modify request/response


nwg

Jan 20, 2015, 5:48:17 PM
to zaproxy...@googlegroups.com
I am brand new to ZAP today and have been scouring the web trying to find a simple example of scripting to automate the modification of a response or a header.

The goal here is to redirect a request to something like a css file to a local file or even to a file on a localhost.

I was recently forced onto a Mac machine, and this is something I know how to do with Fiddler on a Windows machine, but that isn't an option anymore.

Any help would be most appreciated. 

Is there a script cookbook somewhere that I didn't find? Something like this: http://docs.telerik.com/fiddler/KnowledgeBase/FiddlerScript/ModifyRequestOrResponse

I did see the unofficial repo and will start poking around in there as well.

Thanks

gmaran23

Jan 24, 2015, 12:45:26 PM
to zaproxy...@googlegroups.com
Well, luckily you are in good hands.

Have you checked the existing script templates? Available at [Open ZAP] --> Scripts (on left top) --> Scripting --> Templates --> Proxy --> and there you go, how to modify request or response, a lot of samples. 

You can create a ZEST script from any of these existing templates and modify anything in a request or response. You can also enable or disable your script at will.

ZEST is very easy UI-based scripting. Here is a nice blog to demonstrate that: http://dunnesec.com/category/tools/owasp-zap/owasps-zest-scripting/ . I have scripted in Fiddler, and ZEST scripting is child's play :)

Let us know how it works for you.

kingthorin+owaspzap

Jan 26, 2015, 2:39:32 PM
to zaproxy...@googlegroups.com
Just check the thread list in the group you posted to :)

"Javascript / Proxy / Conditional request rewriting"

nwg

Jan 26, 2015, 6:03:52 PM
to zaproxy...@googlegroups.com
Thank you both for pointing me in the right direction. I am playing with this again, and while I have found the template, my values in the fields aren't working.

I think my regex works for finding the correct request URLs, but my attempts to replace and reroute that are failing.

For my replace value I am using the regex: http.*css/

My replace is then: /Users/<filepath>/css/

Is it possible to replace a request URL with a local file?

kingthorin+owaspzap

Jan 26, 2015, 6:22:15 PM
to zaproxy...@googlegroups.com
Access local files via the file:// handler

http://en.wikipedia.org/wiki/File_URI_scheme#Unix

Using your RegEx only matches the first occurrence:
https://regex101.com/r/iY8nQ9/1

If you use /g then you'll match all (note the invalid match on line 2):
https://regex101.com/r/iY8nQ9/2

This script may give you some help with RegEx usage:
https://groups.google.com/d/msg/zaproxy-scripts/v8DCjjT3TxM/NSiPikI98JQJ

nwg

Jan 27, 2015, 1:33:36 PM
to zaproxy...@googlegroups.com
I can't seem to get local files to load no matter how I format them.

I have been trying to use the file handler article you linked to but no matter how I format the file for my mac machine the request never gets a file loaded.

file:///Users/user/Documents/main.css
file://Users/user/Documents/main.css

file:///MacintoshHD/Users/user/Documents/main.css
file://MacintoshHD/Users/user/Documents/main.css

I have been able to redirect the request to a different css file hosted somewhere else which is helpful to a degree but for my purposes I really need to load a local file.

Is there any type of proxy setting in ZAP or my browser that could be blocking these requests?

Simon Bennetts

Jan 27, 2015, 1:58:36 PM
to zaproxy...@googlegroups.com
Browsers probably access local files directly and don't use the proxy settings.
The only way around this I can think of is to have a local web server and access them that way.

Simon

nwg

Jan 28, 2015, 10:24:57 AM
to zaproxy...@googlegroups.com
Based on tools like NProxy (http://goddyzhao.me/nproxy/), which I can use when I am not on my corp network, I know browsers can/do send those requests through a proxy.

Is this something that could be a feature request for ZAP?

Simon Bennetts

Feb 5, 2015, 9:40:39 AM
to zaproxy...@googlegroups.com
I'm sure it could be :)
But could you explain exactly what you want the feature to provide?

Cheers,

Simon

nwg

Feb 9, 2015, 2:47:23 PM
to zaproxy...@googlegroups.com
My goal is to replace certain css files being called by the browser with local copies.

From my tests it appears that ZAP can't replace http requests with file:// handler paths. 

I linked to NProxy previously which may be operating on something other than the request but is able to do this. It just doesn't support an upstream proxy like ZAP does. 


Simon Bennetts

Feb 10, 2015, 6:34:45 AM
to zaproxy...@googlegroups.com
Can you share your script?
I can see why this would be useful, and if ZAP doesn't currently allow it then we should be able to fix it so that it does.

Cheers,

Simon

kingthorin+owaspzap

Feb 10, 2015, 8:54:03 AM
to zaproxy...@googlegroups.com
I just did a quick PoC for this with images. Firefox and IE don't seem happy to load images using the file:/// handler when content was served remotely... I didn't test this extensively, but it seems like a browser issue, not a ZAP issue.

However, if I set up a local web server[1] it was quite easy to do the replacement of remote content with local content (http://localhost/<whatever>). I just used a proxy script and set up the proxyResponse function to look for a page containing the thing I wanted to replace, then did a:
msg.setResponseBody(msg.getResponseBody().toString().replace("http://somesite.com/thing.jpg", "http://localhost/bullseye.jpeg"));

when the condition was met.

[1] I find TinyWeb handy: https://www.ritlabs.com/en/products/tinyweb/
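
The approach described in the post above, written out as a full proxy script. This is an added example, not part of the original post or of ZAP's own templates. The helpers escapeRegExp, rewriteBody and makeMockMessage are hypothetical names, the Content-Length update is an addition, and the mock message is a constructed stand-in so the script also runs outside ZAP:

```javascript
// Added example: ZAP-style proxy script. proxyRequest/proxyResponse are the
// hooks the Proxy script templates define; the helper names are illustrative.
var REMOTE = "http://somesite.com/thing.jpg";   // URL from the post above
var LOCAL = "http://localhost/bullseye.jpeg";   // served by a local web server

// Escape regex metacharacters so "." in the URL matches only a literal dot.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Replace every occurrence (the "g" flag), not just the first one.
function rewriteBody(body) {
  return body.replace(new RegExp(escapeRegExp(REMOTE), "g"), LOCAL);
}

function proxyRequest(msg) {
  return true; // forward requests unchanged
}

function proxyResponse(msg) {
  // String(...) coerces a Java string to a JavaScript string inside ZAP.
  var body = String(msg.getResponseBody().toString());
  if (body.indexOf(REMOTE) !== -1) {
    msg.setResponseBody(rewriteBody(body));
    // Keep Content-Length in step with the modified body.
    msg.getResponseHeader().setContentLength(msg.getResponseBody().length());
  }
  return true; // true = pass the response on to the browser
}

// Constructed stand-in for ZAP's HttpMessage so the script runs under Node.
function makeMockMessage(html) {
  var state = { body: html, contentLength: html.length };
  return {
    getResponseBody: function () {
      return {
        toString: function () { return state.body; },
        length: function () { return state.body.length; }
      };
    },
    setResponseBody: function (s) { state.body = s; },
    getResponseHeader: function () {
      return {
        setContentLength: function (n) { state.contentLength = n; },
        getContentLength: function () { return state.contentLength; }
      };
    }
  };
}
```

Inside ZAP only the two constants, the two helpers and the proxyRequest/proxyResponse functions are needed; the mock is there for running the script on its own.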

kingthorin+owaspzap

Feb 18, 2015, 8:00:15 AM
to zaproxy...@googlegroups.com
nwg, did you ever come up with a working solution?

nwg

Feb 20, 2015, 1:20:52 PM
to zaproxy...@googlegroups.com
I am working on a deadline at work and haven't been able to play with this recently, but I will get back to it soon, I hope.

One comment I do have is that I don't believe it to be a browser issue, because I can use NProxy with any browser on my Mac.