ZEST script for csrftoken

[Vincent Yang]

Hi Team,

I reacord a ZEST script as below for ZAP authentication, I want to modify the script, save the "ts" value to a variable, and use it in "csrfToken" field.

But from Windows ZAP GUI, Add Zest Assignment, I can't find a way to do this.

Can you give me some tips?

{
  "about": "This is a Zest script. For more details about Zest visit https://github.com/zaproxy/zest/",
  "zestVersion": "0.8",
  "title": "chtlogin4",
  "description": "",
  "prefix": "",
  "type": "StandAlone",
  "parameters": {
    "tokenStart": "{{",
    "tokenEnd": "}}",
    "tokens": {},
    "elementType": "ZestVariables"
  },
  "statements": [
    {
      "url": "https://192.168.1.136/api/token",
      "data": "{\"method\":\"login\"}",
      "method": "POST",
      "headers": "Content-Type: application/x-www-form-urlencoded; charset\u003dUTF-8\r\nContent-Length: 18\r\nOrigin: https://192.168.1.136\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\n",
      "response": {
        "url": "https://192.168.1.136/api/token",
        "headers": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age\u003d60\r\nCache-Control: no-cache,no-store\r\nPragma: no-cache\r\nExpires: 0\r\nX-Content-Type-Options: nosniff\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode\u003dblock\r\nX-XSS-Protection: 1; mode\u003dblock\r\nContent-Type: application/json; charset\u003d\"UTF-8\"\r\nConnection: close\r\nContent-Security-Policy: frame-ancestors \u0027self\u0027\r\nContent-Length: 78\r\nDate: Thu, 10 Feb 2022 11:13:35 GMT\r\nServer: lighttpd/1.4.56\r\n\r\n",
        "body": "{ \"code\": 0, \"wait\": 0, \"timestamp\": \"3838\", \"data\": { \"ts\": \"73463067427\" } }",
        "statusCode": 200,
        "responseTimeInMs": 21,
        "elementType": "ZestResponse"
      },
      "assertions": [
        {
          "rootExpression": {
            "code": 200,
            "not": false,
            "elementType": "ZestExpressionStatusCode"
          },
          "elementType": "ZestAssertion"
        },
        {
          "rootExpression": {
            "length": 78,
            "approx": 2,
            "variableName": "response.body",
            "not": false,
            "elementType": "ZestExpressionLength"
          },
          "elementType": "ZestAssertion"
        }
      ],
      "followRedirects": false,
      "timestamp": 1644491615854,
      "cookies": [],
      "index": 1,
      "enabled": true,
      "elementType": "ZestRequest"
    },
    {
      "url": "https://192.168.1.136/api/login",
      "data": "u\u003dPVlXUnRhVzQ9MQ%3D%3D\u0026p\u003dYmNHRnpjM2R2Y21RPXc%3D",
      "method": "POST",
      "headers": "Content-Type: application/x-www-form-urlencoded; charset\u003dUTF-8\r\ncsrfToken: 73463067427\r\nContent-Length: 47\r\nOrigin: https://192.168.1.136\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\n",
      "response": {
        "url": "https://192.168.1.136/api/login",
        "headers": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age\u003d60\r\nCache-Control: no-cache,no-store\r\nPragma: no-cache\r\nExpires: 0\r\nX-Content-Type-Options: nosniff\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode\u003dblock\r\nX-XSS-Protection: 1; mode\u003dblock\r\nSet-Cookie: auth_tokens\u003daNV594IcHLwPSkKg; Path\u003d/; HttpOnly; SameSite\u003dStrict; Secure;\r\nContent-Type: application/json; charset\u003d\"UTF-8\"\r\nConnection: close\r\nContent-Security-Policy: frame-ancestors \u0027self\u0027\r\nContent-Length: 264\r\nDate: Thu, 10 Feb 2022 11:13:35 GMT\r\nServer: lighttpd/1.4.56\r\n\r\n",
        "body": "{ \"code\": 0, \"wait\": 0, \"timestamp\": \"3838\", \"data\": { \"mac\": \"00:11:22:33:44:50\", \"version\": \"V1.0.0.26-Cloud_1229\", \"model_name\": \"CHT\", \"role\": \"Master\", \"lan_iface_num\": 2, \"triband_enable\": \"1\", \"username\": \"admin\", \"right\": 1, \"token\": \"aNV594IcHLwPSkKg\" } }",
        "statusCode": 200,
        "responseTimeInMs": 68,
        "elementType": "ZestResponse"
      },
      "assertions": [
        {
          "rootExpression": {
            "code": 200,
            "not": false,
            "elementType": "ZestExpressionStatusCode"
          },
          "elementType": "ZestAssertion"
        },
        {
          "rootExpression": {
            "length": 264,
            "approx": 2,
            "variableName": "response.body",
            "not": false,
            "elementType": "ZestExpressionLength"
          },
          "elementType": "ZestAssertion"
        }
      ],
      "followRedirects": false,
      "timestamp": 1644491615896,
      "cookies": [],
      "index": 2,
      "enabled": true,
      "elementType": "ZestRequest"
    },
    {
      "url": "https://192.168.1.136/api/info",
      "data": "",
      "method": "GET",
      "headers": "csrfToken: 73463067427\r\nAuthorization: Bearer aNV594IcHLwPSkKg\r\nContent-Type: application/x-www-form-urlencoded; charset\u003dUTF-8\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\n",
      "response": {
        "url": "https://192.168.1.136/api/info",
        "headers": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age\u003d60\r\nCache-Control: no-cache,no-store\r\nPragma: no-cache\r\nExpires: 0\r\nX-Content-Type-Options: nosniff\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode\u003dblock\r\nX-XSS-Protection: 1; mode\u003dblock\r\nContent-Type: application/json; charset\u003d\"UTF-8\"\r\nConnection: close\r\nContent-Security-Policy: frame-ancestors \u0027self\u0027\r\nContent-Length: 235\r\nDate: Thu, 10 Feb 2022 11:13:36 GMT\r\nServer: lighttpd/1.4.56\r\n\r\n",
        "body": "{ \"code\": 0, \"wait\": 0, \"timestamp\": \"3838\", \"data\": { \"mac\": \"00:11:22:33:44:50\", \"version\": \"V1.0.0.26-Cloud_1229\", \"model_name\": \"CHT\", \"role\": \"Master\", \"lan_iface_num\": 2, \"triband_enable\": \"1\", \"username\": \"admin\", \"right\": 1 } }",
        "statusCode": 200,
        "responseTimeInMs": 33,
        "elementType": "ZestResponse"
      },
      "assertions": [
        {
          "rootExpression": {
            "code": 200,
            "not": false,
            "elementType": "ZestExpressionStatusCode"
          },
          "elementType": "ZestAssertion"
        },
        {
          "rootExpression": {
            "length": 235,
            "approx": 2,
            "variableName": "response.body",
            "not": false,
            "elementType": "ZestExpressionLength"
          },
          "elementType": "ZestAssertion"
        }
      ],
      "followRedirects": false,
      "timestamp": 1644491615983,
      "cookies": [],
      "index": 3,
      "enabled": true,
      "elementType": "ZestRequest"
    }
  ],
  "authentication": [],
  "index": 0,
  "enabled": true,
  "elementType": "ZestScript"
}

