HTTP Sender Script - Output To JSON?

[sonawan...@gmail.com]

Hello

how can we save the responses of function responseReceived() to json file

I tried calling requires (const fs = require("fs");) but script throws error - 

org.graalvm.polyglot.PolyglotException: ReferenceError: "require" is not definedorg.graalvm.polyglot.PolyglotException: ReferenceError: "require" is not defined

org.graalvm.polyglot.PolyglotException: TypeError: undefined has no such function "getGlobalVar"org.graalvm.polyglot.PolyglotException: TypeError: undefined has no such function "getGlobalVar"

Requirement - 

I am using below string in function responseReceived () - its working perfect in script console - now i want to save this into separate json file

function responseReceived(msg, initiator, helper) {
    var HTTPStatus_code = msg.getResponseHeader().getStatusCode()

print(msg.getRequestHeader().getURI().toString() + " (Status = " + HTTPStatus_code + ")");

}

[kingthorin+owaspzap]

There's an example here: https://github.com/zaproxy/community-scripts/blob/main/httpsender/LogMessages.js

[sonawan...@gmail.com]

Hello KingThorin

Thanks for help

I am sharing my code, just in case if anyone needs it

-----------------------------------------------------------------------------------------------------------

Code - This is part of Custom HTTP Sender Script which adds custom headers to each request and then captures the response received

Purpose - sometime we need collection of all urls along with HTTP status Codes

var Quotes = '"';
var newline = '\n'

var Files = Java.type('java.nio.file.Files');
var Paths = Java.type('java.nio.file.Paths');
var StandardOpenOption = Java.type('java.nio.file.StandardOpenOption');

// Change this as required - this works well in Docker as long as a suitable local directory has been mapped to it
var f = Paths.get('C:/test/req-resp-log.json');

function appendToFile(str) {
    Files.write(f, str.toString().getBytes(), StandardOpenOption.CREATE, StandardOpenOption.APPEND);
}

function responseReceived(msg, initiator, helper) {
    // Debugging can be done using println like this
    var HTTPStatus_code = msg.getResponseHeader().getStatusCode()
    var response_url = msg.getRequestHeader().getURI().toString()
    if (HTTPStatus_code != 200) {
        if (HTTPStatus_code == 400) {
            print(response_url + " (Status = " + HTTPStatus_code + ")");
             write_file(response_url, HTTPStatus_code);
        }
        if (HTTPStatus_code == 401 || HTTPStatus_code == 403) {
            print(response_url + " (Status = " + HTTPStatus_code + ")");
            write_file(response_url, HTTPStatus_code);
        }
        if (HTTPStatus_code == 301 || HTTPStatus_code == 302 || HTTPStatus_code == 303 || HTTPStatus_code == 307 || HTTPStatus_code == 308) {
            print(response_url + " (Status = " + HTTPStatus_code + ")");
             write_file(response_url, HTTPStatus_code);
        }
    }
}

function write_file(response_url, HTTPStatus_code) {
        appendToFile("[{\n" +
        Quotes + "url" + Quotes + ":" + Quotes + response_url + Quotes + ",\n" +
        Quotes + "code" + Quotes + ":" + Quotes + HTTPStatus_code + Quotes
        + "\n}]"
        );

}

sample output - 

JSON file - 

[{
"url":"https://xyz.com",
"code":"200"
}][{
"url":"https://xyz.com/abcd",
"code":"401"
}][{
"url":"https://xyz.com/abcd.php",
"code":"400"
}][{
"url":"https://xyz.com/pqrs?avcd2",
"code":"400"
}]

Pending -

replace string "][" with "," to make it valid json - which you can do using in another function or outside in separate operation

[sonawan...@gmail.com]

Further Modified version  -- jython HTTPSender Script

---------------------------------------------------------------------------------------------------------------------------------

import org.zaproxy.zap.extension.script.ScriptVars as ScriptVars

import json

def sendingRequest(msg, initiator, helper):

    token = ScriptVars.getGlobalVar("bearer-token")

    if(token):

        print("Bearer Token = ", str(token[0:10] + "--------"))

        msg.getRequestHeader().setHeader('Authorization', 'Bearer ' + token)

    return msg

def responseReceived(msg, initiator, helper):

    response_url = msg.getRequestHeader().getURI().toString()

    Method = msg.getRequestHeader().getMethod()

