Not able to enable HttpSender script while using zap api python client and zap docker image


Niladri Bihari Sahu

Sep 12, 2018, 5:14:16 AM
to OWASP ZAP User Group
Hi,

I am trying to test my APIs using the OpenAPI JSON file, and I am using the Python client for that.

Steps:
1. Pulled the ZAP weekly docker image.
2. Ran the below command using zap-api-scan.py:
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t https://<my url for the json file of the APIs> -O <HostName to override> -f openapi -D 20 -r TestReport.html -d

My Requirements:

1. I need to create an API authorization key before sending every HTTP request, as the expiry of the API token is 40 secs.
2. I need to create a hash of the request body for POST requests.
3. To create the token I need the request path and the hash of the request body, and I need to add the token and hash to the header of every request.

Can you please let me know the steps to create an HTTP sender script for this and how I can enable it from zap-api-scan.py? It would be great if you can let me know how to write a script for that.

kingthorin+owaspzap

Sep 12, 2018, 8:15:17 AM
to OWASP ZAP User Group
Start by getting it working in the GUI, that'll make your life easier.

Go to the Scripts tab and create a new script.

Niladri Bihari Sahu

Sep 12, 2018, 8:22:41 AM
to OWASP ZAP User Group
I have already done that. I need to do that for the docker image and need to enable it from zap-api-scan.py, as I need to automate it.

kingthorin+owaspzap

Sep 12, 2018, 12:31:25 PM
to OWASP ZAP User Group
Ok, so when you say "not able to enable HttpSender script", what have you tried? What isn't working? Are you getting an error?

Details help us help you :)

Niladri Bihari Sahu

Sep 12, 2018, 12:58:20 PM
to OWASP ZAP User Group
In zap-api-scan.py, first copying to docker and then loading and enabling the script, similar to enabling the script Alert_on_HTTP_Response_Code_Errors.js:
cp_to_docker
zap.script.load
zap.script.enable

kingthorin+owaspzap

Sep 12, 2018, 1:46:24 PM
to OWASP ZAP User Group
It's still unclear what the issue is.

From a directory that's readable by your docker components just call the script.load endpoint.

Maybe one of these write-ups will help you:

Niladri Bihari Sahu

Sep 12, 2018, 1:56:25 PM
to OWASP ZAP User Group
If you can, check in zap-api-scan.py how they are enabling the script mentioned in the previous reply. But that script is already present in the docker image, and I don't know how to enable a custom script.

kingthorin+owaspzap

Sep 12, 2018, 2:20:20 PM
to OWASP ZAP User Group
Per your earlier post you're mounting `pwd` and /zap/wrk/ as read/write ($(pwd):/zap/wrk/:rw), load your scripts from there...

Niladri Bihari Sahu

Sep 12, 2018, 2:26:54 PM
to OWASP ZAP User Group
How can I keep the script in that directory in the first place? Also, can you please let me know the complete line of code to load the script? That directory is getting created when I run the docker image.

kingthorin+owaspzap

Sep 12, 2018, 8:43:51 PM
to OWASP ZAP User Group
You have two options (as I see it).

1) Customize the python script outside of the docker container and use it to control ZAP (in the container) via the API.
2) Customize the docker image to include everything you want.
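
Added example, not part of the thread and not code from the ZAP project: a sketch of option 1 combined with the `$(pwd):/zap/wrk/:rw` mount mentioned above, using the `script.load` and `script.enable` calls of the ZAP Python client. The file name `add_auth_headers.js`, the engine name `Oracle Nashorn` and the API address `127.0.0.1:8080` are assumptions; adjust them to your setup.

```python
import posixpath

WRK_DIR = "/zap/wrk"  # container side of `-v $(pwd):/zap/wrk/:rw`


def load_httpsender(zap, filename, engine="Oracle Nashorn"):
    """Load and enable an HttpSender script placed in the host's $(pwd).

    `zap` is a zapv2.ZAPv2 client. `filename` is relative to the mounted
    directory. The default engine name is an assumption for this example.
    """
    # ZAP opens the file itself, so the path must be the one seen inside
    # the container, and it must stay within the mounted directory.
    path = posixpath.normpath(posixpath.join(WRK_DIR, filename))
    if not path.startswith(WRK_DIR + "/"):
        raise ValueError("script must live under " + WRK_DIR)
    name = posixpath.basename(path)

    result = zap.script.load(name, "httpsender", engine, path)
    if result != "OK":
        raise RuntimeError("script.load failed: %r" % (result,))
    result = zap.script.enable(name)
    if result != "OK":
        raise RuntimeError("script.enable failed: %r" % (result,))

    # Confirm ZAP lists the script as enabled and not in an error state.
    for script in zap.script.list_scripts:
        if script.get("name") == name:
            if script.get("enabled") != "true" or script.get("error") == "true":
                raise RuntimeError("script not active: %r" % (script,))
            return script
    raise RuntimeError("script %s missing from list_scripts" % name)


if __name__ == "__main__":
    # Requires the ZAP Python client and a ZAP container whose API port
    # is reachable at the address below (assumed for this example).
    from zapv2 import ZAPv2
    client = ZAPv2(proxies={"http": "http://127.0.0.1:8080",
                            "https": "http://127.0.0.1:8080"})
    print(load_httpsender(client, "add_auth_headers.js"))
```

The script file only has to exist in the host directory that is mounted; inside the container it is then visible as `/zap/wrk/add_auth_headers.js`, which is the path ZAP is given.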

Dash

Apr 18, 2019, 12:12:55 PM
to OWASP ZAP User Group
Hi, 

Were you able to get this problem sorted out? I also need a custom httpsender script to work within a docker container without any customizations done to the image.

If you were able to get your issue resolved, can you please share your solution & any associated scripts?

Warm regards,
D