From 528b81d164d345048feb41d02e7c322458d39b94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Walkowski?=
Date: Sat, 13 Jan 2024 19:51:05 +0100
Subject: [PATCH 1/3] Create rsa-signing-for-zap.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michał Walkowski
---
httpsender/rsa-signing-for-zap.py | 59 +++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 httpsender/rsa-signing-for-zap.py
diff --git a/httpsender/rsa-signing-for-zap.py b/httpsender/rsa-signing-for-zap.py
new file mode 100644
index 00000000..2696cf80
--- /dev/null
+++ b/httpsender/rsa-signing-for-zap.py
@@ -0,0 +1,59 @@
+# RSA Signing Script for Zed Attack Proxy - ZAP
+# HelpAddOn Script - HTTPSender
+# Michal Walkowski - https://mwalkowski.github.io/
+# https://github.com/mwalkowski
+#
+# Tested with Jython 14 beta and ZAP 2.14.0
+# For RSA Signing Process: https://httpwg.org/http-extensions/draft-ietf-httpbis-message-signatures.html#name-rsassa-pkcs1-v1_5-using-sha
+# Based On: https://mwalkowski.github.io/post/using-burp-python-scripts-to-sign-requests-with-rsa-keys/
+
+import urlparse
+import uuid
+import datetime
+import base64
+import subprocess
+
+# path to private.key
+PRIVATE_KEY = "private.key"
+SIGNATURE_HEADER = 'X-Signature'
+NONCE_HEADER = 'X-Nonce-Value'
+NONCE_CREATED_AT_HEADER = 'X-Nonce-Created-At'
+
+
+def sign(signature_input):
+ print('signature_input', signature_input)
+ signature_input_b64 = base64.standard_b64encode(signature_input.encode()).decode()
+ print('signature_input_b64', signature_input_b64)
+
+ cmd = """printf %s "{}" | openssl dgst -sha256 -sign {}| openssl base64""".format(signature_input_b64, PRIVATE_KEY)
+ print(cmd)
+ process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+
+ output, err = process.communicate()
+ if err.decode() != "":
+ raise Exception(err)
+
+ return output.decode().replace("\n", "")
+
+def sendingRequest(msg, initiator, helper):
+ method = msg.getRequestHeader().getMethod()
+ path = urlparse.urlparse(msg.getRequestHeader().getURI().toString()).path
+ body = msg.getRequestBody().toString()
+ print(msg.getRequestBody().toString())
+
+ nonce_value = str(uuid.uuid4())
+ nonce_created_at = '{}+00:00'.format(datetime.datetime.utcnow().isoformat())
+ signature = sign("{}{}{}{}{}".format(method, path, nonce_value, nonce_created_at, body))
+
+ print('Adding new {}: {}'.format(SIGNATURE_HEADER, signature))
+ msg.getRequestHeader().setHeader(SIGNATURE_HEADER, signature)
+
+ print('Adding new {}: {}'.format(NONCE_HEADER, nonce_value))
+ msg.getRequestHeader().setHeader(NONCE_HEADER, nonce_value)
+
+ print('Adding new {}: {}'.format(NONCE_CREATED_AT_HEADER, nonce_created_at))
+ msg.getRequestHeader().setHeader(NONCE_CREATED_AT_HEADER, nonce_created_at)
+
+
+def responseReceived(msg, initiator, helper):
+ pass
From 53d35cb738a61dae1e50fbdb007f611d0e3db476 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Walkowski?=
Date: Tue, 16 Jan 2024 10:15:49 +0100
Subject: [PATCH 2/3] Rename rsa-signing-for-zap.py to RsaSigningForZap.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michał Walkowski
---
httpsender/{rsa-signing-for-zap.py => RsaSigningForZap.py} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename httpsender/{rsa-signing-for-zap.py => RsaSigningForZap.py} (100%)
diff --git a/httpsender/rsa-signing-for-zap.py b/httpsender/RsaSigningForZap.py
similarity index 100%
rename from httpsender/rsa-signing-for-zap.py
rename to httpsender/RsaSigningForZap.py
From 1fdc94f303d245add278d3d0b458103e5e021b2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Walkowski?=
Date: Tue, 16 Jan 2024 10:18:55 +0100
Subject: [PATCH 3/3] Update CHANGELOG.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michał Walkowski
---
CHANGELOG.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7a212ba7..9a2baa32 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this add-on will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [Unreleased] +### Added +- httpsender/RsaSigningForZap.py - A script that signs requests using RSA + ### Changed - Update minimum ZAP version to 2.14.0. - Remove checks for CFU initiator in HTTP Sender scripts and docs, no longer needed.
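Review bot: sign() decides the openssl pipeline succeeded solely from stderr being empty (`if err.decode() != "": raise Exception(err)`) and never checks the exit status or whether any signature bytes came back, so under `shell=True` a failure in `printf` or `openssl dgst -sign` leaves the trailing `openssl base64` exiting 0 and an empty X-Signature is attached to the outgoing request, while any informational text openssl happens to write to stderr aborts a request that signed fine. Replace the stderr test after `process.communicate()` with `if process.returncode != 0 or not output:` / `    raise Exception(err.decode())`, keeping the stderr content only as the error detail. The debug prints in both functions (`print(cmd)`, `print('signature_input', signature_input)`, `print(msg.getRequestBody().toString())`) copy every request body, which may carry session tokens or credentials, into the ZAP script console; drop them or gate them behind a module-level `DEBUG = False` flag. If the target is Jython 2.7, as the `urlparse` import suggests, `print('signature_input', signature_input)` emits a tuple repr rather than two values, so either add `from __future__ import print_function` at the top or use a single formatted string.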