Raising an alert in a standalone script


Suren Manukyan

May 27, 2022, 7:07:46 AM
to OWASP ZAP User Group
Is there a possibility of raising alerts in scripts that don't get msgs passed to them?

Not to make this an XY problem, say I have a script that checks a global variable and should raise alerts based on its value. It will most likely go in a standalone script or an active script (outside scan() or scanNode()); how would I do that?

Simon Bennetts

May 27, 2022, 7:16:41 AM
to OWASP ZAP User Group
No.
Alerts by definition have messages associated with them.
You can raise them in standalone scripts, but you would need to associate a message with them - lots of things would break if you didn't do that :/
We actually had this problem with WebSocket alerts - we ended up associating the alert with the WebSocket connection message (if I recall correctly).

I agree that this is not ideal, but so much code assumes that alerts will have messages that changing this would be "challenging" :)

Cheers,

Simon

Suren Manukyan

May 27, 2022, 7:18:39 AM
to OWASP ZAP User Group
Fair enough.

I think I'll work around it by passing around a 'msg' object with globalCustomVars and using that to raise the alert in the meantime.

Thanks for the quick response.
Suren.

Suren Manukyan

May 27, 2022, 7:56:02 AM
to OWASP ZAP User Group
I need some more help with that. This is the script I'm trying to use, more or less; I think I do everything right here, but I get the error below it.
I searched through the sources but couldn't find any newAlert() calls that need an argument in any of ScriptsActiveScanner's parents.


------------Script--------------
from org.zaproxy.zap.extension.script import ScriptVars
from org.zaproxy.zap.extension.ascan import ScriptsActiveScanner as sas

msg = ScriptVars.getGlobalCustomVar("InsecureCookie")

if msg is not None:
    sas.newAlert()\
        .setRisk(0)\
        .setConfidence(1)\
        .setName("TestAlert")\
        .setDescription("alertDescription")\
        .setSolution("alertSolution")\
        .setCweId(4)\
        .setWascId(5)\
        .setParam("1")\
        .setAttack("2")\
        .setEvidence("3")\
        .setMessage(msg)\
        .setUri(msg.getRequestHeader().getURI().toString())\
        .raise()
---------------------------------

---------Error------------------
Traceback (most recent call last):
  File "<script>", line 7, in <module>
TypeError: newAlert(): expected 1 args; got 0

java.lang.reflect.UndeclaredThrowableException
--------------------------------

Simon Bennetts

May 27, 2022, 8:03:33 AM
to OWASP ZAP User Group
That's not going to work - ScriptsActiveScanner is only initialised for active scan scripts :)

You will also need to associate the alert with a real HttpMessage, i.e. one which has request and response data.
I think it will need to be in the History table as well.
In other words, I don't think you'll be able to fake it :/
If you can't find a suitable message to associate with it, then I don't think you're going to be able to do this :(

Cheers,

Simon

Suren Manukyan

May 27, 2022, 8:10:45 AM
to OWASP ZAP User Group
I think I missed an important point there.

The line
msg = ScriptVars.getGlobalCustomVar("InsecureCookie")

gets a real HttpMessage that was set using:
ScriptVars.setGlobalCustomVar("InsecureCookie",msg)

in another, perfectly working passive script (the msg in that case is the msg that gets passed to the scan() function by ZAP). So I think I really do have a valid HttpMessage object passed to the standalone script, with history and whatnot, no?


Suren Manukyan

May 27, 2022, 8:13:16 AM
to OWASP ZAP User Group
Typo: it's not a standalone script, but an active script that just doesn't have the scan() and scanNode() functions.

kingthorin+owaspzap

May 27, 2022, 8:48:34 AM
to OWASP ZAP User Group
Active scan scripts are only invoked by the active scanner. This script will likely fail if the required methods are not present.

Simon Bennetts

May 27, 2022, 8:55:11 AM
to OWASP ZAP User Group
You should be able to get hold of the ExtensionAlert and then use the alertFound method.

Installed Extensions can all be accessed in this way: https://github.com/zaproxy/zaproxy/wiki/InternalHistory

Cheers,

Simon
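Following Simon's pointer, here is an added example (not code from this thread or from the ZAP project) of a ZAP standalone Jython script that raises an alert through ExtensionAlert.alertFound(). It assumes a passive scan script has already stored a real HttpMessage (one that is in the History table) under the global custom variable "InsecureCookie", as in Suren's script; PLUGIN_ID and the alert text are constructed placeholders.

```jython
# Added example: raise a ZAP alert from a standalone Jython script via ExtensionAlert.
# Assumes a passive scan script stored a real HttpMessage with
# ScriptVars.setGlobalCustomVar("InsecureCookie", msg); PLUGIN_ID is a placeholder.
from org.parosproxy.paros.control import Control
from org.parosproxy.paros.core.scanner import Alert
from org.zaproxy.zap.extension.alert import ExtensionAlert
from org.zaproxy.zap.extension.script import ScriptVars

PLUGIN_ID = 100000  # placeholder plugin id for this script's alerts (assumption)


def raise_alert_for(msg):
    """Raise an alert tied to the given HttpMessage; returns True if one was raised."""
    if msg is None or msg.getHistoryRef() is None:
        # Alerts must hang off a message that is in the History table (see Simon's
        # reply), so refuse to raise one against a missing or unsaved message.
        print("No stored message with a history reference; nothing to raise")
        return False

    # Installed extensions are reached through the extension loader.
    ext_alert = Control.getSingleton().getExtensionLoader().getExtension(ExtensionAlert.NAME)
    if ext_alert is None:
        print("ExtensionAlert is not loaded")
        return False

    uri = msg.getRequestHeader().getURI().toString()
    alert = Alert(PLUGIN_ID, Alert.RISK_LOW, Alert.CONFIDENCE_MEDIUM, "Insecure cookie (script)")
    # setDetail(description, uri, param, attack, otherInfo, solution, reference,
    #           evidence, cweId, wascId, msg) associates the alert with the real message.
    alert.setDetail(
        "A cookie flagged earlier by a passive scan script.",
        uri, "", "", "",
        "Set the Secure and HttpOnly flags on the cookie.",
        "", "",
        614,  # CWE-614: sensitive cookie without the Secure attribute
        13,   # WASC-13: information leakage
        msg)
    # alertFound() is the same entry point ZAP's own scanners use; the HistoryReference
    # links the alert to the message in the History tab and the Alerts tree.
    ext_alert.alertFound(alert, msg.getHistoryRef())
    return True


raise_alert_for(ScriptVars.getGlobalCustomVar("InsecureCookie"))
```

Run it from the Scripts tab as a standalone script after the passive script has stored the message; the alert then appears under the stored message's history entry.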

thc...@gmail.com

May 27, 2022, 8:57:05 AM
to zaprox...@googlegroups.com

Suren Manukyan

May 27, 2022, 9:00:41 AM
to OWASP ZAP User Group
Gotcha, I've been digging through the community scripts myself. Thanks a lot.

Suren Manukyan

May 27, 2022, 9:04:34 AM
to OWASP ZAP User Group
In https://www.javadoc.io/static/org.zaproxy/zap/2.11.1/org/parosproxy/paros/core/scanner/Alert.Source.html there's an Alert.Source enum with values named MANUAL and TOOL. I was trying to find which functionality results in those. I guess I should be able to find the rest from now on.