pass secret to zap hook


Cameron Griffin

Jun 26, 2023, 9:28:53 AM
to OWASP ZAP User Group
How can I pass a secret (API token) to a zap scan hook? If I hardcode the token, it works fine. I just can't get MY_TOKEN from the docker command to my-hook.js. I've tried adding the following, but MY_TOKEN is null.

var MY_TOKEN = process.env.MY_TOKEN


My docker run command:
-----------------------
docker run \
-v $(pwd)/zap/:/zap/wrk/:rw \
-e MY_TOKEN="1234abcd" \
owasp/zap2docker-stable zap-full-scan.py -I -d \
-t https://mytarget.com \
-g gen.conf \
-J mytarget-scan-report.json \
-r mytarget-scan-report.html \
-n /zap/wrk/my-scan.context \
--hook=my-hook.py

my-hook.py
------------
def zap_started(zap, target):
    zap.script.load('my-hook.js', 'httpsender', 'Oracle Nashorn', '/zap/wrk/my-hook.js')
    zap.script.enable('my-hook.js')

my-hook.js
------------
var HttpSender = Java.type('org.parosproxy.paros.network.HttpSender');
var MY_TOKEN = "1234abcd"; // var MY_TOKEN = process.env.AUTH_TOKEN

function sendingRequest(msg, initiator, helper) {
    if (initiator !== HttpSender.AUTHENTICATION_INITIATOR && msg.isInScope()) {
        msg.getRequestHeader().setHeader("Authorization", 'Bearer ' + MY_TOKEN);
        msg.getRequestHeader().setHeader("other-required-header", "abc-123-efg-123456789");
    }
}

Cameron Griffin

Jun 26, 2023, 9:35:39 AM
to OWASP ZAP User Group
Formatting got mangled in the original post, trying again.

psiinon

Jun 26, 2023, 9:37:43 AM
to zaprox...@googlegroups.com
The env vars should work.

access_key = os.environ.get('AWS_ACCESS_KEY_ID', 'myaccesskey')

Try using that?
If that doesn't work we have more options :)

Cheers,

Simon


--
OWASP ZAP Project leader

Cameron Griffin

Jun 26, 2023, 9:55:21 AM
to OWASP ZAP User Group
I did try that and was able to get the python loader script to spit out the API TOKEN, but wasn't able to get an environment variable in my javascript. Is there a way to pass an environment variable from my python loader script to the javascript?

zap-full-scan.py calls my-hook.py:

import os

def zap_started(zap, target):
    my_token = os.environ.get('AUTH_TOKEN')
    print(my_token)  # <-- this works
    zap.script.load('my-hook.js', 'httpsender', 'Oracle Nashorn', '/zap/wrk/my-hook.js')
    zap.script.enable('my-hook.js')

my-hook.py loads my-hook.js (actual logic resides here):

var MY_TOKEN = process.env.AUTH_TOKEN;
console.log(MY_TOKEN); // <-- this does not work


thc...@gmail.com

Jun 26, 2023, 10:00:54 AM
to zaprox...@googlegroups.com

Cameron Griffin

Jun 26, 2023, 10:09:43 AM
to OWASP ZAP User Group
var System = Java.type("java.lang.System");
var AUTH_TOKEN = System.getenv("AUTH_TOKEN");

Worked like a charm!! Thanks!!
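The fix confirmed above, as an added example that is not code from the thread or from the ZAP project: the httpsender script rewritten so the token comes from java.lang.System.getenv under ZAP's Nashorn engine, with a fail-fast check so an unset variable (or a name mismatch such as MY_TOKEN in the docker -e flag versus AUTH_TOKEN in the script, as in the first post) raises an error instead of sending "Bearer null". The process.env fallback and the names getEnv, requireToken and addAuthHeaders are introduced here so the header logic can be exercised outside ZAP in plain Node; AUTH_TOKEN is the variable name used in the thread.

```javascript
// Added example, not code from the thread or the ZAP project. Under ZAP's
// Nashorn engine the token is read via java.lang.System.getenv (process.env
// is a Node object and is undefined there). Outside ZAP, plain Node, it falls
// back to process.env so the header logic can be tested. getEnv, requireToken
// and addAuthHeaders are names introduced here; AUTH_TOKEN is from the thread.

// Nashorn exposes Java.type; Node does not, so fall back to process.env there.
function getEnv(name) {
  if (typeof Java !== 'undefined') {
    return Java.type('java.lang.System').getenv(name); // null when unset
  }
  if (typeof process !== 'undefined' && process.env[name] !== undefined) {
    return process.env[name];
  }
  return null;
}

// Fail fast: a missing secret should stop the scan rather than produce an
// unauthenticated scan that looks like it ran fine.
function requireToken(name) {
  var value = getEnv(name);
  if (value === null || value === '') {
    throw new Error(name + ' is not set; pass it with docker run -e ' + name + '=...');
  }
  return value;
}

// Decision logic kept free of ZAP types so it can be tested: leave ZAP's own
// authentication traffic and out-of-scope requests untouched.
function addAuthHeaders(msg, initiator, authInitiator, inScope, token) {
  if (initiator === authInitiator || !inScope) {
    return false;
  }
  msg.getRequestHeader().setHeader('Authorization', 'Bearer ' + token);
  return true;
}

// ZAP httpsender entry points.
function sendingRequest(msg, initiator, helper) {
  var HttpSender = Java.type('org.parosproxy.paros.network.HttpSender');
  addAuthHeaders(msg, initiator, HttpSender.AUTHENTICATION_INITIATOR,
                 msg.isInScope(), requireToken('AUTH_TOKEN'));
}

function responseReceived(msg, initiator, helper) {}
```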