Merge pull request #4952 from psiinon/requester/hostheader

Requester: Option to manipulate Host header
zaproxy · Sep 29, 2023 · 4bb97d6 · 4bb97d6
2 parents 1101348 + b3cfeef
commit 4bb97d6
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 5 deletions.
diff --git a/addOns/requester/CHANGELOG.md b/addOns/requester/CHANGELOG.md
@@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
+### Added
+- Option to manipulate Host header.
+
 ### Changed
 - Maintenance changes.
 

diff --git a/addOns/requester/src/main/java/org/zaproxy/addon/requester/internal/HttpPanelSender.java b/addOns/requester/src/main/java/org/zaproxy/addon/requester/internal/HttpPanelSender.java
@@ -39,6 +39,7 @@
 import org.parosproxy.paros.model.Session;
 import org.parosproxy.paros.network.HttpMalformedHeaderException;
 import org.parosproxy.paros.network.HttpMessage;
+import org.parosproxy.paros.network.HttpRequestHeader;
 import org.parosproxy.paros.network.HttpSender;
 import org.parosproxy.paros.view.View;
 import org.zaproxy.addon.requester.ExtensionRequester;
@@ -62,11 +63,12 @@ public class HttpPanelSender {
 
     private HttpSender delegate;
 
-    private JToggleButton fixContentLength = null;
-    private JToggleButton followRedirect = null;
-    private JToggleButton useTrackingSessionState = null;
-    private JToggleButton useCookies = null;
-    private JToggleButton useCsrf = null;
+    private JToggleButton fixContentLength;
+    private JToggleButton followRedirect;
+    private JToggleButton useTrackingSessionState;
+    private JToggleButton useCookies;
+    private JToggleButton useCsrf;
+    private JToggleButton hostHeader;
 
     public HttpPanelSender(CustomHttpPanelRequest requestPanel, HttpPanelResponse responsePanel) {
         this.responsePanel = responsePanel;
@@ -82,6 +84,7 @@ public HttpPanelSender(CustomHttpPanelRequest requestPanel, HttpPanelResponse re
                 getButtonFollowRedirects(), HttpPanel.OptionsLocation.AFTER_COMPONENTS);
         requestPanel.addOptions(
                 getButtonFixContentLength(), HttpPanel.OptionsLocation.AFTER_COMPONENTS);
+        requestPanel.addOptions(getButtonHostHeader(), HttpPanel.OptionsLocation.AFTER_COMPONENTS);
         if (extAntiCSRF != null) {
             requestPanel.addOptions(getButtonUseCsrf(), HttpPanel.OptionsLocation.AFTER_COMPONENTS);
         }
@@ -96,6 +99,12 @@ void sendMessage(Message aMessage) throws IOException {
 
         Map<String, Object> properties = new HashMap<>();
         properties.put("connection.manual.persistent", Boolean.TRUE);
+        if (!getButtonHostHeader().isSelected()) {
+            String host = httpMessage.getRequestHeader().getHeader(HttpRequestHeader.HOST);
+            if (host != null) {
+                properties.put("host", host);
+            }
+        }
         httpMessage.setUserObject(properties);
 
         if (getButtonFixContentLength().isSelected()) {
@@ -241,6 +250,15 @@ private JToggleButton getButtonFixContentLength() {
         return fixContentLength;
     }
 
+    private JToggleButton getButtonHostHeader() {
+        if (hostHeader == null) {
+            hostHeader = new JToggleButton(ExtensionRequester.createIcon("fugue/server.png"), true);
+            hostHeader.setToolTipText(
+                    Constant.messages.getString("requester.httpsender.checkbox.hostheader"));
+        }
+        return hostHeader;
+    }
+
     /**
      * A {@link HttpRedirectionValidator} that enforces the {@link
      * org.parosproxy.paros.control.Control.Mode Mode} when validating the {@code URI} of

diff --git a/addOns/requester/src/main/javahelp/help/contents/dialogs.html b/addOns/requester/src/main/javahelp/help/contents/dialogs.html
@@ -76,6 +76,15 @@ <H3>
 	any value you like.
 	<br>
 
+	<H3>
+		<img src="images/fugue/server.png" width="16" height="16" alt="" />&nbsp;
+		Update Host Header
+	</H3>
+	By default ZAP will automatically update (or add) the Host header to
+	match the URL specified. If this option is unselected then ZAP will not
+	update the header allowing you to specify any value you like.
+	<br>
+
 	<H3>
 		<img src="images/csrf-button.png" width="16" height="16" alt="" />&nbsp;
 		Regenerate Anti-CSRF Token

diff --git a/addOns/requester/src/main/javahelp/help/contents/images/fugue/server.png b/addOns/requester/src/main/javahelp/help/contents/images/fugue/server.png
diff --git a/addOns/requester/src/main/resources/org/zaproxy/addon/requester/Messages.properties b/addOns/requester/src/main/resources/org/zaproxy/addon/requester/Messages.properties
@@ -25,6 +25,7 @@ requester.httppanel.tab.response = Response
 
 requester.httpsender.checkbox.fixlength = Update Content Length
 requester.httpsender.checkbox.followredirect = Follow redirect
+requester.httpsender.checkbox.hostheader = Update Host Header
 requester.httpsender.checkbox.usecookies = Accept cookies
 requester.httpsender.checkbox.usecsrf = Regenerate Anti-CSRF Token
 requester.httpsender.checkbox.usesession = Use current tracking session

diff --git a/...equester/src/main/resources/org/zaproxy/addon/requester/images/fugue/server.png b/...equester/src/main/resources/org/zaproxy/addon/requester/images/fugue/server.png