestHeader().getHeader(HttpHeader.CONTENT_TYPE); var delim = type.substring(type.search("=") + 1, type.length()); var h = body.split("--" + delim); var k = 0; @@ -98,8 +99,8 @@ function invokeWith(msg) { string += "\n"; print("\n\n\n"); print(string); - var selected = new java.awt.datatransfer.StringSelection(string); - var clipboard = java.awt.Toolkit.getDefaultToolkit().getSystemClipboard(); + var selected = new StringSelection(string); + var clipboard = Toolkit.getDefaultToolkit().getSystemClipboard(); clipboard.setContents(selected, null); } @@ -113,9 +114,7 @@ function isJson(str) { } function ismultipart(header) { - var type = header.getHeader( - org.parosproxy.paros.network.HttpHeader.CONTENT_TYPE - ); + var type = header.getHeader(HttpHeader.CONTENT_TYPE); if (type == null) return false; if (type.contains("multipart/form-data")) return true; return false; diff --git a/targeted/request_to_xml.js b/targeted/request_to_xml.js index 6792b386..db0c848f 100644 --- a/targeted/request_to_xml.js +++ b/targeted/request_to_xml.js 
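Review bot: The boundary extraction on the line after the rewritten `var type = msg.getRequestHeader().getHeader(HttpHeader.CONTENT_TYPE);` in json_csrf_poc_generator.js takes everything after the first `=` in the header, so a Content-Type such as `multipart/form-data; charset=utf-8; boundary=...` or a quoted `boundary="..."` yields the wrong `delim` and `body.split("--" + delim)` silently fails to split. request_to_xml.js `multiToJson` has the identical two lines. Matching the parameter by name is more robust: `var m = /boundary="?([^";]+)"?/i.exec(type);` followed by `var delim = m ? m[1] : "";`. `invokeWith` starts outside this hunk.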
@@ -11,6 +11,7 @@ // tested on: ZAP 2.7.0 // rule1: pure JSON , no CODE // rule2: correct body (make edits only after conversion) +const HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader"); var requester = control.getExtensionLoader().getExtension("ExtensionRequester"); @@ -30,14 +31,8 @@ function invokeWith(msg) { msg.setRequestBody(body); msg.getRequestHeader().setContentLength(msg.getRequestBody().length()); var header = msg.getRequestHeader(); - header.setHeader( - org.parosproxy.paros.network.HttpHeader.CONTENT_TYPE, - "application/xml" - ); - header.setHeader( - org.parosproxy.paros.network.HttpHeader.CONTENT_LENGTH, - body.length - ); + header.setHeader(HttpHeader.CONTENT_TYPE, "application/xml"); + header.setHeader(HttpHeader.CONTENT_LENGTH, body.length); msg.setRequestHeader(header); requester.displayMessage(msg.cloneRequest()); } @@ -52,9 +47,7 @@ function isJson(str) { } function ismultipart(header) { - var type = header.getHeader( - org.parosproxy.paros.network.HttpHeader.CONTENT_TYPE - ); + var type = header.getHeader(HttpHeader.CONTENT_TYPE); if (type == null) return false; if (type.contains("multipart/form-data")) return true; return false; @@ -149,9 +142,7 @@ function toXml(key, value, att) { } } function multiToJson(msg) { - var type = msg - .getRequestHeader() - .getHeader(org.parosproxy.paros.network.HttpHeader.CONTENT_TYPE); + var type = msg.getRequestHeader().getHeader(HttpHeader.CONTENT_TYPE); var delim = type.substring(type.search("=") + 1, type.length()); var h = msg .getRequestBody() diff --git a/targeted/search cvedetails using target server header.js b/targeted/search cvedetails using target server header.js index 912d5099..a9bcb9dd 100644 --- a/targeted/search cvedetails using target server header.js +++ b/targeted/search cvedetails using target server header.js 
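Review bot: In request_to_xml.js the new `header.setHeader(HttpHeader.CONTENT_LENGTH, body.length);` overwrites the value set two lines earlier by `msg.getRequestHeader().setContentLength(msg.getRequestBody().length())`, and the two can disagree: `body.length` is the JS string length in UTF-16 units while the request body length is in bytes, so any non-ASCII XML gets a wrong Content-Length. Dropping the `CONTENT_LENGTH` line and keeping the `setContentLength` call is enough; `setHeader` also expects a string value, so the numeric argument relies on engine coercion. `invokeWith` starts outside this hunk.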
@@ -1,9 +1,10 @@ // Captures Server header from the application response and searches cvedetails.com for known target server vulnerabilities. +const DesktopUtils = Java.type("org.zaproxy.zap.utils.DesktopUtils"); function invokeWith(msg) { var header = msg.getResponseHeader().getHeader("Server"); if (header != null) { - org.zaproxy.zap.utils.DesktopUtils.openUrlInBrowser( + DesktopUtils.openUrlInBrowser( "http://www.cvedetails.com/google-search-results.php?q=" + encodeURIComponent(header) + "&sa=Search" diff --git a/variant/CompoundCookies.js b/variant/CompoundCookies.js index 1e64fb95..6b712d4e 100644 --- a/variant/CompoundCookies.js +++ b/variant/CompoundCookies.js @@ -10,7 +10,10 @@ */ var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars"); var HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter"); -var COOKIE_TYPE = org.parosproxy.paros.network.HtmlParameter.Type.cookie; +var HtmlParameterType = Java.type( + "org.parosproxy.paros.network.HtmlParameter.Type" +); +var COOKIE_TYPE = HtmlParameterType.cookie; /* List of compound cookies to target - either burn in list below (i.e. ccList = [ "", "", ... ]; ) * or set via 'CompoundCookies' global var as a '&' separated list (i.e. "&&..." ) */
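Review bot: The URL passed to the new `DesktopUtils.openUrlInBrowser(...)` call in search cvedetails using target server header.js is plain `http://`, so the target's Server header value is sent as a cleartext query string to a third party when the browser opens. If cvedetails.com serves the same path over TLS (I have not verified this), `"https://www.cvedetails.com/google-search-results.php?q="` is the one-token change; otherwise a comment noting that the search is sent in the clear would be worth adding. `invokeWith` ends outside this hunk.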