How to change API request Order(based on HTTP Method/API Endpoint) from the ZAP Tree


mats...@gmail.com

Dec 29, 2025, 10:41:22 AM12/29/25
to ZAP User Group
Hi Simon,
   Is there any way I can change the order in which the API requests from the ZAP Tree are sent, whether they were imported via a spec or learned via the browser proxy?
   Below is the order in which the endpoint with different HTTP methods is loaded in the ZAP Tree:
   (attachment: ZAP_Tree.jpg)
I want the requests to be sent in this order with respect to HTTP method: GET -> POST -> PUT, but based on the Tree they are now being sent as PUT -> POST -> GET. Is there any way we can change the order based on HTTP method in the ZAP Tree?

I also want to send API requests based on different endpoints. Is there any way we can change the order of sending API requests based on API endpoints in the ZAP Tree?
Thanks
Srikanth

thc202

Dec 29, 2025, 10:43:58 AM12/29/25
to zaprox...@googlegroups.com
Hi,

The Sequence Scanner add-on is meant for that:
https://www.zaproxy.org/docs/desktop/addons/sequence-scanner/

Best regards.

mats...@gmail.com

Dec 30, 2025, 2:52:27 AM12/30/25
to ZAP User Group
I tried the following, referring to the above link:
a) Simulated a flow (GET, POST, PUT and DELETE) and captured the HAR file from the browser, with cookies.
b) Using the "Import HAR as Sequence" option in the UI, imported the HAR file, which worked fine.
c) Ran the imported flow (GET, POST, PUT and DELETE) again via ZAP. ZAP sends the requests but with an empty Cookie (cookie values set to None), as opposed to what was captured in the HAR, resulting in a 401 Unauthorized error.
Any reason why ZAP is not sending the cookie details properly? If that is expected, do we have any workaround to fix this?

Thanks
Srikanth

thc202

Jan 5, 2026, 3:02:24 AMJan 5
to zaprox...@googlegroups.com
Options > Scripts > Engine > Zest, there uncheck the Cookie header.

That's done by default because you usually would do an authenticated
scan (which would add the necessary session tokens/headers).

Best regards.

mats...@gmail.com

Jan 5, 2026, 8:15:48 AMJan 5
to ZAP User Group
This change of options also did not work. It always sends the below values for the Cookie, which results in an authentication failure:
Cookie: avi-sessionid=None; sessionid=None; accesstoken=None; refreshtoken=None

Thanks
Srikanth

thc202

Jan 5, 2026, 8:46:32 AMJan 5
to zaprox...@googlegroups.com
ZAP will not add/set None unless the server set that in a response, did
you verify the session is still valid for those cookies?

Best regards.

mats...@gmail.com

Jan 6, 2026, 9:16:12 AMJan 6
to ZAP User Group
Hi,
   Based on your comments above I understand that I also need to capture the login API along with the CRUD APIs, which I have now done. It again results in 401 Unauthorized, because we have to send an X-Csrftoken header with the CSRF token value we receive from the server in a cookie; that header value is fetched from the HAR and so has the old value, resulting in the authorization failure. How do I get the CSRF token coming from the server and replace the X-Csrftoken header in the HAR file with that incoming value?

Thanks
Srikanth

Simon Bennetts

Jan 7, 2026, 10:36:10 AMJan 7
to ZAP User Group
You will need to actually try things out and see what works.
Once you understand exactly what you need to do then you can use ZAP scripting to make it happen.
If you don't know how to do that then explain exactly what you need to do and we can help.

Cheers,

Simon

mats...@gmail.com

Jan 7, 2026, 8:03:58 PMJan 7
to ZAP User Group
Hi Simon,

     Below is my requirement:
        a) From the OpenAPI spec I want to do CRUD operations (POST, PUT, PATCH, GET, DELETE) on multiple API endpoints using ZAP, with the correct payload.
        b) Run a) with bad payloads (attacks, incorrect keys etc.).

    To achieve this I tried the following:
        a) Imported the API spec, which imported all the above CRUD operations with payloads in a different order, like PUT -> DELETE -> PATCH -> POST -> GET.
        b) Changed all the operations to the correct payload and ran them.
        c) Since the order was incorrect, the CRUD operations were failing. Ideally the CRUD operation order should be POST -> PUT -> PATCH -> GET -> DELETE.
        d) I realized from the above thread that we cannot change the order of operations in ZAP via the UI directly; the other option recommended was to capture all the CRUD operations via a HAR file from the browser.
        e) I created the HAR file with all the operations in sequence, with cookies and login captured, and imported it in ZAP.
        f) I imported the HAR file and replayed it; it resulted in an authorization failure because for every operation we do, we want the cookie received from the server to be sent, and along with it we add another header, X-Csrftoken, which needs to be filled with the csrftoken we obtain in the cookie. ZAP fails to honor this, which is expected, but how do we make ZAP add the value to the X-Csrftoken header and send it in POST/PUT/PATCH requests?

    My question is how to achieve point f) during the ZAP CRUD operation replay of the HAR file.

Thanks
Srikanth

mats...@gmail.com

Jan 25, 2026, 10:52:35 PMJan 25
to ZAP User Group
Any Thoughts on how to achieve point f) mentioned above?

-Srikanth

Simon Bennetts

Jan 27, 2026, 12:10:55 PMJan 27
to ZAP User Group
Hi Srikanth,

It sounds like you have a couple of problems.

The first one is making sure the requests are made in the correct order.
Importing the HAR file will mean the initial operations are in the right order, but that order will not be maintained when ZAP starts attacking.
This is because ZAP uses the Sites tree in order to prevent too many duplicated requests, and that does not record the order requests are made.
A better option is to define the requests in a Zest file and specify them as sequences https://www.zaproxy.org/docs/desktop/addons/sequence-scanner/
When ZAP attacks sequences it always attacks in the order specified.
You can import the original OpenAPI requests and then add them to a Zest script. You can change the order of the requests in the script in ZAP.

The second problem you have is authentication.
Did you check to see whether the requests were correctly authenticated when you imported the OpenAPI definition?
Where is the csrftoken defined?
You may need to write a custom script to handle it.

Cheers,

Simon

mats...@gmail.com

Jan 28, 2026, 8:06:18 AMJan 28
to ZAP User Group
Hi Simon,
    Below are some observations during the tests:
    - The OpenAPI spec has a lot of API info, and if I convert that to a Zest script the UI hangs because there is too much to load. It's tough to work without the UI.
    - I have a HAR which has the initial login requests followed by a POST request to create a profile; I loaded it as a sequence, which created a script in a Zest file.
         - When I run this Zest script, the initial set of requests results in 200 OK, but later, sending the POST request to create a profile after login fails because there is a header, X-Csrftoken, which needs to be sent with the CSRF value received in Set-Cookie from the responses of the previous request, which ZAP will not know about. How do I make ZAP aware of this?
           Below is an example of the previous response's Set-Cookie and how the next request is supposed to be sent; instead it is being sent with an incorrect X-Csrftoken header.

            1. Response headers of the previous request after successful authentication via the login API:

            Set-Cookie: csrftoken=bf85984867a08447df38b9c4b4ae454e; expires=Wed, 27-Jan-2027 12:49:40 GMT; Max-Age=31449600; Path=/
            Set-Cookie: avi-sessionid=a1ac5ecba2ecc2ce5252badb13c29a9a; expires=Thu, 29-Jan-2026 12:49:40 GMT; HttpOnly; Max-Age=86400; Path=/; SameSite=None; Secure
            Set-Cookie: sessionid=a1ac5ecba2ecc2ce5252badb13c29a9a; expires=Thu, 29-Jan-2026 12:49:40 GMT; HttpOnly; Max-Age=86400; Path=/; SameSite=None; Secure

            2. POST request to create a profile, which is failing because of the following incorrect value in the request headers:
               Cookie: csrftoken=bf85984867a08447df38b9c4b4ae454e; accesstoken=None; refreshtoken=None; avi-sessionid=a1ac5ecba2ecc2ce5252badb13c29a9a; sessionid=a1ac5ecba2ecc2ce5252badb13c29a9a
               X-Csrftoken: 6966b55d7857e43b1ac32d3c6e84075c     --- This value is taken from the HAR file, from the time of the HAR capture

            I want the X-Csrftoken value to be sent as bf85984867a08447df38b9c4b4ae454e instead of the fixed value captured in the HAR file.

Thanks
Srikanth

Simon Bennetts

Jan 30, 2026, 6:09:37 AMJan 30
to ZAP User Group
Hi Srikanth,

You will need to implement an httpsender script - we have various examples here https://github.com/zaproxy/community-scripts/tree/main/httpsender

It will need to check all responses for the csrftoken being set, and when it is store it in a script variable: https://www.zaproxy.org/docs/desktop/addons/script-console/#script-variables
The script should also check for POST requests, and then add the X-Csrftoken cookie with the value you have stored in the variable.

This is not something ZAP can do automatically because it is application specific.

Cheers,

Simon
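The httpsender script Simon describes, written out as an added example (it is not code from this thread, from the zaproxy project or from community-scripts). It stores the csrftoken whenever a response sets that cookie and overwrites the stale X-Csrftoken header from the HAR on state-changing requests. The cookie name and header name come from the thread; the variable key `app.csrftoken` and the method list are choices for this example. The ZAP calls `ScriptVars.setGlobalVar/getGlobalVar`, `getResponseHeader().getHeaderValues("Set-Cookie")`, `getRequestHeader().getMethod()` and `getRequestHeader().setHeader(...)` are used as I understand ZAP's API; check them against your ZAP version. The cookie/header logic is kept in pure helpers so it can be tested outside ZAP.

```javascript
// ZAP httpsender script (JavaScript). Added example: not from this thread and not
// part of the zaproxy project or community-scripts. It implements the two steps
// Simon describes: remember the csrftoken cookie whenever a response sets it,
// and replay it as an X-Csrftoken header on state-changing requests.
//
// ASSUMPTIONS (ZAP API as I understand it; check against your ZAP version):
//   - org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar / getGlobalVar
//   - msg.getResponseHeader().getHeaderValues("Set-Cookie") -> java.util.List
//   - msg.getRequestHeader().getMethod() and .setHeader(name, value)

var CSRF_COOKIE = "csrftoken";      // cookie name seen in the Set-Cookie lines above
var CSRF_HEADER = "X-Csrftoken";    // header the application expects
var VAR_KEY = "app.csrftoken";      // script-variable key (chosen for this example)
var STATE_CHANGING = ["POST", "PUT", "PATCH", "DELETE"];

// Constructed sample input, copied from the Set-Cookie lines quoted in the thread.
var SAMPLE_SET_COOKIE = [
  "csrftoken=bf85984867a08447df38b9c4b4ae454e; expires=Wed, 27-Jan-2027 12:49:40 GMT; Max-Age=31449600; Path=/",
  "avi-sessionid=a1ac5ecba2ecc2ce5252badb13c29a9a; expires=Thu, 29-Jan-2026 12:49:40 GMT; HttpOnly; Max-Age=86400; Path=/; SameSite=None; Secure",
  "sessionid=a1ac5ecba2ecc2ce5252badb13c29a9a; expires=Thu, 29-Jan-2026 12:49:40 GMT; HttpOnly; Max-Age=86400; Path=/; SameSite=None; Secure"
];

// Pure helper: return the csrftoken value from a list of Set-Cookie header
// values, or null if none is present. Only the first "name=value" pair of a
// Set-Cookie is the cookie itself; everything after the first ';' is attributes.
// A literal "None" (the placeholder value seen in the thread) counts as absent.
function extractCsrfToken(setCookieValues) {
  for (var i = 0; i < setCookieValues.length; i++) {
    var pair = String(setCookieValues[i]).split(";")[0].trim();
    var eq = pair.indexOf("=");
    if (eq < 1) continue;
    var name = pair.substring(0, eq).trim();
    var value = pair.substring(eq + 1).trim();
    if (name === CSRF_COOKIE && value !== "" && value !== "None") {
      return value;
    }
  }
  return null;
}

// Pure helper: does this HTTP method need the CSRF header?
function needsCsrfHeader(method) {
  return STATE_CHANGING.indexOf(String(method).toUpperCase()) !== -1;
}

// Pure helper over a plain header object so the decision can be tested outside
// ZAP: set the header only when a token is known and the method is
// state-changing; GET/HEAD/OPTIONS requests are left untouched.
function applyCsrfHeader(method, headers, token) {
  if (token && needsCsrfHeader(method)) {
    headers[CSRF_HEADER] = token;
  }
  return headers;
}

// Java interop is resolved lazily inside the ZAP callbacks, so the pure helpers
// above also load under a plain JavaScript engine.
function scriptVars() {
  return Java.type("org.zaproxy.zap.extension.script.ScriptVars");
}

function javaListToArray(list) {
  var out = [];
  if (list === null || list === undefined) return out;
  for (var i = 0; i < list.size(); i++) out.push(String(list.get(i)));
  return out;
}

// ZAP callback: every response passes through here. Remember the newest
// csrftoken the server issued (the login response in the thread's flow).
function responseReceived(msg, initiator, helper) {
  var setCookies = javaListToArray(msg.getResponseHeader().getHeaderValues("Set-Cookie"));
  var token = extractCsrfToken(setCookies);
  if (token !== null) {
    scriptVars().setGlobalVar(VAR_KEY, token);
  }
}

// ZAP callback: every request passes through here before it is sent. Replace
// the X-Csrftoken captured in the HAR with the live value from the variable.
function sendingRequest(msg, initiator, helper) {
  var token = scriptVars().getGlobalVar(VAR_KEY);
  if (token && needsCsrfHeader(msg.getRequestHeader().getMethod())) {
    msg.getRequestHeader().setHeader(CSRF_HEADER, token);
  }
}
```

Load it in the Scripts tab as an "HTTP Sender" script and enable it; it then runs for every request ZAP sends, including the Zest sequence replay, so the token learned from the login response is applied to the later POST/PUT/PATCH requests. The Cookie header itself is still handled by ZAP's session handling (or by the Zest engine option thc202 mentioned); this script only keeps the X-Csrftoken header in sync with the csrftoken cookie the server last issued.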

mats...@gmail.com

Jan 30, 2026, 10:05:23 PM (14 days ago) Jan 30
to ZAP User Group
Thanks. Will check on this and get back.