Modifying zaproxy and zap-extensions

[Jake Howlett]

Hi,

I am using the Eclipse IDE and I followed your video tutorial to get it set up.

I am having some trouble trying to compile an addOn from /zap-extensions. 

I have created a new method in /zaproxy in /zap/src/main/java/org/zaproxy/zap/extension/anticsrf/ExtensionAntiCSRF.java

Which I am trying to call in the ascanrulesAlpha addOn however the new method is not recognised by Eclipse or when trying to compile the addOn.

I can get a list of methods at runtime and it does include my new method so it seems to just be compile time that is not been updated of new methods in zaproxy.

I am wondering if the dependency for zap-extensions is the ZAP that is on Github not my local version but that doesn't explain why the correct methods are printed at runtime.

Regards,

Jake

[thc...@gmail.com]

Hi.

The add-ons in zap-extensions are currently compiling/targeting 2.11,
changes to core will not be visible until the next main release.

You can change the add-on to compile with your local zaproxy project
(replace the project or use a snapshot), but that can't be merged as is.
You can use reflection though.

Best regards.

[Jake Howlett]

How can I replace the project or use a snapshot?

I cannot seem to find any reference to the zap 2.11 dependency in the zap-extensions project.

What is the best practise for developing an active scan rule in zap-extensions that also needs changes to the core (for example adding a configuration textbox/checkbox to the Options panel)?

Regards,

Jake

[psiinon]

 

What is the best practise for developing an active scan rule in zap-extensions that also needs changes to the core (for example adding a configuration textbox/checkbox to the Options panel)?

The advice is: dont do it :)

You can of course (using reflection as thc202 mentioned), but only people with the modified core will be able to use it, which is a very small percentage of the people using ZAP.

Core changes (since the previous release) are only generally available after a new release.

Cheers,

Simon

[Jake Howlett]

Ok that is understandable, I want my improvements to be used by the whole community so I will change approach.

What alternatives are there? I need to add a configurable regex which would be set in the options panel for the GUI or via the API (both residing in the core) using the acsrf extension (it is related and so the configurable regex would fit nicely here). I then need to retrieve the regex in my new active scan rule to use in the scan.

Should I be instead creating a new ZAP extension that has a generates a new tab on the Option screen and new route in the API (to set the regex) that the new active scan rule can retrieve the regex from?

Jake

[psiinon]

We already have a solution for that - the Options / Rule Configuration Screen :)

https://www.zaproxy.org/docs/desktop/ui/dialogs/options/ruleconfig/

If you use that then you dont even need to make any GUI changes, which is always a plus in my book ;)

Cheers,

Simon

[Jake Howlett]

A much better of an idea, I forgot about ruleconfig. Thanks Simon!

[thc...@gmail.com]

For the record.

> How can I replace the project

There are several ways, e.g. composite build:
https://docs.gradle.org/current/userguide/composite_builds.html

this might be more straightforward than the following.

> or use a snapshot?

Publish the new ZAP version to the local repo and change the add-on to
use the SNAPSHOT version.
https://docs.gradle.org/current/userguide/publishing_maven.html#publishing_maven:install

> I cannot seem to find any reference to the zap 2.11 dependency in the
> zap-extensions project.

That's done with `zapVersion.set("2.11.1")` e.g.:
https://github.com/zaproxy/zap-extensions/blob/400c93aa7ba9feea19c807805ebbfd054c45e3d7/addOns/accessControl/accessControl.gradle.kts#L5

Best regards.

[Jake Howlett]

Thank you thc202 for your detailed explanation of alternatives, I will look into them to see if they can help with any other pieces of my ZAP development. I will be using the ruleConfig for now as it fits the purpose well and especially as the new active scan rule is going to be in alpha stage, GUI changes are not needed just yet.

This query was regarding a new Active CSRF-token tester scan rule that I am currently developing.

There is however one code change to the core that is needed (https://github.com/zaproxy/zaproxy/issues/7161) to get the core ready for this new scan rule. 

Once I have this scan rule into a more complete position and the core code change has been discussed then I will know if I can embed it into ZAP. After that I will create a pull request on Github.

Jake

[kingthorin+owaspzap]

Does the existing csrf partial matching address your need or do you really need full blown regex?

https://github.com/zaproxy/zaproxy/pull/6088

[Jake Howlett]

This is to test the response given after altering the anti-CSRF token. So I want to mimic the logged in / logged out indicators used in authentication. I could do a string.contains() instead, is regex not supported by the ruleConfig extension? I would just be taking the string and converting it into a regex pattern.

[kingthorin+owaspzap]

No I think regex is used for other rule configs. I just recalled that other PR so I thought I'd ask about it. Had hoped to save you effort/time :)