0
votes

I am trying to set up an authentication script and an HTTP sender script for an Open API scanning project.

At some point in time I reached a state where the authentication script for OAuth2 was working correctly (it produces a valid token obtained from the remote endpoint) and the http_sender appends the authorization header to requests. It turned out later that I had mistyped the required header, so I changed its name, saved the script and reran the script (via scan). Now it turns out that both headers are appended to outgoing HTTP requests: the mistyped version and the correct one. The behavior does not change after restarting ZAP and reloading the session, but the mistyped header disappears when I create a new session. I can't find where I can clean it up, and it does not look right to recreate the session when one minor change is needed in the script.

The second issue I have is that the authentication script just stopped working without any modifications to it. I switch between environments occasionally, but the code remains the same. I even moved hardcoded values from the context into the script and it still does not work. I have set up a parallel script in Python to fetch the token and it works (all parameters being the same), but in ZAP I get an authentication failure (recreating the session does not help). I don't own the OAuth endpoint, so it's not possible for me to take a look at it directly, but I suspect that both problems have something in common. It looks like some data is residing in the shadows and affecting how the scripts are run.

First version of sender script:

```javascript
function sendingRequest(msg, initiator, helper) {
    // Token stored as a ZAP global script variable by the authentication script
    var loginToken = org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("logintoken");
    // Mistyped header name ("Autentication") that this version added to every request
    msg.getRequestHeader().setHeader("Autentication", "Bearer " + loginToken);
}
```

Second version of sender script:

```javascript
function sendingRequest(msg, initiator, helper) {
    // Token stored as a ZAP global script variable by the authentication script
    var loginToken = org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("logintoken");
    // Corrected header name
    msg.getRequestHeader().setHeader("Authorization", "Bearer " + loginToken);
}
```

The authentication function is just a tuned version of the ZAP template that sends the OAuth2 parameters in the body of the POST request, and it actually worked for some time. It would really help to have some troubleshooting capabilities during scripting.

1 Answers

2
votes

Re the first issue, it all depends on how the script is being used. The ZAP session is a record of all of the requests and responses. For some of the old responses you used the wrong header. That happened, you can't take it back. If you reuse those requests then ZAP will send the wrong header unless you remove it. If you create new requests that are not based on historic ones then the header should not be present.

Re the second issue, authentication is hard and can fail for what seems like minor differences :( One good option would be to proxy your python script through ZAP. Hopefully it will still work, and then you can compare the working request with the failing one.
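One way to make the sender script robust to the replay problem described in the answer is to have it remove any stale variant of the header before setting the correct one, so a request replayed from history goes out with a single Authorization header regardless of what the earlier script version left in it. The following is an added example, not code from the original post or from ZAP: the `STALE_HEADER_NAMES` list, the `FakeHeader`/`FakeMessage` stand-ins and the `applyToHeaders` helper are constructed so the file runs under Node, and the code assumes (as ZAP's HttpHeader does) that `setHeader(name, null)` removes a header.

```javascript
// Added example (not from the original post or from ZAP): an HTTP Sender
// script that strips stale copies of the token header before adding the
// correct one, and that refuses to send "Bearer null" when no token is set.
//
// In ZAP this runs under Nashorn/GraalJS with `msg` being an HttpMessage and
// HttpHeader.setHeader(name, null) removing the header (assumption stated in
// the lead-in). The stand-ins below exist only so the file runs offline.

// Header names written by earlier, now-incorrect versions of the script.
var STALE_HEADER_NAMES = ["Autentication"];

// --- constructed stand-ins for ZAP objects (not ZAP's own classes) ---
function FakeHeader(initial) {
  this.headers = {}; // lower-cased name -> { name, value }
  for (var k in initial) {
    this.headers[k.toLowerCase()] = { name: k, value: initial[k] };
  }
}
// Mirrors the ZAP semantics relied on above: a null value removes the header.
FakeHeader.prototype.setHeader = function (name, value) {
  if (value === null) { delete this.headers[name.toLowerCase()]; return; }
  this.headers[name.toLowerCase()] = { name: name, value: value };
};
FakeHeader.prototype.getHeader = function (name) {
  var h = this.headers[name.toLowerCase()];
  return h ? h.value : null;
};
// Plain-object view of the headers, used by the helper below.
FakeHeader.prototype.snapshot = function () {
  var out = {};
  for (var k in this.headers) out[this.headers[k].name] = this.headers[k].value;
  return out;
};
function FakeMessage(initialHeaders) { this._hdr = new FakeHeader(initialHeaders); }
FakeMessage.prototype.getRequestHeader = function () { return this._hdr; };

// Use ZAP's ScriptVars when running inside ZAP, otherwise a constructed
// in-memory stand-in with the same getGlobalVar/setGlobalVar calls.
var ScriptVars = (typeof org !== "undefined")
  ? org.zaproxy.zap.extension.script.ScriptVars
  : {
      _g: {},
      getGlobalVar: function (k) { return this._g[k] === undefined ? null : this._g[k]; },
      setGlobalVar: function (k, v) { this._g[k] = v; }
    };

// --- the sender script itself ---
function sendingRequest(msg, initiator, helper) {
  var header = msg.getRequestHeader();

  // Drop stale variants whether the request is new or replayed from history,
  // so history entries recorded by an older script version are cleaned up.
  for (var i = 0; i < STALE_HEADER_NAMES.length; i++) {
    header.setHeader(STALE_HEADER_NAMES[i], null);
  }

  var loginToken = ScriptVars.getGlobalVar("logintoken");
  if (loginToken === null || loginToken === "") {
    // No token available (auth script not run yet, or it failed): leave the
    // request alone rather than silently sending "Bearer null".
    return;
  }
  // setHeader replaces any existing Authorization value, so only one copy is sent.
  header.setHeader("Authorization", "Bearer " + loginToken);
}

function responseReceived(msg, initiator, helper) {
  // Nothing to do on the response side for this script.
}

// Constructed helper: run the script over a message with the given headers
// and token, returning the resulting request headers as a plain object.
function applyToHeaders(initialHeaders, token) {
  ScriptVars.setGlobalVar("logintoken", token);
  var msg = new FakeMessage(initialHeaders);
  sendingRequest(msg, 0, null);
  return msg.getRequestHeader().snapshot();
}
```

Inside ZAP, only `STALE_HEADER_NAMES`, `sendingRequest`, `responseReceived` and the ZAP branch of the `ScriptVars` lookup are needed. Note that an HTTP Sender script also runs for the authentication request ZAP sends to the token endpoint itself (initiator `HttpSender.AUTHENTICATION_INITIATOR`), so when comparing the working Python request with the failing one as the answer suggests, check whether the script is altering that request too.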