Sending a simple HTTP request


lulu vatu

May 14, 2020, 11:04:03 AM
to OWASP ZAP Scripts
Hi,

I want to write a JavaScript script that sends an HTTP request to a chosen URL. The URL is not in the scope, and I don't want it to be in the scope (so it will not be scanned by ZAP Proxy).

How can I do it?

Thanks.

kingthorin+owaspzap

May 14, 2020, 10:51:01 PM
to OWASP ZAP Scripts
Use a stand alone script.

lulu vatu

May 17, 2020, 4:23:46 PM
to OWASP ZAP Scripts
How do I execute a standalone JavaScript script within the zap-api-scan.py?

I can run 'httpsender' script, but I can't run any 'standalone' script.

My script is here:

print("Hello")

I have added zap.load() and zap.enable() to load and enable the script, but the call to zap.enable returns an error 400, and my script is not executed.



On Friday, May 15, 2020 at 04:51:01 UTC+2, kingthorin+owaspzap wrote:
Use a stand alone script.

Simon Bennetts

May 18, 2020, 4:54:09 AM
to OWASP ZAP Scripts

Can you explain what your end goal is?
Standalone scripts might not be your best option, but it all depends on what you are trying to achieve.

lulu vatu

May 18, 2020, 6:30:52 AM
to OWASP ZAP Scripts
I tried this API call, and the zap-api-scan.py is giving me an error.

So here is the test I want to implement:

1) I want to test whether certain URLs (e.g. http://localhost/test) are accessible (they return an HTTP status code of 200)
2) If the URL is accessible then there is a vulnerability

I succeeded in doing this, but not in a beautiful way. Here is how I did it:

1) I created a custom JavaScript script to capture the response and check the URL of the response and the status code
2) I loaded and enabled this JS script via the Python API in the zap-api-scan.py file (zap.script.load/zap.script.enable)
3) I added the wanted URL to the ZAP scope via the Python API in the zap-api-scan.py: zap.core.access_url(http://localhost/test)

So it's working well, but there are two problems:

1) If I want to add other test case scenarios, I will have to heavily modify zap-api-scan.py again, and I want to avoid that and contain these test cases inside one file only
2) I don't want to execute any other test (SQL Injection, ...) other than the custom one I created for that particular URL (http://localhost/test)

However, I think I might achieve this scan with the help of hooks. I created a hook and I successfully executed the code inside my hooks. Since I have access to the zap object context in that hook, I guess I can now raise alerts to the ZAP proxy core and successfully implement my custom test case.

lulu vatu

May 18, 2020, 2:55:08 PM
to OWASP ZAP Scripts
I'm receiving an error code 400 when I'm executing this for example:

import requests

# API key is sent in the X-ZAP-API-Key header
headers = {
  'Accept': 'application/json',
  'X-ZAP-API-Key': 'API_KEY'
}

# Ask ZAP to run a standalone script by name
r = requests.get('http://zap/JSON/script/action/runStandAloneScript/', params={
  'scriptName': 'string'
}, headers=headers)

print(r.json())


I'm also receiving an error 400 when I call /addAlert, but all other API calls are fine.

Any idea?

lulu vatu

May 18, 2020, 4:47:17 PM
to OWASP ZAP Scripts
One of the developers helped me with that problem on IRC. You have to load standalone scripts as well; you can't simply run them. Standalone scripts work the same way as other script types (httpsender, etc.).

Resolved, thank you for the help.
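
The resolution above (load the standalone script, then run it) as an added example that is not part of the original thread. It uses the ZAP script API's load and runStandAloneScript actions with the header and http://zap host from the post; the script name, file path and engine name are assumptions, and the transport is injectable so the call order can be checked without a running ZAP.

```python
import urllib.error
import urllib.parse
import urllib.request

ZAP_BASE = "http://zap"   # API host as written in the thread (resolves when proxying through ZAP)
API_KEY = "API_KEY"       # placeholder, as in the thread


def http_fetch(url, headers):
    """Real transport: GET the API URL and return (status, body text)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # e.g. the error 400 reported in the thread
        return err.code, err.read().decode("utf-8", "replace")


def script_action(action, params, fetch):
    """Call one /JSON/script/action/<action>/ endpoint; raise on any non-200 status."""
    query = urllib.parse.urlencode(params)
    url = "%s/JSON/script/action/%s/?%s" % (ZAP_BASE, action, query)
    status, body = fetch(url, {"Accept": "application/json", "X-ZAP-API-Key": API_KEY})
    if status != 200:
        raise RuntimeError("%s failed with HTTP %d: %s" % (action, status, body))
    return body


def load_and_run_standalone(name, file_name, engine="Oracle Nashorn", fetch=http_fetch):
    """Load the standalone script into ZAP first, then run it by name."""
    script_action("load", {
        "scriptName": name,
        "scriptType": "standalone",
        "scriptEngine": engine,     # assumption: must match an engine installed in your ZAP
        "fileName": file_name,      # path as seen by the ZAP process
    }, fetch)
    # Runs only if the load call returned 200; a failed load raises above.
    return script_action("runStandAloneScript", {"scriptName": name}, fetch)


if __name__ == "__main__":
    # Hypothetical script name and path, for illustration only.
    print(load_and_run_standalone("hello.js", "/zap/wrk/hello.js"))
```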