Hello,
I'm trying to write a targeted Zest Script that deletes the NOPCOMMERCE.AUTH cookie from a request. An example request is shown below:
GET http://nopcommerce.local/nopcommercestage/wishlist HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://nopcommerce.local/nopcommercestage/
Cookie: Nop.customer=ab6013ae-bb6d-45b9-8bfa-5ae583c6e400; __RequestVerificationToken_L25vcGNvbW1lcmNlc3RhZ2U1=Z3U1YOy2T8yEQHvA25QFggtFkN6cLKC6s730wNkMfnxBnxhV1htTZHviDUlHXGOrUCGHS1DIGXlXvn6WPvPje_PCmAJoSL6377v5dxmc8tY1; ASP.NET_SessionId=3f4jcrnttxy4zpxedfnszpal; NopCommerce.RecentlyViewedProducts=RecentlyViewedProductIds=13; __atuvc=6%7C30; NOPCOMMERCE.AUTH=0961E8FDBF9A928447B4472DF4230E31CD8C37C86543272CBC1E1CB572F89F8B89A2A3DE5E07C56507FBE03ACDBB05A3E17A9371BED69FE82B67BDF34F9A5862DE2CFE1ACA9AAD706C65ED998210208912E8FC1FABC335E6B4BF597F434A4F1E88F41A968E2BC9007EDD10083118E4FA0B4FD53B7391F1B28BA9D8EDCEC0761E36C891F4659578250D2DCC360D4948EB7730E8C036E7200ECBE0CE1F8680270CBEE020EA4DFD1E2F6B0EC3B59A47F01D
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Host: nopcommerce.local
The difficulty I'm experiencing is that none of the cookies are being passed to request.header for the Zest script. ZAP seems to strip them out before it even gets to the script. When I turn on debugging, I see the following being set for each of the variables:
Targeted scripts are scripts that act on a specified URL or set of URLs.
You typically invoke them by right-clicking on a node in the Sites tree or on a record in a list of responses and selecting 'Run with Script'.
Called http://nopcommerce.local/nopcommercestage/wishlist
DEBUG: Set request.url = http://nopcommerce.local/nopcommercestage/wishlist
DEBUG: Set request.header = Accept-Language: en-US,en;q=0.5\r\nReferer: http://nopcommerce.local/nopcommercest...
DEBUG: Set request.method = GET
DEBUG: Set request.body =
DEBUG: Set response.url = http://nopcommerce.local/nopcommercestage/wishlist
DEBUG: Set response.header = HTTP/1.1 200 OK\r\nCache-Control: private\r\nContent-Type: text/html; charset=utf-8\r...
DEBUG: Set response.body = \r\n\r\n<!DOCTYPE html>\r\n<html class="html-wishlist-page">\r\n<head>\r\n <title>Your ...
DEBUG: 1 Comment Targeted scripts are invoked manually for URLs, typically via 'right click' menus.
The template script just repeats the request and prints out the URL its been called for.
DEBUG: GET : http://nopcommerce.local/nopcommercestage/wishlist
DEBUG: Set request.url = http://nopcommerce.local/nopcommercestage/wishlist
DEBUG: Set request.header = Accept-Language: en-US,en;q=0.5\r\nReferer: http://nopcommerce.local/nopcommercest...
DEBUG: Set request.method = GET
DEBUG: Set request.body =
DEBUG: Set response.url = http://nopcommerce.local/nopcommercestage/wishlist
DEBUG: Set response.header = HTTP/1.1 200 OK\r\nCache-Control: private\r\nContent-Type: text/html; charset=utf-8\r...
DEBUG: Set response.body = \r\n\r\n<!DOCTYPE html>\r\n<html class="html-wishlist-page">\r\n<head>\r\n <title>Your ...
DEBUG: 3 Action invoke: org.mozilla.zest.core.v1.ZestActionPrint
Called http://nopcommerce.local/nopcommercestage/wishlist
DEBUG: 3 Action result: Called http://nopcommerce.local/nopcommercestage/wishlist

I used the default template so far as a baseline to get it to send the Cookie. Here's a few things I've tried to address this:
- Force the user to log in (by setting up authentication for the context, adding users, and then clicking the force user mode) - This works for including the cookie in the final request, but it doesn't actually send the cookie to the Zest script, which means I can't strip out just the NOPCOMMERCE.AUTH cookie and leave the other cookies.
- Go to Tools -> options -> zest, and uncheck ignore cookies when recording zest scripts
So my question is, if I right click and say invoke with zest script, how do I get the cookies in that request to reach the Zest script instead of ZAP stripping them out?
Thanks!
Nick