How to encode/change a variable extracted with GET and then sent it with POST?


werkem...@gmail.com

Nov 16, 2017, 4:03:40 AM
to mozilla-zest
Hi,

I also posted this in the ZAP group but I just realised that this is maybe more appropriate for the ZEST group.

I am trying to get the script based authentication working on a website. I am using a Zest script. It is not working yet. Hopefully the answer to my question will be the solution for the authentication problem.

The problem:

Multiple parameters are sent during the login POST request. Some of these parameters are dynamic and we have to extract their values from the previous page and use them in the POST request. I refer to these variables with: {{variable1}}. This works more or less, but I think there is a problem with encoding.

When I perform the login manually and look inside the POST requests inside Zap I see a '%2F'  in places where a '/' was used in the values of the parameters. However, when I run my authentication Zest script I see that the '/' is not replaced by '%2F' . This seems to be a problem, because Zest changes the color coding after the '/'. So the '/' seems a special character.


Question:

How can I dynamically encode/change my variable {{variable1}} such that every '/' appears as %2F?  I do not want to do this manually once, but it should be done automatically with every login.

thc...@gmail.com

Nov 17, 2017, 6:46:31 AM
to mozill...@googlegroups.com
Hi.

The Zest scripting does not yet support that. [1] Will see if we can get
that in soon as that's a recurrent issue.

There's a workaround to achieve that though. It's possible to call an
external script that does the required encoding.
For example, a JavaScript script (file name "encode.js", the extension
is important, it specifies the language of the script) with:
encodeURIComponent(param)


Then in the Zest script (in this example a StandAlone) invoke the
"encode.js" script passing the variable's value as a parameter (named
"param") and assign it to the variable itself, e.g.:
{
  "prefix": "",
  "type": "StandAlone",
  "parameters": {
    "tokenStart": "{{",
    "tokenEnd": "}}",
    "tokens": {},
    "elementType": "ZestVariables"
  },
  "statements": [
    {
      "string": "/",
      "variableName": "variable1",
      "index": 1,
      "enabled": true,
      "elementType": "ZestAssignString"
    },
    {
      "string": "/other/var/",
      "variableName": "variable2",
      "index": 2,
      "enabled": true,
      "elementType": "ZestAssignString"
    },
    {
      "message": "Before:\n{{variable1}}\n{{variable2}}\n",
      "index": 3,
      "enabled": true,
      "elementType": "ZestActionPrint"
    },
    {
      "variableName": "variable1",
      "script": "/path/to/encode.js",
      "parameters": [
        [
          "param",
          "{{variable1}}"
        ]
      ],
      "index": 4,
      "enabled": true,
      "elementType": "ZestActionInvoke"
    },
    {
      "variableName": "variable2",
      "script": "/path/to/encode.js",
      "parameters": [
        [
          "param",
          "{{variable2}}"
        ]
      ],
      "index": 5,
      "enabled": true,
      "elementType": "ZestActionInvoke"
    },
    {
      "message": "After:\n{{variable1}}\n{{variable2}}",
      "index": 6,
      "enabled": true,
      "elementType": "ZestActionPrint"
    }
  ],
  "authentication": [],
  "index": 0,
  "enabled": true,
  "elementType": "ZestScript"
}


(Note the "script" property in "ZestActionInvoke" needs to be adjusted
to point to the actual location of the file "encode.js".)

The example can be loaded and executed in ZAP, which outputs:
Before:
/
/other/var/

After:
%2F
%2Fother%2Fvar%2F


[1] https://github.com/mozilla/zest/issues/81

Best regards.

On 16/11/17 09:03, werkem...@gmail.com wrote:
> Hi,
>
> I also posted this in the ZAP group but I just realised that this is maybe
> more appropriate for the ZEST group.
>
> I am trying to get the script based authentication working on a website. I
> am using a Zest script. It is not working yet. Hopefully the answer to my
> question will be the solution for the authentication problem.
>
> *The problem:*
>
> Multiple parameters are sent during the login POST request. Some of these
> parameters are dynamic and we have to extract their values from the
> previous page and use them in the POST request. I refer to these variables
> with: {{variable1}} . This works more or less, but I think there is a
> problem with encoding.
>
> When I perform the login manually and look inside the POST requests inside
> Zap I see a '%2F' in places where a '/' was used in the values of the
> parameters. However, when I run my authentication Zest script I see that
> the '/' is not replaced by '%2F' . This seems to be a problem, because Zest
> changes the color coding after the '/'. So the '/' seems a special
> character.
>
>
> *Question:*

Francesco Perez

Apr 16, 2018, 10:57:50 AM
to mozilla-zest
Hi, I was trying to do what you say, but when I print in Zest, there is always the same answer, I mean, / and /other/var/ (before and after) as answer, but inside the script, when I print, the answer is right: %2F and %2Fother%2Fvar%2F. I don't know how to assign the value inside the JS script to the Zest variable as answer. Can you help me please?

Regards.

thc...@gmail.com

Jan 30, 2019, 8:44:08 AM
to mozill...@googlegroups.com
(For the record since the answer might be too late for you.)

You don't assign it directly in the script, that's done by Zest
internally. Zest assigns the result of evaluating the script,
that's why it's simply:
encodeURIComponent(param)


Best regards.
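
An added example, not code from this thread or from the Zest/ZAP project: a variant of the encode.js approach that also escapes the characters encodeURIComponent leaves alone, with a round trip showing what a form parser receives when a value is substituted raw versus encoded. The helper names and the sample token are constructed for illustration, and ES5 syntax is used so the script assumes nothing about the scripting engine's language level.

```javascript
// Added example, not from the thread. ES5 syntax only.
// Percent-encode one ASCII character as %XX.
function pct(ch) {
  return "%" + ch.charCodeAt(0).toString(16).toUpperCase();
}

// Encode one value the way a browser serialises an
// application/x-www-form-urlencoded body: encodeURIComponent, plus the
// characters it leaves alone (! ' ( ) ~), with a space written as "+".
function formEncode(value) {
  return encodeURIComponent(String(value))
    .replace(/[!'()~]/g, pct)
    .replace(/%20/g, "+");
}

// What a server-side form parser does with one received name or value.
function formDecode(received) {
  return decodeURIComponent(received.replace(/\+/g, " "));
}

// Join [name, value] pairs into a POST body. encode=false reproduces the
// failing case, where {{variable}} values are substituted as-is.
function buildBody(pairs, encode) {
  var out = [];
  for (var i = 0; i < pairs.length; i++) {
    var v = String(pairs[i][1]);
    out.push(formEncode(pairs[i][0]) + "=" + (encode ? formEncode(v) : v));
  }
  return out.join("&");
}

// Split a body back into fields, as the login handler would see them.
function parseBody(body) {
  var fields = {}, parts = body.split("&");
  for (var i = 0; i < parts.length; i++) {
    var eq = parts[i].indexOf("=");
    var name = eq < 0 ? parts[i] : parts[i].slice(0, eq);
    fields[formDecode(name)] = eq < 0 ? "" : formDecode(parts[i].slice(eq + 1));
  }
  return fields;
}

// Constructed sample standing in for a token scraped from the login page.
var SAMPLE = [["user", "alice"], ["token", "/wEPDw+x/Q=="]];

// Last expression: Zest assigns this value to the variable. "param" comes
// from ZestActionInvoke and is undefined when the file is run elsewhere.
typeof param !== "undefined" ? formEncode(param) : undefined;
```

Substituted raw, the sample token reaches the form parser as `/wEPDw x/Q==` because an unescaped `+` is read as a space; encoded, it round-trips unchanged.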