Test HTTP/2 API
317 views
Skip to first unread message
Phil
Feb 3, 2023, 5:26:39 AM2/3/23
to OWASP ZAP User Group
Hello everyone!
I read in this article https://www.zaproxy.org/blog/2022-02-10-new-zap-networking-layer/ that ZAP has implemented the ability to make requests in HTTP/2. I have tried looking for different configurations among the options and downloaded both weekly and stable versions, but I can't find any option that allows me to set the request in HTTP/2.
Specifically what I am looking for is the ability to simulate "curl --http2-prior-knowledge", does this possibility currently exist in ZAP?
I read in this article https://www.zaproxy.org/blog/2022-02-10-new-zap-networking-layer/ that ZAP has implemented the ability to make requests in HTTP/2. I have tried looking for different configurations among the options and downloaded both weekly and stable versions, but I can't find any option that allows me to set the request in HTTP/2.
Specifically what I am looking for is the ability to simulate "curl --http2-prior-knowledge", does this possibility currently exist in ZAP?
Thanks
thc...@gmail.com
Feb 3, 2023, 3:44:41 PM2/3/23
to zaprox...@googlegroups.com
Hi.
There's no option, the user is expected to send/create the messages with
the version they want. (Though if you want to force the client side to
use HTTP/2 you can enable ALPN with HTTP/2 only, for HTTPS at least.)
If you want to force all messages to be sent as HTTP/2 you can use, for
example, the Community Scripts' script:
https://github.com/zaproxy/community-scripts/blob/2274f74feba314a46bc7fc2fe86e1454b14c6da8/httpsender/UpgradeHttp1To2.js
The scan tools (e.g. spider, active scan, fuzzer) will use the version
of the seed/original messages.
Best regards.
There's no option, the user is expected to send/create the messages with
the version they want. (Though if you want to force the client side to
use HTTP/2 you can enable ALPN with HTTP/2 only, for HTTPS at least.)
If you want to force all messages to be sent as HTTP/2 you can use, for
example, the Community Scripts' script:
https://github.com/zaproxy/community-scripts/blob/2274f74feba314a46bc7fc2fe86e1454b14c6da8/httpsender/UpgradeHttp1To2.js
The scan tools (e.g. spider, active scan, fuzzer) will use the version
of the seed/original messages.
Best regards.
Reply all
Reply to author
Forward
0 new messages