Web Application Security Memo

Notes on web security

Explanations for the posts titled "Add a new property to the Http-header" in OWASP ZAP Developer Group



OWASP ZAP

(This post is an English version of the previous article.)

I recently read the posts titled “Add a new property to the Http-header” in the OWASP ZAP Developer Group, where thc202 posted JavaScript scripts that set a custom header on all requests sent by ZAP. In this article I explain what those scripts are doing.

The first script

When creating this script, you need to select “Stand Alone” as the Type and “ECMAScript: Oracle Nashorn” as the Script engine.

// Register a listener (an instance of the "HttpSenderListener" interface) with the "HttpSender" class
org.parosproxy.paros.network.HttpSender.addListener(
  new org.zaproxy.zap.network.HttpSenderListener() {
    // determines the position of this listener among all registered listeners
    getListenerOrder: function() {
      return 1;
    },

    // this method is called right before an HTTP request is sent
    onHttpRequestSend: function(msg, initiator) {
      // add a custom header to the message object
      msg.getRequestHeader().setHeader(
        "X-MyCustomHeader", "ValueOfMyCustomHeader");
    },

    // this method is called right after an HTTP response is received
    onHttpResponseReceive: function(msg, initiator) {
    }
});

Explanations:

  • ZAP executes a script using JSR-223.

    The ZAP Script Add-on allows you to run scripts that can be embedded within ZAP and can access internal ZAP data structures.

    (From the ZAP help page HelpAddonsScriptsScripts.)

    • This means that a script can use the Java classes and interfaces implemented in ZAP without any additional code.
  • The HttpSender class is responsible for sending a request and receiving its response; it is used by the proxy, spider, active scanner, fuzzer and other functions.

  • The HttpSender class holds a list of listeners (each implementing the HttpSenderListener interface) as a property.

    • The listeners run right before a request is sent and right after a response is received, which is where a script can modify the message object msg.
    • ZAP itself also uses many listeners to implement functions other than scripts.
    • The script above adds a new listener to that list.
  • msg in the script is an instance of the HttpMessage class, which has properties for the request and the response.

  • There seems to be no method that removes a listener, so you can’t stop the effect of the listener you added until ZAP exits. (Please let me know if there’s a way.)

The second script

When creating this script, you need to select “Proxy” as the Type so that it affects only the requests proxied through ZAP.

// called for every request proxied through ZAP; returning true forwards the request
function proxyRequest(msg) {
  msg.getRequestHeader().setHeader(
    "X-MyCustomHeader", "ValueOfMyCustomHeader");
  return true;
}

// called for every response proxied through ZAP; returning true forwards the response
function proxyResponse(msg) {
  return true;
}

Explanations:

  • The functions above implement the ProxyScript interface.
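As an added example (not part of the original post or thc202's scripts), the following Proxy script adds the custom header only to requests for an allow-listed host and strips it from requests to any other host, so a test or authentication header proxied through ZAP is not forwarded to third-party domains. It assumes HttpRequestHeader#getHostName() and that setHeader(name, null) removes a header in ZAP's HttpHeader; neither appears in the original scripts, and the allowed hosts are constructed values.

```javascript
var HEADER_NAME = "X-MyCustomHeader";
var HEADER_VALUE = "ValueOfMyCustomHeader";

// Constructed allow-list: hosts that should receive the header; subdomains of each entry are included.
var ALLOWED_HOSTS = ["example.com", "api.example.org"];

// True when host equals an allowed entry or is a subdomain of it (case-insensitive).
function isAllowedHost(host) {
  if (!host) { return false; }
  var h = String(host).toLowerCase();
  for (var i = 0; i < ALLOWED_HOSTS.length; i++) {
    var a = ALLOWED_HOSTS[i];
    if (h === a || h.slice(-(a.length + 1)) === "." + a) { return true; }
  }
  return false;
}

// Sets the header for allowed hosts and removes any stale copy for other hosts,
// so the value is never forwarded to third parties. Returns true when it was set.
function applyCustomHeader(requestHeader) {
  if (isAllowedHost(requestHeader.getHostName())) {
    requestHeader.setHeader(HEADER_NAME, HEADER_VALUE);
    return true;
  }
  requestHeader.setHeader(HEADER_NAME, null); // assumed: a null value removes the header in ZAP
  return false;
}

// ZAP entry points of the ProxyScript interface; returning false would drop the message.
function proxyRequest(msg) {
  applyCustomHeader(msg.getRequestHeader());
  return true;
}

function proxyResponse(msg) {
  return true;
}

// Constructed stand-in for ZAP's HttpRequestHeader so the logic can be exercised outside ZAP.
function fakeRequestHeader(host) {
  var headers = {};
  return {
    getHostName: function () { return host; },
    setHeader: function (name, value) {
      if (value === null) { delete headers[name]; } else { headers[name] = value; }
    },
    getHeader: function (name) { return headers.hasOwnProperty(name) ? headers[name] : null; }
  };
}
```

Inside ZAP only proxyRequest and proxyResponse are called; fakeRequestHeader exists solely to test the allow-list logic outside ZAP.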

Memo

  • The Script function has great potential, but writing a complicated script can be hard because debugging is difficult and it requires knowledge of ZAP’s internal mechanisms.

Environment

  • OWASP ZAP 2.3.1

(Please point out any mistakes in my English.)
(Typos and comments are also welcome.)

Last updated: 2014-11-16