suggest new addons

[samcker dodi]

i don't have enough knoweledge for Java to create ZAP proxy add ons but i would like to suggest some add ons to be coded by ZAP community and i think that mat be very useful and push ZAP proxy a lot of steps forward because the only thing Burp pro has that ZAP proxy don't is the hundereds of plug in and add ons and here is a list of addons i suggest to be coded for ZAP :-

1- json beautifier 

2- addons to deal with Graphql requests that show the injection points 

3- HTTP smuggler add ons 

4- JWT attacks 

5- Javascript parser for endpoints and variable and possible sinks lead to Dom XSS

6- content type converter from XML to Json and vice versa 

7- 403 bypasser 

[thc...@gmail.com]

Hi.

Have you checked the existing add-ons?
https://www.zaproxy.org/addons/

Some of the features you list are already available.

Best regards.

[samcker dodi]

Hi 

yes sir i have checked them all and what i mean that this plugin for zap is less effiency than those on burp suite and for example 

1- graphql in zap is only bring the introspection but don't have a seperated tab for injection points like graphql raider in burp 

2- jwt only check for none signature hash but doesn't check for algorithem confusion ( RS256 to HS256 ) 

3- no plugin for http request smuggler in zap 

4- no plugin to enumerate endpoints in js files like those in burp 

so could you please update these plugin so we could only depend on ZAP proxy without any other proxy 

thanks in advance 

[kingthorin+owaspzap]

1 - You can edit any request. I guess we never prefill injection points, but that's no GraphQL related.

2 - Not sure where you got that info but it's simply WRONG ->  OWASP ZAP – ZAP JWT Support Add-on (zaproxy.org)

3 & 4 - ZAP is completely Open Source, we look forward to your contributions :)