Python ZAP API contextregex adds a \ before \Q and \E


Chiel Sprangers

Apr 17, 2019, 10:44:08 AM
to OWASP ZAP User Group
Hello,

I am currently working with the Python API, and when I want to include a regex in the context, an extra \ gets added to \Q and \E. Because of this, the regex doesn't behave the way it should.


Context regex sent to zap

Expected context regex in zap

Context regex in zap

zap.context.context(contextname) output:
{'excludeRegexs': [], 'loggedInPattern': '', 'urlParameterParserClass': 'org.zaproxy.zap.model.StandardParameterParser', 'description': '', 'includeRegexs': '[\\Qhttp://192.168.2.131/dvwa/\\E.*]', 'inScope': 'true', 'authenticationDetectionMethodId': '0', 'loggedOutPattern': '', 'postParameterParserConfig': {'kvps': '&', 'kvs': '=', 'struct': []}, 'name': '2019-04-17 16:43:04.283145', 'urlParameterParserConfig': {'kvps': '&', 'kvs': '=', 'struct': []}, 'id': '10', 'authType': 'Manual Authentication', 'postParameterParserClass': 'org.zaproxy.zap.model.StandardParameterParser'}

Does anyone know how to solve this?

Thanks,
Chiel

Patrick Dwyer

Apr 18, 2019, 2:18:34 AM
to OWASP ZAP User Group
Without seeing your code I can't be sure. But I think this is just because \ is an escape character in Python strings.

So python output of

Is equivalent to this

A good way to test would be to run something like this
c = zap.context.context(contextname)
print(c['includeRegexs'])

That should output the expected value.

Patrick Dwyer

Apr 18, 2019, 2:21:40 AM
to OWASP ZAP User Group
^ that of course doesn't help you with why it isn't working as expected though.


Chiel Sprangers

Apr 18, 2019, 3:23:33 AM
to OWASP ZAP User Group

Yes, you are right, the last bit of code does print the expected value. In the attachments I have added my code, and below is the output of those scripts.

code:

c = self.zap.context.context(self.contextname)
print(c['includeRegexs'])

output:

code:

print(self.zap.context.context(self.contextname))


output:

{'excludeRegexs': [], 'loggedInPattern': '', 'urlParameterParserClass':'org.zaproxy.zap.model.StandardParameterParser', 'description': '', 'includeRegexs':'[\\Qhttp://192.168.2.131/dvwa/\\E.*]', 'inScope': 'true', 'authenticationDetectionMethodId': '0','loggedOutPattern': '', 'postParameterParserConfig': {'kvps': '&', 'kvs': '=', 'struct': []}, 'name': '2019-04-18 08:54:41.493082', 'urlParameterParserConfig': {'kvps': '&', 'kvs': '=', 'struct': []}, 'id': '4','authType': 'Manual Authentication', 'postParameterParserClass':'org.zaproxy.zap.model.StandardParameterParser'}

 

 

code:

__str__ method of the owaspzap class


output:

ContextName: 2019-04-18 08:54:41.493082, ContextId: 4, UserId: 2, AuthIsSet: True, Key: change-me-1337, Zap:<zapv2.ZAPv2 object at 0x7f4919b66630>, Target: http://192.168.2.131/dvwa/, LoginUrl: http://192.168.2.131/dvwa/login.php, Username: qwer, Password: 1234, AuthMethod: formBasedAuthentication, AuthMethodConfigParams: loginUrl=http://192.168.2.131/dvwa/login.php&loginRequestData=username%3D%7B%25qwer%25%7D%26password%3D%7B%251234%25%7D, ContextRegex: \Qhttp://192.168.2.131/dvwa/\E.*, LoggedInIndicator: Ingelogd!!!, LoggedOutIndicator: Wrong username or password, Credentials: username=qwer&password=1234


So I guess that you are right and I should find a way to escape the escape character.

Greetings,

Chiel

owaspzap.py
testowaspzap.py
loginauthmethod.py

Chiel Sprangers

Apr 18, 2019, 3:36:11 AM
to OWASP ZAP User Group
And I have tried to use a double backslash and that doesn't work either.
This adds the regex with a double backslash to ZAP as well.

code:
contextregex = "\\Qhttp://192.168.2.131/dvwa/\\E.*"
...
print(self.zap.context.context(self.contextname))

output:
{'excludeRegexs': [], 'loggedInPattern': '', 'urlParameterParserClass': 'org.zaproxy.zap.model.StandardParameterParser', 'description': '', 'includeRegexs': '[\\Qhttp://192.168.2.131/dvwa/\\E.*]', 'inScope': 'true', 'authenticationDetectionMethodId': '0', 'loggedOutPattern': '', 'postParameterParserConfig': {'kvps': '&', 'kvs': '=', 'struct': []}, 'name': '2019-04-18 08:54:41.493082', 'urlParameterParserConfig': {'kvps': '&', 'kvs': '=', 'struct': []}, 'id': '4', 'authType': 'Manual Authentication', 'postParameterParserClass': 'org.zaproxy.zap.model.StandardParameterParser'}



Chiel Sprangers

Apr 18, 2019, 4:53:10 AM
to OWASP ZAP User Group
Quick update

If all you want to do is spider the url, I have found a way to bypass this error.
Unfortunately it's a method the devil would frown upon. Basically what you do is use .* as the regex so it accepts any input and scans everything it finds.

thc...@gmail.com

Apr 18, 2019, 5:20:12 AM
to zaprox...@googlegroups.com
Hi.

There's no extra backslash being added to the regex set through the
Python API, the context shows two backslashes because the backslash has
special meaning in the JSON string (thus it's being escaped).

Best regards.
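
The point made in the reply above, as an added example that is not part of the original thread or of ZAP's own code: the same one-backslash regex shown as a Python repr, as JSON text, and after decoding, plus a local check of which URLs it puts in scope. The helper names (`views`, `java_quote_to_python`, `in_scope`), the JSON shape and the full-match semantics are assumptions made for illustration.

```python
import json
import re

# Constructed sample: the include regex as ZAP holds it, with ONE backslash
# before Q and E (same text as the ContextRegex value quoted in the thread).
CONTEXT_REGEX = r"\Qhttp://192.168.2.131/dvwa/\E.*"


def views(regex):
    """Return the regex as Python repr, as JSON text, and JSON-decoded."""
    as_json = json.dumps({"includeRegexs": [regex]})  # constructed stand-in shape
    return {
        "repr": repr(regex),   # what printing the whole dict shows
        "json": as_json,       # what a JSON API response carries
        "decoded": json.loads(as_json)["includeRegexs"][0],
    }


def java_quote_to_python(regex):
    """Rewrite Java \\Q...\\E literal sections with re.escape().

    Python's re has no \\Q...\\E, so this hypothetical helper lets the same
    scope pattern be checked locally, outside ZAP.
    """
    out, i, n = [], 0, len(regex)
    while i < n:
        if regex.startswith(r"\Q", i):
            end = regex.find(r"\E", i + 2)
            end = n if end == -1 else end      # unterminated \Q runs to the end
            out.append(re.escape(regex[i + 2:end]))
            i = end + 2
        elif regex[i] == "\\" and i + 1 < n:
            out.append(regex[i:i + 2])         # keep other escapes intact
            i += 2
        else:
            out.append(regex[i])
            i += 1
    return "".join(out)


def in_scope(url, regex=CONTEXT_REGEX):
    """True when the whole URL matches (full match is assumed here)."""
    return re.fullmatch(java_quote_to_python(regex), url) is not None


if __name__ == "__main__":
    for name, text in views(CONTEXT_REGEX).items():
        print(f"{name:8}{text}")
    print(in_scope("http://192.168.2.131/dvwa/login.php"))
```

The `repr` and `json` views each show four backslashes while the decoded string has two, which is why printing the whole context looks different from printing `c['includeRegexs']`.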

Chiel Sprangers

Apr 18, 2019, 7:09:20 AM
to OWASP ZAP User Group
Ow thanks it works now!