How do I recreate these cURL calls in ZAP?


lawrence...@gmail.com

May 3, 2017, 4:05:27 PM5/3/17
to OWASP ZAP User Group
I don't want to use Zap, but I'm being forced to use it by Salesforce. We have developed a "Managed Package" which we would like to release in the Salesforce App Exchange. The app calls our external API. Salesforce is insisting that we run Zap against the API. But I'm not sure that Zap is the right tool.

Normally I start a session by getting a JWT token: 

curl "https://api.example.com/v1/authtoken?service=salesforce&user=lawr...@example.com&pass=testxxx" -X GET --header 'Accept: application/json' --header 'x-api-key: RSF82tPTTkxq3tfaIyTWXJPKJR9lcdwFKn' 

Which gives me this JWT token: 

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoibGF3cmVuY2VAcHJpdmNvLmNvbSIsInVzZXJfaWQiOjQyMDAwLCJpYXQiOjE0OTM4NDAxNjcsImV4cCI6MTQ5Mzg2ODk2N30.RpqOBA8vWvDIBYS-cSz73O5H8Sslh0bFEOQ

So now I can do a real query for business data: 

curl --verbose -d '{ "revenue_upper_limit" : "1000000000", "revenue_lower_limit" : "1000000000", "emplyee_count_lower_limit" : "200", "employee_count_upper_limit" : "2000", "industry" : "transportation" , "api_pagination" : "4" }' -X POST "https://api.example.com/v1/verbose/" --header "Content-Type: application/json" --header 'Accept: application/json' --header 'x-api-key: RSF82tPTTkxq3tfaIyTWXJPKJR9lcdwFKn' --header 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoibGF3cmVuY2VAcHJpdmNvLmNvbSIsInVzZXJfaWQiOjQyMDAwLCJpYXQiOjE0OTM4NDAxNjcsImV4cCI6MTQ5Mzg2ODk2N30.RpqOBA8vWvDIBYS-cSz73O5H8Sslh0bFEOQ'


How do I recreate this in Zap? Where do I put in all of the HTTP headers, and how do I do POST? 

lawrence...@gmail.com

May 3, 2017, 5:13:06 PM5/3/17
to OWASP ZAP User Group

Maybe this is impossible? Perhaps I can tell Salesforce that this is impossible? 

thc...@gmail.com

May 3, 2017, 6:00:49 PM5/3/17
to zaprox...@googlegroups.com
Hi.

> How do I recreate this in Zap?

Simplest way is to just proxy the cURL requests through ZAP.

> Where do I put in all of the HTTP headers, and how do I do POST?

You can craft HTTP requests with Manual Request Editor. [1]

[1] https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req

Best regards.
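
The "proxy the cURL requests through ZAP" approach from this answer, worked through for the two calls in the question. This is an added example, not code from the thread or from the ZAP project; it assumes ZAP is listening on its default 127.0.0.1:8080 and that ZAP's root CA has been exported (Tools > Options > Dynamic SSL Certificates) to zap_root_ca.cer so curl can verify the intercepted TLS connection instead of disabling verification. The API base, key and credentials are placeholders.

```shell
#!/bin/sh
# Added example: send the question's two cURL calls through a local ZAP
# instance so each request/response is recorded in ZAP's history and
# can then be scanned. All values below are placeholders/assumptions.
ZAP_PROXY="${ZAP_PROXY:-http://127.0.0.1:8080}"   # ZAP default listener
ZAP_CA="${ZAP_CA:-zap_root_ca.cer}"               # exported ZAP root CA (PEM)
API_BASE="${API_BASE:-https://api.example.com/v1}"
API_KEY="${API_KEY:-REPLACE_WITH_API_KEY}"

# zap_curl: prepend the proxy and CA options so the original curl
# invocations need no other change. With DRY_RUN=1 it prints the
# command it would run instead of executing it.
zap_curl() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'curl --proxy %s --cacert %s' "$ZAP_PROXY" "$ZAP_CA"
        for a in "$@"; do printf ' %s' "$a"; done
        printf '\n'
    else
        curl --proxy "$ZAP_PROXY" --cacert "$ZAP_CA" "$@"
    fi
}

# Step 1: the GET that returns the JWT (user and password as arguments).
get_token() {
    zap_curl -s -X GET \
      "$API_BASE/authtoken?service=salesforce&user=$1&pass=$2" \
      -H 'Accept: application/json' -H "x-api-key: $API_KEY"
}

# Step 2: the JSON POST carrying the JWT in the Authorization header.
query_verbose() {
    zap_curl -s -X POST "$API_BASE/verbose/" \
      -H 'Content-Type: application/json' -H 'Accept: application/json' \
      -H "x-api-key: $API_KEY" -H "Authorization: $1" \
      -d '{ "revenue_upper_limit" : "1000000000", "api_pagination" : "4" }'
}

# Only touch the network when explicitly asked to.
if [ "${RUN_AGAINST_API:-0}" = "1" ]; then
    TOKEN=$(get_token "${USER_EMAIL:-user@example.com}" "${USER_PASS:-secret}")
    query_verbose "$TOKEN"
fi
```

Once both calls have passed through ZAP they appear in the Sites tree, where they can be edited and resent (the Manual Request Editor linked above) or selected as the target of a scan.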

Simon Bennetts

May 4, 2017, 3:53:38 AM5/4/17
to OWASP ZAP User Group
Pro tip - it's not a good idea to ask for help on a forum starting with the statement that you don't want to use the tool in question.
It is not likely to endear you to the people who are most likely to be able to answer your questions.

No one is forced to work on ZAP. We develop and support it because we choose to.
We all have other things to do and therefore have to prioritize what we do and who we help.
In this case you got lucky. I would probably have prioritized someone who appeared to be more willing to learn and grow.