mozilla :: #websectools

16 Mar 2017
07:44 psiinon: morning
11:53 dsoff: Hello :) anyone here have some knowledge on the uri encoding for GET requests in Zest?
11:56 psiinon: hi dsoff - I'll try to help :)
11:57 dsoff: hooray, so I have extracted a url using ZestAssignStringDelimiters
11:58 dsoff: which returns an encoded string
11:58 dsoff: which in theory should be fine to use in the next request
11:59 psiinon: yeah
12:00 dsoff: but if I use it in a ZestRequest it gets encoded again before sending the request
12:01 dsoff: so ss%3Amem%3A turns into: ss%253Amem%253A
12:01 dsoff: if I then replace the %3A with : it doesn't encode it though
12:04 thc202: that might require changes in Zest to not automatically encode, or, we should allow to decode the var
12:05 dsoff: hmmm :(
12:05 dsoff: but why doesn't it encode the : then?
12:06 dsoff: is that because a : is valid in a url?
12:07 dsoff: because it only seems to encode %
12:07 dsoff: no + / and =
12:08 thc202: need to take a look at the code, it should encode :
12:08 dsoff: okay, is that in the zest github?
12:08 thc202: yes
12:08 dsoff: cool, will take a look thanks :)
12:16 thc202: actually the variable values should not be being encoded (not directly at least)
12:17 thc202: could you share an example URL and the variable where the issue happens?
12:18 dsoff: variable value from Print statement: SSO?SAMLRequest=fZJRT8IwFIX/ytJ3aDdgg4YtmfAgCQph0wdfTLfdSZPSzt4O9d87GAZNDM8957vnnHSO4qAanrZur3fw3gI67/OgNPLzQ0xaq7kRKJFrcQDkruRZ+rDmwZDxxhpnSqOIlyKCddLohdHYHsBmYI+yhKfdOiZ75xrklMoah8qUQg0qONJsL4vCKHD7IaKhJ2hAt5ssJ96ySyG1OPGubtFFvNr5bDweUVk1tAtRSwUXwA4qaaF0NMs2xFstY/IaBEUYRiGrZpPJlEXjYlyKAkrm+/W0Zr7oZIgtrDQ6oV1MA
12:18 dsoff: uZHAzYa+GHuB5xFnLEX4m0vXe+krqR+uz1M0YuQ3+f5dtCXegaL50KdgCTz07z8fNj+Gvw2VvysTJJ/N53TX9T+RMMfO8xquTVKll9eqpT5WFgQDmLiE5r0lr8fIPkG&RelayState=ss:mem:ebc8150a34eba24cf64409d0b4837ed62b63a204dc09d5565032a36e596e9b94
12:18 dsoff: actual request: SSO?SAMLRequest=fZJRT8IwFIX/ytJ3aDdgg4YtmfAgCQph0wdfTLfdSZPSzt4O9d87GAZNDM8957vnnHSO4qAanrZur3fw3gI67/OgNPLzQ0xaq7kRKJFrcQDkruRZ+rDmwZDxxhpnSqOIlyKCddLohdHYHsBmYI+yhKfdOiZ75xrklMoah8qUQg0qONJsL4vCKHD7IaKhJ2hAt5ssJ96ySyG1OPGubtFFvNr5bDweUVk1tAtRSwUXwA4qaaF0NMs2xFstY/IaBEUYRiGrZpPJlEXjYlyKAkrm+/W0Zr7oZIgtrDQ6oV1MAuZHAzYa+GHuB5xFnLEX4m
12:18 dsoff: 0vXe+krqR+uz1M0YuQ3+f5dtCXegaL50KdgCTz07z8fNj+Gvw2VvysTJJ/N53TX9T+RMMfO8xquTVKll9eqpT5WFgQDmLiE5r0lr8fIPkG&RelayState=ss:mem:ebc8150a34eba24cf64409d0b4837ed62b63a204dc09d5565032a36e596e9b94
