getSelectedText method for Targeted scripts?


Gerson Ethical

Jan 12, 2024, 5:38:47 PM
to ZAP Developer Group
Hi,

I am developing a custom script that needs the selected text as a parameter when sending it to the script, similar to what is done with Fuzz or with Encode/Decode. For example, if the request is:
Get https://example.com
Cookies: asd=dsa
and I have selected asd=dsa, then by right-clicking and clicking on the script I want to be able to use asd=dsa as a parameter, something like msg.getSelectedText().

Best Regards Community

psiinon

Jan 15, 2024, 6:40:25 AM
to ZAP Developer Group
Hiya,

We don't expose that info via Targeted scripts I'm afraid.
I'd recommend using an Extender script which adds a right click option in a similar way to how it would be done in Java.

Cheers,

Simon

Gerson Ethical

Jan 19, 2024, 9:30:36 AM
to ZAP Developer Group
Hi @psiinon,

do you have any example?

Thanks a lot.

Gerson Ethical

Jan 26, 2024, 1:54:24 PM
to ZAP Developer Group
Hi @psiinon,
I have tried multiple ways but I haven't been able to yet, do you have an example?
Regards

psiinon

Feb 1, 2024, 5:47:15 AM
to ZAP Developer Group
I'm afraid we don't :(
It's basically a case of translating Java into JavaScript.
Then try to find code similar to what you want that's already in ZAP and try to convert it, one step at a time.
e.g. start with just creating a new menu item which does nothing. Can you get that to work?

Cheers,

Simon

Gerson Ethical

Feb 13, 2024, 2:08:45 PM
to ZAP Developer Group
For example:
// Extender scripts allow you to add completely new functionality to ZAP.
// The install function is called when the script is enabled and the uninstall function when it is disabled.
// Any functionality added in the install function should be removed in the uninstall method.
// See the other templates for examples on how to add different functionality.

// Script variable to use when uninstalling

var popupmenuitemtype = Java.extend(Java.type("org.zaproxy.zap.view.popup.PopupMenuItemHttpMessageContainer"));
var a = Java.extend(Java.type("org.zaproxy.zap.extension.httppanel.view.syntaxhighlight.HttpPanelSyntaxHighlightTextArea"));

var curlmenuitem = new popupmenuitemtype("b64 sqli") {
    performAction: function(href) {
        print("->");
        print(a.getMethods());
        print("<-");
        invokeWith("href.getSelection()");
    },
    precedeWithSeparator: function() {
        return true;
    },
    isSafe: function() {
        return true;
    }
}


/**
 * This function is called when the script is enabled.
 *
 * @param helper - a helper class which provides the methods:
 * getView() this returns a View object which provides an easy way to add graphical elements.
 * It will be null if ZAP is running in daemon mode.
 * getApi() this returns an API object which provides an easy way to add new API calls.
 * Links to any functionality added should be held in script variables so that they can be removed in uninstall.
 */
function install(helper) {
    if (helper.getView()) {
        helper.getView().getPopupMenu().addMenu(curlmenuitem);
    }
}

/**
 * This function is called when the script is disabled.
 *
 * @param helper - a helper class which provides the methods:
 * getView() this returns a View object which provides an easy way to add graphical elements.
 * It will be null if ZAP is running in daemon mode.
 * getApi() this returns an API object which provides an easy way to add new API calls.
 */
function uninstall(helper) {
    if (helper.getView()) {
        helper.getView().getPopupMenu().removeMenu(curlmenuitem);
    }
}


// Note: The following code lives also in Community-Scripts add-on.

function invokeWith(msg) {
    print("mark1");
    var string = "curl -i -s -k -X  '" + msg.getRequestHeader().getMethod() + "'  \\\n";
    var header = msg.getRequestHeader().getHeadersAsString();
    header = header.split(msg.getRequestHeader().getLineDelimiter());
    var suspiciousHeaders = false;
    for (var i = 0; i < header.length; i++) {
        var headerEntry = header[i].trim();
        if (headerEntry.startsWith("@")) {
            suspiciousHeaders = true;
        }
        // deny listing Host (other deny listing should also specify here)
        var keyval = headerEntry.split(":");
        if (keyval[0].trim() != "Host")
            string += " -H '" + headerEntry + "' ";
    }
    // if no User-Agent present ensures that curl request doesn't add one
    if (string.indexOf("User-Agent") < 0)
        string += " -A '' ";
    string += " \\\n";
    var body = msg.getRequestBody().toString();
    if (body.length() != 0) {
        string += "--data-raw $'" + addSlashes(body) + "' \\\n";
    }
    string += "'" + msg.getRequestHeader().getURI().toString() + "'";

    if (!suspiciousHeaders) {
        var selected = new java.awt.datatransfer.StringSelection(string);
        var clipboard = java.awt.Toolkit.getDefaultToolkit().getSystemClipboard();
        clipboard.setContents(selected, null);
    }
    print(string);

    if (suspiciousHeaders) {
        print("\n**WARNING**");
        print("The generated command might be including a local file (e.g. `@/path/to/file`) in a header, carefully review the command before executing it.");
        print("Note: The command was *not* added to the clipboard.\n");
    }
}

function addSlashes(body) {
    var a = {};
    a[body] = 1;
    return JSON.stringify(a).slice(2, -4);
}


I don't need a GUI, I just need that when I click on the selected text and select the script, I can work with the selected text
[Attachment: Screenshot_5.jpg]

psiinon

Feb 15, 2024, 5:14:58 AM
to ZAP Developer Group
So is that working for you now?

Cheers,

Simon

Gerson Ethical

Feb 15, 2024, 8:02:46 AM
to ZAP Developer Group
Hi Psiinon,

Nope, only the part of right-clicking on the request and sending it to the Extender script works for me, but I still can't find a way to send the selected text to the script and be able to do an x.getSelectedText() or something similar in the script. I know it should be possible because it is something that is done, for example, with Encode/Decode/Hash:
[Attachment: Screenshot_6.jpg]
But when reviewing I have not been able to understand how it does it; I am not an expert in programming. I think it is something like this (https://github.com/zaproxy/zap-extensions/blob/3505c9b1c32b95911e4fc45fddabc316bd96c784/addOns/encoder/src/main/java/org/zaproxy/addon/encoder/PopupReplaceInputMenu.java#L38):
[Attachment: Screenshot_7.jpg]

gdgd009xcd

Feb 17, 2024, 9:11:59 AM
to zaproxy...@googlegroups.com
Hi, Gerson

You might want to get SelectedText in JTextComponent on ZAP, so you may visit this gist sample
and you can learn on your own by trying things out. That's open source.
Hope this helps.
gdgd009xcd



thc...@gmail.com

Feb 17, 2024, 3:19:25 PM
to zaproxy...@googlegroups.com
Worth noting that for components without any selection the selected text
will be null (e.g. PopupCopyMenu disables the menu item in that case).

Best regards.
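
An added example, not code from this thread or from the gist mentioned above, of the approach the two replies describe: an Extender script whose menu item reads getSelectedText() from the invoking JTextComponent and is greyed out when that returns null. The menu label, the handleSelection helper and the wiring through ExtensionPopupMenuItem.isEnableForComponent are assumptions; it relies on the Java.type/Java.extend bridge of ZAP's JavaScript engine.

```javascript
// Added example (not from the thread): ZAP Extender script exposing the selected text.
// ZAP's script engine supplies Java.type/Java.extend; guarded so the helper loads without it.
var HAS_JAVA = typeof Java !== "undefined";
var JTextComponent = HAS_JAVA ? Java.type("javax.swing.text.JTextComponent") : null;
var menuItem = null;     // kept in a script variable so uninstall() can remove it
var lastInvoker = null;  // component the context menu was opened on

// Selected text of the invoking component, or null when it is not a text
// component or nothing is selected (getSelectedText() returns null then).
function selectedTextOf(invoker) {
  if (!invoker) return null;
  var isText = JTextComponent ? invoker instanceof JTextComponent
                              : typeof invoker.getSelectedText === "function";
  if (!isText) return null;
  var text = invoker.getSelectedText();
  return text === null || text === undefined || String(text).length === 0 ? null : String(text);
}

// Hypothetical handler: replace the body with whatever the script should do.
function handleSelection(text) {
  return "selected: " + text;
}

function install(helper) {
  if (!HAS_JAVA || !helper.getView()) return; // no GUI in daemon mode
  var PopupItem = Java.extend(Java.type("org.parosproxy.paros.extension.ExtensionPopupMenuItem"));
  menuItem = new PopupItem("Use selected text", {
    isEnableForComponent: function (invoker) {
      if (!(invoker instanceof JTextComponent)) return false; // hide on non-text components
      lastInvoker = invoker;
      menuItem.setEnabled(selectedTextOf(invoker) !== null);  // grey out without a selection
      return true;
    }
  });
  menuItem.addActionListener(function (event) {
    var text = selectedTextOf(lastInvoker);
    if (text !== null) print(handleSelection(text));
  });
  helper.getView().getPopupMenu().addMenu(menuItem);
}

function uninstall(helper) {
  if (menuItem && helper.getView()) {
    helper.getView().getPopupMenu().removeMenu(menuItem);
  }
}
```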

psiinon

Feb 19, 2024, 4:39:35 AM
to ZAP Developer Group
Could you submit that gist to the Community Scripts repo?

Many thanks!

Simon

gdgd009xcd

Feb 20, 2024, 2:12:22 AM
to zaproxy...@googlegroups.com
Hi, psiinon

You mean that I submit the Community-Scripts PR?
If so, I have no experience in doing proper PR and my poor English may
confuse your team :)
But I might give it a try.
* Add signoff on every commit.
* Please use an appropriate title to promote your work.
* Don't forget to update CHANGELOG.md
I guess that's what I must do at least.
...


Best Regards.



psiinon

Feb 20, 2024, 4:06:15 AM
to ZAP Developer Group
That's ok!
Just let us know if you have any questions or problems.
Git and GitHub can be very confusing to start with, but they are very useful skills to learn, and we're here to help :)

Many thanks,

Simon

Gerson Ethical

Feb 20, 2024, 1:25:57 PM
to ZAP Developer Group
Thanks a lot gdgd009xcd,

How could I declare a variable in line 30 with the HTTP request from which I executed the function? I need to send those two variables to a function (HTTPRequest + selectedValue). Sorry, I don't know much about JavaScript.