    HTTPStatus_code = msg.getResponseHeader().getStatusCode()

    write_file(initiator, response_url, Method, HTTPStatus_code)

# Function To Write Responses To A JSON File

def write_file(initiator, response_url, Method, HTTPStatus_code):

    if(initiator == 1):

        initiator = "PROXY_SCANNNER"

    if(initiator == 2):

        initiator = "ACTIVE_SCANNER"

    if(initiator == 3):

        initiator = "SPIDER_SCANNNER"

    if(initiator == 4):

        initiator = "FUZZER_SCANNNER"

    if(initiator == 5):

        initiator = "AUTHENTICATION_SCANNNER"

    if(initiator == 6):

        initiator = "MANUAL_REQUEST_SCANNNER"

    if(initiator == 7):

        initiator = "CHECK_FOR_UPDATES_SCANNNER"

    if(initiator == 8):

        initiator = "BEAN_SHELL_SCANNNER"

    if(initiator == 9):

        initiator = "ACCESS_CONTROL_SCANNNER"

    if(initiator == 10):

        initiator = "AJAX_SPIDER_SCANNNER"

    # writting report to file

    issue_json_file = r"/scripts/req-resp-log.json"

    print("--------------------------------------------------------------------------------")

    print( Method + " = "  + initiator + " | " + response_url + " | " + str(HTTPStatus_code))

    print("--------------------------------------------------------------------------------")

   

    with open(issue_json_file, "a+") as f:

        json.dump({"Scanner": initiator, "Method": Method, "response_url": response_url,

                    "HTTPStatus_code": HTTPStatus_code}, f, indent=4, separators =(". ", " = "))

[Priyam Pratap Singh (Devil)]

Hey there all,
Where and How do I run this script, can anyone please explain? I'm new to ZAP.

[thc...@gmail.com]

It really depends how are you running ZAP, but for getting yourself
familiar with ZAP it might be easier to start with the desktop:
https://www.zaproxy.org/docs/desktop/addons/script-console/

In the Scripts tab you can create/add the scripts, in this case it would
be an HTTP Sender.
https://www.zaproxy.org/docs/desktop/addons/script-console/tree/

Best regards.

On 15/03/2024 05:25, Priyam Pratap Singh (Devil) wrote:
> Hey there all,
> Where and How do I run this script, can anyone please explain? I'm new to
> ZAP.
> On Friday, September 9, 2022 at 5:51:55 PM UTC+5:30 sonawan...@gmail.com
> wrote:
>

>> *Further Modified version -- jython HTTPSender Script*

>>> *Code* - This is part of Custom HTTP Sender Script which adds custom

>>> headers to each request and then captures the response received
>>>

>>> *Purpose *- sometime we need collection of all urls along with HTTP

>>> status Codes
>>>
>>> var Quotes = '"';
>>> var newline = '\n'
>>>
>>> var Files = Java.type('java.nio.file.Files');
>>> var Paths = Java.type('java.nio.file.Paths');
>>> var StandardOpenOption = Java.type('java.nio.file.StandardOpenOption');
>>>
>>> // Change this as required - this works well in Docker as long as a
>>> suitable local directory has been mapped to it
>>> var f = Paths.get('C:/test/req-resp-log.json');
>>>

>>> *function appendToFile(str)* {
>>> Files.write(f, str.toString().getBytes(), StandardOpenOption.CREATE,
>>> StandardOpenOption.APPEND);
>>> }
>>>
>>>
>>> *function responseReceived(msg, initiator, helper)* {

>>> // Debugging can be done using println like this
>>> var HTTPStatus_code = msg.getResponseHeader().getStatusCode()
>>> var response_url = msg.getRequestHeader().getURI().toString()
>>> if (HTTPStatus_code != 200) {
>>> if (HTTPStatus_code == 400) {
>>> print(response_url + " (Status = " + HTTPStatus_code + ")");
>>> write_file(response_url, HTTPStatus_code);
>>> }
>>> if (HTTPStatus_code == 401 || HTTPStatus_code == 403) {
>>> print(response_url + " (Status = " + HTTPStatus_code + ")");
>>> write_file(response_url, HTTPStatus_code);
>>> }
>>> if (HTTPStatus_code == 301 || HTTPStatus_code == 302 ||
>>> HTTPStatus_code == 303 || HTTPStatus_code == 307 || HTTPStatus_code == 308)
>>> {
>>> print(response_url + " (Status = " + HTTPStatus_code + ")");
>>> write_file(response_url, HTTPStatus_code);
>>> }
>>> }
>>> }
>>>

