thomashartm · February 27, 2018 00:33
diff --git a/zap-dispatcher-security-check.js b/zap-dispatcher-security-check.js
 /**
 * Targeted zap script to check for URLs that are prohibited when using the AEM dispatcher.
 * Usage: Select a a node in your site tree. Select the Invoke with Script option from your context menu and select this zapcript. 
 * @author [email protected]
 */
 paths = [
    "/admin",
    "/system/console",
    "/dav/crx.default",
    "/crx",
    "/bin/crxde/logs",
    "/jcr:system/jcr:versionStorage.json",
    "/_jcr_system/_jcr_versionStorage.json",
    "/libs/wcm/core/content/siteadmin.html",
    "/libs/collab/core/content/admin.html",
    "/libs/cq/ui/content/dumplibs.html",
    "/var/linkchecker.html",
    "/etc/linkchecker.html",
    "/home/users/a/admin/profile.json",
    "/home/users/a/admin/profile.xml",
    "/libs/cq/core/content/login.json",
    "/content/../libs/foundation/components/text/text.jsp",
    "/content/.{.}/libs/foundation/components/text/text.jsp",
    "/apps/sling/config/org.apache.felix.webconsole.internal.servlet.OsgiManager.config/jcr%3acontent/jcr%3adata",
    "/libs/foundation/components/primary/cq/workflow/components/participants/json.GET.servlet",
    "/content.pages.json",
    "/content.languages.json",
    "/content.blueprint.json",
    "/content.-1.json",
    "/content.10.json",
    "/content.infinity.json",
    "/content.tidy.json",
    "/content.tidy.-1.blubber.json",
    "/content/dam.tidy.-100.json",
    "/content/content/geometrixx.sitemap.txt ",
    "/etc.xml",
    "/content.feed.xml",
    "/content.rss.xml",
    "/content.feed.html"]

 // Targeted scripts can only be invoked by you, the user, eg via a right-click option on the Sites or History tabs
 function invokeWith(msg) {

    new JavaImporter('org.parosproxy.paros.network.HttpSender')

    // Debugging can be done using println like this
    print('Finding comments under ' + msg.getRequestHeader().getURI().toString());
    prefix = msg.getRequestHeader().getURI().toString();

    origMsg = msg;
    origURL = origMsg.getRequestHeader().getURI().toString();
    origPath = origMsg.getRequestHeader().getURI().getPath();
    msg = origMsg.cloneRequest();


    for (var i=0; i < paths.length; i++) {
        path = paths[i];

        msg.getRequestHeader().getURI().setPath(path);
        msg.getRequestHeader().setMethod("GET");
        msg.getRequestHeader().setContentLength(msg.getRequestBody().length());

        // create a new sender
        sender = new org.parosproxy.paros.network.HttpSender(org.parosproxy.paros.model.Model.getSingleton().getOptionsParam().getConnectionParam(), true, 6)

        // send our new request
        sender.sendAndReceive(msg)

        statusCode=msg.getResponseHeader().getStatusCode();
        print(path + statusCode)
    }

 }
	/**
	* Targeted zap script to check for URLs that are prohibited when using the AEM dispatcher.
	* Usage: Select a a node in your site tree. Select the Invoke with Script option from your context menu and select this zapcript.
	* @author [email protected]
	*/
	paths = [
	"/admin",
	"/system/console",
	"/dav/crx.default",
	"/crx",
	"/bin/crxde/logs",
	"/jcr:system/jcr:versionStorage.json",
	"/_jcr_system/_jcr_versionStorage.json",
	"/libs/wcm/core/content/siteadmin.html",
	"/libs/collab/core/content/admin.html",
	"/libs/cq/ui/content/dumplibs.html",
	"/var/linkchecker.html",
	"/etc/linkchecker.html",
	"/home/users/a/admin/profile.json",
	"/home/users/a/admin/profile.xml",
	"/libs/cq/core/content/login.json",
	"/content/../libs/foundation/components/text/text.jsp",
	"/content/.{.}/libs/foundation/components/text/text.jsp",
	"/apps/sling/config/org.apache.felix.webconsole.internal.servlet.OsgiManager.config/jcr%3acontent/jcr%3adata",
	"/libs/foundation/components/primary/cq/workflow/components/participants/json.GET.servlet",
	"/content.pages.json",
	"/content.languages.json",
	"/content.blueprint.json",
	"/content.-1.json",
	"/content.10.json",
	"/content.infinity.json",
	"/content.tidy.json",
	"/content.tidy.-1.blubber.json",
	"/content/dam.tidy.-100.json",
	"/content/content/geometrixx.sitemap.txt ",
	"/etc.xml",
	"/content.feed.xml",
	"/content.rss.xml",
	"/content.feed.html"]

	// Targeted scripts can only be invoked by you, the user, eg via a right-click option on the Sites or History tabs
	function invokeWith(msg) {

	new JavaImporter('org.parosproxy.paros.network.HttpSender')

	// Debugging can be done using println like this
	print('Finding comments under ' + msg.getRequestHeader().getURI().toString());
	prefix = msg.getRequestHeader().getURI().toString();

	origMsg = msg;
	origURL = origMsg.getRequestHeader().getURI().toString();
	origPath = origMsg.getRequestHeader().getURI().getPath();
	msg = origMsg.cloneRequest();


	for (var i=0; i < paths.length; i++) {
	path = paths[i];

	msg.getRequestHeader().getURI().setPath(path);
	msg.getRequestHeader().setMethod("GET");
	msg.getRequestHeader().setContentLength(msg.getRequestBody().length());

	// create a new sender
	sender = new org.parosproxy.paros.network.HttpSender(org.parosproxy.paros.model.Model.getSingleton().getOptionsParam().getConnectionParam(), true, 6)

	// send our new request
	sender.sendAndReceive(msg)

	statusCode=msg.getResponseHeader().getStatusCode();
	print(path + statusCode)
	}

	}