Plug-n-Hack Clients tab
To receive client events:
- Access the pages you want to monitor while proxying through ZAP
- Right click on the relevant node(s) in the Sites tree and select 'Monitor clients -> Include subtree'
- Force your browser to reload those pages
- Client events (such as postMessage, click, mouseover, etc.) will then be listed in this tab - select them to see the full details.
You can also intercept and change postMessages on the fly. Client messages are intercepted if the 'break on all requests' button is selected on the top level toolbar. You can also set custom client breakpoints via a button on the Clients tab.
You can fuzz postMessages in the same way as any other message - highlight the string you want to fuzz in the Request tab, right click and select "Fuzz". This option will only be available if the relevant browser still has that page open, as PnH sends the payloads to the browser. Standard 'XSS' payloads can be used to detect DOM XSS vulnerabilities, but you will need to manually monitor the UI to see if any of them are successful.
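To show what the postMessage fuzzing above is probing for, here is an added example (not part of the ZAP wiki or ZAP's code) of a message listener written the way a DOM XSS scanner would catch it beside a hardened version. The handlers are written as pure functions so they run under Node without a DOM; the origin `https://app.example.test` and the `greet` message shape are assumed.

```javascript
// Assumed allowlist of window origins permitted to send us messages.
const TRUSTED_ORIGINS = new Set(['https://app.example.test']);

// Vulnerable pattern: no origin check, and the message data goes to an
// innerHTML sink, so any markup in a fuzzed payload is interpreted.
function unsafeHandler(event) {
  return { sink: 'innerHTML', value: String(event.data) };
}

// Hardened pattern: verify event.origin, require the expected structured
// message, and route the untrusted field to a text sink (textContent).
function safeHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { sink: null, reason: 'untrusted origin: ' + event.origin };
  }
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || msg.type !== 'greet' ||
      typeof msg.name !== 'string') {
    return { sink: null, reason: 'unexpected message shape' };
  }
  return { sink: 'textContent', value: msg.name };
}

// Constructed stand-in for a fuzzed message: a harmless tag that would be
// rendered as markup by the unsafe handler and as literal text by the safe one.
const fuzzedEvent = { origin: 'https://evil.example.test', data: '<b>FUZZ</b>' };

// Wire the hardened handler to a real window when run in a browser.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (e) => {
    const r = safeHandler(e);
    if (r.sink === 'textContent') document.body.textContent = r.value;
  });
}
```

When fuzzing through ZAP, the unsafe handler is the shape of listener in which a payload will visibly land in the UI; the safe handler drops the message before any sink is reached.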