Send HTTP POST application/json using GraalJS

[Phùng Quang Trường]

I'm trying to write GraalJS to send a POST application/json using GraalJS. I found some template inside ZAP but It is all about normal POST form. Also I know that JSON format is just text and I can send POST with text only but does anyone know how to send it in proper way or just send it as text?

[psiinon]

Hiya,

Heres a good example: https://github.com/zaproxy/community-scripts/blob/v17/targeted/cve-2021-22214.js#L102-L113

Cheers,

Simon

On Thu, Aug 24, 2023 at 1:00 PM Phùng Quang Trường <pqt12...@gmail.com> wrote:

I'm trying to write GraalJS to send a POST application/json using GraalJS. I found some template inside ZAP but It is all about normal POST form. Also I know that JSON format is just text and I can send POST with text only but does anyone know how to send it in proper way or just send it as text?

--
You received this message because you are subscribed to the Google Groups "ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/b6028f3c-9d96-4f0d-bd49-79d93758f8bfn%40googlegroups.com.

--

ZAP Project leader

[Phùng Quang Trường]

My application that I'm writing Authentication Script return both Set-Cookie header and API-Key in response body. I wonder if I can write Http Sender script to set Cookie header and API-key header that Active Scan can use to send request? 

[psiinon]

Have you tried the Authentication Tester?

https://www.zaproxy.org/docs/authentication/auto-detection/

If so, how far did it get?

If not .. then I recommend trying it :)

Cheers,

Simon

To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/c67f2458-c1d3-4ac3-8361-341f25b1b7aen%40googlegroups.com.

--

ZAP Project leader

[Phùng Quang Trường]

In fact, what I am trying to do is scan a list of API. Because of the application swagger doesn't have enough parameters. So I have to send my own request and import to ZAP using HAR. The problem is because this is API with out web interface so the Authentication Tester seem not to work with. The authentication method is a POST method with application/json. Return header Set-Cookie and API-Key.

[psiinon]

OK, that makes sence.

Yes, you can write an httpsender script to inject anything.

Make sure you read all of https://www.zaproxy.org/docs/authentication/ - that should help.

Also see https://www.zaproxy.org/blog/2023-02-01-authenticating-using-selenium/ - thats more complicated that your situation, but it might give you some idea of what you can do, eg with script variables.

Cheers,

Simon

To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/35f18b61-b51f-4ad4-aa87-d46e642f93a1n%40googlegroups.com.

--

ZAP Project leader

[Phùng Quang Trường]

One last question, if I write login script, do I still need to define Login/Logout regex to prevent the authentication script run every time?

[psiinon]

That depends.

You have 2 choices:

• Handle authentication yourself
• Configure ZAP to handle it

If you want ZAP to handle authentication then yes, you need to configure Logged in/out regexes :)

Cheers,

Simon

To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/09e0fb0b-6503-4328-93b4-75e5746c18f5n%40googlegroups.com.

--

ZAP Project leader

[Phùng Quang Trường]

Got I, finally I can work with both Authentication Script and HttpSender. I wonder when I start Active Scan, does ZAP will run Authentication first or run Authentication Verification request first ?

[psiinon]

Your scripts should probably cope with both cases :)

But you can try it and see...

To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/2c258beb-a008-45fd-86a5-c27d77826437n%40googlegroups.com.

--

ZAP Project leader