Scripting in OWASP ZAP using Jython


Script in OWASP ZAP

ZAP supports scripts that run inside ZAP itself and can access ZAP's internal data structures and classes. Such scripts let you extend ZAP dynamically without rebuilding it.

ZAP supports any scripting language that implements JSR 223 (http://www.jcp.org/en/jsr/detail?id=223), including Jython, which is the language used in this article.


What is Jython?

Jython is one of the script engines that can run in ZAP.

The Jython project provides an implementation of Python on the JVM, which gives Python code the benefits of running on the JVM and direct access to classes written in Java. The current release (Jython 2.7.x) only supports Python 2, so ZAP scripts written in Jython must use Python 2 syntax. Work towards Python 3 support is in progress in the project's GitHub repository.


Database format in ZAP

OWASP ZAP uses HSQLDB (https://hsqldb.org/) as its default database for storing session data.


How to use another database platform?

In this article I give an example of how a ZAP script written in Jython can talk to PostgreSQL. Note that this does not replace ZAP's own session database; it lets your script read from or write to an external database of your choice.

--

import os
import sys
from org.zaproxy.zap.extension.script import ScriptVars        

The first two lines are ordinary Python imports.

The third line imports ScriptVars from ZAP's script extension. ScriptVars holds the variables (key/value pairs) associated with a given script, and we use it to pass the database credentials in at runtime instead of hard-coding them in the script file.

sys.path.append("/Users/herwindyopurbokusumo/Downloads/postgresql-42.3.9.jar")
import org.postgresql.Driver as Driver        

The first line appends the PostgreSQL JDBC jar (https://jdbc.postgresql.org/download/) to sys.path; in Jython this makes the Java classes inside the jar importable. Adjust the path to wherever you saved the jar.

The second line imports org.postgresql.Driver, the JDBC driver class we use to open connections to PostgreSQL.

username = ScriptVars.getScriptVar("Script1","username")
password = ScriptVars.getScriptVar("Script1","password")        

These two lines read the "username" and "password" variables that were set for Script1. getScriptVar returns null (None in Jython) if a variable has not been set, so make sure both are set before running the script, otherwise Properties.put below will fail.

To set those variables from outside the script, use the ZAP API script component, action setScriptVar (parameters scriptName, varKey, varValue). The password then travels over the ZAP API and is held in ZAP's memory, so keep the API bound to localhost and protected by the API key.

from java.util import Properties

props = Properties()
props.put("user", username)
props.put("password", password)        

Properties is a Java key/value map; the PostgreSQL driver reads the "user" and "password" keys from it when opening the connection.

conn = Driver().connect("jdbc:postgresql://192.168.0.115:5432/test", props)        

Connect to PostgreSQL using the Driver we loaded earlier, passing the JDBC URL and the Properties object. The URL here uses a plain TCP connection; if the server has TLS enabled, the driver also accepts an "sslmode" property in the same Properties object so the password is not sent in clear text.

st = conn.createStatement()
rs = st.executeQuery("SELECT 1")        

Create a Statement and run a SQL query. In this example it is just "SELECT 1", which is enough to prove the connection works. If you later build queries from data that ZAP collected from the target (URLs, parameters, headers), use conn.prepareStatement with bound parameters rather than string concatenation, because that data is attacker-controlled.

while(rs.next()):
    print(rs.getString(1))

rs.close()
st.close()
conn.close()        

Iterate over the result set and print the first column of each row. After that, close the result set, the statement and the connection.
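The steps above only prove that a Jython script can reach PostgreSQL. The following is an added example, not code from the original article, of what a practitioner would more likely write: an HTTP Sender script that records every request/response pair ZAP sees into a table. It reuses the article's ScriptVars approach for credentials and binds target-derived values (method, URL, status) with a PreparedStatement instead of concatenating them into SQL. The table name zap_traffic (columns method text, url text, status int, initiator int), the script name "Script1", the host 192.168.0.115 and the jar path are assumptions carried over from the article, and "sslmode" = "require" assumes the PostgreSQL server has TLS enabled. The Java imports are guarded so the pure-Python part (record_traffic) can be exercised outside ZAP with a fake connection.

```python
# Added example: ZAP "HTTP Sender" script in Jython that logs traffic to PostgreSQL.
# Not from the original article. Table zap_traffic, script name "Script1", host,
# jar path and a TLS-enabled server are assumptions.
import sys

try:
    # Only available inside ZAP's JVM. The module still imports under plain
    # CPython so record_traffic() can be tested with a fake connection.
    from org.zaproxy.zap.extension.script import ScriptVars
    from java.util import Properties
    IN_ZAP = True
except ImportError:
    IN_ZAP = False

SCRIPT_NAME = "Script1"
JDBC_URL = "jdbc:postgresql://192.168.0.115:5432/test"
JAR_PATH = "/Users/herwindyopurbokusumo/Downloads/postgresql-42.3.9.jar"
# Placeholders (?) are bound below; nothing from the target is spliced into SQL text.
INSERT_SQL = ("INSERT INTO zap_traffic (method, url, status, initiator) "
              "VALUES (?, ?, ?, ?)")

_conn = None  # one connection reused across callbacks while the script is loaded


def open_connection():
    """Load the JDBC driver and connect using credentials from ScriptVars."""
    global _conn
    if _conn is not None:
        return _conn
    sys.path.append(JAR_PATH)
    import org.postgresql.Driver as Driver
    username = ScriptVars.getScriptVar(SCRIPT_NAME, "username")
    password = ScriptVars.getScriptVar(SCRIPT_NAME, "password")
    if username is None or password is None:
        # Fail loudly instead of letting Properties.put() throw a NullPointerException
        raise ValueError("set username/password on %s via script/action/setScriptVar" % SCRIPT_NAME)
    props = Properties()
    props.put("user", username)
    props.put("password", password)
    props.put("sslmode", "require")  # pgjdbc option; assumes the server offers TLS
    _conn = Driver().connect(JDBC_URL, props)
    return _conn


def record_traffic(conn, method, url, status, initiator):
    """Insert one row with bound parameters. Returns the number of rows inserted."""
    ps = conn.prepareStatement(INSERT_SQL)
    try:
        ps.setString(1, method)
        ps.setString(2, url)        # attacker-controlled, bound not concatenated
        ps.setInt(3, int(status))
        ps.setInt(4, int(initiator))
        return ps.executeUpdate()
    finally:
        ps.close()


# ZAP HTTP Sender callbacks. msg is an org.parosproxy.paros.network.HttpMessage.
def sendingRequest(msg, initiator, helper):
    pass  # nothing to record until the response exists


def responseReceived(msg, initiator, helper):
    header = msg.getRequestHeader()
    record_traffic(open_connection(),
                   header.getMethod(),
                   header.getURI().toString(),
                   msg.getResponseHeader().getStatusCode(),
                   initiator)
```

Load it in ZAP under Scripts > HTTP Sender, set the two variables with script/action/setScriptVar, and enable it; every proxied or scanned response then becomes a row. "sslmode" = "require" encrypts the connection but does not verify the server certificate; use "verify-full" with a configured trust store if the database is not on a network you control.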


The complete code:

import os
import sys
from org.zaproxy.zap.extension.script import ScriptVars
from java.util import Properties

# Make the PostgreSQL JDBC jar visible to Jython, then import its Driver class
sys.path.append("/Users/herwindyopurbokusumo/Downloads/postgresql-42.3.9.jar")
import org.postgresql.Driver as Driver

# Credentials are supplied at runtime (ZAP API: script/action/setScriptVar)
username = ScriptVars.getScriptVar("Script1","username")
password = ScriptVars.getScriptVar("Script1","password")

props = Properties()
props.put("user", username)
props.put("password", password)
conn = Driver().connect("jdbc:postgresql://192.168.0.115:5432/test", props)
st = conn.createStatement()
rs = st.executeQuery("SELECT 1")
try:
    while rs.next():
        print(rs.getString(1))
finally:
    # Always release the result set, statement and connection
    rs.close()
    st.close()
    conn.close()

Response: the script console prints 1, the single row returned by "SELECT 1" (the original article shows this as a screenshot).

Hope it helps for everyone who read it.


More articles by Herwindyo Purbo

Explore content categories