public abstract class AbstractPlugin extends Object implements Plugin, Comparable<Object>
Nested classes/interfaces inherited from interface Plugin: Plugin.AlertThreshold, Plugin.AttackStrength
Field Summary
Modifier and Type | Field | Description
---|---|---
protected static String | CRLF | CRLF string.
protected static int | PATTERN_PARAM | Default pattern used in pattern check for most plugins.

Constructor Summary
Constructor | Description
---|---
AbstractPlugin() | Default constructor.
Method Summary
Modifier and Type | Method | Description
---|---|---
protected void | bingo(int risk, int confidence, String uri, String param, String attack, String otherInfo, HttpMessage msg) | Generate an alert when a security issue (risk/info) is found.
protected void | bingo(int risk, int confidence, String uri, String param, String attack, String otherInfo, String evidence, HttpMessage msg) | Generate an alert when a security issue (risk/info) is found.
protected void | bingo(int risk, int confidence, String name, String description, String uri, String param, String attack, String otherInfo, String solution, HttpMessage msg) | Generate an alert when a security issue (risk/info) is found.
protected void | bingo(int risk, int confidence, String name, String description, String uri, String param, String attack, String otherInfo, String solution, String evidence, HttpMessage msg) | Generate an alert when a security issue (risk/info) is found.
protected void | bingo(int risk, int confidence, String name, String description, String uri, String param, String attack, String otherInfo, String solution, String evidence, int cweId, int wascId, HttpMessage msg) |
protected void | bingo(int risk, int confidence, String name, String description, String uri, String param, String attack, String otherInfo, String solution, String evidence, String reference, int cweId, int wascId, HttpMessage msg) |
void | cloneInto(Plugin plugin) |
int | compareTo(Object obj) | Compares whether two plugins are the same.
void | createParamIfNotExist() | Check and create necessary parameter in config file if not already present.
boolean | equals(Object obj) |
Plugin.AlertThreshold | getAlertThreshold() | The alert threshold for this plugin, i.e. the level of certainty required to report an alert.
Plugin.AlertThreshold | getAlertThreshold(boolean incDefault) | The alert threshold for this plugin, i.e. the level of certainty required to report an alert.
Plugin.AlertThreshold[] | getAlertThresholdsSupported() | Override this if your plugin supports other levels.
Plugin.AttackStrength | getAttackStrength() | Returns the AttackStrength, which is an indication of the relative number of requests the plugin will make against a given target.
Plugin.AttackStrength | getAttackStrength(boolean incDefault) | Returns the AttackStrength, which is an indication of the relative number of requests the plugin will make against a given target.
Plugin.AttackStrength[] | getAttackStrengthsSupported() | Override this if your plugin supports other levels.
protected HttpMessage | getBaseMsg() | Get the base reference HttpMessage for this check.
String | getCodeName() | Code name is the plugin name used for dependency naming.
org.apache.commons.configuration.Configuration | getConfig() |
int | getCweId() | Gets the CWE ID of the issue(s) raised by the scanner.
int | getDelayInMs() |
String[] | getDependency() | Returns no dependencies by default.
static String | getHTMLEncode(String msg) |
protected Kb | getKb() |
protected org.apache.log4j.Logger | getLog() |
protected HttpMessage | getNewMsg() | Obtain a new HttpMessage with the same request as the base.
HostProcess | getParent() | Get the parent HostProcess.
String | getProperty(String key) |
int | getRisk() | Gets the highest risk level of the alerts raised by the plugin.
AddOn.Status | getStatus() | Gets the status of the plugin (as given by the corresponding add-on).
TechSet | getTechSet() | Returns the technologies enabled for the scan.
Date | getTimeFinished() |
Date | getTimeStarted() |
static String | getURLDecode(String msg) |
static String | getURLEncode(String msg) |
int | getWascId() | Gets the WASC ID of the issue(s) raised by the scanner.
int | hashCode() |
void | init() | Finishes the initialisation of the plugin; subclasses should add any initialisation logic/code to this method.
void | init(HttpMessage msg, HostProcess parent) | Initialises the plugin with the given message and host process.
boolean | inScope(Tech tech) | Tells whether or not the given technology is enabled for the scan.
protected boolean | isAnyInScope(Tech... techs) | Tells whether or not any of the given technologies is enabled for the scan.
boolean | isDepreciated() |
boolean | isEnabled() | Tells whether or not the scanner is enabled.
protected boolean | isFileExist(HttpMessage msg) | Tells whether or not the file exists, based on previous analysis.
protected boolean | isStop() | Check if this test should be stopped.
boolean | isVisible() | Tells whether or not the scanner can be selected and should be shown.
void | loadFrom(org.apache.commons.configuration.Configuration conf) |
protected boolean | matchBodyPattern(HttpMessage msg, Pattern pattern, StringBuilder sb) | Check if the given pattern can be found in the msg body.
protected boolean | matchHeaderPattern(HttpMessage msg, String header, Pattern pattern) | Check if the given pattern can be found in the header.
void | run() |
void | saveTo(org.apache.commons.configuration.Configuration conf) |
protected void | sendAndReceive(HttpMessage message) | Sends and receives the given message, always following redirections.
protected void | sendAndReceive(HttpMessage message, boolean isFollowRedirect) | Sends and receives the given message, optionally following redirections.
protected void | sendAndReceive(HttpMessage message, boolean isFollowRedirect, boolean handleAntiCSRF) | Sends and receives the given message, optionally following redirections and optionally regenerating the anti-CSRF token, if any.
void | setAlertThreshold(Plugin.AlertThreshold level) | Set the alert threshold for this plugin, i.e. the level of certainty required to report an alert.
void | setAttackStrength(Plugin.AttackStrength level) | Set the attack strength for this plugin, i.e. the relative number of requests the plugin will make against a given target.
void | setConfig(org.apache.commons.configuration.Configuration config) |
void | setDefaultAlertThreshold(Plugin.AlertThreshold level) | Set the default alert threshold for this plugin, i.e. the level of certainty required to report an alert.
void | setDefaultAttackStrength(Plugin.AttackStrength strength) | Set the default attack strength for this plugin, i.e. the relative number of attacks that will be performed.
void | setDelayInMs(int delayInMs) |
void | setEnabled(boolean enabled) | Enable this test.
void | setProperty(String key, String value) |
void | setStatus(AddOn.Status status) |
void | setTechSet(TechSet ts) | Sets the technologies enabled for the scan.
void | setTimeFinished() |
void | setTimeStarted() |
protected String | stripOff(String body, String pattern) | Replaces the body by stripping off the pattern string.
boolean | targets(TechSet technologies) | Returns true by default.
protected void | writeProgress(String msg) | Write a progress update message.
Methods inherited from class java.lang.Object: clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface Plugin: getCategory, getDescription, getId, getName, getReference, getSolution, notifyPluginCompleted, scan
Field Detail

protected static final int PATTERN_PARAM
Default pattern used in pattern check for most plugins.

protected static final String CRLF
CRLF string.
Method Detail

public String getCodeName()
Code name is the plugin name used for dependency naming.
Specified by: getCodeName in interface Plugin

public String[] getDependency()
Returns no dependencies by default.
Specified by: getDependency in interface Plugin

public void init(HttpMessage msg, HostProcess parent)
Initialises the plugin with the given message and host process.

public void init()
Called after the plugin has been initialised with the message being scanned; subclasses should add any initialisation logic/code to this method. By default it does nothing.
Since 2.5.0 it is no longer abstract.
See Also: init(HttpMessage, HostProcess)

protected HttpMessage getNewMsg()
Obtain a new HttpMessage with the same request as the base.

protected HttpMessage getBaseMsg()
Get the base reference HttpMessage for this check.
protected void sendAndReceive(HttpMessage message) throws IOException
Sends and receives the given message, always following redirections.
The following changes are made to the request before being sent:
- HttpHeader.IF_MODIFIED_SINCE and HttpHeader.IF_NONE_MATCH are removed, to always obtain a fresh response;
- HttpHeader.CONTENT_LENGTH is updated, to match the length of the request body.
The message is also passed through any registered HttpSenderListener (for example, scripts).
Parameters:
message - the message to be sent and received
Throws:
org.apache.commons.httpclient.HttpException - if a HTTP error occurred
IOException - if an I/O error occurred (for example, read time out)
See Also: sendAndReceive(HttpMessage, boolean), sendAndReceive(HttpMessage, boolean, boolean)

protected void sendAndReceive(HttpMessage message, boolean isFollowRedirect) throws IOException
Sends and receives the given message, optionally following redirections.
The following changes are made to the request before being sent:
- HttpHeader.IF_MODIFIED_SINCE and HttpHeader.IF_NONE_MATCH are removed, to always obtain a fresh response;
- HttpHeader.CONTENT_LENGTH is updated, to match the length of the request body.
The message is also passed through any registered HttpSenderListener (for example, scripts).
Parameters:
message - the message to be sent and received
isFollowRedirect - true if redirections should be followed, false otherwise
Throws:
org.apache.commons.httpclient.HttpException - if a HTTP error occurred
IOException - if an I/O error occurred (for example, read time out)
See Also: sendAndReceive(HttpMessage), sendAndReceive(HttpMessage, boolean, boolean)

protected void sendAndReceive(HttpMessage message, boolean isFollowRedirect, boolean handleAntiCSRF) throws IOException
Sends and receives the given message, optionally following redirections and optionally regenerating the anti-CSRF token, if any.
The following changes are made to the request before being sent:
- HttpHeader.IF_MODIFIED_SINCE and HttpHeader.IF_NONE_MATCH are removed, to always obtain a fresh response;
- HttpHeader.CONTENT_LENGTH is updated, to match the length of the request body.
The message is also passed through any registered HttpSenderListener (for example, scripts).
Parameters:
message - the message to be sent and received
isFollowRedirect - true if redirections should be followed, false otherwise
handleAntiCSRF - true if the anti-CSRF token present in the request should be handled/regenerated, false otherwise
Throws:
org.apache.commons.httpclient.HttpException - if a HTTP error occurred
IOException - if an I/O error occurred (for example, read time out)
See Also: sendAndReceive(HttpMessage), sendAndReceive(HttpMessage, boolean)
protected void bingo(int risk, int confidence, String uri, String param, String attack, String otherInfo, HttpMessage msg)
Generate an alert when a security issue (risk/info) is found.
Parameters:
risk - the risk of the new alert
confidence - the confidence of the new alert
uri - the affected URI
param - the name/ID of the affected parameter
attack - the attack that shows the issue
otherInfo - other information about the issue
msg - the message that shows the issue

protected void bingo(int risk, int confidence, String name, String description, String uri, String param, String attack, String otherInfo, String solution, HttpMessage msg)
Generate an alert when a security issue (risk/info) is found.
Parameters:
risk - the risk of the new alert
confidence - the confidence of the new alert
name - the name of the new alert
description - the description of the new alert
uri - the affected URI
param - the name/ID of the affected parameter
attack - the attack that shows the issue
otherInfo - other information about the issue
solution - the solution for the issue
msg - the message that shows the issue

protected void bingo(int risk, int confidence, String uri, String param, String attack, String otherInfo, String evidence, HttpMessage msg)
Generate an alert when a security issue (risk/info) is found.
Parameters:
risk - the risk of the new alert
confidence - the confidence of the new alert
uri - the affected URI
param - the name/ID of the affected parameter
attack - the attack that shows the issue
otherInfo - other information about the issue
evidence - the evidence (in the response) that shows the issue
msg - the message that shows the issue

protected void bingo(int risk, int confidence, String name, String description, String uri, String param, String attack, String otherInfo, String solution, String evidence, HttpMessage msg)
Generate an alert when a security issue (risk/info) is found.
Parameters:
risk - the risk of the new alert
confidence - the confidence of the new alert
name - the name of the new alert
description - the description of the new alert
uri - the affected URI
param - the name/ID of the affected parameter
attack - the attack that shows the issue
otherInfo - other information about the issue
solution - the solution for the issue
evidence - the evidence (in the response) that shows the issue
msg - the message that shows the issue

protected void bingo(int risk, int confidence, String name, String description, String uri, String param, String attack, String otherInfo, String solution, String evidence, int cweId, int wascId, HttpMessage msg)

protected void bingo(int risk, int confidence, String name, String description, String uri, String param, String attack, String otherInfo, String solution, String evidence, String reference, int cweId, int wascId, HttpMessage msg)
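The sendAndReceive and bingo entries above describe the request/response/alert cycle of an active scan rule; the following is an added example of that cycle (not ZAP's own code and not part of this reference page). It sends the base request with a canary value in a request header and raises an alert when the response body echoes the canary unencoded, scaling the number of requests by the configured attack strength and checking isStop() between requests. The package name, the plugin id 90999, Category.INJECTION, HttpHeader.REFERER and Alert.CONFIDENCE_MEDIUM are assumptions drawn from the wider ZAP API and do not appear on this page; the canary strings are constructed.

```java
package org.zaproxy.zap.extension.example; // hypothetical package

import java.io.IOException;
import java.util.regex.Pattern;

import org.parosproxy.paros.core.scanner.AbstractPlugin;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.core.scanner.Category;
import org.parosproxy.paros.network.HttpHeader;
import org.parosproxy.paros.network.HttpMessage;

/**
 * Added example, not ZAP's own rule: reports a request header value that is
 * copied into the response body without encoding.
 */
public class HeaderReflectionScanRule extends AbstractPlugin {

    // Hypothetical id; real rules need an id that is unique across installed rules.
    private static final int PLUGIN_ID = 90999;

    // Constructed canaries: plain, then with characters that encoding would change.
    private static final String[] CANARIES = {
        "zapcanary" + PLUGIN_ID,
        "zapcanary" + PLUGIN_ID + "\"",
        "zapcanary" + PLUGIN_ID + "<>",
        "zapcanary" + PLUGIN_ID + "'"
    };

    @Override public int getId() { return PLUGIN_ID; }
    @Override public String getName() { return "Request header reflected unencoded in response (example)"; }
    @Override public String getDescription() {
        return "A value supplied in the Referer request header is written into the response body without encoding.";
    }
    @Override public int getCategory() { return Category.INJECTION; }
    @Override public String getSolution() { return "Encode or drop header values before writing them into the response."; }
    @Override public String getReference() { return ""; }
    @Override public int getRisk() { return Alert.RISK_LOW; }
    @Override public int getCweId() { return 79; }   // CWE-79: improper neutralization of input in web page
    @Override public int getWascId() { return 8; }   // WASC-8: Cross-Site Scripting

    /** Request budget derived from the attack strength (the "relative number of requests"). */
    private int requestBudget() {
        switch (getAttackStrength()) {
            case LOW:    return 1;
            case HIGH:   return 3;
            case INSANE: return CANARIES.length;
            default:     return 2;   // MEDIUM, and DEFAULT resolved to the default level
        }
    }

    @Override
    public void scan() {
        int budget = Math.min(requestBudget(), CANARIES.length);
        for (int i = 0; i < budget; i++) {
            if (isStop()) {           // user stopped the scan, or the host process was cancelled
                return;
            }
            String canary = CANARIES[i];
            HttpMessage msg = getNewMsg();   // fresh copy of the base request; getBaseMsg() is never mutated
            msg.getRequestHeader().setHeader(HttpHeader.REFERER, "https://example.invalid/" + canary);
            try {
                // Do not follow redirects: the body that reflects input is the first response,
                // and following a 3xx would replace it with a different page.
                sendAndReceive(msg, false);
            } catch (IOException e) {
                getLog().debug("Request failed for " + msg.getRequestHeader().getURI(), e);
                continue;
            }
            StringBuilder evidence = new StringBuilder();
            if (matchBodyPattern(msg, Pattern.compile(Pattern.quote(canary)), evidence)) {
                bingo(getRisk(), Alert.CONFIDENCE_MEDIUM,
                      msg.getRequestHeader().getURI().toString(),
                      HttpHeader.REFERER,        // param: the header the canary was injected into
                      canary,                    // attack
                      "",                        // otherInfo
                      evidence.toString(),       // evidence: the match found in the response body
                      msg);
                return;   // one alert per base message; do not spend the remaining budget
            }
        }
    }
}
```

Pattern.quote() matters here: the canaries contain regex metacharacters, and matchBodyPattern is given a compiled Pattern, so an unquoted canary would match more than the literal value and produce false positives.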
protected boolean isFileExist(HttpMessage msg)
Tells whether or not the file exists, based on previous analysis.
Parameters:
msg - the message that will be checked
Returns:
true if the file exists, false otherwise

protected boolean isStop()
Check if this test should be stopped.
Returns:
true if the scanner should stop, false otherwise

public boolean isEnabled()
Tells whether or not the scanner is enabled.

public boolean isVisible()
Tells whether or not the scanner can be selected and should be shown.

public void setEnabled(boolean enabled)
Enable this test.
Specified by: setEnabled in interface Plugin
Parameters:
enabled - true if the scanner should be enabled, false otherwise

public Plugin.AlertThreshold getAlertThreshold()
The alert threshold for this plugin, i.e. the level of certainty required to report an alert.
Specified by: getAlertThreshold in interface Plugin

public Plugin.AlertThreshold getAlertThreshold(boolean incDefault)
The alert threshold for this plugin, i.e. the level of certainty required to report an alert.
Specified by: getAlertThreshold in interface Plugin
Parameters:
incDefault - if the DEFAULT level should be returned as DEFAULT as opposed to the value of the default level

public void setAlertThreshold(Plugin.AlertThreshold level)
Set the alert threshold for this plugin, i.e. the level of certainty required to report an alert.
Specified by: setAlertThreshold in interface Plugin
Parameters:
level - The alert threshold to set for this plugin

public void setDefaultAlertThreshold(Plugin.AlertThreshold level)
Set the default alert threshold for this plugin, i.e. the level of certainty required to report an alert.
Specified by: setDefaultAlertThreshold in interface Plugin
Parameters:
level - The default alert threshold to set for this plugin

public Plugin.AlertThreshold[] getAlertThresholdsSupported()
Override this if your plugin supports other levels.
Specified by: getAlertThresholdsSupported in interface Plugin

public Plugin.AttackStrength getAttackStrength(boolean incDefault)
Returns the AttackStrength, which is an indication of the relative number of requests the plugin will make against a given target.
Specified by: getAttackStrength in interface Plugin
Parameters:
incDefault - if the DEFAULT level should be returned as DEFAULT as opposed to the value of the default level

public Plugin.AttackStrength getAttackStrength()
Returns the AttackStrength, which is an indication of the relative number of requests the plugin will make against a given target.
Specified by: getAttackStrength in interface Plugin

public void setAttackStrength(Plugin.AttackStrength level)
Set the attack strength for this plugin, i.e. the relative number of requests the plugin will make against a given target.
Specified by: setAttackStrength in interface Plugin
Parameters:
level - The attack strength to set for this plugin

public void setDefaultAttackStrength(Plugin.AttackStrength strength)
Set the default attack strength for this plugin, i.e. the relative number of attacks that will be performed.
Specified by: setDefaultAttackStrength in interface Plugin
Parameters:
strength - The default attack strength to set for this plugin

public Plugin.AttackStrength[] getAttackStrengthsSupported()
Override this if your plugin supports other levels.
Specified by: getAttackStrengthsSupported in interface Plugin

public int compareTo(Object obj)
Compares whether two plugins are the same.
Specified by: compareTo in interface Comparable<Object>
protected boolean matchHeaderPattern(HttpMessage msg, String header, Pattern pattern)
Check if the given pattern can be found in the header.
Parameters:
msg - the message that will be checked
header - the name of the header
pattern - the pattern that will be used

protected boolean matchBodyPattern(HttpMessage msg, Pattern pattern, StringBuilder sb)
Check if the given pattern can be found in the msg body.
Parameters:
msg - the message that will be checked
pattern - the pattern that will be used
sb - where the regex match should be appended

protected void writeProgress(String msg)
Write a progress update message.
Parameters:
msg - the progress message

public HostProcess getParent()
Get the parent HostProcess.

protected String stripOff(String body, String pattern)
Replaces the body by stripping off the pattern string.
Parameters:
body - the body that will be used
pattern - the pattern used for the removals

protected Kb getKb()

protected org.apache.log4j.Logger getLog()
public void setConfig(org.apache.commons.configuration.Configuration config)

public org.apache.commons.configuration.Configuration getConfig()

public void saveTo(org.apache.commons.configuration.Configuration conf)

public void loadFrom(org.apache.commons.configuration.Configuration conf)

public void createParamIfNotExist()
Check and create necessary parameter in config file if not already present.
Specified by: createParamIfNotExist in interface Plugin

public boolean isDepreciated()
Specified by: isDepreciated in interface Plugin

public int getRisk()
Gets the highest risk level of the alerts raised by the plugin.
Specified by: getRisk in interface Plugin
See Also: Alert.RISK_HIGH, Alert.RISK_MEDIUM, Alert.RISK_LOW, Alert.RISK_INFO

public int getDelayInMs()
Specified by: getDelayInMs in interface Plugin

public void setDelayInMs(int delayInMs)
Specified by: setDelayInMs in interface Plugin
public boolean inScope(Tech tech)
Tells whether or not the given technology is enabled for the scan. Helper method to check if a technology is enabled before performing a test/scan.
Specified by: inScope in interface Plugin
Parameters:
tech - the technology that will be checked
Returns:
true if the technology is enabled for the scan, false otherwise
See Also: isAnyInScope(Tech...)

protected boolean isAnyInScope(Tech... techs)
Tells whether or not any of the given technologies is enabled for the scan. Helper method to check if any of the related technologies is enabled before performing a test/scan. For example:

    if (isAnyInScope(Tech.Linux, Tech.MacOS)) {
        // Perform nix test...
    }

Parameters:
techs - the technologies that will be checked.
Returns:
true if any of the technologies is enabled for the scan, false otherwise.
See Also: inScope(Tech), targets(TechSet)
public void setTechSet(TechSet ts)
Sets the technologies enabled for the scan. Called before initialising the plugin.
Specified by: setTechSet in interface Plugin
Parameters:
ts - the technologies enabled for the scan
See Also: Plugin.targets(TechSet)

public TechSet getTechSet()
Returns the technologies enabled for the scan.
Returns:
the TechSet with the technologies enabled for the scan, never null (since 2.6.0)
See Also: inScope(Tech), targets(TechSet)

public boolean targets(TechSet technologies)
Returns true by default.
Specified by: targets in interface Plugin
Parameters:
technologies - the technologies that are enabled for the scan, never null
Returns:
true if the scanner is targeting the given technologies (or none at all), false otherwise
See Also: getTechSet()
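The inScope, isAnyInScope and targets entries above describe two levels of technology scoping: targets(TechSet) lets the host process skip a rule entirely, while inScope/isAnyInScope gate individual payload families inside scan(). The following is an added example of both levels in one rule base class (not ZAP's own code and not part of this reference page). Tech.Windows and TechSet.includes(Tech) are assumptions drawn from the wider ZAP API and do not appear on this page; the payload lists are constructed and the concrete rule that supplies id, name and scan() is left to subclasses.

```java
package org.zaproxy.zap.extension.example; // hypothetical package

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.parosproxy.paros.core.scanner.AbstractPlugin;
import org.zaproxy.zap.model.Tech;
import org.zaproxy.zap.model.TechSet;

/**
 * Added example, not ZAP's own code: a base class for OS-specific file
 * probing rules that only runs, and only sends payloads, for the operating
 * systems enabled in the scan's TechSet.
 */
public abstract class OsFileProbeRuleBase extends AbstractPlugin {

    // Constructed payload families; each is only useful on its own OS family.
    private static final String[] NIX_PAYLOADS = {
        "/etc/passwd", "../../../../etc/passwd"
    };
    private static final String[] WINDOWS_PAYLOADS = {
        "c:\\windows\\win.ini", "..\\..\\..\\..\\windows\\win.ini"
    };

    // Every technology this rule knows how to test.
    private static final Tech[] TESTED_TECHS = { Tech.Linux, Tech.MacOS, Tech.Windows };

    /**
     * Overrides the default (always true) so the host process skips this rule
     * when none of the operating systems it can test is enabled. Returning true
     * when TechSet is empty is not needed: an empty set means nothing is in scope.
     */
    @Override
    public boolean targets(TechSet technologies) {
        for (Tech tech : TESTED_TECHS) {
            if (technologies.includes(tech)) {   // TechSet.includes(Tech) assumed from the ZAP API
                return true;
            }
        }
        return false;
    }

    /**
     * Payloads to send for the enabled technologies, in send order. Called from
     * the concrete rule's scan(); the result is empty exactly when targets()
     * would have returned false, so scan() can simply loop over it.
     */
    protected List<String> payloadsForScope() {
        List<String> payloads = new ArrayList<>();
        if (isAnyInScope(Tech.Linux, Tech.MacOS)) {   // one family for every Unix-like target
            payloads.addAll(Arrays.asList(NIX_PAYLOADS));
        }
        if (inScope(Tech.Windows)) {
            payloads.addAll(Arrays.asList(WINDOWS_PAYLOADS));
        }
        return payloads;
    }
}
```

Scoping at both levels is deliberate: targets() saves the host process from initialising and scheduling a rule that cannot produce anything, and the in-scan checks keep a rule that does run from spending its request budget on payloads for platforms the user excluded.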
public Date getTimeStarted()
Specified by: getTimeStarted in interface Plugin

public Date getTimeFinished()
Specified by: getTimeFinished in interface Plugin

public void setTimeStarted()
Specified by: setTimeStarted in interface Plugin

public void setTimeFinished()
Specified by: setTimeFinished in interface Plugin

public int getCweId()
Gets the CWE ID of the issue(s) raised by the scanner.
Specified by: getCweId in interface Plugin

public int getWascId()
Gets the WASC ID of the issue(s) raised by the scanner.
Specified by: getWascId in interface Plugin

public AddOn.Status getStatus()
Gets the status of the plugin (as given by the corresponding add-on). The status is automatically set by core code during initialisation.

public void setStatus(AddOn.Status status)