Javascript/Sender/Convert Https To Http

21 views
Skip to first unread message

Bruno Ronda

unread,
Aug 30, 2024, 5:29:52 PM8/30/24
to ZAP Scripts
Hi everyone,

I was recently  conducting an assessment on a target in an intranet not using Https secure connections, but Http. Long story short, my PoC revolved around uploading an SVG file not properly sanitized, that when accessed on the browser would trigger an internal network scan, IP addresses, domains, and ports used by various DBMS. Once the scan begins, then ZAP automatically calls each target for example http://192.168.5.1, but the browser forces the use of https://192.168.5.1, resulting on 404.

I tried to use Zest first, then Javascript to make a simpe HTTPSender script to convert all Https URLs to Http:

var originalUrl = msg.getRequestHeader().getURI().toString();
if (originalUrl.startsWith("https://")) {
var newUrl = originalUrl.replace("https://", "http://");
msg.getRequestHeader().getURI().setURI(newUrl);
but the scripts where breaking. It seems ZAP API is strict about how URIs are handled. 

I finally got a working solution, full code below. Note sure if anybody ever had the same issue but there you are:

function sendingRequest(msg, initiator, helper) {
var uri = msg.getRequestHeader().getURI();

// Check if the URL starts with "https"
if (uri.getScheme().equalsIgnoreCase("https")) {
// Construct the new URL by replacing "https" with "http"
var newUrl = uri.toString().replace("https", "http");

// Reconstruct the URI with the new scheme
uri = new org.apache.commons.httpclient.URI(newUrl, true);

// Update the port to 80 if it's currently set to 443
if (uri.getPort() == 443) {
uri.setPort(80);
}

// Update the request header with the new URI
msg.getRequestHeader().setURI(uri);
}
}

yours ever,

Bruno

Simon Bennetts

unread,
Sep 2, 2024, 5:02:53 AM9/2/24
to ZAP Scripts
Hi Bruno,

Do you have the HUD enabled?
If so then disable it, as it forces HTTP -> HTTPS.

Cheers,

Simon
Reply all
Reply to author
Forward
0 new messages