Introduction to Graphical Zest In Owasp Zap Proxy (Part 1)

This tutorial shows you what Zest is and how to use Zest inside Zap Proxy. It is meant as an introduction that gets you up to speed with Zest if you have no prior experience with it. There are other, more advanced usages of Zest which will probably be covered in a future post.

Prerequisites:

  • Zap 2.9 (with Zest – Graphical Security Scripting Language addon installed)
  • DVWA (Damn Vulnerable Web App)

Overview

Zest is a scripting language that is written wholly in JSON format, but it is meant to be written using a GUI so that you don’t have to write it by hand, and that is where the Zap GUI comes in. You can write if/else statements, loops, create variables, among other features, similar to other scripting languages. You can use it to create authentication scripts, for example, instead of using Jython or JavaScript. So let’s launch Zap and start experimenting with it. Click on the + button to open up the Scripts tab.

You can add a Zest script under pretty much any of the script categories below, as long as the Zest – Mozilla Zest scripting engine is available for that category (second screenshot below).

Let’s create a standalone script. Right click on the Stand Alone script category and select New Script…

Let’s configure it like below.

Once you create the script, you should see the dialog box below pop up automatically. If that does not happen, double click on the MyStandAloneScript script.

Let’s focus on the Parameters tab for now, since the following sections use it. The Parameters tab allows you to set input name/value pairs which you can reference in your script.

Click on the Add button and you should see a dialog box to put in a name/value pair.

Let’s put in 2 name/value pairs as shown below and save the settings.

If/Else Statements

Let’s see how we can do an if/else statement with Zest. We right click on the script and select the menu option below.

You will see the dialog box below where you can set your Equals condition. Select the variable name as the input parameter someString that you have configured above.

And set the value to be the same as your input parameter someString. You can make the Equals condition case sensitive by ticking the Case exact checkbox, and you can invert the outcome of the condition by ticking the Inverse checkbox. We shall leave both checkboxes unticked and click on the Save button.

You should see that the script now has an If/Then/Else condition, which is essentially an If/Else statement.

So what we want to do is to print out a statement when someString == someStringValue. Right click on the Then section and select the menu option as shown below.

You should see a dialog box like below.

Put in the text someString is {{someString}}. Note that we are using a variable here, which is the input parameter that we defined earlier. This is how we reference variables in Zest in the Zap GUI: by using the {{ prefix and the }} suffix.

Click on the Save button and you should see the print action below the Then section. Let’s do the same for the Else section.

This is the final If/Else statement.

Let’s run this script to see it in action. Go to the script console and click on the Run button (red arrow). Don’t forget to clear the output first (green arrow).

You can see from the script output that the If condition returned true.

Let’s modify the If condition to return false. Double click on the condition and change the value to someStringValue1. Save it and re-run the script.

The script console outputs the Else print statement.

Advanced If/Else Statement

What we want to do now is to use logical operators such as AND and OR. Let’s try logical OR first. Select the If condition and select the menu option shown below.

You will find that IF :Equals becomes IF :OR.

Select the OR section and choose the menu option shown below.

Add in the condition where we check if someString == helloworld and click the Save button.

This is how your OR condition looks now.

If we were to write this in Java code, the equivalent is:

if (someString.equalsIgnoreCase("someStringValue1") || someString.equalsIgnoreCase("helloworld")) {
    // print out line
} else {
    // print out line
}

So how do we interpret this GUI layout of the OR logical operator so that we can understand better what is going on? (Note: I have changed the comparison value from someStringValue1 back to someStringValue.)

  1. Ignore the OR part of IF :OR, as denoted by the black box. You already have the OR word in the next line.
  2. Interpret the remaining OR statement as OR(someString == someStringValue, someString == helloworld). So what we have here is that each element in the OR “array” is a condition, and only one of them needs to return true for the If condition to return true. This way of interpreting the layout becomes more important when we start throwing the AND operator into the mix. We shall see this later.

Re-run the script and you will see that the If condition returns true and the correct print statement is executed. Play around with different values of someString input parameter to see different results.

Using AND Logical Operator with OR Logical Operator

What we are going to do now is to use the AND and OR logical operators together. We still have another input parameter that we have not used – someInt. Let’s add that to the If condition, as we did with the OR logical operator, as shown below.

Your If statement should now appear like below.

Add the AND condition by selecting the menu option below.

Set the condition to be someInt equals to 123 and save it.

You should get the end result below.

So how do we interpret this GUI layout? The same way we interpreted the OR logical operator.

  1. Ignore the AND part of IF :AND, as denoted by the black box. You already have the AND word in the next line.
  2. Interpret the AND statement as AND(OR(,, …), someInt == 123). So what we have here is that each element in the AND “array” is a condition, and all elements need to return true for the If condition to return true. One of the elements of the AND “array” is an OR “array” of conditions, which needs at least one of its conditions to return true for the final If statement to return true.

Re-run the script and you will see that the If condition returns true and the correct print statement is executed. Play around with different values of someString and someInt input parameter to see different results.
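As an added example (not Zest's own code or the tutorial's), here is a small Python model of how the nested AND/OR tree from the two interpretation lists above is evaluated, including the Case exact and Inverse checkboxes and {{variable}} substitution in the print action. The dictionary layout and element names approximate Zest's JSON format and are assumptions.

```python
import re

# Constructed model of the tutorial's final If statement (not Zest's own code):
# AND(OR(someString == someStringValue, someString == helloworld), someInt == 123).
def eq(name, value, case_exact=False, inverse=False):
    """One Equals condition; case_exact/inverse are the dialog's two checkboxes."""
    return {"elementType": "ZestExpressionEquals", "variableName": name,
            "value": value, "caseExact": case_exact, "not": inverse}

SCRIPT = {  # element names are assumed to mirror Zest's JSON, not copied from it
    "parameters": {"tokens": {"someString": "someStringValue", "someInt": "123"}},
    "statements": [{
        "elementType": "ZestConditional",
        "rootExpression": {"elementType": "ZestExpressionAnd", "children": [
            {"elementType": "ZestExpressionOr", "children": [
                eq("someString", "someStringValue"), eq("someString", "helloworld")]},
            eq("someInt", "123")]},
        "ifStatements": [{"elementType": "ZestActionPrint", "message": "someString is {{someString}}"}],
        "elseStatements": [{"elementType": "ZestActionPrint", "message": "someString is not {{someString}}"}],
    }],
}

def substitute(text, tokens):
    """Resolve {{name}} references to the input parameters' values."""
    return re.sub(r"\{\{(\w+)\}\}", lambda m: tokens.get(m.group(1), m.group(0)), text)

def evaluate(expr, tokens):
    """Read the tree as the tutorial reads the GUI: every child of an OR/AND
    node is one condition; OR needs any child true, AND needs all of them."""
    kind = expr["elementType"]
    if kind == "ZestExpressionEquals":
        actual, expected = tokens.get(expr["variableName"], ""), expr["value"]
        if not expr.get("caseExact", False):  # Case exact unticked: ignore case
            actual, expected = actual.lower(), expected.lower()
        result = actual == expected
    elif kind == "ZestExpressionOr":
        result = any(evaluate(c, tokens) for c in expr["children"])
    elif kind == "ZestExpressionAnd":
        result = all(evaluate(c, tokens) for c in expr["children"])
    else:
        raise ValueError("unsupported expression: " + kind)
    return (not result) if expr.get("not", False) else result  # Inverse checkbox

def run(script, overrides=None):
    """Evaluate the conditional with optional parameter overrides; return the prints."""
    tokens = dict(script["parameters"]["tokens"], **(overrides or {}))
    cond = script["statements"][0]
    ok = evaluate(cond["rootExpression"], tokens)
    branch = cond["ifStatements"] if ok else cond["elseStatements"]
    return [substitute(a["message"], tokens) for a in branch if a["elementType"] == "ZestActionPrint"]
```

Calling run(SCRIPT, {"someInt": "124"}) shows the AND “array” failing even though the inner OR succeeds, which is the case the tutorial asks you to try by hand.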

If you have not saved your script, now is a good time to do so before we move on to Part 2.

Go to Part 2
