import sas function in Passive Rule for send http request


Khaled Nassar

Jan 25, 2021, 12:40:09 PM1/25/21
to OWASP ZAP Scripts

Hi team,
I tried to make a request in a Passive Rule function, but I can't add the sas function.
Can I import it in another tab (instead of Active Scan)?

Simon Bennetts

Jan 25, 2021, 12:43:28 PM1/25/21
to OWASP ZAP Scripts
I'm sorry, I don't follow you.
What do you mean by "sas function"?

Khaled Nassar

Jan 25, 2021, 12:47:24 PM1/25/21
to OWASP ZAP Scripts
Oh sorry, I mean the function in the ZAP active scan rule,
like the example script:

def scanNode(sas, msg):
    # Called by ZAP once per node; msg is the original message for that node.
    print('scan called for url=' + msg.getRequestHeader().getURI().toString())
    # Work on a copy so the original message is not modified.
    msg = msg.cloneRequest()
    # Send the request and wait for the response (no redirect following, no anti-CSRF handling).
    sas.sendAndReceive(msg, False, False)

Simon Bennetts

Jan 25, 2021, 12:51:24 PM1/25/21
to OWASP ZAP Scripts
Passive scan rules cannot make requests - they can look but not touch :)
You'll need to use an active scan rule instead.

Khaled Nassar

Jan 25, 2021, 12:58:30 PM1/25/21
to OWASP ZAP Scripts
Thanks for your response.

I have another question: how can I build something like reflector (https://github.com/elkokc/reflector) to find parameters that are vulnerable to XSS by checking the (<,>,',") chars?
Does this require an extension, or can I do it in ZAP scripts?

thc...@gmail.com

Jan 25, 2021, 1:07:04 PM1/25/21
to zaproxy...@googlegroups.com
That can be implemented with scripts.

There's https://github.com/TypeError/reflect which is available in the
marketplace though.

Best regards.

Khaled Nassar

Jan 25, 2021, 1:16:53 PM1/25/21
to OWASP ZAP Scripts

Hi @thc202,

The reflect ext (https://github.com/TypeError/reflect) is for finding reflected parameters, not for checking for XSS chars (<>'") :(

If I can't do this in ZAP scripts, please send some references about `how to write a ZAP ext by python`.

Thanks :D

thc...@gmail.com

Jan 25, 2021, 1:27:18 PM1/25/21
to zaproxy...@googlegroups.com
Yeah, that add-on is not as automated. (There's a reflected XSS scan
rule in ZAP.)

You can do that with scripts, check
https://github.com/zaproxy/community-scripts for examples on how to send
requests and do other related things.

Best regards.

On 25/01/2021 18:16, Khaled Nassar wrote:
>
> hi @thc202
>
> The reflect ext (https://github.com/TypeError/reflect) is for finding reflected parameters, not
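As an added example (not code from this thread or from the community-scripts repo), the check discussed above written as a ZAP active scan script in Jython: each parameter is set to a marked probe containing `<>"'`, the request is sent with `sas.sendAndReceive`, and an alert is raised for any of those characters that come back unencoded. `sas`, `msg`, `setParam`, `sendAndReceive` and `raiseAlert` follow the ZAP active scan script template; the marker token, alert text and CWE/WASC ids are this example's own choices.

```python
# ZAP active scan script (Jython): ZAP calls scanNode() once per node and scan() once
# per parameter. sas/msg, setParam, sendAndReceive and raiseAlert are the ZAP script
# API; TOKEN, the alert text and the CWE/WASC ids are this example's own choices.
PROBE_CHARS = '<>"\''           # the four characters the thread asks about
TOKEN = 'zRfL7q'                # constructed marker, unlikely to occur naturally
MAX_GAP = 8 * len(PROBE_CHARS)  # longest plausible encoded reflection ('&quot;' is 6 chars)

def build_payload(token=TOKEN, chars=PROBE_CHARS):
    """Probe value: marker, the metacharacters, marker again."""
    return token + chars + token

def unencoded_reflections(body, token=TOKEN, chars=PROBE_CHARS):
    """Return the probe characters that come back verbatim in some reflection."""
    # Only text bracketed by two markers, and short enough to be a single
    # reflection, is inspected, so a raw '<' elsewhere in the page is not a hit.
    found = set()
    start = 0
    while True:
        i = body.find(token, start)
        if i < 0:
            break
        end_first = i + len(token)
        j = body.find(token, end_first)
        if j < 0:
            break
        middle = body[end_first:j]
        if len(middle) > MAX_GAP:
            start = end_first       # orphan marker; resume at the next one
            continue
        found.update(c for c in chars if c in middle)
        start = j + len(token)
    return found

def scanNode(sas, msg):
    pass                            # per-parameter logic lives in scan()

def scan(sas, msg, param, value):
    """Inject the probe into one parameter; alert on characters reflected unencoded."""
    payload = build_payload()
    sas.setParam(msg, param, payload)
    sas.sendAndReceive(msg, False, False)   # no redirects, no anti-CSRF handling
    hits = unencoded_reflections(msg.getResponseBody().toString())
    if hits:
        sas.raiseAlert(1, 2, 'Unencoded reflection of XSS metacharacters',
                       'The parameter value is echoed without HTML encoding.',
                       msg.getRequestHeader().getURI().toString(), param, payload, '',
                       'Contextually encode the reflected value.',
                       ''.join(sorted(hits)), 79, 8, msg)
    return sorted(hits)
```

Encoded echoes such as `&lt;&gt;&quot;&#39;` produce no alert; only characters returned verbatim between the two markers are reported.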