Fixed bugs + changed url-decode (again)

stfbk · Sep 25, 2023 · a10db31 · a10db31
1 parent 6ee990d
commit a10db31
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 3 deletions.
diff --git a/doc/language.md b/doc/language.md
@@ -526,7 +526,7 @@ The Checks tag inside an operation has a list of Check elements, which can be de
 
 > Note that `check` accepts only the `is present` tag.
 
-> Note that by default, all the values read from a message that contains url-encoded values (only message, not json) are URL-decoded before the checks are executed. You can disable this behaviour by using `url decode` = false
+> Note that by default, all the values read from a message are URL-decoded before the checks are executed. You can disable this behaviour by using `url decode` = false. You should disable url-decoding when you are checking values that contains "+" characters, that would be converted to spaces.
 
 In passive tests the checks's result are intended as the entire test result, so all the checks has to pass to have a successfull test.
 

diff --git a/tool/src/main/java/migt/BurpExtender.java b/tool/src/main/java/migt/BurpExtender.java
@@ -176,11 +176,11 @@ private void processMatchedMsg(MessageType msg_type,
                     // TODO: fix randomly replaced messages
                     // sometimes the bytes of the processed message is different from the original one, but the string
                     // of both messages is equal
-                    if (!Arrays.equals(message.getRequest(), mainPane.act_active_op.processed_message)) {
+                    if (!Arrays.equals(messageInfo.getRequest(), mainPane.act_active_op.processed_message)) {
                         messageInfo.setRequest(mainPane.act_active_op.processed_message);
                     }
                 } else {
-                    if (!Arrays.equals(message.getResponse(), mainPane.act_active_op.processed_message)) {
+                    if (!Arrays.equals(messageInfo.getResponse(), mainPane.act_active_op.processed_message)) {
                         messageInfo.setResponse(mainPane.act_active_op.processed_message);
                     }
                 }

diff --git a/tool/src/main/java/migt/Check.java b/tool/src/main/java/migt/Check.java
@@ -557,12 +557,20 @@ public void execute(List<Var> vars) throws ParsingException {
         // URL-decode matched content
         // when a string contains a "+" character then, it is replaced with a space.
         if (url_decode) {
+            /*
             Pattern p = Pattern.compile("%[0-9a-fA-F]{2}");
             Matcher m = p.matcher(op_val);
             if (m.find()) {
                 // if the content contains url-encoded characters then, url-decode the content
                 op_val = URLDecoder.decode(op_val, StandardCharsets.UTF_8);
             }
+            */
+            if (op_val.contains("+")) {
+                System.err.println("Warning! During a check on the value\"" + op_val + "\" a '+' symbol has been" +
+                        "converted to a space, as it has been interpreted as url-encoded character. If you want to avoid" +
+                        "this behaviour use 'url decode' tag set to false inside the check to disable url-decoding " );
+            }
+            op_val = URLDecoder.decode(op_val, StandardCharsets.UTF_8);
         }
 
         if (imported_api instanceof Operation_API) {

diff --git a/tool/src/main/java/migt/EditOperation.java b/tool/src/main/java/migt/EditOperation.java
@@ -307,6 +307,7 @@ public void execute(List<Var> vars) throws ParsingException {
                             this.result = false;
                             return;
                         }
+                        applicable = true;
                     } else if (sign) {
                         applicable = true;
                         tmp_imported_api.jwt.sign = true;