The ZAP Script Add-on allows you to run scripts that can be embedded within ZAP and can access internal ZAP data structures. It supports any scripting language that supports JSR 223 (http://www.jcp.org/en/jsr/detail?id=223), including:
- Zest - https://developer.mozilla.org/en-US/docs/zest (included by default)
- Groovy - http://groovy-lang.org/
- Python - http://www.jython.org
- Ruby - http://jruby.org/
- and many more...
WARNING - scripts run with the same permissions as ZAP, so do not run any scripts that you do not trust!
Different types of scripts are supported:
- Stand Alone - scripts that are self contained and are only run when you start them manually
- Active Rules - these run as part of the Active Scanner and can be individually enabled
- Passive Rules - these run as part of the Passive Scanner and can be individually enabled
- Proxy Rules - these run 'inline', can change every request and response and can be individually enabled. They can also trigger break points
- HTTP Sender - scripts that run against every request/response sent/received by ZAP. This includes the proxied messages, messages sent during active scanner, fuzzer, ...
- Targeted Rules - scripts that are invoked with a target URL and are only run when you start them manually
- Authentication - scripts that are invoked when authentication is performed for a Context. To be used, they need to be selected when configuring the Script-Based Authentication Method for a Context.
- Script Input Vectors - scripts for defining exactly what ZAP should attack
- Extenders - scripts which can add new functionality, including graphical elements and new API end points
All scripts that are run automatically are initially 'disabled' - you must enable them via the Scripts 'tree' tab before they will run. If an error occurs when they run then they will be disabled. When you select the script then the last error will be shown in the Script Console tab. Targeted scripts can be invoked by right clicking on a record in the Sites or History tabs and selecting the 'Invoke with script...' menu item.
All scripting languages can be used for all script types, but only those languages that have been downloaded from the ZAP Marketplace will typically have templates. However you may well be able to adapt a template for another language. If your favourite language is not available on the Marketplace then please raise a new issue via the "Online/Report an issue" menu item. In the meantime you can just place the relevant jars in the 'lib' directory (not the 'plugin' directory) and restart ZAP.
Scripts can share values with each other (and keep state between runs) through the ScriptVars class; the variable is set by one script and read back by name:

```
org.zaproxy.zap.extension.script.ScriptVars.setScriptVar(this.context, "var.name", "value")
org.zaproxy.zap.extension.script.ScriptVars.getScriptVar(this.context, "var.name")
```
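A Passive Rule script in the JavaScript (Nashorn) flavour that ties the two mechanisms above together: it flags HTML responses missing common defensive headers and uses ScriptVars so each host is reported once. This is an added example, not code from the ZAP project; the required-header list, the `scan(ps, msg, src)` entry point and the `ps.raiseAlert(...)` argument order are assumed from the classic ZAP passive templates, and the pure helpers run outside ZAP as well.

```javascript
// Added example (not ZAP project code): a Passive Rule script for ZAP.
// ZAP objects (ps, msg, ScriptVars) are only touched inside scan(), so the
// pure helpers also run under plain JavaScript for testing.

// Response headers this example expects on every HTML page (an assumption of
// the example, not a ZAP rule set).
var REQUIRED_HEADERS = ["X-Content-Type-Options", "X-Frame-Options", "Content-Security-Policy"];

// Pure logic: getHeader(name) returns the header value or null, the same
// contract as HttpResponseHeader.getHeader. Returns the names that are absent.
function missingSecurityHeaders(getHeader) {
  var missing = [];
  for (var i = 0; i < REQUIRED_HEADERS.length; i++) {
    var value = getHeader(REQUIRED_HEADERS[i]);
    if (value === null || value === undefined || String(value).trim() === "") {
      missing.push(REQUIRED_HEADERS[i]);
    }
  }
  return missing;
}

// ScriptVars key so the rule alerts once per host instead of once per response.
function alertKey(host) {
  return "missingHeaders.reported." + host;
}

// ZAP entry point for a Passive Rule: ps is the passive scan helper,
// msg the HttpMessage, src the parsed response body (unused here).
function scan(ps, msg, src) {
  var respHeader = msg.getResponseHeader();
  if (!respHeader.isHtml()) return;
  var missing = missingSecurityHeaders(function (name) {
    return respHeader.getHeader(name);
  });
  if (missing.length === 0) return;
  // Shared variables, in the form the page shows (this.context is the ScriptContext).
  var ScriptVars = org.zaproxy.zap.extension.script.ScriptVars;
  var key = alertKey(msg.getRequestHeader().getHostName());
  if (ScriptVars.getScriptVar(this.context, key) === "1") return; // already reported
  ScriptVars.setScriptVar(this.context, key, "1");
  // Assumed order (classic templates): risk, confidence, name, description, uri,
  // param, attack, otherInfo, solution, evidence, cweId, wascId, msg.
  ps.raiseAlert(1, 2, "Missing security headers (script rule)",
    "Response lacks: " + missing.join(", "),
    msg.getRequestHeader().getURI().toString(), "", "", "",
    "Send the listed headers on every HTML response.", "", 16, 15, msg);
}
```

Save it under Passive Rules in the Scripts tree and enable it; like every automatic script it starts disabled, and any runtime error disables it again with the message shown in the Script Console.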
See also:
- The Script Console tab
- The Scripts 'tree' tab
- ZAP internal objects - https://github.com/zaproxy/zaproxy/wiki/InternalDetails
- Rhino Migration Guide - https://wiki.openjdk.java.net/display/Nashorn/Rhino+Migration+Guide