How to replace cookies in zap requests?


wof joker

Aug 15, 2022, 2:08:26 AM8/15/22
to OWASP ZAP User Group
I want to directly replace the cookie information in the original request instead of adding and modifying the parameters in the cookie. What should I do? Is it set using setcookies of httpmessage?

LearnWork Smart

Aug 15, 2022, 4:01:22 AM8/15/22
to OWASP ZAP User Group
I think can use Zap - Replacer option https://www.zaproxy.org/docs/desktop/addons/replacer/
I usually use it to pass in custom header, e.g. Basic Auth Header. 

wof joker

Aug 15, 2022, 4:07:20 AM8/15/22
to OWASP ZAP User Group
I want to do this from a script. Is there a good way to do that?

wof joker

Aug 15, 2022, 4:59:19 AM8/15/22
to OWASP ZAP User Group
As shown in the figure, this plug-in cannot meet my needs. I need to replace everything in the cookie with 193799999.
4.png

Simon Bennetts

Aug 15, 2022, 6:06:10 AM8/15/22
to OWASP ZAP User Group
Hiya,

Can you give an example of the cookie header you are receiving and what you would like it to be changed to?

Many thanks,

Simon

wof joker

Aug 15, 2022, 6:22:48 AM8/15/22
to OWASP ZAP User Group
Thank you for your reply!
This is the cookie value I set. I need to use it in the process of spider, passive scanning and active scanning, but the cookies I set will not overwrite the cookies generated by the web application system. I want to ask what I should do?

5.png
6.png

Simon Bennetts

Aug 15, 2022, 6:49:06 AM8/15/22
to OWASP ZAP User Group
Match "Cookie: " in the header and then replace it with "Cookie: This is that value I want to set=;"
Use a "Request Header String" and don't "Match Regex" - you want to replace the exact string "Cookie: " with "Cookie: " and whatever else you want to set.

Cheers,

Simon

wof joker

Aug 15, 2022, 8:13:00 AM8/15/22
to OWASP ZAP User Group
Thanks for the reply, it seems impossible to use "request header string" and "mismatched regular expression". Some cookies are constantly changing, which will cause me to constantly set the cookie value. I want to use a script to replace the cookie value requested by each agent with the cookie to be set. Do you include examples of such scripts?

Simon Bennetts

Aug 15, 2022, 8:20:28 AM8/15/22
to OWASP ZAP User Group
Can you give some examples of the constantly changing cookies - what they are and what you want the result to be?
I was not recommending that you use regex matching.


You can also use HttpSender scripts to make any changes you want to the requests and responses - we have a load of examples here: https://github.com/zaproxy/community-scripts/tree/main/httpsender

Cheers,

Simon
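An added example of the kind of HttpSender script Simon refers to (it is not code from this thread or from the community-scripts repository). It assumes ZAP's standard HttpRequestHeader getHeader/setHeader API; the cookie value and the stand-in message object used to exercise it outside ZAP are constructed placeholders.

```javascript
// Added example of a ZAP HttpSender script (JavaScript), not code from this
// thread or from zaproxy/community-scripts. It overwrites the whole Cookie
// header of every outgoing request. Save it under "HTTP Sender" in ZAP's
// Scripts tab and enable it; otherwise it never runs.

// Constructed placeholder: the exact Cookie string every request should carry.
var CUSTOM_COOKIES = "JSESSIONID=PLACEHOLDER_SESSION_ID; role=tester";

// Overwrites the Cookie header (ZAP's HttpHeader.getHeader/setHeader) and
// returns the previous value, or null when the request had no Cookie header.
function replaceCookieHeader(header, newValue) {
  var previous = header.getHeader("Cookie");
  header.setHeader("Cookie", newValue);
  return previous === null ? null : String(previous);
}

// ZAP calls this for every request, whatever the initiator (proxy, spider,
// active scan, ...); the message is modified in place before it is sent.
function sendingRequest(msg, initiator, helper) {
  replaceCookieHeader(msg.getRequestHeader(), CUSTOM_COOKIES);
}

// Nothing to change on responses. If an authentication method or session
// tracking is configured, ZAP may (re)set cookies itself; check that first
// when the replacement appears to be lost.
function responseReceived(msg, initiator, helper) {}

// Constructed stand-in for HttpMessage so the script can be exercised outside
// ZAP; it mimics only getHeader/setHeader on the request header.
function fakeMessage(cookie) {
  var headers = cookie === undefined ? {} : { Cookie: cookie };
  var requestHeader = {
    getHeader: function (n) { return n in headers ? headers[n] : null; },
    setHeader: function (n, v) { if (v === null) delete headers[n]; else headers[n] = v; }
  };
  return { getRequestHeader: function () { return requestHeader; } };
}

// Runs the script over a request carrying the application's own session cookie
// and over one with no cookie; returns the Cookie header each ends up with.
function demo() {
  var withCookie = fakeMessage("JSESSIONID=666666");
  var noCookie = fakeMessage();
  sendingRequest(withCookie, 1, null);
  sendingRequest(noCookie, 1, null);
  return [withCookie.getRequestHeader().getHeader("Cookie"),
          noCookie.getRequestHeader().getHeader("Cookie")];
}
```

Because the header is overwritten on every request, the application's own Set-Cookie values never reach the server; check the History tab (not the Sites tree) to confirm what was actually sent.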

wof joker

Aug 15, 2022, 8:39:52 AM8/15/22
to OWASP ZAP User Group

As shown in the figure below, the cookie in the request is not the cookie set in my script. I want the cookie in the request to be the cookie set in my script.
8.png
7.png

Simon Bennetts

Aug 15, 2022, 9:04:48 AM8/15/22
to OWASP ZAP User Group
The request shown in the Sites tree is not necessarily the last one sent.
Look at the most recent requests in the History tab.

If it still doesn't appear to be working then try something simple like:
  • msg.getRequestHeader().setHeader("X-ZAP-Test", "test");
Does that work for you?

Simon Bennetts

Aug 15, 2022, 9:08:53 AM8/15/22
to OWASP ZAP User Group
Also, have you configured ZAP to handle authentication?
If so it will (re)set the cookies for you.

wof joker

Aug 16, 2022, 3:02:56 AM8/16/22
to OWASP ZAP User Group

My requirements: replace the original requested cookie with my customized cookie. It is similar to modifying a custom cookie after Burp intercepts the request and then sending it.

As shown in Figure 7 and Figure 8, if the request in the tree structure is not the last request, I do not understand why JSESSIONID=666666 has changed in the tree structure. I read ZAP's Javadoc and compared it with https://github.com/zaproxy/community-scripts/blob/main/httpsender. After many attempts, I still cannot replace the cookie in the original request with a custom cookie.

The environment I tried to test was the vulhub image of OWASP. Docker uses a standard image, starting with webswing.

I need help ~ can you provide a script case to replace the original request cookie? HttpSender's script cannot be overwritten.