python supported?

Javi D R

Feb 24, 2021, 10:45:02 AM
to OWASP ZAP Developer Group
Hi


Is Python now supported by ZAP? Some time ago only Jython was supported, which is super annoying. If we can now write scripts in Python, I can write several plugins!

kingthorin+owaspzap

Feb 24, 2021, 6:16:29 PM
to OWASP ZAP Developer Group
It's still Jython under the hood, but you write Python code to do whatever you want, which is what all the scripts you linked to are.

psiinon

Feb 25, 2021, 4:23:04 AM
to OWASP ZAP Developer Group
The ZAP core is written in Java and so can use JSR223 to integrate any scripting language that supports it.
The core team is relatively small and so does not have the resources to integrate any scripting languages that do not support JSR223 :)

Cheers,

Simon

Javi D R

Feb 25, 2021, 4:32:37 AM
to OWASP ZAP Developer Group
Thanks both. So then, how can I add those existing Python scripts in ZAP? I am trying to import it in the script console and it only allows me to select Zest or ECMAScript as the engine.

If I select Zest, it doesn't load the script, it loads a template.

Selecting ECMA, it loads the script, but it expects a JavaScript file, so I get this error when triggering the Python rule:

jdk.nashorn.internal.runtime.ParserException: <eval>:1:3 Missing close quote


How could I make that rule work? Once I have an example of how to load it, I can start writing my own scripts.

Thanks!

psiinon

Feb 25, 2021, 4:37:37 AM
to OWASP ZAP Developer Group
You first need to install the Python Scripting add-on: https://www.zaproxy.org/docs/desktop/addons/python-scripting/
That will include the Python script templates and allow you to import or write your own scripts.
We also have a community scripts add-on https://www.zaproxy.org/docs/desktop/addons/community-scripts/ which includes all of the scripts in the https://github.com/zaproxy/community-scripts repo.
If you write any scripts that you think others may find useful then please submit them to that repo :)
FYI I cover ZAP scripting in both the ZAP in Ten and ZAP Deep Dive video series.

Cheers,

Simon

Javi D R

Feb 25, 2021, 4:41:29 AM
to OWASP ZAP Developer Group
Thanks! That is what I was missing :)

I want to adapt two standalone tools we have as ZAP plugins. I will keep you posted.



Javi D R

Feb 25, 2021, 9:36:53 AM
to OWASP ZAP Developer Group
Hi

Quick question... is there any limitation on importing dependencies? I am importing tldextract, but it says this dependency does not exist.

How can I install dependencies?

Thanks

psiinon

Feb 25, 2021, 9:51:16 AM
to OWASP ZAP Developer Group
That depends on the scripting language you use.

Cheers,

Simon

Javi D R

Feb 25, 2021, 10:34:43 AM
to OWASP ZAP Developer Group
Great. Nearly there!

My script works fine now, it does what I want, but the console returns this error:

java.lang.reflect.UndeclaredThrowableException
java.lang.reflect.UndeclaredThrowableException

How could i see what is throwing that exception?

Thanks

kingthorin+owaspzap

Feb 26, 2021, 9:38:44 AM
to OWASP ZAP Developer Group
You could check ZAP's log file, it might have more verbose details:

Javi D R

Feb 26, 2021, 10:22:17 AM
to OWASP ZAP Developer Group
No, nothing in the logs, this is at debug level, but I found the issue. The script needs to have the scan method. If it is not there it throws that exception. I added this and it is fixed:

def scan(sas, msg, param, value):
    pass

OK, all done now... on my local machine. Now, if I want to release the plugin, and I want to import that library, how can it be done? What is detailed here (https://www.zaproxy.org/docs/desktop/addons/python-scripting/options/) appears to work only in a local environment, doesn't it?
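
A pre-flight check for the failure described in the post above, as an added example that is not part of the thread or ZAP's own code: it parses an active-rule script with CPython's `ast` module and reports missing entry points before the script is loaded into ZAP. The `scanNode(sas, msg)` entry point, the `check_active_rule` name and the sample scripts are assumptions; only `scan(sas, msg, param, value)` comes from the thread.

```python
import ast

# Assumption: entry points an Active Rules script is expected to define, with
# the parameter counts of the thread's scan(sas, msg, param, value) and of a
# scanNode(sas, msg) function (the latter is not shown in the thread).
REQUIRED = {"scanNode": 2, "scan": 4}


def check_active_rule(source):
    """Return a list of problems found in a ZAP active-rule script's source."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Jython is Python 2.7; Python 2-only syntax cannot be parsed here.
        return ["cannot parse script: %s (line %s)" % (exc.msg, exc.lineno)]

    # Only module-level functions can serve as entry points for the engine.
    found = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    problems = []
    for name, arity in sorted(REQUIRED.items()):
        fn = found.get(name)
        if fn is None:
            problems.append("missing function %s()" % name)
            continue
        a = fn.args
        positional = len(a.posonlyargs) + len(a.args)
        # *args accepts any count; defaults lower the minimum required.
        lo = positional - len(a.defaults)
        if not (lo <= arity and (a.vararg is not None or arity <= positional)):
            problems.append("%s() must accept %d arguments, takes %d"
                            % (name, arity, positional))
    return problems


# Constructed sample: scanNode present, scan absent (the case in the thread).
BROKEN = '''
def scanNode(sas, msg):
    pass
'''

# Constructed sample: the same script after adding the no-op scan().
FIXED = BROKEN + '''
def scan(sas, msg, param, value):
    pass
'''

if __name__ == "__main__":
    for label, src in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_active_rule(src) or "ok")
```
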

kingthorin+owaspzap

Feb 26, 2021, 12:45:58 PM
to OWASP ZAP Developer Group
You would need to add instructions as code comments for users. You can then open a pull request against: https://github.com/zaproxy/community-scripts

Or blazingwind's repo if it is related to the ASVS stuff linked earlier.

Javi D R

Mar 2, 2021, 5:25:26 AM
to OWASP ZAP Developer Group
Hi

I have done a PR with the changes but the pipeline failed. There is not much information about what failed (I will fix the DGO, don't worry about that).



Thanks

Javi D R

Mar 2, 2021, 5:32:04 AM
to OWASP ZAP Developer Group
never mind... fixed now