Welcome to 16892 Developer Community-Open, Learning,Share
menu search


I am using this command to do full scan on https://www.example.com.

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py 
    -t https://www.example.com -g gen.conf -r testreport.html

I need to add a http parameter for every http request.

Add http parameter like this www.example.com/toto?booking=true&satckoverflow=1.

I know that there is an add-extra-headers.js script inside http sender section of ZAP GUI. But I do not know how to use it when I do docker run zap-full-scan.

I can not do docker zap api scan.

Update: The second solution proposed down was used and this is my script

var URL_TYPE    = org.parosproxy.paros.network.HtmlParameter.Type.url;
var HtmlParameter = Java.type('org.parosproxy.paros.network.HtmlParameter');

var paramName = 'param1';
var paramValue = 'value1';

function sendingRequest(msg, initiator, helper) {
  if (!msg.getRequestHeader().getURI().toString().contains(paramName + '=' + paramValue)) {
    //You might want to add a check here for the proper domain or path as well..
    var urlParams = msg.getUrlParams();
    var newParam = new HtmlParameter(URL_TYPE, paramName, paramValue);
    urlParams.add(newParam); // you could print this if you need to see what's up
  return msg;

function responseReceived(msg, initiator, helper) {
  //Nothing to do here

thumb_up_alt 0 like thumb_down_alt 0 dislike
Welcome To Ask or Share your Answers For Others

1 Answer

Dp you need to add an HTTP header or some other parameter? The header can be easily added via environmental variables: https://www.zaproxy.org/docs/desktop/start/features/authentication/#envvars

If you need to add another sort of parameter then this can done via scripts but you will need to tell ZAP where to load them from.

First of all implement and test your scipt in the ZAP GUI - its much easier to see whats going on there. Once thats working then you need to put the script in a directory that you mount using the standard Docker -v parameter as per https://www.zaproxy.org/docs/docker/full-scan/ Finally you have to configure ZAP to tell it about the script using the local ath of the script in the Docker container. Thats detailed in this FAQ: https://www.zaproxy.org/faq/how-do-you-add-a-script-to-zap-from-the-command-line/

thumb_up_alt 0 like thumb_down_alt 0 dislike
Welcome to 16892 Developer Community-Open, Learning and Share