A Gentle Introduction to ZAP Scripts (Part 3)
Session Management Scripts
Session Management Scripts, as the name suggests, allow you to manage a session after authentication. The extractWebSession() function is called after authentication, so the script can pull the session identifiers (cookies, tokens) out of the authentication response, and the processMessageToMatchSession() function is called for each outgoing request, after the sendingRequest() hook of any HttpSender scripts, so the script can add those identifiers to the request.
The functions and their arguments are defined in the Java script interface: https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/zaproxy/zap/session/ScriptBasedSessionManagementMethodType.java#L745
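As an added example (not code from the original post or from the ZAP project), here is a session management script that reads a bearer token from a JSON login response in extractWebSession() and replays it on every request in processMessageToMatchSession(). The sessionWrapper accessor names (getHttpMessage(), getSession(), getValue()/setValue(), and setHeader(name, null) removing a header) follow ZAP's default session management template and are assumptions to check against the linked interface; the makeMockWrapper() stand-in at the bottom is constructed only so the script runs outside ZAP.

```javascript
// Added example: ZAP session-management script for a JSON bearer-token login.
// Wrapper/accessor names are assumed from ZAP's default template (check the interface).

var log = typeof print === "function" ? print : console.log; // ZAP has print(), Node does not
var TOKEN_KEY = "access_token";   // key under which the token is kept in the ZAP session
var AUTH_HEADER = "Authorization";

// Called once after the authentication step has run: extract the token from the response.
function extractWebSession(sessionWrapper) {
  var body = String(sessionWrapper.getHttpMessage().getResponseBody().toString());
  var token = null;
  try {
    var parsed = JSON.parse(body);
    if (typeof parsed.access_token === "string" && parsed.access_token.length > 0) {
      token = parsed.access_token;
    }
  } catch (e) {
    // Non-JSON login response (error page, redirect): nothing to extract.
  }
  if (token === null) {
    log("session script: no access_token in authentication response, session not updated");
    return false;
  }
  sessionWrapper.getSession().setValue(TOKEN_KEY, token);
  return true;
}

// Called for every request ZAP sends while this session is active: inject the token.
function processMessageToMatchSession(sessionWrapper) {
  var token = sessionWrapper.getSession().getValue(TOKEN_KEY);
  if (token === null || token === undefined) {
    log("session script: no token stored yet, request sent unmodified");
    return false;
  }
  sessionWrapper.getHttpMessage().getRequestHeader().setHeader(AUTH_HEADER, "Bearer " + token);
  return true;
}

// Called when ZAP needs an unauthenticated copy of the message (e.g. for the auth check).
function clearWebSessionIdentifiers(sessionWrapper) {
  sessionWrapper.getHttpMessage().getRequestHeader().setHeader(AUTH_HEADER, null);
}

function getRequiredParamsNames() { return []; }
function getOptionalParamsNames() { return []; }

// ---- Constructed stand-in for ZAP's session wrapper, only so the script runs outside ZAP ----
function makeMockWrapper(responseBody) {
  var session = {};
  var requestHeaders = {};
  return {
    getSession: function () {
      return {
        setValue: function (k, v) { session[k] = v; },
        getValue: function (k) { return k in session ? session[k] : null; }
      };
    },
    getHttpMessage: function () {
      return {
        getResponseBody: function () { return { toString: function () { return responseBody; } }; },
        getRequestHeader: function () {
          return {
            setHeader: function (name, value) {
              if (value === null) { delete requestHeaders[name]; } else { requestHeaders[name] = value; }
            },
            getHeader: function (name) { return name in requestHeaders ? requestHeaders[name] : null; }
          };
        }
      };
    }
  };
}

// Stand-alone run: a constructed login response followed by one request.
var demo = makeMockWrapper('{"access_token":"constructed-token-123","expires_in":3600}');
extractWebSession(demo);
processMessageToMatchSession(demo);
log("Authorization header now: " + demo.getHttpMessage().getRequestHeader().getHeader(AUTH_HEADER));
```

Returning a boolean from the two hooks is not required by ZAP (it ignores the return value); it is there so the outcome of each call can be checked when the script is exercised outside ZAP.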
Standalone Scripts
As the name suggests, standalone scripts are not part of any ZAP process and run on their own. They have access to the internals of the ZAP program, which means you can do things like clearing global variables stored in org.zaproxy.zap.extension.script.ScriptVars, e.g. tokens stored as global variables by your authentication scripts. You run the script directly by clicking the “Run” button:
Targeted Scripts
Targeted scripts are scripts that you write to perform an operation on a chosen HTTP request, such as generating a curl command for the request, processing the response of that particular request, or traversing the site tree relative to the node on which you invoked the script.
The functions and their arguments are defined in the Java script interface: https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/zaproxy/zap/extension/script/TargetedScript.java
A targeted script can be invoked from several places: a node in the Site tree, an entry in the History tab, the Fuzzer dialog box, and the request/response tab.
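The curl-command use case mentioned above, as an added example that is not code from the original post or from the ZAP project: invokeWith(msg) is the entry point named in the linked TargetedScript interface, and the script prints a curl command equivalent to the request it was invoked on. The HttpMessage accessors used (getRequestHeader().getMethod(), getURI(), getHeaders() with getName()/getValue() on each field, and getRequestBody().toString()) are assumptions to check against ZAP's API; makeMockMessage() is a constructed stand-in so the script runs outside ZAP.

```javascript
// Added example: ZAP targeted script that turns the selected request into a curl command.
// HttpMessage accessor names are assumed from ZAP's API (check before use).

var log = typeof print === "function" ? print : console.log; // ZAP has print(), Node does not

// Single-quote a value for a POSIX shell, escaping embedded single quotes as '\''.
function shellQuote(s) {
  return "'" + String(s).replace(/'/g, "'\\''") + "'";
}

// Build the curl command from an HttpMessage-like object; separated from invokeWith()
// so the result can be checked without ZAP.
function buildCurlCommand(msg) {
  var header = msg.getRequestHeader();
  var parts = ["curl", "-X", header.getMethod(), shellQuote(header.getURI().toString())];
  var headers = header.getHeaders();            // Java List of fields with getName()/getValue()
  for (var i = 0; i < headers.size(); i++) {
    var field = headers.get(i);
    var name = field.getName();
    // curl derives these from the URL and body itself; copying them risks a stale value.
    if (/^(host|content-length)$/i.test(name)) { continue; }
    parts.push("-H", shellQuote(name + ": " + field.getValue()));
  }
  var body = String(msg.getRequestBody().toString());
  if (body.length > 0) {
    parts.push("--data-raw", shellQuote(body));   // --data-raw keeps a leading '@' literal
  }
  return parts.join(" ");
}

// ZAP calls this with the HttpMessage the script was invoked on.
function invokeWith(msg) {
  log(buildCurlCommand(msg));
}

// ---- Constructed HttpMessage stand-in so the script runs outside ZAP ----
function makeMockMessage(method, url, headerPairs, body) {
  var fields = headerPairs.map(function (p) {
    return { getName: function () { return p[0]; }, getValue: function () { return p[1]; } };
  });
  return {
    getRequestHeader: function () {
      return {
        getMethod: function () { return method; },
        getURI: function () { return { toString: function () { return url; } }; },
        getHeaders: function () {
          return { size: function () { return fields.length; }, get: function (i) { return fields[i]; } };
        }
      };
    },
    getRequestBody: function () { return { toString: function () { return body; } }; }
  };
}

// Stand-alone run with a constructed request.
var demo = makeMockMessage("POST", "https://app.example/api/login",
  [["Host", "app.example"], ["Content-Type", "application/json"], ["Content-Length", "31"]],
  '{"user":"alice","pass":"it\'s"}');
invokeWith(demo);
```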
WebSocket Passive Rules
WebSocket passive rule scripts let you scan WebSocket messages for vulnerabilities, in addition to the built-in rules at https://www.zaproxy.org/docs/desktop/addons/websockets/pscanrules/. They perform the same function as Passive Rules scripts. Don’t forget to enable the script before using it.
The functions and their arguments are defined in the Java script interface: https://github.com/zaproxy/zap-extensions/blob/master/addOns/websocket/src/main/java/org/zaproxy/zap/extension/websocket/pscan/scripts/WebSocketPassiveScript.java
The script will be triggered for each message shown in the WebSockets tab.
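As an added example (not code from the original post or from the ZAP project), here is a WebSocket passive rule that raises an alert when a message carries a JWT-shaped token, so credentials travelling over the socket show up in the Alerts tab. The scan(helper, msg) entry point, msg.getReadablePayload(), msg.isOutgoing and the helper.newAlert() builder methods follow ZAP's passive rule template and are assumptions to check against the linked interface; the plugin id is a constructed value, and makeMockHelper()/makeMockMessage() are constructed stand-ins so the rule runs outside ZAP.

```javascript
// Added example: ZAP WebSocket passive rule flagging JWT-like tokens in messages.
// Entry point and helper/builder names assumed from ZAP's template (check the interface).

var log = typeof print === "function" ? print : console.log; // ZAP has print(), Node does not

// Three base64url segments, the first starting with "eyJ" (base64 of '{"').
var JWT_PATTERN = /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*/;
var PLUGIN_ID = 100001;   // constructed id; choose one that does not clash with your other scripts

// Return the JWT-looking substring or null; kept separate so it can be tested on its own.
function findJwt(payload) {
  var m = JWT_PATTERN.exec(String(payload));
  return m ? m[0] : null;
}

// Called by ZAP for every WebSocket message shown in the WebSockets tab.
function scan(helper, msg) {
  var evidence = findJwt(msg.getReadablePayload());
  if (evidence === null) { return false; }
  helper.newAlert()
    .setPluginId(PLUGIN_ID)
    .setRiskConfidence(2, 2)   // Alert.RISK_MEDIUM, Alert.CONFIDENCE_MEDIUM
    .setName("JWT in WebSocket message")
    .setDescription("A JWT-shaped token was " + (msg.isOutgoing ? "sent" : "received") +
      " over the WebSocket; confirm it is short-lived and scoped to this channel.")
    .setSolution("Issue short-lived, narrowly scoped tokens and avoid echoing them in message bodies.")
    .setEvidence(evidence)
    .setCweId(200)             // CWE-200: exposure of sensitive information
    .raise();
  return true;
}

function getName() { return "JWT in WebSocket message (script)"; }
function getId() { return PLUGIN_ID; }

// ---- Constructed helper and message stand-ins so the rule runs outside ZAP ----
function makeMockHelper() {
  var raised = [];
  var builder = { fields: {} };
  ["setPluginId", "setRiskConfidence", "setName", "setDescription",
   "setSolution", "setEvidence", "setCweId"].forEach(function (n) {
    builder[n] = function () { builder.fields[n] = Array.prototype.slice.call(arguments); return builder; };
  });
  builder.raise = function () { raised.push(JSON.parse(JSON.stringify(builder.fields))); };
  return { newAlert: function () { builder.fields = {}; return builder; }, raised: raised };
}
function makeMockMessage(payload, outgoing) {
  return { getReadablePayload: function () { return payload; }, isOutgoing: outgoing };
}

// Stand-alone run over two constructed frames: one with a token, one without.
var helper = makeMockHelper();
scan(helper, makeMockMessage('{"auth":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTYifQ.c2lnbmF0dXJl"}', true));
scan(helper, makeMockMessage('{"type":"ping"}', false));
log(helper.raised.length + " alert(s) raised");
```

The pattern only recognises the shape of a JWT, so treat the alert as a prompt to look at the token's lifetime and scope rather than as proof of a weakness.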
WebSocket Sender Scripts
WebSocket Sender scripts are the equivalent of HttpSender scripts, but for WebSockets. They allow you to modify an outgoing message before it is forwarded to the server. Don’t forget to enable the script before using it.
The functions and their arguments are defined in the Java script interface: https://github.com/zaproxy/zap-extensions/blob/master/addOns/websocket/src/main/java/org/zaproxy/zap/extension/websocket/WebSocketSenderScript.java
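As an added example (not code from the original post or from the ZAP project), here is a WebSocket sender script that stamps outgoing JSON text frames with a test-run marker before they are forwarded, so server-side logs can tell scan traffic apart, and leaves every other frame (incoming, binary, non-JSON, already stamped) untouched. The entry point sendingMessage(message, initiator, helper) and the message fields payload, isOutgoing and opcode are assumptions to check against the linked interface; the marker field name and run id are constructed values.

```javascript
// Added example: ZAP WebSocket sender script tagging outgoing JSON frames with a run marker.
// Entry point and message field names assumed from ZAP's template (check the interface).

var log = typeof print === "function" ? print : console.log; // ZAP has print(), Node does not
var OPCODE_TEXT = 1;                   // RFC 6455 text frame opcode
var MARKER_FIELD = "x_zap_run";        // constructed field name
var RUN_ID = "constructed-run-001";    // constructed run identifier

// Pure transformation: returns the new payload, or null when the frame must be left alone.
function stampPayload(message) {
  if (!message.isOutgoing || message.opcode !== OPCODE_TEXT) { return null; } // only outgoing text
  var obj;
  try { obj = JSON.parse(String(message.payload)); } catch (e) { return null; } // not JSON
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) { return null; } // not an object
  if (MARKER_FIELD in obj) { return null; }   // already stamped, e.g. a frame resent from the UI
  obj[MARKER_FIELD] = RUN_ID;
  return JSON.stringify(obj);
}

// Called by ZAP just before the frame is forwarded to the server.
function sendingMessage(message, initiator, helper) {
  var updated = stampPayload(message);
  if (updated === null) { return false; }
  message.payload = updated;
  return true;
}

// Stand-alone run over constructed frames: stamped, non-JSON, and incoming.
var frames = [
  { isOutgoing: true,  opcode: OPCODE_TEXT, payload: '{"type":"chat","text":"hi"}' },
  { isOutgoing: true,  opcode: OPCODE_TEXT, payload: 'not json' },
  { isOutgoing: false, opcode: OPCODE_TEXT, payload: '{"type":"chat"}' }
];
frames.forEach(function (f) { log(sendingMessage(f, 0, null) + " -> " + f.payload); });
```

Keeping the decision in stampPayload() and the side effect in sendingMessage() means the rules for which frames are touched can be checked without ZAP, and a frame that fails any check is forwarded exactly as the client produced it.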