12:19 dsoff: this is after manually decoding it
12:19 dsoff: without any processing:
12:19 thc202: (fyi, the interesting methods are ZestRequest.replaceTokens and ZestVariables.replaceInString I think)
12:22 dsoff: SSO?SAMLRequest=fZJfT8IwFMW%2FytJ36LotCA0jmfAgCQph6IMvpuvuXJOunb0d6rd3%2FDFgYnjuOb97zkmnKBrd8qzztdnCRwfog69GG%2BTHh5R0znArUCE3ogHkXvI8e1zxaBjy1llvpdUkyBDBeWXN3BrsGnA5uL2S8LxdpaT2vkVOqapwqK0UelDCnua1KgqrwddDREsP0Ihu1vmOBIs%2BhTLiwLu4RR%2FxYueTJImpKlvah6iUhjNgC6VyID3N8zUJlouUvJXxOJmIkEkoQwkVq1hUJEUVsyoah9Wo6mWIHSwNemF8SqKQ3Q3CeMBGOxZxNuFx%2BEqCzbnrvT
12:22 dsoff: KlMu%2B3hylOIuQPu91mcCr1Ag6PhXoBmU0P8%2FLjYXc1%2BG2s%2BF2ZzP7ddEqvqKcTLX%2FqMcvFxmolv4NMa%2Fs5dyA8pIQROjtZ%2Fn6A2Q8%3D&RelayState=ss%3Amem%3A02a2b642b24a873b8507e2cf83fee0f99855cc535289a90c94dfa7ae59abf3f8
12:22 dsoff: SSO?SAMLRequest=fZJfT8IwFMW%252FytJ36LotCA0jmfAgCQph6IMvpuvuXJOunb0d6rd3%252FDFgYnjuOb97zkmnKBrd8qzztdnCRwfog69GG%252BTHh5R0znArUCE3ogHkXvI8e1zxaBjy1llvpdUkyBDBeWXN3BrsGnA5uL2S8LxdpaT2vkVOqapwqK0UelDCnua1KgqrwddDREsP0Ihu1vmOBIs%252BhTLiwLu4RR%252FxYueTJImpKlvah6iUhjNgC6VyID3N8zUJlouUvJXxOJmIkEkoQwkVq1hUJEUVsyoah9Wo6mWIHSwNemF8SqKQ3Q3CeMBGOxZxNuFx%2
12:22 dsoff: 52BEqCzbnrvTKlMu%252B3hylOIuQPu91mcCr1Ag6PhXoBmU0P8%252FLjYXc1%252BG2s%252BF2ZzP7ddEqvqKcTLX%252FqMcvFxmolv4NMa%252Fs5dyA8pIQROjtZ%252Fn6A2Q8%253D&RelayState=ss%253Amem%253A02a2b642b24a873b8507e2cf83fee0f99855cc535289a90c94dfa7ae59abf3f8
12:42 thc202: thanks, and the "raw" URL, the one that contains the variables?
12:42 dsoff: that is {{redirectAddress}}
12:45 thc202: ah, so, you already have the whole URL encoded (thought it had a variable inside it among other things)
12:45 dsoff: yep
12:48 psiinon: thc202: we talked about having encode/decode operations a while back didn't we?
12:48 thc202: yeah, was thinking about that too
12:48 psiinon: :)
12:53 dsoff: hmmm... I'm thinking I might be going at it all wrong :(
12:54 dsoff: so my application uses an SSO solution which means requests get redirected to the IDP if there is no auth found
12:55 thc202: dsoff, are you using just that variable as the URL of the request?
12:55 dsoff: yes
12:57 thc202: ok
13:00 thc202: are you writing an authentication script?
13:01 dsoff: yep
13:02 dsoff: Login Form Target URL is dynamic, so I don't think I can use the form based auth
13:22 thc202: yeah, it needs to use an auth script
13:22 thc202: the zest request allows to automatically follow redirects, do you need to process the redirection response? (extract cookie?)
