How to render your own HTML page in zaproxy while analyzing an incoming request

Jorrit Willaert

Nov 21, 2021, 11:35:27 AM11/21/21
to OWASP ZAP Developer Group

We are developing a new extension for Zaproxy (specifically in the zap-extensions repo), which checks incoming requests and shows an HTML page if, for example, a 'bad' password has been detected (assume the user fills it into a non-hashed password field). In that HTML page, the user is asked whether or not he wants to proceed.

We are wondering how we can easily visualize our webpage in the browser, given that we work in zap-extensions. We figured out that it is possible by sending a request to for example google.com, after which we change the whole body to our HTML page. We do, however, realize that it is not an ideal solution.

Are there easier solutions, where a new incoming response is spawned on demand in the method onHttpRequestSend(HttpMessage msg)? (The extension resembles 'frontendscanner'.)

kingthorin+owaspzap

Nov 21, 2021, 8:19:55 PM11/21/21
to OWASP ZAP Developer Group
First, you shouldn't add it to zap-extensions; the core team doesn't need any other code to be responsible for. We do have processes in place to publish third-party add-ons via the ZAP Marketplace. You can model your repo and project on kingthorin/neonmarker or SasanLabs/jwt.

You can build it as an httpSenderListener and replace/update the response client side. In fact, if a whole add-on is overkill, you could just do it as an HttpSender script and add it to the zaproxy/community-scripts repo.

Alternatively I guess you could also consider implementing it as a zap-hud tool.
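The HttpSender-script route suggested in the reply above, as an added example that is not code from this thread or from the ZAP project. It is written for ZAP's JavaScript script engine: the `sendingRequest`/`responseReceived` entry points, the `HttpMessage` methods called inside them and the `initiator` value 1 for proxied browser traffic are ZAP's own; the weak-password list, the password field names, the `_weak_pw_ok` consent field, the HTML page and the sample form body are assumptions made up for illustration. The detection and page-building logic is kept in plain functions so it can be run and checked outside ZAP.

```javascript
// Added example (not the thread's or ZAP's own code): a ZAP HttpSender script that
// detects a deny-listed password in a submitted form and swaps the server's
// response for an interstitial asking whether to proceed.

var WEAK_PASSWORDS = ['password', '123456', 'qwerty', 'letmein', 'admin']; // constructed deny-list
var PASSWORD_FIELDS = ['password', 'passwd', 'pass', 'pwd'];              // assumed field names
var CONSENT_FIELD = '_weak_pw_ok'; // hypothetical field the interstitial adds when the user proceeds

// Decode one form token: '+' is a space; a malformed %xx sequence is kept literally.
function decodeFormValue(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Parse an application/x-www-form-urlencoded body into {name: value}; later duplicates win.
function parseForm(body) {
  var out = {};
  var pairs = body ? String(body).split('&') : [];
  for (var i = 0; i < pairs.length; i++) {
    if (pairs[i] === '') continue;
    var eq = pairs[i].indexOf('=');
    var name = eq < 0 ? pairs[i] : pairs[i].substring(0, eq);
    var value = eq < 0 ? '' : pairs[i].substring(eq + 1);
    out[decodeFormValue(name)] = decodeFormValue(value);
  }
  return out;
}

// Return {field, form} for the first password field holding a deny-listed value, or null
// when the body is not a form, nothing is weak, or the consent field shows the user already agreed.
function findWeakPassword(contentType, body) {
  if (!contentType || String(contentType).toLowerCase().indexOf('application/x-www-form-urlencoded') < 0) return null;
  var form = parseForm(body);
  if (Object.prototype.hasOwnProperty.call(form, CONSENT_FIELD)) return null;
  for (var i = 0; i < PASSWORD_FIELDS.length; i++) {
    var f = PASSWORD_FIELDS[i];
    if (Object.prototype.hasOwnProperty.call(form, f) && WEAK_PASSWORDS.indexOf(form[f].toLowerCase()) >= 0) {
      return { field: f, form: form };
    }
  }
  return null;
}

// Everything reflected into the page (URL, field names, values) comes from the request: escape it.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// The interstitial: "Go back" returns to the form, "Proceed anyway" re-posts the original
// fields plus the consent field so the script lets the next response through unchanged.
// The original values (including the weak password) are echoed into hidden inputs for that re-post.
function buildWarningPage(originalUrl, hit) {
  var hidden = '';
  for (var name in hit.form) {
    if (Object.prototype.hasOwnProperty.call(hit.form, name)) {
      hidden += '<input type="hidden" name="' + escapeHtml(name) + '" value="' + escapeHtml(hit.form[name]) + '">';
    }
  }
  return '<!DOCTYPE html><html><head><meta charset="utf-8"><title>Weak password</title></head><body>' +
    '<h1>Weak password detected</h1>' +
    '<p>The value of the <code>' + escapeHtml(hit.field) + '</code> field sent to <code>' +
    escapeHtml(originalUrl) + '</code> is on a common-password list. Do you want to proceed?</p>' +
    '<form method="POST" action="' + escapeHtml(originalUrl) + '">' + hidden +
    '<input type="hidden" name="' + CONSENT_FIELD + '" value="1">' +
    '<button type="button" onclick="history.back()">Go back</button> ' +
    '<button type="submit">Proceed anyway</button></form></body></html>';
}

// ZAP HttpSender script entry points; msg is ZAP's HttpMessage.
function sendingRequest(msg, initiator, helper) {
  // Nothing to do before sending: the swap happens once the server's response is back.
}

function responseReceived(msg, initiator, helper) {
  if (initiator !== 1) return; // 1 is HttpSender.PROXY_INITIATOR: only touch browser traffic
  var req = msg.getRequestHeader();
  var hit = findWeakPassword(req.getHeader('Content-Type'), msg.getRequestBody().toString());
  if (hit === null) return;
  // Replace the body and keep the response header consistent with the new body.
  msg.setResponseBody(buildWarningPage(req.getURI().toString(), hit));
  var res = msg.getResponseHeader();
  res.setStatusCode(200);
  res.setHeader('Content-Type', 'text/html; charset=UTF-8');
  res.setHeader('Content-Encoding', null); // drop any compression marker left from the original response
  res.setContentLength(msg.getResponseBody().length());
}

// Constructed sample form body for a stand-alone run (not captured from ZAP).
var SAMPLE_BODY = 'username=alice&password=Password&remember=on';
```

Load it in ZAP via the Scripts tab as an HttpSender script and enable it. Two caveats follow from the design rather than from ZAP: `responseReceived` runs after the server has already answered, so for a registration form the weak password has already been accepted by the time the page appears and "Proceed anyway" submits the form a second time; and the consent field reaches the server on that second submission unless `sendingRequest` strips it from the body first. A check that actually blocks the request has to make its decision before the request leaves ZAP, which this response-replacing script does not do.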

psiinon

Nov 22, 2021, 4:08:05 AM11/22/21
to OWASP ZAP Developer Group
I think it could be a good addition to the HUD :)