Regards,

Vincent

[Simon Bennetts]

Hiya Vincent,

You can handle this via Zest assignments.

The easiest option is probably using "Assign variable via string delimiters.

You just need to specify the location (HEAD or BODY) and then the strings before and after your token.

Assuming you want to get it from "body": "{ \"code\": 0, \"wait\": 0, \"timestamp\": \"3838\", \"data\": { \"ts\": \"73463067427\" } }",

you would use something like:

• Variable name: csrfToken
• Location: BODY
• Prefix String: ts: "
• Postfix String: "

Try it out in the ZAP desktop - its easier to test that way.

Let us know how you get on.

Cheers,

Simon

[Vincent Yang]

Hi Simon,

Thanks for your suggesion.

I tried as you suggested, add an variable, run the script in ZAP desktop, but the console output "Failed to find value between 'ts: "' and '"'".

Here is my Zest script:

{
  "about": "This is a Zest script. For more details about Zest visit https://github.com/zaproxy/zest/",
  "zestVersion": "0.8",

  "title": "chtlogin6",

  "description": "",
  "prefix": "",
  "type": "StandAlone",
  "parameters": {
    "tokenStart": "{{",
    "tokenEnd": "}}",
    "tokens": {},
    "elementType": "ZestVariables"
  },
  "statements": [
    {
      "url": "https://192.168.1.136/api/token",
      "data": "{\"method\":\"login\"}",
      "method": "POST",
      "headers": "Content-Type: application/x-www-form-urlencoded; charset\u003dUTF-8\r\nContent-Length: 18\r\nOrigin: https://192.168.1.136\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\n",
      "response": {
        "url": "https://192.168.1.136/api/token",

        "headers": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age\u003d60\r\nCache-Control: no-cache,no-store\r\nPragma: no-cache\r\nExpires: 0\r\nX-Content-Type-Options: nosniff\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode\u003dblock\r\nX-XSS-Protection: 1; mode\u003dblock\r\nContent-Type: application/json; charset\u003d\"UTF-8\"\r\nConnection: close\r\nContent-Security-Policy: frame-ancestors \u0027self\u0027\r\nContent-Length: 83\r\nDate: Fri, 11 Feb 2022 03:00:07 GMT\r\nServer: lighttpd/1.4.56\r\n\r\n",
        "body": "{ \"code\": 0, \"wait\": 0, \"timestamp\": \"60629\", \"data\": { \"ts\": \"324700771180779\" } }",
        "statusCode": 200,
        "responseTimeInMs": 25,

        "elementType": "ZestResponse"
      },
      "assertions": [
        {
          "rootExpression": {
            "code": 200,
            "not": false,
            "elementType": "ZestExpressionStatusCode"
          },
          "elementType": "ZestAssertion"
        }
      ],

