PA-7272 Added request/response headers to report

Dockerfile

@@ -7,14 +7,13 @@ COPY ./main.py ./requirements.txt ./VERSION.txt ./
 COPY ./helpers helpers/
 COPY ./hooks hooks/
 COPY ./model model/
-COPY ./scripts/httpsender /home/zap/.ZAP_D/scripts/scripts/httpsender/
-RUN chmod 777 /home/zap/.ZAP_D/scripts/scripts/httpsender/
-
-# Needed for reportRequestHeaders option, disabled until functionality is pulled into stable zap release
-# COPY ./reports/traditional-json /zap/reports/traditional-json
-# COPY ./reports/traditional-json-headers /zap/reports/traditional-json-headers
-# RUN chmod -R 444 /zap/reports/traditional-json
-# RUN chmod -R 444 /zap/reports/traditional-json-headers
+COPY ./scripts/httpsender /home/zap/.ZAP/scripts/scripts/httpsender/
+RUN chmod 777 /home/zap/.ZAP/scripts/scripts/httpsender/
+
+COPY ./reports/traditional-json /zap/reports/traditional-json
+COPY ./reports/traditional-json-headers /zap/reports/traditional-json-headers
+RUN chmod -R 444 /zap/reports/traditional-json
+RUN chmod -R 444 /zap/reports/traditional-json-headers
 
 RUN pip3 install -r requirements.txt && mkdir /zap/wrk && cd /opt \
 	&& wget -qO- -O geckodriver.tar.gz https://github.com/mozilla/geckodriver/releases/download/v0.30.0/geckodriver-v0.30.0-linux64.tar.gz \

README.md

@@ -69,7 +69,7 @@ The basic command to run a baseline scan would look like:
 | `--buildVersion` | None | Version of application build artifacts |
 | `--buildURI` | None | URI to CI build info |
 | `--operatingEnvironment` | None | Set Operating environment for information purposes only |
-| `--reportRequestHeaders` | False | (Temporarily Unavailable) Include request/response headers data in report |
+| `--reportRequestHeaders` | False | Include request/response headers data in report |
 | `--outputFormat` | None | Output format for vulnerabilities: only the value SARIF is available at the moment |
 | `--gpat` | None | GitHub Personal Authorization Token |
 | `--bearerToken` | None | Bearer token to authenticate |

VERSION.txt

@@ -1 +1 @@
-1.0.14
+1.0.15

helpers/blindxss.py

@@ -21,14 +21,14 @@ def load(config: DASTConfig, zap):
 
 
 def replace_collector_uri(uri):
-    template_script_path = '/home/zap/.ZAP_D/scripts/scripts/active/blindxss.js'
+    template_script_path = '/home/zap/.ZAP/scripts/scripts/active/blindxss.js'
 
     file_data = read_file(file_path=template_script_path)
 
     file_data = file_data.replace('callbackdomain.com', uri)
 
     random_suffix = randint(1000, 9999)
-    script_path = f'/home/zap/.ZAP_D/scripts/scripts/active/bxxs_{random_suffix}.js'
+    script_path = f'/home/zap/.ZAP/scripts/scripts/active/bxxs_{random_suffix}.js'
     with open(script_path, 'w') as file:
         file.write(file_data)
     return script_path

helpers/constants.py

@@ -72,5 +72,5 @@
 
 
 # ZAP SCRIPTS
-ZAP_ACTIVE_SCAN_SCRIPTS_FOLDER_PATH = "/home/zap/.ZAP_D/scripts/scripts/active/"
-ZAP_HTTP_SENDER_SCRIPTS_FOLDER_PATH = "/home/zap/.ZAP_D/scripts/scripts/httpsender/"
+ZAP_ACTIVE_SCAN_SCRIPTS_FOLDER_PATH = "/home/zap/.ZAP/scripts/scripts/active/"
+ZAP_HTTP_SENDER_SCRIPTS_FOLDER_PATH = "/home/zap/.ZAP/scripts/scripts/httpsender/"

main.py

@@ -242,11 +242,7 @@ def parse_configuration(self, configuration: Dict, target_url: str):
             elif key =="bearerToken":
                 self.auth_bearer_token = value
             elif key == "reportRequestHeaders":
-                if str.lower(value) == "true":
-                    self.report_request_headers = True
-                    log("Argument 'reportRequestHeaders' is temporarily disabled, parameter will be ignored.")
-                else:
-                    self.report_request_headers = False
+                self.report_request_headers = True if str.lower(value) == "true" else False
             elif key == "onFailure":
                 self.on_failure = value
             elif key == "checkoutDir":
@@ -865,9 +861,9 @@ def parse_args(self) -> None:
         )
         parser.add_argument(
             "--reportRequestHeaders",
-            help="(Temporarily Unavailable) Include request/response headers data in report",
+            help="Include request/response headers data in report",
             type=str,
-            default="False",
+            default="True",
             required=False
         )
         parser.add_argument(
@@ -993,15 +989,15 @@ def run_analysis(self) -> None:
                 exit_app(f"The scan mode {self.scan_mode} is invalid.")
                 return None
 
-            # log(f"Copying report templates. Include request headers: {self.report_request_headers}", log_level=LogLevel.DEBUG)
-            # os.system("mkdir -p ~/.ZAP_D/reports")
-            # os.system("mkdir -p /root/.ZAP_D/reports")
-            # if self.report_request_headers is True:
-            #    os.system("cp -R /zap/reports/traditional-json-headers ~/.ZAP_D/reports/traditional-json")
-            #    os.system("cp -R /zap/reports/traditional-json-headers /root/.ZAP_D/reports/traditional-json")
-            # else:
-            #    os.system("cp -R /zap/reports/traditional-json ~/.ZAP_D/reports/traditional-json")
-            #    os.system("cp -R /zap/reports/traditional-json /root/.ZAP_D/reports/traditional-json")
+            log(f"Copying report templates. Include request headers: {self.report_request_headers}", log_level=LogLevel.DEBUG)
+            os.system("mkdir -p ~/.ZAP/reports")
+            os.system("mkdir -p /root/.ZAP/reports")
+            if self.report_request_headers is True:
+               os.system("cp -R /zap/reports/traditional-json-headers ~/.ZAP/reports/traditional-json")
+               os.system("cp -R /zap/reports/traditional-json-headers /root/.ZAP/reports/traditional-json")
+            else:
+               os.system("cp -R /zap/reports/traditional-json ~/.ZAP/reports/traditional-json")
+               os.system("cp -R /zap/reports/traditional-json /root/.ZAP/reports/traditional-json")
 
             command: str = scan_function()