Zest Script Recording Functionality
dscarson edited this page Aug 16, 2014 · 1 revision
#### What is it?
A feature that records transactions while you browse the web through the OWTF proxy and creates a Zest script from the recorded transactions. It is similar to the "record a Zest script" functionality in ZAP. This is how to use it:

1. Go to the zest console and click the ‘Record a Zest Script’ button. It turns into a red ‘Stop Recording !’ button.

   Note: Zest recording applies to all the targets’ zest consoles. If you start recording from one target’s zest console, the record buttons in all the targets’ zest consoles turn red. In short, this functionality has a “global scope”.
2. Now browse the web (after making sure you have configured the OWTF proxy). When you hit ‘Stop Recording !’, a Zest script called Default.zst is created containing all the transactions from the beginning of the recording. You can view the content of this script from any target’s zest console.
#### How does it work?
- This one is tricky but simple. The proxy module has a transaction_logger, which logs the transactions from the cache files into the database. While logging into the database, the function LogTransactions from transaction_manager is called.
- There is a global setting in the general profile called “ZEST_RECORDING”, which is set to False by default. Whenever recording is started, it is set to True.
- When LogTransactions is called and ZEST_RECORDING is True, the transactions are added to a list in the zest module (the list is called recordedTransactions).
- Each new transaction is appended to the list as a tuple (target_id, transaction_id), so the list grows as transactions arrive.
- When the recording is stopped, the list of tuples is passed to the method CreateRecordScript, which creates a Zest script from the given tuples.
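
The flow above, as a small added Python model (not OWTF's own code) that shows why one recording captures transactions from every target and how to list which targets ended up in it before reusing Default.zst. `RecorderModel`, `start`, `stop`, `by_target`, `demo` and the sample ids are hypothetical, and resetting the list at the start of a recording is an assumption.

```python
# Added illustration, not OWTF source. RecorderModel, start, stop, by_target
# and demo are hypothetical names; the remaining names come from the page.


class RecorderModel:
    def __init__(self):
        self.settings = {"ZEST_RECORDING": False}  # one flag for all targets
        self.recordedTransactions = []  # (target_id, transaction_id) tuples

    def start(self):
        # Assumption: each recording starts from an empty list.
        self.recordedTransactions = []
        self.settings["ZEST_RECORDING"] = True

    def LogTransactions(self, target_id, transaction_ids):
        """Stand-in for the hook called while transactions are logged."""
        if self.settings["ZEST_RECORDING"]:
            self.recordedTransactions += [(target_id, t) for t in transaction_ids]

    def stop(self):
        """Return the tuples that would be passed to CreateRecordScript."""
        self.settings["ZEST_RECORDING"] = False
        recorded, self.recordedTransactions = self.recordedTransactions, []
        return recorded


def by_target(recorded):
    """Group recorded transaction ids per target, keeping arrival order."""
    grouped = {}
    for target_id, transaction_id in recorded:
        grouped.setdefault(target_id, []).append(transaction_id)
    return grouped


def demo():
    # Constructed sample: target ids 1 and 2, arbitrary transaction ids.
    rec = RecorderModel()
    rec.LogTransactions(1, [9])   # before recording starts: ignored
    rec.start()                   # e.g. clicked in target 1's console
    rec.LogTransactions(1, [10])
    rec.LogTransactions(2, [4])   # another target is captured as well
    rec.LogTransactions(1, [11])
    recorded = rec.stop()
    rec.LogTransactions(2, [5])   # after stop: ignored
    return recorded


if __name__ == "__main__":
    print(by_target(demo()))
```
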
A detailed pictorial representation of how to record Zest scripts can be found here.