Hello,
Currently I am trying to test a website that really does not like MITM proxies like ZAP so I am planning to use a browser extension that will intercept all requests and responses in the browser. The plan is to send all that information to a running ZAP instance so that the imported data is shown in the history of ZAP.
My first attempt was to use the browser client addon but that does not seem to work well. In the available documentation I noticed that the addon can be configured (e.g. for specifying the API key) but in my setup I only see one button ("Log HTTP Requests") and ZAP history remains empty (no sign of the messages that were sent/received by the browser).
Next I was trying to use the existing addon "Request Interceptor" as it claims to be some sort of in-browser equivalent of ZAP or Burpsuite. However, I would prefer to use all assistance features that are already available in ZAP rather than extend this addon.
The addon currently does not report request or response bodies, but I already added that functionality (Firefox only: will probably not work on Chrome-based browsers because the extension requires manifest version 2).
I looked in the ZAP API documentation and the closest thing that I found for uploading messages to ZAP seems to be "eximActionImportHar" (not sure if this feature supports request/response bodies though). However, that API call needs a local file and I would prefer to POST (instead of GET) the data directly from the browser to ZAP without an intermediate temporary file.
Presumably this will not require too big a change in ZAP to implement?
Or can you suggest alternative approaches instead of hacking this API call?
Regards,
Eddy.
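
An added example, not part of the original post: one way an extension could serialize a captured exchange, bodies included, into a HAR 1.2 document, the format the import call mentioned above reads. The shape of `captured`, the function names, the fixed `HTTP/1.1` version and the creator name are assumptions, and the sample data is constructed.

```javascript
// Added example; `captured`, `toHarEntry` and `buildHar` are hypothetical names.
// Constructed sample of one exchange as an extension might have recorded it.
const captured = {
  startedDateTime: "2024-01-01T12:00:00.000Z",
  timeMs: 42,
  request: { method: "POST", url: "https://example.com/login?next=%2Fhome",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: "user=alice&pw=secret" },
  response: { status: 200, statusText: "OK",
    headers: { "Content-Type": "application/octet-stream" },
    body: new Uint8Array([0x00, 0xff, 0x10]) }, // binary body
};

const toBase64 = (bytes) => typeof Buffer !== "undefined"
  ? Buffer.from(bytes).toString("base64")       // Node
  : btoa(String.fromCharCode(...bytes));        // browser
const pairs = (obj) =>
  Object.entries(obj).map(([name, value]) => ({ name, value: String(value) }));
const mime = (headers) => {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === "content-type");
  return hit ? hit[1] : "";
};
// HAR "text" is a string, so binary bodies are base64-encoded and flagged.
function harBody(body) {
  if (body == null) return { size: 0, text: "" };
  if (typeof body === "string")
    return { size: new TextEncoder().encode(body).length, text: body };
  return { size: body.length, text: toBase64(body), encoding: "base64" };
}
function toHarEntry(c) {
  const reqBody = harBody(c.request.body), resBody = harBody(c.response.body);
  const request = { method: c.request.method, url: c.request.url,
    httpVersion: "HTTP/1.1", cookies: [], headers: pairs(c.request.headers),
    queryString: [...new URL(c.request.url).searchParams]
      .map(([name, value]) => ({ name, value })),
    headersSize: -1, bodySize: reqBody.size };
  // Assumption: request bodies are text (HAR 1.2 postData has no encoding flag).
  if (c.request.body != null)
    request.postData = { mimeType: mime(c.request.headers), text: reqBody.text };
  const response = { status: c.response.status, statusText: c.response.statusText,
    httpVersion: "HTTP/1.1", cookies: [], headers: pairs(c.response.headers),
    content: { mimeType: mime(c.response.headers), ...resBody },
    redirectURL: "", headersSize: -1, bodySize: resBody.size };
  return { startedDateTime: c.startedDateTime, time: c.timeMs, request, response,
    cache: {}, timings: { send: 0, wait: c.timeMs, receive: 0 } };
}

const buildHar = (items) => ({ log: { version: "1.2",
  creator: { name: "example-extension", version: "0.0" },
  entries: items.map(toHarEntry) } });
```

`JSON.stringify(buildHar([captured]))` yields the text that would be written to the file handed to the import call.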