How to Create a ZAP Addon/Extension


ryerson...@gmail.com

Feb 5, 2016, 11:40:35 AM
to OWASP ZAP Developer Group
Moving the thread here from the user group.

kingthorin+owaspzap was nice enough to share some resources.

Few resources:


So far I installed Eclipse and imported the project. To compile and run ZAP, do I just 'Run As' application org.zaproxy.zap?

If the above is correct, I followed the guide by creating a new folder for the simple extension and refreshed Eclipse, please see link


The folder path is correct according to the guide, but is it correct in how Eclipse is understanding it?

I ask because when I now do 'Run As' application org.zaproxy.zap, I do not have the extension at all (as shown in the above linked guide by kingthorin).


FYI: Some links in the guide are dead links and should be updated to the git wiki :)

Thank you! Cheers, Goran.

---

kingthorin+owaspzap Reply:

Ok.

First, to compile and run ZAP, make sure you have the ZAP project selected and hit the run button. When it asks about the "main" function, then yes, you want org.zaproxy.zap.zap (or something like that... I forget the exact string, but it's the most "ZAP'ish" one).

Second, to compile and use your extension you'll need to build and deploy it via ant tasks. Find the build/build.xml in the branch you're working on and edit it, adding a deploy-<add-on> task similar to the others that are there. (You should be able to copy the 3 lines and make a minor edit for your entry.) Then right click on that task in the tree and "Run-as" Ant Task. Once that completes, launch ZAP (as above). Once ZAP is running, hit Ctrl+L to load an add-on and navigate to the build output directory, such as c:\<wherever>\workspace-zap\zap-extensions_alpha\build\zap-exts.... Select your <newaddon>.zap to load your addon. Note you'll need to delete it from C:\Users\<your_user>\OWASP ZAP_D\plugin before launching ZAP again to load a new version (assuming a repeated write code, build, deploy workflow; you can't load an addon that's already loaded...), or you'll have to enable unloading so that you can uninstall your addon before loading a new version.

ryerson...@gmail.com

Feb 5, 2016, 12:55:43 PM
to OWASP ZAP Developer Group
So I deleted my two previous questions because I figured it out.

After importing, I have the following.
  • community-scripts
  • zap-core-help
  • zap-extensions
  • zap-extensions_alpha
  • zap-extensions_beta
  • zaproxy
1) I created a new package called simpleExtension under zap-extensions_alpha.
2) Edited the build.xml in zap-extensions_alpha to include several things:
  • <build-addon name="simpleExample" />
  • <target name="deploy-simpleExample" description="deploy the simple example extension">
        <build-deploy-addon name="simpleExample" />
    </target>
3) Select the zaproxy project and run it as a Java application (ZAP - org.zaproxy.zap)
4) Ctrl+L and load the newly created .zap file

Please let me know if the above steps are correct! They work, but that might not mean that they are correct :)

Cheers, Goran.

kingthorin+owaspzap

Feb 5, 2016, 1:15:41 PM
to OWASP ZAP Developer Group
For your step 2 you should need to add a build task, they leverage the generic "build-deploy-addon".
Between your step 2 and 3 did you actually execute the deploy-simpleExample ant task? Note build.xml in the alpha branch already contains a "deploy-simpleExample" task: https://github.com/zaproxy/zap-extensions/blob/alpha/build/build.xml#L559-L561

If you're creating your own addon, let's say called "goranqa", you'd add something like:
<target name="deploy-goranqa" description="deploy the simple example extension">
    <build-deploy-addon name="goranqa" />
</target>

If as a first step you just want to get simpleExample built and deployed then build.xml contains everything you need.

kingthorin+owaspzap

Feb 5, 2016, 1:16:28 PM
to OWASP ZAP Developer Group
Sorry that should have said
"For your step 2 you should NOT need ..."

ryerson...@gmail.com

Feb 5, 2016, 2:09:55 PM
to OWASP ZAP Developer Group
As a first step I just wanted to get simpleExample built and deployed, I should have been clearer.

