How to make a POST request through CMD & Automation Framework


Karan Bohra

Aug 2, 2022, 1:26:18 PM
to OWASP ZAP User Group
I wish to do DAST on a POST API. 

While I can successfully make the request through the Manual Editor in the ZAP UI and generate a response & alerts, I am unable to do the same using cmd.

The reason for going through CMD is that we need to run our tests on an agent using an Azure pipeline, hence headless mode.

What I have also tried is adding scripts through CMD & Automation Framework (by adding a script job) or using -script with cmd and providing the script file; unfortunately it doesn't work. The script runs but it doesn't generate any data in the report, and the reports are blank.

Use Case: DAST a POST API just as you can DAST a GET API using cmd & Automation Framework (-autorun).

P.S. - I have used -config.replacer to provide headers & auth for GET. I am using the same header setup for POST as well.

Any help will be highly appreciated.

Thank you.

Regards,
Karan Bohra


kingthorin+owaspzap

Aug 2, 2022, 2:08:26 PM
to OWASP ZAP User Group
Why not properly interact with the API or Automation Framework? (Instead of trying to Frankenstein something with CMD?)

Simon Bennetts

Aug 3, 2022, 3:49:15 AM
to OWASP ZAP User Group
Hi Karan,

The Automation Framework should work in this case, but you will need to play around a bit to get the headers working.
The best way to do this is in isolation:
  1. Write a script which makes just one POST request.
  2. Add a script job to invoke the "LogMessages.js" script as per https://www.zaproxy.org/docs/docker/diagnosing-problems/#automation-framework
  3. Invoke it with the relevant config options to add the headers.
If the right headers are not shown then you've got the configs wrong.
If you're struggling with this then you can post your full scripts here - you can use a site like https://www.example.com in the examples as you are not performing any attacks.

We should make it easier to specify headers in the request job, I'll see if I can look at that before too long.

Cheers,

Simon
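The isolation test Simon describes above, written out as an added example (not code from the thread or from the ZAP project): a minimal Automation Framework plan that sends exactly one POST request and logs what ZAP actually put on the wire. Assumptions: ZAP runs from the zaproxy/zap-stable Docker image with /zap/wrk mounted, the community LogMessages.js httpsender script has already been copied into /zap/wrk, the target is the placeholder https://www.example.com with a hypothetical /api/items path and a constructed JSON body, and the expected response code is a guess to be adjusted to the real API.

```yaml
# Added example, not from the original thread.
# Purpose: reproduce Simon's three-step diagnostic in one plan:
#   1. one POST request, nothing else (no spider, no active scan)
#   2. LogMessages.js attached as an httpsender script so every request
#      ZAP sends is printed, headers included
#   3. the auth header itself is injected from the command line via
#      -config replacer.* options (see usage note), not from this file
env:
  contexts:
    - name: "post-api"
      urls:
        - "https://www.example.com"          # placeholder target, nothing is attacked
      includePaths:
        - "https://www.example.com.*"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true

jobs:
  # Step 2: register the community LogMessages.js httpsender script.
  # Assumes the file was copied to /zap/wrk (path is an assumption).
  - type: script
    parameters:
      action: add
      type: httpsender
      engine: "ECMAScript : Oracle Nashorn"
      name: "LogMessages.js"
      file: "/zap/wrk/LogMessages.js"

  # Make sure the logging script is active before anything is sent.
  - type: script
    parameters:
      action: enable
      type: httpsender
      name: "LogMessages.js"

  # Step 1: a single POST. The requestor job sends the request through
  # ZAP's own sender, so the replacer rules apply to it exactly as they
  # would to spider or scan traffic.
  - type: requestor
    parameters:
      user: ""
    requests:
      - url: "https://www.example.com/api/items"   # hypothetical endpoint
        method: "POST"
        data: '{"name": "zap-smoke-test"}'         # constructed sample body
        responseCode: 200                          # assumed; set to what the API returns
```

Run it headless with the header supplied on the command line, for example: zap.sh -cmd -autorun /zap/wrk/post-smoke.yaml -config replacer.full_list(0).description=auth -config replacer.full_list(0).enabled=true -config replacer.full_list(0).matchtype=REQ_HEADER -config replacer.full_list(0).matchstr=Authorization -config replacer.full_list(0).regex=false -config replacer.full_list(0).replacement="Bearer $TOKEN". The check is the one from the post: the LogMessages.js output must show the POST with the Authorization header attached; if the header is missing there, the replacer config is wrong and no report will ever contain it. Two caveats for the pipeline case: the token passed as a -config value is visible in the process list and in any verbose agent log, so feed it from a masked pipeline secret rather than a literal, and only once this single request logs correctly should spider or activeScan jobs be added to the plan.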

Karan Bohra

Aug 4, 2022, 1:21:51 PM
to OWASP ZAP User Group
Hi kingthorin, Simon,

Thank you for your suggestions & feedback. We managed to accomplish this using the openapi task of the Automation Framework to send requests.

@Simon, for headers we are using config replacer in a small script to fetch and send the access token.

Still trying to iron out a few difficulties in the next steps, but I believe we should be able to get through.

Thank you once again.

Regards,
Karan Bohra

Simon Bennetts

Aug 5, 2022, 2:45:21 AM
to OWASP ZAP User Group
Hiya Karan,

That's good - thanks for letting us know.

Simon