How do we pass a variable from a Zest Script to another script (JS for example)?


Cuneyt Karul

May 5, 2017, 12:27:13 PM
to OWASP ZAP User Group
I am trying to achieve the following:

* I have a main Zest script that dynamically manages tokens
* When the tokens are refreshed I would like to call a separate (standalone) JavaScript to save this token as a global variable, i.e.
    org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.token", token);
* The caller Zest Action - Script UI allows me to pass the required parameters Token and the Value, which works fine when I hardcode the token value.

I however need to pass the value of a variable in the parameter screen, as the token naturally changes with time and is not static.

I tried the variable format which works within a Zest script

Name: token   Value: {{val}}

but the {{val}} is not replaced with the actual value of the variable and passed as is.

So the question is, is it possible to pass the value of a variable to the other script?
And if it is, then what is the correct format to do so?

PS: I am going through all these extra steps just to be able to save a global variable and use it during my scans dynamically. If there is a way to directly save a global variable within a Zest script, it would be great if someone posted here how.   

Thanks

Cuneyt

thc...@gmail.com

May 9, 2017, 5:02:26 AM
to zaprox...@googlegroups.com
Hi.

> So the question is, is it possible to pass the value of a variable to the
> other script?

No, the variables are not being replaced before invoking the other
script. Would you mind raising an issue?


> PS: I am going through all these extra steps just to be able to save a
> global variable and use it during my scans dynamically. If there is a way
> to directly save a global variable within a Zest script, it would be great
> if someone posted here how.

Zest scripts do not provide a way to set "global vars", this would be a
specific ZAP feature though, but worth raising an issue anyway.

Best regards.

thc...@gmail.com

May 10, 2017, 5:03:54 AM
to zaprox...@googlegroups.com

Luca Compagna

Dec 13, 2017, 4:37:47 AM
to OWASP ZAP User Group
Can you please share how the invoked js script (called) can read the parameters that are passed by the ZEST script (caller)? 

thanks,
luca

thc...@gmail.com

Dec 13, 2017, 5:44:57 AM
to zaprox...@googlegroups.com
Sure, the JS script just needs to use the variables as usual. A full
example follows, for the record.

Given a JS script called "set_global_var.js" that sets a global variable:
    ScriptVars.setGlobalVar(name, value)

(ScriptVars package omitted for brevity.)

The Zest script then passes the "name" and "value" as parameters when
invoking the script, e.g.:
{
  "title": "ZestScript",
  "type": "StandAlone",
  "parameters": {
    "tokenStart": "{{",
    "tokenEnd": "}}",
    "tokens": {},
    "elementType": "ZestVariables"
  },
  "statements": [
    {
      "string": "NameGlobalVar",
      "variableName": "myZestVar",
      "index": 1,
      "enabled": true,
      "elementType": "ZestAssignString"
    },
    {
      "string": "ValueGlobalVar",
      "variableName": "myZestValue",
      "index": 2,
      "enabled": true,
      "elementType": "ZestAssignString"
    },
    {
      "variableName": "",
      "script": "/path/to/set_global_var.js",
      "parameters": [
        [
          "name",
          "{{myZestVar}}"
        ],
        [
          "value",
          "{{myZestValue}}"
        ]
      ],
      "index": 3,
      "enabled": true,
      "elementType": "ZestActionInvoke"
    }
  ],
  "authentication": [],
  "index": 0,
  "enabled": true,
  "elementType": "ZestScript"
}


(Note that the above script path needs to be adjusted.)

Best regards.

On 13/12/17 09:37, Luca Compagna wrote:
> Can you please share how the invoked js script (called) can read the
> parameters that are passed by the ZEST script (caller)?
>
> thanks,
> luca
>
> On Wednesday, May 10, 2017 at 11:03:54 AM UTC+2, thc202 wrote:
>>
>> Issues have been raised:
>> https://github.com/zaproxy/zaproxy/issues/3511
>> https://github.com/zaproxy/zaproxy/issues/3512
>>
>> Best regards.
>>

Luca Compagna

Dec 13, 2017, 7:35:45 AM
to OWASP ZAP User Group
got it, thanks. The missing part for me was the fact that the parameters "name" and "value" provided by the ZEST script are directly visible for the called JS script. So the simple JS script that follows just makes it.

// name and value are passed by the caller script
var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
if (name != null) {
    ScriptVars.setGlobalVar(name, value != null ? value : "");
}

cheers,
luca
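
The consuming side of the flow discussed in this thread, as an added example that is not from any of the posters or from the ZAP project: an HTTP Sender script that reads the global variable stored by the script above and applies it to outgoing requests. The "Authorization: Bearer" header and the in-memory stand-in used outside ZAP are assumptions; "var.token" is the key from the first post.

```javascript
// Added example: ZAP HTTP Sender script that reads the global variable set
// by the scripts above. Header name and "Bearer " prefix are assumptions.
var TOKEN_KEY = "var.token"; // key used in the first post of this thread

// Inside ZAP, Java.type resolves the real class. Outside ZAP (e.g. Node) an
// in-memory stand-in with the same two methods lets the logic be exercised.
var ScriptVars = (typeof Java !== "undefined")
  ? Java.type("org.zaproxy.zap.extension.script.ScriptVars")
  : (function () {
      var store = {};
      return {
        setGlobalVar: function (k, v) { store[k] = v; },
        getGlobalVar: function (k) { return k in store ? store[k] : null; }
      };
    })();

// Returns the header value to send, or null when no usable token is stored.
function buildAuthHeader(token) {
  if (token === null || token === undefined) return null;
  var t = String(token).trim();
  // Refuse empty values and anything containing control characters, so a
  // malformed token can never split or corrupt the request header.
  if (t.length === 0 || /[\x00-\x1f\x7f]/.test(t)) return null;
  return "Bearer " + t;
}

// Called by ZAP before each request is sent.
function sendingRequest(msg, initiator, helper) {
  var value = buildAuthHeader(ScriptVars.getGlobalVar(TOKEN_KEY));
  if (value !== null) {
    // Only touch the request when a valid token is available.
    msg.getRequestHeader().setHeader("Authorization", value);
  }
}

// Required by the HTTP Sender script interface; nothing to do on responses.
function responseReceived(msg, initiator, helper) {}
```

Because the token is looked up on every request, a refresh performed by the Zest script takes effect on the next request without restarting the scan.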

SimsHere

Jan 25, 2019, 1:09:10 AM
to OWASP ZAP User Group
Hi All,

My case is very similar, except that I need to set the global variables in a python extender script and access it in python HTTPSender script. Is there a way?

Thanks,
Kamal