RequestRecorder is an extension of Zed Attack Proxy(ZAP). You can test applications that need to access pages in a specific order, such as shopping carts or registration of member information. This Extension records the http request sequence of the web application, tracks the anti-CSRF token and session cookies, and can tests it by ZAPROXY tools(ActiveScan).
To summarize the above, this addon can build multistep request sequence without scripting,
and can use them with tool such as scanners or manual request on ZAP.
- ZAP ver 2.13.0 or later
- java ver 11 or later
Click here below:
English manuals
Japanese manuals
I tested member registration my sample page which has CSRF token. below is result:
Test Environment: WEBSAMPSQLINJ Docker image(docker-compose)
Scantarget: [Modify User] 3.2.moduser.php (See Sitemap)
ZAPROXY Version: 2.10.0-SNAPSHOT
Addon: RequestRecorder ver0.9.6, ActiveScan rule addons(See below).
ZAPROXY Mode: Standard mode
| url | parameter | Advanced SQLInjection Scanner Ver13 beta | CustomActiveScan ver0.0.1 alpha |
|---|---|---|---|
| http://localhost:8110/moduser.php | password | DETECTED (time based pg_sleep(5)) | DETECTED(boolean based) |
| http://localhost:8110/moduser.php | age | DETECTED (time based pg_sleep(5)) | DETECTED(boolean based) |
The add-on is built with [Gradle]: https://gradle.org/
To download & build this addon, simply run:
$ git clone https://github.com/gdgd009xcd/RequestRecorder.git
$ cd RequestRecorder/
$ ./gradlew addOns:requestRecorderForZAP:jarZapAddOn
The add-on will be placed in the directory RequestRecorder/addOns/requestRecorderForZAP/build/zapAddOn/bin
$ cd addOns/requestRecorderForZAP/build/zapAddOn/bin
$ ls
requestRecorderForZAP-beta-1.2.1.zap
$
- Gradle builds may fail due to network connection timeouts for downloading dependencies. If you have such problems, please retry the gradlew command each time. or you can download addon file from release page
- Start IJ, click [Clone Repository]
- Specify URL of repository. for example: https://github.com/gdgd009xcd/RequestRecorder.git
- Click [Clone]. IJ's IDE is opened.
- In the IJ's IDE, To display the Gradle tool window,
select menu:[View->Tool Windows->Gradle] or click [gradle] icon.
It shows a tree of Gradle tasks. - Double click gradle task named:
[zap-extensions->Tasks->build->jarZapAddon] - The addon zap file will be placed in the directory:
RequestRecorder/addOns/requestRecorderForZAP/build/zapAddOn/bin
This addon is 3rd party addon, so you must add this addon file to ZAPROXY manually. this addon does not have any telemetry feature.
- get addon file requestRecorderForZAP-xxx-n.n.n.zap on this release page
- Start ZAPROXY in your PC's Desktop.
- Install add-on requestRecorderForZAP-xxx-n.n.n.zap file according to the ZAP add-on installation method (example: File menu "Load add-on file").
- restart zap(sorry, currently this addon does not work unless restart zap after install it.)