Mapping ZAP Plugins to issued http requests


Sam Hakim

Mar 19, 2015, 1:33:02 PM3/19/15
to zaprox...@googlegroups.com
Good Day,

In the Active Scan tab I can see which Plugins were used (SQL Injection, External Redirect, etc) and I can also see a list of http requests that were sent to the web-app.  What is the best way to identify/map which Plugins are responsible for which http requests?

Thanks
ZAP Plugin vs requests.png

Simon Bennetts

Mar 19, 2015, 2:09:05 PM3/19/15
to zaprox...@googlegroups.com
Right now we don't really have this information available, unless the plugins raise associated issues (in which case their ID is in that issue) :(
One option would be to run the plugins one at a time, then you can be sure of where the requests come from (I realise this is not ideal).

I'd have no problem with an option to add a custom header, eg something like X-ZAP-SCAN-ID: 123
But it would have to be defaulted to off, otherwise WAFs would just block all requests containing that header by default and give a false sense of security to their users ;)
And it might well be a non-trivial change :/
If that would be useful then please raise it as an enhancement request https://code.google.com/p/zaproxy/issues/entry :)

Cheers,

Simon
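As an added illustration of the mapping Sam asked for (not code from the thread or from ZAP itself): if scanner requests carried the optional header Simon proposes, a small parser over the captured raw requests could group them by scan ID. The header name `X-ZAP-SCAN-ID`, the sample requests and the ID values are constructed assumptions, not a shipped ZAP feature.

```python
"""Group captured HTTP requests by the scanner plugin that sent them, using
the optional X-ZAP-SCAN-ID header proposed in the thread (an assumption,
not an existing ZAP feature). Sample requests below are constructed."""
from collections import defaultdict

SCAN_ID_HEADER = "x-zap-scan-id"  # compared case-insensitively

# Constructed raw requests, as a proxy history export might contain them.
# The last one has no header, standing in for manual browsing through ZAP.
SAMPLE_REQUESTS = [
    "GET /search?q=test1 HTTP/1.1\r\nHost: app.example\r\nX-ZAP-SCAN-ID: 123\r\n\r\n",
    "GET /go?next=test2 HTTP/1.1\r\nHost: app.example\r\nx-zap-scan-id: 124\r\n\r\n",
    "GET /search?q=test3 HTTP/1.1\r\nHost: app.example\r\nX-ZAP-SCAN-ID: 123\r\n\r\n",
    "GET /about HTTP/1.1\r\nHost: app.example\r\n\r\n",
]


def parse_request(raw: str):
    """Split a raw HTTP request into (request line, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop any body
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                              # tolerate malformed lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def group_by_scan_id(raw_requests):
    """Map each scan ID to the request lines it produced.

    Requests without the header are kept under the key None so that
    user-driven traffic is visible rather than silently dropped.
    """
    groups = defaultdict(list)
    for raw in raw_requests:
        request_line, headers = parse_request(raw)
        groups[headers.get(SCAN_ID_HEADER)].append(request_line)
    return dict(groups)


if __name__ == "__main__":
    for scan_id, lines in group_by_scan_id(SAMPLE_REQUESTS).items():
        print(scan_id or "(no scan id)", len(lines), "request(s)")
```

Because the header is only meaningful when the scanner adds it, the `None` bucket also shows how much of the traffic the mapping cannot attribute.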

Sam Hakim

Mar 19, 2015, 2:26:14 PM3/19/15
to zaprox...@googlegroups.com
Thanks for the response.  I was looking into ways to visualize how ZAP attacks web-apps using something like logstalgia[1], but instead of ip-addresses on the left, we would see ZAP plugins.  This would allow one to see in action which plugins are responsible for which http requests.

Simon Bennetts

Mar 20, 2015, 8:40:12 AM3/20/15
to zaprox...@googlegroups.com
That looks neat.
And I've just thought of a way we could inject a header in a consistent way without huge changes :)

Raised as https://code.google.com/p/zaproxy/issues/detail?id=1573

Anyone interested in implementing it?

Colm O'Flaherty

Mar 20, 2015, 9:26:44 AM3/20/15
to zaprox...@googlegroups.com
What about msg.setNote? Last time I checked, this existed, but I stopped using it in active scanners because there was no place to view it. This approach would have the advantage of not being sent to the web server or WAF, so there would be nothing extra to detect, and no requirement to turn it on or off.

Simon Bennetts

Mar 20, 2015, 10:41:35 AM3/20/15
to zaprox...@googlegroups.com
Notes are shown as a 'note' icon in the History 'Note' column, and accessed via the 'right click' "Note..." option ;)
These are really intended to be for user defined notes, so I'm not sure I'd really want them to be used via code as you might end up with every url having a note, swamping the users ones.
Another option would be tags, eg of the form ZAPID=123
I suspect this isn't something that many people would use, so I still think the optional header could be the best option.
But I'm happy to accept the majority view :)