tell zap to not forward specific url


karim reda Fakhir

Feb 25, 2019, 10:02:12 AM
to OWASP ZAP User Group
Hi everybody,

I use ZAP as a proxy for a certain application on my mobile; it works perfectly, but after 5 minutes my application sends a call to a logout web service on the backend. How do I tell ZAP not to forward the logout call?

Thanks in advance.

hauschu...@gmail.com

Feb 26, 2019, 2:30:33 AM
to OWASP ZAP User Group

Hello!

Good question!

I originally was looking into the Replacer function (under Tools/Options), but it looks like that only acts on headers or body, not the request URL.

So unless someone else here has some cool insight, there are two ways I can think of to do that:

The first is to use an HttpSender zest script (this script will act on all requests, even for scans, fuzzers, etc). You can then set a simple statement like IF: URL (regex contains '/logout.etc') THEN replace {{request.url}} with google.com (or something) ELSE (blank).

As far as I know there isn't an easy way to drop the request entirely (at least in .zst format!), so I would suggest just changing the URL to point to something harmless. Though it's possible your application might not like that....

See screenshot for layout

My next method would be to use Fiddler as a downstream proxy; it has an Autoresponder function which allows you to check a URL regex and then just drop the request (or even return a predefined one instead). But of course installing an entirely new tool just for one problem might not be the best, and it's Windows native (though I'm sure some others have a similar option).

Let us know what you come up with!


[Attachment: Untitled.jpg (screenshot of the Zest script layout)]

hauschu...@gmail.com

Feb 26, 2019, 2:37:59 AM
to OWASP ZAP User Group
Update!

You can also add a custom break point (click the big red X with small green plus above the request header pane) and set a regex to only match the logout request. 

Once you click the green button to the left to enable breakpoints, it should catch the logout request before it is sent, and then you can choose to click the 'bin request or response' button to just drop it entirely. It should leave all other requests/responses alone.

The only downside here is that you will have to manually drop it every time, but every 5 minutes isn't too bad!

karim reda Fakhir

Feb 26, 2019, 6:56:29 AM
to zaprox...@googlegroups.com
Hey, thank you for your response; I will use the HTTP Sender because I am familiar with it.
Great!

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/9f62aeac-3a7c-4d22-a64a-c6086f9392da%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

thc...@gmail.com

Feb 27, 2019, 5:18:02 AM
to zaprox...@googlegroups.com
Hi.

The Replacer rules can also change the URL; you need to choose Request Header String for that:
https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsReplacerReplacer

The Proxy scripts can drop (there's a Zest template showing that) and also return custom responses when handling the request, ideal for this use case.

(The HTTP Sender scripts can't drop a request, no matter what script engine is used.)

Best regards.
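A Proxy script of the kind described in the reply above, as an added example that is not part of this thread or of ZAP's own script templates. It assumes the logout call hits a path whose last segment is `/logout` (the real endpoint is not given in the thread; change `LOGOUT_PATTERN` to match yours). The `makeMsg` helper is a constructed stand-in for ZAP's `HttpMessage` so the matching logic can be exercised with node outside ZAP; inside ZAP, `msg` is supplied by the proxy.

```javascript
// Added example: a ZAP "Proxy" script (JavaScript engine) that drops any
// request whose URL matches the logout endpoint, so the backend never
// receives it. Load it in ZAP under Scripts > Proxy and enable it.
//
// ZAP calls proxyRequest(msg) for every request passing through the proxy;
// returning false drops the request instead of forwarding it, returning true
// forwards it unchanged. HTTP Sender scripts have no such drop option, which
// is why this has to be a Proxy script.

// Assumption: the logout endpoint's last path segment is "logout". This
// matches /logout, /api/v1/logout and /logout?token=..., but not
// /logoutHistory. Applied to the full request URL.
var LOGOUT_PATTERN = /^https?:\/\/[^\/]+(?:\/[^?#]*)?\/logout(?:[\/?#]|$)/i;

// ZAP's script engine exposes print(); fall back to console.log under node.
var log = (typeof print === 'function') ? print : function (s) { console.log(s); };

function isLogoutRequest(url) {
  return LOGOUT_PATTERN.test(url);
}

// Entry point called by ZAP for each proxied request.
// msg is ZAP's HttpMessage; getRequestHeader().getURI() is its request URI.
function proxyRequest(msg) {
  var url = msg.getRequestHeader().getURI().toString();
  if (isLogoutRequest(url)) {
    log('Dropping logout request: ' + url);
    return false; // drop: not sent to the backend
  }
  return true;    // forward every other request as normal
}

// Entry point called by ZAP for each proxied response; nothing to change here.
function proxyResponse(msg) {
  return true;
}

// Constructed stand-in for ZAP's HttpMessage (not a ZAP API) exposing only
// the methods proxyRequest() uses, so the script can be checked outside ZAP.
function makeMsg(url) {
  return {
    getRequestHeader: function () {
      return {
        getURI: function () {
          return { toString: function () { return url; } };
        }
      };
    }
  };
}

// Stand-alone demo when run with node; ZAP never executes this branch
// because require() does not exist in its script engine.
if (typeof require === 'function' && require.main === module) {
  [
    'https://api.example.com/api/v1/logout?token=abc',
    'https://api.example.com/api/v1/profile',
    'https://api.example.com/logoutHistory'
  ].forEach(function (u) {
    log(u + ' -> ' + (proxyRequest(makeMsg(u)) ? 'forward' : 'DROP'));
  });
}
```

Because the request is dropped at the proxy, the mobile app gets no HTTP response for its logout call and will typically see a connection error or timeout; if the app reacts badly to that, the reply above points out that a Proxy script can instead set a custom response on the message, which is the place to return a harmless 200 so the app believes the logout succeeded.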

hauschu...@gmail.com

Feb 27, 2019, 6:56:47 AM
to OWASP ZAP User Group
Awesome, I always forget about those proxy templates!

karim reda Fakhir

Mar 8, 2019, 10:39:45 AM
to zaprox...@googlegroups.com
Yeah, very good solution, thank you 😁