      "followRedirects": false,
      "timestamp": 1644548407041,

      "cookies": [],
      "index": 1,
      "enabled": true,
      "elementType": "ZestRequest"
    },

    {
      "prefix": " ts: \"",
      "postfix": "\"",
      "location": "BODY",
      "variableName": "csrfToken",
      "index": 2,
      "enabled": true,
      "elementType": "ZestAssignStringDelimiters"
    },
    {
      "url": "https://192.168.1.136/api/login",
      "data": "u\u003dRllXUnRhVzQ9Uw%3D%3D\u0026p\u003dVmNHRnpjM2R2Y21RPTY%3D",
      "method": "POST",
      "headers": "Content-Type: application/x-www-form-urlencoded; charset\u003dUTF-8\r\ncsrfToken: {{csrfToken}}\r\nContent-Length: 47\r\nOrigin: https://192.168.1.136\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\n",

      "response": {
        "url": "https://192.168.1.136/api/login",

        "headers": "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age\u003d60\nCache-Control: no-cache,no-store\nPragma: no-cache\nExpires: 0\nX-Content-Type-Options: nosniff\nX-Content-Type-Options: nosniff\nX-Frame-Options: SAMEORIGIN\nX-XSS-Protection: 1; mode\u003dblock\nX-XSS-Protection: 1; mode\u003dblock\nSet-Cookie: auth_tokens\u003dqgl8x9OniEtDlnTn; Path\u003d/; HttpOnly; SameSite\u003dStrict; Secure;\nContent-Type: application/json; charset\u003d\"UTF-8\"\nConnection: close\nContent-Security-Policy: frame-ancestors \u0027self\u0027\nContent-Length: 265\nDate: Fri, 11 Feb 2022 03:00:07 GMT\nServer: lighttpd/1.4.56\n\n",
        "body": "{ \"code\": 0, \"wait\": 0, \"timestamp\": \"60629\", \"data\": { \"mac\": \"00:11:22:33:44:50\", \"version\": \"V1.0.0.26-Cloud_1229\", \"model_name\": \"CHT\", \"role\": \"Master\", \"lan_iface_num\": 2, \"triband_enable\": \"1\", \"username\": \"admin\", \"right\": 1, \"token\": \"qgl8x9OniEtDlnTn\" } }",
        "statusCode": 200,
        "responseTimeInMs": 67,

        "elementType": "ZestResponse"
      },
      "assertions": [
        {
          "rootExpression": {
            "code": 200,
            "not": false,
            "elementType": "ZestExpressionStatusCode"
          },
          "elementType": "ZestAssertion"
        }
      ],

      "followRedirects": false,
      "timestamp": 1644548407094,

      "cookies": [],
      "index": 3,
      "enabled": true,
      "elementType": "ZestRequest"
    },

    {
      "url": "https://192.168.1.136/api/info",
      "data": "",
      "method": "GET",

      "headers": "csrfToken: {{csrfToken}}\r\nAuthorization: Bearer qgl8x9OniEtDlnTn\r\nContent-Type: application/x-www-form-urlencoded; charset\u003dUTF-8\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\n",

      "response": {
        "url": "https://192.168.1.136/api/info",

        "headers": "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age\u003d60\nCache-Control: no-cache,no-store\nPragma: no-cache\nExpires: 0\nX-Content-Type-Options: nosniff\nX-Content-Type-Options: nosniff\nX-Frame-Options: SAMEORIGIN\nX-XSS-Protection: 1; mode\u003dblock\nX-XSS-Protection: 1; mode\u003dblock\nContent-Type: application/json; charset\u003d\"UTF-8\"\nConnection: close\nContent-Security-Policy: frame-ancestors \u0027self\u0027\nContent-Length: 236\nDate: Fri, 11 Feb 2022 03:00:07 GMT\nServer: lighttpd/1.4.56\n\n",
        "body": "{ \"code\": 0, \"wait\": 0, \"timestamp\": \"60629\", \"data\": { \"mac\": \"00:11:22:33:44:50\", \"version\": \"V1.0.0.26-Cloud_1229\", \"model_name\": \"CHT\", \"role\": \"Master\", \"lan_iface_num\": 2, \"triband_enable\": \"1\", \"username\": \"admin\", \"right\": 1 } }",
        "statusCode": 200,
        "responseTimeInMs": 26,

        "elementType": "ZestResponse"
      },
      "assertions": [
        {
          "rootExpression": {
            "code": 200,
            "not": false,
            "elementType": "ZestExpressionStatusCode"
          },
          "elementType": "ZestAssertion"
        }
      ],

      "followRedirects": false,
      "timestamp": 1644548407179,
      "cookies": [],
      "index": 4,

[Vincent Yang]

Hi Simon,

Sorry, I made a mistake, the prefix define is not correct, I change the variable define as below, the script run successfully.

That's cool, thank you so much.

    {
      "prefix": "\"ts\": \"",
      "postfix": "\"",
      "location": "BODY",
      "variableName": "csrfToken",
      "index": 2,
      "enabled": true,
      "elementType": "ZestAssignStringDelimiters"
    },

Regards,

Vincent