import sas function in Passive Rule for send http request
Khaled Nassar
Jan 25, 2021, 12:40:09 PM
to OWASP ZAP Scripts
Hi team,
I tried to make a request in a Passive Rule function but I can't add the sas function.
Can I import it in another tab (instead of Active Scan)?
Simon Bennetts
Jan 25, 2021, 12:43:28 PM
I'm sorry, I don't follow you.
What do you mean by "sas function"?
Khaled Nassar
Jan 25, 2021, 12:47:24 PM
Oh sorry, I mean the function in the ZAP active scan rule,
like the example script:
def scanNode(sas, msg):
    print('scan called for url=' + msg.getRequestHeader().getURI().toString())
    msg = msg.cloneRequest()
    sas.sendAndReceive(msg, False, False)
Simon Bennetts
Jan 25, 2021, 12:51:24 PM
Passive scan rules cannot make requests - they can look but not touch :)
You'll need to use an active scan rule instead.
Khaled Nassar
Jan 25, 2021, 12:58:30 PM
Thanks for your response.
I have another question: how can I build something like reflector (https://github.com/elkokc/reflector) to find parameters that are vulnerable to XSS by checking the (<, >, ', ") chars?
Does this require an extension, or can I do it in ZAP scripts?
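Added example, not part of the original thread and not ZAP project code: an active scan rule script (Jython) that sends the request a passive rule is not allowed to send, then reports which of the four characters named above come back unencoded for each parameter of an application you are testing. It assumes the standard active-rule entry points scanNode/scan and sas.setParam; the marker value and the helper names are made up for illustration.

```python
import re

PROBE_CHARS = ['<', '>', "'", '"']   # the characters named in the thread
MARKER = 'zq7x'                      # constructed marker (hypothetical value)


def build_probe(marker=MARKER):
    """Wrap the probe characters in a marker so the reflection can be located."""
    return marker + ''.join(PROBE_CHARS) + marker


def reflected_raw_chars(body, marker=MARKER):
    """Return the probe characters that appear unencoded between two markers."""
    found = set()
    pattern = re.escape(marker) + r'(.*?)' + re.escape(marker)
    for segment in re.findall(pattern, body, re.S):
        if len(segment) > 64:
            continue  # markers too far apart: not one reflection of our value
        found.update(c for c in PROBE_CHARS if c in segment)
    # Encoded forms (&lt;, &quot;, %3C, ...) contain no raw probe character,
    # so a correctly encoding sink yields an empty list.
    return [c for c in PROBE_CHARS if c in found]


def scanNode(sas, msg):
    # Called once per node; the per-parameter work happens in scan().
    pass


def scan(sas, msg, param, value):
    # Called by ZAP once per parameter. Work on a copy, as in the script above.
    msg = msg.cloneRequest()
    sas.setParam(msg, param, build_probe())
    sas.sendAndReceive(msg, False, False)
    chars = reflected_raw_chars(msg.getResponseBody().toString())
    if chars:
        print('param ' + param + ' reflects unencoded: ' + ' '.join(chars) +
              ' at ' + msg.getRequestHeader().getURI().toString())
```

A parameter that lists no characters is either not reflected or is encoded on output; one that lists any is where output encoding needs review.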
thc...@gmail.com
Jan 25, 2021, 1:07:04 PM