'request hooks' for Owasp ZAP - owasp

Is there a way I can trigger some action once a particular request is issued in ZAP?
For example, I want to send a POST request to an endpoint whenever there is a login/logout request.
Environment: I'm using a ZAP docker image.

Your best option is to use an HTTP Sender script - that will get invoked on every request and response sent or proxied through ZAP. You can test for your login/logout request and then send you POST request.
To add scripts to ZAP from the command line see this FAQ.

Related

401 Not Authorized error in soapUI but web service works perfect in Postman

As the title states, when I send a request from soapUI to an SAP web service I am returned with an XML that contains a "401 Nicht autorisiert" error message in it. Since it is an SAP web service, I do have to input credentials when I create the new project, but those are the only credentials I have input before running the project.
With the same credentials, I am able to create a request and not receive an error message when I use the Postman interface.
Could this be an issue with the web service configuration, or is this an authorization issue with soapUI?
Links to images:
SoapUI: https://imgur.com/2ZOBMgZ
Postman: https://imgur.com/M1SOCgG
From your images it looks like the Authorization: Basic... header is not being sent as part of your HTTP request out of soapUI and I assume your service doesn't challenge for the credentials in a way that soapUI understands.
One way around this is to click the Authenticate pre-emptively radio button on the basic authorization dialog box. This will construct and send the header the same way as Postman.

VSTS connection with SOAPui via ReSTapi

I am trying to make connection to Azure VSTS with SOAPui through vsts rest api's, but the response I am getting is: HTTP/1.1 203 Non-Authoritative information
Though when I hit the same request from POSTMAN it's giving successful response for every operation(Get, Post, Delete).
As I have a framework for API automation in SOAPUI I need to have this connection to post the test results in VSTS against respective test case.
Any idea how to resolve this would be much appreciated!!
Thanks
This is due to the incorrect authentication headers (Authorization header) that you send in the request. I have experienced this issue when you are trying to send empty username in SoapUI - Basic Authorization tab.
This can be handled by generating the header offline (using some online utilities - https://www.blitter.se/utils/basic-authentication-header-generator/) and sending in a separate header like below,
Authorization: Basic Onl1eWl1eWl5aXlpeWl5aXk=
Hope this helps.

Use HTTP Request in auto update feature of Install4j

I managed to use the auto update feature of Intsall4J by setting URL of updates.xml. For testing I used server (to host Installer.exe and updates.xml) with anonymous access. It worked fine.
But now requirement is that server needs HTTP request with Authorization header.
Is it possible to use HTTP request with Authorization header in auto update feature?
HTTP authentication is supported by downloads, the updater will ask the user for user name and password.
If you want to hard-code the login in the installer, you can add a "Run script" action to the startup node and execute
System.getProperty("serverAuthUser", "user name");
System.getProperty("serverAuthPassword", "password");

Github webhook not posting to Amazon SQS queue due to UnknownOperationException

I'm trying to configure a Github repository to post to an Amazon SQS queue, via a webhook (not the pre-configured SQS Service). The queue has full permissions, so anyone can post a message to it - and when I post via curl, it works fine.
curl -d "Action=SendMessage&MessageBody=curl_testing" https://sqs.us-east-1.amazonaws.com/123/my_queue
However, when I use the same queue URL in a webhook and test it, I get a 404, and UnknownOperationException.
The default curl format is form-urlencoded, so I changed the webhook default format (application/json) to that - which made no difference. (Interestingly, I also switched curl to use application/json, and it failed with the same error.)
There aren't a lot of options on the webhook, but I tried them all (with/without a secret token, or SSL certs), with no success.
Is it possible to have a webhook post to SQS (with the expected repo information, such as commits, etc)? And if so, how?
In your curl example you can see that SQS is expecting Action and MessageBody attributes. You can specify them in body of POST request or as the URL parameters. This way it's possible to send notification to SQS queue but you will lost information from webhook which is formatted as JSON.
You can set the action and message body in the webhook Payload URL like this:
https://sqs.us-east-1.amazonaws.com/123/my_queue?Action=SendMessage&MessageBody=Webhook_triggered
This way whenever the webhook is activated, you will receive SQS message with "Webhook_triggered" body.

Facebook Real-time Updates: (#2200) callback verification failed, code 2200

I am trying to get realtime updates from facebook for my application as documented in https://developers.facebook.com/docs/reference/api/realtime/. I am struggling now when it comes back to the Subscription Verification. I have set up a callback server which accepts both GET and POST requests. I verified that the server works by making curl requests to it.
However, I stil get this error when attempting to create a subscription issuing the POSt request below
{"error":{"message":"(#2200) callback verification failed:
","type":"OAuthException","code":2200}
From what I read in the documentation and other threads, I assume that this means that the single GET request to my callback URL fails. The callback url does not get requested by neither GET nor POST requests indeed. I suppose that facebook is somehow blocked from accessing the endpoint. However, I am able to auth as a user using the auth dialog (https://developers.facebook.com/docs/reference/dialogs/oauth/) where I pass a callback url on the same server as well. The server runs http (for now).
This is the curl I am using to post the subscription. Host file has an entry to redirect dev.minggler.com to localhost =>( 127.0.0.1 dev.minggler.com)
curl -XPOST 'https://graph.facebook.com/256139341164822/subscriptions?callback_url=http%3A%2F%2Fdev.minggler.com%3A3000%2Ffacebook%2Frealtimeupdates&object=user&fields=friends&verify_token=abcd123&access_token=$MYTOKEN'
Can anybody help me out on this?
finally found the problem. the server wasn't reachable from outside. resolving it solved the problem