Zest is unable to handle token generation through JavaScript


sandeep p

Sep 5, 2022, 7:49:37 AM
to zaproxy-zest
While I was doing Zest scripting to generate a token through JavaScript, I need to get a new token for every request that comes from the client side. But Zest is unable to handle it. Is there any solution for us to update the script or integrate Zest with JavaScript?

Thanks,
Sandeep.

Simon Bennetts

Sep 6, 2022, 3:26:26 AM
to zaproxy-zest
Hi Sandeep,

Details always matter, especially in cases like this.
What is the app doing?
What is your script doing?
Why do you think Zest is unable to handle it?

Right now we have nothing to go on.

Cheers,

Simon

sandeep p

Sep 6, 2022, 11:12:54 AM
to zaproxy-zest
Hi Simon,

Thanks for the reply. Please find the scenario below.

We have a sequence of 5 requests for the login to be completed, and somewhere in the 3rd request a unique token_id is sent in the request, but this unique token_id is not received in any of the previous responses; it is generated on the client side at runtime, randomly, using JavaScript. This is what we want incorporated into the script, so that the 3rd request will also be successful and the following login sequence is completed.

Example:
Request 1
Request 2
Request 3 --> has a unique token_id (parameter); this unique token is generated using some JavaScript code.
Request 4
Request 5


Thanks,
Sandeep

Simon Bennetts

Sep 7, 2022, 4:34:06 AM
to zaproxy-zest
Hi Sandeep,

If the token is generated client side then you will need to launch a browser to make the client-side request.
Zest can do that.
You may need another httpsender script in order to extract the token, but without more details it's difficult to say.
Example requests and responses would help...

Cheers,

Simon

sandeep p

Sep 12, 2022, 10:35:19 AM
to zaproxy-zest
Hi Simon,

The application in discussion uses .NET and AngularJS.
Within the AngularJS code, we have code that generates a unique "token_id" on the client side by taking a few inputs dynamically.

Sample Code Snippet:
c=this.loginUrl+a+"parameter1="+encodeURIComponent(b)+"&parameter2="+encodeURIComponent(d)+"&token_id="+encodeURIComponent(e)+"&parameter3="+encodeURIComponent(i)+"& parameter4="+encodeURIComponent(l);

Our scenario: assume we have the below pages and files in my application.
1.    login.aspx
2.    Main.js
3.    Dashboard.aspx

After entering the credentials in the "login.aspx" page, the application generates a unique token_id by using the "main.js" file to access the "dashboard.aspx" page. Can you help us with how this JS can be integrated with a Zest script?

Thanks,
Sandeep.

sandeep p

Sep 13, 2022, 7:51:49 AM
to zaproxy-zest
Hi Simon,

Is the provided information sufficient for you to help us?

Thanks,
Sandeep.

sandeep p

Nov 3, 2022, 6:21:19 AM
to zaproxy-zest
Hi Simon,

While I was doing Zest scripting to generate a token through JavaScript, I need to get a new token for every request that comes from the client side. But Zest is unable to handle it.

Let's assume:
We have a sequence of 3 requests for the login to be completed, and somewhere in the 2nd request (main.js) it generates a unique token_id by using the sample JavaScript code snippet mentioned below; this unique token_id is not received in any of the previous responses. This is what we want incorporated into the script; by using this unique token_id we can access "Users Dashboard.aspx".

The application uses .NET and AngularJS.


Below are the pages and files in my application.
1.    login.aspx
2.    Main.js (sample code snippet mentioned below)
3.    User dashboard.aspx


Sample Code Snippet:
c=this.loginUrl+a+"parameter1="+encodeURIComponent(b)+"&parameter2="+encodeURIComponent(d)+"&token_id="+encodeURIComponent(e)+"&parameter3="+encodeURIComponent(i)+"& parameter4="+encodeURIComponent(l);

Can you help us with how this JS can be integrated with a Zest script?

Thanks,
Sandeep.

Simon Bennetts

Nov 3, 2022, 11:48:35 AM
to zaproxy-zest
Hi Sandeep,

Let's see if I understand this.
Your app constructs a token on the client for every request using the above JavaScript, and if that token is not valid then the backend rejects it?

Is that right?

Cheers,

Simon

sandeep p

Nov 7, 2022, 3:13:18 AM
to zaproxy-zest
Hi Simon,
Yes, your understanding is correct. Can you please help us in this situation?

Thanks,
Sandeep.

Simon Bennetts

Nov 7, 2022, 4:23:03 AM
to zaproxy-zest
Honestly, it sounds like you've made life really difficult for yourselves without making your service any more secure.
Ideally you should go back and rewrite it in a more sane way!
Failing that, your only realistic option is to implement the same logic in a ZAP httpsender script written in JavaScript.

Good luck!

Simon
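As an added illustration of the approach Simon describes (this is example code, not part of the thread and not ZAP's or the application's own code): a ZAP HttpSender script in JavaScript that re-computes the token_id query parameter on every outgoing request. The hook names sendingRequest/responseReceived are ZAP's HttpSender script API; everything else is assumed. In particular, generateTokenId is a hypothetical placeholder, because the real derivation inside Main.js is not on the page; in practice you port that function verbatim. The script parses the query string the way the posted snippet builds it (parameter1, parameter2, token_id, parameter3, ...), derives a fresh token from the other fields plus a per-request nonce, and writes it back. The makeUri helper wraps the result in the Java URI type only when running inside ZAP, so the same functions can be exercised under Node.

```javascript
// Added example: ZAP HttpSender script (JavaScript) that refreshes the
// client-side "token_id" parameter before each request is sent.
// ZAP's hooks: sendingRequest(msg, initiator, helper) / responseReceived(...).
// generateTokenId is a HYPOTHETICAL stand-in for the logic in Main.js.

// Hypothetical token derivation. The real Main.js logic is not on the page;
// this placeholder only shows the shape: token = f(other request fields, nonce),
// so a different token is produced for every request.
function generateTokenId(parameter1, parameter2, nonce) {
  var material = parameter1 + "|" + parameter2 + "|" + nonce;
  var h = 5381;                                  // djb2, illustrative only
  for (var i = 0; i < material.length; i++) {
    h = ((h << 5) + h + material.charCodeAt(i)) | 0;
  }
  return (h >>> 0).toString(16) + "-" + nonce;
}

// Split "base?k=v&k2=v2" into its base and an ordered list of decoded pairs.
function parseUrl(url) {
  var q = url.indexOf("?");
  var base = q < 0 ? url : url.substring(0, q);
  var params = [];
  if (q >= 0 && q < url.length - 1) {
    var pairs = url.substring(q + 1).split("&");
    for (var i = 0; i < pairs.length; i++) {
      var eq = pairs[i].indexOf("=");
      var k = eq < 0 ? pairs[i] : pairs[i].substring(0, eq);
      var v = eq < 0 ? "" : pairs[i].substring(eq + 1);
      params.push([decodeURIComponent(k), decodeURIComponent(v)]);
    }
  }
  return { base: base, params: params };
}

// Rebuild the URL, encoding each pair the same way the app's snippet does.
function buildUrl(parsed) {
  if (parsed.params.length === 0) return parsed.base;
  var parts = [];
  for (var i = 0; i < parsed.params.length; i++) {
    parts.push(encodeURIComponent(parsed.params[i][0]) + "=" +
               encodeURIComponent(parsed.params[i][1]));
  }
  return parsed.base + "?" + parts.join("&");
}

function getParam(parsed, name) {
  for (var i = 0; i < parsed.params.length; i++) {
    if (parsed.params[i][0] === name) return parsed.params[i][1];
  }
  return null;
}

function setParam(parsed, name, value) {
  for (var i = 0; i < parsed.params.length; i++) {
    if (parsed.params[i][0] === name) { parsed.params[i][1] = value; return; }
  }
  parsed.params.push([name, value]);
}

// Returns the URL with a freshly derived token_id, or null when the request
// carries no token_id at all (so requests 1, 2, ... are left untouched).
function refreshTokenId(url, nonce) {
  var parsed = parseUrl(url);
  if (getParam(parsed, "token_id") === null) return null;
  var token = generateTokenId(getParam(parsed, "parameter1") || "",
                              getParam(parsed, "parameter2") || "", nonce);
  setParam(parsed, "token_id", token);
  return buildUrl(parsed);
}

function newNonce() {
  return Date.now().toString(36) + Math.random().toString(36).substring(2, 8);
}

// Inside ZAP (Nashorn/GraalJS) the header wants a Java URI; under Node keep
// the plain string so the functions above can be unit-tested offline.
function makeUri(urlString) {
  if (typeof Java !== "undefined") {
    var URI = Java.type("org.apache.commons.httpclient.URI");   // assumption: ZAP's URI type
    return new URI(urlString, true);
  }
  return urlString;
}

// ZAP calls this for every request it is about to send.
function sendingRequest(msg, initiator, helper) {
  var header = msg.getRequestHeader();
  var updated = refreshTokenId(header.getURI().toString(), newNonce());
  if (updated !== null) header.setURI(makeUri(updated));
}

// Nothing to do on the way back; the token is never echoed by the server.
function responseReceived(msg, initiator, helper) {}
```

Load it in ZAP as an HttpSender script and enable it; the Zest login script then replays requests 1 to 5 unchanged, and this script swaps in a valid token_id on request 3 just before it leaves ZAP. Note what this also demonstrates about Simon's point: anything the browser can compute, a proxy script can compute too, so the token adds work for the tester but no security for the service.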

sandeep p

Nov 7, 2022, 7:58:40 AM
to zaproxy-zest
Hi Simon,
Thanks for the response.
Any future plans for getting this kind of feature?

Thank You,
Sandeep.

Simon Bennetts

Nov 7, 2022, 8:23:11 AM
to zaproxy-zest
There's nothing for us to do - ZAP already supports the necessary scripting, as far as I'm aware.
You just need to write the scripts...