Skip to content

HelpAddonsScriptsScripts

Jump to bottom
psiinon edited this page Oct 13, 2017 · 7 revisions

Scripts

The ZAP Script Add-on allows you to run scripts that can be embedded within ZAP and can access internal ZAP data structures. It supports any scripting language that supports JSR 223 (http://www.jcp.org/en/jsr/detail?id=223) , including:

WARNING - scripts run with the same permissions as ZAP, so do not run any scripts that you do not trust!

Script types

Different types of scripts are supported:

  • Stand Alone - scripts that are self contained and are only run when your start them manually
  • Active Rules - these run as part of the Active Scanner and can be individually enabled
  • Passive Rules - these run as part of the Passive Scanner and can be individually enabled
  • Proxy Rules - these run 'inline', can change every request and response and can be individually enabled. They can also trigger break points
  • HTTP Sender - scripts that run against every request/response sent/received by ZAP. This includes the proxied messages, messages sent during active scanner, fuzzer, ...
  • Targeted Rules - scripts that invoked with a target URL and are only run when your start them manually
  • Authentication - scripts that invoked when authentication is performed for a Context. To be used, they need to be selected when configuring the Script-Based Authentication Method for a Context.
  • Script Input Vectors - scripts for defining exactly what ZAP should attack

All scripts that are run automatically are initially 'disabled' - you must enable them via the The Scripts 'tree' tab before they will run. If an error occurs when they run then they will be disabled. When you select the script then the last error will be shown in the Script Console tab. Targeted scripts can be invoked by right clicking on a record in the Sites or History tabs and selecting the 'Invoke with script...' menu item.

All scripting languages can be used for all script types, but only those languages that have been downloaded from the ZAP Marketplace will typically have templates. However you may well be able to adapt a template for another language. If your favourite language is not available on the Marketplace then please raise a new issue via the "Online/Report an issue" menu item. In the meantime you can just place the relevant jars in the 'lib' directory (not the 'plugin' directory) and restart ZAP.

Global Variables

Variables can be shared between all scripts via the class org.zaproxy.zap.extension.script.ScriptVars. For example in Javascript you can use this class as follows:

org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.name","value") org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("var.name")

Script Variables

Variables can be shared between separate invocations of the same script via the same org.zaproxy.zap.extension.script.ScriptVars class. For example in Javascript you can use this class as follows:

org.zaproxy.zap.extension.script.ScriptVars.setScriptVar(this.context, "var.name","value") org.zaproxy.zap.extension.script.ScriptVars.getScriptVar(this.context, "var.name") Note that these methods are only usable from scripting languages that provide access to the ScriptContext (like Javascript).

See also

     The Script Console tab
     The Scripts 'tree' tab

External links

     https://github.com/zaproxy/zaproxy/wiki/InternalDetails ZAP internal objects
     https://javadoc.io/doc/org.zaproxy/zap ZAP javadocs
     https://wiki.openjdk.java.net/display/Nashorn/Rhino+Migration+Guide Rhino Migration Guide
Clone this wiki locally