Form Handler not working properly in ZAP Docker
85 views
Skip to first unread message
JS Chuah
Apr 10, 2023, 5:18:20 AM4/10/23
to OWASP ZAP User Group
Problem: formhandler defined in options.prop only work for field(0),(1),(2)
Environment: owasp/zap2docker-stable:s2023-04-04
Command: docker run -v $(pwd):/zap/wrk/:rw --user root -t owasp/zap2docker-stable:s2023-04-04 zap-api-scan.py -t ${openApiSpec} -f openapi -d -I -r zap_report_html.html -x zap_report_xml.xml -J zap_report_json.json -z "-configfile /zap/wrk/options.prop" --hook=LogMessagesHook.py
Content of my options.prop:
formhandler.fields.field(0).fieldId=appid
formhandler.fields.field(0).value=haha0
formhandler.fields.field(0).enabled=true
formhandler.fields.field(1).fieldId=createdby
formhandler.fields.field(1).value=haha1
formhandler.fields.field(1).enabled=true
formhandler.fields.field(2).fieldId=createddt
formhandler.fields.field(2).value=haha2
formhandler.fields.field(2).enabled=true
formhandler.fields.field(3).fieldId=updatedby
formhandler.fields.field(3).value=haha3
formhandler.fields.field(3).enabled=true
formhandler.fields.field(4).fieldId=updateddt
formhandler.fields.field(4).value=haha4
formhandler.fields.field(4).enabled=true
formhandler.fields.field(5).fieldId=version
formhandler.fields.field(5).value=haha5
formhandler.fields.field(5).enabled=true
Observation: in req-resp-log.txt log, field(0), (1), (2) are replaced with correct value, but other fields are
"updatedBy":"John Doe"
"updatedDt":"1970-01-01T00:00:00.001Z"
"version":10
Environment: owasp/zap2docker-stable:s2023-04-04
Command: docker run -v $(pwd):/zap/wrk/:rw --user root -t owasp/zap2docker-stable:s2023-04-04 zap-api-scan.py -t ${openApiSpec} -f openapi -d -I -r zap_report_html.html -x zap_report_xml.xml -J zap_report_json.json -z "-configfile /zap/wrk/options.prop" --hook=LogMessagesHook.py
Content of my options.prop:
formhandler.fields.field(0).fieldId=appid
formhandler.fields.field(0).value=haha0
formhandler.fields.field(0).enabled=true
formhandler.fields.field(1).fieldId=createdby
formhandler.fields.field(1).value=haha1
formhandler.fields.field(1).enabled=true
formhandler.fields.field(2).fieldId=createddt
formhandler.fields.field(2).value=haha2
formhandler.fields.field(2).enabled=true
formhandler.fields.field(3).fieldId=updatedby
formhandler.fields.field(3).value=haha3
formhandler.fields.field(3).enabled=true
formhandler.fields.field(4).fieldId=updateddt
formhandler.fields.field(4).value=haha4
formhandler.fields.field(4).enabled=true
formhandler.fields.field(5).fieldId=version
formhandler.fields.field(5).value=haha5
formhandler.fields.field(5).enabled=true
Observation: in req-resp-log.txt log, field(0), (1), (2) are replaced with correct value, but other fields are
"updatedBy":"John Doe"
"updatedDt":"1970-01-01T00:00:00.001Z"
"version":10
JS Chuah
Apr 10, 2023, 5:57:42 AM4/10/23
to OWASP ZAP User Group
Also I found that even for field(0),(1),(2)
If I enter empty value, eg:
formhandler.fields.field(0).value=
The value will be "John Doe"
thc...@gmail.com
Apr 10, 2023, 10:10:13 AM4/10/23
to zaprox...@googlegroups.com
Hi.
Use the latest image (released today) which should no longer have that
issue.
Note that it's better to keep using the same thread instead of creating
a new one when the subject is still the same, we will get to it in time.
Best regards.
Use the latest image (released today) which should no longer have that
issue.
Note that it's better to keep using the same thread instead of creating
a new one when the subject is still the same, we will get to it in time.
Best regards.
thc...@gmail.com
Apr 10, 2023, 10:10:26 AM4/10/23
to zaprox...@googlegroups.com
I'd have to check it to confirm but I guess the OpenAPI add-on is using
the default values when the Form Handler returns an empty value.
Best regards.
the default values when the Form Handler returns an empty value.
Best regards.
Reply all
Reply to author
Forward
0 new messages