how to convert zap script (python) into extension?


Javi D R

Mar 2, 2021, 9:04:53 AM
to OWASP ZAP Developer Group
Hi

I have already submitted my script. Now, I want to go a step ahead and would like to release it as an extension (.zap) and make it available in the marketplace. I have seen you need to build it with Gradle but... it is a Python script.

Can a Python script be released as an extension in the marketplace?

Thanks

kingthorin+owaspzap

Mar 2, 2021, 2:20:52 PM
to OWASP ZAP Developer Group
Scripts and Extensions are totally different things.

There is a Community Scripts extension (add-on really) which is released a few times a year (no set schedule) and includes all the scripts.

If you want to make an add-on currently your options are Java or Kotlin.

Javi D R

Mar 3, 2021, 4:24:32 AM
to OWASP ZAP Developer Group
I see... thanks. What I want to do is build a ZAP Docker image with those scripts included there and enabled by default. By now, I need to import the script manually in the script console and enable this. I tried to put the .py in the scripts folder but this is not automatically picked up.

What is the best way to automatically load and enable a script to be ready every time I run ZAP?

Thanks

psiinon

Mar 3, 2021, 4:31:02 AM
to OWASP ZAP Developer Group
We have a FAQ for including scripts from the command line here: https://www.zaproxy.org/faq/how-do-you-add-a-script-to-zap-from-the-command-line/
We also include script scan rules with the API scan, those are added and enabled via:

Javi D R

Mar 3, 2021, 5:35:29 AM
to OWASP ZAP Developer Group
Glad to hear there is a ZapCon :) Maybe next year...

I have added this to my docker run command

-config script.scripts.name="Corsair" -config script.scripts.engine="Jython" -config script.scripts.type="active" -config script.scripts.enabled=true -config script.scripts.file="/zap/corsair/corsair.py"

I have also built a new docker image from the original one:

FROM owasp/zap2docker-stable
COPY corsair.py corsair/corsair.py

When I start it, it picks up all the configuration

zap    | 64 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.name = Corsair was Corsair
zap    | 70 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.engine = Jython was Jython
zap    | 71 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.type = active was active
zap    | 72 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.enabled = true was true
zap    | 73 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.file = /zap/corsair/corsair.py was /zap/corsair/corsair.py


When running, it says the script was not enabled. Any idea what might be the problem?


zap                | 659112 [Thread-88] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://hack-yourself-first.com/ | ScriptsActiveScanner strength MEDIUM threshold MEDIUM
zap                | 659179 [Thread-88] INFO org.parosproxy.paros.core.scanner.HostProcess  - skipped plugin [no scripts enabled] https://hack-yourself-first.com/ | ScriptsActiveScanner in 0.067s with 0 message(s) sent and 0 alert(s) raised.

kingthorin+owaspzap

Mar 3, 2021, 7:07:53 AM
to OWASP ZAP Developer Group
Did you install the python add-on as part of your image?

Javi D R

Mar 4, 2021, 4:15:53 AM
to OWASP ZAP Developer Group
Yes, but good point... it is not being found. I am sending the flag -addoninstall python-scripting, as this is the name it has in the marketplace, but it can't be found. What is the name to use for that plugin?

zap                | 30352 [ZAP-daemon] ERROR org.parosproxy.paros.CommandLine  - Failed to find add-on: python-scripting

psiinon

Mar 4, 2021, 4:28:10 AM
to OWASP ZAP Developer Group
It's called "jython".
The ID is shown in the ZAP desktop when you select it, either in the set of installed add-ons or in the marketplace.
You can also look in the relevant XML file as per https://www.zaproxy.org/download/#latest-versions

Cheers,

Simon

Javi D R

Mar 4, 2021, 5:29:47 AM
to OWASP ZAP Developer Group
I started it but it is still failing

zap    | 66 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.name = Corsair was Corsair
zap    | 72 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.engine = Jython was Jython
zap    | 73 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.type = active was active
zap    | 74 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.enabled = true was true
zap    | 75 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.file = /zap/corsair/corsair.py was /zap/corsair/corsair.py
zap    | 5491 [ZAP-daemon] INFO org.zaproxy.zap.extension.jython.ExtensionJython  - Waiting for Jython engine to load...
zap    | 9050 [ZAP-Jython-EngineLoader] INFO org.zaproxy.zap.extension.jython.ExtensionJython  - Jython engine loaded.
zap                | 1179345 [Thread-62] INFO org.parosproxy.paros.core.scanner.HostProcess  - skipped plugin [no scripts enabled]
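A check a CI pipeline could run over the container output so that a scan whose script rule never ran does not pass silently. This is an added example, not code from the thread or from the ZAP project; the function name `audit_zap_log` and the sample log are constructed, and the line patterns follow the log excerpts posted above.

```python
import re
import sys

# Constructed sample in the log format shown in this thread (target URL is a placeholder).
SAMPLE_LOG = """\
zap    | 66 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.name = Corsair was Corsair
zap    | 74 [main] INFO org.parosproxy.paros.common.AbstractParam  - Setting config script.scripts.enabled = true was true
zap    | 30352 [ZAP-daemon] ERROR org.parosproxy.paros.CommandLine  - Failed to find add-on: python-scripting
zap    | 9050 [ZAP-Jython-EngineLoader] INFO org.zaproxy.zap.extension.jython.ExtensionJython  - Jython engine loaded.
zap    | 659179 [Thread-88] INFO org.parosproxy.paros.core.scanner.HostProcess  - skipped plugin [no scripts enabled] https://example.test/ | ScriptsActiveScanner in 0.067s with 0 message(s) sent and 0 alert(s) raised.
"""

# Optional "container |" prefix, then: millis [thread] LEVEL logger  - message
LINE = re.compile(r"^(?:\S+\s*\|\s*)?(\d+) \[([^\]]+)\] (\w+) (\S+)\s+- (.*)$")
CONFIG = re.compile(r"^Setting config (\S+) = (.*?) was ")
ADDON = re.compile(r"^Failed to find add-on: (\S+)")
SKIPPED = re.compile(r"^skipped plugin \[([^\]]+)\](?:.*\| (\w+) in )?")


def audit_zap_log(text):
    """Return (config, problems) parsed from ZAP console output."""
    config, problems = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a ZAP log line (stack trace, banner, ...)
        level, msg = m.group(3), m.group(5)
        if (c := CONFIG.match(msg)):
            config[c.group(1)] = c.group(2)  # -config values ZAP accepted
        elif (a := ADDON.match(msg)):
            problems.append(f"add-on not installed: {a.group(1)}")
        elif (s := SKIPPED.match(msg)):
            # A skipped rule means the scan finished without testing anything with it.
            problems.append(f"scan rule skipped ({s.group(1)}): {s.group(2) or 'unknown'}")
        elif level == "ERROR":
            problems.append(f"error: {msg}")
    return config, problems


if __name__ == "__main__":
    # Pass a saved log file as the first argument, or run on the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    cfg, issues = audit_zap_log(data)
    for issue in issues:
        print("FAIL:", issue)
    sys.exit(1 if issues else 0)
```

The non-zero exit code lets the pipeline fail the build when the `-config` values were accepted at startup but the script rule was still skipped, which is the situation in the last post.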