Get value from response header

Zoe Nightshade

Oct 3, 2023, 8:02:25 AM
to ZAP User Group
Is it possible to get response headers and their values through scripts or any other ways?

Simon Bennetts

Oct 3, 2023, 8:05:39 AM
to ZAP User Group
Of course :)
We aim to make sure you can get access to all of the ZAP data if you want.
What's your use case?
That may influence the best way to get access to the headers.

cheers,

Simon

Zoe Nightshade

Oct 3, 2023, 8:52:14 AM
to ZAP User Group
I am trying to set up authentication for a context that I will use in the automation framework. The flow is something like this:
- hit the 1st endpoint with username/password
- response contains a header, for example header: value
- hit 2nd endpoint with "header: value" in request header

I hope that makes sense. I think Zest assignment to a variable will work, but I am not sure whether HEAD and BODY refer to the request or the response.
Also, I don't understand how to use the variable in the next request (tried a random string using {%variable%} but that didn't work). Thanks.

Simon Bennetts

Oct 3, 2023, 8:59:19 AM
to ZAP User Group
Have you tried using Authentication Autodetection?
If that works then it will make your life much easier.
And if it doesn't work (and you do have a UI) then maybe we can fix it?

Cheers,

Simon

ar

Oct 3, 2023, 9:04:14 AM
to zaprox...@googlegroups.com
Thank you Simon!
Best regards alex rastimeshin


Zoe Nightshade

Oct 4, 2023, 9:37:02 AM
to ZAP User Group
I tried using auto detection as well, but that doesn't solve the issue as the login process is a series of calls and not all of them are through redirects. With the script, I am pretty sure I have the flow set right but the issue I am facing right now is shown below. I need to do this as I need to capture a token for future requests that would not be sent otherwise.

Screenshot 2023-10-04 185719.png

I was able to get the required header from the response and the value is of the form "/api/test/sso?t=sso_token". I append it to the URL so it forms an endpoint like "https://localhost:8443/api/test/sso?t=sso_token" and send a GET request, but there is an IOException, request does not contain a request-uri. I am not sure what the issue is.
Note that the token has special characters like dot(.), dash(-), underscore. Thanks!
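
The two-step flow described in the thread (a login response header carrying a path and token, then a GET to that path on the target), as an added example that is not part of any post and is not ZAP script code: plain Python against a local stub server. The header name `X-Sso-Path`, the `/login` path, the credentials and the token are constructed placeholders, and `build_followup_url` is a hypothetical helper that resolves the header value against the target and rejects a result that is not an absolute URL.

```python
import http.server
import threading
from urllib import parse, request

# Constructed sample values: the header name, credentials and token are placeholders.
TOKEN = "eyJhbGci.abc-DEF_123"  # includes dot, dash and underscore
HANDOFF_HEADER = "X-Sso-Path"

class StubApp(http.server.BaseHTTPRequestHandler):
    def do_POST(self):  # step 1: login answers with a path in a response header
        form = parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        ok = form.get("username") == ["demo"] and form.get("password") == ["demo-pass"]
        self.send_response(200 if ok else 401)
        if ok:
            self.send_header(HANDOFF_HEADER, "/api/test/sso?t=" + TOKEN)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):  # step 2: accepted only if the token arrives unchanged
        url = parse.urlsplit(self.path)
        ok = url.path == "/api/test/sso" and parse.parse_qs(url.query).get("t") == [TOKEN]
        body = b"session-ok" if ok else b"denied"
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def build_followup_url(base_url, header_value):
    """Resolve the header value against the target; reject anything not absolute."""
    url = parse.urljoin(base_url, header_value.strip())
    parts = parse.urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    return url

def run_flow():
    with http.server.HTTPServer(("127.0.0.1", 0), StubApp) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % server.server_port
        opener = request.build_opener(request.ProxyHandler({}))  # ignore proxy env vars
        try:
            creds = parse.urlencode({"username": "demo", "password": "demo-pass"}).encode()
            with opener.open(base + "/login", data=creds) as login:
                handoff = login.headers[HANDOFF_HEADER]  # response header lookup
            followup = build_followup_url(base, handoff)
            with opener.open(followup) as resp:
                return handoff, followup, resp.read().decode()
        finally:
            server.shutdown()
```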