Skip to content

Latest commit

 

History

History

proxy

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
Add spoofed CORS origin.zst
Add spoofed CORS origin.zst
 
 
Change all POSTs to GETs.zst
Change all POSTs to GETs.zst
 
 
Convert HTTPS links to HTTP.zst
Convert HTTPS links to HTTP.zst
 
 
Disable browser XSS protection.zst
Disable browser XSS protection.zst
 
 
Drop requests by response code.js
Drop requests by response code.js
 
 
Drop requests not in scope.js
Drop requests not in scope.js
 
 
Drop requests via URL regexes.zst
Drop requests via URL regexes.zst
 
 
Emulate Android.js
Emulate Android.js
 
 
Emulate Chrome.js
Emulate Chrome.js
 
 
Emulate Firefox.js
Emulate Firefox.js
 
 
Emulate IE.js
Emulate IE.js
 
 
Emulate Safari.js
Emulate Safari.js
 
 
Emulate iOS.js
Emulate iOS.js
 
 
Hide Referer header.zst
Hide Referer header.zst
 
 
Ignore cookies.zst
Ignore cookies.zst
 
 
README.md
README.md
 
 
Remove CSP.zst
Remove CSP.zst
 
 
Remove HSTS headers.zst
Remove HSTS headers.zst
 
 
Remove all JavaScript form validation.zst
Remove all JavaScript form validation.zst
 
 
Remove data validation tags in response body.zst
Remove data validation tags in response body.zst
 
 
Remove object tags in response body.zst
Remove object tags in response body.zst
 
 
Remove script tags in response body.zst
Remove script tags in response body.zst
 
 
Remove secure flag from cookies.zst
Remove secure flag from cookies.zst
 
 
Replace in request body.zst
Replace in request body.zst
 
 
Replace in request header.zst
Replace in request header.zst
 
 
Replace in request or response body.js
Replace in request or response body.js
 
 
Replace in response body.zst
Replace in response body.zst
 
 
Replace in response header.zst
Replace in response header.zst
 
 
Require non-cached response.zst
Require non-cached response.zst
 
 
Require non-compressed responses.zst
Require non-compressed responses.zst
 
 
Return fake response.js
Return fake response.js
 
 
Show commented out in response body.zst
Show commented out in response body.zst
 
 
Useragent Replace.js
Useragent Replace.js
 
 
WAF_Bypass.js
WAF_Bypass.js
 
 
dropCookiesSelectively.js
dropCookiesSelectively.js
 
 

README.md

Proxy scripts

Scripts which these run 'inline', can change every request and response that is proxied through ZAP and can be individually enabled. They can also trigger break points. They are not invoked for requests that originate from ZAP, for example from the active scanner or spiders. To access requests that originate from ZAP use httpsender scripts.

Javascript template

// The proxyRequest and proxyResponse functions will be called for all requests  and responses made via ZAP, 
// excluding some of the automated tools
// If they return 'false' then the corresponding request / response will be dropped. 
// You can use msg.setForceIntercept(true) in either method to force a break point

// Note that new proxy scripts will initially be disabled
// Right click the script in the Scripts tree and select "enable"  

/**
 * This function allows interaction with proxy requests (i.e.: outbound from the browser/client to the server).
 * 
 * @param msg - the HTTP request being proxied. This is an HttpMessage object.
 */
function proxyRequest(msg) {
	// Debugging can be done using print like this
	print('proxyRequest called for url=' + msg.getRequestHeader().getURI().toString())
	
	return true
}

/**
 * This function allows interaction with proxy responses (i.e.: inbound from the server to the browser/client).
 * 
 * @param msg - the HTTP response being proxied. This is an HttpMessage object.
 */
function proxyResponse(msg) {
	// Debugging can be done using print like this
	print('proxyResponse called for url=' + msg.getRequestHeader().getURI().toString())
	return true
}

Variables

Name Javadocs
msg HttpMessage

Code Links