dscarson edited this page Aug 15, 2014 · 4 revisions

Welcome to the zest-owtf wiki!

This project is at the core of creating Zest scripts. It is written in Java because some modules from ZAP have been used. The basic flow is:

target IDs, transaction IDs → DB fetch → convert to HttpMessage → Zest scripts

Now we will dive into the details:

The main class is Tester.java. It takes 6 input arguments in total (all paths must be absolute):

- Root owtf directory
- Output directory (owtf_review)
  - for recorded scripts: owtf_review/targets/recorded_scripts
  - for target scripts: owtf_review/targets/target_dir/zest
- Target config db (owtf_review/db/target_config.db)
- Zest script
- Target IDs
- Transaction IDs

For example, if the owtf root directory is /root/owtf, then the above arguments will be:

"/root/owtf" "/root/owtf/owtf_review/targets" "/root/owtf-ui/owtf_review/db/target_config.db" "/root/owtf-ui/owtf_review/targets/recorded_scripts/test.zst" "1 2" "2 3"

Tester.java takes the arguments, parses them and separates them. https://github.com/dscarson/zest-owtf/blob/master/src/org/zest_owtf/mainclass/Tester.java#L34

It then converts the strings of target IDs and transaction IDs into integer lists. https://github.com/dscarson/zest-owtf/blob/master/src/org/zest_owtf/mainclass/Tester.java#L44

It creates an object of the ScriptPrepare.java class. (This class takes the template file and creates a ZestScriptWrapper and ZestScript from it. It is explained in detail later.) https://github.com/dscarson/zest-owtf/blob/master/src/org/zest_owtf/mainclass/Tester.java#L44

It then creates the DBHandler object and passes the transaction IDs and target IDs to that object. https://github.com/dscarson/zest-owtf/blob/master/src/org/zest_owtf/mainclass/Tester.java#L64

Finally, an object of the Creator.java class creates the final Zest script and outputs it.

Now let's go through each module in the order of their use.

ScriptPrepare.java: The simplest module, created to facilitate the process of creating a ZestScriptWrapper and ZestScript from the template. Another simple and self-explanatory module called FileReader.java is used to read from the file. A basic ScriptWrapper is created, and ZestScriptWrapper inherits from ScriptWrapper.

DBHandler.java: This is the main module of the project. It has two main methods:

- CreateRecordScript
- CreateTargetScript

The general idea in both of them is:

Get path for transaction db → fetch the transaction → get raw_request, response (status, header and body) → convert it to CustomObject (just a dummy object to bind all the things together)

At the end, Convert_to_http() is called: https://github.com/dscarson/zest-owtf/blob/master/src/org/zest_owtf/mainclass/DBHandler.java#L119

This method converts the list of CustomObject into a list of HttpMessage. Converting a transaction to an HttpMessage is the easiest way to create a Zest script, as ZAP already does that.

So the final list of HttpMessage is stored as http_list.

Creator.java: This module adds the HttpMessage to the ZestScript as a ZestRequest. (ZestZapUtils has been imported for this, as it already provides such functionality.) Then two assertions are added:

- Status code assertion
- Response body length assertion

(These are basic assertions to check whether the request failed or passed.) https://github.com/dscarson/zest-owtf/blob/master/src/org/zest_owtf/mainclass/Creator.java#L55

The script is then written to the actual file using the FileWrtr module.
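The following added example (not code from the zest-owtf repository) shows what the DB-fetch and assertion steps above work with: it takes one recorded transaction, derives the request method and URL, and computes the status code and body length that the two assertions compare against on replay. The `Transaction` and `Expected` types, the `scheme` parameter and the percentage tolerance are assumptions of this example; it uses only the JDK (Java 16 or later) rather than the ZAP and Zest classes.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
public class TransactionAssertionsDemo {
    // Hypothetical stand-in for the wiki's CustomObject: one recorded transaction.
    record Transaction(String rawRequest, String status, String headers, String body) {}
    // Hypothetical model of one script request plus its two recorded assertion values.
    record Expected(String method, String url, int statusCode, int bodyLength) {
        // A replayed response passes if the code is equal and the body length is
        // within tolerancePercent of the recorded length (tolerance is an assumption).
        boolean matches(int code, String body, int tolerancePercent) {
            int len = body.getBytes(StandardCharsets.UTF_8).length;
            return code == statusCode
                && Math.abs(len - bodyLength) * 100 <= bodyLength * tolerancePercent;
        }
    }

    static Expected fromTransaction(Transaction t, String scheme) {
        String[] lines = t.rawRequest().split("\r?\n");
        String[] requestLine = lines[0].trim().split("\\s+");
        if (requestLine.length != 3)
            throw new IllegalArgumentException("malformed request line: " + lines[0]);
        String target = requestLine[1], host = null;
        for (int i = 1; i < lines.length && !lines[i].isBlank(); i++) { // headers end at blank line
            int colon = lines[i].indexOf(':');
            if (colon > 0 && lines[i].substring(0, colon).trim().equalsIgnoreCase("Host"))
                host = lines[i].substring(colon + 1).trim();
        }
        // Proxies often record an absolute request target; otherwise rebuild it from Host.
        boolean absolute = target.matches("(?i)https?://.*");
        if (!absolute && host == null)
            throw new IllegalArgumentException("no Host header and no absolute URL");
        // Accept "200 OK" as well as "HTTP/1.1 200 OK": take the first three-digit token.
        int code = Arrays.stream(t.status().trim().split("\\s+"))
            .filter(s -> s.matches("\\d{3}")).mapToInt(Integer::parseInt).findFirst()
            .orElseThrow(() -> new IllegalArgumentException("no status code: " + t.status()));
        int length = t.body().getBytes(StandardCharsets.UTF_8).length;
        return new Expected(requestLine[0], absolute ? target : scheme + "://" + host + target, code, length);
    }

    public static void main(String[] args) {
        Transaction recorded = new Transaction( // constructed sample, not real OWTF data
            "GET /login?next=%2F HTTP/1.1\r\nHost: target.example\r\nUser-Agent: demo\r\n\r\n",
            "200 OK", "Content-Type: text/html\r\n", "<html><body>Sign in</body></html>");
        Expected expected = fromTransaction(recorded, "http");
        System.out.println(expected);
        System.out.println("same response passes: " + expected.matches(200, recorded.body(), 1));
        System.out.println("redirect with empty body passes: " + expected.matches(302, "", 1));
    }
}
```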

This is the explanation of the core modules of the zest-owtf project. Most of the other minor details are self-explanatory, but if you still need help, you can mail me at [email protected].
