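/**
 * HTTP Sender script hook: runs before every request ZAP sends.
 *
 * For requests aimed at the API host it makes sure an Accept header is
 * present and, when the request carries no Authorization header, performs
 * a login round-trip to fetch a fresh token and injects it as a Bearer
 * token. Requests for other hosts are passed through untouched.
 *
 * Written in ES5 on purpose: the script engine behind Java.type()/print()
 * is not guaranteed to support newer syntax.
 *
 * @param {HttpMessage} origMsg   the outgoing message (modified in place)
 * @param {number}      initiator the ZAP component that triggered the send (unused)
 * @param {HttpSenderScriptHelper} helper gives access to the HttpSender used for the login call
 * @returns {undefined}
 */
function sendingRequest(origMsg, initiator, helper)
{
  // Only act on traffic for the API scope. indexOf() works whether the host
  // name arrives as a JS string or a Java string, so it is safer than contains().
  var hostName = origMsg.getRequestHeader().getHostName();
  if (hostName == null || String(hostName).indexOf("mywebapi") === -1) { return; }

  // Work on a copy of the header and swap it in at the end so a failed login
  // leaves the original request as it was.
  var httpRequestHeader = origMsg.cloneAll().getRequestHeader();

  // Add the Accept header if the request does not already carry one.
  if (origMsg.getRequestHeader().getHeader("Accept") == null)
  {
    httpRequestHeader.setHeader('Accept', 'bar');
  }

  // Inject a single-use authentication token when none is present yet.
  if (origMsg.getRequestHeader().getHeader("Authorization") == null)
  {
    // Make sure any Java classes used explicitly are imported.
    var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
    var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
    var URI = Java.type("org.apache.commons.httpclient.URI");

    // Prepare the login request details.
    // NOTE(review): credentials are hard-coded and sent in the query string,
    // so they end up in server/proxy logs and in the ZAP history. Prefer
    // reading them from script parameters and, if the login endpoint allows
    // it, sending them in the request body instead.
    var loginURL = 'https://example.com/login';
    var username = 'user';
    var password = 'password';
    if (username === "" || password === "") {
      print("Error: missing credentials!");
      return;
    }

    // Percent-encode both values so reserved characters (&, =, %, spaces ...)
    // cannot break the query string; the result is already escaped, which is
    // why the URI is constructed with escaped=true.
    var query = "?username=" + encodeURIComponent(username) +
                "&password=" + encodeURIComponent(password);
    var requestUri = new URI(loginURL + query, true);
    var requestMethod = HttpRequestHeader.POST;
    var requestHeader = new HttpRequestHeader(requestMethod, requestUri, HttpHeader.HTTP10);
    requestHeader.setHeader('Accept', 'bar');

    // Log the endpoint only: requestUri would echo the credentials to the console.
    print("Sending " + requestMethod + " request to " + loginURL + "\n");

    // NOTE(review): if the login host ever matches the "mywebapi" scope this
    // send may re-enter the hook (no Authorization header on the login
    // request) — confirm against the HttpSender behaviour before changing loginURL.
    var msg = origMsg.cloneAll();
    msg.setRequestHeader(requestHeader);
    helper.getHttpSender().sendAndReceive(msg, false);

    if (msg.getResponseHeader().getStatusCode() != 200) {
      print("invalid response received: " + msg.getResponseBody().toString());
      return;
    }

    // The body may not be JSON at all (error page, empty body); report it
    // instead of letting JSON.parse abort the whole hook.
    var body = msg.getResponseBody().toString();
    var jsonMsg = null;
    try {
      jsonMsg = JSON.parse(body);
    } catch (e) {
      print("Invalid json response: " + body);
      return;
    }

    // Guard each level: a missing "data" object would otherwise throw.
    var token = (jsonMsg && jsonMsg.data) ? jsonMsg.data.token : null;
    if (!token) {
      // Print the raw body rather than the object (which would render as [object Object]).
      print("Invalid json response: " + body);
      return;
    }

    httpRequestHeader.setHeader("Authorization", 'Bearer ' + token);
  }

  origMsg.setRequestHeader(httpRequestHeader);
}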
/**
 * HTTP Sender script hook: runs after a response is received.
 * Nothing is inspected or altered on the way back; the hook exists only
 * because the script API expects it to be defined.
 *
 * @param {HttpMessage} msg       the completed request/response pair (unused)
 * @param {number}      initiator the ZAP component that triggered the send (unused)
 * @param {HttpSenderScriptHelper} helper script helper (unused)
 * @returns {undefined}
 */
function responseReceived(msg, initiator, helper)
{
  return;
}