Using OWASP ZAP API with Session Tokens

[Daniel G.]

Hi every body,

I have a very specific question. Here is the mater: I'm trying to do a simple spider and active scan from OWASP API using Java, very similar to the one over here: https://github.com/zaproxy/zaproxy/blob/develop/src/org/zaproxy/clientapi/core/SimpleExample.java

The thing is that when I try to perform the spider attack as it is in the previous example it's off course sucessfull, how ever I need to manually add cookies headers, I've seen a Phyton example which uses the 'httSessions'  from the ClietnApi to do so, how ever it doesn't work for me... or at least not as expected. The issue it's that when I run my Java class which is the one in charge to perform the attack and retrieve the vulnerabilities list it doesn't work since I'm getting a NullPointerException from Server side and the request headers remaing the same even thoug I've set custom Session Token Values (I'm able to see the OWASP proxy outbound request headers and I can see from OWASP server output that indeed tokens are being added), when I run the class for the second time it just simply works from that point on and the cookies headers are present into the http request.

Obviously I'm doing something wrong, but I just can't figure out what it is. 

The steps that I'm following are these:

 1. Create a new ClientApi instanse

 2. Create an "empty session" via 'httpSessions' attribute from the API

 3. Acces the target URL

 4. Setting the session tokens using the method 'setSessionTokenValue' from httpSessions attribute to the recently created session.

 5. Acces the target URL for a second time

 6. Set this new session as "active"

 7. Perform the attack

Can any one help me to figure out what's wrong? I could provide ny other data you may need.

PD: I'm using version 2.4.2

Thanks.