How to override HTTP response in HTTP Sender


NewZapScripter

Sep 8, 2021, 8:07:52 AM
to OWASP ZAP Scripts
Hello there, 

I am trying to write a HTTP Sender script that drops requests to certain URLs.

To start off, I have been playing around with converting the example Proxy script "Drop messages not in scope.js" to a HttpSender script. See below:

function sendingRequest(msg, initiator, helper) {
    if (!msg.isInScope()) {
        print("Msg not in scope: " + msg.getRequestHeader().getURI().toString());
        // Replace the response with a fixed 403 page
        msg.setResponseBody("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n" +
            "<html><head></head><body><h1>403 Forbidden</h1>\n" +
            "Out of scope request blocked by ZAP script 'Drop requests not in scope.js'\n" +
            "</body></html>");
        msg.setResponseHeader("HTTP/1.1 403 Forbidden\r\n" +
            "Content-Type: text/html; charset=UTF-8");
        msg.getResponseHeader().setContentLength(msg.getResponseBody().length());
        msg.getResponseHeader().setStatusCode(403);
    }
    return msg;
}

I can see the "Msg not in scope" messages in the script output console, but the response is not being overridden with the content I have specified - it is still doing a normal request. Any idea how I properly send a fake response back?

kingthorin+owaspzap

Sep 8, 2021, 8:13:42 AM
to OWASP ZAP Scripts
You should probably print the message IDs. Chances are you're seeing script output for something that isn't in scope but then seeing traffic for something that is in scope.

NewZapScripter

Sep 8, 2021, 8:28:57 AM
to OWASP ZAP Scripts
The IDs look OK to me. 

So it should be possible to correctly set the response body and header via setResponseBody() and setResponseHeader() in the HTTP Sender sendingRequest() function?

This code works fine as a Proxy but I was wondering if there is something different in the HTTP Sender (apart from the fact that it is called on all ZAP requests / responses).

NewZapScripter

Sep 8, 2021, 8:34:19 AM
to OWASP ZAP Scripts
So, if I add some print statements before the return as follows:

    print(msg.getResponseHeader().toString());
    print(msg.getResponseBody().toString());
    return msg;

I see the response body and header that I expect. But it seems that the request is still being passed on to the URL and then my response is being overwritten?

kingthorin+owaspzap

Sep 8, 2021, 8:46:33 AM
to OWASP ZAP Scripts
I don't have ZAP in front of me so I can't test this. But I believe if you don't actually want to send the message then you'd have to return null or set the request URL to something that's going to fail. Then set the response in the responseReceived method.

That's just off the top of my head. I can actually look into it later.

NewZapScripter

Sep 8, 2021, 8:46:47 AM
to OWASP ZAP Scripts
Ok, so I looked at the HttpSenderScript.java code and it says that only the request should be modified, so it appears that I am incorrectly trying to set the response.

In which case, how do I just drop the requests in sendingRequest()?

NewZapScripter

Sep 8, 2021, 8:47:55 AM
to OWASP ZAP Scripts
Thanks kingthorin - I'll try the approach that you suggested.

thc...@gmail.com

Sep 8, 2021, 9:08:14 AM
to zaproxy...@googlegroups.com
Hi.

The HTTP Sender scripts can't prevent a message from being sent. They can just modify it.

Best regards.

kingthorin+owaspzap

Sep 8, 2021, 11:52:15 AM
to OWASP ZAP Scripts
Trust thc202, he knows the code base better than I do :-)

NewZapScripter

Sep 8, 2021, 12:03:33 PM
to OWASP ZAP Scripts
Ha ha! Thank you! I've managed to get this working by modifying the request to a failure URI in sendingRequest() and overriding the HTTP response in responseReceived() as suggested.

Cheers :-)
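The arrangement the thread settles on (re-point the request in sendingRequest(), overwrite the answer in responseReceived()), written out as an added example that is not code from the thread or from the ZAP project. SINK is an assumed placeholder for a local endpoint you control that answers quickly, and fakeMessage() is a constructed stand-in for ZAP's HttpMessage used only to exercise the two hooks outside ZAP.

```javascript
// ZAP HTTP Sender script: out-of-scope requests never reach their target.
// Assumption: SINK is a placeholder for a listener you control, not a ZAP value.
var SINK = "http://127.0.0.1:8081/zap-sink";
var BLOCK_PAGE = "<html><body><h1>403 Forbidden</h1>" +
  "Out of scope request blocked by ZAP script</body></html>";

// Inside ZAP, setURI() takes a commons-httpclient URI; under plain Node
// (offline self-test only) the string itself is enough.
function makeUri(s) {
  if (typeof Java !== "undefined") {
    var URI = Java.type("org.apache.commons.httpclient.URI");
    return new URI(s, true);
  }
  return s;
}

// sendingRequest() may only change the request, so divert it to the sink and
// carry the original target along in the query string for later reporting.
function sendingRequest(msg, initiator, helper) {
  if (msg.isInScope()) { return; }
  var original = msg.getRequestHeader().getURI().toString();
  msg.getRequestHeader().setURI(makeUri(SINK + "?orig=" + encodeURIComponent(original)));
}

// responseReceived() replaces whatever the sink answered with a 403 page;
// requests that were not diverted are left untouched.
function responseReceived(msg, initiator, helper) {
  if (msg.getRequestHeader().getURI().toString().indexOf(SINK) !== 0) { return; }
  msg.setResponseHeader("HTTP/1.1 403 Forbidden\r\n" +
    "Content-Type: text/html; charset=UTF-8\r\nConnection: close");
  msg.setResponseBody(BLOCK_PAGE);
  msg.getResponseHeader().setContentLength(msg.getResponseBody().length());
}

// Constructed minimal HttpMessage look-alike (only the methods used above).
function fakeMessage(uri, inScope) {
  var req = uri, status = 200, len = 0, body = "";
  return {
    isInScope: function () { return inScope; },
    getRequestHeader: function () {
      return { getURI: function () { return { toString: function () { return req; } }; },
               setURI: function (u) { req = String(u); } };
    },
    setResponseHeader: function (h) { status = parseInt(h.split(" ")[1], 10); },
    getResponseHeader: function () {
      return { getStatusCode: function () { return status; },
               setContentLength: function (n) { len = n; },
               getContentLength: function () { return len; } };
    },
    setResponseBody: function (b) { body = b; },
    getResponseBody: function () { return { length: function () { return body.length; } }; }
  };
}
```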
