Global Variable in ZAP desktop/docker
609 views
Skip to first unread message
Wojciech Kopec
Feb 1, 2022, 7:08:59 AM2/1/22
to OWASP ZAP User Group
My custom scripts which are of type httpSender/Authentication written in python/jython needs access to attacked target URL (-t in zap-docker). I'm looking for some way to provide such URL as some kind of global accessible variable, both in desktop/docker, preferably in docker.
How can I achieve something like that? I've tried setting global variable in provided python hooks script, but no success for now.
Simon Bennetts
Feb 1, 2022, 7:10:58 AM2/1/22
to OWASP ZAP User Group
Global variables are the way to go and should work fine.
What have you tried?
Cheers,
Simon
Wojciech Kopec
Feb 1, 2022, 7:42:41 AM2/1/22
to OWASP ZAP User Group
Tried doing in in hooks script such as below:
def zap_started(zap, target):
os.environ['TARGET_URL'] = target
def zap_started(zap, target):
print("Env property: {} = {})".format('TARGET_URL', os.environ.get('TARGET_URL','[EMPTY]')))
os.environ['TARGET_URL'] = target
def zap_started(zap, target):
print("Env property: {} = {})".format('TARGET_URL', os.environ.get('TARGET_URL','[EMPTY]')))
So basically using Python way to set OS variables, saving it in one hook, and trying to read in in other for confirmation.
I see there is org.zaproxy.zap.extension.script.ScriptVars in JavaDocs which can allow it but can it be used in pure Python scripts as in hooks?
Simon Bennetts
Feb 1, 2022, 7:49:59 AM2/1/22
to OWASP ZAP User Group
Ah ok, so you are using python/OS variables - I was thinking you were using the ZAP script global variables: https://www.zaproxy.org/docs/desktop/addons/script-console/
The hook script runs outside of ZAP and therefore it cannot access any of the ZAP internal data directly.
It can only interact with ZAP via the ZAP API.
Luckily you can read and write to the ZAP script global vars via the API, eg https://www.zaproxy.org/docs/api/#scriptactionsetglobalvar
Cheers,
Simon
Reply all
Reply to author
Forward
0 new messages