zaproxy / zaproxy

The ZAP core project
https://www.zaproxy.org
Apache License 2.0

HTTP Method filter for Breakpoints #8542

Open xehpuk opened 2 weeks ago

xehpuk commented 2 weeks ago

Is your feature request related to a problem? Please describe.

I get too many "false positive" breaks because of CORS pre-flight (OPTIONS) requests.

Describe the solution you'd like

An additional option to whitelist HTTP methods.

Describe alternatives you've considered

None.

Screenshots

Example:

"Add Breakpoint" dialog with new option for HTTP Methods

Additional context

No response


kingthorin commented 2 weeks ago

Technically you could set the "Location" as Request Header and do it there via regex. But, I agree it could probably be easier/nicer for users with a set of checkboxes or a multi-select combobox.

I couldn't quickly find a site that had OPTIONS requests. Just as a PoC I used ^GET as my pattern; with that on it broke on GETs, and once I checked "Inverse" it stopped catching GETs.

xehpuk commented 2 weeks ago

Ah, nice. So I can use ^(GET|POST) <url>. Minor downside is that the URL should be escaped.

kingthorin commented 2 weeks ago

Yes, or ^OPTIONS and turn on Inverse (so you'd get anything but OPTIONS requests). You probably don't even need to include <url>; it depends how you're working, I guess.
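The workaround discussed in this thread, as an added example that is not part of the issue and not ZAP's own code: it models a "Request Header" breakpoint as an unanchored regex search over the header text, with "Inverse" negating the result. The function names, the example.com URL and the sample request headers are constructed for illustration, and the assumption that the header text starts with the request line including the URL follows the `^(GET|POST) <url>` usage above.

```python
import re

def method_pattern(methods, url=None):
    """Build a pattern like ^(GET|POST) <url>, with the URL escaped."""
    pattern = "^(" + "|".join(re.escape(m) for m in methods) + ")"
    if url is not None:
        # Escape regex metacharacters such as '.' and '?' in the URL.
        pattern += " " + re.escape(url)
    return pattern

def breaks(pattern, request_header, inverse=False):
    """Model of the breakpoint decision (assumed: regex search, then Inverse)."""
    found = re.search(pattern, request_header) is not None
    return found != inverse

# Constructed sample request headers (not captured traffic).
URL = "https://example.com/api/items?id=1"
PREFLIGHT = (
    f"OPTIONS {URL} HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Origin: https://app.example.com\r\n"
    "Access-Control-Request-Method: POST\r\n\r\n"
)
GET_REQ = f"GET {URL} HTTP/1.1\r\nHost: example.com\r\n\r\n"
DELETE_REQ = f"DELETE {URL} HTTP/1.1\r\nHost: example.com\r\n\r\n"

ALLOW = method_pattern(["GET", "POST"], URL)   # allow-list form
UNESCAPED = "^(GET|POST) " + URL               # URL pasted without escaping

def demo():
    return {
        # Allow-list: breaks on GET, ignores the pre-flight and DELETE.
        "allow_get": breaks(ALLOW, GET_REQ),
        "allow_preflight": breaks(ALLOW, PREFLIGHT),
        "allow_delete": breaks(ALLOW, DELETE_REQ),
        # ^OPTIONS + Inverse: everything except pre-flight requests.
        "inverse_get": breaks("^OPTIONS", GET_REQ, inverse=True),
        "inverse_preflight": breaks("^OPTIONS", PREFLIGHT, inverse=True),
        # Without '^', POST is found in Access-Control-Request-Method.
        "unanchored_preflight": breaks("POST", PREFLIGHT),
        # Unescaped '?' makes the 's' optional, so the real URL is missed.
        "unescaped_get": breaks(UNESCAPED, GET_REQ),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```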