From ef95690092a0f1faff3002fd2b913445bb6b731f Mon Sep 17 00:00:00 2001
From: Scott Bailey
Date: Thu, 2 Sep 2021 09:31:23 -0400
Subject: [PATCH] New add-more-headers.js httpsender script

A list of headers specified in "add_headers" global variable will be added to all requests.

Signed-off-by: Scott Bailey
---
 CHANGELOG.md | 1 +
 httpsender/add-more-headers.js | 70 ++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 httpsender/add-more-headers.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6df245a..8b8c9333 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - httpsender/full-session-n-csrf-nashorn.js > full session and csrf token management.
 - httpfuzzerprocessor/unexpected_responses.js > compare response codes to a (pass/fail) regex and generate alerts
 - targeted/dns-email-spoofing > Check if DMARC / SPF policies are configured on a domain.
+- httpsender/add-more-headers.js > Add caller-specified headers to all requests.
 
 ### Changed
 - Update links in READMEs.
diff --git a/httpsender/add-more-headers.js b/httpsender/add-more-headers.js
new file mode 100644
index 00000000..c625200d
--- /dev/null
+++ b/httpsender/add-more-headers.js
@@ -0,0 +1,70 @@
+// This HttpSender script adds headers to all messages transmitted by zaproxy,
+// including automated tools. Refer to the HttpSender class definition:
+// https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/parosproxy/paros/network/HttpSender.java
+// for a list of 'initiator' values (although we don't use them).
+
+var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
+
+/*
+ * HttpSender scripts do not support parameters, so we'll use a known global
+ * variable to supply desired content. The value of this variable should be a
+ * JSON string containing a serialized map object. The map keys
+ * are the desired header name and the values are the header values.
+ *
+ * Example:
+ * add_headers defined with value '{"x-this": "v1", "x-that": "v2"}' will
+ * result in the following headers being added to every request:
+ * x-this: v1
+ * x-that: v2
+ */
+
+PARAMETER_VARIABLE = "add_headers";
+user_headers = null;
+
+// Logging with the script name is super helpful!
+function logger() {
+ print('[' + this['zap.script.name'] + '] ' + arguments[0]);
+}
+
+// Parse and store headers where we can get at them quickly
+function initializeHeaders(variableName) {
+ logger("Initializing...");
+ user_headers = JSON.parse(ScriptVars.getGlobalVar(variableName));
+}
+
+/*
+ * Processes messages by adding user-specified headers (overwriting original
+ * values if header already exists). This may be pointless for some initiators
+ * (CHECK_FOR_UPDATES) and redundant for others (FUZZER).
+ *
+ * Called before forwarding the message to the server.
+ *
+ * @param {HttpMessage} msg - The message that will be forwarded to the server.
+ * @param {int} initiator - The initiator that generated the message.
+ * @param {HttpSenderScriptHelper} helper - A utility object with helper functions.
+ */
+function sendingRequest(msg, initiator, helper) {
+ // Get user-supplied headers if we didn't already do it
+ if (!user_headers) {
+ initializeHeaders(PARAMETER_VARIABLE);
+ }
+
+ // Ensure each header is present with the required value
+ for (var key in user_headers) {
+ var value = user_headers[key];
+ // logger("Setting " + key + " to " + value);
+ msg.getRequestHeader().setHeader(key, value);
+ }
+
+ return msg;
+}
+
+/* Called after receiving the response from the server.
+ *
+ * @param {HttpMessage} msg - The message that was forwarded to the server.
+ * @param {int} initiator - The initiator that generated the message.
+ * @param {HttpSenderScriptHelper} helper - A utility object with helper functions.
+ */
+function responseReceived(msg, initiator, helper) {
+ // Nothing to do here
+}
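Review bot: sendingRequest stamps the configured headers onto every request ZAP sends regardless of destination, so a header meant for the target (likely an Authorization or session header, given the stated purpose) also goes to ZAP's update server, to out-of-scope hosts browsed through the proxy, and to any third-party host the target hands the client off to. Since the message and the `initiator` argument are both in hand, gate the loop on scope before setting anything, e.g. `if (!msg.isInScope()) { return msg; }` at the top of sendingRequest (HttpMessage carries an in-scope check in ZAP; confirm the exact method name), or at minimum skip the CHECK_FOR_UPDATES initiator the header comment already calls out as pointless. Separately, initializeHeaders passes whatever `getGlobalVar` returns straight to `JSON.parse` with no guard: an unset variable yields `null`, so the script re-parses on every request and silently adds nothing, while a malformed value throws out of sendingRequest and breaks all traffic through ZAP instead of reporting the misconfiguration. Wrapping the parse in try/catch with a `logger(...)` message and checking that the result is a plain object would make both cases visible. Note also that the `!user_headers` cache means `add_headers` is read once per script load, so later edits take no effect until the script is reloaded; that is worth a line in the usage comment.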