secureCodeBox / scanner-webapplication-zap

Part of the deprecated secureCodeBox v1, see secureCodeBox/secureCodeBox Repo for v2
Apache License 2.0

Configure the ZAP Replacer AddOn to add/replace HTTP Header #17

Closed rseedorff closed 5 years ago

rseedorff commented 5 years ago

As a user I would like to configure the ZAP Replacer options for my scans. More information on that can be found here: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsReplacerReplacer

There is an existing ZAP API Endpoint for this:

/replacer/action/addRule() -> Adds a replacer rule. For the parameters: desc is a user friendly description, enabled is true or false, matchType is one of [REQ_HEADER, REQ_HEADER_STR, REQ_BODY_STR, RESP_HEADER, RESP_HEADER_STR, RESP_BODY_STR], matchRegex should be true if the matchString should be treated as a regex otherwise false, matchString is the string that will be matched against, replacement is the replacement string, initiators may be blank (for all initiators) or a comma separated list of integers as defined in HttpSender

In my target definition (used for ZAP scans) I would like to configure this like so:

[
    {
        "name": "ZAP BodgeIt Scan",
        "location": "http://bodgeit:8080/bodgeit/",
        "attributes": {
            "ZAP_BASE_URL": "http://bodgeit:8080/bodgeit/",
            "ZAP_SPIDER_MAX_DEPTH": 1,
            "ZAP_REPLACER_RULES":
             [
                 { "matchType":"RESP_HEADER",
                   "description":"Remove CSP",
                   "matchString":"Content-Security-Policy",
                   "initiators":"",
                   "matchRegex":"false",
                   "replacement":"",
                   "enabled":"true"},
                 { "matchType":"RESP_HEADER",
                   "description":"Remove HSTS",
                   "matchString":"Strict-Transport-Security",
                   "initiators":"",
                   "matchRegex":"false",
                   "replacement":"",
                   "enabled":"true"},
                 { "matchType":"REQ_HEADER",
                   "description":"Add a special Authentication Header",
                   "matchString":"Authorization",
                   "initiators":"",
                   "matchRegex":"false",
                   "replacement":"Basic QWxhZGRpbjpPcGVuU2VzYW1l",
                   "enabled":"true"}
            ]
        }
    }
]
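The following is an added example of how a scanner could push the proposed ZAP_REPLACER_RULES attribute into a running ZAP instance through the addRule endpoint quoted above. It is not code from the secureCodeBox project; the ZAP address, API key and target document are constructed sample values, and the only API facts it relies on are the parameter names from the endpoint description (note that the API calls the description parameter "desc"), the /JSON/replacer/action/addRule/ path, and ZAP's {"Result": "OK"} success body.

```python
"""Apply ZAP_REPLACER_RULES from a target definition to ZAP's Replacer add-on.

Added example, not secureCodeBox code. Assumes a ZAP API reachable at the
address passed as zap_api and an API key (both hypothetical sample values).
"""
import json
import urllib.parse
import urllib.request

# Allowed matchType values, as listed in the addRule API description.
MATCH_TYPES = {"REQ_HEADER", "REQ_HEADER_STR", "REQ_BODY_STR",
               "RESP_HEADER", "RESP_HEADER_STR", "RESP_BODY_STR"}

# Field names used in the target definition -> addRule parameter names.
FIELD_MAP = {
    "description": "desc",
    "enabled": "enabled",
    "matchType": "matchType",
    "matchRegex": "matchRegex",
    "matchString": "matchString",
    "replacement": "replacement",
    "initiators": "initiators",
}


def _as_bool_str(value):
    """Normalise True/False/"true"/"false" to the lowercase strings ZAP expects."""
    if isinstance(value, bool):
        return "true" if value else "false"
    s = str(value).strip().lower()
    if s not in ("true", "false"):
        raise ValueError("expected true/false, got %r" % (value,))
    return s


def rule_to_params(rule):
    """Validate one rule from ZAP_REPLACER_RULES and map it to addRule parameters."""
    if rule.get("matchType") not in MATCH_TYPES:
        raise ValueError("unknown matchType %r" % (rule.get("matchType"),))
    if not rule.get("matchString"):
        raise ValueError("matchString must not be empty")
    params = {dst: rule[src] for src, dst in FIELD_MAP.items() if src in rule}
    params["enabled"] = _as_bool_str(rule.get("enabled", True))
    params["matchRegex"] = _as_bool_str(rule.get("matchRegex", False))
    params.setdefault("replacement", "")   # empty replacement removes a header
    params.setdefault("initiators", "")    # blank = all initiators
    params.setdefault("desc", rule["matchType"] + " " + rule["matchString"])
    return params


def build_add_rule_url(zap_api, params, apikey):
    """Build the GET URL for the JSON flavour of the addRule endpoint."""
    query = dict(params)
    query["apikey"] = apikey
    return (zap_api.rstrip("/") + "/JSON/replacer/action/addRule/?"
            + urllib.parse.urlencode(query))


def apply_replacer_rules(zap_api, target, apikey, fetch=None):
    """Add every rule in target["attributes"]["ZAP_REPLACER_RULES"] to ZAP.

    `fetch` is injectable so the logic can run without a live ZAP; by default
    it performs a real HTTP GET and decodes the JSON reply.
    """
    if fetch is None:
        def fetch(url):
            with urllib.request.urlopen(url, timeout=10) as resp:
                return json.loads(resp.read().decode("utf-8"))
    rules = target.get("attributes", {}).get("ZAP_REPLACER_RULES", [])
    added = []
    for rule in rules:
        url = build_add_rule_url(zap_api, rule_to_params(rule), apikey)
        body = fetch(url)
        if body.get("Result") != "OK":   # ZAP answers {"Result": "OK"} on success
            raise RuntimeError("addRule failed for %r: %r" % (rule, body))
        added.append(url)
    return added


# Constructed sample target mirroring the proposal above (hypothetical values).
SAMPLE_TARGET = {
    "name": "ZAP BodgeIt Scan",
    "location": "http://bodgeit:8080/bodgeit/",
    "attributes": {
        "ZAP_BASE_URL": "http://bodgeit:8080/bodgeit/",
        "ZAP_REPLACER_RULES": [
            {"matchType": "RESP_HEADER", "description": "Remove CSP",
             "matchString": "Content-Security-Policy", "initiators": "",
             "matchRegex": "false", "replacement": "", "enabled": "true"},
            {"matchType": "RESP_HEADER", "description": "Remove HSTS",
             "matchString": "Strict-Transport-Security", "initiators": "",
             "matchRegex": "false", "replacement": "", "enabled": "true"},
            {"matchType": "REQ_HEADER", "description": "Add Authorization",
             "matchString": "Authorization", "initiators": "",
             "matchRegex": "false", "replacement": "Basic QWxhZGRpbjpPcGVuU2VzYW1l",
             "enabled": "true"},
        ],
    },
}

if __name__ == "__main__":
    # Hypothetical ZAP address and API key; replace with your own values.
    for u in apply_replacer_rules("http://zap:8090", SAMPLE_TARGET, "changeme"):
        print("added:", u)
```

The rules are validated before any request is sent, so a typo in matchType fails the scan configuration up front instead of leaving a partially applied rule set in ZAP.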