Will ZAP Proxy take a HAR file as input for scanning?


Vinothini Pandurangan

Apr 29, 2016, 2:39:06 PM
to OWASP ZAP Developer Group
We are trying to integrate ZAP Proxy with our current scanning solution, where we get the screen recording in HAR format, and we want ZAP Proxy to use that to scan. Is that doable?
If yes, which API serves this purpose?

kingthorin+owaspzap

May 3, 2016, 7:56:25 AM
to OWASP ZAP Developer Group
ZAP does not currently have this functionality that I'm aware of.

You could open an enhancement request: https://github.com/zaproxy/zaproxy/issues/new

thc...@gmail.com

May 5, 2016, 10:19:10 AM
to zaproxy...@googlegroups.com
There's already an issue that covers that (i.e. import). [1]

As a workaround you could send the HAR requests ("sendHarRequest") with
the ZAP API. [2]
(Not a good workaround, though.)


[1] https://github.com/zaproxy/zaproxy/issues/521
[2] https://github.com/zaproxy/zaproxy/wiki/ApiGen_core

Best regards.

Vinothini Pandurangan

May 6, 2016, 1:47:39 AM
to OWASP ZAP Developer Group
Will "sendHARRequest" do a scan for that request?

I'm adding URLs from the HAR file into the Sites tree by calling "accessUrl", followed by ascan.scan().
But this works only for HTTP requests. For URLs with HTTPS, it throws the SSL handshake exception below:
pkix path building failed sun.security.provider.certpath.suncertpathbuilderexception

Thanks.

thc...@gmail.com

May 6, 2016, 4:39:10 AM
to zaproxy...@googlegroups.com
Yes, the request will be scanned the same way all requests sent/proxied
through ZAP are.


That error is because of ZAP's Root CA cert (more details in your other
post).

The advantage of sendHarRequest (or sendRequest) over accessUrl is that
it does not require trusting ZAP's Root CA cert; they are sent directly
from ZAP.

Having an openUrl in the Core API would prevent this kind of issue.

Best regards.

ZAP user

May 6, 2016, 1:11:44 PM
to OWASP ZAP Developer Group
Thanks for your reply.
When I use the accessUrl() and scan() methods, I can see URLs getting added to the Sites tree and the scan happening through the ZAP tool.
But with sendHARRequest() I'm not seeing the scan happening through the ZAP UI tool; also, it returns a byte array. Which can be converted to APIResponse to get results?


Gajendra Sahu

Mar 25, 2019, 11:12:32 PM
to OWASP ZAP Developer Group
Hi, I know this post is old but I am trying to do the same thing. I have a HAR file and I would like to scan it for security vulnerabilities. Please share any information or any code I can take a look at to make it work.

Thanks! 

Jeffrin George Jose

Apr 11, 2022, 4:23:37 AM
to OWASP ZAP Developer Group
Hi,
May I know whether ZAP added any functionality for this? I am looking for a solution that is mentioned in this post.

Thanks in advance.  

psiinon

Apr 11, 2022, 4:34:46 AM
to OWASP ZAP Developer Group
Yes, that's now supported by the Import/export add-on: https://www.zaproxy.org/docs/desktop/addons/import-export/

Cheers,

Simon

Jeffrin George Jose

Apr 18, 2022, 6:22:47 AM
to OWASP ZAP Developer Group
Thanks a lot for your quick response. For some reason, when I tried Import HAR from the 'import' menu, nothing comes up. My ZAP is up to date too. Probably I am doing something wrong as I am new to all this.

thc...@gmail.com

Apr 18, 2022, 6:57:58 AM
to zaproxy...@googlegroups.com

Omkar Kumbhar

Apr 20, 2022, 4:57:08 AM
to OWASP ZAP Developer Group
Hi,

Is there any way to import a HAR file using the ZAP REST API? Is it supported by the ZAP API? I couldn't find any API for this.

Thanks,
Omkar

thc...@gmail.com

Apr 20, 2022, 5:42:34 AM
to zaproxy...@googlegroups.com
Yes, using the endpoint e.g.:
/JSON/exim/action/importHar/?filePath=file.har

Best regards.
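
Added example, not part of the thread and not ZAP project code: the importHar call from the reply above, followed by an active scan of each origin found in the HAR. The ZAP address, the API key placeholder, the HAR path and the sample HAR are assumptions; `ascan/action/scan` and the `X-ZAP-API-Key` header are existing ZAP API features.

```python
import json
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"  # assumption: address of a local ZAP daemon
API_KEY = "changeme"                # placeholder, not a real key

# Constructed sample HAR (not from the thread): two origins, one repeated.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://shop.example.test/cart?id=1"}},
    {"request": {"method": "POST", "url": "https://shop.example.test/login"}},
    {"request": {"method": "GET", "url": "http://static.example.test:8000/app.js"}},
]}})

def har_origins(har_text):
    """Return distinct scheme://host[:port] origins in a HAR, in first-seen order."""
    origins = []
    for entry in json.loads(har_text)["log"]["entries"]:
        parts = urllib.parse.urlsplit(entry["request"]["url"])
        if parts.scheme not in ("http", "https") or not parts.netloc:
            continue  # skip data:, blob:, ws: and malformed entries
        origin = f"{parts.scheme}://{parts.netloc}"
        if origin not in origins:
            origins.append(origin)
    return origins

def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/exim/action/importHar/?filePath=..."""
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"

def plan_calls(har_path, har_text):
    """Import the HAR first, then start one active scan per origin it contains."""
    calls = [api_url("exim", "action", "importHar", filePath=har_path)]
    calls += [api_url("ascan", "action", "scan", url=o, recurse="true")
              for o in har_origins(har_text)]
    return calls

def run(calls):
    """Send each call to ZAP, passing the key in the X-ZAP-API-Key header."""
    for url in calls:
        req = urllib.request.Request(url, headers={"X-ZAP-API-Key": API_KEY})
        with urllib.request.urlopen(req, timeout=30) as resp:
            print(url, "->", json.load(resp))

if __name__ == "__main__":
    # Hypothetical path; it must be readable by the ZAP process.
    run(plan_calls("/tmp/recording.har", SAMPLE_HAR))
```

The `filePath` value is resolved on the machine where ZAP runs, not on the API client.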

Omkar Kumbhar

Apr 21, 2022, 2:33:19 AM
to OWASP ZAP Developer Group
Cool. Thanks a lot.

Best regards,
Omkar
