A Gentle Introduction to ZAP Scripts (Part 3)


Session Management Scripts

Session Management Scripts, as the name suggests, allow you to manage a session after authentication. The extractWebSession() function is called once authentication has completed, and the processMessageToMatchSession() function is called for each outgoing request, after the sendingRequest() function of any HttpSender scripts has run.

To find out more about the functions and their arguments, look at the Java script interface: https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/zaproxy/zap/session/ScriptBasedSessionManagementMethodType.java#L745
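The following is an added example of a complete Session Management script in JavaScript, not code from the original post or from the ZAP project. It assumes the authentication response is JSON carrying the token in an access_token field (a constructed assumption) and replays that token as a Bearer Authorization header on every outgoing request. The entry points (extractWebSession, processMessageToMatchSession, clearWebSessionIdentifiers, getRequiredParamsNames, getOptionalParamsNames) are the ones ZAP calls; the token-handling helpers are plain JavaScript so they can be tested outside ZAP.

```javascript
// Added example: a ZAP Session Management script that stores a bearer token taken
// from the JSON body of the authentication response and attaches it to outgoing
// requests. ZAP calls the entry points; the helpers are plain JavaScript.

var TOKEN_KEY = "access_token";      // assumed field name in the auth response (constructed)
var SESSION_VALUE_NAME = "bearerToken";

// Pure helper: pull the token out of a JSON response body. Returns null when the
// body is not JSON or carries no usable token, so a failed login never stores junk.
function extractTokenFromBody(body) {
  var json;
  try {
    json = JSON.parse(body);
  } catch (e) {
    return null;
  }
  var token = json && json[TOKEN_KEY];
  return (typeof token === "string" && token.length > 0) ? token : null;
}

// Pure helper: the header value that will be sent.
function buildAuthorizationHeader(token) {
  return "Bearer " + token;
}

// Called by ZAP after the authentication request/response has completed.
function extractWebSession(sessionWrapper) {
  var body = String(sessionWrapper.getHttpMessage().getResponseBody().toString());
  var token = extractTokenFromBody(body);
  if (token !== null) {
    sessionWrapper.getSession().setValue(SESSION_VALUE_NAME, token);
  }
}

// Called by ZAP for every outgoing request, after HttpSender sendingRequest().
function processMessageToMatchSession(sessionWrapper) {
  var token = sessionWrapper.getSession().getValue(SESSION_VALUE_NAME);
  if (token) {
    sessionWrapper.getHttpMessage().getRequestHeader()
      .setHeader("Authorization", buildAuthorizationHeader(String(token)));
  }
}

// Called by ZAP when it needs a request without session identifiers
// (passing null as the value removes the header).
function clearWebSessionIdentifiers(sessionWrapper) {
  sessionWrapper.getHttpMessage().getRequestHeader().setHeader("Authorization", null);
}

function getRequiredParamsNames() { return []; }
function getOptionalParamsNames() { return []; }
```

Keeping the parsing in extractTokenFromBody means a login that returns an error page leaves the stored token untouched, rather than overwriting it with an empty or undefined value that ZAP would then send on every request.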

Standalone Scripts

As the name suggests, standalone scripts are not part of any ZAP process and run on their own. You have access to the internals of the ZAP program, which means that you can do things like clearing global variables stored in org.zaproxy.zap.extension.script.ScriptVars, e.g. tokens stored as global variables by your authentication scripts. You can run the script directly by clicking on the “Run” button:

Targeted Scripts

Targeted scripts are scripts that you write to carry out operations on a particular HTTP request, such as creating a curl command for the request, processing its response, or traversing the site tree relative to the node you invoke the targeted script on.

To find out more about the functions and their arguments, look at the Java script interface: https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/zaproxy/zap/extension/script/TargetedScript.java

A targeted script can be invoked from the Site tree, from an entry in the History tab, from the Fuzzer dialog box, and from the request/response tab.
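The following is an added example of a Targeted script, written for this article and not taken from the original post or from the ZAP project, that implements the curl-command use case mentioned above. invokeWith(msg) is the entry point ZAP calls with the selected HttpMessage; the command-building helpers are plain JavaScript. The redaction of the Authorization and Cookie headers is an added design choice so that the printed command can be pasted into a report without leaking a live session.

```javascript
// Added example: a ZAP Targeted script that turns the selected HTTP request into
// a curl command and prints it to the Script Console. ZAP calls invokeWith(msg);
// the helpers below are plain JavaScript.

// Headers curl derives itself from the URL and body; copying them would be wrong or redundant.
var SKIPPED_HEADERS = { "content-length": true, "host": true };
// Headers that carry credentials; masked when redactSecrets is true.
var SENSITIVE_HEADERS = { "authorization": true, "cookie": true };

// Wrap a string in single quotes for a POSIX shell; an embedded ' becomes '\''.
function shellQuote(s) {
  return "'" + String(s).replace(/'/g, "'\\''") + "'";
}

// headers: array of {name, value}. Returns the curl command as one line.
function buildCurlCommand(method, url, headers, body, redactSecrets) {
  var parts = ["curl", "-X", shellQuote(method), shellQuote(url)];
  for (var i = 0; i < headers.length; i++) {
    var name = headers[i].name;
    var lower = name.toLowerCase();
    if (SKIPPED_HEADERS[lower]) { continue; }
    var value = headers[i].value;
    if (redactSecrets && SENSITIVE_HEADERS[lower]) { value = "<REDACTED>"; }
    parts.push("-H", shellQuote(name + ": " + value));
  }
  if (body && body.length > 0) {
    parts.push("--data-binary", shellQuote(body));
  }
  return parts.join(" ");
}

// Convert ZAP's Java List<HttpHeaderField> into plain {name, value} objects.
function headerFieldsToArray(javaList) {
  var out = [];
  for (var i = 0; i < javaList.size(); i++) {
    var field = javaList.get(i);
    out.push({ name: String(field.getName()), value: String(field.getValue()) });
  }
  return out;
}

// Entry point: ZAP passes the HttpMessage the script was invoked on.
function invokeWith(msg) {
  var reqHeader = msg.getRequestHeader();
  var cmd = buildCurlCommand(
    String(reqHeader.getMethod()),
    String(reqHeader.getURI().toString()),
    headerFieldsToArray(reqHeader.getHeaders()),
    String(msg.getRequestBody().toString()),
    true);   // set to false to get a replayable command with the real credentials
  print(cmd);
}
```

Single-quote quoting is what makes the command safe to paste: a request body or header containing spaces, double quotes or shell metacharacters is passed through verbatim, and the only character that needs special handling inside single quotes is the single quote itself.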

WebSocket Passive Rules

WebSocket Passive Rules scripts allow you to scan WebSocket messages for vulnerabilities, in addition to the built-in rules at https://www.zaproxy.org/docs/desktop/addons/websockets/pscanrules/. They perform the same function as Passive Rules scripts. Don’t forget to enable a script before you use it.

To find out more about the functions and their arguments, look at the Java script interface: https://github.com/zaproxy/zap-extensions/blob/master/addOns/websocket/src/main/java/org/zaproxy/zap/extension/websocket/pscan/scripts/WebSocketPassiveScript.java

The script will be triggered for each message shown in the WebSockets tab.
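The following is an added example of a WebSocket Passive Rule, written for this article and not taken from the original post or from the ZAP project. It flags RFC 1918 private IPv4 addresses appearing in text messages sent by the server, the same information-disclosure check the HTTP passive rules perform, so that each message in the WebSockets tab is examined as it arrives. scan(helper, msg), getName() and getId() are the entry points ZAP calls; the rule id 110099 is a placeholder assumed to fall in the range used for WebSocket passive scripts, and the address-matching helper is plain JavaScript.

```javascript
// Added example: a ZAP WebSocket Passive Rule that raises a Low-risk alert when a
// server-to-client text message discloses a private (RFC 1918) IPv4 address.
// ZAP calls scan(), getName() and getId(); findPrivateIps() is plain JavaScript.

var OPCODE_TEXT = 0x1;          // WebSocket text frame
var RISK_LOW = 1;
var CONFIDENCE_MEDIUM = 2;

// 10/8, 172.16/12 and 192.168/16 candidates; octet values are range-checked afterwards.
var PRIVATE_IP_RE = /\b(?:10\.(?:\d{1,3}\.){2}\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b/g;

// Reject candidates such as 172.16.5.300 that the regex shape alone lets through.
function isValidIpv4(candidate) {
  var octets = candidate.split(".");
  for (var i = 0; i < octets.length; i++) {
    if (parseInt(octets[i], 10) > 255) { return false; }
  }
  return true;
}

// Returns the distinct private addresses found in the payload, in order of appearance.
function findPrivateIps(text) {
  var found = String(text).match(PRIVATE_IP_RE) || [];
  var unique = [];
  for (var i = 0; i < found.length; i++) {
    if (isValidIpv4(found[i]) && unique.indexOf(found[i]) === -1) {
      unique.push(found[i]);
    }
  }
  return unique;
}

// Entry point: called by ZAP for every message shown in the WebSockets tab.
function scan(helper, msg) {
  // Only text frames coming from the server are of interest here.
  if (msg.getOpcode() != OPCODE_TEXT || msg.isOutgoing()) {
    return;
  }
  var ips = findPrivateIps(msg.getReadablePayload());
  for (var i = 0; i < ips.length; i++) {
    helper.newAlert()
      .setPluginId(getId())
      .setRiskConfidence(RISK_LOW, CONFIDENCE_MEDIUM)
      .setName(getName())
      .setDescription("A private IP address was disclosed in a WebSocket message sent by the server.")
      .setSolution("Remove internal network addresses from data returned to clients.")
      .setEvidence(ips[i])
      .setCweId(200)    // CWE-200: Exposure of Sensitive Information
      .setWascId(13)    // WASC-13: Information Leakage
      .raise();
  }
}

function getName() { return "Private IP Disclosure (WebSocket)"; }
// Placeholder id (assumption): pick one that does not clash with other rules you load.
function getId() { return 110099; }
```

One alert is raised per distinct address rather than per occurrence, which keeps a chatty channel that repeats the same backend host from flooding the Alerts tab while still recording each separate address as evidence.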

WebSocket Sender Scripts

WebSocket Sender scripts are the equivalent of HttpSender scripts, but for WebSockets. They allow you to modify the outgoing message before it is forwarded to the server. Don’t forget to enable a script before you use it.

To find out more about the functions and their arguments, look at the Java script interface: https://github.com/zaproxy/zap-extensions/blob/master/addOns/websocket/src/main/java/org/zaproxy/zap/extension/websocket/WebSocketSenderScript.java
