Create new OWASP ZAP Extension


Federica

Sep 22, 2021, 8:30:45 AM
to OWASP ZAP Developer Group
Hello all,

I'm building a ZAP extension in Java. I'm having problems when I try to use the function:
public ApiResponse newSession(String name, String overwrite) throws ClientApiException from Project: zap-api-java, Class: Core inside the extension code.

In particular, I noticed that when executed outside the extension the code works well, but when the same code is run inside the extension OWASP ZAP crashes (I have to end the process from the Task Manager in order to be able to use ZAP again).

My code is the following one:
      ClientApi api = new ClientApi("localhost", 8080, "Secret API Key");
      api.core.newSession("", "true");

I would like to understand if it is a problem on my side or if it is not possible to use this method inside an extension.

Thanks in advance for the help

kingthorin+owaspzap

Sep 22, 2021, 8:42:57 AM
to OWASP ZAP Developer Group
If you're working in Java, why are you interacting with the web API?

Maybe you could tell us more about what you're trying to accomplish? Because randomly creating a new ZAP session on the user via the web API probably isn't what you're actually wanting.

kingthorin+owaspzap

Sep 22, 2021, 8:44:41 AM
to OWASP ZAP Developer Group
If you aren't providing a path/name when creating the session it'll fail. You would have to get the response object to get the failure details.

psiinon

Sep 22, 2021, 8:45:22 AM
to OWASP ZAP Developer Group
Hiya,

If you're creating a new ZAP add-on then that code is running in ZAP.
You should just call the classes directly rather than using the API.

So to create a new session you can use:

Model.getSingleton().newSession();

Cheers,

Simon

Federica

Sep 22, 2021, 9:08:32 AM
to OWASP ZAP Developer Group
Thank you for your answers.
By trying with Model.getSingleton().newSession(); it is finally working!

Best regards,
Federica

Alessandro Pisani

Sep 27, 2021, 5:02:37 AM
to OWASP ZAP Developer Group

Hi all,
I have a similar doubt. I would like to save ZAP's messages.
By using the API I can do it using zap.core.messages("", "", ""). But I cannot find a way to do it without using the API.
Is there a way to do it when my code is directly running inside ZAP, as for the Model.getSingleton().newSession()?

Kind regards,
Alessandro

psiinon

Sep 27, 2021, 5:43:33 AM
to OWASP ZAP Developer Group
If you can do it via the API then you can do it via the code :D
You can just copy the code from processHttpMessages.

Cheers,

Simon

Alessandro Pisani

Sep 27, 2021, 8:08:41 AM
to OWASP ZAP Developer Group
Thank you for your answer!

Thank you for the pointers, however I still cannot find a way to get the message in 'string' format (like a toString() method in which all fields are collected together) as the one present in the API (https://github.com/zaproxy/zap-api-java/blob/7034458302b288fbf38ac824c186404ec085d5e3/subprojects/zap-clientapi/src/main/java/org/zaproxy/clientapi/core/ApiResponseList.java#L94). To me, the only possibility seems to be retrieving the fields individually (e.g.: using getRequestHeader(), getNote(), ...).
Is it correct or am I missing something?

Regards,

Alessandro

kingthorin+owaspzap

Sep 27, 2021, 4:27:57 PM
to OWASP ZAP Developer Group
message.getRequestBody().toString(), etc.
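
The in-process approach discussed above, as an added example that is not code from the thread or from the ZAP project: it reads the current session's history inside an add-on and joins each message's parts into one string. The class name HistoryDump is hypothetical, and the TableHistory/RecordHistory calls are assumed from ZAP core's org.parosproxy.paros.db package, so check them against the ZAP version you build against.

```java
// Added example; compiles only with ZAP core on the classpath (add-on code).
import java.util.ArrayList;
import java.util.List;

import org.parosproxy.paros.db.DatabaseException;
import org.parosproxy.paros.db.RecordHistory;
import org.parosproxy.paros.db.TableHistory;
import org.parosproxy.paros.model.HistoryReference;
import org.parosproxy.paros.model.Model;
import org.parosproxy.paros.network.HttpMalformedHeaderException;
import org.parosproxy.paros.network.HttpMessage;

/** Hypothetical helper for use inside an add-on (runs in the ZAP JVM). */
public final class HistoryDump {

    private HistoryDump() {}

    /** Joins request and response header/body of one message into a string. */
    public static String asText(HttpMessage msg) {
        StringBuilder sb = new StringBuilder();
        sb.append(msg.getRequestHeader().toString());
        sb.append(msg.getRequestBody().toString());
        sb.append("\r\n");
        sb.append(msg.getResponseHeader().toString());
        sb.append(msg.getResponseBody().toString());
        return sb.toString();
    }

    /** Returns every non-temporary message of the current session as text. */
    public static List<String> dumpSession()
            throws DatabaseException, HttpMalformedHeaderException {
        Model model = Model.getSingleton();
        TableHistory table = model.getDb().getTableHistory();
        long sessionId = model.getSession().getSessionId();
        // Assumed signature: (long sessionId, int... histTypes).
        List<Integer> ids = table.getHistoryIdsExceptOfHistType(
                sessionId, HistoryReference.TYPE_TEMPORARY);
        List<String> out = new ArrayList<>(ids.size());
        for (int id : ids) {
            RecordHistory rec = table.read(id);
            if (rec != null) { // guard: no record returned for this id
                out.add(asText(rec.getHttpMessage()));
            }
        }
        return out;
    }
}
```

Bodies are converted with the charset ZAP determined for the message, so binary bodies will not round-trip; use getBytes() on the body when exact bytes matter. The resulting strings carry whatever cookies and credentials the proxied traffic contained, so store them with the same care as the session file.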

kingthorin+owaspzap

Sep 27, 2021, 4:42:55 PM
to OWASP ZAP Developer Group