zap-java-api

makeRequest doesn't seem to use the cookies set in the HarRequest

Open iriusrisk opened this issue 11 years ago • 4 comments

There's a test in ZAProxyScannerTest called testCookiesWithMakeRequest that illustrates the issue.

Basically, the expected behaviour is this:

  • log in to the app, which sets a cookie
  • grab a copy of a request that contains the cookie
  • change the value of the cookie in the HarRequest
  • submit the HarRequest with the new cookie using makeRequest
  • the HarEntry returned should have a HarRequest that contains the new cookie value.

The current behaviour: The HarRequest contained in HarEntry returned from makeRequest contains the old cookie value.

iriusrisk, Nov 07 '13 19:11

I've changed the URL for the test web application to: http://localhost:9110/ropeytasks/

iriusrisk, Nov 07 '13 19:11

The HTTP request, sent by ZAP, contains the old cookie value because the request is built using the HarRequest's headers field [1] (which contains a Cookie request header with the old cookie value).

The field cookies [2] (the one being changed) is not taken into account to build the request as it's supposed to contain the same cookies as the field headers.

The same applies to other fields that are extracted from other "main" fields (example: queryString and url, with only the latter being used).

Since changing the HarRequest using its setter methods might produce malformed objects (regarding the HAR format), I believe that it would be better to provide a utility class (or a HarRequest builder class) that allows changing its fields while keeping it well-formed. What do you think?

[1] http://www.softwareishard.com/blog/har-12-spec/#headers
[2] http://www.softwareishard.com/blog/har-12-spec/#cookies

thc202, Nov 08 '13 02:11
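The mismatch described in the comment above, as an added example that is not part of the thread or of zap-java-api: it works on the HAR 1.2 JSON shape (Python dicts) rather than on the Java HarRequest objects, and the function names and the sample request are assumptions made for illustration. It shows how a setter-style edit to `cookies` leaves the `Cookie` header stale, and one way to change a cookie while keeping both fields in agreement.

```python
import copy

def cookie_header_value(cookies):
    """Serialise HAR cookie objects into a Cookie request header value."""
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies)

def parse_cookie_header(value):
    """Parse 'a=1; b=2' into an ordered list of (name, value) pairs."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            pairs.append((name, val))
    return pairs

def is_consistent(request):
    """True when the derived `cookies` field matches the Cookie header(s)."""
    from_headers = []
    for h in request.get("headers", []):
        if h["name"].lower() == "cookie":  # header names are case-insensitive
            from_headers += parse_cookie_header(h["value"])
    from_field = [(c["name"], c["value"]) for c in request.get("cookies", [])]
    return from_headers == from_field

def with_cookie(request, name, value):
    """Return a copy with the cookie set in BOTH `cookies` and `headers`."""
    req = copy.deepcopy(request)  # never mutate the captured request
    cookies = req.setdefault("cookies", [])
    for c in cookies:
        if c["name"] == name:
            c["value"] = value
            break
    else:
        cookies.append({"name": name, "value": value})
    # Drop existing Cookie header(s) and emit a single one rebuilt from
    # `cookies`, which this helper treats as the source of truth.
    headers = [h for h in req.get("headers", []) if h["name"].lower() != "cookie"]
    headers.append({"name": "Cookie", "value": cookie_header_value(cookies)})
    req["headers"] = headers
    return req

# Constructed sample request in HAR 1.2 shape; the URL is the one in the thread.
SAMPLE = {
    "method": "GET",
    "url": "http://localhost:9110/ropeytasks/",
    "headers": [{"name": "Host", "value": "localhost:9110"},
                {"name": "Cookie", "value": "JSESSIONID=old; theme=dark"}],
    "cookies": [{"name": "JSESSIONID", "value": "old"},
                {"name": "theme", "value": "dark"}],
}
```

Running `is_consistent` on a request before it is submitted catches the case from this issue, where only the `cookies` field was changed and the header sent on the wire still carried the old value.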

Ah, I misunderstood how the harlib worked internally. I've created a utility method:

https://github.com/continuumsecurity/zap-java-api/commit/fcc38c650350c5e7d78af3935da22717a8ce3aa5

Right now, this is all I need for bdd-security, but a general builder will be a better solution going forward. Does the makeRequest set the content-length automatically based on the har content?

iriusrisk, Nov 08 '13 09:11

No, it doesn't.

thc202, Nov 08 '13 17:11