Hi everyone,
I was recently conducting an assessment on a target in an intranet not using HTTPS secure connections, but HTTP. Long story short, my PoC revolved around uploading an SVG file that was not properly sanitized, which, when accessed in the browser, would trigger an internal network scan of IP addresses, domains, and ports used by various DBMSs. Once the scan begins, ZAP automatically calls each target, for example http://192.168.5.1, but the browser forces the use of https://192.168.5.1, resulting in a 404.
I tried to use Zest first, then JavaScript to make a simple HTTPSender script to convert all HTTPS URLs to HTTP:

    var originalUrl = msg.getRequestHeader().getURI().toString();
    if (originalUrl.startsWith("https://")) {
        var newUrl = originalUrl.replace("https://", "http://");
        msg.getRequestHeader().getURI().setURI(newUrl);
    }
but the scripts were breaking. It seems the ZAP API is strict about how URIs are handled.
I finally got a working solution, full code below. Not sure if anybody ever had the same issue, but there you are:
    function sendingRequest(msg, initiator, helper) {
        var uri = msg.getRequestHeader().getURI();
        // Check if the URL starts with "https"
        if (uri.getScheme().equalsIgnoreCase("https")) {
            // Construct the new URL by replacing "https" with "http"
            var newUrl = uri.toString().replace("https", "http");
            // Reconstruct the URI with the new scheme
            uri = new org.apache.commons.httpclient.URI(newUrl, true);
            // Update the port to 80 if it's currently set to 443
            if (uri.getPort() == 443) {
                uri.setPort(80);
            }
            // Update the request header with the new URI
            msg.getRequestHeader().setURI(uri);
        }
    }
yours ever,
Bruno
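As an added example (not Bruno's script), the same downgrade with the scheme/port rewrite pulled out into a pure function that can be checked outside ZAP, and with the rewrite limited to an explicit list of in-scope intranet hosts so the proxy does not strip TLS from every other request passing through it. It assumes ZAP's HTTPSender hook names (sendingRequest/responseReceived) and the commons-httpclient URI class used in the post; the host list is constructed.

```javascript
// Constructed list of in-scope intranet hosts for which an HTTPS->HTTP
// downgrade is acceptable; everything else is left untouched.
var DOWNGRADE_HOSTS = ["192.168.5.1", "192.168.5.2", "db.intranet.local"];

// Returns the rewritten http:// URL, or null when no rewrite should happen
// (not https, or host not in the allowed list).
function downgradeUrl(url, allowedHosts) {
  // scheme, host (bracketed IPv6 or plain), optional explicit port, rest
  var m = /^https:\/\/(\[[^\]]*\]|[^\/:?#]+)(?::(\d+))?(.*)$/i.exec(url);
  if (!m) return null;
  var host = m[1], port = m[2], rest = m[3];
  if (allowedHosts.indexOf(host.toLowerCase()) === -1) return null;
  // Explicit :443 becomes the implicit http port (80); any other explicit
  // port (e.g. 8443) is kept, since it is not the TLS default.
  var newPort = port === undefined || port === "443" ? "" : ":" + port;
  return "http://" + host + newPort + rest;
}

// ZAP HTTPSender hook: rewrite the request URI before it leaves the proxy.
function sendingRequest(msg, initiator, helper) {
  var header = msg.getRequestHeader();
  var newUrl = downgradeUrl(header.getURI().toString(), DOWNGRADE_HOSTS);
  if (newUrl !== null) {
    // Same reconstruction as in the original post: ZAP's URI class, escaped form.
    header.setURI(new org.apache.commons.httpclient.URI(newUrl, true));
  }
}

// Required by the HTTPSender script template; nothing to do on the response.
function responseReceived(msg, initiator, helper) {}
```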