Zest Script Ignores followRedirects #221

Closed
H4CKS4F3 opened this issue Nov 18, 2020 · 1 comment

Comments

@H4CKS4F3

Using ZAP 2.9.0 with Zest 32.0.0, it appears the followRedirects flag is being ignored (or I don't understand how it works).

I created this test script to demonstrate the issue:

{
  "about": "This is a Zest script. For more details about Zest visit https://developer.mozilla.org/en-US/docs/Zest",
  "zestVersion": "0.3",
  "title": "FollowRedirectsFalseNotWorking.zst",
  "description": "A template standalone script",
  "prefix": "",
  "type": "StandAlone",
  "parameters": {
    "tokenStart": "{{",
    "tokenEnd": "}}",
    "tokens": {},
    "elementType": "ZestVariables"
  },
  "statements": [
    {
      "url": "https://www.iana.org/domains/example",
      "data": "",
      "method": "GET",
      "headers": "",
      "assertions": [
        {
          "rootExpression": {
            "code": 301,
            "not": false,
            "elementType": "ZestExpressionStatusCode"
          },
          "elementType": "ZestAssertion"
        }
      ],
      "followRedirects": false,
      "timestamp": 0,
      "cookies": [],
      "index": 1,
      "enabled": true,
      "elementType": "ZestRequest"
    }
  ],
  "authentication": [],
  "index": 0,
  "enabled": true,
  "elementType": "ZestScript"
}

Despite the followRedirects flag being set to false, upon running the script, I assert (in this example) a status code of 301 but it fails and I observe two entries in history:
https://www.iana.org/domains/example - 301
https://www.iana.org/domains/reserved - 200

I'm trying to build an authentication script, but need to capture the auth cookie only set in a 302 response. Despite setting the followRedirects to false, the script still follows the redirect. I'm not sure if it's a bug, or if I'm doing something incorrectly.

@thc202
Member

thc202 commented Nov 18, 2020

This was fixed in #216, it will be included in the next Zest release (and then updated in the ZAP add-on).
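
An added example, not part of the issue thread or of the Zest code base: a standard-library Python check of why redirect handling matters when the auth cookie is set only on the redirect response. The local server, the `/login` and `/home` paths and the `auth` cookie value are constructed for illustration; Python clients stand in for a Zest request with `followRedirects` false and true.

```python
import http.client
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class Handler(BaseHTTPRequestHandler):
    """Constructed test target: /login answers 302 and sets the cookie there only."""
    def do_GET(self):
        if self.path == "/login":
            self.send_response(302)
            self.send_header("Location", "/home")
            self.send_header("Set-Cookie", "auth=constructed-token; HttpOnly")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            body = b"home"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def start_server():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch_without_redirects(port):
    """http.client never follows redirects, so the 302 and its headers are returned."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/login")
    resp = conn.getresponse()
    resp.read()
    result = (resp.status, resp.getheader("Set-Cookie"), resp.getheader("Location"))
    conn.close()
    return result

def fetch_with_redirects(port):
    """urllib follows the 302 by default; only the final 200 response is visible."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    with opener.open(f"http://127.0.0.1:{port}/login", timeout=5) as resp:
        return (resp.status, resp.headers.get("Set-Cookie"), resp.geturl())

if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print("no redirects:", fetch_without_redirects(port))
    print("redirects:   ", fetch_with_redirects(port))
    srv.shutdown()
```

The same local target can be used to confirm that a Zest release containing the fix stops at the 302 when `followRedirects` is false.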
