Ajax Spider and Value Generator


Даниил Сутягин

Nov 17, 2023, 10:32:29 AM
to ZAP User Group
Hi, Simon!
ZAP is a beautiful tool and our team is using it in our everyday job.
Thank you and all your team for your work!!

I have several questions about Ajax Spider usage with Value Generator.
It looks like Ajax Spider can insert only random input into form fields.
I tried to disable random input, but Ajax Spider is still not inserting any values from the Value Generator settings page.
Also, I have found some links that create the illusion that such functionality is already implemented in ZAP.
https://github.com/zaproxy/zaproxy/issues/2089 - closed with completed tag
https://github.com/zaproxy/zaproxy/issues/3343 - still open....

Will such functionality ever be implemented?
I hope so...

Thanks again, ZAP is awesome!
Best regards, Daniil Sutyagin

Simon Bennetts

Nov 17, 2023, 11:09:15 AM
to ZAP User Group
Thank you!

Issue #3343 is the relevant one, but at the time of writing this email it only has one 👍.

We prioritise work based on a load of criteria, but one of those is the number of 👍's on the first comment.

So everyone, if there are any ZAP issues you really want to see implemented then give them a 👍!


Cheers,

Simon


Даниил Сутягин

Nov 17, 2023, 11:57:35 AM
to ZAP User Group
Well, I get it. Thanks!

What if we decide to develop such functionality on our own?
Could you give us a little help with how to set up a development environment,
how to build ZAP from sources, and maybe some other nice advice?

I already understand that the main spider init logic is here:
https://github.com/zaproxy/zap-extensions/blob/main/addOns/spiderAjax/src/main/java/org/zaproxy/zap/extension/spiderAjax/SpiderThread.java
And that it uses Crawljax as a dependency.
Also, I understand that here
https://github.com/zaproxy/zap-extensions/blob/0a2d05aa95740ddb1c30d9703cf983a2f0a1f484/addOns/spiderAjax/src/main/java/org/zaproxy/zap/extension/spiderAjax/SpiderThread.java#L225-L227
I can add functionality to check some other CheckBox, for example,
target.getOptions().useValueGenerator()
and then add a rule, something like this:
// when Crawljax encounters a form element with the id or name "q" enter "Crawljax"
input.field("q").setValue("Crawljax");
builder.crawlRules().setInputSpec(input);
I got it from here:
https://github.com/crawljax/crawljax/wiki/Getting-started

And instead of using "q" and "Crawljax",
get the name of the field and the value for this field with FormHandlerValueGenerator
https://github.com/zaproxy/zap-extensions/blob/main/addOns/formhandler/src/main/java/org/zaproxy/zap/extension/formhandler/ExtensionFormHandler.java
But at this time I can't understand how to get the name and value; I see only getFormHandlerFieldNames() here:
https://github.com/zaproxy/zap-extensions/blob/0a2d05aa95740ddb1c30d9703cf983a2f0a1f484/addOns/formhandler/src/main/java/org/zaproxy/zap/extension/formhandler/ExtensionFormHandler.java#L103C25-L103C51

Thanks again!

Simon Bennetts

Nov 17, 2023, 12:05:08 PM
to ZAP User Group
We have a pretty thorough Developer Guide here :) https://www.zaproxy.org/docs/developer/

The best place to discuss the implementation is on the issue.
If you comment on it then we'll also be able to assign it to you.

Thanks for offering to get involved!

Simon