Paste from file feature


nnamidc

Jul 25, 2022, 11:18:48 AM
to OWASP ZAP User Group
Dear,

In Burp Repeater you have the possibility to "Paste from File" to modify the request. This is specifically handy when you need to include the exact file content and don't want to risk messing up the content with copy-paste.

Is there a similar feature in ZAP or any workaround to accomplish the same?

If not, is this or could this be something to add in the future?

Many thanks in advance.

Best regards,

Sam

kingthorin+owaspzap

Jul 25, 2022, 4:52:31 PM
to OWASP ZAP User Group
Well you can import requests/responses in various formats. Which you can then fuzz. So, yes, just go ahead and do it.

I mean there isn't a specific button in the specific dialog but there's nothing stopping you from accomplishing functionally the same result.

Simon Bennetts

Jul 26, 2022, 4:36:17 AM
to OWASP ZAP User Group
I can see the benefits of a "Paste from File" option.
Nothing like that is planned yet, but if anyone fancies working on it then just let us know :)

Cheers,

Simon

nnamidc

Jul 26, 2022, 5:11:29 AM
to OWASP ZAP User Group
Many thanks for your reply. Much appreciated.

| Well you can import requests/responses in various formats.

I only see "Import from HAR" to accomplish this. A search on the web and this user group seems to confirm my thought, but please correct me if I'm missing something. Maybe via the API there are more options, but I'm not a developer so did not look at it?

| there's nothing stopping you from accomplishing functionally the same result

You're right, but it seems a big effort to accomplish something simple (modifying an HTTP POST request body containing content you cannot just copy-paste, e.g. a png file not base64 encoded. Please look at this conversation for details about my use case).

Many thanks in advance.

Best regards,

Sam

nnamidc

Jul 26, 2022, 5:22:54 AM
to OWASP ZAP User Group
Many thanks for your reply. Much appreciated.

| I can see the benefits of a "Paste from File" option.

+1 :-)

| Nothing like that is planned yet

Should/can I create a sort of feature request?

| if anyone fancies working on it then just let us know

I would if it wasn't that
  • I wrote my last piece of code more than 25 years ago and even you could not really call that an application (small school project) :-)
  • I'm clearly missing some basics about file handling, formatting, encoding,... which I need to sort out first
But ZAP is a great application so one day I would be honored to contribute.

Best regards,

Sam

kingthorin+owaspzap

Jul 26, 2022, 7:22:13 AM
to OWASP ZAP User Group
https://www.zaproxy.org/docs/desktop/addons/import-export/

I'm not seeing any big effort: Import, right click, fuzz....

kingthorin+owaspzap

Jul 26, 2022, 7:24:59 AM
to OWASP ZAP User Group
To be clear, as Simon mentioned the benefit of a button in the dialog is appreciated. I'm just trying to get you a currently workable solution.

If you're editing the request outside of ZAP what are you editing with and what is the format?

nnamidc

Jul 26, 2022, 3:10:09 PM
to OWASP ZAP User Group
Many thanks for your reply.

I'm rather new in the security domain and still have to learn a lot. So more than just having this functionality available I would like to understand what actually happens to improve my insight so I really appreciate your effort to look further and understand why I'm asking this.

I now see it was not the best idea to create two conversations. One with my actual problem (use case) and this one with the functionality question. So allow me to summarize my use case here, for details I refer to this conversation.

My goal is to intercept a file upload HTTP POST request, the request body is e.g. a png (real binary content, no encoding e.g. base64) and replace this request body with the binary content of another file. I tried already several things (see the other conversation) but for some reason the content changes and the server considers it as an invalid file.

The approach with the HAR import should be possible but actually my issue is not the import, despite the question, but how to get the binary content in the request without changing it. I'm missing some knowledge so if you could point me to some resources also much appreciated.

Many thanks in advance.

Best regards,

Sam
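
An added illustration of the use case described in the last message (not part of the thread and not ZAP code): binary bytes such as the PNG signature do not survive being decoded to text and encoded again, while a byte-level body swap with a recalculated Content-Length keeps them intact. The request, host and payload are constructed samples, and whether a text round trip is what altered the content in the poster's setup is an assumption.

```python
# Constructed sample payload: PNG signature followed by every possible byte value.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
NEW_BODY = PNG_SIG + bytes(range(256))

# Constructed raw upload request; host and path are placeholders.
ORIGINAL = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"old!"
)

def text_round_trip(data: bytes) -> bytes:
    """Model a text-based copy-paste: decode bytes to characters, encode again."""
    return data.decode("utf-8", errors="replace").encode("utf-8")

def replace_body(raw_request: bytes, new_body: bytes) -> bytes:
    """Swap the body at byte level and rewrite Content-Length to match it."""
    head, sep, _old_body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    lines = head.split(b"\r\n")
    kept = [lines[0]]  # request line
    for line in lines[1:]:
        # Drop the stale length header; every other header is kept untouched.
        if not line.lower().startswith(b"content-length:"):
            kept.append(line)
    kept.append(b"Content-Length: " + str(len(new_body)).encode("ascii"))
    return b"\r\n".join(kept) + sep + new_body

def body_of(raw_request: bytes) -> bytes:
    """Return everything after the first blank line, as raw bytes."""
    return raw_request.partition(b"\r\n\r\n")[2]

if __name__ == "__main__":
    mangled = text_round_trip(NEW_BODY)
    print("payload bytes:", len(NEW_BODY), "after text round trip:", len(mangled))
    print("PNG signature intact after round trip:", mangled.startswith(PNG_SIG))
    rebuilt = replace_body(ORIGINAL, NEW_BODY)
    print("byte-level swap intact:", body_of(rebuilt) == NEW_BODY)
```

Comparing a hash of the file on disk with a hash of the body actually sent is a quick way to confirm which step of a workflow changes the bytes.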