Can we send a POST request from external source and validate in ZAP?


Sridatta S P

Sep 27, 2022, 2:42:34 AM
to OWASP ZAP Developer Group
The requirement is to send POST requests from an external source like excel or csv or .json etc. If yes, then please let me know whether the below listed actions can be performed.

1. Please let me know the format required, i.e., the excel or csv template (headers and values).

2. How do we send requests from excel or csv to ZAP and perform an active scan?

Thanks & Regards,
Sridatta

thc...@gmail.com

Sep 27, 2022, 3:06:48 AM
to zaproxy...@googlegroups.com
Hi.

Better to use the HTTP Archive format, which can be imported with the
Export/Import add-on:
https://www.zaproxy.org/docs/desktop/addons/import-export/

Best regards.
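The first question asked what template an external source should use. One concrete way to follow the HAR suggestion in this reply is to convert the exported rows into a HAR 1.2 file and then import that file with the Export/Import add-on. The script below is an added example written for this thread, not ZAP's own code and not something a poster supplied: it assumes a JSON list with url/method/headers/body fields (the sample list is constructed), and it assumes the add-on accepts an entry whose response is only a placeholder, which is worth checking on the first import.

```python
"""Turn a JSON list of requests into a HAR 1.2 file for the ZAP Export/Import
add-on to import.  Added example, not ZAP's code nor from this thread.
Assumptions: each request has url, method, headers (dict) and body (str);
the sample list is constructed; the placeholder response is accepted on import."""
import json
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input (not real data): one JSON POST, one GET.
SAMPLE_REQUESTS = [
    {"url": "https://app.example/api/items", "method": "POST",
     "headers": {"Content-Type": "application/json",
                 "Cookie": "JSESSIONID=PLACEHOLDER; theme=dark"},
     "body": '{"name": "widget", "qty": 2}'},
    {"url": "https://app.example/search?q=x", "method": "GET"},
]


def har_headers(headers):
    """HAR stores headers as a list of {name, value} objects, not a dict."""
    return [{"name": k, "value": v} for k, v in headers.items()]


def har_cookies(headers):
    """Split a 'Cookie: a=1; b=2' header into HAR cookie objects."""
    raw = next((v for k, v in headers.items() if k.lower() == "cookie"), "")
    cookies = []
    for part in raw.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies.append({"name": name, "value": value})
    return cookies


def har_entry(req):
    """One HAR entry: the full request plus a placeholder response
    (the HAR schema requires a response object per entry)."""
    headers = req.get("headers", {})
    body = req.get("body", "")
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    request = {
        "method": req.get("method", "POST").upper(),
        "url": req["url"],
        "httpVersion": "HTTP/1.1",
        "cookies": har_cookies(headers),
        "headers": har_headers(headers),
        "queryString": [{"name": k, "value": v}
                        for k, v in parse_qsl(urlsplit(req["url"]).query)],
        "headersSize": -1,
        "bodySize": len(body.encode()),
    }
    if body:  # postData only exists for requests that carry a body
        request["postData"] = {"mimeType": ctype, "text": body}
    return {
        "startedDateTime": datetime.now(timezone.utc).isoformat(),
        "time": 0,
        "request": request,
        "response": {"status": 0, "statusText": "", "httpVersion": "HTTP/1.1",
                     "cookies": [], "headers": [], "redirectURL": "",
                     "content": {"size": 0, "mimeType": ""},
                     "headersSize": -1, "bodySize": -1},
        "cache": {},
        "timings": {"send": 0, "wait": 0, "receive": 0},
    }


def har_log(requests):
    """Top-level HAR document wrapping one entry per request."""
    return {"log": {"version": "1.2",
                    "creator": {"name": "json-to-har example", "version": "0"},
                    "entries": [har_entry(r) for r in requests]}}


def write_har(path, requests):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(har_log(requests), fh, indent=2)


if __name__ == "__main__":
    write_har("requests.har", SAMPLE_REQUESTS)   # then import this file in ZAP
```

Once the file is imported, the messages appear in the History and Sites tree, and from there an active scan can be started in the usual way. Keeping the Cookie header in the row means the imported request carries whatever session was exported; a real scan still needs that session to be valid.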

psiinon

Sep 27, 2022, 3:12:52 AM
to OWASP ZAP Developer Group
Or you can use a 3rd party tool like curl and proxy that through ZAP :)

Sridatta S P

Sep 27, 2022, 6:39:46 AM
to OWASP ZAP Developer Group
Thanks. 

Queries on better approach:
1. Can we save a site from the result tree as a HAR file?

2. What is the next action after importing the HAR file? A progress bar gets displayed and shows as completed.

3. Can we run all of the below steps through the CLI?
Steps: save the result tree site as .har, import it and run an active scan?

Regards,
Sridatta

kingthorin+owaspzap

Sep 27, 2022, 1:05:34 PM
to OWASP ZAP Developer Group
Why would you export and import just to scan? If you've got stuff in the Sites Tree just go ahead and scan.

kingthorin+owaspzap

Sep 27, 2022, 1:06:23 PM
to OWASP ZAP Developer Group

> 3. Can we run all of the below steps through CLI?


On Tuesday, September 27, 2022 at 6:39:46 AM UTC-4 srida...@gmail.com wrote:

Sridatta S P

Sep 28, 2022, 1:35:21 AM
to OWASP ZAP Developer Group
Yes, we can select and scan from the UI, but we are looking for a way to select a few sites or filter POST requests, export them, import and trigger the scan automatically through the CLI.
We are exploring possibilities to automate all of this through the CLI and to avoid dependency on the UI.

Thanks & Regards,
Sridatta

psiinon

Sep 28, 2022, 5:48:28 AM
to OWASP ZAP Developer Group
Hi Sridatta,

This is possible through the ZAP desktop, however I can definitely see the benefit of supporting it via automation as well.
There are currently no "export" API endpoints for the exim add-on and no Automation Framework jobs either.
I think we should add options to export URLs in HAR format, both specified URLs and recursively from a given URL.
Anyone else have any other suggestions for export automation options we should support?

Cheers,

Simon

alex van

Sep 29, 2022, 4:42:01 PM
to zaproxy...@googlegroups.com
I have a similar situation as described above. All the POSTs are saved in a JSON file, and it also requires the cookies for the credential login.

Currently I have tried to use curl to send POST requests to ZAP, but I have to extract the cookies and send them together with the URL info to ZAP. If there is no other alternative way, probably this can help.

regards,
alex

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/zaproxy-develop/a1565507-79c2-4a69-b480-fbbed0bb7cdfn%40googlegroups.com.

Sridatta S P

Sep 30, 2022, 4:10:13 AM
to OWASP ZAP Developer Group
Thank you Simon. 

Alternatively, is there any way to send/receive the request/response through the CLI?
Here "request" refers to the right panel of the ZAP desktop which gets displayed when any URL is selected.

Thanks & Regards,
Sridatta

Sridatta S P

Sep 30, 2022, 4:11:53 AM
to OWASP ZAP Developer Group
Hi Alex,

Can you please share any examples of sending a POST request in curl?
I'm looking to send a 'request' with header & body text.

Thanks & Regards,
Sridatta

On Friday, September 30, 2022 at 2:12:01 AM UTC+5:30 alexv...@gmail.com wrote:

psiinon

Oct 4, 2022, 7:21:54 AM
to OWASP ZAP Developer Group

Sridatta S P

Oct 5, 2022, 3:30:41 AM
to zaproxy...@googlegroups.com
Thank you :)

I tried a POST request to our https site but I see the response "invalid authentication header" with a 400 code.

My POST request is as below:
curl -k -v -H <headers has content type and cookie> -u username:pwd -X POST <url> --proxy <zapproxy url>

Our website uses a CSRF token also. Do we need to pass that as well? If yes, in what format?

Thanks & Regards,
Sridatta


psiinon

Oct 5, 2022, 3:36:57 AM
to OWASP ZAP Developer Group
Launch a browser from ZAP, navigate to the right page and submit the form.
You should see the POST request in ZAP.
Then right click the POST request, "Invoke with Script..." and select that script - it will generate the correct curl command.

Cheers,

Simon

Sridatta S P

Oct 7, 2022, 10:33:02 PM
to zaproxy...@googlegroups.com
Hi Simon,

Thank you. The steps helped.
But I'm getting a 302 response now with the POST request.

Steps as follows:

1/ I copied the cookie ID and headers from the sample POST request and sent it as a curl command with a change in the object name to submit.

2/ The curl command is listed in the ZAP desktop, but with a 302 response and an empty response body.

So my queries are as below, as I'm guessing it is session related:

1/ Does ZAP persist the session once the user has logged in, so that we can send/receive requests with just the same cookie or session ID via curl?

Or

1/ Do we have to create a curl command which performs the login every time, copies the session ID and then sends the POST request?

Please let me know your inputs.

Thanks & regards,
Sridatta



psiinon

Oct 10, 2022, 6:08:57 AM
to OWASP ZAP Developer Group
The initial requirement was just "Requirement is to send POST requests from an external source like excel or csv or .json etc" :P
I take it you really want to send an "authenticated POST request"?
Adding authentication to the mix really complicates things :/
Do you completely understand how your application handles sessions and authentication?

Cheers,

Simon

Sridatta S P

Oct 10, 2022, 8:13:34 AM
to OWASP ZAP Developer Group
Hi Simon,

Yes, I could get the session ID/CSRF token/tickets to log in successfully.
So login is happening fine now with status 200.

But I see the POST request sent via curl is not creating objects and returns 302.
Since the same request was recorded in ZAP during manual creation, I'm expecting the same POST request to create the object when sent via curl also.

Why this difference?

Thanks & Regards,
Sridatta
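The curl example Sridatta asked for earlier in the thread and the 302-after-login question in the last two posts can both be worked through with a small replay script. The code below is an added example written for this thread, not ZAP's code and not anything a poster supplied: it assumes ZAP is listening on its default 127.0.0.1:8080, uses constructed placeholder rows and a placeholder login form, logs in first so the session cookie comes from a fresh response rather than from a copied header, and refuses to follow redirects so a 302 stays visible together with its Location header. The reading of a 302 in diagnose() is a general heuristic, not a statement about Sridatta's application.

```python
"""Replay POST requests through ZAP as a proxy, logging in first so the
session cookie is fresh, and keep 302s visible instead of following them.
Added example; not ZAP's code nor from this thread.  Assumptions: ZAP listens
on 127.0.0.1:8080 (its default); the rows and the login form are constructed
placeholders; the application redirects unauthenticated requests to a login page."""
import http.cookiejar
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

ZAP_PROXY = "http://127.0.0.1:8080"

# Constructed sample data (not from the thread).  No Cookie header is copied
# in: the cookie jar supplies whatever the login response set.  Anti-CSRF
# tokens are usually per session, so a token copied from an old request is
# a placeholder here and would normally have to be fetched after login.
LOGIN = {"url": "https://app.example/login",
         "form": {"user": "alice", "pass": "PLACEHOLDER"}}
ROWS = [
    {"url": "https://app.example/items", "method": "POST",
     "headers": {"Content-Type": "application/json",
                 "X-CSRF-Token": "PLACEHOLDER_PER_SESSION_TOKEN"},
     "body": json.dumps({"name": "widget"})},
]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the caller sees the raw 3xx response."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def build_opener(proxy=ZAP_PROXY, jar=None, insecure=False):
    """Opener that routes http and https via ZAP and stores cookies in jar.
    insecure=True mirrors curl -k: it skips TLS verification of ZAP's CA."""
    jar = jar if jar is not None else http.cookiejar.CookieJar()
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(jar),
        NoRedirect(),
    )


def make_request(row):
    """Turn one row into a urllib Request with explicit method, headers and body."""
    body = row.get("body", "")
    data = body.encode() if body else None
    return urllib.request.Request(row["url"], data=data,
                                  headers=dict(row.get("headers", {})),
                                  method=row.get("method", "POST").upper())


def send(opener, req):
    """Send and return (status, location, body) even for 3xx/4xx/5xx."""
    try:
        with opener.open(req, timeout=30) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:   # raised for 3xx because of NoRedirect
        return err.code, err.headers.get("Location"), err.read()


def diagnose(status, location):
    """Heuristic reading of a replayed POST's outcome (assumption: the
    application bounces unauthenticated requests to a login page)."""
    if 200 <= status < 300:
        return f"{status}: accepted"
    if status in (301, 302, 303, 307, 308):
        if location and "login" in location.lower():
            return f"{status} to {location}: not authenticated (cookie/token not accepted)"
        return f"{status} to {location}: redirect after POST; check the target to confirm the object was created"
    return f"{status}: rejected"


def replay(rows, login=None, proxy=ZAP_PROXY, insecure=False):
    """Log in once (cookies land in the jar), then replay every row through ZAP."""
    jar = http.cookiejar.CookieJar()
    opener = build_opener(proxy, jar, insecure)
    if login:
        form = urllib.parse.urlencode(login["form"]).encode()
        send(opener, urllib.request.Request(login["url"], data=form, method="POST"))
    results = []
    for row in rows:
        status, location, _ = send(opener, make_request(row))
        results.append((row["url"], diagnose(status, location)))
    return results


if __name__ == "__main__":
    for url, verdict in replay(ROWS, LOGIN, insecure=True):
        print(url, "->", verdict)
```

Every request, the login included, passes through ZAP, so the same messages show up in the History tab and can be selected for an active scan. Because redirects are not followed, a 302 whose Location points at the login page is distinguishable from a 302 that the application issues after a successful create, which is the distinction the last two posts are trying to make.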