
I am trying to test the sendHarRequest function via the locally provided OWASP ZAP API in order to send a POST Request through ZAP.

I have already tried to encode my request with the ZAP Encoder into other formats, however that wasn't successful either.

{
  "request": {
    "method": "POST",
    "url": "http://service.com/questions/depot?include-backend-answers=false",
    "cookies": [],
    "headers": [
      {
        "name": "Accept",
        "value": "application/json, text/plain, */*"
      },
      {
        "name": "Content-Type",
        "value": "application/json;charset=UTF-8"
      }
    ],
    "queryString": [
      {
        "name": "include-backend-answers",
        "value": "true"
      }
    ],
    "postData": {
      "mimeType": "application/json;charset=UTF-8",
      "params": [],
      "text": "{\"answerQuestionWrappers\":[{\"questionId\":\"QUESTION_BENEFICIARY\",\"answers\":[{\"optionId\":\"BENEFICIARY_OPTION_1\",\"value\":1}]},{\"questionId\":\"QUESTION_PENSION_PLAN\",\"answers\":[{\"optionId\":\"PENSION_PLAN_OPTION_1\",\"value\":1}]},{\"questionId\":\"QUESTION_PENSION_INFO\",\"answers\":[{\"optionId\":\"PENSION_INFO_OPTION_1\",\"groupId\":null,\"followUp\":null,\"followUpContainsCheckbox\":null,\"followUpOnly\":null,\"value\":1}]}]}"
    }
  }
}

I keep getting {"code":"illegal_parameter","message":"Provided parameter has illegal or unrecognized value"} as the response.

On the other hand, using the following code within the Request Editor of ZAP works perfectly fine.

POST http://service.com/questions/depot?include-backend-answers=false HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 207
Content-Type: application/json
accept: application/json, text/plain, */*
Authorization: Bearer someAuthorizationKey
Host: service.de:12089

{"answerQuestionWrappers":[{"questionId":"QUESTION_BENEFICIARY","answers":[{"optionId":"BENEFICIARY_OPTION_1","groupId":null,"followUp":null,"followUpContainsCheckbox":null,"followUpOnly":null,"value":1}]}]}

I found this post in the OWASP ZAP User-Group https://groups.google.com/forum/#!msg/zaproxy-users/vNfAfWvrCQ0/a73geZ8NBQAJ;context-place=forum/zaproxy-users and I think I have the same problem, however for me there was no clear solution.


1 Answer


You can browse the API Web UI by pointing your browser at ZAP's IP:Port, ex: http://localhost:8080/ (by default).

The sendHarRequest (request* followRedirects ) endpoint is described as:

Sends the first HAR request entry, optionally following redirections. Returns, in HAR format, the request sent and response received and followed redirections, if any. The Mode is enforced when sending the request (and following redirections), custom manual requests are not allowed in 'Safe' mode nor in 'Protected' mode if out of scope.

For a description of Http ARchive format refer to: https://en.wikipedia.org/wiki/HAR_(file_format)

To get valid examples you can export them from ZAP, via the following API endpoints:

  • messageHar (id* ) - Gets the message with the given ID in HAR format

  • messagesHar (baseurl start count ) - Gets the HTTP messages sent through/by ZAP, in HAR format, optionally filtered by URL and paginated with 'start' position and 'count' of messages

  • messagesHarById (ids* ) - Gets the HTTP messages with the given IDs, in HAR format.

If you're sending post data, it'll need to be properly URL encoded.

Quote chau362:

The actual problem was that I was missing the required keys "headersSize" and "bodySize" which can be set to a default of -1 if unknown, and "httpVersion", with the value "http/1.1".

As follows:

{
  "request": {
    "method": "POST",
    "url": "http://service.com/questions/depot?include-backend-answers=false",
    "httpVersion": "HTTP/1.1",
    "cookies": [],
    "headers": [
      {
        "name": "Accept",
        "value": "application/json, text/plain, */*"
      },
      {
        "name": "Content-Type",
        "value": "application/json;charset=UTF-8"
      }
    ],
    "queryString": [
      {
        "name": "include-backend-answers",
        "value": "true"
      }
    ],
    "postData": {
      "mimeType": "application/json;charset=UTF-8",
      "params": [],
      "text": "{\"answerQuestionWrappers\":[{\"questionId\":\"QUESTION_BENEFICIARY\",\"answers\":[{\"optionId\":\"BENEFICIARY_OPTION_1\",\"value\":1}]},{\"questionId\":\"QUESTION_PENSION_PLAN\",\"answers\":[{\"optionId\":\"PENSION_PLAN_OPTION_1\",\"value\":1}]},{\"questionId\":\"QUESTION_PENSION_INFO\",\"answers\":[{\"optionId\":\"PENSION_INFO_OPTION_1\",\"groupId\":null,\"followUp\":null,\"followUpContainsCheckbox\":null,\"followUpOnly\":null,\"value\":1}]}]}"
    },
    "headersSize": -1,
    "bodySize": -1
  }
}
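An added Python example (not from the question, the answer, or the ZAP project) that builds a HAR entry with the keys the follow-up identifies as required, checks an entry for those keys, and URL-encodes it as the `request` parameter the way the answer asks. The endpoint path `/OTHER/core/other/sendHarRequest/` and the `apikey` parameter are assumptions to be confirmed in your ZAP's API Web UI.

```python
import json
import urllib.parse
import urllib.request

# Keys the follow-up says ZAP requires, with its suggested defaults for unknown sizes.
REQUIRED_DEFAULTS = {"httpVersion": "HTTP/1.1", "headersSize": -1, "bodySize": -1}

def missing_har_keys(entry):
    """Return the required keys absent from a HAR entry's 'request' object."""
    req = entry.get("request", {})
    return sorted(k for k in ("method", "url", *REQUIRED_DEFAULTS) if k not in req)

def build_har_request(method, url, headers, body=None,
                      mime_type="application/json;charset=UTF-8"):
    """Build a HAR entry whose 'request' carries every key ZAP insists on.
    queryString is derived from the URL so the two cannot disagree."""
    parsed = urllib.parse.urlsplit(url)
    request = {
        "method": method,
        "url": url,
        "cookies": [],
        "headers": [{"name": n, "value": v} for n, v in headers.items()],
        "queryString": [{"name": n, "value": v}
                        for n, v in urllib.parse.parse_qsl(parsed.query)],
    }
    request.update(REQUIRED_DEFAULTS)
    if body is not None:
        text = json.dumps(body, separators=(",", ":"))
        request["postData"] = {"mimeType": mime_type, "params": [], "text": text}
        request["bodySize"] = len(text.encode("utf-8"))  # known size, so not -1
    return {"request": request}

def zap_api_params(entry, api_key="", follow_redirects=False):
    """Query parameters for sendHarRequest; 'request' is the JSON-serialised HAR."""
    params = {"request": json.dumps(entry),
              "followRedirects": str(follow_redirects).lower()}
    if api_key:
        params["apikey"] = api_key  # ZAP rejects API calls without a key by default
    return params

def zap_api_url(entry, zap="http://localhost:8080", **kw):
    """Full API URL; urlencode() supplies the URL encoding the answer asks for.
    The endpoint path is an assumption: confirm it in your ZAP's API Web UI."""
    path = "/OTHER/core/other/sendHarRequest/"
    return zap + path + "?" + urllib.parse.urlencode(zap_api_params(entry, **kw))

def send_har_request(entry, **kw):
    """Send the HAR through ZAP and return the HAR (request + response) it replies with."""
    with urllib.request.urlopen(zap_api_url(entry, **kw)) as resp:
        return json.loads(resp.read())
```

Run `missing_har_keys()` on a HAR that ZAP rejects with `illegal_parameter` before anything else; an empty list means the problem is elsewhere (for instance the Mode restrictions the answer quotes).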