Pre Request script(Like Postman) Possible in ZAP?

[Ravindra Bandi]

Hi Team,

Good morning! We are testing some web apis which works with hmac authentication. We do have some prequest script which helps to generated HASH during the API testing using Postman.

we do have working automated security scan and we are familiar to use ZAP tool for manual security testing.

Kindly let me know if there is a way to add prerequest  script in ZAP tool while testing the apis. I did looked into script and other options.Looks like they are different

Here is my sample script which I use in postman. I would like to try something like this using ZAP tool to perform security scan on my apis

***PREREQUEST SCRIPT. WORKING IN POSTMAN**

var callerId = 'GUID';

var hmacKey = 'GUID';

 var date = new Date();

var contentToHash = pm.request.body ?

    pm.request.body + pm.request.url + date.toISOString() + callerId :

    pm.request.url + date.toISOString() + callerId;

var cryptoJs = require('crypto-js');

var hash = cryptoJs.HmacSHA256(contentToHash, hmacKey);

var hashInBase64 = cryptoJs.enc.Base64.stringify(hash);

 

pm.request.headers.add({key: 'HMAC', value: hashInBase64});

pm.request.headers.add({key: 'AccessId', value: callerId});

pm.request.headers.add({key: 'RequestDateTime', value: date.toISOString()});

pm.request.headers.add({key: 'X-AuthenticationMethod', value: 'HMAC'});

pm.request.headers.add({key: 'Content-Type', value: 'application/json;charset=UTF-8'});

Regards,

Ravi B

[Ravindra Bandi]

Hi Team, 

Can someone help on posting requests with this script in ZAP tool. 

Regards,

Ravi B

[thc...@gmail.com]

Hi,

That would be done with an HTTP Sender script:
https://www.zaproxy.org/docs/desktop/addons/script-console/#script-types

Some examples in:
https://github.com/zaproxy/community-scripts/tree/3db301ef0474ad87f45582fcb3264cc2787c016c/httpsender


Best regards.

On 25/03/2024 08:42, Ravindra Bandi wrote:
> Hi Team,
>
> Good morning! We are testing some web apis which works with hmac
> authentication. We do have some prequest script which helps to generated
> HASH during the API testing using Postman.
>
> we do have working automated security scan and we are familiar to use ZAP
> tool for manual security testing.
>
> Kindly let me know if there is a way to add prerequest script in ZAP tool
> while testing the apis. I did looked into script and other options.Looks
> like they are different
>
> Here is my sample script which I use in postman. I would like to try
> something like this using ZAP tool to perform security scan on my apis
>
> ***PREREQUEST SCRIPT. WORKING IN POSTMAN**
>

> var callerId *=* 'GUID';
>
> var hmacKey *=* 'GUID';
>
> var date *=* *new* Date();
>
> var contentToHash *=* pm.request.body *?*
>
> pm.request.body *+* pm.request.url *+* date.toISOString() *+* callerId
> *:*
>
> pm.request.url *+* date.toISOString() *+* callerId;
>
> var cryptoJs *=* *require*('crypto-js');
>
> var hash *=* cryptoJs.HmacSHA256(contentToHash, hmacKey);
>
> var hashInBase64 *=* cryptoJs.enc.Base64.stringify(hash);
>
>
>
> pm.request.headers.*add*({key: 'HMAC', value: hashInBase64});
>
> pm.request.headers.*add*({key: 'AccessId', value: callerId});
>
> pm.request.headers.*add*({key: 'RequestDateTime', value:
> date.toISOString()});
>
> pm.request.headers.*add*({key: 'X-AuthenticationMethod', value: 'HMAC'});
>
> pm.request.headers.*add*({key: 'Content-Type', value:

[Ravindra Bandi]

Hi,

I have been trying to import using Options->Scripts tab but import is failing as the ZAP tool (v2.14) says the file is not supported. I have quickly tried some of the available scripts from specified Github url in previous mail. Can you confirm if I am using right option to import http sender scripts

snapshots attached

[thc...@gmail.com]

The scripts are imported in the Scripts tab of the main window.
https://www.zaproxy.org/docs/desktop/addons/script-console/tree/

Best regards.