13:25 dsoff: not that I know of, I do however get a complete screen on which I need to submit another form.
13:25 dsoff: then again I haven't been there yet
13:26 dsoff: I do need to do a post to the responseURL from the redirect though
13:27 dsoff: so app.local-dev -> auth.local-dev?execution=e4s1
13:27 dsoff: and then post to auth.local-dev?execution=e4s1
13:30 dsoff: it's the e4s1 that changes on every request
13:37 thc202: similar to this one https://github.com/zaproxy/community-scripts/pull/31/files then? (although that's JavaScript not Zest)
13:46 dsoff: looks kinda correct. let me try fiddling with it to see if I can get it to work
13:47 thc202: ok
20:44 kingthorin: Hola
20:46 thc202: hi :)
20:52 kingthorin: I decided to move fwd with a bunch of those community script things based on a simple subset of the alpha extension guidelines....I can't check builds, loads isn't an issue, so that leaves isn't obviously malicious.....which none of them were
20:52 kingthorin: https://github.com/zaproxy/zap-extensions/wiki/AddOnDevelopment#alpha-version
20:53 kingthorin: from my review :)
20:55 kingthorin: the remaining 3 I replied to
20:55 kingthorin: hopefully we'll hear back from the submitters
20:57 kingthorin: I've been thinking more about Dave's 2595 ticket and the remaining two things
20:57 kingthorin: for edit mode, I'm thinking for dbl click leave the dialog but for right click and edit button just do a panel switch....that seem logical to you?
20:57 kingthorin: ...reasonable
21:02 thc202: kingthorin, I'm fine with that, though two of them had "issues" but I can live with that ;)
21:02 thc202: hopefully
21:02 thc202: yeah, as long as that's explained in the help pages it should be fine
21:03 thc202: it's good to have both options, it's easier to maximise the dialogue than the tab, in case you need more space
21:03 kingthorin: I think for scripts we're going to have to settle with less than perfect
21:04 thc202: true
21:04 kingthorin: I've also been looking at options to put a slim scrollbar on textfields for the panel
21:05 thc202: slim, more than the current scroll bars?
21:05 kingthorin: like the second example here: http://stackoverflow.com/a/35933352
21:05 kingthorin: (the orange scroller)
21:06 kingthorin: just trying to figure out how to extract the example to be a custom jcomponent that's textfield and scroll all-in-one
21:06 kingthorin: I haven't put too much time/thought into it....just an idea
21:08 kingthorin: sorry I'm jumping all over tonight, gotta head to chapter meeting shortly.....back to the scripts topic, I think it's fair to be more picky with alpha code submissions but for scripts if things aren't absolutely perfect it might be better to make them available and hope for more community feedback/engagement....I dunno I can try to start a thread about it but
21:08 kingthorin: that's my thought
21:09 thc202: I agree with that
21:09 thc202: re scroll bar, that saves a lot of space
21:10 kingthorin: I've only played with it for about 20m but so far I can't find a working way to extract that example to a working constructor
21:10 kingthorin: anyway don't waste time/thought on it yet, like I said it's only a back of my head idea so far
21:11 thc202: I just added the "for the record" comments because some of the previous issues were not addressed (even though the pull request comment said so)
21:12 thc202: ok, that will require nested classes (or top level "utility" classes)
21:12 thc202: which is fine
21:13 kingthorin: ok, I'll dig into the scripts a bit more, maybe I can submit modification PRs that address the remaining things
21:13 thc202: :)
21:14 kingthorin: thanks thc202!
21:14 thc202: do you speak Spanish?
21:15 kingthorin: barely, enough to order drinks and find a bathroom in cuba :)
21:15 thc202: :D
21:15 kingthorin: gotta run, ttyl
21:16 thc202: ok, cya