The issue: Graal.js JavaScript engine cannot access/load the ZAP class


K

Nov 11, 2022, 3:13:46 AM
to OWASP ZAP User Group
Hello,
I used this script (https://github.com/zaproxy/zaproxy/issues/6017 ) to modify the WebSockets and everything worked fine.
var ExtensionWebSocket = Java.type("org.zaproxy.zap.extension.websocket.ExtensionWebSocket")
var WebSocketMessage = Java.type("org.zaproxy.zap.extension.websocket.WebSocketMessage")
var WebSocketMessageDTO = Java.type("org.zaproxy.zap.extension.websocket.WebSocketMessageDTO")
var Initiator = Java.type("org.zaproxy.zap.extension.websocket.WebSocketProxy$Initiator")
var Control = Java.type("org.parosproxy.paros.control.Control")
var JavaInt = Java.type("int")

// getWebSocketProxy is looked up via reflection and made accessible before use.
var getWebSocketProxy = ExtensionWebSocket.class.getDeclaredMethod("getWebSocketProxy", JavaInt.class)
getWebSocketProxy.setAccessible(true)
var ext = Control.getSingleton().getExtensionLoader().getExtension(ExtensionWebSocket.class);

function onMessageFrame(msg, helper){
   // Only act on outgoing frames that pass through the proxy.
   if (helper.getInitiator() != Initiator.PROXY || msg.getDirection() != "OUTGOING") {
      return;
   }

   // Build a new text frame and send it on the same channel.
   var customMsg = new WebSocketMessageDTO()
   customMsg.setOutgoing(true)
   customMsg.opcode = WebSocketMessage.OPCODE_TEXT
   customMsg.payload = "Custom Message"
   var proxy = getWebSocketProxy.invoke(ext, helper.getChannelId())
   proxy.sendAndNotify(customMsg, Initiator.MANUAL_REQUEST)
}



But after updating ZAP to 2.12 and Java, I started to get errors:
org.graalvm.polyglot.PolyglotException: TypeError: Access to host class org.zaproxy.zap.extension.websocket.ExtensionWebSocket is not allowed or does not exist.

I can still use ZAP's other functionality without any problem, like global vars in scripts:
org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("antCSRF", "xxxxxxx");

I switched back to version 2.11.1, and tried to set up a clear installation, but the issue persists.
My best guess is that the issue is related to the JS script engine (maybe it was different previously) or to Java restrictions. Unfortunately, Google did not help to solve this.

OS: Windows, also tried on Kali
ZAP version: 2.11.1 and 2.12
Java version:
java version "19.0.1" 2022-10-18
Java(TM) SE Runtime Environment (build 19.0.1+10-21)
Java HotSpot(TM) 64-Bit Server VM (build 19.0.1+10-21, mixed mode, sharing)
JS Engine: Graal.js

thc...@gmail.com

Nov 11, 2022, 3:24:46 AM
to zaprox...@googlegroups.com
Hi.

That's related to the Java update, better use Java 11 which still
includes the Nashorn JavaScript engine (which does not have that issue).

Best regards.

K

Nov 11, 2022, 9:27:07 AM
to OWASP ZAP User Group
Thanks.
This solved the issue.
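
A diagnostic for the situation in this thread, as an added example that is not part of the original posts or of ZAP: it reports which host classes the active script engine can load and whether the running Java version still bundles Nashorn, as the reply about Java 11 describes. The function names are hypothetical, and reaching java.lang.System from the script engine is an assumption.

```javascript
// Added example, not from the thread. Function names are hypothetical.

// "19.0.1" -> 19, "11.0.17" -> 11, legacy "1.8.0_351" -> 8, unparsable -> null.
function javaFeatureVersion(version) {
  var m = /^(\d+)(?:\.(\d+))?/.exec(String(version).trim());
  if (!m) { return null; }
  var first = parseInt(m[1], 10);
  // Up to Java 8 the version string was written 1.<feature>.
  return (first === 1 && m[2] !== undefined) ? parseInt(m[2], 10) : first;
}

// Nashorn shipped with the JDK from Java 8 and was removed in Java 15 (JEP 372).
function nashornBundled(version) {
  var feature = javaFeatureVersion(version);
  return feature !== null && feature >= 8 && feature < 15;
}

// Resolve each class name with the supplied loader (a wrapper around
// Java.type) and record the outcome instead of stopping at the first error.
function probeHostClasses(loadType, classNames) {
  return classNames.map(function (name) {
    try {
      loadType(name);
      return { name: name, ok: true, error: null };
    } catch (e) {
      return { name: name, ok: false, error: String((e && e.message) || e) };
    }
  });
}

function hostAccessReport(loadType, classNames, javaVersion) {
  var results = probeHostClasses(loadType, classNames);
  var blocked = results.filter(function (r) { return !r.ok; })
                       .map(function (r) { return r.name; });
  return { javaVersion: javaVersion, nashornBundled: nashornBundled(javaVersion),
           blocked: blocked, results: results };
}

// Only runs inside a JVM script engine (Nashorn or Graal.js), where Java.type exists.
if (typeof Java !== "undefined") {
  var load = function (name) { return Java.type(name); };
  // Assumption: java.lang.System is reachable from the script engine.
  var version = load("java.lang.System").getProperty("java.version");
  print(JSON.stringify(hostAccessReport(load, [
    "org.zaproxy.zap.extension.script.ScriptVars",
    "org.zaproxy.zap.extension.websocket.ExtensionWebSocket"
  ], version), null, 2));
}
```

Run as a standalone script in ZAP, a non-empty "blocked" list together with "nashornBundled": false matches the setup described in the first post.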