Hi,
That would be done with an HTTP Sender script:
https://www.zaproxy.org/docs/desktop/addons/script-console/#script-types
Some examples in:
https://github.com/zaproxy/community-scripts/tree/3db301ef0474ad87f45582fcb3264cc2787c016c/httpsender
Best regards.
On 25/03/2024 08:42, Ravindra Bandi wrote:
> Hi Team,
>
> Good morning! We are testing some web APIs which work with HMAC
> authentication. We do have some prerequest script which helps to generate
> the hash during the API testing using Postman.
>
> We do have a working automated security scan and we are familiar with
> using the ZAP tool for manual security testing.
>
> Kindly let me know if there is a way to add a prerequest script in the ZAP
> tool while testing the APIs. I did look into scripts and other options.
> Looks like they are different.
>
> Here is my sample script which I use in Postman. I would like to try
> something like this using the ZAP tool to perform a security scan on my APIs.
>
> PREREQUEST SCRIPT. WORKING IN POSTMAN
>
> var callerId = 'GUID';
> var hmacKey = 'GUID';
> var date = new Date();
> var contentToHash = pm.request.body ?
>     pm.request.body + pm.request.url + date.toISOString() + callerId :
>     pm.request.url + date.toISOString() + callerId;
> var cryptoJs = require('crypto-js');
> var hash = cryptoJs.HmacSHA256(contentToHash, hmacKey);
> var hashInBase64 = cryptoJs.enc.Base64.stringify(hash);
>
> pm.request.headers.add({key: 'HMAC', value: hashInBase64});
> pm.request.headers.add({key: 'AccessId', value: callerId});
> pm.request.headers.add({key: 'RequestDateTime', value: date.toISOString()});
> pm.request.headers.add({key: 'X-AuthenticationMethod', value: 'HMAC'});
> pm.request.headers.add({key: 'Content-Type', value:
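
A sketch of the HTTP Sender script suggested in the reply, porting the quoted Postman logic to ZAP's sendingRequest/responseReceived hooks. This is an added example, not code from the thread or from the ZAP project. It assumes the script engine exposes Java.type, that the server signs over the full request URI as ZAP sends it, and it leaves out the Content-Type header because its value is cut off in the quoted script; buildAuthHeaders and hmacSha256Base64 are names made up for this example.

```javascript
// Added example, not from the thread. 'GUID' is the placeholder used in the quoted script.
var CALLER_ID = 'GUID';
var HMAC_KEY = 'GUID';

// Base64(HMAC-SHA256(key, content)) over UTF-8, matching CryptoJS.HmacSHA256 + enc.Base64.
function hmacSha256Base64(key, content) {
  if (typeof Java !== 'undefined') {
    // Inside ZAP (assumed: the script engine exposes Java.type): use the JDK.
    var utf8 = Java.type('java.nio.charset.StandardCharsets').UTF_8;
    var SecretKeySpec = Java.type('javax.crypto.spec.SecretKeySpec');
    var keyBuf = utf8.encode(key);
    var mac = Java.type('javax.crypto.Mac').getInstance('HmacSHA256');
    mac.init(new SecretKeySpec(keyBuf.array(), 0, keyBuf.limit(), 'HmacSHA256'));
    mac.update(utf8.encode(content));
    return Java.type('java.util.Base64').getEncoder().encodeToString(mac.doFinal());
  }
  // Outside ZAP (Node.js): only so the signing logic can be checked offline.
  return require('crypto').createHmac('sha256', key).update(content, 'utf8').digest('base64');
}

// Signs the same string as the Postman script: [body +] url + ISO timestamp + callerId.
function buildAuthHeaders(body, url, isoDate, callerId, key) {
  var contentToHash = (body || '') + url + isoDate + callerId;
  return {
    'HMAC': hmacSha256Base64(key, contentToHash),
    'AccessId': callerId,
    'RequestDateTime': isoDate,
    'X-AuthenticationMethod': 'HMAC'
  };
}

// ZAP calls this before each request leaves, including scanner-modified ones,
// so the signature is computed over the request as it will actually be sent.
function sendingRequest(msg, initiator, helper) {
  var header = msg.getRequestHeader();
  var headers = buildAuthHeaders(String(msg.getRequestBody().toString()),
    String(header.getURI().toString()), new Date().toISOString(), CALLER_ID, HMAC_KEY);
  for (var name in headers) {
    header.setHeader(name, headers[name]);
  }
}

// Required by the HTTP Sender script interface; nothing to do on responses.
function responseReceived(msg, initiator, helper) {}
```

Because the timestamp and hash are recomputed per request, a header value captured from Postman and pasted into ZAP would not stay valid across a scan; the key itself is better loaded from a ZAP script variable or environment than committed in the script file.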