Scripts
The Script Console add-on allows you to run scripts that can be embedded within ZAP and can access internal ZAP data structures. It supports any scripting language that implements JSR 223 (http://www.jcp.org/en/jsr/detail?id=223), including:
- ECMAScript / JavaScript (using the Nashorn engine, included by default)
- Zest (https://developer.mozilla.org/en-US/docs/zest, included by default)
- Groovy (http://groovy-lang.org/)
- Python (http://www.jython.org)
- Ruby (http://jruby.org/)
- and many more...
WARNING - scripts run with the same permissions as ZAP, so do not run any scripts that you do not trust!
Different types of scripts are supported:
- Stand Alone - scripts that are self-contained and are only run when you start them manually
- Active Rules - these run as part of the Active Scanner and can be individually enabled
- Passive Rules - these run as part of the Passive Scanner and can be individually enabled
- Proxy Rules - these run 'inline', can change every request and response, and can be individually enabled. They can also trigger break points
- HTTP Sender - scripts that run against every request/response sent/received by ZAP. This includes the proxied messages and the messages sent during the active scanner, fuzzer, ...
- Targeted Rules - scripts that are invoked with a target URL and are only run when you start them manually
- Authentication - scripts that are invoked when authentication is performed for a Context. To be used, they need to be selected when configuring the Script-Based Authentication Method for a Context.
- Script Input Vectors - scripts for defining exactly what ZAP should attack
- Extenders - scripts which can add new functionality, including graphical elements and new API end points
All scripts that are run automatically are initially 'disabled' - you must enable them via the Scripts 'tree' tab before they will run. If an error occurs while they run they will be disabled again. When you select the script, the last error will be shown in the Script Console tab. Targeted scripts can be invoked by right-clicking on a record in the Sites or History tabs and selecting the 'Invoke with script...' menu item.
All scripting languages can be used for all script types, but only those languages that have been downloaded from the ZAP Marketplace will typically have templates. However you may well be able to adapt a template for another language. If your favourite language is not available on the Marketplace then please raise a new issue via the "Online/Report an issue" menu item.
Variables can be shared between all scripts via the class org.zaproxy.zap.extension.script.ScriptVars. For example in Javascript you can use this class as follows:
    org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("var.name")
Variables can be shared between separate invocations of the same script via the same org.zaproxy.zap.extension.script.ScriptVars class. For example in Javascript you can use this class as follows:
    org.zaproxy.zap.extension.script.ScriptVars.setScriptVar(this.context, "var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getScriptVar(this.context, "var.name")
Note that these methods are only usable from scripting languages that provide access to the ScriptContext (like Javascript). For other scripting languages (in ZAP versions after 2.7.0) the variables can be accessed/set by manually specifying the name of the script:
    org.zaproxy.zap.extension.script.ScriptVars.setScriptVar("ScriptName", "var.name", "value")
    org.zaproxy.zap.extension.script.ScriptVars.getScriptVar("ScriptName", "var.name")
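The two scopes described above (global variables visible to every script, script variables visible only to separate invocations of one script) are easiest to see in a small stand-alone script that counts its own invocations. The following is an added example, not code from ZAP's help page or from the ZAP project. It assumes a hypothetical script name "invocation-counter.js" and uses the name-based setScriptVar/getScriptVar overloads the text describes; when run under ZAP's Nashorn engine it loads the real org.zaproxy.zap.extension.script.ScriptVars class through Java.type, and when run outside ZAP (where that class does not exist) it falls back to an in-memory stand-in with the same method names so the logic can be exercised offline.

```javascript
// Added example (not part of ZAP's help page): a stand-alone ZAP script that keeps
// a per-script invocation counter and a global "last script run" marker.
// Assumption: inside ZAP the Nashorn engine exposes Java.type, so the real
// ScriptVars class is used; anywhere else a minimal in-memory stand-in with the
// same method names is substituted so the example runs offline.

var SCRIPT_NAME = "invocation-counter.js"; // hypothetical name for the name-based ScriptVars API

function loadScriptVars() {
  if (typeof Java !== "undefined" && typeof Java.type === "function") {
    // Running under ZAP / Nashorn: use the real shared-variable store.
    return Java.type("org.zaproxy.zap.extension.script.ScriptVars");
  }
  // Offline stand-in: one global map plus one map per script name.
  var globals = {};
  var perScript = {};
  function bucket(scriptName) {
    if (!perScript[scriptName]) perScript[scriptName] = {};
    return perScript[scriptName];
  }
  return {
    setGlobalVar: function (key, value) { globals[key] = value; },
    getGlobalVar: function (key) {
      return globals.hasOwnProperty(key) ? globals[key] : null;
    },
    setScriptVar: function (scriptName, key, value) { bucket(scriptName)[key] = value; },
    getScriptVar: function (scriptName, key) {
      var b = bucket(scriptName);
      return b.hasOwnProperty(key) ? b[key] : null;
    }
  };
}

var ScriptVars = loadScriptVars();

// Increments a counter stored in a script-scoped variable: it survives between
// runs of this script but is invisible to scripts with a different name.
// Also records this script's name in a global variable that any other script
// (for example a proxy rule) can read with getGlobalVar.
function countInvocation() {
  var previous = ScriptVars.getScriptVar(SCRIPT_NAME, "invocations");
  var count = previous === null ? 1 : parseInt(previous, 10) + 1;
  // ScriptVars stores string values, so the number is stored as text.
  ScriptVars.setScriptVar(SCRIPT_NAME, "invocations", String(count));
  ScriptVars.setGlobalVar("last.script.run", SCRIPT_NAME);
  return count;
}

// Shows the isolation between scripts: a different script name sees no counter.
function counterSeenBy(otherScriptName) {
  return ScriptVars.getScriptVar(otherScriptName, "invocations");
}

countInvocation();
```

Because script variables are keyed by script name, renaming a script in the Scripts tree starts it with a fresh set of variables, while global variables keep whatever the last writer stored; treat anything read from a global variable as input from another script rather than as trusted state.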
See also:
- The Script Console tab
- The Scripts 'tree' tab
- ZAP internal objects: https://github.com/zaproxy/zaproxy/wiki/InternalDetails
- ZAP javadocs: https://javadoc.io/doc/org.zaproxy/zap
- Rhino Migration Guide: https://wiki.openjdk.java.net/display/Nashorn/Rhino+Migration+Guide