Hi.
Answers/comments below.
On 22/06/18 13:55, Ashwin wrote:
> Hey folks,
>
> My use case is to modify a server's response before it's forwarded to the
> client. I've played with the Replacer add-on in ZAP and it works as I need
> except that I was looking to implement the following cases:
>
> 1. I need the modification filter (the Replacer in this case) to act only
> on certain APIs, and to skip the rest. The Replacer add on seems to be as
> simple as a find and replace feature rather than allowing for multiple
> conditionals to filter out a response for modification. Can I add more
> filters to one replacer option? I don't see any way.
Right, the replacer rules are intended for simple use cases; they just
allow filtering by what is shown (although they could allow filtering by
URL too, that's generally useful).
>
> 2. I have recorded a script in Zest (using the replacer module from above
> to modify the responses) but as per my observations, the script also
> records the APIs that are received and is present in the final .zst script
> file that is created. Is there a way to create/record the script without
> the APIs getting recorded? I need to do this because the API request sent
> from the client will have dynamically generated query parameters that will
> change with every request.
No, the requests are always included (that's the main purpose of
recording). If you use a Proxy script type you can dynamically change
the contents of the request/response being proxied through the variables
provided (e.g. request.body).
>
> Essentially, I needed a system where the script would run continuously,
> would monitor for certain requests from the client only when those specific
> API request calls are made and the Replacer would have multiple
> conditionals and would modify API responses with a certain pattern. I
> already have the client connected to ZAP through a proxy.
ZAP also supports other scripting languages (e.g. JavaScript, Jython,
Groovy...) which give a lot more flexibility on what/when is applied to
the messages.
>
> From what I've tried, I don't think ZAP supports this yet, but would just
> like to confirm this scenario with the community before I move on to build
> my own proxy server to handle this scenario.
>
I'd suggest trying first with another language; they are specifically for
these use cases.
Have you checked the community-scripts repo? [1] It has some examples
doing things like that.
[1] https://github.com/zaproxy/community-scripts/
Best regards.
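Editor's added example, not part of the thread above and not code from the ZAP project or the community-scripts repo: a ZAP "Proxy" script in JavaScript of the kind the reply points to, showing the two things Ashwin asked for, several conditions (method, URL path, content type) deciding which responses are touched, and a set of pattern rewrites applied to the matching response bodies. It uses the Proxy script contract (proxyRequest/proxyResponse called with ZAP's HttpMessage, return false to drop) and the HttpMessage accessors getRequestHeader().getMethod()/getURI().getPath(), getResponseHeader().getHeader()/setContentLength() and getResponseBody().toString()/setBody()/length(). Matching on the URI path only is what makes dynamically generated query parameters irrelevant. The API paths, the JSON fields and the rewrite values are invented for the example, and the fakeMessage helper is a constructed stand-in for ZAP's Java HttpMessage so the logic can be exercised outside ZAP (for example with node); inside ZAP only the functions above it are needed.

```javascript
// ZAP "Proxy" script (JavaScript). ZAP calls proxyRequest(msg) for each request
// passing through the proxy and proxyResponse(msg) for each response. msg is
// ZAP's HttpMessage; returning false drops the message, true forwards it.

// Assumption for this example: only responses for these API paths are rewritten.
// The paths are invented; edit them for the real target.
var TARGET_PATHS = [/^\/api\/v1\/account\/\d+$/, /^\/api\/v1\/features$/];

// Rewrite rules [regex, replacement] applied to matching JSON bodies (invented).
var RULES = [
  [/"premium"\s*:\s*false/g, '"premium": true'],
  [/"rate_limit"\s*:\s*\d+/g, '"rate_limit": 100000']
];

// Several conditions must all hold before a response is touched. The path is
// taken from the URI without its query string, so per-request nonces/timestamps
// in the query do not affect matching. String() converts Java strings under Nashorn.
function shouldRewrite(msg) {
  var req = msg.getRequestHeader();
  if (String(req.getMethod()) !== "GET") return false;
  var path = String(req.getURI().getPath());
  var ctype = String(msg.getResponseHeader().getHeader("Content-Type") || "");
  if (ctype.indexOf("application/json") === -1) return false;
  for (var i = 0; i < TARGET_PATHS.length; i++) {
    if (TARGET_PATHS[i].test(path)) return true;
  }
  return false;
}

// Apply every rule in order to the body text.
function applyRules(body) {
  var out = String(body);
  for (var i = 0; i < RULES.length; i++) {
    out = out.replace(RULES[i][0], RULES[i][1]);
  }
  return out;
}

function proxyRequest(msg) {
  return true; // requests pass through unchanged
}

function proxyResponse(msg) {
  if (!shouldRewrite(msg)) return true; // everything else is forwarded untouched
  var body = msg.getResponseBody().toString();
  var rewritten = applyRules(body);
  if (rewritten !== String(body)) {
    msg.getResponseBody().setBody(rewritten);
    // Body length changed, so Content-Length must follow or the client stalls.
    msg.getResponseHeader().setContentLength(msg.getResponseBody().length());
  }
  return true;
}

// Constructed stand-in for ZAP's HttpMessage, mimicking only the methods used
// above, so the script can be exercised outside ZAP. Not part of ZAP's API.
function fakeMessage(method, url, contentType, body) {
  var respHeaders = { "Content-Type": contentType, "Content-Length": String(body.length) };
  return {
    getRequestHeader: function () {
      return {
        getMethod: function () { return method; },
        getURI: function () { return { getPath: function () { return url.split("?")[0]; } }; }
      };
    },
    getResponseHeader: function () {
      return {
        getHeader: function (name) { return respHeaders[name] || null; },
        setContentLength: function (len) { respHeaders["Content-Length"] = String(len); }
      };
    },
    getResponseBody: function () {
      return {
        toString: function () { return body; },
        setBody: function (s) { body = s; },
        length: function () { return body.length; }
      };
    }
  };
}

// Runs the script against constructed sample traffic and returns what a client would see.
function demo() {
  var hit = fakeMessage("GET", "/api/v1/account/42", "application/json; charset=utf-8",
                        '{"id": 42, "premium": false, "rate_limit": 60}');
  var withQuery = fakeMessage("GET", "/api/v1/features?nonce=8f3a&ts=1529671234",
                              "application/json", '{"premium": false}');
  var miss = fakeMessage("GET", "/api/v1/account/42/avatar", "image/png", "\x89PNG...");
  proxyResponse(hit); proxyResponse(withQuery); proxyResponse(miss);
  return {
    hit: hit.getResponseBody().toString(),
    hitLen: hit.getResponseHeader().getHeader("Content-Length"),
    withQuery: withQuery.getResponseBody().toString(),
    miss: miss.getResponseBody().toString()
  };
}
```

To use it in ZAP, add a new script of type "Proxy" with the JavaScript engine, paste the part above fakeMessage, enable it, and browse through the proxy; the community-scripts repo linked above has further Proxy scripts built on the same contract.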