Pre Request script(Like Postman) Possible in ZAP?

Ravindra Bandi

Mar 25, 2024, 4:46:00 AM
to ZAP User Group
Hi Team,

Good morning! We are testing some web APIs which work with HMAC authentication. We do have a pre-request script which helps to generate the hash during API testing using Postman.

We do have a working automated security scan and we are familiar with using the ZAP tool for manual security testing.

Kindly let me know if there is a way to add a pre-request script in the ZAP tool while testing the APIs. I did look into scripts and other options. Looks like they are different.

Here is my sample script which I use in Postman. I would like to try something like this using the ZAP tool to perform a security scan on my APIs.

**PREREQUEST SCRIPT. WORKING IN POSTMAN**

var callerId = 'GUID';
var hmacKey = 'GUID';
var date = new Date();

// String to sign: body (if any) + URL + ISO timestamp + caller id
var contentToHash = pm.request.body ?
    pm.request.body + pm.request.url + date.toISOString() + callerId :
    pm.request.url + date.toISOString() + callerId;

// HMAC-SHA256 over the string, Base64 encoded
var cryptoJs = require('crypto-js');
var hash = cryptoJs.HmacSHA256(contentToHash, hmacKey);
var hashInBase64 = cryptoJs.enc.Base64.stringify(hash);

// Authentication headers sent with the request
pm.request.headers.add({key: 'HMAC', value: hashInBase64});
pm.request.headers.add({key: 'AccessId', value: callerId});
pm.request.headers.add({key: 'RequestDateTime', value: date.toISOString()});
pm.request.headers.add({key: 'X-AuthenticationMethod', value: 'HMAC'});
pm.request.headers.add({key: 'Content-Type', value: 'application/json;charset=UTF-8'});


Regards,
Ravi B

Ravindra Bandi

Mar 26, 2024, 12:23:12 AM
to ZAP User Group
Hi Team,

Can someone help with posting requests with this script in the ZAP tool?

Regards,
Ravi B

thc...@gmail.com

Mar 28, 2024, 3:42:04 AM
to zaprox...@googlegroups.com
Hi,

That would be done with an HTTP Sender script:
https://www.zaproxy.org/docs/desktop/addons/script-console/#script-types

Some examples in:
https://github.com/zaproxy/community-scripts/tree/3db301ef0474ad87f45582fcb3264cc2787c016c/httpsender


Best regards.

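
The HTTP Sender approach suggested in the reply above, as an added example (not code from the thread or from the ZAP project): the Postman signing logic ported to a ZAP HTTP Sender script in Python. It assumes the Python (Jython) scripting add-on is installed and that the server signs the URL exactly as ZAP serializes it; `TARGET_HOST` and the helper names `iso_timestamp` and `sign` are hypothetical, and `GUID` stays a placeholder as in the post.

```python
# ZAP HTTP Sender script (Python/Jython add-on); also runs under CPython.
import base64
import hashlib
import hmac
import time

CALLER_ID = 'GUID'  # placeholder, as in the post (sent as AccessId)
HMAC_KEY = 'GUID'   # placeholder, as in the post (shared secret)
TARGET_HOST = 'api.example.test'  # hypothetical: the only host to sign for


def iso_timestamp(epoch=None):
    """UTC time formatted like JavaScript's Date.toISOString()."""
    ms = int((time.time() if epoch is None else epoch) * 1000)
    stamp = time.strftime('%Y-%m-%dT%H:%M:%S', time.gmtime(ms // 1000))
    return '%s.%03dZ' % (stamp, ms % 1000)


def sign(body, url, timestamp, caller_id=CALLER_ID, key=HMAC_KEY):
    """Base64 HMAC-SHA256 over body + url + timestamp + caller id."""
    content = (body + url + timestamp + caller_id).encode('utf-8')
    digest = hmac.new(key.encode('utf-8'), content, hashlib.sha256).digest()
    return base64.b64encode(digest).decode('ascii')


def sendingRequest(msg, initiator, helper):
    # ZAP calls this for each outgoing request, after any scanner changes,
    # so the signature covers the body that is actually sent.
    header = msg.getRequestHeader()
    uri = header.getURI()
    if uri.getHost() != TARGET_HOST:
        return  # do not send the caller id or a signature to other hosts
    timestamp = iso_timestamp()
    body = msg.getRequestBody().toString()  # empty string when no body
    header.setHeader('HMAC', sign(body, uri.toString(), timestamp))
    header.setHeader('AccessId', CALLER_ID)
    header.setHeader('RequestDateTime', timestamp)
    header.setHeader('X-AuthenticationMethod', 'HMAC')
    header.setHeader('Content-Type', 'application/json;charset=UTF-8')


def responseReceived(msg, initiator, helper):
    pass  # responses need no processing for this scheme
```

Load it as an HTTP Sender script from the Scripts tab of the main window and enable it before scanning.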

Ravindra Bandi

Apr 12, 2024, 2:05:05 AM
to ZAP User Group
Hi,

I have been trying to import using the Options->Scripts tab, but the import is failing as the ZAP tool (v2.14) says the file is not supported. I have quickly tried some of the available scripts from the GitHub URL specified in the previous mail. Can you confirm whether I am using the right option to import HTTP Sender scripts?

Snapshots attached:
Capture.PNG

thc...@gmail.com

Apr 12, 2024, 4:41:38 AM
to zaprox...@googlegroups.com
The scripts are imported in the Scripts tab of the main window.
https://www.zaproxy.org/docs/desktop/addons/script-console/tree/

Best regards.