OWASP-ZAP:如何使用脚本暂停传统蜘蛛
我需要在以下条件上暂停蜘蛛
- 当响应代码为302时,
- ,当响应标头的位置设置为登录页面时:“ login.jsp”
以下是我当前正在做的事情 脚本:HTTP发件人 引擎:Jython 脚本:
import httplib
HOST = "127.0.0.1"
PORT = 2031
APIKEY="2031"
def sendingRequest(msg, initiator, helper):pass
def responseReceived(msg, initiator, helper):
if initiator == 3:
try:
h=httplib.HTTPConnection("{0}:{1}".format(HOST,PORT))
if h:
if msg.getResponseHeader() and msg.getResponseHeader().getStatusCode()==302:
if msg.getResponseHeader().getHeader("Location") is not None:
if "Login.jsp" in msg.getResponseHeader().getHeader("Location"):
h.request("GET", "/JSON/spider/action/pauseAllScans/?apikey={0}".format(APIKEY))
except: pass
我想知道他们是否还有其他或更好的方法来实现这一目标?
先感谢您。
I have an requirement where I need to pause spider on the following condition
- when response code is 302
- when response header has location with value set to login page eg: "login.jsp"
Following is what I am currently doing
Script: HTTP sender
Engine: Jython
Script:
import httplib
HOST = "127.0.0.1"
PORT = 2031
APIKEY="2031"
def sendingRequest(msg, initiator, helper):pass
def responseReceived(msg, initiator, helper):
if initiator == 3:
try:
h=httplib.HTTPConnection("{0}:{1}".format(HOST,PORT))
if h:
if msg.getResponseHeader() and msg.getResponseHeader().getStatusCode()==302:
if msg.getResponseHeader().getHeader("Location") is not None:
if "Login.jsp" in msg.getResponseHeader().getHeader("Location"):
h.request("GET", "/JSON/spider/action/pauseAllScans/?apikey={0}".format(APIKEY))
except: pass
I was wondering if their is any other or better way to achieve this?
Thank you in advance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您有Sai 为什么要暂停扫描。我的猜测是,您可以重新认证。如果是这样,我认为更好的选择是配置ZAP来处理身份验证,那么如果用户被登录,它将自动重新实现。如果您真的想以自己的方式执行此操作,那么您就不必进行API调用 - 您的脚本已经在ZAP中运行,因此可以通过代码暂停蜘蛛。
You havnt sai why you want to pause the scans. My guess is that so you can re-authenticate. If so then I think the better option is to configure ZAP to handle authentication, then it will automatically re-authenticate if the user ever gets logged out. If you really want to do it your way then you dont have to make an API call - your script is already running in ZAP and so will be able to pause the spider via code.