I am now creating my own called simpleGoranQA and trying to get that deployed.

ryerson...@gmail.com

Feb 5, 2016, 2:26:53 PM
to OWASP ZAP Developer Group
Success! Got my own to deploy.

Step 2) needed to deploy and create the .zap is:

<!-- No .zap file without this -->
<build-addon name="simpleGoranQA" />

<target name="deploy-simpleGoranQA" description="deploy the GoranQA simple example extension">
    <build-deploy-addon name="simpleGoranQA" />
</target>

---

Also, this should be obvious, but for others learning: you need to update all Java references.

---

Now the following is not as obvious, but you also need to update:

ZapAddOn.xml

resources>Messages
resources>help>everything here
resources>help>contents> the html file (I renamed mine and changed the content)

---

Thank you for the help kingthorin+owaspzap. I'll be working on a custom report plugin for ZAP with a few more choices as well as additional exports such as JSON and PDF if there is time. I'll create a separate thread for that.

ryerson...@gmail.com

Feb 5, 2016, 3:59:00 PM
to OWASP ZAP Developer Group
I am looking at various custom plugins and I see many approaches. Is there an approach or plugin you suggest I can look at that uses JPanels and other components? Kind of the Best Practice to follow for creating a ZAP plugin?

ryerson...@gmail.com

Feb 5, 2016, 4:58:03 PM
to OWASP ZAP Developer Group
I am trying to build off of the simpleExtension example and I am using a menu item.

I want a menu item to open a JPanel.

I have already created the JPanel and tested it on its own, just the UI without any triggers or events.

So I have the following:

public class ExtensionSimpleGoranQA extends ExtensionAdaptor {
    // ...
    private ReportingPanel reportingPanel = null;
    // ...

    @Override
    public void hook(ExtensionHook extensionHook) {
        super.hook(extensionHook);

        if (getView() != null) {
            extensionHook.getHookMenu().addToWhat(reportingPanel ());
        }
    }
}

This is where I have trouble: what is the appropriate hook method in this case?

Am I even going about this the right way?

My other class is
public class ReportingPanel extends AbstractPanel implements Tab
the other option would be
public class ReportingPanel extends AbstractFrame

both would work.

kasun balasooriya

Feb 5, 2016, 11:02:29 PM
to zaproxy...@googlegroups.com
Hi! 
I have some blog posts which I created whilst writing my plugin for zap.

Building a Sample Add-on for OWASP ZAP : https://neatrick.wordpress.com/2015/11/12/building-a-sample-add-on-for-owasp-zap/

An Add-on for OWASP ZAP to export alerts of a web application as Issues to JIRA : https://neatrick.wordpress.com/2015/12/14/an-add-on-for-owasp-zap-to-export-alerts-of-a-web-application-as-issues-to-jira/

An Add-on for OWASP ZAP to export alerts of a web application as Issues to JIRA – Part 2 Writing API methods for ZAP-API : https://neatrick.wordpress.com/2016/01/08/an-add-on-for-owasp-zap-to-export-alerts-of-a-web-application-as-issues-to-jira-part-2-writing-api-methods-for-zap-api/

Hope this helps.
 
Thanks and regards! 
 

ryerson...@gmail.com

Feb 9, 2016, 12:43:49 PM
to OWASP ZAP Developer Group
@kasun balasooriya this is great! Thank you for sharing. I spent the weekend relearning Java, haha. I got the basics figured out. I should have an alpha done by the end of the week.

ryerson...@gmail.com

Feb 9, 2016, 12:44:13 PM
to OWASP ZAP Developer Group
I really like the JIRA export plugin, that is such a huge asset!

kasun balasooriya

Feb 9, 2016, 10:22:49 PM
to OWASP ZAP Developer Group
Glad it helped! :) 