Getting history for current web session


ZAPuser

Aug 24, 2021, 7:13:09 PM
to OWASP ZAP User Group
Hello,

I'm looking into extHist as a way to get the current web session represented by its Id as part of a Passive Rules script.

I've seen code that loops through the history table like: while (i <= lastRef) {

However, I do not want to loop through the table but instead I would like to get the current Id only so that I can apply tags to it (addTag) on the fly.

My questions:
- is this possible to get the current Id without looping?
- can the current Id be used to add tags via addTag and for the change reflected in the History tab?

Thanks

kingthorin+owaspzap

Aug 24, 2021, 9:33:31 PM
to OWASP ZAP User Group
Define "current". That's kind of a difficult concept given ZAP's multithreaded nature and the fact that there are history IDs set by fuzz and active scan that aren't displayed in history, etc.

For guidance on scripting and tags your best bet is to look at: https://github.com/zaproxy/community-scripts/blob/main/standalone/historySourceTagger.js

However if you're just wanting to passively tag things why not actually use ZAP's tag functionality?

kingthorin+owaspzap

Aug 24, 2021, 9:53:42 PM
to OWASP ZAP User Group

ZAPuser

Aug 24, 2021, 11:59:33 PM
to OWASP ZAP User Group
Thanks for the reply!

I'm using a set of regexes via a Passive Rules script to trigger alerts when a URL matches on live traffic. What I mean by current is basically whenever an alert is triggered (ps.raiseAlert) I would also like to add a tag(s) for the corresponding URL in the History tab. This is why I didn't want to loop through the entire history table, but instead simply add the tag for that 'current' match.

By the way I came across your script earlier and it was very useful for understanding some of the basics of parsing the history table. Thank you for that link of the missing history Ids, I was actually puzzled by that earlier too.

thc...@gmail.com

Aug 25, 2021, 3:01:13 AM
to zaprox...@googlegroups.com
You can call ps.addTag("My Tag") to tag the message being passive scanned.

Best regards.

Simon Bennetts

Aug 25, 2021, 3:22:11 AM
to OWASP ZAP User Group
If you just want to do something when alerts are raised then you can also hook into the ZAP event bus.
Events are raised whenever an alert is added, changed or removed - these events include the alert id so you can then do anything you like to that alert.
If that's of interest then we can go into more details...

Cheers,

Simon

ZAPuser

Aug 25, 2021, 11:59:05 AM
to OWASP ZAP User Group
Thanks very much for your responses!

I found the suggestion from thc202 to be just what I needed here (ps.addTag). I was looking for something similar but under the wrong name. I saw msg.setNote(note) and thought there might be a msg.setTag(tag) but there wasn't. The addTag works just as intended.

Is there a similar way to interact with the current message being scanned for example to highlight the line in the history tab? I saw there was an addon (https://github.com/kingthorin/neonmarker) but wanted to see if there is a more simple way to do it, for example: ps.addHighlight("red")?

kingthorin+owaspzap

Aug 25, 2021, 2:04:28 PM
to OWASP ZAP User Group
You can use it from scripts but your tag on the "latest" message would need to be unique:
https://github.com/kingthorin/neonmarker/wiki

Might end up with some weird race condition(s) too.

ZAPuser

Aug 25, 2021, 2:41:48 PM
to OWASP ZAP User Group
I tried the following implementation:

extNeon = org.parosproxy.paros.control.Control.getSingleton().getExtensionLoader().getExtension(org.zaproxy.zap.extension.neonmarker.ExtensionNeonmarker.NAME);

function scan(ps, msg, src)
{
    // Regex found a match, let's add a tag and add color to the entry line in History tab
    ps.addTag("my tag");
    extNeon.addColorMapping("Comment", 0x990000)
}

but getting the following error:
java.lang.RuntimeException: java.lang.NoSuchMethodException: Can't unambiguously select between fixed arity signatures [(java.lang.String), (int)] of the method org.parosproxy.paros.extension.ExtensionLoader.getExtension for argument types [jdk.nashorn.internal.runtime.NativeJavaPackage]java.lang.RuntimeException: java.lang.NoSuchMethodException: Can't unambiguously select between fixed arity signatures [(java.lang.String), (int)] of the method org.parosproxy.paros.extension.ExtensionLoader.getExtension for argument types [jdk.nashorn.internal.runtime.NativeJavaPackage]

kingthorin+owaspzap

Aug 25, 2021, 8:28:43 PM
to OWASP ZAP User Group
Hmmmm that might be due to more recent changes to the Scripts extension, I'll do some testing.

kingthorin+owaspzap

Aug 25, 2021, 9:06:41 PM
to OWASP ZAP User Group
Okay got it sorted out. That error happens when you don't have Neonmarker installed. So install it first ;)

You probably don't want to add the mapping inside the scan method, otherwise it'll be added for every message scanned. (The add-on should prevent duplicates, I'll have to tackle that separately.) The example in the wiki is meant to be a standalone script. (I'll tweak the content to make that more clear).

For the color mapping you add you probably want "extNeon.addColorMapping("my tag", 0x990000)", so that it colors the things you tag :) [Not those that have the "Comment" tag.]

Also if you're going to share the script with others (hopefully you'll add it to the community-scripts repo). It would probably be a good move to wrap the addColorMapping call in a conditional that checks that you actually found extNeon...

if (extNeon != null) {
    extNeon.addColorMapping("my tag", 0x990000)
}

That way if others fail to install Neonmarker they'll still get the tag and not the error you got. (Of course you should comment the script so that it's clear that if they want colored history they need to install the add-on)

ZAPuser

Aug 26, 2021, 12:18:59 AM
to OWASP ZAP User Group
Thanks!

This seems to work well. I do intend to share the script if I can get it to a decent enough level!

I am the author of this tool using Fiddler https://github.com/malwareinfosec/EKFiddle. However, Telerik is pushing their premium version and there are doubts whether they will be maintaining the classic version. I was also asked recently by someone who uses zaproxy if I ever intended to make a version for it and because I had only heard about zap a few times, I decided to check it further.

So I took a look and started learning a bit. I have to say Java was a big drawback initially (I was hoping for an interface built on something more modern or perhaps even a web UI) as I have uninstalled anything Java related for years... I also have never programmed in Java so it's interesting to say the least because the JavaScript for Java (Nashorn) is a bit wonky at times!

Anyway, if anyone is interested in what I'm trying to do here, feel free to get in touch. The tool is meant for security researchers and identifying malicious websites (exploits, scams, skimmers, malvertising, etc.).


thc...@gmail.com

Aug 26, 2021, 1:52:15 AM
to zaprox...@googlegroups.com
It would also be better to add the mapping outside the scan function,
since that just needs to be done once (the scripts are cached so that
would be executed fewer times even).

(Assuming it's ok to have the mapping when there are no occurrences.)

Best regards.


malwareinfosec

Aug 26, 2021, 11:24:11 AM
to OWASP ZAP User Group
Thank you for all the good tips!
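
The advice in this thread combined into one passive script, as an added example that is not any poster's code: it tags with ps.addTag, registers the Neonmarker color mapping once outside scan, and guards the extension lookup itself with try/catch so that a missing add-on leaves tagging and alerting working. The rule patterns and URLs are constructed, and the 13-argument ps.raiseAlert order is assumed from ZAP's passive script template of that period.

```javascript
// Added example (not code from the thread). Rule patterns are constructed placeholders.
var TAG = "my tag";
var RULES = [
    { name: "Constructed rule: 16-char script name", re: /\/[a-z0-9]{16}\.js(\?|$)/i },
    { name: "Constructed rule: 32-hex id parameter", re: /[?&]id=[0-9a-f]{32}\b/i }
];

// Resolve Neonmarker defensively. Without the add-on the class path does not resolve to a
// Java class and getExtension() itself throws, so the lookup is guarded, not only the use.
function findNeonmarker() {
    try {
        var ext = org.parosproxy.paros.control.Control.getSingleton().getExtensionLoader()
            .getExtension(org.zaproxy.zap.extension.neonmarker.ExtensionNeonmarker.NAME);
        return ext || null;
    } catch (e) {
        return null; // add-on missing (or script running outside ZAP): tagging still works
    }
}

// Runs once when the script is loaded, not once per scanned message.
var extNeon = findNeonmarker();
if (extNeon !== null) {
    extNeon.addColorMapping(TAG, 0x990000); // color key is the same tag scan() applies
}

// Return the first rule matching the URL together with the matched text, or null.
function firstMatch(url) {
    for (var i = 0; i < RULES.length; i++) {
        var m = RULES[i].re.exec(url);
        if (m) { return { rule: RULES[i], evidence: m[0] }; }
    }
    return null;
}

function scan(ps, msg, src) {
    var url = String(msg.getRequestHeader().getURI().toString());
    var hit = firstMatch(url);
    if (hit === null) { return; }
    // risk 0 = informational, confidence 2 = medium (assumed argument order, see lead-in)
    ps.raiseAlert(0, 2, hit.rule.name, "URL matched a watch-list pattern.", url,
        "", "", "", "", hit.evidence, 0, 0, msg);
    ps.addTag(TAG); // tags the message currently being passively scanned
}
```
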