>>> *function write_file(response_url, HTTPStatus_code) *{

>>> appendToFile("[{\n" +
>>> Quotes + "url" + Quotes + ":" + Quotes + response_url + Quotes +
>>> ",\n" +
>>> Quotes + "code" + Quotes + ":" + Quotes + HTTPStatus_code + Quotes
>>> + "\n}]"
>>> );
>>>
>>> }
>>>
>>>

>>> *sample output - *
>>> *JSON file - *
>>> [{

>>> "url":"https://xyz.com",
>>> "code":"200"
>>> }][{
>>> "url":"https://xyz.com/abcd",
>>> "code":"401"
>>> }][{
>>> "url":"https://xyz.com/abcd.php",
>>> "code":"400"
>>> }][{
>>> "url":"https://xyz.com/pqrs?avcd2",
>>> "code":"400"
>>> }]
>>>
>>>

>>> *Pending -*
>>> *replace string "][" with "," to make it valid json - which you can do
>>> using in another function or outside in separate operation*

>>>
>>> On Saturday, July 30, 2022 at 4:57:54 PM UTC+5:30 kingthorin+owaspzap
>>> wrote:
>>>
>>>> There's an example here:
>>>> https://github.com/zaproxy/community-scripts/blob/main/httpsender/LogMessages.js
>>>>
>>>> On Saturday, July 30, 2022 at 6:26:09 AM UTC-4 sonawan...@gmail.com
>>>> wrote:
>>>>
>>>>> Hello
>>>>>

>>>>> how can we save the responses of *function responseReceived() to json
>>>>> file*
>>>>>
>>>>> I tried calling requires *(*const fs = require("fs");*) but script
>>>>> throws error - *

>>>>> org.graalvm.polyglot.PolyglotException: ReferenceError: "require" is
>>>>> not definedorg.graalvm.polyglot.PolyglotException: ReferenceError:
>>>>> "require" is not defined
>>>>>
>>>>> org.graalvm.polyglot.PolyglotException: TypeError: undefined has no
>>>>> such function "getGlobalVar"org.graalvm.polyglot.PolyglotException:
>>>>> TypeError: undefined has no such function "getGlobalVar"
>>>>>

>>>>> *Requirement - *

>>>>> I am using below string in function responseReceived () - its working
>>>>> perfect in script console - now i want to save this into separate json file
>>>>>

>>>>> *function responseReceived(msg, initiator, helper)* {

[Priyam Pratap Singh (Devil)]

Thanks for your response, I've used script job in Automation Framework using a Yaml file.

It ran fine, but didn't produce any results. I'm sharing the config and results here.

Config : 

---
env:
  contexts:
  - name: "defaultcontext"
    urls:
      - "https://example.com/"
    includePaths:
    excludePaths: []
    sessionManagement:
      method: "http"
      parameters: {}
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars: {}
jobs:
- parameters:
    action: "add"
    type: "active"
    engine: "ECMAScript : Graal.js"
    name: "test.js"
    file: "/home/kali/Desktop/ZAP_2.14.0/test.js"
  name: "script"
  type: "script"
- parameters:
    action: "run"
    type: "standalone"
    name: "test.js"
  name: "test"
  type: "script"

Output : 

Found Java version 17.0.6
Available memory: 7933 MB
Using JVM args: -Xmx1983m
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
No check for updates for over 3 month - add-ons may well be out of date
Job sessionManagement set method = http
Job sessionManagement set parameters = {}
Job script set action = add
Job script set type = active
Job script set engine = ECMAScript : Graal.js
Job script set name = test.js
Job script set file = /home/kali/Desktop/ZAP_2.14.0/test.js
Job test set action = run
Job test set type = standalone
Job test set name = test.js
Job script started
Job: script Start action: add
Job script finished, time taken: 00:00:00
Job script started
Job: test Start action: run
Job script finished, time taken: 00:00:01
Automation plan succeeded!
...

Please tell me if I did something wrong, or there's a different way to Get all the URLs?

[thc...@gmail.com]

You should add the script as standalone not active.


What type of results are you expecting?

Best regards.