EnDe meats ZAP

Achim

Dec 10, 2012, 4:50:26 PM12/10/12
to OWASP ZAP Developer Group
Hi,

it's time to announce that the JavaScript library with en-, decoding,
crypting, hashing and conversion functions now can be used with ZAP's
Script Console. At least Simon engaged me to do it here ;-)

First a little introduction for those who don't know what this library
is about. The library is from OWASP's EnDe project which can be found
here: https://www.owasp.org/index.php/Category:OWASP_EnDe
Links to usage, documentation, download, github and online version can
be found there.

Enough with biased texts, let's talk about EnDe within ZAP.

First we need the library, use https://github.com/EnDe/EnDe and build
EnDe.lib.zap from sources (or mail me and I can provide a prebuilt
version).
Load it in ZAP's Script Console and ready we go.
Instead of reading boring texts, here are some examples to catch your
interest:
me=EnDe.B64.EN.b64("€uro",72); print(me);
print(EnDe.IP.num2ip('','','','2130706474','','','.'));

alert() and print() are wrapper functions part of EnDe.lib.zap to make
usage as simple as possible,
There's also help() for those who want dig deeper ;-)

So far, this is just a cumbersome way to do codings and conversions.
But wait, how about:
alert(EnDe.Check.CC.get("3743-8899-4242-8007"));

print(EnDe.IP.ip2num('','','',EnDe.IP.num2ip('','','','2130706433','','','.').replace(/0/,'42'),'','','.'));

I'd like to see more useful examples within ZAP. I can think of
passive scanners which for example check cookies and parameters,
whether in request or response, and analyze them.
Therefore the script console needs to be improved 'cause it's a bit of a
performance penalty now.
EnDe.lib.zap is not perfect yet. Even with compressed code it's about
500k. However, it can be stripped by another 20% if needed. Would be
nice if the script console can load the library once and provide it
for further usage.

You may ask why using JavaScript inside ZAP which already has a good
module integration. The answer is that with JavaScript you can rapidly
type new highly customized functionality while ZAP is already running.


Please tell me your opinions and ideas.
Cheers
Achim
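
The kind of passive check the post has in mind (scan a parameter or response body for values that look like card numbers, and convert between numeric and dotted IPv4 forms) can be sketched without the library. The following is an added example, not code from EnDe or ZAP: it reimplements a Luhn (mod-10) validator and plain `num2ip`/`ip2num` helpers under the assumption that this is what `EnDe.Check.CC.get`, `EnDe.IP.num2ip` and `EnDe.IP.ip2num` do, and runs them over a constructed response-body string. It runs in any JavaScript engine; in the Script Console the `print()` wrapper would replace `console.log`.

```javascript
// Added example (not part of EnDe or ZAP). The sample body below is constructed.

// Luhn / mod-10 check on a digit string; separators (space, dash) are ignored.
// Returns true only for 12..19-digit values whose checksum is 0 mod 10.
function luhnValid(s) {
  const digits = s.replace(/[\s-]/g, '');
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let dbl = false;                       // every second digit from the right is doubled
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// 32-bit unsigned integer (number or numeric string) -> dotted quad.
function num2ip(n) {
  const v = Number(n) >>> 0;             // force unsigned 32-bit arithmetic
  return [v >>> 24, (v >>> 16) & 255, (v >>> 8) & 255, v & 255].join('.');
}

// Dotted quad -> 32-bit unsigned integer; throws on malformed input.
function ip2num(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error('not a dotted quad: ' + ip);
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) {
      throw new Error('bad octet "' + p + '" in ' + ip);
    }
    n = n * 256 + Number(p);
  }
  return n;
}

// Passive check: return every 13..19-digit run (spaces/dashes allowed) in
// the text that passes the Luhn check, i.e. a candidate card number leaking
// through a parameter, cookie or response body.
function findCardNumbers(text) {
  const re = /\b(?:\d[ -]?){12,18}\d\b/g;
  const hits = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    if (luhnValid(m[0])) hits.push(m[0]);
  }
  return hits;
}

// Constructed sample: one Luhn-valid test number, one that fails the checksum,
// and short numeric noise that must not be reported.
const sampleBody =
  'id=1002; card=4111 1111 1111 1111; ref=3743-8899-4242-8007; ts=20121210';

console.log(findCardNumbers(sampleBody));      // [ '4111 1111 1111 1111' ]
console.log(num2ip('2130706474'));             // 127.0.0.42
console.log(ip2num(num2ip(2130706433).replace(/0/, '42'))); // 2133458945
```

The regex deliberately over-collects and lets the Luhn check filter, which keeps false positives from order numbers and timestamps low; a real passive rule would additionally skip known test ranges and report the finding with its location rather than the full value.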

psiinon

Dec 12, 2012, 5:05:44 AM12/12/12
to zaproxy...@googlegroups.com
Thanks Achim - that's great!

I've added EnDe and linked to this discussion from the wiki: http://code.google.com/p/zaproxy/wiki/RelatedTools

I'd like us to build a ZAP addon which would allow people to easily download and use EnDe.
But this is a javascript library rather than a 'standard' extension.
The addon mechanism will cope with this, but we might well need to extend the scripting support to allow libraries to be easily loaded and used in other scripts.
I also want to extend scripting support, so that you can easily extend the UI.
So, for example, you could create a script using EnDe functionality, and then invoke this from a new 'right click' menu item.
And, as Achim suggested, create new active and passive scan rules using scripts, which should also be able to use any of the libraries available.

Any other suggestions as to how we could make use of this?

Cheers,

Simon

Achim

Dec 12, 2012, 5:01:12 PM12/12/12
to OWASP ZAP Developer Group
some comments, please see inline below ...

Achim

On 12 Dec., 11:05, psiinon <psii...@gmail.com> wrote:
...
> I'd like us to build a ZAP addon which would allow people to easily
> download and use EnDe.
> But this is a javascript library rather than a 'standard' extension.

You don't need EnDe, you just need EnDe.lib.zap which is a generated
file containing all necessary code plus the small wrappers.

It's no problem for me to store that file on github, but it would then
be downloaded with each git clone or pull, which is not the intention for
generated files ;-)
If there is a proper place to store the file, I'm happy to make
regular updates.

> The addon mechanism will cope with this, but we might well need to extend
> the scripting support to allow libraries to be easily loaded and used in
> other scripts.

Biggest pain at the moment is that you have to load the file and
either write your own code right behind manually or load a second file.
Second problem is that the "run" button always executes the code
completely.
Third: it's not easy to run JavaScript code properly in the console. We
need coding guidelines right at the beginning if there are more such
libraries.
Feel free to ask me if assistance is required.

> I also want to extend scripting support, so that you can easily extend the
> UI.
> So, for example, you could create a script using EnDe functionality, and
> then invoke this from a new 'right click' menu item.

That is how it should be.
Anyone? ... (I'm neither java nor GUI developer)

...