From a6fc8c5c04dcada80d25645673a84d74476f56e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Walkowski?= Date: Wed, 17 Jan 2024 16:13:26 +0100 Subject: [PATCH] Add HTTP Sender script to RSA sign the requests (#429) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Create RsaSigningForZap.py Signed-off-by: MichaƂ Walkowski --- CHANGELOG.md | 3 ++ httpsender/RsaSigningForZap.py | 59 ++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 httpsender/RsaSigningForZap.py diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a212ba7..9a2baa32 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,9 @@ All notable changes to this add-on will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [Unreleased] +### Added +- httpsender/RsaSigningForZap.py - A script that signs requests using RSA + ### Changed - Update minimum ZAP version to 2.14.0. - Remove checks for CFU initiator in HTTP Sender scripts and docs, no longer needed. diff --git a/httpsender/RsaSigningForZap.py b/httpsender/RsaSigningForZap.py new file mode 100644 index 00000000..2696cf80 --- /dev/null +++ b/httpsender/RsaSigningForZap.py @@ -0,0 +1,59 @@ +# RSA Signing Script for Zed Attack Proxy - ZAP +# HelpAddOn Script - HTTPSender +# Michal Walkowski - https://mwalkowski.github.io/ +# https://github.com/mwalkowski +# +# Tested with Jython 14 beta and ZAP 2.14.0 +# For RSA Signing Process: https://httpwg.org/http-extensions/draft-ietf-httpbis-message-signatures.html#name-rsassa-pkcs1-v1_5-using-sha +# Based On: https://mwalkowski.github.io/post/using-burp-python-scripts-to-sign-requests-with-rsa-keys/ + +import urlparse +import uuid +import datetime +import base64 +import subprocess + +# path to private.key +PRIVATE_KEY = "private.key" +SIGNATURE_HEADER = 'X-Signature' +NONCE_HEADER = 'X-Nonce-Value' +NONCE_CREATED_AT_HEADER = 'X-Nonce-Created-At' + + +def sign(signature_input): + print('signature_input', signature_input) + signature_input_b64 = base64.standard_b64encode(signature_input.encode()).decode() + print('signature_input_b64', signature_input_b64) + + cmd = """printf %s "{}" | openssl dgst -sha256 -sign {}| openssl base64""".format(signature_input_b64, PRIVATE_KEY) + print(cmd) + process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) + + output, err = process.communicate() + if err.decode() != "": + raise Exception(err) + + return output.decode().replace("\n", "") + +def sendingRequest(msg, initiator, helper): + method = msg.getRequestHeader().getMethod() + path = urlparse.urlparse(msg.getRequestHeader().getURI().toString()).path + body = msg.getRequestBody().toString() + print(msg.getRequestBody().toString()) + + nonce_value = str(uuid.uuid4()) + nonce_created_at = '{}+00:00'.format(datetime.datetime.utcnow().isoformat()) + signature = sign("{}{}{}{}{}".format(method, path, nonce_value, nonce_created_at, body)) + + print('Adding new {}: {}'.format(SIGNATURE_HEADER, signature)) + msg.getRequestHeader().setHeader(SIGNATURE_HEADER, signature) + + print('Adding new {}: {}'.format(NONCE_HEADER, nonce_value)) + msg.getRequestHeader().setHeader(NONCE_HEADER, nonce_value) + + print('Adding new {}: {}'.format(NONCE_CREATED_AT_HEADER, nonce_created_at)) + msg.getRequestHeader().setHeader(NONCE_CREATED_AT_HEADER, nonce_created_at) + + +def responseReceived(msg, initiator, helper): + pass